From cec3c0af3d713319749641a4b714688d610c8b9e Mon Sep 17 00:00:00 2001
From: Christian Rebischke <chris@shibumi.dev>
Date: Sat, 19 Jun 2021 01:16:42 +0200
Subject: [PATCH 001/376] helm: add new ingressClass resource (#6882)

* helm: add new ingressClass resource

* add ingress parameters support

This commit adds ingress parameters support.
Credits go to Ariel Vinas: ariel@craftech.io
---
 charts/ingress-nginx/templates/_helpers.tpl   | 10 ++++++++
 .../templates/controller-ingressclass.yaml    | 23 +++++++++++++++++++
 charts/ingress-nginx/values.yaml              | 11 +++++++++
 3 files changed, 44 insertions(+)
 create mode 100644 charts/ingress-nginx/templates/controller-ingressclass.yaml

diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl
index b48bf4a4a..8b1fd0951 100644
--- a/charts/ingress-nginx/templates/_helpers.tpl
+++ b/charts/ingress-nginx/templates/_helpers.tpl
@@ -122,3 +122,13 @@ Check the ingress controller version tag is at most three versions behind the la
 {{- fail "Controller container image tag should be 0.27.0 or higher" -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+IngressClass parameters.
+*/}}
+{{- define "ingressClass.parameters" -}}
+  {{- if .Values.controller.ingressClassResource.parameters -}}
+          parameters:
+{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4}}
+  {{ end }}
+{{- end -}}
diff --git a/charts/ingress-nginx/templates/controller-ingressclass.yaml b/charts/ingress-nginx/templates/controller-ingressclass.yaml
new file mode 100644
index 000000000..f94b9590d
--- /dev/null
+++ b/charts/ingress-nginx/templates/controller-ingressclass.yaml
@@ -0,0 +1,23 @@
+{{- if and (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) (.Values.controller.ingressClassResource.enabled) -}}
+{{- if and (semverCompare "=1.18-0" .Capabilities.KubeVersion.GitVersion)  }}
+apiVersion: networking.k8s.io/v1beta1
+{{- else }}
+apiVersion: networking.k8s.io/v1
+{{- end }}
+kind: IngressClass
+metadata:
+  labels:
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+    {{- with .Values.controller.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  name: {{ .Values.controller.ingressClass }}
+{{- if .Values.controller.ingressClassResource.default }}
+  annotations:
+    ingressclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+spec:
+  controller: k8s.io/ingress-nginx
+  {{ template "ingressClass.parameters" . }}
+{{- end }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 42fe0c77e..460b19884 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -80,6 +80,17 @@ controller:
   ##
   ingressClass: nginx
 
+  # This section refers to the creation of the IngressClass resource
+  # IngressClass resources are supported since k8s >= 1.18
+  ingressClassResource:
+    enabled: false
+    default: false
+
+    # Parameters is a link to a custom resource containing additional
+    # configuration for the controller. This is optional if the controller
+    # does not require extra parameters.
+    parameters: {}
+
   # labels to add to the pod container metadata
   podLabels: {}
   #  key: value

From 388fa0185c719bbe7148bfb673b2fffb8b95b3b2 Mon Sep 17 00:00:00 2001
From: Jie Shen <drfish.me@gmail.com>
Date: Sun, 20 Jun 2021 03:40:50 +0800
Subject: [PATCH 002/376] Fix broken get started link in contributing doc
 (#7248)

---
 CONTRIBUTING.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 5dd01830b..afaf04291 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -22,7 +22,7 @@ If you're new to the project and want to help, but don't know where to start, we
 ## Contributing a Patch
 
 1. If you haven't already done so, sign a Contributor License Agreement (see details above).
-1. Read the [Ingress development guide](docs/development.md).
+1. Read the [Ingress development guide](docs/developer-guide/getting-started.md).
 1. Fork the desired repo, develop and test your code changes.
 1. Submit a pull request.
 

From 2a190d265710bcec5edcedb6c76031a5081d29b4 Mon Sep 17 00:00:00 2001
From: Long <longwuyuan@gmail.com>
Date: Mon, 21 Jun 2021 11:56:51 +0000
Subject: [PATCH 003/376] added namespace field in the namespace scoped
 resource templates of helm chart (#7256)

* added namespace field in the namespace scoped resource templates of helm chart

* moved namespace field from roleRef to metadata
---
 .../admission-webhooks/job-patch/job-createSecret.yaml         | 1 +
 .../admission-webhooks/job-patch/job-patchWebhook.yaml         | 1 +
 .../templates/admission-webhooks/job-patch/role.yaml           | 1 +
 .../templates/admission-webhooks/job-patch/rolebinding.yaml    | 1 +
 .../templates/admission-webhooks/job-patch/serviceaccount.yaml | 1 +
 .../templates/controller-configmap-addheaders.yaml             | 1 +
 .../templates/controller-configmap-proxyheaders.yaml           | 1 +
 charts/ingress-nginx/templates/controller-configmap-tcp.yaml   | 1 +
 charts/ingress-nginx/templates/controller-configmap-udp.yaml   | 1 +
 charts/ingress-nginx/templates/controller-configmap.yaml       | 1 +
 charts/ingress-nginx/templates/controller-daemonset.yaml       | 1 +
 charts/ingress-nginx/templates/controller-deployment.yaml      | 3 ++-
 charts/ingress-nginx/templates/controller-hpa.yaml             | 1 +
 .../templates/controller-poddisruptionbudget.yaml              | 1 +
 charts/ingress-nginx/templates/controller-role.yaml            | 1 +
 charts/ingress-nginx/templates/controller-rolebinding.yaml     | 1 +
 .../ingress-nginx/templates/controller-service-internal.yaml   | 1 +
 charts/ingress-nginx/templates/controller-service-metrics.yaml | 1 +
 charts/ingress-nginx/templates/controller-service-webhook.yaml | 1 +
 charts/ingress-nginx/templates/controller-service.yaml         | 1 +
 charts/ingress-nginx/templates/controller-serviceaccount.yaml  | 1 +
 charts/ingress-nginx/templates/default-backend-deployment.yaml | 1 +
 charts/ingress-nginx/templates/default-backend-hpa.yaml        | 1 +
 .../templates/default-backend-poddisruptionbudget.yaml         | 1 +
 charts/ingress-nginx/templates/default-backend-role.yaml       | 1 +
 .../ingress-nginx/templates/default-backend-rolebinding.yaml   | 1 +
 charts/ingress-nginx/templates/default-backend-service.yaml    | 1 +
 .../templates/default-backend-serviceaccount.yaml              | 1 +
 28 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
index e715c15e5..3656be487 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -3,6 +3,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: {{ include "ingress-nginx.fullname" . }}-admission-create
+  namespace: {{ .Release.Namespace }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
index b8585e2cf..9e9bd0138 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -3,6 +3,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: {{ include "ingress-nginx.fullname" . }}-admission-patch
+  namespace: {{ .Release.Namespace }}
   annotations:
     "helm.sh/hook": post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
index fe1c2ee7f..9b083ee6e 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
@@ -3,6 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name:  {{ include "ingress-nginx.fullname" . }}-admission
+  namespace: {{ .Release.Namespace }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
index b4af7fbcf..edda07f5d 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
@@ -3,6 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "ingress-nginx.fullname" . }}-admission
+  namespace: {{ .Release.Namespace }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
index 5dfdd345a..1ff0f7f0e 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "ingress-nginx.fullname" . }}-admission
+  namespace: {{ .Release.Namespace }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
diff --git a/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml b/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml
index c06458958..e0b7a0f21 100644
--- a/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml
@@ -6,5 +6,6 @@ metadata:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
   name: {{ include "ingress-nginx.fullname" . }}-custom-add-headers
+  namespace: {{ .Release.Namespace }}
 data: {{ toYaml .Values.controller.addHeaders | nindent 2 }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml b/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml
index 5a1b25229..91f22f03d 100644
--- a/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml
@@ -6,6 +6,7 @@ metadata:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
   name: {{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
+  namespace: {{ .Release.Namespace }}
 data:
 {{- if .Values.controller.proxySetHeaders }}
 {{ toYaml .Values.controller.proxySetHeaders | indent 2 }}
diff --git a/charts/ingress-nginx/templates/controller-configmap-tcp.yaml b/charts/ingress-nginx/templates/controller-configmap-tcp.yaml
index bc972517c..aaf336fb3 100644
--- a/charts/ingress-nginx/templates/controller-configmap-tcp.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap-tcp.yaml
@@ -9,5 +9,6 @@ metadata:
   annotations: {{ toYaml .Values.controller.tcp.annotations | nindent 4 }}
 {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}-tcp
+  namespace: {{ .Release.Namespace }}
 data: {{ tpl (toYaml .Values.tcp) . | nindent 2 }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/controller-configmap-udp.yaml b/charts/ingress-nginx/templates/controller-configmap-udp.yaml
index a9dc388f1..7f46791ec 100644
--- a/charts/ingress-nginx/templates/controller-configmap-udp.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap-udp.yaml
@@ -9,5 +9,6 @@ metadata:
   annotations: {{ toYaml .Values.controller.udp.annotations | nindent 4 }}
 {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}-udp
+  namespace: {{ .Release.Namespace }}
 data: {{ tpl (toYaml .Values.udp) . | nindent 2 }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml
index 0706fa0eb..630545140 100644
--- a/charts/ingress-nginx/templates/controller-configmap.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap.yaml
@@ -8,6 +8,7 @@ metadata:
   annotations: {{ toYaml .Values.controller.configAnnotations | nindent 4 }}
 {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 data:
 {{- if .Values.controller.addHeaders }}
   add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml
index 991dc4f36..2f6def589 100644
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -10,6 +10,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   {{- if .Values.controller.annotations }}
   annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
   {{- end }}
diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
index fe3b56a73..7e2d223a9 100644
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -10,6 +10,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   {{- if .Values.controller.annotations }}
   annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
   {{- end }}
@@ -241,4 +242,4 @@ spec:
         {{ toYaml .Values.controller.extraVolumes | nindent 8 }}
       {{- end }}
     {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-hpa.yaml b/charts/ingress-nginx/templates/controller-hpa.yaml
index 9eab00ebb..fb14bdf6a 100644
--- a/charts/ingress-nginx/templates/controller-hpa.yaml
+++ b/charts/ingress-nginx/templates/controller-hpa.yaml
@@ -12,6 +12,7 @@ metadata:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
   name: {{ include "ingress-nginx.controller.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1
diff --git a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml
index 369c12bdb..a5a425f74 100644
--- a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml
+++ b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml
@@ -6,6 +6,7 @@ metadata:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
   name: {{ include "ingress-nginx.controller.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 spec:
   selector:
     matchLabels:
diff --git a/charts/ingress-nginx/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml
index 52f830315..1a5ccd29b 100644
--- a/charts/ingress-nginx/templates/controller-role.yaml
+++ b/charts/ingress-nginx/templates/controller-role.yaml
@@ -6,6 +6,7 @@ metadata:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
   name: {{ include "ingress-nginx.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 rules:
   - apiGroups:
       - ""
diff --git a/charts/ingress-nginx/templates/controller-rolebinding.yaml b/charts/ingress-nginx/templates/controller-rolebinding.yaml
index 9ab3b461c..5ec3bc774 100644
--- a/charts/ingress-nginx/templates/controller-rolebinding.yaml
+++ b/charts/ingress-nginx/templates/controller-rolebinding.yaml
@@ -6,6 +6,7 @@ metadata:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
   name: {{ include "ingress-nginx.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
diff --git a/charts/ingress-nginx/templates/controller-service-internal.yaml b/charts/ingress-nginx/templates/controller-service-internal.yaml
index 49b4ee1d6..0bb966127 100644
--- a/charts/ingress-nginx/templates/controller-service-internal.yaml
+++ b/charts/ingress-nginx/templates/controller-service-internal.yaml
@@ -13,6 +13,7 @@ metadata:
     {{- toYaml .Values.controller.service.labels | nindent 4 }}
   {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}-internal
+  namespace: {{ .Release.Namespace }}
 spec:
   type: "{{ .Values.controller.service.type }}"
 {{- if .Values.controller.service.internal.loadBalancerIP }}
diff --git a/charts/ingress-nginx/templates/controller-service-metrics.yaml b/charts/ingress-nginx/templates/controller-service-metrics.yaml
index b01f460af..1b690192c 100644
--- a/charts/ingress-nginx/templates/controller-service-metrics.yaml
+++ b/charts/ingress-nginx/templates/controller-service-metrics.yaml
@@ -12,6 +12,7 @@ metadata:
     {{- toYaml .Values.controller.metrics.service.labels | nindent 4 }}
   {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}-metrics
+  namespace: {{ .Release.Namespace }}
 spec:
   type: {{ .Values.controller.metrics.service.type }}
 {{- if .Values.controller.metrics.service.clusterIP }}
diff --git a/charts/ingress-nginx/templates/controller-service-webhook.yaml b/charts/ingress-nginx/templates/controller-service-webhook.yaml
index 7a4dd51db..228cb59d8 100644
--- a/charts/ingress-nginx/templates/controller-service-webhook.yaml
+++ b/charts/ingress-nginx/templates/controller-service-webhook.yaml
@@ -9,6 +9,7 @@ metadata:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
   name: {{ include "ingress-nginx.controller.fullname" . }}-admission
+  namespace: {{ .Release.Namespace }}
 spec:
   type: {{ .Values.controller.admissionWebhooks.service.type }}
 {{- if .Values.controller.admissionWebhooks.service.clusterIP }}
diff --git a/charts/ingress-nginx/templates/controller-service.yaml b/charts/ingress-nginx/templates/controller-service.yaml
index 9db734deb..908291cff 100644
--- a/charts/ingress-nginx/templates/controller-service.yaml
+++ b/charts/ingress-nginx/templates/controller-service.yaml
@@ -13,6 +13,7 @@ metadata:
     {{- toYaml .Values.controller.service.labels | nindent 4 }}
   {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 spec:
   type: {{ .Values.controller.service.type }}
 {{- if .Values.controller.service.clusterIP }}
diff --git a/charts/ingress-nginx/templates/controller-serviceaccount.yaml b/charts/ingress-nginx/templates/controller-serviceaccount.yaml
index f4b1278f6..50a718d32 100644
--- a/charts/ingress-nginx/templates/controller-serviceaccount.yaml
+++ b/charts/ingress-nginx/templates/controller-serviceaccount.yaml
@@ -6,5 +6,6 @@ metadata:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
   name: {{ template "ingress-nginx.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
 automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml
index ff8a6d9a6..99345269b 100644
--- a/charts/ingress-nginx/templates/default-backend-deployment.yaml
+++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml
@@ -6,6 +6,7 @@ metadata:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend
   name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 spec:
   selector:
     matchLabels:
diff --git a/charts/ingress-nginx/templates/default-backend-hpa.yaml b/charts/ingress-nginx/templates/default-backend-hpa.yaml
index a007d0315..e31fda3f9 100644
--- a/charts/ingress-nginx/templates/default-backend-hpa.yaml
+++ b/charts/ingress-nginx/templates/default-backend-hpa.yaml
@@ -6,6 +6,7 @@ metadata:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend
   name: {{ template "ingress-nginx.defaultBackend.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1
diff --git a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
index 327d809b9..153f005e2 100644
--- a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
+++ b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
@@ -6,6 +6,7 @@ metadata:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend
   name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 spec:
   selector:
     matchLabels:
diff --git a/charts/ingress-nginx/templates/default-backend-role.yaml b/charts/ingress-nginx/templates/default-backend-role.yaml
index 53b63b6bf..5d29a2d52 100644
--- a/charts/ingress-nginx/templates/default-backend-role.yaml
+++ b/charts/ingress-nginx/templates/default-backend-role.yaml
@@ -6,6 +6,7 @@ metadata:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend
   name: {{ include "ingress-nginx.fullname" . }}-backend
+  namespace: {{ .Release.Namespace }}
 rules:
   - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
     resources:      ['podsecuritypolicies']
diff --git a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml
index 03eac869f..4a9cb9284 100644
--- a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml
+++ b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml
@@ -6,6 +6,7 @@ metadata:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend
   name: {{ include "ingress-nginx.fullname" . }}-backend
+  namespace: {{ .Release.Namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
diff --git a/charts/ingress-nginx/templates/default-backend-service.yaml b/charts/ingress-nginx/templates/default-backend-service.yaml
index e74714d92..7624ab36c 100644
--- a/charts/ingress-nginx/templates/default-backend-service.yaml
+++ b/charts/ingress-nginx/templates/default-backend-service.yaml
@@ -9,6 +9,7 @@ metadata:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend
   name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 spec:
   type: {{ .Values.defaultBackend.service.type }}
 {{- if .Values.defaultBackend.service.clusterIP }}
diff --git a/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml b/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml
index a95826bda..0c00e9369 100644
--- a/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml
+++ b/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml
@@ -6,5 +6,6 @@ metadata:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend
   name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
 automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }}
 {{- end }}

From 39ace3176b0dd111b6f0bd67039887570f82618d Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Mon, 21 Jun 2021 16:32:51 -0300
Subject: [PATCH 004/376] Fix nilpointer in admission and remove failing test
 (#7255)

* Fix nilpointer in admission when it was unable to validate default backend ingress

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>

* Remove temporarily the slow shutdown tests

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
---
 internal/ingress/controller/controller.go  | 4 ++++
 test/e2e/gracefulshutdown/shutdown.go      | 7 ++-----
 test/e2e/gracefulshutdown/slow_requests.go | 7 ++-----
 3 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 966de6f2f..dd04b0f09 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -1654,6 +1654,10 @@ func ingressForHostPath(hostname, path string, servers []*ingress.Server) []*net
 				continue
 			}
 
+			if location.IsDefBackend {
+				continue
+			}
+
 			ingresses = append(ingresses, &location.Ingress.Ingress)
 		}
 	}
diff --git a/test/e2e/gracefulshutdown/shutdown.go b/test/e2e/gracefulshutdown/shutdown.go
index c3c0d5234..5282d1a11 100644
--- a/test/e2e/gracefulshutdown/shutdown.go
+++ b/test/e2e/gracefulshutdown/shutdown.go
@@ -17,15 +17,12 @@ limitations under the License.
 package gracefulshutdown
 
 import (
-	"context"
 	"net/http"
 	"strings"
 	"time"
 
 	"github.com/onsi/ginkgo"
 	"github.com/stretchr/testify/assert"
-	appsv1 "k8s.io/api/apps/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )
@@ -60,7 +57,7 @@ var _ = framework.IngressNginxDescribe("[Shutdown] ingress controller", func() {
 
 		assert.LessOrEqual(ginkgo.GinkgoT(), int(time.Since(startTime).Seconds()), 60, "waiting shutdown")
 	})
-
+	/* @rikatz - Removing this tests as they are failing in GH Actions but not locally.
 	ginkgo.It("should shutdown after waiting 60 seconds for pending connections to be closed", func(done ginkgo.Done) {
 		defer close(done)
 
@@ -149,5 +146,5 @@ var _ = framework.IngressNginxDescribe("[Shutdown] ingress controller", func() {
 		statusCode := <-result
 		assert.Equal(ginkgo.GinkgoT(), http.StatusOK, statusCode, "expecting a valid response from HTTP request")
 		assert.GreaterOrEqual(ginkgo.GinkgoT(), int(time.Since(startTime).Seconds()), 150, "waiting shutdown")
-	}, 200)
+	}, 200) */
 })
diff --git a/test/e2e/gracefulshutdown/slow_requests.go b/test/e2e/gracefulshutdown/slow_requests.go
index c05ff7b87..605e4d869 100644
--- a/test/e2e/gracefulshutdown/slow_requests.go
+++ b/test/e2e/gracefulshutdown/slow_requests.go
@@ -17,9 +17,6 @@ limitations under the License.
 package gracefulshutdown
 
 import (
-	"net/http"
-	"strings"
-
 	"github.com/onsi/ginkgo"
 
 	"k8s.io/ingress-nginx/test/e2e/framework"
@@ -32,7 +29,7 @@ var _ = framework.IngressNginxDescribe("[Shutdown] Graceful shutdown with pendin
 		f.NewSlowEchoDeployment()
 		f.UpdateNginxConfigMapData("worker-shutdown-timeout", "50s")
 	})
-
+	/* @rikatz  - This seems to be failing on GH Actions and needs to be re-checked and re-verified
 	ginkgo.It("should let slow requests finish before shutting down", func() {
 		host := "graceful-shutdown"
 
@@ -57,5 +54,5 @@ var _ = framework.IngressNginxDescribe("[Shutdown] Graceful shutdown with pendin
 		framework.Sleep()
 		f.DeleteNGINXPod(60)
 		<-done
-	})
+	}) */
 })

From a8408cdb51086a099a2c71ed3e68363eb3a7ae60 Mon Sep 17 00:00:00 2001
From: Jintao Zhang <tao12345666333@163.com>
Date: Tue, 22 Jun 2021 19:37:58 +0800
Subject: [PATCH 005/376] release: helm chart v3.34.0 (#7258)

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
---
 charts/ingress-nginx/CHANGELOG.md             |  8 ++++
 charts/ingress-nginx/Chart.yaml               |  4 +-
 .../provider/aws/deploy-tls-termination.yaml  | 48 +++++++++----------
 deploy/static/provider/aws/deploy.yaml        | 48 +++++++++----------
 deploy/static/provider/baremetal/deploy.yaml  | 48 +++++++++----------
 deploy/static/provider/cloud/deploy.yaml      | 48 +++++++++----------
 deploy/static/provider/do/deploy.yaml         | 48 +++++++++----------
 deploy/static/provider/exoscale/deploy.yaml   | 48 +++++++++----------
 deploy/static/provider/kind/deploy.yaml       | 48 +++++++++----------
 deploy/static/provider/scw/deploy.yaml        | 48 +++++++++----------
 10 files changed, 202 insertions(+), 194 deletions(-)

diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md
index 1711f4aa8..36526e082 100644
--- a/charts/ingress-nginx/CHANGELOG.md
+++ b/charts/ingress-nginx/CHANGELOG.md
@@ -2,6 +2,14 @@
 
 This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
 
+### 3.34.0
+
+- [7256] https://github.com/kubernetes/ingress-nginx/pull/7256 Add namespace field in the namespace scoped resource templates
+
+### 3.33.0
+
+- [7164] https://github.com/kubernetes/ingress-nginx/pull/7164 Update nginx to v1.20.1
+
 ### 3.32.0
 
 - [7117] https://github.com/kubernetes/ingress-nginx/pull/7117 Add annotations for HPA
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 6cecb04ab..43d526eae 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 3.33.0
+version: 3.34.0
 appVersion: 0.47.0
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
@@ -21,4 +21,4 @@ annotations:
   # List of changes for the release in artifacthub.io
   # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog
   artifacthub.io/changes: |
-    - Update nginx to v1.20.1
+    - Add namespace field in the namespace scoped resource templates
diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml
index 1ea8ddc66..e70e88853 100644
--- a/deploy/static/provider/aws/deploy-tls-termination.yaml
+++ b/deploy/static/provider/aws/deploy-tls-termination.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -50,7 +50,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -119,7 +119,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -139,7 +139,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -225,7 +225,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -247,7 +247,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -278,7 +278,7 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
     service.beta.kubernetes.io/aws-load-balancer-type: elb
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -308,7 +308,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -426,7 +426,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -462,17 +462,17 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 ---
 # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -483,7 +483,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -507,7 +507,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -527,17 +527,17 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 rules:
   - apiGroups:
       - ''
@@ -552,17 +552,17 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -577,23 +577,23 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: ingress-nginx-admission-create
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 spec:
   template:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.33.0
+        helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.47.0
@@ -625,23 +625,23 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 spec:
   template:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.33.0
+        helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.47.0
diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml
index 727f2d354..15831416d 100644
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -43,7 +43,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -112,7 +112,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -132,7 +132,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -218,7 +218,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -240,7 +240,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -268,7 +268,7 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -298,7 +298,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -413,7 +413,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -449,17 +449,17 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 ---
 # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -470,7 +470,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -494,7 +494,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -514,17 +514,17 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 rules:
   - apiGroups:
       - ''
@@ -539,17 +539,17 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -564,23 +564,23 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: ingress-nginx-admission-create
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 spec:
   template:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.33.0
+        helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.47.0
@@ -612,23 +612,23 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 spec:
   template:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.33.0
+        helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.47.0
diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml
index 8aa2d2ed5..63ad2a46e 100644
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -43,7 +43,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -112,7 +112,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -132,7 +132,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -218,7 +218,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -240,7 +240,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -265,7 +265,7 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -294,7 +294,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -408,7 +408,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -444,17 +444,17 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 ---
 # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -465,7 +465,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -489,7 +489,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -509,17 +509,17 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 rules:
   - apiGroups:
       - ''
@@ -534,17 +534,17 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -559,23 +559,23 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: ingress-nginx-admission-create
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 spec:
   template:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.33.0
+        helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.47.0
@@ -607,23 +607,23 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 spec:
   template:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.33.0
+        helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.47.0
diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml
index 92fe6307c..bfce22c62 100644
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -43,7 +43,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -112,7 +112,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -132,7 +132,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -218,7 +218,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -240,7 +240,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -265,7 +265,7 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -295,7 +295,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -410,7 +410,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -446,17 +446,17 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 ---
 # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -467,7 +467,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -491,7 +491,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -511,17 +511,17 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 rules:
   - apiGroups:
       - ''
@@ -536,17 +536,17 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -561,23 +561,23 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: ingress-nginx-admission-create
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 spec:
   template:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.33.0
+        helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.47.0
@@ -609,23 +609,23 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 spec:
   template:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.33.0
+        helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.47.0
diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml
index d0d5d8c37..b262c1edd 100644
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -44,7 +44,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -113,7 +113,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -133,7 +133,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -219,7 +219,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -241,7 +241,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -267,7 +267,7 @@ metadata:
   annotations:
     service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -297,7 +297,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -412,7 +412,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -448,17 +448,17 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 ---
 # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -469,7 +469,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -493,7 +493,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -513,17 +513,17 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 rules:
   - apiGroups:
       - ''
@@ -538,17 +538,17 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -563,23 +563,23 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: ingress-nginx-admission-create
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 spec:
   template:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.33.0
+        helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.47.0
@@ -611,23 +611,23 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 spec:
   template:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.33.0
+        helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.47.0
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml
index 74535b1c0..411e5c752 100644
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -43,7 +43,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -112,7 +112,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -132,7 +132,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -218,7 +218,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -240,7 +240,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -273,7 +273,7 @@ metadata:
     service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: 3s
     service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -303,7 +303,7 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -418,7 +418,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -454,17 +454,17 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 ---
 # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -475,7 +475,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -499,7 +499,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -519,17 +519,17 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 rules:
   - apiGroups:
       - ''
@@ -544,17 +544,17 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -569,23 +569,23 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: ingress-nginx-admission-create
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 spec:
   template:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.33.0
+        helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.47.0
@@ -617,23 +617,23 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 spec:
   template:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.33.0
+        helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.47.0
diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index 31515efc4..7198b1d03 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -43,7 +43,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -112,7 +112,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -132,7 +132,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -218,7 +218,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -240,7 +240,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -265,7 +265,7 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -294,7 +294,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -420,7 +420,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -456,17 +456,17 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 ---
 # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -477,7 +477,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -501,7 +501,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -521,17 +521,17 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 rules:
   - apiGroups:
       - ''
@@ -546,17 +546,17 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -571,23 +571,23 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: ingress-nginx-admission-create
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 spec:
   template:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.33.0
+        helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.47.0
@@ -619,23 +619,23 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 spec:
   template:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.33.0
+        helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.47.0
diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml
index 81c6c85f3..76104696f 100644
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -44,7 +44,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -113,7 +113,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -133,7 +133,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -219,7 +219,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -241,7 +241,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -267,7 +267,7 @@ metadata:
   annotations:
     service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -297,7 +297,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -412,7 +412,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -448,17 +448,17 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 ---
 # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -469,7 +469,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -493,7 +493,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
@@ -513,17 +513,17 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 rules:
   - apiGroups:
       - ''
@@ -538,17 +538,17 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: ingress-nginx-admission
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -563,23 +563,23 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: ingress-nginx-admission-create
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 spec:
   template:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.33.0
+        helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.47.0
@@ -611,23 +611,23 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
   annotations:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.33.0
+    helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.47.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
-  namespace: ingress-nginx
 spec:
   template:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.33.0
+        helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.47.0

From f5c80783bfa050760314b78a639dfe95b3babfa8 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Tue, 6 Jul 2021 01:50:18 -0300
Subject: [PATCH 006/376] [Cherry Pick] - Add configuration to disable external
 name service feature (#7314) (#7321)

* Add configuration to disable external name service feature (#7314)

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>

* Fix CI files
---
 .github/workflows/ci.yaml                     |  6 +-
 build/run-e2e-suite.sh                        |  1 +
 cmd/nginx/flags.go                            | 48 +++++-----
 go.mod                                        |  2 +-
 go.sum                                        | 91 +++---------------
 internal/ingress/controller/controller.go     |  6 ++
 .../settings/disable_service_external_name.go | 95 +++++++++++++++++++
 7 files changed, 144 insertions(+), 105 deletions(-)
 create mode 100644 test/e2e/settings/disable_service_external_name.go

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 612bd4b38..a6101db9f 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -137,7 +137,7 @@ jobs:
         id: kind
         uses: engineerd/setup-kind@v0.5.0
         with:
-          version: v0.10.0
+          version: v0.11.1
           image: kindest/node:v1.20.2
 
       - name: Test
@@ -159,7 +159,7 @@ jobs:
 
     strategy:
       matrix:
-        k8s: [v1.16.15, v1.17.17, v1.18.15, v1.19.7, v1.20.2]
+        k8s: [v1.16.15, v1.17.17, v1.18.19, v1.19.11, v1.20.7]
 
     steps:
 
@@ -175,7 +175,7 @@ jobs:
         id: kind
         uses: engineerd/setup-kind@v0.5.0
         with:
-          version: v0.10.0
+          version: v0.11.1
           config: test/e2e/kind.yaml
           image: kindest/node:${{ matrix.k8s }}
 
diff --git a/build/run-e2e-suite.sh b/build/run-e2e-suite.sh
index 8db069d22..27f17bed5 100755
--- a/build/run-e2e-suite.sh
+++ b/build/run-e2e-suite.sh
@@ -78,3 +78,4 @@ kubectl run --rm \
   --env="E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS}" \
   --overrides='{ "apiVersion": "v1", "spec":{"serviceAccountName": "ingress-nginx-e2e"}}' \
   e2e --image=nginx-ingress-controller:e2e
+
diff --git a/cmd/nginx/flags.go b/cmd/nginx/flags.go
index 5fb63b430..62c4ced23 100644
--- a/cmd/nginx/flags.go
+++ b/cmd/nginx/flags.go
@@ -126,6 +126,9 @@ Requires the update-status parameter.`)
 		enableSSLPassthrough = flags.Bool("enable-ssl-passthrough", false,
 			`Enable SSL Passthrough.`)
 
+		disableServiceExternalName = flags.Bool("disable-svc-external-name", false,
+			`Disable support for Services of type ExternalName`)
+
 		annotationsPrefix = flags.String("annotations-prefix", parser.DefaultAnnotationsPrefix,
 			`Prefix of the Ingress annotations specific to the NGINX controller.`)
 
@@ -264,28 +267,29 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g
 	ngx_config.EnableSSLChainCompletion = *enableSSLChainCompletion
 
 	config := &controller.Configuration{
-		APIServerHost:          *apiserverHost,
-		KubeConfigFile:         *kubeConfigFile,
-		UpdateStatus:           *updateStatus,
-		ElectionID:             *electionID,
-		EnableProfiling:        *profiling,
-		EnableMetrics:          *enableMetrics,
-		MetricsPerHost:         *metricsPerHost,
-		MonitorMaxBatchSize:    *monitorMaxBatchSize,
-		EnableSSLPassthrough:   *enableSSLPassthrough,
-		ResyncPeriod:           *resyncPeriod,
-		DefaultService:         *defaultSvc,
-		Namespace:              *watchNamespace,
-		ConfigMapName:          *configMap,
-		TCPConfigMapName:       *tcpConfigMapName,
-		UDPConfigMapName:       *udpConfigMapName,
-		DefaultSSLCertificate:  *defSSLCertificate,
-		PublishService:         *publishSvc,
-		PublishStatusAddress:   *publishStatusAddress,
-		UpdateStatusOnShutdown: *updateStatusOnShutdown,
-		ShutdownGracePeriod:    *shutdownGracePeriod,
-		UseNodeInternalIP:      *useNodeInternalIP,
-		SyncRateLimit:          *syncRateLimit,
+		APIServerHost:              *apiserverHost,
+		KubeConfigFile:             *kubeConfigFile,
+		UpdateStatus:               *updateStatus,
+		ElectionID:                 *electionID,
+		EnableProfiling:            *profiling,
+		EnableMetrics:              *enableMetrics,
+		MetricsPerHost:             *metricsPerHost,
+		MonitorMaxBatchSize:        *monitorMaxBatchSize,
+		DisableServiceExternalName: *disableServiceExternalName,
+		EnableSSLPassthrough:       *enableSSLPassthrough,
+		ResyncPeriod:               *resyncPeriod,
+		DefaultService:             *defaultSvc,
+		Namespace:                  *watchNamespace,
+		ConfigMapName:              *configMap,
+		TCPConfigMapName:           *tcpConfigMapName,
+		UDPConfigMapName:           *udpConfigMapName,
+		DefaultSSLCertificate:      *defSSLCertificate,
+		PublishService:             *publishSvc,
+		PublishStatusAddress:       *publishStatusAddress,
+		UpdateStatusOnShutdown:     *updateStatusOnShutdown,
+		ShutdownGracePeriod:        *shutdownGracePeriod,
+		UseNodeInternalIP:          *useNodeInternalIP,
+		SyncRateLimit:              *syncRateLimit,
 		ListenPorts: &ngx_config.ListenPorts{
 			Default:  *defServerPort,
 			Health:   *healthzPort,
diff --git a/go.mod b/go.mod
index efbf04769..181e72f7d 100644
--- a/go.mod
+++ b/go.mod
@@ -17,7 +17,7 @@ require (
 	github.com/mitchellh/mapstructure v1.3.2
 	github.com/moul/pb v0.0.0-20180404114147-54bdd96e6a52
 	github.com/ncabatoff/process-exporter v0.7.2
-	github.com/onsi/ginkgo v1.14.1
+	github.com/onsi/ginkgo v1.16.4
 	github.com/opencontainers/runc v1.0.0-rc92
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.7.1
diff --git a/go.sum b/go.sum
index 4439cb737..05782fd6c 100644
--- a/go.sum
+++ b/go.sum
@@ -1,6 +1,5 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.38.0 h1:ROfEUZz+Gh5pa62DJWXSaonyu3StP6EA6lPEXPI6mCo=
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
 cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
 cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
@@ -75,7 +74,6 @@ github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQ
 github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
-github.com/beorn7/perks v1.0.0 h1:HWo1m869IqiPhD389kmkxeTalrjNbbJTC8LXupb+sl0=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
@@ -97,7 +95,6 @@ github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMn
 github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775/go.mod h1:7cR51M8ViRLIdUjrmSXlK9pkrsDlLHbO8jiB8X8JnOc=
 github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa h1:OaNxuTZr7kxeODyLWsRMC+OD03aFUH+mW6r2d+MWa5Y=
 github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
 github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI=
 github.com/containerd/console v1.0.0/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE=
@@ -105,7 +102,6 @@ github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkE
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9/ZjdUKyjop4mf3Qdd+1TvvltAvM3m8=
@@ -113,7 +109,6 @@ github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7
 github.com/coreos/go-systemd/v22 v22.1.0 h1:kq/SbG2BCKLkDKkjQf5OWwKWUKj1lgs3lFI4PxnR5lg=
 github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
 github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
-github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f h1:lBNOc5arjvs8E5mO2tbpBpLoyyu8B6e44T7hJy6potg=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
@@ -123,16 +118,13 @@ github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96 h1:cenwrSVm+Z7QLSV/BsnenAOcDXdX4cMv4wP0B/5QbPg=
 github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
-github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/eapache/channels v1.1.0 h1:F1taHcn7/F0i8DYqKXJnyhJcVpp2kgFcNePxXtnyu4k=
 github.com/eapache/channels v1.1.0/go.mod h1:jMm2qB5Ubtg9zLd+inMZd2/NUvXgzmWXsDaLyQIGfH0=
@@ -142,7 +134,6 @@ github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc=
 github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
 github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M=
 github.com/ekalinin/github-markdown-toc v0.0.0-20190514155158-83fadb60a7f1/go.mod h1:XfZS1iyC28CnllR54Ou2Ero6qs4Rmn7GpVumNSj1DZo=
-github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7foRItutHYUIhlcKzcSf5vDpdhQAKTc=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emicklei/go-restful v2.9.5+incompatible h1:spTtZBk5DYEvbxMVutUuTyh1Ao2r4iyvLdACqsl/Ljk=
@@ -150,7 +141,6 @@ github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT
 github.com/envoyproxy/go-control-plane v0.6.9/go.mod h1:SBwIajubJHhxtWwsL9s8ss4safvEdbitLhGGK48rN6g=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/evanphx/json-patch v4.5.0+incompatible h1:ouOWdg56aJriqS0huScTkVXPC5IcNrDCXZ6OoTAWu7M=
 github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch v4.9.0+incompatible h1:kLcOMZeuLAJvL2BPWLMIj5oaZQobrkAqrL+WFZwQses=
 github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
@@ -182,9 +172,7 @@ github.com/go-kit/kit v0.10.0/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgO
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
-github.com/go-logr/logr v0.1.0 h1:M1Tv3VzNlEHg6uyACnRdtrploV2P7wZqH8BoQMtz0cg=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
-github.com/go-logr/logr v0.2.0 h1:QvGt2nLcHH0WK9orKa+ppBPAxREcH364nPUedEpK0TY=
 github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
 github.com/go-logr/logr v0.3.0 h1:q4c+kbcR0d5rSurhBR8dIgieOaYpXtsdTYfx22Cu6rs=
 github.com/go-logr/logr v0.3.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
@@ -203,6 +191,7 @@ github.com/go-openapi/swag v0.19.5 h1:lTz6Ys4CmqqCQmZPBlbQENR1/GucA2bzYTE12Pw4tF
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/godbus/dbus/v5 v5.0.3 h1:ZqHaoEF7TBzh4jzPmqVhE/5A1z9of6orkAe5uHoAeME=
 github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s=
@@ -214,16 +203,13 @@ github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXP
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef h1:veQD95Isof8w9/WXiA+pa3tz3fJXkt5B7QaRBrM62gk=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 h1:5ZkaAPbicIKTF2I64qf5Fh8Aa83Q/dnOafMYV0OMwjA=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.3.1 h1:qGJ6qTW+x6xX/my+8YUVl4WNpX9B7+/l2tRsHGZ7f2s=
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
 github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
@@ -240,7 +226,6 @@ github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrU
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
-github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
@@ -253,7 +238,6 @@ github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM=
@@ -271,13 +255,11 @@ github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/googleapis/gnostic v0.4.1 h1:DLJCy1n/vrD4HPjOvYcT8aYQXpPIzoRZONaYwyycI+I=
 github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg=
 github.com/googleapis/gnostic v0.5.1 h1:A8Yhf6EtqTv9RMsU6MQTyrtV1TjWlR6xU9BsZIwuTCM=
 github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
@@ -292,12 +274,9 @@ github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/ad
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
-github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4 h1:z53tR0945TRRQO/fLEVPI6SMv7ZflF0TEaTAoU7tOzg=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
-github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
-github.com/grpc-ecosystem/grpc-gateway v1.9.5 h1:UImYN5qQ8tuGpGE16ZmjvcTtTw24zw1QAp/SlnNrZhI=
 github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE=
@@ -316,7 +295,6 @@ github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/b
 github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
 github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
@@ -337,7 +315,6 @@ github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NH
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
-github.com/jonboulle/clockwork v0.1.0 h1:VKV+ZcuP6l3yW9doeqz6ziZGgcynBVQO+obU0+0hcPo=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
@@ -359,12 +336,10 @@ github.com/klauspost/compress v1.8.2 h1:Bx0qjetmNjdFXASH02NSAREKpiaDwkO1DRZ3dV2K
 github.com/klauspost/compress v1.8.2/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
 github.com/klauspost/cpuid v1.2.1 h1:vJi+O/nMdFt0vqm8NZBI6wzALWdA2X+egi0ogNyrC/w=
 github.com/klauspost/cpuid v1.2.1/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3 h1:CE8S1cTafDpPvMhIxNJKvHsGVBgn1xWYf1NbHQhywc8=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
-github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
@@ -392,7 +367,6 @@ github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNx
 github.com/mattn/go-isatty v0.0.8 h1:HLtExJ+uU2HOZ+wI0Tt5DtUDrx8yhUqDcp7fYERX4CE=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
-github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI=
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
@@ -410,7 +384,6 @@ github.com/mitchellh/hashstructure v1.0.0 h1:ZkRJX1CyOoTkar7p/mLS5TZU4nJ1Rn/F8u9
 github.com/mitchellh/hashstructure v1.0.0/go.mod h1:QjSHrPWS+BGUVBYkbTZWEnOh3G1DutKwClXU/ABz6AQ=
 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.3.2 h1:mRS76wmkOn3KkKAyXDu42V+6ebnXWIztFSYGN7GeoRg=
 github.com/mitchellh/mapstructure v1.3.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
@@ -446,8 +419,9 @@ github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833 h1:t4WWQ9I797y7QU
 github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833/go.mod h1:0CznHmXSjMEqs5Tezj/w2emQoM41wzYM9KpDKUHPYag=
 github.com/ncabatoff/process-exporter v0.7.2 h1:2UxJJ5fm9fiiUHqHgbusrfceCFQpEET/+wADEOfDSqI=
 github.com/ncabatoff/process-exporter v0.7.2/go.mod h1:d7Yf/brhprE2fjCdtZ2Edt0so30RY5PmtRu6qD0gUOc=
-github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
+github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
+github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
 github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs=
 github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
@@ -458,13 +432,13 @@ github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W
 github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
-github.com/onsi/ginkgo v1.14.1 h1:jMU0WaQrP0a/YAEq8eJmJKjBoMs+pClEr1vDMlM/Do4=
 github.com/onsi/ginkgo v1.14.1/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
+github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc=
+github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
-github.com/onsi/gomega v1.10.1 h1:o0+MgICZLuZ7xjH7Vx6zS/zcu93/BEp1VwkIW1mEXCE=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.10.2 h1:aY/nuoWlKJud2J6U0E3NWsjlg+0GtwXxgEqthRdzlcs=
 github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
@@ -504,7 +478,6 @@ github.com/prometheus/client_golang v0.8.0/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
-github.com/prometheus/client_golang v1.0.0 h1:vrDKnkGzuGvhNAL56c7DBz29ZL+KxnoR0x7enabFceM=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og=
 github.com/prometheus/client_golang v1.7.1 h1:NTGy1Ja9pByO+xAeH/qiWnLrKtr3hJPNjaVUwnjpdpA=
@@ -520,20 +493,16 @@ github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7q
 github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.4.1 h1:K0MGApIoQvMw27RTdJkPbr3JZ7DNbtxQNyi5STVM6Kw=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA=
-github.com/prometheus/common v0.10.0 h1:RyRA7RzGXQZiW+tGMr7sxa85G1z0yOpM1qq5c8lNawc=
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
 github.com/prometheus/common v0.14.0 h1:RHRyE8UocrbjU+6UvRzwi6HjiDfxrrBU91TtbKzkGp4=
 github.com/prometheus/common v0.14.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.0.2 h1:6LJUbpNm42llc4HRCuvApCSWB/WfhuNo9K98Q9sNGfs=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
-github.com/prometheus/procfs v0.1.3 h1:F0+tqvhOksq22sc6iCHF5WGlWjdwj92p0udFh1VFBS8=
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.2.0 h1:wH4vA7pcjKuZzjF7lM8awk4fnuJO6idemZXoKnULUx4=
 github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
@@ -552,18 +521,15 @@ github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.6.0 h1:UBcNElsrwanuuMsnGSlYmtmgbb23qDR5dG+6X6Oo89I=
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
-github.com/soheilhy/cmux v0.1.4 h1:0HKaf1o97UwFjHH9o5XsHUOF+tqmdA7KEzXLpiyaw0E=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
 github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
-github.com/spf13/afero v1.2.2 h1:5jhuqJyZCZf2JRofRvN/nIFgIWNzPa3/Vz8mYylgbWc=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
@@ -582,11 +548,9 @@ github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3
 github.com/streadway/handy v0.0.0-20190108123426-d5acb3125c2a/go.mod h1:qNTQ5P5JnDBl6z3cMAg/SywNDC5ABu5ApDIw6lUbRmI=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
@@ -596,7 +560,6 @@ github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG
 github.com/tallclair/mdtoc v1.0.0 h1:+FqBzRdFsgwrkzewUYC8GG6/hckREy9t4cDw4bWjx+M=
 github.com/tallclair/mdtoc v1.0.0/go.mod h1:BjDk9nfX4091pXLHhvf6Ejr4/r//9NslWmweWb2Hkbs=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
-github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5 h1:LnC5Kc/wtumK+WB441p7ynQJzVuNRJiqddSIE3IlSEQ=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
@@ -614,7 +577,6 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHo
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v1.1.0 h1:ngVtJC9TY/lg0AA/1k48FYhBrhRoFlEmWzsehpNAaZg=
 github.com/xeipuuv/gojsonschema v1.1.0/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
-github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/yalp/jsonpath v0.0.0-20180802001716-5cc68e5049a0 h1:6fRhSjgLCkTD3JnJxvaJ4Sj+TYblw757bqYgZaOq5ZY=
 github.com/yalp/jsonpath v0.0.0-20180802001716-5cc68e5049a0/go.mod h1:/LWChgwKmvncFJFHJ7Gvn9wZArjbV5/FppcK2fKk/tI=
@@ -625,12 +587,11 @@ github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82/go.mod h1:lgjkn3NuSvDf
 github.com/yudai/pp v2.0.1+incompatible h1:Q4//iY4pNF6yPLZIigmvcl7k/bPgrcTPIFIcmawg5bI=
 github.com/yudai/pp v2.0.1+incompatible/go.mod h1:PuxR/8QJ7cyCkFp/aUDS+JY727OFEZkTdatxwunjIkc=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/zakjan/cert-chain-resolver v0.0.0-20200729110141-6b99e360f97a h1:Tj7Mkjj6sjeNwFBiRHM7ieg1CiPHCDNSMSmS0ooGcZo=
 github.com/zakjan/cert-chain-resolver v0.0.0-20200729110141-6b99e360f97a/go.mod h1:KNkcm66cr4ilOiEcjydK+tc2ShPUhqmuoXCljXUBPu8=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
-go.etcd.io/bbolt v1.3.3 h1:MUGmc65QhB3pIlaQ5bB4LwqSj6GIonVJXpZiaKNyaKk=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
-go.etcd.io/bbolt v1.3.5 h1:XAzx9gjCb0Rxj7EoqcClPD1d5ZBxZJk0jbuoPHenBt0=
 go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
 go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg=
 go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489/go.mod h1:yVHk9ub3CSBatqGNg7GRmsnfLWtoW60w4eDYfh7vHDg=
@@ -641,26 +602,20 @@ go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
-go.uber.org/atomic v1.4.0 h1:cxzIVoETapQEqDhQu3QfnvXAV4AlzcvUCxkVUFw3+EU=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
-go.uber.org/atomic v1.5.0 h1:OI5t8sDa1Or+q8AeE+yKeB/SDYioSHAgcVljj9JIETY=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.6.0 h1:Ezj3JGmsOnG1MoRWQkPBsKLe9DwWD9QeXzTRzzldNVk=
 go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/goleak v1.1.10 h1:z+mqJhf6ss6BSfSM671tgKyZBFPTTJM+HLxnhPC3wu0=
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
-go.uber.org/multierr v1.1.0 h1:HoEmRHQPVSqub6w2z2d2EOVs2fjyFRGyofhKuyDq0QI=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
-go.uber.org/multierr v1.3.0 h1:sFPn2GLc3poCkfrpIXGhBD2X0CMIo4Q/zSULXrj/+uc=
 go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
 go.uber.org/multierr v1.5.0 h1:KCa4XfM8CWFCpxXRGok+Q0SS/0XBhMDbHHGABQLvD2A=
 go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU=
 go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee h1:0mgffUl7nfd+FpvXMVz4IDEaUSmT1ysygQC7qYo7sG4=
 go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
 go.uber.org/zap v1.8.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-go.uber.org/zap v1.10.0 h1:ORx85nbTijNz8ljznvCMR1ZBIPKFn3jQrag10X2AsuM=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-go.uber.org/zap v1.13.0 h1:nR6NoDBgAf67s68NhaXbsojM+2gxp3S1hWkHDl27pVU=
 go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
 go.uber.org/zap v1.15.0 h1:ZZCA22JRF2gQE5FoNmhmrf7jeJJ2uhqDUNRYKm8dvmM=
 go.uber.org/zap v1.15.0/go.mod h1:Mb2vm2krFEG5DV0W9qcHBYFtp/Wku1cvYaqPsS/WYfc=
@@ -672,7 +627,6 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0 h1:hb9wdF1z5waM+dSIICn1l0DkLVDT3hqhhQsDNUmHPRE=
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -695,7 +649,6 @@ golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHl
 golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f h1:J5lckAjkw6qYlOZNj90mLYNTEKDvWeuc1yieZ8qUzUE=
 golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
 golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b h1:Wh+f8QHJXR411sJR8/vRBTZ7YapZaRvUcLFFJhusH0k=
@@ -736,16 +689,14 @@ golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7 h1:AeiKBIuRw3UomYXSbLy0Mc2dDLfdtbT/IVn4keq83P0=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6 h1:pE8b58s1HRDMi8RDc79m0HISf9D4TzseP40cEA6IGfs=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -755,6 +706,7 @@ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -793,31 +745,25 @@ golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200519105757-fe76b779f299 h1:DYfZAGf2WMFjMxbgTjaC+2HC7NkNAQs+6Q8b9WEB/F4=
 golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1 h1:ogLJMz+qpzav7lGMh10LMvAkM/fAoGlaiiHYiFYdm80=
 golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200803210538-64077c9b5642 h1:B6caxRw+hozq68X2MY7jEpZh/cr4/aHLv9xU8Kkadrw=
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201112073958-5cba982894dd h1:5CtCZbICpIOFdgO940moixOPjc0178IU44m4EjOO5IY=
 golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210112080510-489259a85091 h1:DMyOG0U+gKfu8JZzg2UQe9MeaC1X+xQWlAKcRnjxjCw=
+golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4 h1:0YWbFKbhXG/wIiuHDSKpS0Iy7FSA+u45VtBMfQcFTTc=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e h1:EHBhcS0mlXEAVwNyO2dLfjToGsyY4j24pTs2ScHnX7s=
 golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -863,11 +809,11 @@ golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapK
 golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
 golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200616133436-c1934b75d054 h1:HHeAlu5H9b71C+Fx0K+1dGgVFN1DM1/wz4aoGOA5qS8=
 golang.org/x/tools v0.0.0-20200616133436-c1934b75d054/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e h1:4nW4NLDYnU28ojHaHO8OVxFHk/aQ33U01a9cjED+pzE=
+golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -887,10 +833,8 @@ google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
-google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.6 h1:lMO5rYAqUxkmaj76jAkRUvt5JZgFymx/+Q5Mzfivuhc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
@@ -901,7 +845,6 @@ google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRn
 google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190530194941-fb225487d101/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s=
 google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55 h1:gSJIx1SDwno+2ElGhA4+qG2zF97qiUzTM+rQ0klBOcE=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
 google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
@@ -914,7 +857,6 @@ google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4
 google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 h1:+kGHl1aib/qcwaRi1CbqBZ1rk19r85MNUf8HaBghugY=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a h1:pOwg4OoaRYScjmR4LlLgdtnyoHYTSAVhhqe5uPdpII8=
 google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
@@ -927,9 +869,7 @@ google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ij
 google.golang.org/grpc v1.22.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.26.0 h1:2dTRdpdFEEhJYQD8EMLB61nnrzSCTbG38PhqdhvOltg=
 google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.27.0 h1:rRYRFMVgRv6E0D70Skyfsr28tDXIuuPZyWGMPdMcnXg=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.1 h1:zvIju4sqAGvwKspUQOhwnpcqSbzi7/H6QomNNjTL4sk=
 google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
@@ -939,10 +879,8 @@ google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQ
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.0 h1:4MY060fB1DLGMB/7MBTLnwQUY6+F09GEiz6SsrNqyzM=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.24.0 h1:UhZDfRO8JRQru4/+LlLE0BRKGF8L+PICnvYZmx/fEGA=
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
 google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
@@ -953,7 +891,6 @@ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogR
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o=
 gopkg.in/go-playground/assert.v1 v1.2.1 h1:xoYuJVE7KT85PYWrN730RguIQO0ePzVRfFMXadIrXTM=
@@ -965,7 +902,6 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
-gopkg.in/square/go-jose.v2 v2.2.2 h1:orlkJ3myw8CN1nVQHBFfloD+L3egixIa4FvUP6RosSA=
 gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
@@ -978,7 +914,6 @@ gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -989,7 +924,6 @@ honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3 h1:sXmLre5bzIR6ypkjXCDI3jHPssRhc8KD/Ome589sc3U=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
@@ -1020,7 +954,6 @@ k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8
 k8s.io/gengo v0.0.0-20201113003025-83324d819ded h1:JApXBKYyB7l9xx+DK7/+mFjC7A9Bt5A93FPvFD0HIFE=
 k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
-k8s.io/klog/v2 v2.2.0 h1:XRvcwJozkgZ1UQJmfMGpvRthQHOvihEhYtDfAaxMz/A=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.4.0 h1:7+X0fUguPyrKEC4WjH8iGDg3laWgMo5tMnRTIGTTxGQ=
 k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index dd04b0f09..5d4cff721 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -85,6 +85,8 @@ type Configuration struct {
 
 	ListenPorts *ngx_config.ListenPorts
 
+	DisableServiceExternalName bool
+
 	EnableSSLPassthrough bool
 
 	EnableProfiling bool
@@ -963,6 +965,10 @@ func (n *NGINXController) serviceEndpoints(svcKey, backendPort string) ([]ingres
 
 	// Ingress with an ExternalName Service and no port defined for that Service
 	if svc.Spec.Type == apiv1.ServiceTypeExternalName {
+		if n.cfg.DisableServiceExternalName {
+			klog.Warningf("Service %q of type ExternalName not allowed due to Ingress configuration.", svcKey)
+			return upstreams, nil
+		}
 		servicePort := externalNamePorts(backendPort, svc)
 		endps := getEndpoints(svc, servicePort, apiv1.ProtocolTCP, n.store.GetServiceEndpoints)
 		if len(endps) == 0 {
diff --git a/test/e2e/settings/disable_service_external_name.go b/test/e2e/settings/disable_service_external_name.go
new file mode 100644
index 000000000..910a906ca
--- /dev/null
+++ b/test/e2e/settings/disable_service_external_name.go
@@ -0,0 +1,95 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package settings
+
+import (
+	"context"
+	"net/http"
+	"strings"
+
+	"github.com/gavv/httpexpect/v2"
+	"github.com/onsi/ginkgo"
+	"github.com/stretchr/testify/assert"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+var _ = framework.IngressNginxDescribe("[Flag] disable-service-external-name", func() {
+	f := framework.NewDefaultFramework("disabled-service-external-name")
+
+	ginkgo.BeforeEach(func() {
+		f.NewEchoDeploymentWithReplicas(2)
+
+		err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error {
+			args := deployment.Spec.Template.Spec.Containers[0].Args
+			args = append(args, "--disable-svc-external-name=true")
+			deployment.Spec.Template.Spec.Containers[0].Args = args
+			_, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{})
+
+			return err
+		})
+		assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller deployment flags")
+	})
+
+	ginkgo.It("should ignore services of external-name type", func() {
+
+		nonexternalhost := "echo-svc.com"
+
+		externalhost := "echo-external-svc.com"
+		svcexternal := &corev1.Service{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "external",
+				Namespace: f.Namespace,
+			},
+			Spec: corev1.ServiceSpec{
+				ExternalName: "httpbin.org",
+				Type:         corev1.ServiceTypeExternalName,
+			},
+		}
+		f.EnsureService(svcexternal)
+
+		ingexternal := framework.NewSingleIngress(externalhost, "/", externalhost, f.Namespace, "external", 80, nil)
+		f.EnsureIngress(ingexternal)
+
+		ing := framework.NewSingleIngress(nonexternalhost, "/", nonexternalhost, f.Namespace, framework.EchoService, 80, nil)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(nonexternalhost, func(cfg string) bool {
+			return strings.Contains(cfg, "server_name echo-svc.com")
+		})
+
+		f.WaitForNginxServer(externalhost, func(cfg string) bool {
+			return strings.Contains(cfg, "server_name echo-external-svc.com")
+		})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", nonexternalhost).
+			Expect().
+			Status(http.StatusOK)
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", externalhost).
+			Expect().
+			StatusRange(httpexpect.Status5xx)
+
+	})
+})

From a064337621c127385cf3f8903adb3bbf7d9c1abc Mon Sep 17 00:00:00 2001
From: Kirill Trofimenkov <cgorbit@joom.com>
Date: Tue, 6 Jul 2021 20:50:19 +0300
Subject: [PATCH 007/376] Rewrite clean-nginx-conf.sh in Go to speed up
 admission webhook (#7076) (#7322)

* Rewrite clean-nginx-conf.sh to speed up admission webhook

* Less diff with original clean-nginx-conf.sh

* Add error handling, add documentation, add unit test

* indent code

* Don't ignore Getwd() error
---
 go.mod                                        |   1 +
 .../ingress/controller/template/template.go   | 104 +++++++++-
 .../controller/template/template_test.go      |  41 ++++
 rootfs/Dockerfile                             |   1 -
 rootfs/ingress-controller/clean-nginx-conf.sh |  27 ---
 rootfs/ingress-controller/indent.sh           |  22 ---
 test/data/cleanConf.expected.conf             | 139 +++++++++++++
 test/data/cleanConf.src.conf                  | 187 ++++++++++++++++++
 8 files changed, 462 insertions(+), 60 deletions(-)
 delete mode 100755 rootfs/ingress-controller/clean-nginx-conf.sh
 delete mode 100755 rootfs/ingress-controller/indent.sh
 create mode 100644 test/data/cleanConf.expected.conf
 create mode 100644 test/data/cleanConf.src.conf

diff --git a/go.mod b/go.mod
index 181e72f7d..b3e3ac703 100644
--- a/go.mod
+++ b/go.mod
@@ -20,6 +20,7 @@ require (
 	github.com/onsi/ginkgo v1.16.4
 	github.com/opencontainers/runc v1.0.0-rc92
 	github.com/pkg/errors v0.9.1
+	github.com/pmezard/go-difflib v1.0.0
 	github.com/prometheus/client_golang v1.7.1
 	github.com/prometheus/client_model v0.2.0
 	github.com/prometheus/common v0.14.0
diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go
index 98e737a63..3aa521c87 100644
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@@ -23,12 +23,12 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"math/rand" // #nosec
 	"net"
 	"net/url"
 	"os"
-	"os/exec"
 	"reflect"
 	"regexp"
 	"sort"
@@ -50,9 +50,15 @@ import (
 )
 
 const (
-	slash         = "/"
-	nonIdempotent = "non_idempotent"
-	defBufferSize = 65535
+	slash                   = "/"
+	nonIdempotent           = "non_idempotent"
+	defBufferSize           = 65535
+	writeIndentOnEmptyLines = true // backward-compatibility
+)
+
+const (
+	stateCode = iota
+	stateComment
 )
 
 // TemplateWriter is the interface to render a template
@@ -86,6 +92,87 @@ func NewTemplate(file string) (*Template, error) {
 	}, nil
 }
 
+// 1. Removes carriage return symbol (\r)
+// 2. Collapses multiple empty lines to single one
+// 3. Re-indent
+// (ATW: always returns nil)
+func cleanConf(in *bytes.Buffer, out *bytes.Buffer) error {
+	depth := 0
+	lineStarted := false
+	emptyLineWritten := false
+	state := stateCode
+	for {
+		c, err := in.ReadByte()
+		if err != nil {
+			if err == io.EOF {
+				return nil
+			}
+			return err // unreachable
+		}
+
+		needOutput := false
+		nextDepth := depth
+		nextLineStarted := lineStarted
+
+		switch state {
+		case stateCode:
+			switch c {
+			case '{':
+				needOutput = true
+				nextDepth = depth + 1
+				nextLineStarted = true
+			case '}':
+				needOutput = true
+				depth--
+				nextDepth = depth
+				nextLineStarted = true
+			case ' ', '\t':
+				needOutput = lineStarted
+			case '\r':
+			case '\n':
+				needOutput = !(!lineStarted && emptyLineWritten)
+				nextLineStarted = false
+			case '#':
+				needOutput = true
+				nextLineStarted = true
+				state = stateComment
+			default:
+				needOutput = true
+				nextLineStarted = true
+			}
+		case stateComment:
+			switch c {
+			case '\r':
+			case '\n':
+				needOutput = true
+				nextLineStarted = false
+				state = stateCode
+			default:
+				needOutput = true
+			}
+		}
+
+		if needOutput {
+			if !lineStarted && (writeIndentOnEmptyLines || c != '\n') {
+				for i := 0; i < depth; i++ {
+					err = out.WriteByte('\t') // always nil
+					if err != nil {
+						return err
+					}
+				}
+			}
+			emptyLineWritten = !lineStarted
+			err = out.WriteByte(c) // always nil
+			if err != nil {
+				return err
+			}
+		}
+
+		depth = nextDepth
+		lineStarted = nextLineStarted
+	}
+}
+
 // Write populates a buffer using a template with NGINX configuration
 // and the servers and upstreams created by Ingress rules
 func (t *Template) Write(conf config.TemplateConfig) ([]byte, error) {
@@ -110,12 +197,9 @@ func (t *Template) Write(conf config.TemplateConfig) ([]byte, error) {
 
 	// squeezes multiple adjacent empty lines to be single
 	// spaced this is to avoid the use of regular expressions
-	cmd := exec.Command("/ingress-controller/clean-nginx-conf.sh")
-	cmd.Stdin = tmplBuf
-	cmd.Stdout = outCmdBuf
-	if err := cmd.Run(); err != nil {
-		klog.Warningf("unexpected error cleaning template: %v", err)
-		return tmplBuf.Bytes(), nil
+	err = cleanConf(tmplBuf, outCmdBuf)
+	if err != nil {
+		return nil, err
 	}
 
 	return outCmdBuf.Bytes(), nil
diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go
index 1af988197..411b24349 100644
--- a/internal/ingress/controller/template/template_test.go
+++ b/internal/ingress/controller/template/template_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package template
 
 import (
+	"bytes"
 	"encoding/base64"
 	"fmt"
 	"io/ioutil"
@@ -29,6 +30,7 @@ import (
 	"testing"
 
 	jsoniter "github.com/json-iterator/go"
+	"github.com/pmezard/go-difflib/difflib"
 	apiv1 "k8s.io/api/core/v1"
 	networking "k8s.io/api/networking/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -178,6 +180,14 @@ proxy_pass http://upstream_balancer;`,
 	}
 )
 
+func getTestDataDir() (string, error) {
+	pwd, err := os.Getwd()
+	if err != nil {
+		return "", err
+	}
+	return path.Join(pwd, "../../../../test/data"), nil
+}
+
 func TestBuildLuaSharedDictionaries(t *testing.T) {
 	invalidType := &ingress.Ingress{}
 	expected := ""
@@ -1576,3 +1586,34 @@ func TestConvertGoSliceIntoLuaTablet(t *testing.T) {
 		}
 	}
 }
+
+func TestCleanConf(t *testing.T) {
+	testDataDir, err := getTestDataDir()
+	if err != nil {
+		t.Error("unexpected error reading conf file: ", err)
+	}
+	actual := &bytes.Buffer{}
+	{
+		data, err := ioutil.ReadFile(testDataDir + "/cleanConf.src.conf")
+		if err != nil {
+			t.Error("unexpected error reading conf file: ", err)
+		}
+		in := bytes.NewBuffer(data)
+		err = cleanConf(in, actual)
+		if err != nil {
+			t.Error("cleanConf failed: ", err)
+		}
+	}
+
+	expected, err := ioutil.ReadFile(testDataDir + "/cleanConf.expected.conf")
+	if err != nil {
+		t.Error("unexpected error reading conf file: ", err)
+	}
+	if !bytes.Equal(expected, actual.Bytes()) {
+		diff, err := difflib.GetUnifiedDiffString(difflib.UnifiedDiff{A: strings.SplitAfter(string(expected), "\n"), B: strings.SplitAfter(actual.String(), "\n"), Context: 3})
+		if err != nil {
+			t.Error("failed to get diff for cleanConf", err)
+		}
+		t.Errorf("cleanConf result don't match with expected: %s", diff)
+	}
+}
diff --git a/rootfs/Dockerfile b/rootfs/Dockerfile
index 49abbdac2..7fc8cfee3 100644
--- a/rootfs/Dockerfile
+++ b/rootfs/Dockerfile
@@ -40,7 +40,6 @@ RUN apk update \
   && rm -rf /var/cache/apk/*
 
 COPY --chown=www-data:www-data etc /etc
-COPY --chown=www-data:www-data ingress-controller /ingress-controller
 
 COPY --chown=www-data:www-data bin/${TARGETARCH}/dbg /
 COPY --chown=www-data:www-data bin/${TARGETARCH}/nginx-ingress-controller /
diff --git a/rootfs/ingress-controller/clean-nginx-conf.sh b/rootfs/ingress-controller/clean-nginx-conf.sh
deleted file mode 100755
index 07900981e..000000000
--- a/rootfs/ingress-controller/clean-nginx-conf.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/bash
-
-# Copyright 2017 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# This script removes consecutive empty lines in nginx.conf
-# Using sed is more simple than using a go regex
-
-# Sed commands:
-# 1. remove the return carrier character/s
-# 2. remove empty lines
-# 3. replace multiple empty lines
-
-SCRIPT_ROOT=$(dirname ${BASH_SOURCE})
-
-sed -e 's/\r//g' | sed -e 's/^  *$/\'$'\n/g' | sed -e '/^$/{N;/^\n$/D;}' | ${SCRIPT_ROOT}/indent.sh
diff --git a/rootfs/ingress-controller/indent.sh b/rootfs/ingress-controller/indent.sh
deleted file mode 100755
index 83c0f0005..000000000
--- a/rootfs/ingress-controller/indent.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/usr/bin/awk -f
-
-# Copyright 2017 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Credits to https://evasive.ru/f29bd7ebacf24a50c582f973a55eee28.html
-
-{sub(/^[ \t]+/,"");idx=0}
-/\{/{ctx++;idx=1}
-/\}/{ctx--}
-{id="";for(i=idx;i<ctx;i++)id=sprintf("%s%s", id, "\t");printf "%s%s\n", id, $0}
diff --git a/test/data/cleanConf.expected.conf b/test/data/cleanConf.expected.conf
new file mode 100644
index 000000000..5edad651b
--- /dev/null
+++ b/test/data/cleanConf.expected.conf
@@ -0,0 +1,139 @@
+# Configuration checksum: 
+
+# setup custom paths that do not require root access
+pid /tmp/nginx.pid;
+
+daemon off;
+
+worker_processes 8;
+
+worker_rlimit_nofile 130048;
+
+worker_shutdown_timeout 240s ;
+
+events {
+	multi_accept        on;
+	worker_connections  16384;
+	use                 epoll;
+}
+
+http {
+	lua_package_path "/etc/nginx/lua/?.lua;;";
+	
+	lua_shared_dict balancer_ewma 10M;
+	lua_shared_dict balancer_ewma_last_touched_at 10M;
+	lua_shared_dict balancer_ewma_locks 1M;
+	lua_shared_dict certificate_data 20M;
+	lua_shared_dict certificate_servers 5M;
+	lua_shared_dict configuration_data 20M;
+	lua_shared_dict ocsp_response_cache 5M;
+	
+	init_by_lua_block {
+		collectgarbage("collect")
+		
+		-- init modules
+		local ok, res
+		
+		ok, res = pcall(require, "lua_ingress")
+		if not ok then
+		error("require failed: " .. tostring(res))
+		else
+		lua_ingress = res
+		lua_ingress.set_config({
+			use_forwarded_headers = true,
+			use_proxy_protocol = false,
+			is_ssl_passthrough_enabled = false,
+			http_redirect_code = 308,
+			listen_ports = { ssl_proxy = "442", https = "443" },
+			
+			hsts = true,
+			hsts_max_age = 15724800,
+			hsts_include_subdomains = true,
+			hsts_preload = false,
+		})
+		end
+		
+		ok, res = pcall(require, "monitor")
+		if not ok then
+		error("require failed: " .. tostring(res))
+		else
+		monitor = res
+		end
+		
+	}
+	
+	init_worker_by_lua_block {
+		lua_ingress.init_worker()
+		balancer.init_worker()
+		
+		monitor.init_worker(10000)
+		
+		plugins.run()
+	}
+	
+	map $request_uri $loggable {
+		
+		default 1;
+	}
+	
+	access_log /var/log/nginx/access.log upstreaminfo  if=$loggable;
+	
+	error_log  /var/log/nginx/error.log notice;
+	
+	resolver 169.254.25.10 valid=30s ipv6=off;
+	
+	# See https://www.nginx.com/blog/websocket-nginx
+	map $http_upgrade $connection_upgrade {
+		default          upgrade;
+		
+		# See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
+		''               '';
+		
+	}
+	
+	## start server _
+	server {
+		server_name _ ;
+		
+		listen 80 default_server reuseport backlog=4096 ;
+		listen 443 default_server reuseport backlog=4096 ssl http2 ;
+		
+		set $proxy_upstream_name "-";
+		
+		ssl_certificate_by_lua_block {
+			certificate.call()
+		}
+		
+		location / {
+			
+			set $namespace      "";
+			set $ingress_name   "";
+			set $service_name   "";
+			set $service_port   "";
+			set $location_path  "";
+			
+			rewrite_by_lua_block {
+				lua_ingress.rewrite({
+					force_ssl_redirect = false,
+					ssl_redirect = false,
+					force_no_ssl_redirect = false,
+					use_port_in_redirects = false,
+				})
+				balancer.rewrite()
+				plugins.run()
+			}
+			
+			# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
+			# other authentication method such as basic auth or external auth useless - all requests will be allowed.
+			#access_by_lua_block {
+			#}
+			
+			header_filter_by_lua_block {
+				lua_ingress.header()
+				plugins.run()
+			}
+			
+		}
+		## end server _
+		
+	}
diff --git a/test/data/cleanConf.src.conf b/test/data/cleanConf.src.conf
new file mode 100644
index 000000000..81944e1ce
--- /dev/null
+++ b/test/data/cleanConf.src.conf
@@ -0,0 +1,187 @@
+# Configuration checksum: 
+
+# setup custom paths that do not require root access
+pid /tmp/nginx.pid;
+
+
+
+
+
+
+
+
+
+
+
+
+
+daemon off;
+
+worker_processes 8;
+
+
+worker_rlimit_nofile 130048;
+
+
+
+worker_shutdown_timeout 240s ;
+
+
+
+events {
+    multi_accept        on;
+    worker_connections  16384;
+    use                 epoll;
+}
+
+http {
+    lua_package_path "/etc/nginx/lua/?.lua;;";
+
+    lua_shared_dict balancer_ewma 10M;
+lua_shared_dict balancer_ewma_last_touched_at 10M;
+lua_shared_dict balancer_ewma_locks 1M;
+lua_shared_dict certificate_data 20M;
+lua_shared_dict certificate_servers 5M;
+lua_shared_dict configuration_data 20M;
+lua_shared_dict ocsp_response_cache 5M;
+
+
+    init_by_lua_block {
+        collectgarbage("collect")
+
+        -- init modules
+        local ok, res
+
+        ok, res = pcall(require, "lua_ingress")
+        if not ok then
+          error("require failed: " .. tostring(res))
+        else
+          lua_ingress = res
+          lua_ingress.set_config({
+		use_forwarded_headers = true,
+		use_proxy_protocol = false,
+		is_ssl_passthrough_enabled = false,
+		http_redirect_code = 308,
+		listen_ports = { ssl_proxy = "442", https = "443" },
+
+		hsts = true,
+		hsts_max_age = 15724800,
+		hsts_include_subdomains = true,
+		hsts_preload = false,
+	})
+        end
+
+
+        
+        ok, res = pcall(require, "monitor")
+        if not ok then
+          error("require failed: " .. tostring(res))
+        else
+          monitor = res
+        end
+        
+
+    }
+
+    init_worker_by_lua_block {
+        lua_ingress.init_worker()
+        balancer.init_worker()
+        
+        monitor.init_worker(10000)
+        
+
+        plugins.run()
+    }
+
+    
+    
+    map $request_uri $loggable {
+        
+        default 1;
+    }
+
+    
+    
+    access_log /var/log/nginx/access.log upstreaminfo  if=$loggable;
+    
+    
+
+    
+    error_log  /var/log/nginx/error.log notice;
+    
+
+    resolver 169.254.25.10 valid=30s ipv6=off;
+
+    # See https://www.nginx.com/blog/websocket-nginx
+    map $http_upgrade $connection_upgrade {
+        default          upgrade;
+        
+        # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
+        ''               '';
+        
+    }
+
+
+    ## start server _
+    server {
+        server_name _ ;
+
+        
+        
+
+        
+        
+        
+
+        listen 80 default_server reuseport backlog=4096 ;
+        listen 443 default_server reuseport backlog=4096 ssl http2 ;
+
+        set $proxy_upstream_name "-";
+
+        ssl_certificate_by_lua_block {
+            certificate.call()
+        }
+
+
+
+        location / {
+            
+            set $namespace      "";
+            set $ingress_name   "";
+            set $service_name   "";
+            set $service_port   "";
+            set $location_path  "";
+
+            
+
+            
+
+            rewrite_by_lua_block {
+                lua_ingress.rewrite({
+		force_ssl_redirect = false,
+		ssl_redirect = false,
+		force_no_ssl_redirect = false,
+		use_port_in_redirects = false,
+	})
+                balancer.rewrite()
+                plugins.run()
+            }
+
+            # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
+            # other authentication method such as basic auth or external auth useless - all requests will be allowed.
+            #access_by_lua_block {
+            #}
+
+            header_filter_by_lua_block {
+                lua_ingress.header()
+                plugins.run()
+            }
+
+
+    }
+    ## end server _
+
+    
+
+    
+}

From 12a2a6d0e096ef99df00693636ffe65257cc8fa9 Mon Sep 17 00:00:00 2001
From: Kyle Michel <kylermichel@gmail.com>
Date: Tue, 6 Jul 2021 22:24:43 -0400
Subject: [PATCH 008/376] Fix definition order of modsecurity directives for
 controller to match PR 5315 (#6940) (#7323)

* Fix definition order of modsecurity directives for controller to match PR 5315

* Add a test
---
 rootfs/etc/nginx/template/nginx.tmpl | 10 ++--
 test/e2e/annotations/modsecurity.go  | 76 ++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+), 4 deletions(-)

diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index a18922895..e6f516f73 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -149,14 +149,16 @@ http {
     {{ if $all.Cfg.EnableModsecurity }}
     modsecurity on;
 
+    {{ if (not (empty $all.Cfg.ModsecuritySnippet)) }}
+    modsecurity_rules '
+      {{ $all.Cfg.ModsecuritySnippet }}
+    ';
+    {{ end }}
+
     modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
 
     {{ if $all.Cfg.EnableOWASPCoreRules }}
     modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;
-    {{ else if (not (empty $all.Cfg.ModsecuritySnippet)) }}
-    modsecurity_rules '
-      {{ $all.Cfg.ModsecuritySnippet }}
-    ';
     {{ end }}
 
     {{ end }}
diff --git a/test/e2e/annotations/modsecurity.go b/test/e2e/annotations/modsecurity.go
index 1f5a2f607..d83803c93 100644
--- a/test/e2e/annotations/modsecurity.go
+++ b/test/e2e/annotations/modsecurity.go
@@ -216,4 +216,80 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
 			Expect().
 			Status(http.StatusForbidden)
 	})
+
+	ginkgo.It("should enable modsecurity when enable-owasp-modsecurity-crs is set to true", func() {
+		host := "modsecurity.foo.com"
+		nameSpace := f.Namespace
+
+		snippet := `SecRuleEngine On
+		SecRequestBodyAccess On
+		SecAuditEngine RelevantOnly
+		SecAuditLogParts ABIJDEFHZ
+		SecAuditLog /dev/stdout
+		SecAuditLogType Serial
+		SecRule REQUEST_HEADERS:User-Agent \"block-ua\" \"log,deny,id:107,status:403,msg:\'UA blocked\'\"`
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/modsecurity-snippet": snippet,
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		f.SetNginxConfigMapData(map[string]string{
+			"enable-modsecurity":           "true",
+			"enable-owasp-modsecurity-crs": "true",
+		})
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, "SecRuleEngine On")
+			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("User-Agent", "block-ua").
+			Expect().
+			Status(http.StatusForbidden)
+	})
+
+	ginkgo.It("should enable modsecurity through the config map", func() {
+		host := "modsecurity.foo.com"
+		nameSpace := f.Namespace
+
+		snippet := `SecRequestBodyAccess On
+		SecAuditEngine RelevantOnly
+		SecAuditLogParts ABIJDEFHZ
+		SecAuditLog /dev/stdout
+		SecAuditLogType Serial
+		SecRule REQUEST_HEADERS:User-Agent \"block-ua\" \"log,deny,id:107,status:403,msg:\'UA blocked\'\"`
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/modsecurity-snippet": snippet,
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		expectedComment := "SecRuleEngine On"
+
+		f.SetNginxConfigMapData(map[string]string{
+			"enable-modsecurity":           "true",
+			"enable-owasp-modsecurity-crs": "true",
+			"modsecurity-snippet":          expectedComment,
+		})
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return true
+			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("User-Agent", "block-ua").
+			Expect().
+			Status(http.StatusForbidden)
+	})
 })

From 0e606ddcb26e3b29c56c44b389610278bf479e68 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Fri, 9 Jul 2021 17:38:54 -0300
Subject: [PATCH 009/376] Speed up admission hook by eliminating deep copy of
 Ingresses in CheckIngress (#7298) (#7333)

Co-authored-by: Kirill Trofimenkov <cgorbit@joom.com>
---
 internal/ingress/controller/location.go | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/internal/ingress/controller/location.go b/internal/ingress/controller/location.go
index e6b6c44bd..c5db878c5 100644
--- a/internal/ingress/controller/location.go
+++ b/internal/ingress/controller/location.go
@@ -20,10 +20,8 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/mitchellh/copystructure"
 	networking "k8s.io/api/networking/v1beta1"
 	"k8s.io/ingress-nginx/internal/ingress"
-	"k8s.io/klog/v2"
 )
 
 var (
@@ -73,18 +71,14 @@ func updateServerLocations(locations []*ingress.Location) []*ingress.Location {
 			continue
 		}
 
-		// copy location before any change
-		el, err := copystructure.Copy(location)
-		if err != nil {
-			klog.ErrorS(err, "copying location")
-		}
+		var el ingress.Location = *location
 
 		// normalize path. Must end in /
 		location.Path = normalizePrefixPath(location.Path)
 		newLocations = append(newLocations, location)
 
 		// add exact location
-		exactLocation := el.(*ingress.Location)
+		exactLocation := &el
 		exactLocation.PathType = &pathTypeExact
 
 		newLocations = append(newLocations, exactLocation)

From 74a112a5558c36805a3a3d03517e5fa7c98dc07e Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rkatz@vmware.com>
Date: Fri, 9 Jul 2021 17:40:47 -0300
Subject: [PATCH 010/376] Release v0.48

---
 TAG | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/TAG b/TAG
index 0131a133c..4af8a6aad 100644
--- a/TAG
+++ b/TAG
@@ -1 +1 @@
-v0.47.0
+v0.48.0

From b61043b928850f92b98ebe99cb759fbc08ffdf89 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rkatz@vmware.com>
Date: Sun, 11 Jul 2021 10:33:40 -0300
Subject: [PATCH 011/376] Release v0.48.1

---
 TAG | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/TAG b/TAG
index 4af8a6aad..2268e6061 100644
--- a/TAG
+++ b/TAG
@@ -1 +1 @@
-v0.48.0
+v0.48.1

From 24f99c84666c6919ed0fe0c61dcb8c78f87a125c Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Wed, 14 Jul 2021 15:06:19 -0400
Subject: [PATCH 012/376] update v0.48.1 (#7350)

---
 Changelog.md                                  | 23 ++++++++++
 README.md                                     | 12 +++---
 charts/ingress-nginx/Chart.yaml               |  2 +-
 charts/ingress-nginx/values.yaml              |  4 +-
 .../provider/aws/deploy-tls-termination.yaml  | 40 +++++++++---------
 deploy/static/provider/aws/deploy.yaml        | 40 +++++++++---------
 deploy/static/provider/baremetal/deploy.yaml  | 40 +++++++++---------
 deploy/static/provider/cloud/deploy.yaml      | 40 +++++++++---------
 deploy/static/provider/do/deploy.yaml         | 40 +++++++++---------
 deploy/static/provider/exoscale/deploy.yaml   | 42 +++++++++----------
 deploy/static/provider/kind/deploy.yaml       | 40 +++++++++---------
 deploy/static/provider/scw/deploy.yaml        | 40 +++++++++---------
 docs/deploy/index.md                          | 18 ++++----
 stable.txt                                    |  1 +
 14 files changed, 204 insertions(+), 178 deletions(-)
 create mode 100644 stable.txt

diff --git a/Changelog.md b/Changelog.md
index b9a0de82b..661b96d4a 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,28 @@
 # Changelog
 
+### 0.48.1
+
+**Image:**
+
+- `k8s.gcr.io/ingress-nginx/controller:v0.48.1@sha256:e9fb216ace49dfa4a5983b183067e97496e7a8b307d2093f4278cd550c303899`
+
+_New Features:_
+
+
+_Changes:_
+
+- [X] [#7298](https://github.com/kubernetes/ingress-nginx/pull/ ) Speed up admission hook by eliminating deep 
+  copy of Ingresses in CheckIngress
+- [X] [#6940](https://github.com/kubernetes/ingress-nginx/pull/6940) Fix definition order of modsecurity 
+  directives for controller
+- [X] [#7314](https://github.com/kubernetes/ingress-nginx/pull/7314) Add configuration to disable external name service feature #7314
+- [X] [#7076](https://github.com/kubernetes/ingress-nginx/pull/7076) Rewrite clean-nginx-conf.sh in Go to speed up 
+  admission webhook
+- [X] [#7255](https://github.com/kubernetes/ingress-nginx/pull/7255) Fix nilpointer in admission and remove failing 
+  test #7255 
+- [X] [#7216](https://github.com/kubernetes/ingress-nginx/pull/7216) Admission: Skip validation checks if an ingress 
+  is marked as deleted #7216
+  
 ### 0.47.0
 
 **Image:**
diff --git a/README.md b/README.md
index 9add5beba..cdbd96a4a 100644
--- a/README.md
+++ b/README.md
@@ -37,11 +37,13 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 
 ### Support Versions table 
 
-| Ingress-nginx version | k8s supported version | Alpine Version | Nginx Version |
-|-----------------------|-------------          |----------------|---------------|
-| v0.47.0               | 1.21, 1.20, 1.19      | 3.13.5         |  1.20.1       |
-| v0.46.0               | 1.21, 1.20, 1.19      | 3.13.2         |  1.19.6       |
-| v0.45.0               | 1.21, 1.20, 1.19      | 3.13.2         |  1.19.6       |
+| Ingress-nginx version | k8s supported version  | Alpine Version | Nginx Version |
+|-----------------------|-------------           |----------------|---------------|
+| v1.0.0-alpha.2        | 1.22, 1.21, 1.20, 1.19 | 3.13.5         |  1.20.1       |
+| v1.0.0-alpha.1        | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
+| v0.48.1               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
+| v0.47.0               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
+| v0.46.0               | 1.21, 1.20, 1.19       | 3.13.2         |  1.19.6       |
 
 # Get Involved
 
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 43d526eae..d4eedf977 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -3,7 +3,7 @@ name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
 version: 3.34.0
-appVersion: 0.47.0
+appVersion: 0.48.1
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 460b19884..f5496eb61 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -15,8 +15,8 @@ controller:
     # for backwards compatibility consider setting the full image url via the repository value below
     # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     # repository:
-    tag: "v0.47.0"
-    digest: sha256:a1e4efc107be0bb78f32eaec37bef17d7a0c81bec8066cdf2572508d21351d0b
+    tag: "v0.48.1"
+    digest: sha256:e9fb216ace49dfa4a5983b183067e97496e7a8b307d2093f4278cd550c303899
     pullPolicy: IfNotPresent
     # www-data -> uid 101
     runAsUser: 101
diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml
index e70e88853..36ad19519 100644
--- a/deploy/static/provider/aws/deploy-tls-termination.yaml
+++ b/deploy/static/provider/aws/deploy-tls-termination.yaml
@@ -16,7 +16,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -31,7 +31,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -53,7 +53,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -122,7 +122,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -142,7 +142,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -228,7 +228,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -250,7 +250,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -281,7 +281,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -311,7 +311,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -334,7 +334,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.47.0@sha256:a1e4efc107be0bb78f32eaec37bef17d7a0c81bec8066cdf2572508d21351d0b
+          image: k8s.gcr.io/ingress-nginx/controller:v0.48.1@sha256:e9fb216ace49dfa4a5983b183067e97496e7a8b307d2093f4278cd550c303899
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -429,7 +429,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -470,7 +470,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -486,7 +486,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -510,7 +510,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -535,7 +535,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -560,7 +560,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -585,7 +585,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -596,7 +596,7 @@ spec:
         helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.47.0
+        app.kubernetes.io/version: 0.48.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -633,7 +633,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -644,7 +644,7 @@ spec:
         helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.47.0
+        app.kubernetes.io/version: 0.48.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml
index 15831416d..6233febd9 100644
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@@ -16,7 +16,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -31,7 +31,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -46,7 +46,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -115,7 +115,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -135,7 +135,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -221,7 +221,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -243,7 +243,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -271,7 +271,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -301,7 +301,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -324,7 +324,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.47.0@sha256:a1e4efc107be0bb78f32eaec37bef17d7a0c81bec8066cdf2572508d21351d0b
+          image: k8s.gcr.io/ingress-nginx/controller:v0.48.1@sha256:e9fb216ace49dfa4a5983b183067e97496e7a8b307d2093f4278cd550c303899
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -416,7 +416,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -457,7 +457,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -473,7 +473,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -497,7 +497,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -522,7 +522,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -547,7 +547,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -572,7 +572,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -583,7 +583,7 @@ spec:
         helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.47.0
+        app.kubernetes.io/version: 0.48.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -620,7 +620,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -631,7 +631,7 @@ spec:
         helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.47.0
+        app.kubernetes.io/version: 0.48.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml
index 63ad2a46e..01dbd0376 100644
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@@ -16,7 +16,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -31,7 +31,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -46,7 +46,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -115,7 +115,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -135,7 +135,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -221,7 +221,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -243,7 +243,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -268,7 +268,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -297,7 +297,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -320,7 +320,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.47.0@sha256:a1e4efc107be0bb78f32eaec37bef17d7a0c81bec8066cdf2572508d21351d0b
+          image: k8s.gcr.io/ingress-nginx/controller:v0.48.1@sha256:e9fb216ace49dfa4a5983b183067e97496e7a8b307d2093f4278cd550c303899
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -411,7 +411,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -452,7 +452,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -468,7 +468,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -492,7 +492,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -517,7 +517,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -542,7 +542,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -567,7 +567,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -578,7 +578,7 @@ spec:
         helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.47.0
+        app.kubernetes.io/version: 0.48.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -615,7 +615,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -626,7 +626,7 @@ spec:
         helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.47.0
+        app.kubernetes.io/version: 0.48.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml
index bfce22c62..ef156a1ad 100644
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@@ -16,7 +16,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -31,7 +31,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -46,7 +46,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -115,7 +115,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -135,7 +135,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -221,7 +221,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -243,7 +243,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -268,7 +268,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -298,7 +298,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -321,7 +321,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.47.0@sha256:a1e4efc107be0bb78f32eaec37bef17d7a0c81bec8066cdf2572508d21351d0b
+          image: k8s.gcr.io/ingress-nginx/controller:v0.48.1@sha256:e9fb216ace49dfa4a5983b183067e97496e7a8b307d2093f4278cd550c303899
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -413,7 +413,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -454,7 +454,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -470,7 +470,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -494,7 +494,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -519,7 +519,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -544,7 +544,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -569,7 +569,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -580,7 +580,7 @@ spec:
         helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.47.0
+        app.kubernetes.io/version: 0.48.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -617,7 +617,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -628,7 +628,7 @@ spec:
         helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.47.0
+        app.kubernetes.io/version: 0.48.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml
index b262c1edd..e11912f95 100644
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@@ -16,7 +16,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -31,7 +31,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -47,7 +47,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -116,7 +116,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -136,7 +136,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -222,7 +222,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -244,7 +244,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -270,7 +270,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -300,7 +300,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -323,7 +323,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.47.0@sha256:a1e4efc107be0bb78f32eaec37bef17d7a0c81bec8066cdf2572508d21351d0b
+          image: k8s.gcr.io/ingress-nginx/controller:v0.48.1@sha256:e9fb216ace49dfa4a5983b183067e97496e7a8b307d2093f4278cd550c303899
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -415,7 +415,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -456,7 +456,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -472,7 +472,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -496,7 +496,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -521,7 +521,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -546,7 +546,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -571,7 +571,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -582,7 +582,7 @@ spec:
         helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.47.0
+        app.kubernetes.io/version: 0.48.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -619,7 +619,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -630,7 +630,7 @@ spec:
         helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.47.0
+        app.kubernetes.io/version: 0.48.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml
index 411e5c752..4ca8022e0 100644
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@@ -16,7 +16,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -31,7 +31,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -46,7 +46,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -115,7 +115,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -135,7 +135,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -221,7 +221,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -243,7 +243,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -276,7 +276,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -306,7 +306,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -329,7 +329,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.47.0@sha256:a1e4efc107be0bb78f32eaec37bef17d7a0c81bec8066cdf2572508d21351d0b
+          image: k8s.gcr.io/ingress-nginx/controller:v0.48.1@sha256:e9fb216ace49dfa4a5983b183067e97496e7a8b307d2093f4278cd550c303899
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -341,7 +341,7 @@ spec:
             - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
             - --election-id=ingress-controller-leader
             - --ingress-class=nginx
-            - --configmap=ingress-nginx/ingress-nginx-controller
+            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
             - --validating-webhook=:8443
             - --validating-webhook-certificate=/usr/local/certificates/cert
             - --validating-webhook-key=/usr/local/certificates/key
@@ -421,7 +421,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -462,7 +462,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -478,7 +478,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -502,7 +502,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -527,7 +527,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -552,7 +552,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -577,7 +577,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -588,7 +588,7 @@ spec:
         helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.47.0
+        app.kubernetes.io/version: 0.48.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -625,7 +625,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -636,7 +636,7 @@ spec:
         helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.47.0
+        app.kubernetes.io/version: 0.48.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index 7198b1d03..e949e8597 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -16,7 +16,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -31,7 +31,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -46,7 +46,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -115,7 +115,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -135,7 +135,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -221,7 +221,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -243,7 +243,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -268,7 +268,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -297,7 +297,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -324,7 +324,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.47.0@sha256:a1e4efc107be0bb78f32eaec37bef17d7a0c81bec8066cdf2572508d21351d0b
+          image: k8s.gcr.io/ingress-nginx/controller:v0.48.1@sha256:e9fb216ace49dfa4a5983b183067e97496e7a8b307d2093f4278cd550c303899
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -423,7 +423,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -464,7 +464,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -480,7 +480,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -504,7 +504,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -529,7 +529,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -554,7 +554,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -579,7 +579,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -590,7 +590,7 @@ spec:
         helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.47.0
+        app.kubernetes.io/version: 0.48.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -627,7 +627,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -638,7 +638,7 @@ spec:
         helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.47.0
+        app.kubernetes.io/version: 0.48.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml
index 76104696f..464742262 100644
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@@ -16,7 +16,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -31,7 +31,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -47,7 +47,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -116,7 +116,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -136,7 +136,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -222,7 +222,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -244,7 +244,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -270,7 +270,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -300,7 +300,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -323,7 +323,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.47.0@sha256:a1e4efc107be0bb78f32eaec37bef17d7a0c81bec8066cdf2572508d21351d0b
+          image: k8s.gcr.io/ingress-nginx/controller:v0.48.1@sha256:e9fb216ace49dfa4a5983b183067e97496e7a8b307d2093f4278cd550c303899
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -415,7 +415,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -456,7 +456,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -472,7 +472,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -496,7 +496,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -521,7 +521,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -546,7 +546,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -571,7 +571,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -582,7 +582,7 @@ spec:
         helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.47.0
+        app.kubernetes.io/version: 0.48.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -619,7 +619,7 @@ metadata:
     helm.sh/chart: ingress-nginx-3.34.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.47.0
+    app.kubernetes.io/version: 0.48.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -630,7 +630,7 @@ spec:
         helm.sh/chart: ingress-nginx-3.34.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.47.0
+        app.kubernetes.io/version: 0.48.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index a821357df..2c8d46efd 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -54,7 +54,7 @@ Kubernetes is available in Docker Desktop
 - Windows, from [version 18.06.0-ce](https://docs.docker.com/docker-for-windows/release-notes/#docker-community-edition-18060-ce-win70-2018-07-25)
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/cloud/deploy.yaml
 ```
 
 #### minikube
@@ -82,7 +82,7 @@ In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controll
 ##### Network Load Balancer (NLB)
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/aws/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/aws/deploy.yaml
 ```
 
 ##### TLS termination in AWS Load Balancer (ELB)
@@ -91,10 +91,10 @@ In some scenarios is required to terminate TLS in the Load Balancer and not in t
 
 For this purpose we provide a template:
 
-- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/aws/deploy-tls-termination.yaml)
+- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/aws/deploy-tls-termination.yaml)
 
 ```console
-wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/aws/deploy-tls-termination.yaml
+wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/aws/deploy-tls-termination.yaml
 ```
 
 - Edit the file and change:
@@ -140,7 +140,7 @@ More information with regards to timeouts can be found in the [official AWS docu
 
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/cloud/deploy.yaml
 ```
 
 !!! failure Important
@@ -149,7 +149,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 #### Azure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/cloud/deploy.yaml
 ```
 
 More information with regards to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller).
@@ -157,13 +157,13 @@ More information with regards to Azure annotations for ingress controller can be
 #### Digital Ocean
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/do/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/do/deploy.yaml
 ```
 
 #### Scaleway
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/scw/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/scw/deploy.yaml
 ```
 
 #### Exoscale
@@ -187,7 +187,7 @@ A [complete list of available annotations for Oracle Cloud Infrastructure](https
 Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport):
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/baremetal/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/baremetal/deploy.yaml
 ```
 
 !!! tip
diff --git a/stable.txt b/stable.txt
new file mode 100644
index 000000000..f1c0a329b
--- /dev/null
+++ b/stable.txt
@@ -0,0 +1 @@
+controller-v0.48.1

From 1de9a24b286ad933fa2076a20fe6f1e6205398e0 Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Wed, 14 Jul 2021 15:14:40 -0400
Subject: [PATCH 013/376] Update ci main (#7351)

* update actions, master to main:

* update cloud build and scripts
---
 .github/ISSUE_TEMPLATE/bug_report.md | 4 ++--
 .github/PULL_REQUEST_TEMPLATE.md     | 2 +-
 .github/workflows/ci.yaml            | 2 +-
 .github/workflows/docs.yaml          | 2 +-
 .github/workflows/helm.yaml          | 2 +-
 cloudbuild.yaml                      | 2 +-
 hack/generate-e2e-suite-doc.sh       | 2 +-
 7 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 095f079d6..ed5a31532 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -60,11 +60,11 @@ Help up us (if possible) reproducing the issue using minikube or kind.
 
 ## Install the ingress controller
 
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/baremetal/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/baremetal/deploy.yaml
 
 ## Install an application that will act as default backend (is just an echo app)
 
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/http-svc.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/http-svc.yaml
 
 ## Create an ingress (please add any additional annotation required)
 
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 8b499fe8d..27d5ba4b7 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -28,6 +28,6 @@ fixes #
 <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
 - [ ] My change requires a change to the documentation.
 - [ ] I have updated the documentation accordingly.
-- [ ] I've read the [CONTRIBUTION](https://github.com/kubernetes/ingress-nginx/blob/master/CONTRIBUTING.md) guide
+- [ ] I've read the [CONTRIBUTION](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md) guide
 - [ ] I have added tests to cover my changes.
 - [ ] All new and existing tests passed.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index a6101db9f..d121c2fa3 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -7,7 +7,7 @@ on:
 
   push:
     branches:
-      - master
+      - main
 
 jobs:
 
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index 3d180dc54..4fdff33d2 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -3,7 +3,7 @@ name: Documentation
 on:
   push:
     branches:
-      - master
+      - main
 
 jobs:
 
diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml
index af8b01448..a8a4c0227 100644
--- a/.github/workflows/helm.yaml
+++ b/.github/workflows/helm.yaml
@@ -3,7 +3,7 @@ name: Helm
 on:
   push:
     branches:
-      - master
+      - main
 
 jobs:
 
diff --git a/cloudbuild.yaml b/cloudbuild.yaml
index 0c2854fa8..8dead6df3 100644
--- a/cloudbuild.yaml
+++ b/cloudbuild.yaml
@@ -21,5 +21,5 @@ steps:
       && make release
 substitutions:
   _GIT_TAG: "12345"
-  _PULL_BASE_REF: "master"
+  _PULL_BASE_REF: "main"
   _PULL_BASE_SHA: '12345'
diff --git a/hack/generate-e2e-suite-doc.sh b/hack/generate-e2e-suite-doc.sh
index cfcc55040..c5545945e 100755
--- a/hack/generate-e2e-suite-doc.sh
+++ b/hack/generate-e2e-suite-doc.sh
@@ -22,7 +22,7 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-URL="https://github.com/kubernetes/ingress-nginx/tree/master/"
+URL="https://github.com/kubernetes/ingress-nginx/tree/main/"
 DIR=$(cd $(dirname "${BASH_SOURCE}")/.. && pwd -P)
 
 echo "

From 20b620262012fface13eff941a0d6aa8a54db83e Mon Sep 17 00:00:00 2001
From: Long <5085914+longwuyuan@users.noreply.github.com>
Date: Fri, 16 Jul 2021 17:08:09 +0530
Subject: [PATCH 014/376] changed syntax from v1beta1 to v1 (#7362)

---
 docs/user-guide/basic-usage.md | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/docs/user-guide/basic-usage.md b/docs/user-guide/basic-usage.md
index 82019d978..5ccb9bd38 100644
--- a/docs/user-guide/basic-usage.md
+++ b/docs/user-guide/basic-usage.md
@@ -5,7 +5,7 @@ ingress-nginx can be used for many use cases, inside various cloud provider and
 First of all follow the instructions to install ingress-nginx. Then imagine that you need to expose 2 HTTP services already installed: `myServiceA`, `myServiceB`. Let's say that you want to expose the first at `myServiceA.foo.org` and the second at `myServiceB.foo.org`. One possible solution is to create two **ingress** resources:
 
 ```
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: ingress-myservicea
@@ -18,11 +18,14 @@ spec:
     http:
       paths:
       - path: /
+        pathType: Prefix
         backend:
-          serviceName: myservicea
-          servicePort: 80
+          service:
+            name: myservicea
+            port:
+              number: 80
 ---
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: ingress-myserviceb
@@ -35,9 +38,12 @@ spec:
     http:
       paths:
       - path: /
+        pathType: Prefix
         backend:
-          serviceName: myserviceb
-          servicePort: 80
+          service:
+            name: myserviceb
+            port:
+              number: 80
 ```
 
 When you apply this yaml, 2 ingress resources will be created managed by the **ingress-nginx** instance. Nginx is configured to automatically discover all ingress with the `kubernetes.io/ingress.class: "nginx"` annotation.

From 724df422bda7a58afa47550969394a000a9b7314 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Fri, 16 Jul 2021 09:30:09 -0300
Subject: [PATCH 015/376] Add cpanato as Helm chart approver (#7364)

Signed-off-by: Ricardo Katz <rkatz@vmware.com>
---
 charts/ingress-nginx/OWNERS | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/charts/ingress-nginx/OWNERS b/charts/ingress-nginx/OWNERS
index 7aadb8dc2..0cece5f7c 100644
--- a/charts/ingress-nginx/OWNERS
+++ b/charts/ingress-nginx/OWNERS
@@ -1,5 +1,7 @@
 approvers:
   - ChiefAlexander
+  - cpanato
 
 reviewers:
   - ChiefAlexander
+  - cpanato

From a20f27ff7d438a3243486f7e452b3ad0f4bb8863 Mon Sep 17 00:00:00 2001
From: Shuhei Kitagawa <shuheiktgw@users.noreply.github.com>
Date: Fri, 16 Jul 2021 22:06:09 +0900
Subject: [PATCH 016/376] Add missing tests for store/endpoint (#7039)

---
 .../ingress/controller/store/endpoint_test.go | 66 +++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 internal/ingress/controller/store/endpoint_test.go

diff --git a/internal/ingress/controller/store/endpoint_test.go b/internal/ingress/controller/store/endpoint_test.go
new file mode 100644
index 000000000..6c8ae40e2
--- /dev/null
+++ b/internal/ingress/controller/store/endpoint_test.go
@@ -0,0 +1,66 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package store
+
+import (
+	apiv1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/tools/cache"
+	"testing"
+)
+
+func newEndpointLister(t *testing.T) *EndpointLister {
+	t.Helper()
+
+	return &EndpointLister{Store: cache.NewStore(cache.MetaNamespaceKeyFunc)}
+}
+
+func TestEndpointLister(t *testing.T) {
+	t.Run("the key does not exist", func(t *testing.T) {
+		el := newEndpointLister(t)
+
+		key := "namespace/endpoint"
+		_, err := el.ByKey(key)
+
+		if err == nil {
+			t.Error("expected an error but nothing has been returned")
+		}
+
+		if _, ok := err.(NotExistsError); !ok {
+			t.Errorf("expected NotExistsError, got %v", err)
+		}
+	})
+
+	t.Run("the key exists", func(t *testing.T) {
+		el := newEndpointLister(t)
+
+		key := "namespace/endpoint"
+		endpoint := &apiv1.Endpoints{ObjectMeta: metav1.ObjectMeta{Namespace: "namespace", Name: "endpoint"}}
+
+		el.Add(endpoint)
+
+		e, err := el.ByKey(key)
+
+		if err != nil {
+			t.Errorf("unexpeted error %v", err)
+		}
+
+		if e != endpoint {
+			t.Errorf("expected %v, error, got %v", e, endpoint)
+		}
+	})
+}

From cc57c05321f521184691cf0d25fc7b055a378d55 Mon Sep 17 00:00:00 2001
From: Carlos Tadeu Panato Junior <ctadeu@gmail.com>
Date: Fri, 16 Jul 2021 15:24:09 +0200
Subject: [PATCH 017/376] update OWNERS and aliases files (#7365)

Signed-off-by: Carlos Panato <ctadeu@gmail.com>
---
 OWNERS                      | 13 +++++--------
 OWNERS_ALIASES              | 30 ++++++++++++++++++++++++++----
 charts/ingress-nginx/OWNERS |  8 ++++----
 images/OWNERS               | 10 ++++++----
 4 files changed, 41 insertions(+), 20 deletions(-)

diff --git a/OWNERS b/OWNERS
index 250bce4e8..1d90c4cd5 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,15 +1,12 @@
 # See the OWNERS docs: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md
 
 approvers:
-  - ingress-nginx-admins
-  - ingress-nginx-maintainers
-  - ElvinEfendi
-  - rikatz
+- ingress-nginx-admins
+- ingress-nginx-maintainers
+- sig-network-leads
 
 reviewers:
-  - ElvinEfendi
-  - cmluciano
-  - rikatz
+- ingress-nginx-reviewers
 
 emeritus_approvers:
-  - aledbf  # 2020-04-02
+- aledbf  # 2020-04-02
diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES
index 30f781cfc..b313f36b8 100644
--- a/OWNERS_ALIASES
+++ b/OWNERS_ALIASES
@@ -2,9 +2,31 @@
 
 aliases:
   sig-network-leads:
-    - caseydavenport
-    - dcbw
-    - thockin
+  - caseydavenport
+  - dcbw
+  - thockin
+
   ingress-nginx-admins:
-    - bowei
+  - bowei
+  - rikatz
+
   ingress-nginx-maintainers:
+  - ElvinEfendi
+  - justinsb
+  - rikatz
+  - strongjz
+
+  ingress-nginx-reviewers:
+  - ElvinEfendi
+  - cmluciano
+  - rikatz
+  - strongjz
+  - tao12345666333
+
+  ingress-nginx-helm-maintainers:
+  - ChiefAlexander
+  - cpanato
+
+  ingress-nginx-helm-reviewers:
+  - ChiefAlexander
+  - cpanato
diff --git a/charts/ingress-nginx/OWNERS b/charts/ingress-nginx/OWNERS
index 0cece5f7c..a31654fff 100644
--- a/charts/ingress-nginx/OWNERS
+++ b/charts/ingress-nginx/OWNERS
@@ -1,7 +1,7 @@
+# See the OWNERS docs: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md
+
 approvers:
-  - ChiefAlexander
-  - cpanato
+- ingress-nginx-helm-maintainers
 
 reviewers:
-  - ChiefAlexander
-  - cpanato
+- ingress-nginx-helm-reviewers
diff --git a/images/OWNERS b/images/OWNERS
index b135a937c..00f162ebd 100644
--- a/images/OWNERS
+++ b/images/OWNERS
@@ -1,7 +1,9 @@
+# See the OWNERS docs: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md
+
 approvers:
-- aledbf
-- ElvinEfendi
+- ingress-nginx-admins
+- ingress-nginx-maintainers
 
 reviewers:
-- ElvinEfendi
-- aledbf
+- ingress-nginx-admins
+- ingress-nginx-maintainers

From 9e274dd41cc214219be873680184912407437f48 Mon Sep 17 00:00:00 2001
From: Long <5085914+longwuyuan@users.noreply.github.com>
Date: Fri, 16 Jul 2021 18:58:09 +0530
Subject: [PATCH 018/376] fix for #7197 & #7285 (#7361)

---
 deploy/grafana/kustomization.yaml    |   1 -
 deploy/prometheus/kustomization.yaml |   1 -
 docs/user-guide/monitoring.md        | 148 +++++++++++++++++++--------
 3 files changed, 103 insertions(+), 47 deletions(-)

diff --git a/deploy/grafana/kustomization.yaml b/deploy/grafana/kustomization.yaml
index 2069c1a7a..e2744818e 100644
--- a/deploy/grafana/kustomization.yaml
+++ b/deploy/grafana/kustomization.yaml
@@ -9,4 +9,3 @@ resources:
 - service.yaml
 images:
 - name: grafana/grafana
-  newTag: 6.1.6
diff --git a/deploy/prometheus/kustomization.yaml b/deploy/prometheus/kustomization.yaml
index 2d6e0a7e2..a55bd8d2c 100644
--- a/deploy/prometheus/kustomization.yaml
+++ b/deploy/prometheus/kustomization.yaml
@@ -12,7 +12,6 @@ resources:
 - service.yaml
 images:
 - name: prom/prometheus
-  newTag: v2.3.2
 configMapGenerator:
 - name: prometheus-configuration
   files:
diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md
index 4f6376a3b..6471f997e 100644
--- a/docs/user-guide/monitoring.md
+++ b/docs/user-guide/monitoring.md
@@ -7,79 +7,137 @@ This tutorial will show you how to install [Prometheus](https://prometheus.io/)
 
 ## Before You Begin
 
-The NGINX Ingress controller should already be deployed according to the deployment instructions [here](../deploy/index.md).
+- The NGINX Ingress controller should already be deployed according to the deployment instructions [here](../deploy/index.md).
+
+- The controller should be configured for exporting metrics. This requires 3 configurations to the controller. These configurations are :
+  1. controller.metrics.enabled=true
+  2. controller.podAnnotations."prometheus.io/scrape"="true"
+  3. controller.podAnnotations."prometheus.io/port"="10254"
+
+  - The easiest way to configure the controller for metrics is via helm upgrade. Assuming you have installed the ingress-nginx controller as a helm release named ingresscontroller0, then you can simply type the command show below :
+  ```
+  helm upgrade ingresscontroller0 ingress-nginx/ingress-nginx \
+  --namespace ingress-nginx \
+  --set controller.metrics.enabled=true \
+  --set-string controller.podAnnotations."prometheus\.io/scrape"="true" \
+  --set-string controller.podAnnotations."prometheus\.io/port"="10254"
+  ```
+  - You can validate that the controller is configured for metrics by looking at the values of the installed release, like this ;
+  ```
+  helm get values ingress-controller --namespace ingress-nginx
+  ```
+  - You should be able to see the values shown below ;
+  ```
+  ..
+  controller:
+    metrics:
+      enabled: true
+      service:
+        annotations:
+          prometheus.io/port: "10254"
+          prometheus.io/scrape: "true" 
+  ..
+  ```
 
-Note that the kustomize bases used in this tutorial are stored in the [deploy](https://github.com/kubernetes/ingress-nginx/tree/master/deploy) folder of the GitHub repository [kubernetes/ingress-nginx](https://github.com/kubernetes/ingress-nginx).
 
 ## Deploy and configure Prometheus Server
 
-The Prometheus server must be configured so that it can discover endpoints of services. If a Prometheus server is already running in the cluster and if it is configured in a way that it can find the ingress controller pods, no extra configuration is needed.
+Note that the kustomize bases used in this tutorial are stored in the [deploy](https://github.com/kubernetes/ingress-nginx/tree/master/deploy) folder of the GitHub repository [kubernetes/ingress-nginx](https://github.com/kubernetes/ingress-nginx).
 
-If there is no existing Prometheus server running, the rest of this tutorial will guide you through the steps needed to deploy a properly configured Prometheus server.
+- The Prometheus server must be configured so that it can discover endpoints of services. If a Prometheus server is already running in the cluster and if it is configured in a way that it can find the ingress controller pods, no extra configuration is needed.
 
-Running the following command deploys prometheus in Kubernetes:
+- If there is no existing Prometheus server running, the rest of this tutorial will guide you through the steps needed to deploy a properly configured Prometheus server.
 
-```console
-kubectl apply --kustomize github.com/kubernetes/ingress-nginx/deploy/prometheus/
-```
+- Running the following command deploys prometheus in Kubernetes:
+
+  ```
+  kubectl apply --kustomize github.com/kubernetes/ingress-nginx/deploy/prometheus/
+  ```
 
 ### Prometheus Dashboard
 
-Open Prometheus dashboard in a web browser:
+- Open Prometheus dashboard in a web browser:
 
-```console
-kubectl get svc -n ingress-nginx
-NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                                      AGE
-default-http-backend   ClusterIP   10.103.59.201   <none>        80/TCP                                       3d
-ingress-nginx          NodePort    10.97.44.72     <none>        80:30100/TCP,443:30154/TCP,10254:32049/TCP   5h
-prometheus-server      NodePort    10.98.233.86    <none>        9090:32630/TCP                               1m
-```
+  ```console
+  kubectl get svc -n ingress-nginx
+  NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                                      AGE
+  default-http-backend   ClusterIP   10.103.59.201   <none>        80/TCP                                       3d
+  ingress-nginx          NodePort    10.97.44.72     <none>        80:30100/TCP,443:30154/TCP,10254:32049/TCP   5h
+  prometheus-server      NodePort    10.98.233.86    <none>        9090:32630/TCP                               1m
+  ```
 
-Obtain the IP address of the nodes in the running cluster:
+  - Obtain the IP address of the nodes in the running cluster:
 
-```console
-kubectl get nodes -o wide
-```
+  ```console
+  kubectl get nodes -o wide
+  ```
 
-In some cases where the node only have internal IP addresses we need to execute:
+  - In some cases where the node only have internal IP addresses we need to execute:
 
-```console
-kubectl get nodes --selector=kubernetes.io/role!=master -o jsonpath={.items[*].status.addresses[?\(@.type==\"InternalIP\"\)].address}
-10.192.0.2 10.192.0.3 10.192.0.4
-```
+  ```
+  kubectl get nodes --selector=kubernetes.io/role!=master -o jsonpath={.items[*].status.addresses[?\(@.type==\"InternalIP\"\)].address}
+  10.192.0.2 10.192.0.3 10.192.0.4
+  ```
 
-Open your browser and visit the following URL: _http://{node IP address}:{prometheus-svc-nodeport}_ to load the Prometheus Dashboard.
+  - Open your browser and visit the following URL: _http://{node IP address}:{prometheus-svc-nodeport}_ to load the Prometheus Dashboard.
 
-According to the above example, this URL will be http://10.192.0.3:32630
+  - According to the above example, this URL will be http://10.192.0.3:32630
 
-![Dashboard](../images/prometheus-dashboard.png)
+  ![Prometheus Dashboard](../images/prometheus-dashboard.png)
 
 ### Grafana
 
-```console
-kubectl apply --kustomize github.com/kubernetes/ingress-nginx/deploy/grafana/
-```
+  - Install grafana using the below command
+  ```
+  kubectl apply --kustomize github.com/kubernetes/ingress-nginx/deploy/grafana/
+  ```
+  - Look at the services
+  ```
+  kubectl get svc -n ingress-nginx
+  NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                                      AGE
+  default-http-backend   ClusterIP   10.103.59.201   <none>        80/TCP                                       3d
+  ingress-nginx          NodePort    10.97.44.72     <none>        80:30100/TCP,443:30154/TCP,10254:32049/TCP   5h
+  prometheus-server      NodePort    10.98.233.86    <none>        9090:32630/TCP                               10m
+  grafana                NodePort    10.98.233.87    <none>        3000:31086/TCP                               10m
+  ```
 
-```console
-kubectl get svc -n ingress-nginx
-NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                                      AGE
-default-http-backend   ClusterIP   10.103.59.201   <none>        80/TCP                                       3d
-ingress-nginx          NodePort    10.97.44.72     <none>        80:30100/TCP,443:30154/TCP,10254:32049/TCP   5h
-prometheus-server      NodePort    10.98.233.86    <none>        9090:32630/TCP                               10m
-grafana                NodePort    10.98.233.87    <none>        3000:31086/TCP                               10m
-```
-
-Open your browser and visit the following URL: _http://{node IP address}:{grafana-svc-nodeport}_ to load the Grafana Dashboard.
+  - Open your browser and visit the following URL: _http://{node IP address}:{grafana-svc-nodeport}_ to load the Grafana Dashboard.
 According to the above example, this URL will be http://10.192.0.3:31086
 
-The username and password is `admin`
+  The username and password is `admin`
 
-After the login you can import the Grafana dashboard from [official dashboards](https://github.com/kubernetes/ingress-nginx/tree/master/deploy/grafana/dashboards)
+  - After the login you can import the Grafana dashboard from [official dashboards](https://github.com/kubernetes/ingress-nginx/tree/master/deploy/grafana/dashboards), by following steps given below :
 
-![Dashboard](../images/grafana.png)
+    - Navigate to lefthand panel of grafana
+    - Hover on the gearwheel icon for Configuration and click "Data Sources"
+    - Click "Add data source"
+    - Select "Prometheus"
+    - Enter the details (note: I used http://CLUSTER_IP_PROMETHEUS_SVC:9090)
+    - Left menu (hover over +) -> Dashboard
+    - Click "Import"
+    - Enter the copy pasted json from https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json
+    - Click Import JSON
+    - Select the Prometheus data source
+    - Click "Import"
+
+
+
+  ![Grafana Dashboard](../images/grafana.png)
 
 ## Caveats
 
 ### Wildcard ingresses
 
-By default request metrics are labeled with the hostname. When you have a wildcard domain ingress, then there will be no metrics for that ingress (to prevent the metrics from exploding in cardinality). To get metrics in this case you need to run the ingress controller with `--metrics-per-host=false` (you will lose labeling by hostname, but still have labeling by ingress).
+  - By default request metrics are labeled with the hostname. When you have a wildcard domain ingress, then there will be no metrics for that ingress (to prevent the metrics from exploding in cardinality). To get metrics in this case you need to run the ingress controller with `--metrics-per-host=false` (you will lose labeling by hostname, but still have labeling by ingress).
+
+## Grafana dashboard using ingress resource
+  - If you want to expose the dashboard for grafana using a ingress resource, then you can : 
+    - change the service type of the prometheus-server service and the grafana service to "ClusterIP" like this :
+    ```
+    kubectl -n ingress-nginx edit svc grafana
+    ```
+    - This will open the currently deployed service grafana in the default editor configured in your shell (vi/nvim/nano/other)
+    - scroll down to line 34 that looks like "type: NodePort"
+    - change it to look like "type: ClusterIP". Save and exit.
+    - create a ingress reource with backend as "grafana" and port as "3000"
+  - Similarly, you can edit the service "prometheus-server" and add a ingress resource.

From 91a4bba0261f61ed3628b9c8534e787e6e25bfe8 Mon Sep 17 00:00:00 2001
From: Long <5085914+longwuyuan@users.noreply.github.com>
Date: Fri, 23 Jul 2021 02:21:18 +0530
Subject: [PATCH 019/376] grpc - replaced fortune-builder app with official
 greeter app (#7360)

---
 docs/examples/grpc/README.md                  | 191 ++++++++++++------
 docs/examples/grpc/app.yaml                   |  23 ---
 docs/examples/grpc/cert.yaml                  |   7 -
 docs/examples/grpc/ingress.yaml               |  24 ---
 docs/examples/grpc/svc.yaml                   |  12 --
 images/go-grpc-greeter-server/Makefile        |  55 +++++
 images/go-grpc-greeter-server/cloudbuild.yaml |  24 +++
 .../go-grpc-greeter-server/rootfs/Dockerfile  |  16 ++
 images/grpc-fortune-teller/.gitignore         |   1 -
 images/grpc-fortune-teller/BUILD.bazel        |  15 --
 images/grpc-fortune-teller/Gopkg.lock         | 104 ----------
 images/grpc-fortune-teller/README.md          |  59 ------
 images/grpc-fortune-teller/WORKSPACE          |  62 ------
 images/grpc-fortune-teller/app/BUILD.bazel    |  69 -------
 images/grpc-fortune-teller/app/main.go        | 137 -------------
 images/grpc-fortune-teller/go.mod             |   0
 .../proto/fortune/BUILD.bazel                 |  24 ---
 .../proto/fortune/fortune.proto               |  14 --
 18 files changed, 220 insertions(+), 617 deletions(-)
 delete mode 100644 docs/examples/grpc/app.yaml
 delete mode 100644 docs/examples/grpc/cert.yaml
 delete mode 100644 docs/examples/grpc/ingress.yaml
 delete mode 100644 docs/examples/grpc/svc.yaml
 create mode 100644 images/go-grpc-greeter-server/Makefile
 create mode 100644 images/go-grpc-greeter-server/cloudbuild.yaml
 create mode 100644 images/go-grpc-greeter-server/rootfs/Dockerfile
 delete mode 100644 images/grpc-fortune-teller/.gitignore
 delete mode 100644 images/grpc-fortune-teller/BUILD.bazel
 delete mode 100644 images/grpc-fortune-teller/Gopkg.lock
 delete mode 100644 images/grpc-fortune-teller/README.md
 delete mode 100644 images/grpc-fortune-teller/WORKSPACE
 delete mode 100644 images/grpc-fortune-teller/app/BUILD.bazel
 delete mode 100644 images/grpc-fortune-teller/app/main.go
 delete mode 100644 images/grpc-fortune-teller/go.mod
 delete mode 100644 images/grpc-fortune-teller/proto/fortune/BUILD.bazel
 delete mode 100644 images/grpc-fortune-teller/proto/fortune/fortune.proto

diff --git a/docs/examples/grpc/README.md b/docs/examples/grpc/README.md
index 60e696bfd..8835b5110 100644
--- a/docs/examples/grpc/README.md
+++ b/docs/examples/grpc/README.md
@@ -1,93 +1,152 @@
 # gRPC
 
-This example demonstrates how to route traffic to a gRPC service through the
-nginx controller.
+This example demonstrates how to route traffic to a gRPC service through the nginx controller.
 
 ## Prerequisites
 
 1. You have a kubernetes cluster running.
-2. You have a domain name such as `example.com` that is configured to route
-   traffic to the ingress controller.  Replace references to
-   `fortune-teller.stack.build` (the domain name used in this example) to your
-   own domain name (you're also responsible for provisioning an SSL certificate
-   for the ingress).
-3. You have the nginx-ingress controller installed in typical fashion (must be
-   at least
-   [quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0](https://quay.io/kubernetes-ingress-controller/nginx-ingress-controller)
-   for grpc support.
-4. You have a backend application running a gRPC server and listening for TCP
-   traffic.  If you prefer, you can use the
-   [fortune-teller](https://github.com/kubernetes/ingress-nginx/tree/master/images/grpc-fortune-teller)
-   application provided here as an example.
+2. You have a domain name such as `example.com` that is configured to route traffic to the ingress controller.
+3. You have the nginx-ingress controller installed as per docs, with gRPC support.
+4. You have a backend application running a gRPC server and listening for TCP traffic.  If you want, you can use <https://github.com/grpc/grpc-go/blob/91e0aeb192456225adf27966d04ada4cf8599915/examples/features/reflection/server/main.go> as an example.
+5. You're also responsible for provisioning an SSL certificate for the ingress. So you need to have a valid SSL certificate, deployed as a Kubernetes secret of type tls, in the same namespace as the gRPC application.
 
-### Step 1: kubernetes `Deployment`
+### Step 1: Create a Kubernetes `Deployment` for gRPC app
 
-```sh
-$ kubectl create -f app.yaml
-```
+- Make sure your gRPC application pod is running and listening for connections. For example you can try a kubectl command like this below:
+  ```
+  $ kubectl get po -A -o wide | grep go-grpc-greeter-server
+  ```
+- If you have a gRPC app deployed in your cluster, then skip further notes in this Step 1, and continue from Step 2 below. 
 
-This is a standard kubernetes deployment object.  It is running a grpc service
-listening on port `50051`.
+- As an example gRPC application, we can use this app <https://github.com/grpc/grpc-go/blob/91e0aeb192456225adf27966d04ada4cf8599915/examples/features/reflection/server/main.go> .
 
-The sample application
-[fortune-teller-app](https://github.com/kubernetes/ingress-nginx/tree/master/images/grpc-fortune-teller)
-is a grpc server implemented in go. Here's the stripped-down implementation:
+- To create a container image for this app, you can use [this Dockerfile](../../../images/go-grpc-greeter-server/rootfs/Dockerfile). 
 
-```go
-func main() {
-	grpcServer := grpc.NewServer()
-	fortune.RegisterFortuneTellerServer(grpcServer, &FortuneTeller{})
-	lis, _ := net.Listen("tcp", ":50051")
-	grpcServer.Serve(lis)
-}
-```
+- If you use the Dockerfile mentioned above, to create a image, then given below is an example of a Kubernetes manifest, to create a deployment resource, that uses that image. If needed, then edit this manifest to suit your needs. Assuming the name of this yaml file is  `deployment.go-grpc-greeter-server.yaml` ;
 
-The takeaway is that we are not doing any TLS configuration on the server (as we
-are terminating TLS at the ingress level, grpc traffic will travel unencrypted
-inside the cluster and arrive "insecure").
+  ```
+  cat <<EOF | kubectl apply -f -
+  apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    labels:
+      app: go-grpc-greeter-server
+    name: go-grpc-greeter-server
+  spec:
+    replicas: 1
+    selector:
+      matchLabels:
+        app: go-grpc-greeter-server
+    template:
+      metadata:
+        labels:
+          app: go-grpc-greeter-server
+      spec:
+        containers:
+        - image: <reponame>/go-grpc-greeter-server   # Edit this for your reponame
+          resources:
+            limits:
+              cpu: 100m
+              memory: 100Mi
+            requests:
+              cpu: 50m
+              memory: 50Mi
+          name: go-grpc-greeter-server
+          ports:
+          - containerPort: 50051
+  EOF
+  ```
 
-For your own application you may or may not want to do this.  If you prefer to
-forward encrypted traffic to your POD and terminate TLS at the gRPC server
-itself, add the ingress annotation `nginx.ingress.kubernetes.io/backend-protocol: "GRPCS"`.
+### Step 2: Create the Kubernetes `Service` for the gRPC app
 
-### Step 2: the kubernetes `Service`
+- You can use the following example manifest to create a service of type ClusterIP. Edit the name/namespace/label/port to match your deployment/pod ;
+  ```
+  cat <<EOF | kubectl apply -f -
+  apiVersion: v1
+  kind: Service
+  metadata:
+    labels:
+      app: go-grpc-greeter-server
+    name: go-grpc-greeter-server
+  spec:
+    ports:
+    - port: 80
+      protocol: TCP
+      targetPort: 50051
+    selector:
+      app: go-grpc-greeter-server
+    type: ClusterIP
+  EOF
+  ```
+- You can save the above example manifest to a file with name `service.go-grpc-greeter-server.yaml` and edit it to match your deployment/pod, if required. You can create the service resource with a kubectl command like this ;
 
-```sh
-$ kubectl create -f svc.yaml
-```
+  ```
+  $ kubectl create -f service.go-grpc-greeter-server.yaml
+  ```
 
-Here we have a typical service. Nothing special, just routing traffic to the
-backend application on port `50051`.
+### Step 3: Create the Kubernetes `Ingress` resource for the gRPC app
 
-### Step 3: the kubernetes `Ingress`
+- Use the following example manifest of a ingress resource to create a ingress for your grpc app. If required, edit it to match your app's details like name, namespace, service, secret etc. Make sure you have the required SSL-Certificate, existing in your Kubernetes cluster, in the same namespace where the gRPC app is. The certificate must be available as a kubernetes secret resource, of type "kubernete.io/tls" https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets. This is because we are terminating TLS on the ingress;
 
-```sh
-$ kubectl create -f ingress.yaml
-```
+  ```
+  cat <<EOF | kubectl apply -f -
+  apiVersion: networking.k8s.io/v1
+  kind: Ingress
+  metadata:
+    annotations:
+      kubernetes.io/ingress.class: "nginx"
+      nginx.ingress.kubernetes.io/ssl-redirect: "true"
+      nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
+    name: fortune-ingress
+    namespace: default
+  spec:
+    rules:
+    - host: grpctest.dev.mydomain.com
+      http:
+        paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: go-grpc-greeter-server
+              port:
+                number: 80
+    tls:
+    # This secret must exist beforehand
+    # The cert must also contain the subj-name grpctest.dev.mydomain.com
+    # https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/PREREQUISITES.md#tls-certificates
+    - secretName: wildcard.dev.mydomain.com
+      hosts:
+        - grpctest.dev.mydomain.com
+  EOF
+  ```
 
-A few things to note:
+- If you save the above example manifest as a file named `ingress.go-grpc-greeter-server.yaml` and edit it to match your deployment and service, you can create the ingress like this ;
 
-1. We've tagged the ingress with the annotation
-   `nginx.ingress.kubernetes.io/backend-protocol: "GRPC"`.  This is the magic
-   ingredient that sets up the appropriate nginx configuration to route http/2
-   traffic to our service.
-1. We're terminating TLS at the ingress and have configured an SSL certificate
-   `fortune-teller.stack.build`.  The ingress matches traffic arriving as
-   `https://fortune-teller.stack.build:443` and routes unencrypted messages to
-   our kubernetes service.
+  ```
+  $ kubectl create -f ingress.go-grpc-greeter-server.yaml
+  ```
+
+- The takeaway is that we are not doing any TLS configuration on the server (as we are terminating TLS at the ingress level, gRPC traffic will travel unencrypted inside the cluster and arrive "insecure").
+
+- For your own application you may or may not want to do this.  If you prefer to forward encrypted traffic to your POD and terminate TLS at the gRPC server itself, add the ingress annotation `nginx.ingress.kubernetes.io/backend-protocol: "GRPCS"`.
+
+- A few more things to note:
+
+  - We've tagged the ingress with the annotation `nginx.ingress.kubernetes.io/backend-protocol: "GRPC"`.  This is the magic ingredient that sets up the appropriate nginx configuration to route http/2 traffic to our service.
+
+  - We're terminating TLS at the ingress and have configured an SSL certificate `wildcard.dev.mydomain.com`.  The ingress matches traffic arriving as `https://grpctest.dev.mydomain.com:443` and routes unencrypted messages to the backend Kubernetes service.
 
 ### Step 4: test the connection
 
-Once we've applied our configuration to kubernetes, it's time to test that we
-can actually talk to the backend.  To do this, we'll use the
-[grpcurl](https://github.com/fullstorydev/grpcurl) utility:
+- Once we've applied our configuration to Kubernetes, it's time to test that we can actually talk to the backend.  To do this, we'll use the [grpcurl](https://github.com/fullstorydev/grpcurl) utility:
 
-```sh
-$ grpcurl fortune-teller.stack.build:443 build.stack.fortune.FortuneTeller/Predict
-{
-  "message": "Let us endeavor so to live that when we come to die even the undertaker will be sorry.\n\t\t-- Mark Twain, \"Pudd'nhead Wilson's Calendar\""
-}
-```
+  ```
+  $ grpcurl grpctest.dev.mydomain.com:443 helloworld.Greeter/SayHello
+  {
+    "message": "
+  }
+  ```
 
 ### Debugging Hints
 
diff --git a/docs/examples/grpc/app.yaml b/docs/examples/grpc/app.yaml
deleted file mode 100644
index acc4060d0..000000000
--- a/docs/examples/grpc/app.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: fortune-teller-app
-  labels:
-    k8s-app: fortune-teller-app
-  namespace: default
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      k8s-app: fortune-teller-app
-  template:
-    metadata:
-      labels:
-        k8s-app: fortune-teller-app
-    spec:
-      containers:
-      - name: fortune-teller-app
-        image: quay.io/kubernetes-ingress-controller/grpc-fortune-teller:0.1
-        ports:
-        - containerPort: 50051
-          name: grpc
diff --git a/docs/examples/grpc/cert.yaml b/docs/examples/grpc/cert.yaml
deleted file mode 100644
index 562c30313..000000000
--- a/docs/examples/grpc/cert.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: "stable.k8s.psg.io/v1"
-kind: "Certificate"
-metadata:
-  name: fortune-teller.stack.build
-  namespace: default
-spec:
-  domain: "fortune-teller.stack.build"
diff --git a/docs/examples/grpc/ingress.yaml b/docs/examples/grpc/ingress.yaml
deleted file mode 100644
index 1d76476d1..000000000
--- a/docs/examples/grpc/ingress.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: networking.k8s.io/v1beta1
-kind: Ingress
-metadata:
-  annotations:
-    kubernetes.io/ingress.class: "nginx"
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
-  name: fortune-ingress
-  namespace: default
-spec:
-  rules:
-  - host: fortune-teller.stack.build
-    http:
-      paths:
-      - backend:
-          serviceName: fortune-teller-service
-          servicePort: grpc
-  tls:
-  # This secret must exist beforehand
-  # The cert must also contain the subj-name fortune-teller.stack.build
-  # https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/PREREQUISITES.md#tls-certificates
-  - secretName: fortune-teller.stack.build
-    hosts:
-      - fortune-teller.stack.build
diff --git a/docs/examples/grpc/svc.yaml b/docs/examples/grpc/svc.yaml
deleted file mode 100644
index 7bfa789fd..000000000
--- a/docs/examples/grpc/svc.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: fortune-teller-service
-  namespace: default
-spec:
-  selector:
-    k8s-app: fortune-teller-app
-  ports:
-  - port: 50051
-    targetPort: 50051
-    name: grpc
diff --git a/images/go-grpc-greeter-server/Makefile b/images/go-grpc-greeter-server/Makefile
new file mode 100644
index 000000000..523b83bfb
--- /dev/null
+++ b/images/go-grpc-greeter-server/Makefile
@@ -0,0 +1,55 @@
+# Copyright 2021 The Kubernetes Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# set default shell
+SHELL=/bin/bash -o pipefail -o errexit
+
+DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))))
+INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh
+
+TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD)
+REGISTRY ?= local
+
+IMAGE = $(REGISTRY)/go-grpc-greeter-server
+
+# required to enable buildx
+export DOCKER_CLI_EXPERIMENTAL=enabled
+
+# build with buildx
+PLATFORMS?=linux/amd64,linux/arm,linux/arm64,linux/s390x
+OUTPUT=
+PROGRESS=plain
+
+build: ensure-buildx
+	docker buildx build \
+		--platform=${PLATFORMS} $(OUTPUT) \
+		--progress=$(PROGRESS) \
+		--pull \
+		-t $(IMAGE):$(TAG) rootfs
+
+# push the cross built image
+push: OUTPUT=--push
+push: build
+
+# enable buildx
+ensure-buildx:
+# this is required for cloudbuild
+ifeq ("$(wildcard $(INIT_BUILDX))","")
+	@curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/hack/init-buildx.sh | bash
+else
+	@exec $(INIT_BUILDX)
+endif
+	@echo "done"
+
+.PHONY: build push ensure-buildx
diff --git a/images/go-grpc-greeter-server/cloudbuild.yaml b/images/go-grpc-greeter-server/cloudbuild.yaml
new file mode 100644
index 000000000..14c64db31
--- /dev/null
+++ b/images/go-grpc-greeter-server/cloudbuild.yaml
@@ -0,0 +1,24 @@
+timeout: 1200s
+options:
+  substitution_option: ALLOW_LOOSE
+  # job builds a multi-arch docker image for amd64,arm,arm64 and s390x.
+  machineType: N1_HIGHCPU_8
+steps:
+  - name: gcr.io/k8s-testimages/gcb-docker-gcloud:v20210622-762366a
+    entrypoint: bash
+    env:
+      - DOCKER_CLI_EXPERIMENTAL=enabled
+      - TAG=$_GIT_TAG
+      - BASE_REF=$_PULL_BASE_REF
+      - REGISTRY=gcr.io/k8s-staging-ingress-nginx
+      # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx
+      # set the home to /root explicitly to if using docker buildx
+      - HOME=/root
+    args:
+    - -c
+    - |
+      gcloud auth configure-docker \
+      && make push
+substitutions:
+  _GIT_TAG: "12345"
+  _PULL_BASE_REF: "master"
diff --git a/images/go-grpc-greeter-server/rootfs/Dockerfile b/images/go-grpc-greeter-server/rootfs/Dockerfile
new file mode 100644
index 000000000..a528c6cb6
--- /dev/null
+++ b/images/go-grpc-greeter-server/rootfs/Dockerfile
@@ -0,0 +1,16 @@
+FROM golang:buster as build
+
+WORKDIR /go/src/greeter-server
+
+RUN curl -o main.go https://github.com/grpc/grpc-go/blob/91e0aeb192456225adf27966d04ada4cf8599915/examples/features/reflection/server/main.go && \
+  go mod init greeter-server && \
+  go mod tidy && \
+  go build -o /greeter-server main.go
+
+FROM gcr.io/distroless/base-debian10
+
+COPY --from=build /greeter-server /
+
+EXPOSE 50051
+
+CMD ["/greeter-server"]
diff --git a/images/grpc-fortune-teller/.gitignore b/images/grpc-fortune-teller/.gitignore
deleted file mode 100644
index ac51a054d..000000000
--- a/images/grpc-fortune-teller/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-bazel-*
diff --git a/images/grpc-fortune-teller/BUILD.bazel b/images/grpc-fortune-teller/BUILD.bazel
deleted file mode 100644
index b000f8347..000000000
--- a/images/grpc-fortune-teller/BUILD.bazel
+++ /dev/null
@@ -1,15 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "gazelle", "go_prefix")
-
-gazelle(
-    name = "gazelle",
-    args = [
-        "-build_file_name",
-        "BUILD,BUILD.bazel",
-    ],
-    command = "fix",
-    prefix = "github.com/kubernetes/ingress-nginx/images/grpc-fortune-teller",
-)
-
-go_prefix(
-    prefix = "github.com/kubernetes/ingress-nginx/images/grpc-fortune-teller",
-)
diff --git a/images/grpc-fortune-teller/Gopkg.lock b/images/grpc-fortune-teller/Gopkg.lock
deleted file mode 100644
index e25ff02dd..000000000
--- a/images/grpc-fortune-teller/Gopkg.lock
+++ /dev/null
@@ -1,104 +0,0 @@
-# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'.
-
-
-[[projects]]
-  name = "github.com/golang/protobuf"
-  packages = [
-    "proto",
-    "protoc-gen-go/descriptor",
-    "ptypes",
-    "ptypes/any",
-    "ptypes/duration",
-    "ptypes/timestamp"
-  ]
-  revision = "925541529c1fa6821df4e44ce2723319eb2be768"
-  version = "v1.0.0"
-
-[[projects]]
-  name = "github.com/vromero/gofortune"
-  packages = [
-    "lib",
-    "lib/fortune"
-  ]
-  revision = "8a3c485287c0d3d3e4f8f0d9e0058f6cdd29740d"
-  version = "v0.0.1"
-
-[[projects]]
-  branch = "master"
-  name = "golang.org/x/net"
-  packages = [
-    "context",
-    "http2",
-    "http2/hpack",
-    "idna",
-    "internal/timeseries",
-    "lex/httplex",
-    "trace"
-  ]
-  revision = "b3c676e531a6dc479fa1b35ac961c13f5e2b4d2e"
-
-[[projects]]
-  name = "golang.org/x/text"
-  packages = [
-    "collate",
-    "collate/build",
-    "internal/colltab",
-    "internal/gen",
-    "internal/tag",
-    "internal/triegen",
-    "internal/ucd",
-    "language",
-    "secure/bidirule",
-    "transform",
-    "unicode/bidi",
-    "unicode/cldr",
-    "unicode/norm",
-    "unicode/rangetable"
-  ]
-  revision = "f21a4dfb5e38f5895301dc265a8def02365cc3d0"
-  version = "v0.3.0"
-
-[[projects]]
-  branch = "master"
-  name = "google.golang.org/genproto"
-  packages = ["googleapis/rpc/status"]
-  revision = "35de2414665fc36f56b72d982c5af480d86de5ab"
-
-[[projects]]
-  name = "google.golang.org/grpc"
-  packages = [
-    ".",
-    "balancer",
-    "balancer/base",
-    "balancer/roundrobin",
-    "codes",
-    "connectivity",
-    "credentials",
-    "encoding",
-    "encoding/proto",
-    "grpclb/grpc_lb_v1/messages",
-    "grpclog",
-    "internal",
-    "keepalive",
-    "metadata",
-    "naming",
-    "peer",
-    "reflection",
-    "reflection/grpc_reflection_v1alpha",
-    "resolver",
-    "resolver/dns",
-    "resolver/passthrough",
-    "stats",
-    "status",
-    "tap",
-    "transport"
-  ]
-  revision = "d89cded64628466c4ab532d1f0ba5c220459ebe8"
-  version = "v1.11.2"
-
-[solve-meta]
-  analyzer-name = "dep"
-  analyzer-version = 1
-  inputs-digest = "fcd36504ba120cfbbe161eac2ddd439c884fcef61ce318b5c0a544d27bc47043"
-  solver-name = "gps-cdcl"
-  solver-version = 1
diff --git a/images/grpc-fortune-teller/README.md b/images/grpc-fortune-teller/README.md
deleted file mode 100644
index 5cc755ef6..000000000
--- a/images/grpc-fortune-teller/README.md
+++ /dev/null
@@ -1,59 +0,0 @@
-
-# grpc-fortune-teller
-
-This is the grpc server application for the nginx-ingress grpc example.  Bazel
-0.12 is used for the building and container management.
-
-## Build
-
-Builds a statically compiled go binary cross-compiled for linux:
-
-```
-$ bazel build //app:fortune 
-Target //app:fortune up-to-date:
-  bazel-bin/app/linux_amd64_static_pure_stripped/fortune
-```
-
-> To build for your host system, comment out the `goos` and `goarch` attributes
-> in the `go_binary` rule.
-
-## Run
-
-Builds a minimal docker image that wraps the go_binary, loads it into your local
-docker image repository, and runs it:
-
-```sh
-$ bazel run //app:image
-Loaded image ID: sha256:aa597c897c873116fcbfccafecf5ab0f6f4178a05e4a00c8e79de91ac0d2e9e7
-Tagging aa597c897c873116fcbfccafecf5ab0f6f4178a05e4a00c8e79de91ac0d2e9e7 as bazel/app:image
-2018/05/01 02:13:43 Restored /tmp/fortune-teller/usr/share/games/fortunes/fortunes.dat
-2018/05/01 02:13:43 Restored /tmp/fortune-teller/usr/share/games/fortunes/literature
-2018/05/01 02:13:43 Restored /tmp/fortune-teller/usr/share/games/fortunes/literature.dat
-2018/05/01 02:13:43 Restored /tmp/fortune-teller/usr/share/games/fortunes/riddles
-2018/05/01 02:13:43 Restored /tmp/fortune-teller/usr/share/games/fortunes/riddles.dat
-2018/05/01 02:13:43 Restored /tmp/fortune-teller/usr/share/games/fortunes/fortunes
-2018/05/01 02:13:43 Assets restored to /tmp/fortune-teller
-2018/05/01 02:13:43 Listening for gRPC requests at 50051
-```
-
-Or run it via docker:
-
-```sh
-$ docker run bazel/app:image
-```
-
-Build image and push to the container registry specified in the `container_push`
-rule:
-
-```sh
-$ bazel run //app:push
-```
-
-## Invoke
-
-```sh
-$ grpcurl -plaintext localhost:50051 build.stack.fortune.FortuneTeller/Predict
-{
-  "message": "Whenever the literary German dives into a sentence, that is the last\nyou are going to see of him until he emerges on the other side of his\nAtlantic with his verb in his mouth.\n\t\t-- Mark Twain \"A Connecticut Yankee in King Arthur's Court\""
-}
-```
diff --git a/images/grpc-fortune-teller/WORKSPACE b/images/grpc-fortune-teller/WORKSPACE
deleted file mode 100644
index a6960d054..000000000
--- a/images/grpc-fortune-teller/WORKSPACE
+++ /dev/null
@@ -1,62 +0,0 @@
-workspace(name = "com_github_kubernetes_ingress_nginx_images_grpc_fortune_teller")
-
-#####################################################################
-# RULES_GO
-#####################################################################
-
-git_repository(
-    name = "io_bazel_rules_go",
-    remote = "https://github.com/bazelbuild/rules_go.git",
-    commit = "161c91485b007c6bf51c0e81808cf4ee2ded299d",
-)
-
-http_archive(
-    name = "com_github_scele_rules_go_dep",
-    urls = ["https://github.com/scele/rules_go_dep/archive/49a5e4ca9f6a16c9b4c930a51ce3a537498bb4e1.tar.gz"],
-    strip_prefix = "rules_go_dep-49a5e4ca9f6a16c9b4c930a51ce3a537498bb4e1",
-    sha256 = "f170d3d6f55e216f1493f975cde6c489d7070da2a8a41fd4de9812d96f4fb38b",
-)
-
-load("@io_bazel_rules_go//go:def.bzl", "go_rules_dependencies", "go_register_toolchains")
-load("@com_github_scele_rules_go_dep//dep:dep.bzl", "dep_import")
-
-go_register_toolchains(go_version = "1.10.1")
-
-go_rules_dependencies()
-
-dep_import(
-    name = "godeps",
-    prefix = "github.com/kubernetes/ingress-nginx/images/grpc-fortune-teller",
-    gopkg_lock = "//:Gopkg.lock",
-)
-
-load("@godeps//:Gopkg.bzl", "go_deps")
-
-go_deps()
-
-#############################################################
-# RULES_DOCKER
-#############################################################
-
-RULES_DOCKER_VERSION = "553d5506bb7325185950f91533b967da8f5bc536"
-
-http_archive(
-    name = "io_bazel_rules_docker",
-    url = "https://github.com/bazelbuild/rules_docker/archive/%s.zip" % RULES_DOCKER_VERSION,
-    strip_prefix = "rules_docker-" + RULES_DOCKER_VERSION,
-    sha256 = "e0b3d966f2a5c0fe921b6294df7c823afa63b4c439f0a7f3b9da3ed6534bab83",
-)
-
-load(
-    "@io_bazel_rules_docker//container:container.bzl",
-    container_repositories = "repositories",
-)
-
-container_repositories()
-
-load(
-    "@io_bazel_rules_docker//go:image.bzl",
-    go_image_repositories = "repositories",
-)
-
-go_image_repositories()
diff --git a/images/grpc-fortune-teller/app/BUILD.bazel b/images/grpc-fortune-teller/app/BUILD.bazel
deleted file mode 100644
index 4fffd481e..000000000
--- a/images/grpc-fortune-teller/app/BUILD.bazel
+++ /dev/null
@@ -1,69 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library", "go_embed_data")
-load("@io_bazel_rules_docker//go:image.bzl", "go_image")
-load("@io_bazel_rules_docker//container:push.bzl", "container_push")
-
-# Concatenates the fortune databases to a single bundle.
-# May need to adjust paths for your system (built on ubuntu 16.04).
-# $ apt-get install fortune
-genrule(
-    name = "tar",
-    outs = ["fortune.tar"],
-    cmd = " && ".join([
-        "OUT=$$(pwd)/$@",
-        "tar -cvf $$OUT /usr/share/games/fortunes",
-    ]),
-)
-
-# Generates a .go source file with the tarball content in 
-# the fortuneFiles variable.
-go_embed_data(
-    name = "fortune_assets",
-    srcs = [
-        ":tar",
-    ],
-    package = "main",
-    unpack = True,
-    var = "fortuneFiles",
-)
-
-go_library(
-    name = "go_default_library",
-    srcs = [
-        "main.go",
-        ":fortune_assets",  # keep
-    ],
-    importpath = "github.com/kubernetes/ingress-nginx/images/grpc-fortune-teller/app",
-    visibility = ["//visibility:private"],
-    deps = [
-        "//proto/fortune:go_default_library",
-        "@com_github_vromero_gofortune//lib/fortune:go_default_library",
-        "@org_golang_google_grpc//:go_default_library",
-        "@org_golang_google_grpc//codes:go_default_library",
-        "@org_golang_google_grpc//reflection:go_default_library",
-    ],
-)
-
-go_binary(
-    name = "fortune",
-    embed = [":go_default_library"],
-    goarch = "amd64",
-    goos = "linux",
-    pure = "on",
-    static = "on",
-    visibility = ["//visibility:public"],
-)
-
-go_image(
-    name = "image",
-    binary = ":fortune",
-    visibility = ["//visibility:public"],
-)
-
-container_push(
-    name = "push",
-    format = "Docker",
-    image = ":image",
-    registry = "quay.io",
-    repository = "kubernetes-ingress-controller/grpc-fortune-teller",
-    tag = "0.1",
-)
diff --git a/images/grpc-fortune-teller/app/main.go b/images/grpc-fortune-teller/app/main.go
deleted file mode 100644
index d09799cbe..000000000
--- a/images/grpc-fortune-teller/app/main.go
+++ /dev/null
@@ -1,137 +0,0 @@
-/*
-Copyright 2018 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"context"
-	"fmt"
-	"io/ioutil"
-	"log"
-	"net"
-	"os"
-	"path"
-
-	proto "github.com/kubernetes/ingress-nginx/images/grpc-fortune-teller/proto/fortune"
-	"github.com/vromero/gofortune/lib/fortune"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/reflection"
-)
-
-const (
-	grpcPort = 50051
-)
-
-func main() {
-
-	baseDir := "/tmp/fortune-teller"
-	mustMkdirAll(baseDir)
-
-	opts := []grpc.ServerOption{
-		grpc.MaxConcurrentStreams(200),
-	}
-
-	grpcServer := grpc.NewServer(opts...)
-
-	fortuneTeller := &FortuneTeller{
-		fs: createFortuneFilesystemNodeDescriptor(baseDir),
-	}
-	proto.RegisterFortuneTellerServer(grpcServer, fortuneTeller)
-
-	reflection.Register(grpcServer)
-
-	lis, err := net.Listen("tcp", fmt.Sprintf(":%d", grpcPort))
-	if err != nil {
-		log.Fatalf("Error while starting grpc server: %v\n", err)
-	}
-
-	log.Printf("Listening for gRPC requests at %d\n", grpcPort)
-	grpcServer.Serve(lis)
-}
-
-// FortuneTeller - struct that will implement the grpc service interface.
-type FortuneTeller struct {
-	fs *fortune.FileSystemNodeDescriptor
-}
-
-// Predict - implementation for the grpc unary request method.
-func (f *FortuneTeller) Predict(ctx context.Context, r *proto.PredictionRequest) (*proto.PredictionResponse, error) {
-	_, data, err := fortune.GetRandomFortune(*f.fs)
-	if err != nil {
-		return nil, grpc.Errorf(codes.Internal, "Unable to render fortune: %v", err)
-	}
-	return &proto.PredictionResponse{
-		Message: data,
-	}, nil
-}
-
-func createFortuneFilesystemNodeDescriptor(baseDir string) *fortune.FileSystemNodeDescriptor {
-
-	// Restore the packed fortune data
-	fortuneDir := path.Join(baseDir, "usr/share/games/fortunes")
-
-	mustRestore(baseDir, fortuneFiles, nil)
-
-	// init gofortune fs
-	fs, err := fortune.LoadPaths([]fortune.ProbabilityPath{
-		{Path: fortuneDir},
-	})
-	if err != nil {
-		log.Fatalf("Unable to load fortune paths: %v", err)
-	}
-
-	fortune.SetProbabilities(&fs, true) // consider all equal probabilities
-	return &fs
-}
-
-// mustRestore - Restore assets.
-func mustRestore(baseDir string, assets map[string][]byte, mappings map[string]string) {
-	// unpack variable is provided by the go_embed data and is a
-	// map[string][]byte such as {"/usr/share/games/fortune/literature.dat":
-	// bytes... }
-	for basename, bytes := range assets {
-		if mappings != nil {
-			replacement := mappings[basename]
-			if replacement != "" {
-				basename = replacement
-			}
-		}
-		filename := path.Join(baseDir, basename)
-		dirname := path.Dir(filename)
-		//log.Printf("file %s, dir %s, rel %d, abs %s, absdir: %s", file, dir, rel, abs, absdir)
-		if err := os.MkdirAll(dirname, os.ModePerm); err != nil {
-			log.Fatalf("Failed to create asset dir %s: %v", dirname, err)
-		}
-
-		if err := ioutil.WriteFile(filename, bytes, os.ModePerm); err != nil {
-			log.Fatalf("Failed to write asset %s: %v", filename, err)
-		}
-		log.Printf("Restored %s", filename)
-	}
-
-	log.Printf("Assets restored to %s", baseDir)
-}
-
-// mustMkdirAll - make all dirs and panic if fail
-func mustMkdirAll(dirs ...string) {
-	for _, dir := range dirs {
-		err := os.MkdirAll(dir, os.ModePerm)
-		if err != nil {
-			panic(fmt.Sprintf("Failed mkdir %s: %v", dir, err))
-		}
-	}
-}
diff --git a/images/grpc-fortune-teller/go.mod b/images/grpc-fortune-teller/go.mod
deleted file mode 100644
index e69de29bb..000000000
diff --git a/images/grpc-fortune-teller/proto/fortune/BUILD.bazel b/images/grpc-fortune-teller/proto/fortune/BUILD.bazel
deleted file mode 100644
index b3008b826..000000000
--- a/images/grpc-fortune-teller/proto/fortune/BUILD.bazel
+++ /dev/null
@@ -1,24 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library")
-load("@io_bazel_rules_go//proto:def.bzl", "go_proto_library")
-
-go_library(
-    name = "go_default_library",
-    srcs = ["doc.go"],
-    embed = [":build_stack_fortune_go_proto"],  # keep
-    importpath = "github.com/kubernetes/ingress-nginx/images/grpc-fortune-teller/proto/fortune",
-    visibility = ["//visibility:public"],
-)
-
-proto_library(
-    name = "build_stack_fortune_proto",
-    srcs = ["fortune.proto"],
-    visibility = ["//visibility:public"],
-)
-
-go_proto_library(
-    name = "build_stack_fortune_go_proto",
-    compilers = ["@io_bazel_rules_go//proto:go_grpc"],
-    importpath = "github.com/kubernetes/ingress-nginx/images/grpc-fortune-teller/proto/fortune",
-    proto = ":build_stack_fortune_proto",
-    visibility = ["//visibility:public"],
-)
diff --git a/images/grpc-fortune-teller/proto/fortune/fortune.proto b/images/grpc-fortune-teller/proto/fortune/fortune.proto
deleted file mode 100644
index d71b4acb1..000000000
--- a/images/grpc-fortune-teller/proto/fortune/fortune.proto
+++ /dev/null
@@ -1,14 +0,0 @@
-syntax = "proto3";
-
-package build.stack.fortune;
-
-message PredictionRequest {
-}
-
-message PredictionResponse {
-    string message = 1;
-}
-
-service FortuneTeller {
-    rpc Predict(PredictionRequest) returns (PredictionResponse);
-}
\ No newline at end of file

From 191b27a8bbc168422582375cf352f95ea89c2732 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Thu, 22 Jul 2021 21:29:16 -0300
Subject: [PATCH 020/376] Automatically add area labels to help triaging
 (#7387)

---
 charts/ingress-nginx/OWNERS | 3 +++
 docs/OWNERS                 | 4 ++++
 rootfs/etc/nginx/lua/OWNERS | 4 ++++
 3 files changed, 11 insertions(+)
 create mode 100644 docs/OWNERS
 create mode 100644 rootfs/etc/nginx/lua/OWNERS

diff --git a/charts/ingress-nginx/OWNERS b/charts/ingress-nginx/OWNERS
index a31654fff..392bc92f5 100644
--- a/charts/ingress-nginx/OWNERS
+++ b/charts/ingress-nginx/OWNERS
@@ -5,3 +5,6 @@ approvers:
 
 reviewers:
 - ingress-nginx-helm-reviewers
+
+labels:
+- area/helm
\ No newline at end of file
diff --git a/docs/OWNERS b/docs/OWNERS
new file mode 100644
index 000000000..1d3805a73
--- /dev/null
+++ b/docs/OWNERS
@@ -0,0 +1,4 @@
+# See the OWNERS docs: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md
+
+labels:
+- area/docs
\ No newline at end of file
diff --git a/rootfs/etc/nginx/lua/OWNERS b/rootfs/etc/nginx/lua/OWNERS
new file mode 100644
index 000000000..79814fdba
--- /dev/null
+++ b/rootfs/etc/nginx/lua/OWNERS
@@ -0,0 +1,4 @@
+# See the OWNERS docs: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md
+
+labels:
+- area/lua
\ No newline at end of file

From a82ea7d617600a2f6da17da764d15b446122b334 Mon Sep 17 00:00:00 2001
From: Steven Harms <sharms@snowfoundry.com>
Date: Mon, 26 Jul 2021 08:40:33 -0400
Subject: [PATCH 021/376] aws-load-balancer-internal is a boolean value (#7353)

* aws-load-balancer-internal is a boolean value

* Update to string true

* Update to string true

* Update to string true
---
 charts/ingress-nginx/README.md                             | 2 +-
 charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml  | 2 +-
 charts/ingress-nginx/ci/deployment-internal-lb-values.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index 53657e56f..d5a2c3ca8 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -159,7 +159,7 @@ controller:
       enabled: true
       annotations:
         # Create internal ELB
-        service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
+        service.beta.kubernetes.io/aws-load-balancer-internal: "true"
         # Any other annotation can be declared here.
 ```
 
diff --git a/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml b/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml
index 443e39d8b..d8948d634 100644
--- a/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml
+++ b/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml
@@ -7,4 +7,4 @@ controller:
     internal:
       enabled: true
       annotations:
-        service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
+        service.beta.kubernetes.io/aws-load-balancer-internal: "true"
diff --git a/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml b/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml
index 892f6de3f..c7f22d636 100644
--- a/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml
@@ -6,4 +6,4 @@ controller:
     internal:
       enabled: true
       annotations:
-        service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
+        service.beta.kubernetes.io/aws-load-balancer-internal: "true"

From c4cc9a504acbc17eded62911b56f6da44f0e94b9 Mon Sep 17 00:00:00 2001
From: Robert J <robert@aztek.io>
Date: Mon, 26 Jul 2021 19:04:45 -0500
Subject: [PATCH 022/376] =?UTF-8?q?docs=EF=BC=9Aupdate=20troubleshooting.m?=
 =?UTF-8?q?d=20(#7224)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Update troubleshooting.md

Made the troubleshooting steps a bit more fluid IMHO.

* Update troubleshooting.md

Fixed introduced troubleshooting workflow change.

* Update troubleshooting.md

Fixed token path in new proposed workflow.

* Update troubleshooting.md

Fixed terminology (pod vs. container)

* Changed verb to get CLA refresh.

* Updating PR with requested changes.

Signed-off-by: Robert Jackson <robert@aztek.io>
---
 docs/troubleshooting.md | 75 +++++++++++++++--------------------------
 1 file changed, 27 insertions(+), 48 deletions(-)

diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md
index 1707aa0e2..a8cf212b1 100644
--- a/docs/troubleshooting.md
+++ b/docs/troubleshooting.md
@@ -173,68 +173,47 @@ Verify with the following commands:
 
 ```console
 # start a container that contains curl
-$ kubectl run test --image=tutum/curl -- sleep 10000
-
-# check that container is running
-$ kubectl get pods
-NAME                   READY     STATUS    RESTARTS   AGE
-test-701078429-s5kca   1/1       Running   0          16s
+$ kubectl run -it --rm test --image=curlimages/curl --restart=Never -- /bin/sh
 
 # check if secret exists
-$ kubectl exec test-701078429-s5kca -- ls /var/run/secrets/kubernetes.io/serviceaccount/
-ca.crt
-namespace
-token
-
-# get service IP of master
-$ kubectl get services
-NAME         CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
-kubernetes   10.0.0.1     <none>        443/TCP   1d
+/ $ ls /var/run/secrets/kubernetes.io/serviceaccount/
+ca.crt     namespace  token
+/ $
 
 # check base connectivity from cluster inside
-$ kubectl exec test-701078429-s5kca -- curl -k https://10.0.0.1
-Unauthorized
+/ $ curl -k https://kubernetes.default.svc.cluster.local
+{
+  "kind": "Status",
+  "apiVersion": "v1",
+  "metadata": {
+
+  },
+  "status": "Failure",
+  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
+  "reason": "Forbidden",
+  "details": {
+
+  },
+  "code": 403
+}/ $
 
 # connect using tokens
-$ TOKEN_VALUE=$(kubectl exec test-701078429-s5kca -- cat /var/run/secrets/kubernetes.io/serviceaccount/token)
-$ echo $TOKEN_VALUE
-eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3Mi....9A
-$ kubectl exec test-701078429-s5kca -- curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H  "Authorization: Bearer $TOKEN_VALUE" https://10.0.0.1
+}/ $ curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H  "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc.cluster.local
+&& echo
 {
   "paths": [
     "/api",
     "/api/v1",
     "/apis",
-    "/apis/apps",
-    "/apis/apps/v1alpha1",
-    "/apis/authentication.k8s.io",
-    "/apis/authentication.k8s.io/v1beta1",
-    "/apis/authorization.k8s.io",
-    "/apis/authorization.k8s.io/v1beta1",
-    "/apis/autoscaling",
-    "/apis/autoscaling/v1",
-    "/apis/batch",
-    "/apis/batch/v1",
-    "/apis/batch/v2alpha1",
-    "/apis/certificates.k8s.io",
-    "/apis/certificates.k8s.io/v1alpha1",
-    "/apis/networking",
-    "/apis/networking/v1beta1",
-    "/apis/policy",
-    "/apis/policy/v1alpha1",
-    "/apis/rbac.authorization.k8s.io",
-    "/apis/rbac.authorization.k8s.io/v1alpha1",
-    "/apis/storage.k8s.io",
-    "/apis/storage.k8s.io/v1beta1",
-    "/healthz",
-    "/healthz/ping",
-    "/logs",
-    "/metrics",
-    "/swaggerapi/",
-    "/ui/",
+    "/apis/",
+    ... TRUNCATED
+    "/readyz/shutdown",
     "/version"
   ]
 }
+/ $
+
+# when you type `exit` or `^D` the test pod will be deleted.
 ```
 
 If it is not working, there are two possible reasons:

From b1f9f838107acf17ccc4453a16e9ef20f92db0ab Mon Sep 17 00:00:00 2001
From: Noah Ispas <13436814+iamNoah1@users.noreply.github.com>
Date: Tue, 27 Jul 2021 15:18:45 +0200
Subject: [PATCH 023/376] reorder contributing infos (#7394)

* reorder contributing infos

* Change requests of PR
---
 README.md | 42 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/README.md b/README.md
index cdbd96a4a..3675e690c 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,9 @@
 # NGINX Ingress Controller
 
 [![Go Report Card](https://goreportcard.com/badge/github.com/kubernetes/ingress-nginx)](https://goreportcard.com/report/github.com/kubernetes/ingress-nginx)
-[![GitHub license](https://img.shields.io/github/license/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/blob/master/LICENSE)
+[![GitHub license](https://img.shields.io/github/license/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/blob/main/LICENSE)
 [![GitHub stars](https://img.shields.io/github/stars/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/stargazers)
-[![GitHub stars](https://img.shields.io/badge/contributions-welcome-orange.svg)](https://github.com/kubernetes/ingress-nginx/blob/master/CONTRIBUTING.md)
+[![GitHub stars](https://img.shields.io/badge/contributions-welcome-orange.svg)](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md)
 [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fkubernetes%2Fingress-nginx.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Fkubernetes%2Fingress-nginx?ref=badge_shield)
 
 ## Overview
@@ -20,15 +20,6 @@ See the [Getting Started](https://kubernetes.github.io/ingress-nginx/deploy/) do
 
 If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md), [file an issue](https://github.com/kubernetes/ingress-nginx/issues), or talk to us on the [#ingress-nginx channel](https://kubernetes.slack.com/messages/ingress-nginx) on the Kubernetes Slack server.
 
-## Contributing
-
-Thanks for taking the time to join our community and start contributing!
-
-- This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md). By participating in this project, you agree to abide by its terms.
-- See [CONTRIBUTING.md](CONTRIBUTING.md) for information about setting up your environment, the workflow that we expect, and instructions on the developer certificate of origin that we require.
-- Check out the [open issues](https://github.com/kubernetes/ingress-nginx).
-- Join our Kubernetes Slack channel for developer discussion : [#ingress-nginx-dev](https://kubernetes.slack.com/archives/C021E147ZA4).
-
 ## Changelog
 
 See [the list of releases](https://github.com/kubernetes/ingress-nginx/releases) to find out about feature changes.
@@ -45,19 +36,28 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 | v0.47.0               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
 | v0.46.0               | 1.21, 1.20, 1.19       | 3.13.2         |  1.19.6       |
 
-# Get Involved
+## Get Involved
 
-- **Contributing**: Pull requests are welcome!
-  - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) and check out [help-wanted](https://github.com/kubernetes/ingress-nginx/labels/help%20wanted) issues.
-  - Submit github issues for any feature enhancements, bugs or documentation problems.
-- **Support**: Join to [Kubernetes Slack](http://slack.kubernetes.io/) in the [#ingress-nginx-users](https://kubernetes.slack.com/messages/CANQGM8BA/) channel to ask questions to get support from the maintainers and other users.
+Thanks for taking the time to join our community and start contributing!
+
+- This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md). By participating in this project, you agree to abide by its terms.
+
+- **Contributing**: Contributions of all kind are welcome!
+  
+  - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information about setting up your environment, the workflow that we expect, and instructions on the developer certificate of origin that we require.
+
+  - Check out the [open issues](https://github.com/kubernetes/ingress-nginx), especially [help-wanted](https://github.com/kubernetes/ingress-nginx/labels/help%20wanted) ones.
+
+  - Join our Kubernetes Slack channel for developer discussion : [#ingress-nginx-dev](https://kubernetes.slack.com/archives/C021E147ZA4).
+  
+  - Submit github issues for any feature enhancements, bugs or documentation problems. Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**.
+
+- **Support**: Join the the [#ingress-nginx-users](https://kubernetes.slack.com/messages/CANQGM8BA/) channel inside the [Kubernetes Slack](http://slack.kubernetes.io/) to ask questions or get support from the maintainers and other users.
+  
   - The [github issues](https://github.com/kubernetes/ingress-nginx/issues) in the repository are **exclusively** for bug reports and feature requests.
+
 - **Discuss**: Tweet using the `#IngressNginx` hashtag.
 
-## Issues
-
-Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/master/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**.
-
 ## License
 
-[Apache License 2.0](https://github.com/kubernetes/ingress-nginx/blob/master/LICENSE)
+[Apache License 2.0](https://github.com/kubernetes/ingress-nginx/blob/main/LICENSE)

From a327a809d9b6b58fe3999723738300f5ae698a1a Mon Sep 17 00:00:00 2001
From: Dmitry Kuleshov <vdksystem@users.noreply.github.com>
Date: Thu, 29 Jul 2021 22:49:19 +0300
Subject: [PATCH 024/376] auto backend protocol for HTTP/HTTPS (#6985)

* add auto backend protocol for HTTP/HTTPS

* e2e test for AUTO_HTTP backend protocol

* unit  test for AUTO_HTTP backend protocol

Co-authored-by: Luca Del Monte <luca.delmonte5@gmail.com>
---
 .../annotations/backendprotocol/main.go       |  2 +-
 .../ingress/controller/template/template.go   |  2 +
 .../controller/template/template_test.go      | 93 ++++++++++++++++---
 test/e2e/annotations/backendprotocol.go       | 15 +++
 4 files changed, 96 insertions(+), 16 deletions(-)

diff --git a/internal/ingress/annotations/backendprotocol/main.go b/internal/ingress/annotations/backendprotocol/main.go
index d6e7beb4c..65566d6e9 100644
--- a/internal/ingress/annotations/backendprotocol/main.go
+++ b/internal/ingress/annotations/backendprotocol/main.go
@@ -31,7 +31,7 @@ import (
 const HTTP = "HTTP"
 
 var (
-	validProtocols = regexp.MustCompile(`^(HTTP|HTTPS|AJP|GRPC|GRPCS|FCGI)$`)
+	validProtocols = regexp.MustCompile(`^(AUTO_HTTP|HTTP|HTTPS|AJP|GRPC|GRPCS|FCGI)$`)
 )
 
 type backendProtocol struct {
diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go
index 3aa521c87..a14e2d50b 100644
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@@ -617,6 +617,8 @@ func buildProxyPass(host string, b interface{}, loc interface{}) string {
 	proxyPass := "proxy_pass"
 
 	switch location.BackendProtocol {
+	case "AUTO_HTTP":
+		proto = "$scheme://"
 	case "HTTPS":
 		proto = "https://"
 	case "GRPC":
diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go
index 411b24349..c5f40c246 100644
--- a/internal/ingress/controller/template/template_test.go
+++ b/internal/ingress/controller/template/template_test.go
@@ -59,20 +59,22 @@ func init() {
 var (
 	// TODO: add tests for SSLPassthrough
 	tmplFuncTestcases = map[string]struct {
-		Path             string
-		Target           string
-		Location         string
-		ProxyPass        string
-		Sticky           bool
-		XForwardedPrefix string
-		SecureBackend    bool
-		enforceRegex     bool
+		Path              string
+		Target            string
+		Location          string
+		ProxyPass         string
+		AutoHttpProxyPass string
+		Sticky            bool
+		XForwardedPrefix  string
+		SecureBackend     bool
+		enforceRegex      bool
 	}{
 		"when secure backend enabled": {
 			"/",
 			"/",
 			"/",
 			"proxy_pass https://upstream_balancer;",
+			"proxy_pass https://upstream_balancer;",
 			false,
 			"",
 			true,
@@ -83,6 +85,7 @@ var (
 			"/",
 			"/",
 			"proxy_pass https://upstream_balancer;",
+			"proxy_pass https://upstream_balancer;",
 			false,
 			"",
 			true,
@@ -93,6 +96,7 @@ var (
 			"/",
 			"/",
 			"proxy_pass https://upstream_balancer;",
+			"proxy_pass https://upstream_balancer;",
 			true,
 			"",
 			true,
@@ -103,6 +107,7 @@ var (
 			"/",
 			"/",
 			"proxy_pass http://upstream_balancer;",
+			"proxy_pass $scheme://upstream_balancer;",
 			false,
 			"",
 			false,
@@ -113,6 +118,7 @@ var (
 			"/",
 			"/",
 			"proxy_pass http://upstream_balancer;",
+			"proxy_pass $scheme://upstream_balancer;",
 			false,
 			"",
 			false,
@@ -125,6 +131,9 @@ var (
 			`
 rewrite "(?i)/" /jenkins break;
 proxy_pass http://upstream_balancer;`,
+			`
+rewrite "(?i)/" /jenkins break;
+proxy_pass $scheme://upstream_balancer;`,
 			false,
 			"",
 			false,
@@ -137,6 +146,9 @@ proxy_pass http://upstream_balancer;`,
 			`
 rewrite "(?i)/" /something break;
 proxy_pass http://upstream_balancer;`,
+			`
+rewrite "(?i)/" /something break;
+proxy_pass $scheme://upstream_balancer;`,
 			true,
 			"",
 			false,
@@ -149,6 +161,9 @@ proxy_pass http://upstream_balancer;`,
 			`
 rewrite "(?i)/" /something break;
 proxy_pass http://upstream_balancer;`,
+			`
+rewrite "(?i)/" /something break;
+proxy_pass $scheme://upstream_balancer;`,
 			true,
 			"",
 			false,
@@ -162,6 +177,10 @@ proxy_pass http://upstream_balancer;`,
 rewrite "(?i)/there" /something break;
 proxy_set_header X-Forwarded-Prefix "/there";
 proxy_pass http://upstream_balancer;`,
+			`
+rewrite "(?i)/there" /something break;
+proxy_set_header X-Forwarded-Prefix "/there";
+proxy_pass $scheme://upstream_balancer;`,
 			true,
 			"/there",
 			false,
@@ -172,6 +191,7 @@ proxy_pass http://upstream_balancer;`,
 			"/something",
 			`~* "^/something"`,
 			"proxy_pass http://upstream_balancer;",
+			"proxy_pass $scheme://upstream_balancer;",
 			false,
 			"",
 			false,
@@ -344,6 +364,48 @@ func TestBuildProxyPass(t *testing.T) {
 	}
 }
 
+func TestBuildProxyPassAutoHttp(t *testing.T) {
+	defaultBackend := "upstream-name"
+	defaultHost := "example.com"
+
+	for k, tc := range tmplFuncTestcases {
+		loc := &ingress.Location{
+			Path:             tc.Path,
+			Rewrite:          rewrite.Config{Target: tc.Target},
+			Backend:          defaultBackend,
+			XForwardedPrefix: tc.XForwardedPrefix,
+		}
+
+		if tc.SecureBackend {
+			loc.BackendProtocol = "HTTPS"
+		} else {
+			loc.BackendProtocol = "AUTO_HTTP"
+		}
+
+		backend := &ingress.Backend{
+			Name: defaultBackend,
+		}
+
+		if tc.Sticky {
+			backend.SessionAffinity = ingress.SessionAffinityConfig{
+				AffinityType: "cookie",
+				CookieSessionAffinity: ingress.CookieSessionAffinity{
+					Locations: map[string][]string{
+						defaultHost: {tc.Path},
+					},
+				},
+			}
+		}
+
+		backends := []*ingress.Backend{backend}
+
+		pp := buildProxyPass(defaultHost, backends, loc)
+		if !strings.EqualFold(tc.AutoHttpProxyPass, pp) {
+			t.Errorf("%s: expected \n'%v'\nbut returned \n'%v'", k, tc.ProxyPass, pp)
+		}
+	}
+}
+
 func TestBuildAuthLocation(t *testing.T) {
 	invalidType := &ingress.Ingress{}
 	expected := ""
@@ -899,13 +961,14 @@ func TestEscapeLiteralDollar(t *testing.T) {
 
 func TestOpentracingPropagateContext(t *testing.T) {
 	tests := map[*ingress.Location]string{
-		{BackendProtocol: "HTTP"}:  "opentracing_propagate_context;",
-		{BackendProtocol: "HTTPS"}: "opentracing_propagate_context;",
-		{BackendProtocol: "GRPC"}:  "opentracing_grpc_propagate_context;",
-		{BackendProtocol: "GRPCS"}: "opentracing_grpc_propagate_context;",
-		{BackendProtocol: "AJP"}:   "opentracing_propagate_context;",
-		{BackendProtocol: "FCGI"}:  "opentracing_propagate_context;",
-		nil:                        "",
+		{BackendProtocol: "HTTP"}:      "opentracing_propagate_context;",
+		{BackendProtocol: "HTTPS"}:     "opentracing_propagate_context;",
+		{BackendProtocol: "AUTO_HTTP"}: "opentracing_propagate_context;",
+		{BackendProtocol: "GRPC"}:      "opentracing_grpc_propagate_context;",
+		{BackendProtocol: "GRPCS"}:     "opentracing_grpc_propagate_context;",
+		{BackendProtocol: "AJP"}:       "opentracing_propagate_context;",
+		{BackendProtocol: "FCGI"}:      "opentracing_propagate_context;",
+		nil:                            "",
 	}
 
 	for loc, expectedDirective := range tests {
diff --git a/test/e2e/annotations/backendprotocol.go b/test/e2e/annotations/backendprotocol.go
index db7e50908..a215cbe83 100644
--- a/test/e2e/annotations/backendprotocol.go
+++ b/test/e2e/annotations/backendprotocol.go
@@ -46,6 +46,21 @@ var _ = framework.DescribeAnnotation("backend-protocol", func() {
 			})
 	})
 
+	ginkgo.It("should set backend protocol to $scheme:// and use proxy_pass", func() {
+		host := "backendprotocol.foo.com"
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/backend-protocol": "AUTO_HTTP",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, "proxy_pass $scheme://upstream_balancer;")
+			})
+	})
+
 	ginkgo.It("should set backend protocol to grpc:// and use grpc_pass", func() {
 		host := "backendprotocol.foo.com"
 		annotations := map[string]string{

From f222c752beb720b5736a52f10441eac08eeb048f Mon Sep 17 00:00:00 2001
From: wasker <wasker@users.noreply.github.com>
Date: Thu, 29 Jul 2021 14:23:19 -0700
Subject: [PATCH 025/376] Enable session affinity for canaries (#7371)

---
 build/run-in-docker.sh                        |   3 +
 docs/examples/affinity/cookie/README.md       |   1 +
 .../nginx-configuration/annotations.md        |   7 +-
 .../ingress/annotations/annotations_test.go   |  64 +--
 .../annotations/sessionaffinity/main.go       |  20 +-
 internal/ingress/controller/controller.go     |  10 +-
 .../ingress/controller/controller_test.go     | 323 +++++++++++++-
 rootfs/etc/nginx/lua/balancer.lua             |  21 +-
 rootfs/etc/nginx/lua/balancer/chashsubset.lua |   4 +
 rootfs/etc/nginx/lua/balancer/ewma.lua        |   4 +
 rootfs/etc/nginx/lua/balancer/resty.lua       |   4 +
 rootfs/etc/nginx/lua/balancer/sticky.lua      |  39 +-
 .../nginx/lua/test/balancer/sticky_test.lua   | 349 ++++++++++-----
 rootfs/etc/nginx/lua/test/balancer_test.lua   | 407 +++++++++++-------
 rootfs/etc/nginx/lua/test/util/split.lua      |  15 -
 rootfs/etc/nginx/lua/test/util/split_test.lua |  57 +++
 rootfs/etc/nginx/lua/util/split.lua           |  15 +
 17 files changed, 1021 insertions(+), 322 deletions(-)
 delete mode 100644 rootfs/etc/nginx/lua/test/util/split.lua
 create mode 100644 rootfs/etc/nginx/lua/test/util/split_test.lua

diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh
index d6723c7a1..e31b98524 100755
--- a/build/run-in-docker.sh
+++ b/build/run-in-docker.sh
@@ -25,6 +25,9 @@ set -o pipefail
 # temporal directory for the /etc/ingress-controller directory
 INGRESS_VOLUME=$(mktemp -d)
 
+# make sure directory for SSL cert storage exists under ingress volume
+mkdir "${INGRESS_VOLUME}/ssl"
+
 if [[ "$OSTYPE" == darwin* ]]; then
   INGRESS_VOLUME=/private$INGRESS_VOLUME
 fi
diff --git a/docs/examples/affinity/cookie/README.md b/docs/examples/affinity/cookie/README.md
index 670d345e3..4f93fc0f8 100644
--- a/docs/examples/affinity/cookie/README.md
+++ b/docs/examples/affinity/cookie/README.md
@@ -10,6 +10,7 @@ Session affinity can be configured using the following annotations:
 | --- | --- | --- |
 |nginx.ingress.kubernetes.io/affinity|Type of the affinity, set this to `cookie` to enable session affinity|string (NGINX only supports `cookie`)|
 |nginx.ingress.kubernetes.io/affinity-mode|The affinity mode defines how sticky a session is. Use `balanced` to redistribute some sessions when scaling pods or `persistent` for maximum stickiness.|`balanced` (default) or `persistent`|
+|nginx.ingress.kubernetes.io/affinity-canary-behavior|Defines session affinity behavior of canaries. By default the behavior is `sticky`, and canaries respect session affinity configuration. Set this to `legacy` to restore original canary behavior, when session affinity parameters were not respected.|`sticky` (default) or `legacy`|
 |nginx.ingress.kubernetes.io/session-cookie-name|Name of the cookie that will be created|string (defaults to `INGRESSCOOKIE`)|
 |nginx.ingress.kubernetes.io/session-cookie-path|Path that will be set on the cookie (required if your [Ingress paths][ingress-paths] use regular expressions)|string (defaults to the currently [matched path][ingress-paths])|
 |nginx.ingress.kubernetes.io/session-cookie-samesite|SameSite attribute to apply to the cookie|Browser accepted values are `None`, `Lax`, and `Strict`|
diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
index add5c5595..ef9a4e5ef 100755
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@@ -18,6 +18,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
 |[nginx.ingress.kubernetes.io/app-root](#rewrite)|string|
 |[nginx.ingress.kubernetes.io/affinity](#session-affinity)|cookie|
 |[nginx.ingress.kubernetes.io/affinity-mode](#session-affinity)|"balanced" or "persistent"|
+|[nginx.ingress.kubernetes.io/affinity-canary-behavior](#session-affinity)|"sticky" or "legacy"|
 |[nginx.ingress.kubernetes.io/auth-realm](#authentication)|string|
 |[nginx.ingress.kubernetes.io/auth-secret](#authentication)|string|
 |[nginx.ingress.kubernetes.io/auth-secret-type](#authentication)|string|
@@ -140,7 +141,7 @@ In some cases, you may want to "canary" a new set of changes by sending a small
 Canary rules are evaluated in order of precedence. Precedence is as follows:
 `canary-by-header -> canary-by-cookie -> canary-weight`
 
-**Note** that when you mark an ingress as canary, then all the other non-canary annotations will be ignored (inherited from the corresponding main ingress) except `nginx.ingress.kubernetes.io/load-balance` and `nginx.ingress.kubernetes.io/upstream-hash-by`.
+**Note** that when you mark an ingress as canary, then all the other non-canary annotations will be ignored (inherited from the corresponding main ingress) except `nginx.ingress.kubernetes.io/load-balance`, `nginx.ingress.kubernetes.io/upstream-hash-by`, and [annotations related to session affinity](#session-affinity). If you want to restore the original behavior of canaries when session affinity was ignored, set `nginx.ingress.kubernetes.io/affinity-canary-behavior` annotation with value `legacy` on the non-canary ingress definition.
 
 **Known Limitations**
 
@@ -163,6 +164,8 @@ The only affinity type available for NGINX is `cookie`.
 
 The annotation `nginx.ingress.kubernetes.io/affinity-mode` defines the stickiness of a session. Setting this to `balanced` (default) will redistribute some sessions if a deployment gets scaled up, therefore rebalancing the load on the servers. Setting this to `persistent` will not rebalance sessions to new servers, therefore providing maximum stickiness.
 
+The annotation `nginx.ingress.kubernetes.io/affinity-canary-behavior` defines the behavior of canaries when session affinity is enabled. Setting this to `sticky` (default) will ensure that users that were served by canaries, will continue to be served by canaries. Setting this to `legacy` will restore original canary behavior, when session affinity was ignored.
+
 !!! attention
     If more than one Ingress is defined for a host and at least one Ingress uses `nginx.ingress.kubernetes.io/affinity: cookie`, then only paths on the Ingress using `nginx.ingress.kubernetes.io/affinity` will use session cookie affinity. All paths defined on other Ingresses for the host will be load balanced through the random selection of a backend server.
 
@@ -342,7 +345,7 @@ CORS can be controlled with the following annotations:
   - Example: `nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For, X-app123-XPTO"`
 
 * `nginx.ingress.kubernetes.io/cors-expose-headers`
-  controls which headers are exposed to response. This is a multi-valued field, separated by ',' and accepts 
+  controls which headers are exposed to response. This is a multi-valued field, separated by ',' and accepts
   letters, numbers, _, - and *.
   - Default: *empty*
   - Example: `nginx.ingress.kubernetes.io/cors-expose-headers: "*, X-CustomResponseHeader"`
diff --git a/internal/ingress/annotations/annotations_test.go b/internal/ingress/annotations/annotations_test.go
index 1a428e729..de02a8a16 100644
--- a/internal/ingress/annotations/annotations_test.go
+++ b/internal/ingress/annotations/annotations_test.go
@@ -30,19 +30,20 @@ import (
 )
 
 var (
-	annotationPassthrough          = parser.GetAnnotationWithPrefix("ssl-passthrough")
-	annotationAffinityType         = parser.GetAnnotationWithPrefix("affinity")
-	annotationAffinityMode         = parser.GetAnnotationWithPrefix("affinity-mode")
-	annotationCorsEnabled          = parser.GetAnnotationWithPrefix("enable-cors")
-	annotationCorsAllowMethods     = parser.GetAnnotationWithPrefix("cors-allow-methods")
-	annotationCorsAllowHeaders     = parser.GetAnnotationWithPrefix("cors-allow-headers")
-	annotationCorsExposeHeaders    = parser.GetAnnotationWithPrefix("cors-expose-headers")
-	annotationCorsAllowCredentials = parser.GetAnnotationWithPrefix("cors-allow-credentials")
-	defaultCorsMethods             = "GET, PUT, POST, DELETE, PATCH, OPTIONS"
-	defaultCorsHeaders             = "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization"
-	annotationAffinityCookieName   = parser.GetAnnotationWithPrefix("session-cookie-name")
-	annotationUpstreamHashBy       = parser.GetAnnotationWithPrefix("upstream-hash-by")
-	annotationCustomHTTPErrors     = parser.GetAnnotationWithPrefix("custom-http-errors")
+	annotationPassthrough            = parser.GetAnnotationWithPrefix("ssl-passthrough")
+	annotationAffinityType           = parser.GetAnnotationWithPrefix("affinity")
+	annotationAffinityMode           = parser.GetAnnotationWithPrefix("affinity-mode")
+	annotationAffinityCanaryBehavior = parser.GetAnnotationWithPrefix("affinity-canary-behavior")
+	annotationCorsEnabled            = parser.GetAnnotationWithPrefix("enable-cors")
+	annotationCorsAllowMethods       = parser.GetAnnotationWithPrefix("cors-allow-methods")
+	annotationCorsAllowHeaders       = parser.GetAnnotationWithPrefix("cors-allow-headers")
+	annotationCorsExposeHeaders      = parser.GetAnnotationWithPrefix("cors-expose-headers")
+	annotationCorsAllowCredentials   = parser.GetAnnotationWithPrefix("cors-allow-credentials")
+	defaultCorsMethods               = "GET, PUT, POST, DELETE, PATCH, OPTIONS"
+	defaultCorsHeaders               = "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization"
+	annotationAffinityCookieName     = parser.GetAnnotationWithPrefix("session-cookie-name")
+	annotationUpstreamHashBy         = parser.GetAnnotationWithPrefix("upstream-hash-by")
+	annotationCustomHTTPErrors       = parser.GetAnnotationWithPrefix("custom-http-errors")
 )
 
 type mockCfg struct {
@@ -162,29 +163,38 @@ func TestAffinitySession(t *testing.T) {
 	ing := buildIngress()
 
 	fooAnns := []struct {
-		annotations  map[string]string
-		affinitytype string
-		affinitymode string
-		name         string
+		annotations    map[string]string
+		affinitytype   string
+		affinitymode   string
+		cookiename     string
+		canarybehavior string
 	}{
-		{map[string]string{annotationAffinityType: "cookie", annotationAffinityMode: "balanced", annotationAffinityCookieName: "route"}, "cookie", "balanced", "route"},
-		{map[string]string{annotationAffinityType: "cookie", annotationAffinityMode: "persistent", annotationAffinityCookieName: "route1"}, "cookie", "persistent", "route1"},
-		{map[string]string{annotationAffinityType: "cookie", annotationAffinityMode: "balanced", annotationAffinityCookieName: ""}, "cookie", "balanced", "INGRESSCOOKIE"},
-		{map[string]string{}, "", "", ""},
-		{nil, "", "", ""},
+		{map[string]string{annotationAffinityType: "cookie", annotationAffinityMode: "balanced", annotationAffinityCookieName: "route", annotationAffinityCanaryBehavior: ""}, "cookie", "balanced", "route", ""},
+		{map[string]string{annotationAffinityType: "cookie", annotationAffinityMode: "persistent", annotationAffinityCookieName: "route1", annotationAffinityCanaryBehavior: "sticky"}, "cookie", "persistent", "route1", "sticky"},
+		{map[string]string{annotationAffinityType: "cookie", annotationAffinityMode: "balanced", annotationAffinityCookieName: "", annotationAffinityCanaryBehavior: "legacy"}, "cookie", "balanced", "INGRESSCOOKIE", "legacy"},
+		{map[string]string{}, "", "", "", ""},
+		{nil, "", "", "", ""},
 	}
 
 	for _, foo := range fooAnns {
 		ing.SetAnnotations(foo.annotations)
 		r := ec.Extract(ing).SessionAffinity
-		t.Logf("Testing pass %v %v", foo.affinitytype, foo.name)
+		t.Logf("Testing pass %v %v", foo.affinitytype, foo.cookiename)
 
-		if r.Mode != foo.affinitymode {
-			t.Errorf("Returned %v but expected %v for Name", r.Mode, foo.affinitymode)
+		if r.Type != foo.affinitytype {
+			t.Errorf("Returned %v but expected %v for Type", r.Type, foo.affinitytype)
 		}
 
-		if r.Cookie.Name != foo.name {
-			t.Errorf("Returned %v but expected %v for Name", r.Cookie.Name, foo.name)
+		if r.Mode != foo.affinitymode {
+			t.Errorf("Returned %v but expected %v for Mode", r.Mode, foo.affinitymode)
+		}
+
+		if r.CanaryBehavior != foo.canarybehavior {
+			t.Errorf("Returned %v but expected %v for CanaryBehavior", r.CanaryBehavior, foo.canarybehavior)
+		}
+
+		if r.Cookie.Name != foo.cookiename {
+			t.Errorf("Returned %v but expected %v for Cookie.Name", r.Cookie.Name, foo.cookiename)
 		}
 	}
 }
diff --git a/internal/ingress/annotations/sessionaffinity/main.go b/internal/ingress/annotations/sessionaffinity/main.go
index c5b340ec7..80b24f13b 100644
--- a/internal/ingress/annotations/sessionaffinity/main.go
+++ b/internal/ingress/annotations/sessionaffinity/main.go
@@ -27,8 +27,10 @@ import (
 )
 
 const (
-	annotationAffinityType = "affinity"
-	annotationAffinityMode = "affinity-mode"
+	annotationAffinityType           = "affinity"
+	annotationAffinityMode           = "affinity-mode"
+	annotationAffinityCanaryBehavior = "affinity-canary-behavior"
+
 	// If a cookie with this name exists,
 	// its value is used as an index into the list of available backends.
 	annotationAffinityCookieName = "session-cookie-name"
@@ -66,6 +68,8 @@ type Config struct {
 	Type string `json:"type"`
 	// The affinity mode, i.e. how sticky a session is
 	Mode string `json:"mode"`
+	// Affinity behavior for canaries (sticky or legacy)
+	CanaryBehavior string `json:"canaryBehavior"`
 	Cookie
 }
 
@@ -160,6 +164,11 @@ func (a affinity) Parse(ing *networking.Ingress) (interface{}, error) {
 		am = ""
 	}
 
+	cb, err := parser.GetStringAnnotation(annotationAffinityCanaryBehavior, ing)
+	if err != nil {
+		cb = ""
+	}
+
 	switch at {
 	case "cookie":
 		cookie = a.cookieAffinityParse(ing)
@@ -169,8 +178,9 @@ func (a affinity) Parse(ing *networking.Ingress) (interface{}, error) {
 	}
 
 	return &Config{
-		Type:   at,
-		Mode:   am,
-		Cookie: *cookie,
+		Type:           at,
+		Mode:           am,
+		CanaryBehavior: cb,
+		Cookie:         *cookie,
 	}, nil
 }
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 5d4cff721..08ef2d240 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -1315,7 +1315,7 @@ func canMergeBackend(primary *ingress.Backend, alternative *ingress.Backend) boo
 }
 
 // Performs the merge action and checks to ensure that one two alternative backends do not merge into each other
-func mergeAlternativeBackend(priUps *ingress.Backend, altUps *ingress.Backend) bool {
+func mergeAlternativeBackend(ing *ingress.Ingress, priUps *ingress.Backend, altUps *ingress.Backend) bool {
 	if priUps.NoServer {
 		klog.Warningf("unable to merge alternative backend %v into primary backend %v because %v is a primary backend",
 			altUps.Name, priUps.Name, priUps.Name)
@@ -1329,6 +1329,10 @@ func mergeAlternativeBackend(priUps *ingress.Backend, altUps *ingress.Backend) b
 		}
 	}
 
+	if ing.ParsedAnnotations != nil && ing.ParsedAnnotations.SessionAffinity.CanaryBehavior != "legacy" {
+		priUps.SessionAffinity.DeepCopyInto(&altUps.SessionAffinity)
+	}
+
 	priUps.AlternativeBackends =
 		append(priUps.AlternativeBackends, altUps.Name)
 
@@ -1368,7 +1372,7 @@ func mergeAlternativeBackends(ing *ingress.Ingress, upstreams map[string]*ingres
 					klog.V(2).Infof("matching backend %v found for alternative backend %v",
 						priUps.Name, altUps.Name)
 
-					merged = mergeAlternativeBackend(priUps, altUps)
+					merged = mergeAlternativeBackend(ing, priUps, altUps)
 				}
 			}
 
@@ -1421,7 +1425,7 @@ func mergeAlternativeBackends(ing *ingress.Ingress, upstreams map[string]*ingres
 					klog.V(2).Infof("matching backend %v found for alternative backend %v",
 						priUps.Name, altUps.Name)
 
-					merged = mergeAlternativeBackend(priUps, altUps)
+					merged = mergeAlternativeBackend(ing, priUps, altUps)
 				}
 			}
 
diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go
index 22d108ca4..112aac0b1 100644
--- a/internal/ingress/controller/controller_test.go
+++ b/internal/ingress/controller/controller_test.go
@@ -44,6 +44,7 @@ import (
 	"k8s.io/ingress-nginx/internal/ingress/annotations/canary"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/proxyssl"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/sessionaffinity"
 	"k8s.io/ingress-nginx/internal/ingress/controller/config"
 	ngx_config "k8s.io/ingress-nginx/internal/ingress/controller/config"
 	"k8s.io/ingress-nginx/internal/ingress/controller/store"
@@ -786,6 +787,326 @@ func TestMergeAlternativeBackends(t *testing.T) {
 				},
 			},
 		},
+		"alternative backend gets SessionAffinitySettings configured when CanaryBehavior is 'sticky'": {
+			&ingress.Ingress{
+				Ingress: networking.Ingress{
+					ObjectMeta: metav1.ObjectMeta{
+						Namespace: "example",
+					},
+					Spec: networking.IngressSpec{
+						Rules: []networking.IngressRule{
+							{
+								Host: "example.com",
+								IngressRuleValue: networking.IngressRuleValue{
+									HTTP: &networking.HTTPIngressRuleValue{
+										Paths: []networking.HTTPIngressPath{
+											{
+												Path:     "/",
+												PathType: &pathTypePrefix,
+												Backend: networking.IngressBackend{
+													ServiceName: "http-svc-canary",
+													ServicePort: intstr.IntOrString{
+														IntVal: 80,
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+				ParsedAnnotations: &annotations.Ingress{
+					SessionAffinity: sessionaffinity.Config{
+						CanaryBehavior: "sticky",
+					},
+				},
+			},
+			map[string]*ingress.Backend{
+				"example-http-svc-80": {
+					Name:     "example-http-svc-80",
+					NoServer: false,
+					SessionAffinity: ingress.SessionAffinityConfig{
+						AffinityType: "cookie",
+						AffinityMode: "balanced",
+						CookieSessionAffinity: ingress.CookieSessionAffinity{
+							Name: "test",
+						},
+					},
+				},
+				"example-http-svc-canary-80": {
+					Name:     "example-http-svc-canary-80",
+					NoServer: true,
+					TrafficShapingPolicy: ingress.TrafficShapingPolicy{
+						Weight: 20,
+					},
+				},
+			},
+			map[string]*ingress.Server{
+				"example.com": {
+					Hostname: "example.com",
+					Locations: []*ingress.Location{
+						{
+							Path:     "/",
+							PathType: &pathTypePrefix,
+							Backend:  "example-http-svc-80",
+						},
+					},
+				},
+			},
+			map[string]*ingress.Backend{
+				"example-http-svc-80": {
+					Name:                "example-http-svc-80",
+					NoServer:            false,
+					AlternativeBackends: []string{"example-http-svc-canary-80"},
+					SessionAffinity: ingress.SessionAffinityConfig{
+						AffinityType: "cookie",
+						AffinityMode: "balanced",
+						CookieSessionAffinity: ingress.CookieSessionAffinity{
+							Name: "test",
+						},
+					},
+				},
+				"example-http-svc-canary-80": {
+					Name:     "example-http-svc-canary-80",
+					NoServer: true,
+					TrafficShapingPolicy: ingress.TrafficShapingPolicy{
+						Weight: 20,
+					},
+					SessionAffinity: ingress.SessionAffinityConfig{
+						AffinityType: "cookie",
+						AffinityMode: "balanced",
+						CookieSessionAffinity: ingress.CookieSessionAffinity{
+							Name: "test",
+						},
+					},
+				},
+			},
+			map[string]*ingress.Server{
+				"example.com": {
+					Hostname: "example.com",
+					Locations: []*ingress.Location{
+						{
+							Path:     "/",
+							PathType: &pathTypePrefix,
+							Backend:  "example-http-svc-80",
+						},
+					},
+				},
+			},
+		},
+		"alternative backend gets SessionAffinitySettings configured when CanaryBehavior is not 'legacy'": {
+			&ingress.Ingress{
+				Ingress: networking.Ingress{
+					ObjectMeta: metav1.ObjectMeta{
+						Namespace: "example",
+					},
+					Spec: networking.IngressSpec{
+						Rules: []networking.IngressRule{
+							{
+								Host: "example.com",
+								IngressRuleValue: networking.IngressRuleValue{
+									HTTP: &networking.HTTPIngressRuleValue{
+										Paths: []networking.HTTPIngressPath{
+											{
+												Path:     "/",
+												PathType: &pathTypePrefix,
+												Backend: networking.IngressBackend{
+													ServiceName: "http-svc-canary",
+													ServicePort: intstr.IntOrString{
+														IntVal: 80,
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+				ParsedAnnotations: &annotations.Ingress{
+					SessionAffinity: sessionaffinity.Config{
+						CanaryBehavior: "", // In fact any value but 'legacy' would do the trick.
+					},
+				},
+			},
+			map[string]*ingress.Backend{
+				"example-http-svc-80": {
+					Name:     "example-http-svc-80",
+					NoServer: false,
+					SessionAffinity: ingress.SessionAffinityConfig{
+						AffinityType: "cookie",
+						AffinityMode: "balanced",
+						CookieSessionAffinity: ingress.CookieSessionAffinity{
+							Name: "test",
+						},
+					},
+				},
+				"example-http-svc-canary-80": {
+					Name:     "example-http-svc-canary-80",
+					NoServer: true,
+					TrafficShapingPolicy: ingress.TrafficShapingPolicy{
+						Weight: 20,
+					},
+				},
+			},
+			map[string]*ingress.Server{
+				"example.com": {
+					Hostname: "example.com",
+					Locations: []*ingress.Location{
+						{
+							Path:     "/",
+							PathType: &pathTypePrefix,
+							Backend:  "example-http-svc-80",
+						},
+					},
+				},
+			},
+			map[string]*ingress.Backend{
+				"example-http-svc-80": {
+					Name:                "example-http-svc-80",
+					NoServer:            false,
+					AlternativeBackends: []string{"example-http-svc-canary-80"},
+					SessionAffinity: ingress.SessionAffinityConfig{
+						AffinityType: "cookie",
+						AffinityMode: "balanced",
+						CookieSessionAffinity: ingress.CookieSessionAffinity{
+							Name: "test",
+						},
+					},
+				},
+				"example-http-svc-canary-80": {
+					Name:     "example-http-svc-canary-80",
+					NoServer: true,
+					TrafficShapingPolicy: ingress.TrafficShapingPolicy{
+						Weight: 20,
+					},
+					SessionAffinity: ingress.SessionAffinityConfig{
+						AffinityType: "cookie",
+						AffinityMode: "balanced",
+						CookieSessionAffinity: ingress.CookieSessionAffinity{
+							Name: "test",
+						},
+					},
+				},
+			},
+			map[string]*ingress.Server{
+				"example.com": {
+					Hostname: "example.com",
+					Locations: []*ingress.Location{
+						{
+							Path:     "/",
+							PathType: &pathTypePrefix,
+							Backend:  "example-http-svc-80",
+						},
+					},
+				},
+			},
+		},
+		"alternative backend doesn't get SessionAffinitySettings configured when CanaryBehavior is 'legacy'": {
+			&ingress.Ingress{
+				Ingress: networking.Ingress{
+					ObjectMeta: metav1.ObjectMeta{
+						Namespace: "example",
+					},
+					Spec: networking.IngressSpec{
+						Rules: []networking.IngressRule{
+							{
+								Host: "example.com",
+								IngressRuleValue: networking.IngressRuleValue{
+									HTTP: &networking.HTTPIngressRuleValue{
+										Paths: []networking.HTTPIngressPath{
+											{
+												Path:     "/",
+												PathType: &pathTypePrefix,
+												Backend: networking.IngressBackend{
+													ServiceName: "http-svc-canary",
+													ServicePort: intstr.IntOrString{
+														IntVal: 80,
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+				ParsedAnnotations: &annotations.Ingress{
+					SessionAffinity: sessionaffinity.Config{
+						CanaryBehavior: "legacy",
+					},
+				},
+			},
+			map[string]*ingress.Backend{
+				"example-http-svc-80": {
+					Name:     "example-http-svc-80",
+					NoServer: false,
+					SessionAffinity: ingress.SessionAffinityConfig{
+						AffinityType: "cookie",
+						AffinityMode: "balanced",
+						CookieSessionAffinity: ingress.CookieSessionAffinity{
+							Name: "test",
+						},
+					},
+				},
+				"example-http-svc-canary-80": {
+					Name:     "example-http-svc-canary-80",
+					NoServer: true,
+					TrafficShapingPolicy: ingress.TrafficShapingPolicy{
+						Weight: 20,
+					},
+				},
+			},
+			map[string]*ingress.Server{
+				"example.com": {
+					Hostname: "example.com",
+					Locations: []*ingress.Location{
+						{
+							Path:     "/",
+							PathType: &pathTypePrefix,
+							Backend:  "example-http-svc-80",
+						},
+					},
+				},
+			},
+			map[string]*ingress.Backend{
+				"example-http-svc-80": {
+					Name:                "example-http-svc-80",
+					NoServer:            false,
+					AlternativeBackends: []string{"example-http-svc-canary-80"},
+					SessionAffinity: ingress.SessionAffinityConfig{
+						AffinityType: "cookie",
+						AffinityMode: "balanced",
+						CookieSessionAffinity: ingress.CookieSessionAffinity{
+							Name: "test",
+						},
+					},
+				},
+				"example-http-svc-canary-80": {
+					Name:     "example-http-svc-canary-80",
+					NoServer: true,
+					TrafficShapingPolicy: ingress.TrafficShapingPolicy{
+						Weight: 20,
+					},
+				},
+			},
+			map[string]*ingress.Server{
+				"example.com": {
+					Hostname: "example.com",
+					Locations: []*ingress.Location{
+						{
+							Path:     "/",
+							PathType: &pathTypePrefix,
+							Backend:  "example-http-svc-80",
+						},
+					},
+				},
+			},
+		},
 	}
 
 	for title, tc := range testCases {
@@ -801,7 +1122,7 @@ func TestMergeAlternativeBackends(t *testing.T) {
 				if !actualUpstream.Equal(expUpstream) {
 					t.Logf("actual upstream %s alternative backends: %s", actualUpstream.Name, actualUpstream.AlternativeBackends)
 					t.Logf("expected upstream %s alternative backends: %s", expUpstream.Name, expUpstream.AlternativeBackends)
-					t.Errorf("upstream %s was not equal to what was expected: ", upsName)
+					t.Errorf("upstream %s was not equal to what was expected", actualUpstream.Name)
 				}
 			}
 
diff --git a/rootfs/etc/nginx/lua/balancer.lua b/rootfs/etc/nginx/lua/balancer.lua
index afcfebb67..e83257a6f 100644
--- a/rootfs/etc/nginx/lua/balancer.lua
+++ b/rootfs/etc/nginx/lua/balancer.lua
@@ -48,7 +48,7 @@ local function get_implementation(backend)
 
   if backend["sessionAffinityConfig"] and
      backend["sessionAffinityConfig"]["name"] == "cookie" then
-    if backend["sessionAffinityConfig"]["mode"] == 'persistent' then
+    if backend["sessionAffinityConfig"]["mode"] == "persistent" then
       name = "sticky_persistent"
     else
       name = "sticky_balanced"
@@ -186,6 +186,11 @@ local function sync_backends()
 end
 
 local function route_to_alternative_balancer(balancer)
+  if balancer.is_affinitized(balancer) then
+    -- If request is already affinitized to a primary balancer, keep the primary balancer.
+    return false
+  end
+
   if not balancer.alternative_backends then
     return false
   end
@@ -204,6 +209,13 @@ local function route_to_alternative_balancer(balancer)
     return false
   end
 
+  if alternative_balancer.is_affinitized(alternative_balancer) then
+    -- If request is affinitized to an alternative balancer, instruct caller to
+    -- switch to alternative.
+    return true
+  end
+
+  -- Use traffic shaping policy, if request didn't have affinity set.
   local traffic_shaping_policy =  alternative_balancer.traffic_shaping_policy
   if not traffic_shaping_policy then
     ngx.log(ngx.ERR, "traffic shaping policy is not set for balancer ",
@@ -254,6 +266,10 @@ local function route_to_alternative_balancer(balancer)
   return false
 end
 
+local function get_balancer_by_upstream_name(upstream_name)
+  return balancers[upstream_name]
+end
+
 local function get_balancer()
   if ngx.ctx.balancer then
     return ngx.ctx.balancer
@@ -263,7 +279,7 @@ local function get_balancer()
 
   local balancer = balancers[backend_name]
   if not balancer then
-    return
+    return nil
   end
 
   if route_to_alternative_balancer(balancer) then
@@ -352,6 +368,7 @@ setmetatable(_M, {__index = {
   sync_backend = sync_backend,
   route_to_alternative_balancer = route_to_alternative_balancer,
   get_balancer = get_balancer,
+  get_balancer_by_upstream_name = get_balancer_by_upstream_name,
 }})
 
 return _M
diff --git a/rootfs/etc/nginx/lua/balancer/chashsubset.lua b/rootfs/etc/nginx/lua/balancer/chashsubset.lua
index 28c2354a1..d9ceb471e 100644
--- a/rootfs/etc/nginx/lua/balancer/chashsubset.lua
+++ b/rootfs/etc/nginx/lua/balancer/chashsubset.lua
@@ -68,6 +68,10 @@ function _M.new(self, backend)
   return o
 end
 
+function _M.is_affinitized()
+  return false
+end
+
 function _M.balance(self)
   local key = util.generate_var_value(self.hash_by)
   local subset_id = self.instance:find(key)
diff --git a/rootfs/etc/nginx/lua/balancer/ewma.lua b/rootfs/etc/nginx/lua/balancer/ewma.lua
index ae65ccc73..681866dc1 100644
--- a/rootfs/etc/nginx/lua/balancer/ewma.lua
+++ b/rootfs/etc/nginx/lua/balancer/ewma.lua
@@ -170,6 +170,10 @@ local function calculate_slow_start_ewma(self)
   return total_ewma / endpoints_count
 end
 
+function _M.is_affinitized()
+  return false
+end
+
 function _M.balance(self)
   local peers = self.peers
   local endpoint, ewma_score = peers[1], -1
diff --git a/rootfs/etc/nginx/lua/balancer/resty.lua b/rootfs/etc/nginx/lua/balancer/resty.lua
index c1065ff19..12b24be14 100644
--- a/rootfs/etc/nginx/lua/balancer/resty.lua
+++ b/rootfs/etc/nginx/lua/balancer/resty.lua
@@ -14,6 +14,10 @@ function _M.new(self, o)
   return o
 end
 
+function _M.is_affinitized()
+  return false
+end
+
 function _M.sync(self, backend)
   self.traffic_shaping_policy = backend.trafficShapingPolicy
   self.alternative_backends = backend.alternativeBackends
diff --git a/rootfs/etc/nginx/lua/balancer/sticky.lua b/rootfs/etc/nginx/lua/balancer/sticky.lua
index 45ea9beaf..63f3c6785 100644
--- a/rootfs/etc/nginx/lua/balancer/sticky.lua
+++ b/rootfs/etc/nginx/lua/balancer/sticky.lua
@@ -13,6 +13,7 @@ local setmetatable = setmetatable
 
 local _M = balancer_resty:new()
 local DEFAULT_COOKIE_NAME = "route"
+local COOKIE_VALUE_DELIMITER = "|"
 
 function _M.cookie_name(self)
   return self.cookie_session_affinity.name or DEFAULT_COOKIE_NAME
@@ -22,7 +23,8 @@ function _M.new(self)
   local o = {
     alternative_backends = nil,
     cookie_session_affinity = nil,
-    traffic_shaping_policy = nil
+    traffic_shaping_policy = nil,
+    backend_key = nil
   }
 
   setmetatable(o, self)
@@ -31,13 +33,37 @@ function _M.new(self)
   return o
 end
 
-function _M.get_cookie(self)
+function _M.get_cookie_parsed(self)
   local cookie, err = ck:new()
   if not cookie then
     ngx.log(ngx.ERR, err)
   end
 
-  return cookie:get(self:cookie_name())
+  local result = {
+    upstream_key = nil,
+    backend_key = nil
+  }
+
+  local raw_value = cookie:get(self:cookie_name())
+  if not raw_value then
+    return result
+  end
+
+  local parsed_value, len = split.split_string(raw_value, COOKIE_VALUE_DELIMITER)
+  if len == 0 then
+    return result
+  end
+
+  result.upstream_key = parsed_value[1]
+  if len > 1 then
+    result.backend_key = parsed_value[2]
+  end
+
+  return result
+end
+
+function _M.get_cookie(self)
+  return self:get_cookie_parsed().upstream_key
 end
 
 function _M.set_cookie(self, value)
@@ -63,7 +89,7 @@ function _M.set_cookie(self, value)
 
   local cookie_data = {
     key = self:cookie_name(),
-    value = value,
+    value = value .. COOKIE_VALUE_DELIMITER .. self.backend_key,
     path = cookie_path,
     httponly = true,
     samesite = cookie_samesite,
@@ -86,6 +112,10 @@ function _M.set_cookie(self, value)
   end
 end
 
+function _M.is_affinitized(self)
+  return self:get_cookie_parsed().backend_key == self.backend_key
+end
+
 function _M.get_last_failure()
   return ngx_balancer.get_last_failure()
 end
@@ -166,6 +196,7 @@ function _M.sync(self, backend)
   self.traffic_shaping_policy = backend.trafficShapingPolicy
   self.alternative_backends = backend.alternativeBackends
   self.cookie_session_affinity = backend.sessionAffinityConfig.cookieSessionAffinity
+  self.backend_key = ngx.md5(ngx.md5(backend.name) .. backend.name)
 end
 
 return _M
diff --git a/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua b/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua
index 44e103c1c..a0c0ae54f 100644
--- a/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua
+++ b/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua
@@ -5,24 +5,35 @@ local util = require("util")
 
 local original_ngx = ngx
 
-function mock_ngx(mock)
-  local _ngx = mock
-  setmetatable(_ngx, {__index = _G.ngx})
-  _G.ngx = _ngx
-end
-
-local function reset_ngx()
-  _G.ngx = original_ngx
-end
-
 local function reset_sticky_balancer()
   package.loaded["balancer.sticky"] = nil
   package.loaded["balancer.sticky_balanced"] = nil
   package.loaded["balancer.sticky_persistent"] = nil
+
   sticky_balanced = require("balancer.sticky_balanced")
   sticky_persistent = require("balancer.sticky_persistent")
 end
 
+local function mock_ngx(mock, after_mock_set)
+  local _ngx = mock
+  setmetatable(_ngx, { __index = ngx })
+  _G.ngx = _ngx
+
+  if after_mock_set then
+    after_mock_set()
+  end
+
+  -- Balancer module caches ngx module, must be reset after mocks were configured.
+  reset_sticky_balancer()
+end
+
+local function reset_ngx()
+  _G.ngx = original_ngx
+
+  -- Ensure balancer cache is reset.
+  _G.ngx.ctx.balancer = nil
+end
+
 function get_mocked_cookie_new()
   local o = { value = nil }
   local mock = {
@@ -55,7 +66,6 @@ end
 describe("Sticky", function()
   before_each(function()
     mock_ngx({ var = { location_path = "/", host = "test.com" } })
-    reset_sticky_balancer()
   end)
 
   after_each(function()
@@ -65,29 +75,44 @@ describe("Sticky", function()
   local test_backend = get_test_backend()
   local test_backend_endpoint= test_backend.endpoints[1].address .. ":" .. test_backend.endpoints[1].port
 
+  local legacy_cookie_value = test_backend_endpoint
+  local function create_current_cookie_value(backend_key)
+    return test_backend_endpoint .. "|" .. backend_key
+  end
+
   describe("new(backend)", function()
-    context("when backend specifies cookie name", function()
-      local function test(sticky)
-        local sticky_balancer_instance = sticky:new(test_backend)
+    describe("when backend specifies cookie name", function()
+      local function test_with(sticky_balancer_type)
+        local sticky_balancer_instance = sticky_balancer_type:new(test_backend)
         local test_backend_cookie_name = test_backend.sessionAffinityConfig.cookieSessionAffinity.name
         assert.equal(sticky_balancer_instance:cookie_name(), test_backend_cookie_name)
       end
 
-      it("returns an instance containing the corresponding cookie name", function() test(sticky_balanced) end)
-      it("returns an instance containing the corresponding cookie name", function() test(sticky_persistent) end)
+      it("returns an instance containing the corresponding cookie name", function() test_with(sticky_balanced) end)
+      it("returns an instance containing the corresponding cookie name", function() test_with(sticky_persistent) end)
     end)
 
-    context("when backend does not specify cookie name", function()
-      local function test(sticky)
+    describe("when backend does not specify cookie name", function()
+      local function test_with(sticky_balancer_type)
         local temp_backend = util.deepcopy(test_backend)
         temp_backend.sessionAffinityConfig.cookieSessionAffinity.name = nil
-        local sticky_balancer_instance = sticky:new(temp_backend)
+        local sticky_balancer_instance = sticky_balancer_type:new(temp_backend)
         local default_cookie_name = "route"
         assert.equal(sticky_balancer_instance:cookie_name(), default_cookie_name)
       end
 
-      it("returns an instance with 'route' as cookie name", function() test(sticky_balanced) end)
-      it("returns an instance with 'route' as cookie name", function() test(sticky_persistent) end)
+      it("returns an instance with 'route' as cookie name", function() test_with(sticky_balanced) end)
+      it("returns an instance with 'route' as cookie name", function() test_with(sticky_persistent) end)
+    end)
+
+    describe("backend_key", function()
+      local function test_with(sticky_balancer_type)
+        local sticky_balancer_instance = sticky_balancer_type:new(test_backend)
+        assert.is_truthy(sticky_balancer_instance.backend_key)
+      end
+
+      it("calculates at construction time", function() test_with(sticky_balanced) end)
+      it("calculates at construction time", function() test_with(sticky_persistent) end)
     end)
   end)
 
@@ -95,28 +120,25 @@ describe("Sticky", function()
     local mocked_cookie_new = cookie.new
 
     before_each(function()
-      package.loaded["balancer.sticky_balanced"] = nil
-      package.loaded["balancer.sticky_persistent"] = nil
-      sticky_balanced = require("balancer.sticky_balanced")
-      sticky_persistent = require("balancer.sticky_persistent")
+      reset_sticky_balancer()
     end)
 
     after_each(function()
       cookie.new = mocked_cookie_new
     end)
 
-    context("when client doesn't have a cookie set and location is in cookie_locations", function()
+    describe("when client doesn't have a cookie set and location is in cookie_locations", function()
 
-      local function test_pick_endpoint(sticky)
-        local sticky_balancer_instance = sticky:new(test_backend)
+      local function test_pick_endpoint_with(sticky_balancer_type)
+        local sticky_balancer_instance = sticky_balancer_type:new(test_backend)
         local peer = sticky_balancer_instance:balance()
         assert.equal(test_backend_endpoint, peer)
       end
 
-      it("picks an endpoint for the client", function() test_pick_endpoint(sticky_balanced) end)
-      it("picks an endpoint for the client", function() test_pick_endpoint(sticky_persistent) end)
+      it("picks an endpoint for the client", function() test_pick_endpoint_with(sticky_balanced) end)
+      it("picks an endpoint for the client", function() test_pick_endpoint_with(sticky_persistent) end)
 
-      local function test_set_cookie(sticky)
+      local function test_set_cookie_with(sticky_balancer_type)
         local s = {}
         cookie.new = function(self)
           local cookie_instance = {
@@ -137,15 +159,15 @@ describe("Sticky", function()
         local b = get_test_backend()
         b.sessionAffinityConfig.cookieSessionAffinity.locations = {}
         b.sessionAffinityConfig.cookieSessionAffinity.locations["test.com"] = {"/"}
-        local sticky_balancer_instance = sticky:new(b)
+        local sticky_balancer_instance = sticky_balancer_type:new(b)
         assert.has_no.errors(function() sticky_balancer_instance:balance() end)
         assert.spy(s).was_called()
       end
 
-      it("sets a cookie on the client", function() test_set_cookie(sticky_balanced) end)
-      it("sets a cookie on the client", function() test_set_cookie(sticky_persistent) end)
+      it("sets a cookie on the client", function() test_set_cookie_with(sticky_balanced) end)
+      it("sets a cookie on the client", function() test_set_cookie_with(sticky_persistent) end)
 
-      local function test_set_ssl_cookie(sticky)
+      local function test_set_ssl_cookie_with(sticky_balancer_type)
         ngx.var.https = "on"
         local s = {}
         cookie.new = function(self)
@@ -167,21 +189,17 @@ describe("Sticky", function()
         local b = get_test_backend()
         b.sessionAffinityConfig.cookieSessionAffinity.locations = {}
         b.sessionAffinityConfig.cookieSessionAffinity.locations["test.com"] = {"/"}
-        local sticky_balancer_instance = sticky:new(b)
+        local sticky_balancer_instance = sticky_balancer_type:new(b)
         assert.has_no.errors(function() sticky_balancer_instance:balance() end)
         assert.spy(s).was_called()
       end
 
-      it("sets a secure cookie on the client when being in ssl mode", function()
-          test_set_ssl_cookie(sticky_balanced)
-      end)
-      it("sets a secure cookie on the client when being in ssl mode", function()
-        test_set_ssl_cookie(sticky_persistent)
-      end)
+      it("sets a secure cookie on the client when being in ssl mode", function() test_set_ssl_cookie_with(sticky_balanced) end)
+      it("sets a secure cookie on the client when being in ssl mode", function() test_set_ssl_cookie_with(sticky_persistent) end)
     end)
 
-    context("when client doesn't have a cookie set and cookie_locations contains a matching wildcard location",
-    function()
+    describe("when client doesn't have a cookie set and cookie_locations contains a matching wildcard location", function()
+
       before_each(function ()
         ngx.var.host = "dev.test.com"
       end)
@@ -189,7 +207,7 @@ describe("Sticky", function()
         ngx.var.host = "test.com"
       end)
 
-      local function test(sticky)
+      local function test_with(sticky_balancer_type)
         local s = {}
         cookie.new = function(self)
           local cookie_instance = {
@@ -211,27 +229,27 @@ describe("Sticky", function()
         local b = get_test_backend()
         b.sessionAffinityConfig.cookieSessionAffinity.locations = {}
         b.sessionAffinityConfig.cookieSessionAffinity.locations["*.test.com"] = {"/"}
-        local sticky_balancer_instance = sticky:new(b)
+        local sticky_balancer_instance = sticky_balancer_type:new(b)
         assert.has_no.errors(function() sticky_balancer_instance:balance() end)
         assert.spy(s).was_called()
       end
 
-      it("sets a cookie on the client", function() test(sticky_balanced) end)
-      it("sets a cookie on the client", function() test(sticky_persistent) end)
+      it("sets a cookie on the client", function() test_with(sticky_balanced) end)
+      it("sets a cookie on the client", function() test_with(sticky_persistent) end)
     end)
 
-    context("when client doesn't have a cookie set and location not in cookie_locations", function()
+    describe("when client doesn't have a cookie set and location not in cookie_locations", function()
 
-      local function test_pick_endpoint(sticky)
-        local sticky_balancer_instance = sticky:new(test_backend)
+      local function test_pick_endpoint_with(sticky_balancer_type)
+        local sticky_balancer_instance = sticky_balancer_type:new(test_backend)
         local peer = sticky_balancer_instance:balance()
         assert.equal(peer, test_backend_endpoint)
       end
 
-      it("picks an endpoint for the client", function() test_pick_endpoint(sticky_balanced) end)
-      it("picks an endpoint for the client", function() test_pick_endpoint(sticky_persistent) end)
+      it("picks an endpoint for the client", function() test_pick_endpoint_with(sticky_balanced) end)
+      it("picks an endpoint for the client", function() test_pick_endpoint_with(sticky_persistent) end)
 
-      local function test_no_cookie(sticky)
+      local function test_no_cookie_with(sticky_balancer_type)
         local s = {}
         cookie.new = function(self)
           local cookie_instance = {
@@ -248,34 +266,34 @@ describe("Sticky", function()
           s = spy.on(cookie_instance, "set")
           return cookie_instance, false
         end
-        local sticky_balancer_instance = sticky:new(get_test_backend())
+        local sticky_balancer_instance = sticky_balancer_type:new(get_test_backend())
         assert.has_no.errors(function() sticky_balancer_instance:balance() end)
         assert.spy(s).was_not_called()
       end
 
-      it("does not set a cookie on the client", function() test_no_cookie(sticky_balanced) end)
-      it("does not set a cookie on the client", function() test_no_cookie(sticky_persistent) end)
+      it("does not set a cookie on the client", function() test_no_cookie_with(sticky_balanced) end)
+      it("does not set a cookie on the client", function() test_no_cookie_with(sticky_persistent) end)
     end)
 
-    context("when client has a cookie set", function()
+    describe("when client has a cookie set", function()
 
-      local function test_no_cookie(sticky)
+      local function test_no_cookie_with(sticky_balancer_type)
         local s = {}
         cookie.new = function(self)
           local return_obj = {
             set = function(v) return false, nil end,
-            get = function(k) return test_backend_endpoint end,
+            get = function(k) return legacy_cookie_value end,
           }
           s = spy.on(return_obj, "set")
           return return_obj, false
         end
-        local sticky_balancer_instance = sticky:new(test_backend)
+        local sticky_balancer_instance = sticky_balancer_type:new(test_backend)
         assert.has_no.errors(function() sticky_balancer_instance:balance() end)
         assert.spy(s).was_not_called()
       end
 
-      it("does not set a cookie", function() test_no_cookie(sticky_balanced) end)
-      it("does not set a cookie", function() test_no_cookie(sticky_persistent) end)
+      it("does not set a cookie", function() test_no_cookie_with(sticky_balanced) end)
+      it("does not set a cookie", function() test_no_cookie_with(sticky_persistent) end)
 
       local function test_correct_endpoint(sticky)
         local sticky_balancer_instance = sticky:new(test_backend)
@@ -312,17 +330,16 @@ describe("Sticky", function()
 
     before_each(function()
       mock_ngx({ var = { location_path = "/", host = "test.com" } })
-      reset_sticky_balancer()
     end)
 
     after_each(function()
       reset_ngx()
     end)
 
-    context("when request to upstream fails", function()
+    describe("when request to upstream fails", function()
 
-      local function test(sticky, change_on_failure)
-        local sticky_balancer_instance = sticky:new(get_several_test_backends(change_on_failure))
+      local function test_with(sticky_balancer_type, change_on_failure)
+        local sticky_balancer_instance = sticky_balancer_type:new(get_several_test_backends(change_on_failure))
 
         local old_upstream = sticky_balancer_instance:balance()
         assert.is.Not.Nil(old_upstream)
@@ -349,29 +366,21 @@ describe("Sticky", function()
         end
       end
 
-      it("changes upstream when change_on_failure option is true", function()
-        test(sticky_balanced, true)
-      end)
-      it("changes upstream when change_on_failure option is true", function()
-        test(sticky_balanced, false)
-      end)
-      it("changes upstream when change_on_failure option is true", function()
-        test(sticky_persistent, true)
-      end)
-      it("changes upstream when change_on_failure option is true", function()
-        test(sticky_persistent, false)
-      end)
+      it("changes upstream when change_on_failure option is true", function() test_with(sticky_balanced, true) end)
+      it("changes upstream when change_on_failure option is true", function() test_with(sticky_persistent, true) end)
+
+      it("changes upstream when change_on_failure option is false", function() test_with(sticky_balanced, false) end)
+      it("changes upstream when change_on_failure option is false", function() test_with(sticky_persistent, false) end)
     end)
   end)
 
-  context("when client doesn't have a cookie set and no host header, matching default server '_'",
-  function()
+  describe("when client doesn't have a cookie set and no host header, matching default server '_'", function()
     before_each(function ()
       ngx.var.host = "not-default-server"
       ngx.var.server_name = "_"
     end)
 
-    local function test(sticky)
+    local function test_with(sticky_balancer_type)
       local s = {}
       cookie.new = function(self)
         local cookie_instance = {
@@ -393,30 +402,27 @@ describe("Sticky", function()
       local b = get_test_backend()
       b.sessionAffinityConfig.cookieSessionAffinity.locations = {}
       b.sessionAffinityConfig.cookieSessionAffinity.locations["_"] = {"/"}
-      local sticky_balancer_instance = sticky:new(b)
+      local sticky_balancer_instance = sticky_balancer_type:new(b)
       assert.has_no.errors(function() sticky_balancer_instance:balance() end)
       assert.spy(s).was_called()
     end
 
-    it("sets a cookie on the client", function() test(sticky_balanced) end)
-    it("sets a cookie on the client", function() test(sticky_persistent) end)
+    it("sets a cookie on the client", function() test_with(sticky_balanced) end)
+    it("sets a cookie on the client", function() test_with(sticky_persistent) end)
   end)
 
   describe("SameSite settings", function()
     local mocked_cookie_new = cookie.new
 
     before_each(function()
-      package.loaded["balancer.sticky_balanced"] = nil
-      package.loaded["balancer.sticky_persistent"] = nil
-      sticky_balanced = require("balancer.sticky_balanced")
-      sticky_persistent = require("balancer.sticky_persistent")
+      reset_sticky_balancer()
     end)
 
     after_each(function()
       cookie.new = mocked_cookie_new
     end)
 
-    local function test_set_cookie(sticky, samesite, conditional_samesite_none, expected_path, expected_samesite)
+    local function test_set_cookie_with(sticky_balancer_type, samesite, conditional_samesite_none, expected_path, expected_samesite)
       local s = {}
       cookie.new = function(self)
         local cookie_instance = {
@@ -439,34 +445,179 @@ describe("Sticky", function()
       b.sessionAffinityConfig.cookieSessionAffinity.locations["test.com"] = {"/"}
       b.sessionAffinityConfig.cookieSessionAffinity.samesite = samesite
       b.sessionAffinityConfig.cookieSessionAffinity.conditional_samesite_none = conditional_samesite_none
-      local sticky_balancer_instance = sticky:new(b)
+      local sticky_balancer_instance = sticky_balancer_type:new(b)
       assert.has_no.errors(function() sticky_balancer_instance:balance() end)
       assert.spy(s).was_called()
     end
 
     it("returns a cookie with SameSite=Strict when user specifies samesite strict", function()
-      test_set_cookie(sticky_balanced, "Strict", false, "/", "Strict")
+      test_set_cookie_with(sticky_balanced, "Strict", false, "/", "Strict")
     end)
     it("returns a cookie with SameSite=Strict when user specifies samesite strict and conditional samesite none", function()
-      test_set_cookie(sticky_balanced, "Strict", true, "/", "Strict")
+      test_set_cookie_with(sticky_balanced, "Strict", true, "/", "Strict")
     end)
     it("returns a cookie with SameSite=Lax when user specifies samesite lax", function()
-      test_set_cookie(sticky_balanced, "Lax", false, "/", "Lax")
+      test_set_cookie_with(sticky_balanced, "Lax", false, "/", "Lax")
     end)
     it("returns a cookie with SameSite=Lax when user specifies samesite lax and conditional samesite none", function()
-      test_set_cookie(sticky_balanced, "Lax", true, "/", "Lax")
+      test_set_cookie_with(sticky_balanced, "Lax", true, "/", "Lax")
     end)
     it("returns a cookie with SameSite=None when user specifies samesite None", function()
-      test_set_cookie(sticky_balanced, "None", false, "/", "None")
+      test_set_cookie_with(sticky_balanced, "None", false, "/", "None")
     end)
     it("returns a cookie with SameSite=None when user specifies samesite None and conditional samesite none with supported user agent", function()
       mock_ngx({ var = { location_path = "/", host = "test.com" , http_user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.2704.103 Safari/537.36"} })
-      test_set_cookie(sticky_balanced, "None", true, "/", "None")
+      test_set_cookie_with(sticky_balanced, "None", true, "/", "None")
     end)
     it("returns a cookie without SameSite=None when user specifies samesite None and conditional samesite none with unsupported user agent", function()
       mock_ngx({ var = { location_path = "/", host = "test.com" , http_user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"} })
-      reset_sticky_balancer()
-      test_set_cookie(sticky_balanced, "None", true, "/", nil)
+      test_set_cookie_with(sticky_balanced, "None", true, "/", nil)
+    end)
+
+    it("returns a cookie with SameSite=Strict when user specifies samesite strict", function()
+      test_set_cookie_with(sticky_persistent, "Strict", false, "/", "Strict")
+    end)
+    it("returns a cookie with SameSite=Strict when user specifies samesite strict and conditional samesite none", function()
+      test_set_cookie_with(sticky_persistent, "Strict", true, "/", "Strict")
+    end)
+    it("returns a cookie with SameSite=Lax when user specifies samesite lax", function()
+      test_set_cookie_with(sticky_persistent, "Lax", false, "/", "Lax")
+    end)
+    it("returns a cookie with SameSite=Lax when user specifies samesite lax and conditional samesite none", function()
+      test_set_cookie_with(sticky_persistent, "Lax", true, "/", "Lax")
+    end)
+    it("returns a cookie with SameSite=None when user specifies samesite None", function()
+      test_set_cookie_with(sticky_persistent, "None", false, "/", "None")
+    end)
+    it("returns a cookie with SameSite=None when user specifies samesite None and conditional samesite none with supported user agent", function()
+      mock_ngx({ var = { location_path = "/", host = "test.com" , http_user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.2704.103 Safari/537.36"} })
+      test_set_cookie_with(sticky_persistent, "None", true, "/", "None")
+    end)
+    it("returns a cookie without SameSite=None when user specifies samesite None and conditional samesite none with unsupported user agent", function()
+      mock_ngx({ var = { location_path = "/", host = "test.com" , http_user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"} })
+      test_set_cookie_with(sticky_persistent, "None", true, "/", nil)
     end)
   end)
+
+  describe("get_cookie()", function()
+
+    describe("legacy cookie value", function()
+      local function test_with(sticky_balancer_type)
+        local sticky_balancer_instance = sticky_balancer_type:new(test_backend)
+
+        cookie.new = function(self)
+          local return_obj = {
+            set = function(v) return false, nil end,
+            get = function(k) return legacy_cookie_value end,
+          }
+          return return_obj, false
+        end
+
+        assert.equal(test_backend_endpoint, sticky_balancer_instance.get_cookie(sticky_balancer_instance))
+      end
+
+      it("retrieves upstream key value", function() test_with(sticky_balanced) end)
+      it("retrieves upstream key value", function() test_with(sticky_persistent) end)
+    end)
+
+    describe("current cookie value", function()
+      local function test_with(sticky_balancer_type)
+        local sticky_balancer_instance = sticky_balancer_type:new(test_backend)
+
+        cookie.new = function(self)
+          local return_obj = {
+            set = function(v) return false, nil end,
+            get = function(k) return create_current_cookie_value(sticky_balancer_instance.backend_key) end,
+          }
+          return return_obj, false
+        end
+
+        assert.equal(test_backend_endpoint, sticky_balancer_instance.get_cookie(sticky_balancer_instance))
+      end
+
+      it("retrieves upstream key value", function() test_with(sticky_balanced) end)
+      it("retrieves upstream key value", function() test_with(sticky_persistent) end)
+    end)
+
+  end)
+
+  describe("get_cookie_parsed()", function()
+
+    describe("legacy cookie value", function()
+      local function test_with(sticky_balancer_type)
+        local sticky_balancer_instance = sticky_balancer_type:new(test_backend)
+
+        cookie.new = function(self)
+          local return_obj = {
+            set = function(v) return false, nil end,
+            get = function(k) return legacy_cookie_value end,
+          }
+          return return_obj, false
+        end
+
+        local parsed_cookie = sticky_balancer_instance.get_cookie_parsed(sticky_balancer_instance)
+
+        assert.is_truthy(parsed_cookie)
+        assert.equal(test_backend_endpoint, parsed_cookie.upstream_key)
+        assert.is_falsy(parsed_cookie.backend_key)
+      end
+
+      it("retrieves upstream key value", function() test_with(sticky_balanced) end)
+      it("retrieves upstream key value", function() test_with(sticky_persistent) end)
+    end)
+
+    describe("current cookie value", function()
+      local function test_with(sticky_balancer_type)
+        local sticky_balancer_instance = sticky_balancer_type:new(test_backend)
+
+        cookie.new = function(self)
+          local return_obj = {
+            set = function(v) return false, nil end,
+            get = function(k) return create_current_cookie_value(sticky_balancer_instance.backend_key) end,
+          }
+          return return_obj, false
+        end
+
+        local parsed_cookie = sticky_balancer_instance.get_cookie_parsed(sticky_balancer_instance)
+
+        assert.is_truthy(parsed_cookie)
+        assert.equal(test_backend_endpoint, parsed_cookie.upstream_key)
+        assert.equal(sticky_balancer_instance.backend_key, parsed_cookie.backend_key)
+      end
+
+      it("retrieves all supported values", function() test_with(sticky_balanced) end)
+      it("retrieves all supported values", function() test_with(sticky_persistent) end)
+    end)
+
+  end)
+
+  describe("set_cookie()", function()
+
+    local function test_with(sticky_balancer_type)
+      local sticky_balancer_instance = sticky_balancer_type:new(test_backend)
+
+      local cookieSetSpy = {}
+      cookie.new = function(self)
+        local return_obj = {
+          set = function(self, payload)
+            assert.equal(create_current_cookie_value(sticky_balancer_instance.backend_key), payload.value)
+
+            return true, nil
+          end,
+          get = function(k) return nil end,
+        }
+        cookieSetSpy = spy.on(return_obj, "set")
+
+        return return_obj, false
+      end
+
+      sticky_balancer_instance.set_cookie(sticky_balancer_instance, test_backend_endpoint)
+
+      assert.spy(cookieSetSpy).was_called()
+    end
+
+    it("constructs correct cookie value", function() test_with(sticky_balanced) end)
+    it("constructs correct cookie value", function() test_with(sticky_persistent) end)
+
+  end)
 end)
diff --git a/rootfs/etc/nginx/lua/test/balancer_test.lua b/rootfs/etc/nginx/lua/test/balancer_test.lua
index 1834b6f60..4f40bc6ae 100644
--- a/rootfs/etc/nginx/lua/test/balancer_test.lua
+++ b/rootfs/etc/nginx/lua/test/balancer_test.lua
@@ -6,12 +6,9 @@ local original_ngx = ngx
 
 local function reset_ngx()
   _G.ngx = original_ngx
-end
 
-local function mock_ngx(mock)
-  local _ngx = mock
-  setmetatable(_ngx, { __index = ngx })
-  _G.ngx = _ngx
+  -- Ensure balancer cache is reset.
+  _G.ngx.ctx.balancer = nil
 end
 
 local function reset_balancer()
@@ -19,6 +16,19 @@ local function reset_balancer()
   balancer = require("balancer")
 end
 
+local function mock_ngx(mock, after_mock_set)
+  local _ngx = mock
+  setmetatable(_ngx, { __index = ngx })
+  _G.ngx = _ngx
+
+  if after_mock_set then
+    after_mock_set()
+  end
+
+  -- Balancer module caches ngx module, must be reset after mocks were configured.
+  reset_balancer()
+end
+
 local function reset_expected_implementations()
   expected_implementations = {
     ["access-router-production-web-80"] = package.loaded["balancer.round_robin"],
@@ -26,7 +36,8 @@ local function reset_expected_implementations()
     ["my-dummy-app-2"] = package.loaded["balancer.chash"],
     ["my-dummy-app-3"] = package.loaded["balancer.sticky_persistent"],
     ["my-dummy-app-4"] = package.loaded["balancer.ewma"],
-    ["my-dummy-app-5"] = package.loaded["balancer.sticky_balanced"]
+    ["my-dummy-app-5"] = package.loaded["balancer.sticky_balanced"],
+    ["my-dummy-app-6"] = package.loaded["balancer.chashsubset"]
   }
 end
 
@@ -48,20 +59,35 @@ local function reset_backends()
         cookie = ""
       },
     },
-    { name = "my-dummy-app-1", ["load-balance"] = "round_robin", },
     {
-      name = "my-dummy-app-2", ["load-balance"] = "chash",
+      name = "my-dummy-app-1",
+      ["load-balance"] = "round_robin",
+    },
+    {
+      name = "my-dummy-app-2",
+      ["load-balance"] = "round_robin",           -- upstreamHashByConfig will take priority.
       upstreamHashByConfig = { ["upstream-hash-by"] = "$request_uri", },
     },
     {
-      name = "my-dummy-app-3", ["load-balance"] = "ewma",
-      sessionAffinityConfig = { name = "cookie", mode = 'persistent', cookieSessionAffinity = { name = "route" } }
+      name = "my-dummy-app-3",
+      ["load-balance"] = "ewma",                  -- sessionAffinityConfig will take priority.
+      sessionAffinityConfig = { name = "cookie", mode = "persistent", cookieSessionAffinity = { name = "route" } }
     },
-    { name = "my-dummy-app-4", ["load-balance"] = "ewma", },
     {
-      name = "my-dummy-app-5", ["load-balance"] = "ewma", ["upstream-hash-by"] = "$request_uri",
+      name = "my-dummy-app-4",
+      ["load-balance"] = "ewma",
+    },
+    {
+      name = "my-dummy-app-5",
+      ["load-balance"] = "ewma",                  -- sessionAffinityConfig will take priority.
+      upstreamHashByConfig = { ["upstream-hash-by"] = "$request_uri", },
       sessionAffinityConfig = { name = "cookie", cookieSessionAffinity = { name = "route" } }
     },
+    {
+      name = "my-dummy-app-6",
+      ["load-balance"] = "ewma",                  -- upstreamHashByConfig will take priority.
+      upstreamHashByConfig = { ["upstream-hash-by"] = "$request_uri", ["upstream-hash-by-subset"] = "true", }
+    },
   }
 end
 
@@ -77,7 +103,7 @@ describe("Balancer", function()
   end)
 
   describe("get_implementation()", function()
-    it("returns correct implementation for given backend", function()
+    it("uses heuristics to select correct load balancer implementation for a given backend", function()
       for _, backend in pairs(backends) do
         local expected_implementation = expected_implementations[backend.name]
         local implementation = balancer.get_implementation(backend)
@@ -89,8 +115,8 @@ describe("Balancer", function()
   describe("get_balancer()", function()
     it("always returns the same balancer for given request context", function()
       local backend = {
-        name = "my-dummy-app-6", ["load-balance"] = "ewma",
-        alternativeBackends = { "my-dummy-canary-app-6" },
+        name = "my-dummy-app-100", ["load-balance"] = "ewma",
+        alternativeBackends = { "my-dummy-canary-app-100" },
         endpoints = { { address = "10.184.7.40", port = "8080", maxFails = 0, failTimeout = 0 } },
         trafficShapingPolicy = {
           weight = 0,
@@ -100,8 +126,8 @@ describe("Balancer", function()
         },
       }
       local canary_backend = {
-        name = "my-dummy-canary-app-6", ["load-balance"] = "ewma",
-        alternativeBackends = { "my-dummy-canary-app-6" },
+        name = "my-dummy-canary-app-100", ["load-balance"] = "ewma",
+        alternativeBackends = { "my-dummy-canary-app-100" },
         endpoints = { { address = "11.184.7.40", port = "8080", maxFails = 0, failTimeout = 0 } },
         trafficShapingPolicy = {
           weight = 5,
@@ -112,7 +138,6 @@ describe("Balancer", function()
       }
 
       mock_ngx({ var = { proxy_upstream_name = backend.name } })
-      reset_balancer()
 
       balancer.sync_backend(backend)
       balancer.sync_backend(canary_backend)
@@ -126,172 +151,223 @@ describe("Balancer", function()
   end)
 
   describe("route_to_alternative_balancer()", function()
-    local backend, _balancer
+    local backend, _primaryBalancer
 
     before_each(function()
       backend = backends[1]
-      _balancer = {
+      _primaryBalancer = {
         alternative_backends = {
           backend.name,
         }
       }
       mock_ngx({ var = { request_uri = "/" } })
-      reset_balancer()
     end)
 
-    it("returns false when no trafficShapingPolicy is set", function()
-      balancer.sync_backend(backend)
-      assert.equal(false, balancer.route_to_alternative_balancer(_balancer))
-    end)
+    -- Not affinitized request must follow traffic shaping policies.
+    describe("not affinitized", function()
 
-    it("returns false when no alternative backends is set", function()
-      backend.trafficShapingPolicy.weight = 100
-      balancer.sync_backend(backend)
-      _balancer.alternative_backends = nil
-      assert.equal(false, balancer.route_to_alternative_balancer(_balancer))
-    end)
+      before_each(function()
+        _primaryBalancer.is_affinitized = function (_)
+          return false
+        end
+      end)
 
-    it("returns false when alternative backends name does not match", function()
-      backend.trafficShapingPolicy.weight = 100
-      balancer.sync_backend(backend)
-      _balancer.alternative_backends[1] = "nonExistingBackend"
-      assert.equal(false, balancer.route_to_alternative_balancer(_balancer))
-    end)
+      it("returns false when no trafficShapingPolicy is set", function()
+        balancer.sync_backend(backend)
+        assert.equal(false, balancer.route_to_alternative_balancer(_primaryBalancer))
+      end)
 
-    context("canary by weight", function()
-      it("returns true when weight is 100", function()
+      it("returns false when no alternative backends is set", function()
         backend.trafficShapingPolicy.weight = 100
         balancer.sync_backend(backend)
-        assert.equal(true, balancer.route_to_alternative_balancer(_balancer))
+        _primaryBalancer.alternative_backends = nil
+        assert.equal(false, balancer.route_to_alternative_balancer(_primaryBalancer))
       end)
 
-      it("returns false when weight is 0", function()
-        backend.trafficShapingPolicy.weight = 0
+      it("returns false when alternative backends name does not match", function()
+        backend.trafficShapingPolicy.weight = 100
         balancer.sync_backend(backend)
-        assert.equal(false, balancer.route_to_alternative_balancer(_balancer))
+        _primaryBalancer.alternative_backends[1] = "nonExistingBackend"
+        assert.equal(false, balancer.route_to_alternative_balancer(_primaryBalancer))
       end)
+
+      describe("canary by weight", function()
+        it("returns true when weight is 100", function()
+          backend.trafficShapingPolicy.weight = 100
+          balancer.sync_backend(backend)
+          assert.equal(true, balancer.route_to_alternative_balancer(_primaryBalancer))
+        end)
+
+        it("returns false when weight is 0", function()
+          backend.trafficShapingPolicy.weight = 0
+          balancer.sync_backend(backend)
+          assert.equal(false, balancer.route_to_alternative_balancer(_primaryBalancer))
+        end)
+      end)
+
+      describe("canary by cookie", function()
+        it("returns correct result for given cookies", function()
+          local test_patterns = {
+            {
+              case_title = "cookie_value is 'always'",
+              request_cookie_name = "canaryCookie",
+              request_cookie_value = "always",
+              expected_result = true,
+            },
+            {
+              case_title = "cookie_value is 'never'",
+              request_cookie_name = "canaryCookie",
+              request_cookie_value = "never",
+              expected_result = false,
+            },
+            {
+              case_title = "cookie_value is undefined",
+              request_cookie_name = "canaryCookie",
+              request_cookie_value = "foo",
+              expected_result = false,
+            },
+            {
+              case_title = "cookie_name is undefined",
+              request_cookie_name = "foo",
+              request_cookie_value = "always",
+              expected_result = false
+            },
+          }
+          for _, test_pattern in pairs(test_patterns) do
+            mock_ngx({ var = {
+              ["cookie_" .. test_pattern.request_cookie_name] = test_pattern.request_cookie_value,
+              request_uri = "/"
+            }})
+            backend.trafficShapingPolicy.cookie = "canaryCookie"
+            balancer.sync_backend(backend)
+            assert.message("\nTest data pattern: " .. test_pattern.case_title)
+              .equal(test_pattern.expected_result, balancer.route_to_alternative_balancer(_primaryBalancer))
+            reset_ngx()
+          end
+        end)
+      end)
+
+      describe("canary by header", function()
+        it("returns correct result for given headers", function()
+          local test_patterns = {
+            -- with no header value setting
+            {
+              case_title = "no custom header value and header value is 'always'",
+              header_name = "canaryHeader",
+              header_value = "",
+              request_header_name = "canaryHeader",
+              request_header_value = "always",
+              expected_result = true,
+            },
+            {
+              case_title = "no custom header value and header value is 'never'",
+              header_name = "canaryHeader",
+              header_value = "",
+              request_header_name = "canaryHeader",
+              request_header_value = "never",
+              expected_result = false,
+            },
+            {
+              case_title = "no custom header value and header value is undefined",
+              header_name = "canaryHeader",
+              header_value = "",
+              request_header_name = "canaryHeader",
+              request_header_value = "foo",
+              expected_result = false,
+            },
+            {
+              case_title = "no custom header value and header name is undefined",
+              header_name = "canaryHeader",
+              header_value = "",
+              request_header_name = "foo",
+              request_header_value = "always",
+              expected_result = false,
+            },
+            -- with header value setting
+            {
+              case_title = "custom header value is set and header value is 'always'",
+              header_name = "canaryHeader",
+              header_value = "foo",
+              request_header_name = "canaryHeader",
+              request_header_value = "always",
+              expected_result = false,
+            },
+            {
+              case_title = "custom header value is set and header value match custom header value",
+              header_name = "canaryHeader",
+              header_value = "foo",
+              request_header_name = "canaryHeader",
+              request_header_value = "foo",
+              expected_result = true,
+            },
+            {
+              case_title = "custom header value is set and header name is undefined",
+              header_name = "canaryHeader",
+              header_value = "foo",
+              request_header_name = "bar",
+              request_header_value = "foo",
+              expected_result = false
+            },
+          }
+
+          for _, test_pattern in pairs(test_patterns) do
+            mock_ngx({ var = {
+              ["http_" .. test_pattern.request_header_name] = test_pattern.request_header_value,
+              request_uri = "/"
+            }})
+            backend.trafficShapingPolicy.header = test_pattern.header_name
+            backend.trafficShapingPolicy.headerValue = test_pattern.header_value
+            balancer.sync_backend(backend)
+            assert.message("\nTest data pattern: " .. test_pattern.case_title)
+              .equal(test_pattern.expected_result, balancer.route_to_alternative_balancer(_primaryBalancer))
+            reset_ngx()
+          end
+        end)
+      end)
+
     end)
 
-    context("canary by cookie", function()
-      it("returns correct result for given cookies", function()
-        local test_patterns = {
-          {
-            case_title = "cookie_value is 'always'",
-            request_cookie_name = "canaryCookie",
-            request_cookie_value = "always",
-            expected_result = true,
-          },
-          {
-            case_title = "cookie_value is 'never'",
-            request_cookie_name = "canaryCookie",
-            request_cookie_value = "never",
-            expected_result = false,
-          },
-          {
-            case_title = "cookie_value is undefined",
-            request_cookie_name = "canaryCookie",
-            request_cookie_value = "foo",
-            expected_result = false,
-          },
-          {
-            case_title = "cookie_name is undefined",
-            request_cookie_name = "foo",
-            request_cookie_value = "always",
-            expected_result = false
-          },
-        }
-        for _, test_pattern in pairs(test_patterns) do
-          mock_ngx({ var = {
-            ["cookie_" .. test_pattern.request_cookie_name] = test_pattern.request_cookie_value,
-            request_uri = "/"
-          }})
-          reset_balancer()
-          backend.trafficShapingPolicy.cookie = "canaryCookie"
-          balancer.sync_backend(backend)
-          assert.message("\nTest data pattern: " .. test_pattern.case_title)
-            .equal(test_pattern.expected_result, balancer.route_to_alternative_balancer(_balancer))
-          reset_ngx()
-        end
-      end)
-    end)
+    -- Affinitized request prefers backend it is affinitized to.
+    describe("affinitized", function()
 
-    context("canary by header", function()
-      it("returns correct result for given headers", function()
-        local test_patterns = {
-          -- with no header value setting
-          {
-            case_title = "no custom header value and header value is 'always'",
-            header_name = "canaryHeader",
-            header_value = "",
-            request_header_name = "canaryHeader",
-            request_header_value = "always",
-            expected_result = true,
-          },
-          {
-            case_title = "no custom header value and header value is 'never'",
-            header_name = "canaryHeader",
-            header_value = "",
-            request_header_name = "canaryHeader",
-            request_header_value = "never",
-            expected_result = false,
-          },
-          {
-            case_title = "no custom header value and header value is undefined",
-            header_name = "canaryHeader",
-            header_value = "",
-            request_header_name = "canaryHeader",
-            request_header_value = "foo",
-            expected_result = false,
-          },
-          {
-            case_title = "no custom header value and header name is undefined",
-            header_name = "canaryHeader",
-            header_value = "",
-            request_header_name = "foo",
-            request_header_value = "always",
-            expected_result = false,
-          },
-          -- with header value setting
-          {
-            case_title = "custom header value is set and header value is 'always'",
-            header_name = "canaryHeader",
-            header_value = "foo",
-            request_header_name = "canaryHeader",
-            request_header_value = "always",
-            expected_result = false,
-          },
-          {
-            case_title = "custom header value is set and header value match custom header value",
-            header_name = "canaryHeader",
-            header_value = "foo",
-            request_header_name = "canaryHeader",
-            request_header_value = "foo",
-            expected_result = true,
-          },
-          {
-            case_title = "custom header value is set and header name is undefined",
-            header_name = "canaryHeader",
-            header_value = "foo",
-            request_header_name = "bar",
-            request_header_value = "foo",
-            expected_result = false
-          },
-        }
-
-        for _, test_pattern in pairs(test_patterns) do
-          mock_ngx({ var = {
-            ["http_" .. test_pattern.request_header_name] = test_pattern.request_header_value,
-            request_uri = "/"
-          }})
-          reset_balancer()
-          backend.trafficShapingPolicy.header = test_pattern.header_name
-          backend.trafficShapingPolicy.headerValue = test_pattern.header_value
-          balancer.sync_backend(backend)
-          assert.message("\nTest data pattern: " .. test_pattern.case_title)
-            .equal(test_pattern.expected_result, balancer.route_to_alternative_balancer(_balancer))
-          reset_ngx()
-        end
+      before_each(function()
+        mock_ngx({ var = { request_uri = "/", proxy_upstream_name = backend.name } })
+        balancer.sync_backend(backend)
       end)
+
+      it("returns false if request is affinitized to primary backend", function()
+        _primaryBalancer.is_affinitized = function (_)
+          return true
+        end
+
+        local alternativeBalancer = balancer.get_balancer_by_upstream_name(backend.name)
+
+        local primarySpy = spy.on(_primaryBalancer, "is_affinitized")
+        local alternativeSpy = spy.on(alternativeBalancer, "is_affinitized")
+
+        assert.is_false(balancer.route_to_alternative_balancer(_primaryBalancer))
+        assert.spy(_primaryBalancer.is_affinitized).was_called()
+        assert.spy(alternativeBalancer.is_affinitized).was_not_called()
+      end)
+
+      it("returns true if request is affinitized to alternative backend", function()
+        _primaryBalancer.is_affinitized = function (_)
+          return false
+        end
+
+        local alternativeBalancer = balancer.get_balancer_by_upstream_name(backend.name)
+        alternativeBalancer.is_affinitized = function (_)
+          return true
+        end
+
+        local primarySpy = spy.on(_primaryBalancer, "is_affinitized")
+        local alternativeSpy = spy.on(alternativeBalancer, "is_affinitized")
+
+        assert.is_true(balancer.route_to_alternative_balancer(_primaryBalancer))
+        assert.spy(_primaryBalancer.is_affinitized).was_called()
+        assert.spy(alternativeBalancer.is_affinitized).was_called()
+      end)
+
     end)
   end)
 
@@ -432,10 +508,13 @@ describe("Balancer", function()
           },
         }
       }
-      mock_ngx({ var = { proxy_upstream_name = "access-router-production-web-80" }, ctx = { } })
-      ngx.shared.configuration_data:set("backends", cjson.encode(backends))
-      reset_balancer()
+
+      mock_ngx({ var = { proxy_upstream_name = "access-router-production-web-80" }, ctx = { } }, function()
+        ngx.shared.configuration_data:set("backends", cjson.encode(backends))
+      end)
+
       balancer.init_worker()
+
       assert.not_equal(balancer.get_balancer(), nil)
     end)
 
diff --git a/rootfs/etc/nginx/lua/test/util/split.lua b/rootfs/etc/nginx/lua/test/util/split.lua
deleted file mode 100644
index 3d3a6d7e9..000000000
--- a/rootfs/etc/nginx/lua/test/util/split.lua
+++ /dev/null
@@ -1,15 +0,0 @@
-local split = require("util.split")
-
-
-describe("split", function()
-  it("get_last_value", function()
-    for _, case in ipairs({
-        {"127.0.0.1:26157 : 127.0.0.1:26158", "127.0.0.1:26158"},
-        {"127.0.0.1:26157, 127.0.0.1:26158", "127.0.0.1:26158"},
-        {"127.0.0.1:26158", "127.0.0.1:26158"},
-    }) do
-      local last = split.get_last_value(case[1])
-      assert.equal(case[2], last)
-    end
-  end)
-end)
diff --git a/rootfs/etc/nginx/lua/test/util/split_test.lua b/rootfs/etc/nginx/lua/test/util/split_test.lua
new file mode 100644
index 000000000..d81a92c2d
--- /dev/null
+++ b/rootfs/etc/nginx/lua/test/util/split_test.lua
@@ -0,0 +1,57 @@
+local split = require("util.split")
+
+describe("split", function()
+
+  describe("get_last_value", function()
+    it("splits value of an upstream variable and returns last value", function()
+      for _, case in ipairs({{"127.0.0.1:26157 : 127.0.0.1:26158", "127.0.0.1:26158"},
+                             {"127.0.0.1:26157, 127.0.0.1:26158", "127.0.0.1:26158"},
+                             {"127.0.0.1:26158", "127.0.0.1:26158"}}) do
+        local last = split.get_last_value(case[1])
+        assert.equal(case[2], last)
+      end
+    end)
+  end)
+
+  describe("split_string", function()
+
+    it("returns empty array if input string is empty", function()
+      local splits, len = split.split_string("", ",")
+      assert.equal(0, len)
+      assert.is.truthy(splits)
+    end)
+
+    it("returns empty array if input string is nil", function()
+      local splits, len = split.split_string(nil, ",")
+      assert.equal(0, len)
+      assert.is.truthy(splits)
+    end)
+
+    it("returns empty array if delimiter is empty", function()
+      local splits, len = split.split_string("1,2", "")
+      assert.equal(0, len)
+      assert.is.truthy(splits)
+    end)
+
+    it("returns empty array delimiter is nil", function()
+      local splits, len = split.split_string("1,2", nil)
+      assert.equal(0, len)
+      assert.is.truthy(splits)
+    end)
+
+    it("returns array of 1 value if input string is not a list", function()
+      local splits, len = split.split_string("123", ",")
+      assert.equal(1, len)
+      assert.equal("123", splits[1])
+    end)
+
+    it("returns array of values extracted from the input string", function()
+      local splits, len = split.split_string("1,2,3", ",")
+      assert.equal(3, len)
+      assert.equal("1", splits[1])
+      assert.equal("2", splits[2])
+      assert.equal("3", splits[3])
+    end)
+
+  end)
+end)
diff --git a/rootfs/etc/nginx/lua/util/split.lua b/rootfs/etc/nginx/lua/util/split.lua
index d5400ab57..63edf0900 100644
--- a/rootfs/etc/nginx/lua/util/split.lua
+++ b/rootfs/etc/nginx/lua/util/split.lua
@@ -65,4 +65,19 @@ function _M.split_upstream_addr(addrs_str)
   return host_and_ports
 end
 
+-- Splits string by delimiter. Returns array of parsed values and the length of the array.
+function _M.split_string(what, delim)
+  local result = {}
+  local idx = 0
+
+  if what and delim and delim ~= "" then
+    for chunk in what:gmatch("([^" .. delim .. "]+)") do
+      idx = idx + 1
+      result[idx] = chunk
+    end
+  end
+
+  return result, idx
+end
+
 return _M

From 5315ab24ff3e0e5168502044224cb2ec4fc9d6dd Mon Sep 17 00:00:00 2001
From: Soumya Ghosh Dastidar <44349253+gdsoumya@users.noreply.github.com>
Date: Tue, 3 Aug 2021 00:48:20 +0530
Subject: [PATCH 026/376] added checks to verify backend works with the given
 configs (#7415)

Signed-off-by: Soumya Ghosh Dastidar <gdsoumya@gmail.com>
---
 test/e2e/annotations/clientbodybuffersize.go | 38 +++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/test/e2e/annotations/clientbodybuffersize.go b/test/e2e/annotations/clientbodybuffersize.go
index 4091bdad1..7a4ce977f 100644
--- a/test/e2e/annotations/clientbodybuffersize.go
+++ b/test/e2e/annotations/clientbodybuffersize.go
@@ -18,10 +18,10 @@ package annotations
 
 import (
 	"fmt"
+	"net/http"
 	"strings"
 
 	"github.com/onsi/ginkgo"
-
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )
 
@@ -46,6 +46,12 @@ var _ = framework.DescribeAnnotation("client-body-buffer-size", func() {
 			func(server string) bool {
 				return strings.Contains(server, fmt.Sprintf("client_body_buffer_size %s;", clientBodyBufferSize))
 			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK)
 	})
 
 	ginkgo.It("should set client_body_buffer_size to 1K", func() {
@@ -62,6 +68,12 @@ var _ = framework.DescribeAnnotation("client-body-buffer-size", func() {
 			func(server string) bool {
 				return strings.Contains(server, fmt.Sprintf("client_body_buffer_size %s;", clientBodyBufferSize))
 			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK)
 	})
 
 	ginkgo.It("should set client_body_buffer_size to 1k", func() {
@@ -78,6 +90,12 @@ var _ = framework.DescribeAnnotation("client-body-buffer-size", func() {
 			func(server string) bool {
 				return strings.Contains(server, fmt.Sprintf("client_body_buffer_size %s;", clientBodyBufferSize))
 			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK)
 	})
 
 	ginkgo.It("should set client_body_buffer_size to 1m", func() {
@@ -94,6 +112,12 @@ var _ = framework.DescribeAnnotation("client-body-buffer-size", func() {
 			func(server string) bool {
 				return strings.Contains(server, fmt.Sprintf("client_body_buffer_size %s;", clientBodyBufferSize))
 			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK)
 	})
 
 	ginkgo.It("should set client_body_buffer_size to 1M", func() {
@@ -110,6 +134,12 @@ var _ = framework.DescribeAnnotation("client-body-buffer-size", func() {
 			func(server string) bool {
 				return strings.Contains(server, fmt.Sprintf("client_body_buffer_size %s;", clientBodyBufferSize))
 			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK)
 	})
 
 	ginkgo.It("should not set client_body_buffer_size to invalid 1b", func() {
@@ -126,5 +156,11 @@ var _ = framework.DescribeAnnotation("client-body-buffer-size", func() {
 			func(server string) bool {
 				return !strings.Contains(server, fmt.Sprintf("client_body_buffer_size %s;", clientBodyBufferSize))
 			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK)
 	})
 })

From e70f040d193a5b082b787305a9a19ec2d7d04c01 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Tue, 3 Aug 2021 10:44:48 -0300
Subject: [PATCH 027/376] Add dev-v1 branch into helm releaser (#7424)

---
 .github/workflows/helm.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml
index a8a4c0227..7c54282de 100644
--- a/.github/workflows/helm.yaml
+++ b/.github/workflows/helm.yaml
@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+      - dev-v1
 
 jobs:
 

From 499ed16cc87c32b4600301d20244bde369c372af Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Tue, 3 Aug 2021 20:04:49 +0530
Subject: [PATCH 028/376] Fixed chart version (#7423)

---
 charts/ingress-nginx/Chart.yaml               |  2 +-
 .../provider/aws/deploy-tls-termination.yaml  | 46 +++++++++----------
 deploy/static/provider/aws/deploy.yaml        | 38 +++++++--------
 deploy/static/provider/baremetal/deploy.yaml  | 38 +++++++--------
 deploy/static/provider/cloud/deploy.yaml      | 38 +++++++--------
 deploy/static/provider/do/deploy.yaml         | 38 +++++++--------
 deploy/static/provider/exoscale/deploy.yaml   | 40 ++++++++--------
 deploy/static/provider/kind/deploy.yaml       | 38 +++++++--------
 deploy/static/provider/scw/deploy.yaml        | 38 +++++++--------
 9 files changed, 158 insertions(+), 158 deletions(-)

diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index d4eedf977..de46643ba 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 3.34.0
+version: 3.35.0
 appVersion: 0.48.1
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml
index 36ad19519..3dd951061 100644
--- a/deploy/static/provider/aws/deploy-tls-termination.yaml
+++ b/deploy/static/provider/aws/deploy-tls-termination.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -38,10 +38,10 @@ metadata:
   namespace: ingress-nginx
 data:
   http-snippet: |
-    server {
-      listen 2443;
-      return 308 https://$host$request_uri;
-    }
+	server {
+	  listen 2443;
+	  return 308 https://$host$request_uri;
+	}
   proxy-real-ip-cidr: XXX.XXX.XXX/XX
   use-forwarded-headers: 'true'
 ---
@@ -50,7 +50,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -119,7 +119,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -139,7 +139,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -225,7 +225,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -247,7 +247,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -278,7 +278,7 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
     service.beta.kubernetes.io/aws-load-balancer-type: elb
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -308,7 +308,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -426,7 +426,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -467,7 +467,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -483,7 +483,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -507,7 +507,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -532,7 +532,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -557,7 +557,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -582,7 +582,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -593,7 +593,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.34.0
+        helm.sh/chart: ingress-nginx-3.35.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.48.1
@@ -630,7 +630,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -641,7 +641,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.34.0
+        helm.sh/chart: ingress-nginx-3.35.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.48.1
diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml
index 6233febd9..ca406635c 100644
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -43,7 +43,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -112,7 +112,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -132,7 +132,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -218,7 +218,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -240,7 +240,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -268,7 +268,7 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -298,7 +298,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -413,7 +413,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -454,7 +454,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -470,7 +470,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -494,7 +494,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -519,7 +519,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -544,7 +544,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -569,7 +569,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -580,7 +580,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.34.0
+        helm.sh/chart: ingress-nginx-3.35.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.48.1
@@ -617,7 +617,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -628,7 +628,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.34.0
+        helm.sh/chart: ingress-nginx-3.35.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.48.1
diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml
index 01dbd0376..2ee36c827 100644
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -43,7 +43,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -112,7 +112,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -132,7 +132,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -218,7 +218,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -240,7 +240,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -265,7 +265,7 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -294,7 +294,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -408,7 +408,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -449,7 +449,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -465,7 +465,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -489,7 +489,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -514,7 +514,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -539,7 +539,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -564,7 +564,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -575,7 +575,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.34.0
+        helm.sh/chart: ingress-nginx-3.35.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.48.1
@@ -612,7 +612,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -623,7 +623,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.34.0
+        helm.sh/chart: ingress-nginx-3.35.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.48.1
diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml
index ef156a1ad..0bd420d92 100644
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -43,7 +43,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -112,7 +112,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -132,7 +132,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -218,7 +218,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -240,7 +240,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -265,7 +265,7 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -295,7 +295,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -410,7 +410,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -451,7 +451,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -467,7 +467,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -491,7 +491,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -516,7 +516,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -541,7 +541,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -566,7 +566,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -577,7 +577,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.34.0
+        helm.sh/chart: ingress-nginx-3.35.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.48.1
@@ -614,7 +614,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -625,7 +625,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.34.0
+        helm.sh/chart: ingress-nginx-3.35.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.48.1
diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml
index e11912f95..7f044bc0f 100644
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -44,7 +44,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -113,7 +113,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -133,7 +133,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -219,7 +219,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -241,7 +241,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -267,7 +267,7 @@ metadata:
   annotations:
     service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -297,7 +297,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -412,7 +412,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -453,7 +453,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -469,7 +469,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -493,7 +493,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -518,7 +518,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -543,7 +543,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -568,7 +568,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -579,7 +579,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.34.0
+        helm.sh/chart: ingress-nginx-3.35.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.48.1
@@ -616,7 +616,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -627,7 +627,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.34.0
+        helm.sh/chart: ingress-nginx-3.35.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.48.1
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml
index 4ca8022e0..923051ca6 100644
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -43,7 +43,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -112,7 +112,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -132,7 +132,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -218,7 +218,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -240,7 +240,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -273,7 +273,7 @@ metadata:
     service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: 3s
     service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -303,7 +303,7 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -341,7 +341,7 @@ spec:
             - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
             - --election-id=ingress-controller-leader
             - --ingress-class=nginx
-            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+            - --configmap=ingress-nginx/ingress-nginx-controller
             - --validating-webhook=:8443
             - --validating-webhook-certificate=/usr/local/certificates/cert
             - --validating-webhook-key=/usr/local/certificates/key
@@ -418,7 +418,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -459,7 +459,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -475,7 +475,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -499,7 +499,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -524,7 +524,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -549,7 +549,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -574,7 +574,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -585,7 +585,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.34.0
+        helm.sh/chart: ingress-nginx-3.35.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.48.1
@@ -622,7 +622,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -633,7 +633,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.34.0
+        helm.sh/chart: ingress-nginx-3.35.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.48.1
diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index e949e8597..4f2c6ae99 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -43,7 +43,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -112,7 +112,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -132,7 +132,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -218,7 +218,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -240,7 +240,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -265,7 +265,7 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -294,7 +294,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -420,7 +420,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -461,7 +461,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -477,7 +477,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -501,7 +501,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -526,7 +526,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -551,7 +551,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -576,7 +576,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -587,7 +587,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.34.0
+        helm.sh/chart: ingress-nginx-3.35.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.48.1
@@ -624,7 +624,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -635,7 +635,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.34.0
+        helm.sh/chart: ingress-nginx-3.35.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.48.1
diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml
index 464742262..1d148a7b9 100644
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -44,7 +44,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -113,7 +113,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -133,7 +133,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -219,7 +219,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -241,7 +241,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -267,7 +267,7 @@ metadata:
   annotations:
     service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -297,7 +297,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -412,7 +412,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -453,7 +453,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -469,7 +469,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -493,7 +493,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -518,7 +518,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -543,7 +543,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -568,7 +568,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -579,7 +579,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.34.0
+        helm.sh/chart: ingress-nginx-3.35.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.48.1
@@ -616,7 +616,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.34.0
+    helm.sh/chart: ingress-nginx-3.35.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 0.48.1
@@ -627,7 +627,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.34.0
+        helm.sh/chart: ingress-nginx-3.35.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 0.48.1

From 3a1ab7c6444e621ccdd7ec0fc9b220c19c3f494c Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Tue, 3 Aug 2021 22:48:48 +0530
Subject: [PATCH 029/376] Removed tabs and one extra-space (#7426)

---
 deploy/static/provider/aws/deploy-tls-termination.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml
index 3dd951061..8f890975e 100644
--- a/deploy/static/provider/aws/deploy-tls-termination.yaml
+++ b/deploy/static/provider/aws/deploy-tls-termination.yaml
@@ -38,10 +38,10 @@ metadata:
   namespace: ingress-nginx
 data:
   http-snippet: |
-	server {
-	  listen 2443;
-	  return 308 https://$host$request_uri;
-	}
+    server{
+      listen 2443;
+      return 308 https://$host$request_uri;
+    }
   proxy-real-ip-cidr: XXX.XXX.XXX/XX
   use-forwarded-headers: 'true'
 ---

From eb5c38d6363c6262f6d4d5e49efaf6237a73e1f6 Mon Sep 17 00:00:00 2001
From: Bhumij Gupta <bhumijgupta@gmail.com>
Date: Thu, 5 Aug 2021 17:35:22 +0530
Subject: [PATCH 030/376] Add http request test to annotaion ssl cipher test
 (#7431)

Signed-off-by: Bhumij Gupta <bhumijgupta@gmail.com>
---
 test/e2e/annotations/sslciphers.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/test/e2e/annotations/sslciphers.go b/test/e2e/annotations/sslciphers.go
index 0e2753b52..a619bf3bc 100644
--- a/test/e2e/annotations/sslciphers.go
+++ b/test/e2e/annotations/sslciphers.go
@@ -17,6 +17,7 @@ limitations under the License.
 package annotations
 
 import (
+	"net/http"
 	"strings"
 
 	"github.com/onsi/ginkgo"
@@ -46,5 +47,11 @@ var _ = framework.DescribeAnnotation("ssl-ciphers", func() {
 				return strings.Contains(server, "ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;") &&
 					strings.Contains(server, "ssl_prefer_server_ciphers off;")
 			})
+		f.HTTPTestClient().
+			GET("/something").
+			WithURL(f.GetURL(framework.HTTPS)).
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK)
 	})
 })

From b1a71adb74d3216923c9ce3cc257ff58b2d51839 Mon Sep 17 00:00:00 2001
From: Swift <yuswift2018@gmail.com>
Date: Thu, 5 Aug 2021 20:23:22 +0800
Subject: [PATCH 031/376] Bump PDB API version to v1 (#7421)

* update pdb to v1

Signed-off-by: yuswift <yuswift2018@gmail.com>

* validate the version in PDB

Signed-off-by: yuswift <yuswift2018@gmail.com>
---
 .../ingress-nginx/templates/controller-poddisruptionbudget.yaml | 2 +-
 .../templates/default-backend-poddisruptionbudget.yaml          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml
index a5a425f74..9556f5863 100644
--- a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml
+++ b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml
@@ -1,5 +1,5 @@
 {{- if or (and .Values.controller.autoscaling.enabled (gt (.Values.controller.autoscaling.minReplicas | int) 1)) (and (not .Values.controller.autoscaling.enabled) (gt (.Values.controller.replicaCount | int) 1)) }}
-apiVersion: policy/v1beta1
+apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }}
 kind: PodDisruptionBudget
 metadata:
   labels:
diff --git a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
index 153f005e2..9e586aa21 100644
--- a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
+++ b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
@@ -1,5 +1,5 @@
 {{- if or (gt (.Values.defaultBackend.replicaCount | int) 1) (gt (.Values.defaultBackend.autoscaling.minReplicas | int) 1) }}
-apiVersion: policy/v1beta1
+apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }}
 kind: PodDisruptionBudget
 metadata:
   labels:

From 46be93808b7550f08f535ce78507b276f979de86 Mon Sep 17 00:00:00 2001
From: Maikel <maikelvl@users.noreply.github.com>
Date: Thu, 5 Aug 2021 15:23:22 +0200
Subject: [PATCH 032/376] Add scope configuration check. (#6864)

---
 charts/ingress-nginx/templates/clusterrole.yaml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/charts/ingress-nginx/templates/clusterrole.yaml b/charts/ingress-nginx/templates/clusterrole.yaml
index 8ec5f49fa..b546aaea2 100644
--- a/charts/ingress-nginx/templates/clusterrole.yaml
+++ b/charts/ingress-nginx/templates/clusterrole.yaml
@@ -1,4 +1,10 @@
-{{- if and .Values.rbac.create (not .Values.rbac.scope) -}}
+{{- if .Values.rbac.create }}
+
+{{- if and .Values.rbac.scope (not .Values.controller.scope.enabled) -}}
+  {{ required "Invalid configuration: 'rbac.scope' should be equal to 'controller.scope.enabled' (true/false)." (index (dict) ".") }}
+{{- end }}
+
+{{- if not .Values.rbac.scope -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -73,3 +79,5 @@ rules:
       - list
       - watch
 {{- end }}
+
+{{- end }}

From 6f0401fc735303a6f5c8381af5b1866e25721977 Mon Sep 17 00:00:00 2001
From: Bhumij Gupta <bhumijgupta@gmail.com>
Date: Fri, 6 Aug 2021 04:01:41 +0530
Subject: [PATCH 033/376] Helm -  Enable configuring request and limit for
 containers in webhook jobs (#7434)

* helm: add feature to configure request and limit for container in createSecret and patchWebhook job

Signed-off-by: Bhumij Gupta <bhumijgupta@gmail.com>

* Remove empty line in helm template

Signed-off-by: Bhumij Gupta <bhumijgupta@gmail.com>

* Add test for admission webhook job container resources

Signed-off-by: Bhumij Gupta <bhumijgupta@gmail.com>

* Add new line character at the end of charts ci file

Signed-off-by: Bhumij Gupta <bhumijgupta@gmail.com>
---
 .../deployment-webhook-resources-values.yaml  | 23 +++++++++++++++++++
 .../job-patch/job-createSecret.yaml           |  3 +++
 .../job-patch/job-patchWebhook.yaml           |  3 +++
 charts/ingress-nginx/values.yaml              | 12 ++++++++++
 4 files changed, 41 insertions(+)
 create mode 100644 charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml

diff --git a/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml b/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml
new file mode 100644
index 000000000..49ebbb02c
--- /dev/null
+++ b/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml
@@ -0,0 +1,23 @@
+controller:
+  service:
+    type: ClusterIP
+  admissionWebhooks:
+    enabled: true
+    createSecretJob:
+      resources:
+        limits:
+          cpu: 10m
+          memory: 20Mi
+        requests:
+          cpu: 10m
+          memory: 20Mi
+    patchWebhookJob:
+      resources:
+        limits:
+          cpu: 10m
+          memory: 20Mi
+        requests:
+          cpu: 10m
+          memory: 20Mi
+    patch:
+      enabled: true
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
index 3656be487..1f58bdce7 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -47,6 +47,9 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          {{- if .Values.controller.admissionWebhooks.createSecretJob.resources }}
+          resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
+          {{- end }}
       restartPolicy: OnFailure
       serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
     {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
index 9e9bd0138..6d01ad230 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -49,6 +49,9 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          {{- if .Values.controller.admissionWebhooks.patchWebhookJob.resources }}
+          resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }}
+          {{- end }}
       restartPolicy: OnFailure
       serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
     {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index f5496eb61..b2aad3224 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -526,6 +526,18 @@ controller:
       servicePort: 443
       type: ClusterIP
 
+    createSecretJob:
+      resources: {}
+        # limits:
+        #   cpu: 10m
+        #   memory: 20Mi
+        # requests:
+        #   cpu: 10m
+        #   memory: 20Mi
+
+    patchWebhookJob:
+      resources: {}
+
     patch:
       enabled: true
       image:

From 26768e95789a60112d914ca421c1fabb7adf3091 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Fri, 6 Aug 2021 11:35:19 -0300
Subject: [PATCH 034/376] Prepare for go v1.16 (#7451)

---
 images/test-runner/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile
index fc6a31ec7..7578230ff 100644
--- a/images/test-runner/Makefile
+++ b/images/test-runner/Makefile
@@ -39,9 +39,9 @@ build: ensure-buildx
 		--progress=$(PROGRESS) \
 		--pull \
 		--build-arg BASE_IMAGE=$(NGINX_BASE_IMAGE) \
-		--build-arg GOLANG_VERSION=1.16.5 \
+		--build-arg GOLANG_VERSION=1.16.7 \
 		--build-arg ETCD_VERSION=3.4.3-0 \
-		--build-arg K8S_RELEASE=v1.19.4 \
+		--build-arg K8S_RELEASE=v1.21.3 \
 		--build-arg RESTY_CLI_VERSION=0.27 \
 		--build-arg RESTY_CLI_SHA=e5f4f3128af49ba5c4d039d0554e5ae91bbe05866f60eccfa96d3653274bff90 \
 		--build-arg LUAROCKS_VERSION=3.3.1 \

From 6da7e9ce2a089a9f2f3fd625d60d9c2b508ed923 Mon Sep 17 00:00:00 2001
From: Neha Lohia <nehapithadiya444@gmail.com>
Date: Fri, 6 Aug 2021 20:55:19 +0530
Subject: [PATCH 035/376] run k8s job ci pipeline with 1.21.2 in main br
 (#7452)

Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com>
---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index d121c2fa3..5d67eab25 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -159,7 +159,7 @@ jobs:
 
     strategy:
       matrix:
-        k8s: [v1.16.15, v1.17.17, v1.18.19, v1.19.11, v1.20.7]
+        k8s: [v1.16.15, v1.17.17, v1.18.19, v1.19.11, v1.20.7, v1.21.2]
 
     steps:
 

From d226d831bdfc104785114e4ed73e2777ede3625a Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rkatz@vmware.com>
Date: Fri, 6 Aug 2021 11:18:17 -0300
Subject: [PATCH 036/376] Update go version, modules and remove ioutil

---
 .github/workflows/ci.yaml                     |   4 +-
 .gitignore                                    |   1 +
 build/run-in-docker.sh                        |   3 +-
 go.mod                                        |  60 +-
 go.sum                                        | 635 +++++++++++++-----
 hack/tools.go                                 |   2 +-
 internal/admission/controller/server.go       |   4 +-
 internal/file/file.go                         |   4 +-
 internal/file/file_test.go                    |   4 +-
 internal/ingress/annotations/auth/main.go     |   6 +-
 .../ingress/annotations/auth/main_test.go     |   5 +-
 internal/ingress/controller/checker.go        |   4 +-
 .../ingress/controller/controller_test.go     |   4 +-
 internal/ingress/controller/nginx.go          |  15 +-
 internal/ingress/controller/nginx_test.go     |   9 +-
 internal/ingress/controller/store/store.go    |   4 +-
 .../ingress/controller/store/store_test.go    |   5 +-
 .../ingress/controller/template/template.go   |   3 +-
 .../controller/template/template_test.go      |   9 +-
 internal/ingress/controller/util.go           |   3 +-
 internal/ingress/metric/collectors/socket.go  |   3 +-
 internal/net/dns/dns.go                       |   4 +-
 internal/net/dns/dns_test.go                  |   5 +-
 internal/net/ssl/ssl.go                       |  17 +-
 internal/net/ssl/ssl_test.go                  |   6 +-
 internal/nginx/main.go                        |   8 +-
 internal/runtime/cpu_linux.go                 |   4 +-
 internal/watch/file_watcher_test.go           |   9 +-
 test/e2e-image/Dockerfile                     |   2 +-
 test/e2e/settings/ocsp/ocsp.go                |  12 +-
 test/e2e/settings/proxy_protocol.go           |  10 +-
 31 files changed, 576 insertions(+), 288 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index d121c2fa3..cdd3a737f 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -65,11 +65,11 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v2
 
-      - name: Set up Go 1.15
+      - name: Set up Go 1.16
         id: go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.15
+          go-version: 1.16
 
       - name: Set up Docker Buildx
         id: buildx
diff --git a/.gitignore b/.gitignore
index 257ff6594..921ba6aec 100644
--- a/.gitignore
+++ b/.gitignore
@@ -46,6 +46,7 @@ test/e2e/e2e\.test
 bin
 test/e2e-image/wait-for-nginx.sh
 .cache
+.modcache
 cover.out
 
 # secret terraform variables
diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh
index e31b98524..cbe7b791b 100755
--- a/build/run-in-docker.sh
+++ b/build/run-in-docker.sh
@@ -37,7 +37,7 @@ function cleanup {
 }
 trap cleanup EXIT
 
-E2E_IMAGE=${E2E_IMAGE:-k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210601-g96a87c79b@sha256:f84dcddc84e5cba220260f315e18cd47fc8c6b7f3f4f57b7b3e9cc2ea25324b7}
+E2E_IMAGE=${E2E_IMAGE:-k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210806-g26768e957@sha256:0f3c0d0bda953aa7f1164c452cc0165ce8a0c72469b550988a9601c539f61608}
 
 DOCKER_OPTS=${DOCKER_OPTS:-}
 DOCKER_IN_DOCKER_ENABLED=${DOCKER_IN_DOCKER_ENABLED:-}
@@ -63,6 +63,7 @@ else
     --rm                                                \
     ${DOCKER_OPTS}                                      \
     -e GOCACHE="/go/src/${PKG}/.cache"                  \
+    -e GOMODCACHE="/go/src/${PKG}/.modcache"                  \
     -e DOCKER_IN_DOCKER_ENABLED="true"                  \
     -v "${HOME}/.kube:${HOME}/.kube"                    \
     -v "${KUBE_ROOT}:/go/src/${PKG}"                    \
diff --git a/go.mod b/go.mod
index b3e3ac703..02de2cecf 100644
--- a/go.mod
+++ b/go.mod
@@ -1,49 +1,47 @@
 module k8s.io/ingress-nginx
 
-go 1.15
+go 1.16
 
 require (
-	github.com/armon/go-proxyproto v0.0.0-20200108142055-f0b8253b1507
+	github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a
 	github.com/eapache/channels v1.1.0
 	github.com/fsnotify/fsnotify v1.4.9
-	github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa // indirect
-	github.com/gavv/httpexpect/v2 v2.1.0
-	github.com/imdario/mergo v0.3.10
-	github.com/json-iterator/go v1.1.10
+	github.com/gavv/httpexpect/v2 v2.3.1
+	github.com/imdario/mergo v0.3.12
+	github.com/json-iterator/go v1.1.11
 	github.com/kylelemons/godebug v1.1.0
-	github.com/mitchellh/copystructure v1.0.0
 	github.com/mitchellh/go-ps v1.0.0
-	github.com/mitchellh/hashstructure v1.0.0
-	github.com/mitchellh/mapstructure v1.3.2
+	github.com/mitchellh/hashstructure v1.1.0
+	github.com/mitchellh/mapstructure v1.4.1
 	github.com/moul/pb v0.0.0-20180404114147-54bdd96e6a52
-	github.com/ncabatoff/process-exporter v0.7.2
+	github.com/ncabatoff/process-exporter v0.7.5
 	github.com/onsi/ginkgo v1.16.4
-	github.com/opencontainers/runc v1.0.0-rc92
+	github.com/opencontainers/runc v1.0.1
 	github.com/pkg/errors v0.9.1
 	github.com/pmezard/go-difflib v1.0.0
-	github.com/prometheus/client_golang v1.7.1
+	github.com/prometheus/client_golang v1.11.0
 	github.com/prometheus/client_model v0.2.0
-	github.com/prometheus/common v0.14.0
-	github.com/spf13/cobra v1.1.1
+	github.com/prometheus/common v0.30.0
+	github.com/spf13/cobra v1.2.1
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.6.1
-	github.com/tallclair/mdtoc v1.0.0
-	github.com/zakjan/cert-chain-resolver v0.0.0-20200729110141-6b99e360f97a
-	golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0
-	golang.org/x/net v0.0.0-20201110031124-69a78807bb2b
-	google.golang.org/grpc v1.27.1
+	github.com/stretchr/testify v1.7.0
+	github.com/zakjan/cert-chain-resolver v0.0.0-20210427055340-87e10242a981
+	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97
+	golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d
+	google.golang.org/grpc v1.38.0
 	gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
 	gopkg.in/go-playground/pool.v3 v3.1.1
-	k8s.io/api v0.20.2
-	k8s.io/apiextensions-apiserver v0.20.2
-	k8s.io/apimachinery v0.20.2
-	k8s.io/apiserver v0.20.2
-	k8s.io/cli-runtime v0.20.2
-	k8s.io/client-go v0.20.2
-	k8s.io/code-generator v0.20.2
-	k8s.io/component-base v0.20.2
-	k8s.io/klog/v2 v2.4.0
-	k8s.io/utils v0.0.0-20201110183641-67b214c5f920
+	k8s.io/api v0.21.3
+	k8s.io/apiextensions-apiserver v0.21.3
+	k8s.io/apimachinery v0.21.3
+	k8s.io/apiserver v0.21.3
+	k8s.io/cli-runtime v0.21.3
+	k8s.io/client-go v0.21.3
+	k8s.io/code-generator v0.21.3
+	k8s.io/component-base v0.21.3
+	k8s.io/klog/v2 v2.10.0
+	k8s.io/utils v0.0.0-20210802155522-efc7438f0176
 	pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732
-	sigs.k8s.io/controller-runtime v0.8.0
+	sigs.k8s.io/controller-runtime v0.9.5
+	sigs.k8s.io/mdtoc v1.0.1
 )
diff --git a/go.sum b/go.sum
index 05782fd6c..795d1bf16 100644
--- a/go.sum
+++ b/go.sum
@@ -8,32 +8,45 @@ cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg
 cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
 cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
 cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
-cloud.google.com/go v0.54.0 h1:3ithwDMr7/3vpAMXiH+ZQnYbuIsh+OPhUPMFC9enmn0=
 cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
+cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=
+cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
+cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
+cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
+cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI=
+cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk=
+cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg=
+cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8=
+cloud.google.com/go v0.81.0 h1:at8Tk2zUz63cLPR0JPWm5vp77pEZmzxEQBEfRKn1VV8=
+cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
+cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
+cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
+cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
 cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
+cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
 cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
 cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
 cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
+cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
+cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
 github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
 github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
-github.com/Azure/go-autorest/autorest v0.11.1 h1:eVvIXUKiTgv++6YnWb42DUA1YL7qDugnKP0HljexdnQ=
-github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw=
-github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg=
+github.com/Azure/go-autorest/autorest v0.11.12 h1:gI8ytXbxMfI+IVbI9mP2JGCTXIuhHLgRlvQ9X4PsnHE=
+github.com/Azure/go-autorest/autorest v0.11.12/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw=
 github.com/Azure/go-autorest/autorest/adal v0.9.5 h1:Y3bBUV4rTuxenJJs41HU3qmqsb+auo+a3Lz+PlJPpL0=
 github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A=
 github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw=
 github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
-github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
 github.com/Azure/go-autorest/autorest/mocks v0.4.1 h1:K0laFcLE6VLTOwNgSxaGbUcLPuGXlNkbVvq4cW4nIHk=
 github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
 github.com/Azure/go-autorest/logger v0.2.0 h1:e4RVHVZKC5p6UANLJHkM4OfR1UKZPj8Wt8Pcx+3oqrE=
@@ -45,7 +58,9 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
+github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
+github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI=
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
@@ -54,6 +69,7 @@ github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWX
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
 github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/4+TcAqDqk/vUH7g=
 github.com/afex/hystrix-go v0.0.0-20180502004556-fa1af6a1f4f5/go.mod h1:SkGFH1ia65gfNATL8TAiHDNxPzPdmEL5uirI2Uyuz6c=
+github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
@@ -61,24 +77,34 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
+github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
+github.com/andybalholm/brotli v1.0.2 h1:JKnhI/XQ75uFBTiuzXpzFrUriDPiZjlOSzh6wXogP0E=
+github.com/andybalholm/brotli v1.0.2/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
+github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
+github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
-github.com/armon/go-proxyproto v0.0.0-20200108142055-f0b8253b1507 h1:dmVRVC/MmuwC2edm/P6oWIP+9n+p9IgVgK0lq9mBQjU=
-github.com/armon/go-proxyproto v0.0.0-20200108142055-f0b8253b1507/go.mod h1:QmP9hvJ91BbJmGVGSbutW19IC0Q9phDCLGaomwTJbgU=
+github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a h1:AP/vsCIvJZ129pdm9Ek7bH7yutN3hByqsMoNrWAxRQc=
+github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a/go.mod h1:QmP9hvJ91BbJmGVGSbutW19IC0Q9phDCLGaomwTJbgU=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a/go.mod h1:DAHtR1m6lCRdSC2Tm3DSWRPvIPr6xNKyeHdqDQSQT+A=
+github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU=
 github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g=
+github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
+github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
+github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
+github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
 github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ=
@@ -88,17 +114,21 @@ github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw=
+github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775/go.mod h1:7cR51M8ViRLIdUjrmSXlK9pkrsDlLHbO8jiB8X8JnOc=
+github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
 github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI=
-github.com/containerd/console v1.0.0/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE=
+github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
+github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
@@ -106,13 +136,15 @@ github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee
 github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9/ZjdUKyjop4mf3Qdd+1TvvltAvM3m8=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/coreos/go-systemd/v22 v22.1.0 h1:kq/SbG2BCKLkDKkjQf5OWwKWUKj1lgs3lFI4PxnR5lg=
-github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
+github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzAJc1DzSI=
+github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg=
 github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -120,9 +152,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
-github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
+github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
@@ -133,19 +164,25 @@ github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1
 github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc=
 github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
 github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M=
-github.com/ekalinin/github-markdown-toc v0.0.0-20190514155158-83fadb60a7f1/go.mod h1:XfZS1iyC28CnllR54Ou2Ero6qs4Rmn7GpVumNSj1DZo=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emicklei/go-restful v2.9.5+incompatible h1:spTtZBk5DYEvbxMVutUuTyh1Ao2r4iyvLdACqsl/Ljk=
 github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/envoyproxy/go-control-plane v0.6.9/go.mod h1:SBwIajubJHhxtWwsL9s8ss4safvEdbitLhGGK48rN6g=
+github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
+github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
 github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/evanphx/json-patch v4.9.0+incompatible h1:kLcOMZeuLAJvL2BPWLMIj5oaZQobrkAqrL+WFZwQses=
 github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/fasthttp/websocket v1.4.2 h1:AU/zSiIIAuJjBMf5o+vO0syGOnEfvZRu40xIhW/3RuM=
-github.com/fasthttp/websocket v1.4.2/go.mod h1:smsv/h4PBEBaU0XDTY5UwJTpZv69fQ0FfcLJr21mA6Y=
+github.com/evanphx/json-patch v4.11.0+incompatible h1:glyUF9yIYtMHzn8xaKw5rMhdWcwsYV8dZHIq5567/xs=
+github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/fasthttp/websocket v1.4.3-rc.6 h1:omHqsl8j+KXpmzRjF8bmzOSYJ8GnS0E3efi1wYT+niY=
+github.com/fasthttp/websocket v1.4.3-rc.6/go.mod h1:43W9OM2T8FeXpCWMsBd9Cb7nE2CACNqNvCqQCoty/Lc=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/structs v1.0.0 h1:BrX964Rv5uQ3wwS+KRUAJCBBw5PQmgJfJ6v4yly5QwU=
 github.com/fatih/structs v1.0.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
@@ -153,54 +190,92 @@ github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTg
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4=
 github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20=
+github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa h1:RDBNVkRviHZtvDvId8XSGPu3rmpmSe+wKRcEWNgsfWU=
-github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
-github.com/gavv/httpexpect/v2 v2.1.0 h1:Q7xnFuKqBY2si4DsqxdbWBt9rfrbVTT2/9YSomc9tEw=
-github.com/gavv/httpexpect/v2 v2.1.0/go.mod h1:lnd0TqJLrP+wkJk3SFwtrpSlOAZQ7HaaIFuOYbgqgUM=
-github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
+github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b h1:074/xhloHUBOpTZwlIzQ28rbPY8pNJvzY7Gcx5KnNOk=
+github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
+github.com/gavv/httpexpect/v2 v2.3.1 h1:sGLlKMn8AuHS9ztK9Sb7AJ7OxIL8v2PcLdyxfKt1Fo4=
+github.com/gavv/httpexpect/v2 v2.3.1/go.mod h1:yOE8m/aqFYQDNrgprMeXgq4YynfN9h1NgcE1+1suV64=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
+github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
+github.com/go-errors/errors v1.0.1 h1:LUHzmkK3GUKUrL/1gfBUxAHzcev3apQlezX/+O7ma6w=
+github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.10.0/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o=
+github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
 github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
-github.com/go-logr/logr v0.3.0 h1:q4c+kbcR0d5rSurhBR8dIgieOaYpXtsdTYfx22Cu6rs=
-github.com/go-logr/logr v0.3.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
-github.com/go-logr/zapr v0.2.0 h1:v6Ji8yBW77pva6NkJKQdHLAJKrIJKRHz0RXwPqCHSR4=
-github.com/go-logr/zapr v0.2.0/go.mod h1:qhKdvif7YF5GI9NWEpyxTSSBdGmzkNguibrdCNVPunU=
+github.com/go-logr/logr v0.4.0 h1:K7/B1jt6fIBQVd4Owv2MqGQClcgf0R266+7C/QjRcLc=
+github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
+github.com/go-logr/zapr v0.4.0 h1:uc1uML3hRYL9/ZZPdgHS/n8Nzo+eaYL/Efxkkamf7OM=
+github.com/go-logr/zapr v0.4.0/go.mod h1:tabnROwaDl0UNxkVeFRbY8bwB37GwRv0P8lg6aAiEnk=
+github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI=
+github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
+github.com/go-openapi/analysis v0.18.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
+github.com/go-openapi/analysis v0.19.2/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk=
+github.com/go-openapi/analysis v0.19.5/go.mod h1:hkEAkxagaIvIP7VTn8ygJNkd4kAYON2rCu0v0ObL0AU=
+github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
+github.com/go-openapi/errors v0.18.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
+github.com/go-openapi/errors v0.19.2/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94=
+github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
+github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
 github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg=
 github.com/go-openapi/jsonpointer v0.19.3 h1:gihV7YNZK1iK6Tgwwsxo2rJbD1GTbdm72325Bq8FI3w=
 github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
+github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
 github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc=
 github.com/go-openapi/jsonreference v0.19.3 h1:5cxNfTy0UVC3X8JL5ymxzyoUZmo8iZb+jeTWn7tUa8o=
 github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
-github.com/go-openapi/spec v0.19.3 h1:0XRyw8kguri6Yw4SxhsQA/atC88yqrk0+G4YhI2wabc=
+github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
+github.com/go-openapi/loads v0.18.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
+github.com/go-openapi/loads v0.19.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
+github.com/go-openapi/loads v0.19.2/go.mod h1:QAskZPMX5V0C2gvfkGZzJlINuP7Hx/4+ix5jWFxsNPs=
+github.com/go-openapi/loads v0.19.4/go.mod h1:zZVHonKd8DXyxyw4yfnVjPzBjIQcLt0CCsn0N0ZrQsk=
+github.com/go-openapi/runtime v0.0.0-20180920151709-4f900dc2ade9/go.mod h1:6v9a6LTXWQCdL8k1AO3cvqx5OtZY/Y9wKTgaoP6YRfA=
+github.com/go-openapi/runtime v0.19.0/go.mod h1:OwNfisksmmaZse4+gpV3Ne9AyMOlP1lt4sK4FXt0O64=
+github.com/go-openapi/runtime v0.19.4/go.mod h1:X277bwSUBxVlCYR3r7xgZZGKVvBd/29gLDlFGtJ8NL4=
+github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
+github.com/go-openapi/spec v0.18.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
+github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY=
 github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo=
+github.com/go-openapi/spec v0.19.5 h1:Xm0Ao53uqnk9QE/LlYV5DEU09UAgpliA85QoT9LzqPw=
+github.com/go-openapi/spec v0.19.5/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk=
+github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
+github.com/go-openapi/strfmt v0.18.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
+github.com/go-openapi/strfmt v0.19.0/go.mod h1:+uW+93UVvGGq2qGaZxdDeJqSAqBqBdl+ZPMF/cC8nDY=
+github.com/go-openapi/strfmt v0.19.3/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU=
+github.com/go-openapi/strfmt v0.19.5/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk=
+github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
+github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
 github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.5 h1:lTz6Ys4CmqqCQmZPBlbQENR1/GucA2bzYTE12Pw4tFY=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4=
+github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA=
+github.com/go-openapi/validate v0.19.8/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4=
 github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
-github.com/godbus/dbus/v5 v5.0.3 h1:ZqHaoEF7TBzh4jzPmqVhE/5A1z9of6orkAe5uHoAeME=
-github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/gobuffalo/here v0.6.0/go.mod h1:wAG085dHOYqUpf+Ap+WOdrPTp5IYcDAs/x7PLa8Y5fM=
+github.com/godbus/dbus/v5 v5.0.4 h1:9349emZab16e7zQvpmsbtjc18ykshndd8y2PG3sgJbA=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
-github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
-github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -213,7 +288,9 @@ github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfb
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
 github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
+github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -227,11 +304,15 @@ github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:W
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
+github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/gomarkdown/markdown v0.0.0-20190222000725-ee6a7931a1e4 h1:vELsocEzlhM4lk2nhxolEaQrMp25u7/i9IX8s9uLads=
-github.com/gomarkdown/markdown v0.0.0-20190222000725-ee6a7931a1e4/go.mod h1:gmFANS06wAVmF0B9yi65QKsRmPQ97tze7FRLswua+OY=
+github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/gomarkdown/markdown v0.0.0-20200824053859-8c8b3816f167 h1:LP/6EfrZ/LyCc+SXvANDrIJ4sP9u2NAtqyv6QknetNQ=
+github.com/gomarkdown/markdown v0.0.0-20200824053859-8c8b3816f167/go.mod h1:aii0r/K0ZnHv7G0KF7xy1v0A7s2Ljrb5byB7MO5p6TU=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
@@ -239,36 +320,52 @@ github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5a
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM=
+github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
+github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.2.0 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs=
+github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg=
-github.com/googleapis/gnostic v0.5.1 h1:A8Yhf6EtqTv9RMsU6MQTyrtV1TjWlR6xU9BsZIwuTCM=
-github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
+github.com/googleapis/gnostic v0.5.5 h1:9fHAtK0uDfpveeqqo1hkEZJcFvYXAiCN3UutL8F9xHw=
+github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
 github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
-github.com/gorilla/websocket v1.0.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
+github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM=
@@ -278,6 +375,7 @@ github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
+github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
@@ -306,47 +404,48 @@ github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/J
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/hudl/fargo v1.3.0/go.mod h1:y3CKSmjA+wD2gak7sUSXTAoopbhU08POFhmITJgmKTg=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
-github.com/imdario/mergo v0.3.10 h1:6q5mVkdH/vYmqngx7kZQTjJ5HRsx+ImorDIEQ+beJgc=
-github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
+github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
+github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imkira/go-interpol v1.0.0 h1:HrmLyvOLJyjR0YofMw8QGdCIuYOs4TJUBDNU5sJC09E=
 github.com/imkira/go-interpol v1.0.0/go.mod h1:z0h2/2T3XF8kyEPpRgJ3kmNv+C43p+I/CoI+jC3w2iA=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo=
+github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.10 h1:Kz6Cvnvv2wGdaG/V8yMvfkmNiXq9Ya2KUv4rouJJr68=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.11 h1:uVUAXhF2To8cbw/3xN3pxj6kk7TYKs98NIrTqPlMWAQ=
+github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
-github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88 h1:uC1QfSlInpQF+M0ao65imhwqKnz3Q2z/d8PWZRMQvDM=
 github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
-github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.8.2 h1:Bx0qjetmNjdFXASH02NSAREKpiaDwkO1DRZ3dV2KCcs=
-github.com/klauspost/compress v1.8.2/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
-github.com/klauspost/cpuid v1.2.1 h1:vJi+O/nMdFt0vqm8NZBI6wzALWdA2X+egi0ogNyrC/w=
-github.com/klauspost/cpuid v1.2.1/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
+github.com/klauspost/compress v1.12.2 h1:2KCfW3I9M7nSc5wOqXAlW2v2U6v+w6cbjvbfp+OykW8=
+github.com/klauspost/compress v1.12.2/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.3 h1:CE8S1cTafDpPvMhIxNJKvHsGVBgn1xWYf1NbHQhywc8=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
@@ -354,11 +453,16 @@ github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9
 github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM=
 github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4=
 github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ=
+github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
+github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
+github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.7.0 h1:aizVhC/NAAcKWb+5QsU1iNOZb4Yws5UO2I+aIprQITM=
 github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
+github.com/markbates/pkger v0.17.1/go.mod h1:0JoVlrol20BSywW79rN3kdFFsE5xYM+rSCQDXbLhiuI=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.2 h1:/bC9yWikZXAL9uJdulbSfyVNIR3n3trXl+v8+1sx8mU=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
@@ -372,36 +476,36 @@ github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182aff
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
-github.com/mitchellh/copystructure v1.0.0 h1:Laisrj+bAB6b/yJwB5Bt3ITZhGJdqmxquMKeZ+mmkFQ=
-github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
 github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
 github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
 github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
 github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg=
-github.com/mitchellh/hashstructure v1.0.0 h1:ZkRJX1CyOoTkar7p/mLS5TZU4nJ1Rn/F8u9dGS02Q3Y=
-github.com/mitchellh/hashstructure v1.0.0/go.mod h1:QjSHrPWS+BGUVBYkbTZWEnOh3G1DutKwClXU/ABz6AQ=
+github.com/mitchellh/hashstructure v1.1.0 h1:P6P1hdjqAAknpY/M1CGipelZgp+4y9ja9kmUZPXP+H0=
+github.com/mitchellh/hashstructure v1.1.0/go.mod h1:xUDAozZz0Wmdiufv0uyhnHkUTN6/6d8ulp4AwfLKrmA=
 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/mitchellh/mapstructure v1.3.2 h1:mRS76wmkOn3KkKAyXDu42V+6ebnXWIztFSYGN7GeoRg=
-github.com/mitchellh/mapstructure v1.3.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/mitchellh/reflectwalk v1.0.0 h1:9D+8oIskB4VJBN5SFlmc27fSlIBZaov1Wpk/IfikLNY=
-github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
+github.com/mitchellh/mapstructure v1.4.1 h1:CpVNEelQCZBooIPDn+AR3NpivK/TIKU8bDxdASFVQag=
+github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mmarkdown/mmark v2.0.40+incompatible h1:vMeUeDzBK3H+/mU0oMVfMuhSXJlIA+DE/DMPQNAj5C4=
 github.com/mmarkdown/mmark v2.0.40+incompatible/go.mod h1:Uvmoz7tvsWpr7bMVxIpqZPyN3FbOtzDmnsJDFp7ltJs=
-github.com/moby/sys/mountinfo v0.1.3/go.mod h1:w2t2Avltqx8vE7gX5l+QiBKxODu2TX0+Syr3h52Tw4o=
-github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo=
+github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
+github.com/moby/sys/mountinfo v0.4.1 h1:1O+1cHA1aujwEwwVMa2Xm2l+gIpUHyd3+D+d7LZh1kM=
+github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
+github.com/moby/term v0.0.0-20201216013528-df9cb8a40635/go.mod h1:FBS0z0QWA44HXygs7VXDUOGoN/1TV3RuWkLO04am3wc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0=
+github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4=
 github.com/moul/pb v0.0.0-20180404114147-54bdd96e6a52 h1:8zDEa5yAIWYBHSDpPbSgGIBL/SvPSE9/FlB3aQ54d/A=
 github.com/moul/pb v0.0.0-20180404114147-54bdd96e6a52/go.mod h1:jE2HT8eoucYyUPBFJMreiVlC3KPHkDMtN8wn+ef7Y64=
-github.com/mrunalp/fileutils v0.0.0-20200520151820-abd8a0e76976/go.mod h1:x8F1gnqOkIEiO4rqoeEEEqQbo7HjGMTvyoq3gej4iT0=
+github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
 github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
@@ -414,11 +518,13 @@ github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzE
 github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w=
 github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w=
 github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
-github.com/ncabatoff/fakescraper v0.0.0-20161023141611-15938421d91a/go.mod h1:Tx6UMSMyIsjLG/VU/F6xA1+0XI+/f9o1dGJnf1l+bPg=
+github.com/ncabatoff/fakescraper v0.0.0-20201102132415-4b37ba603d65/go.mod h1:Tx6UMSMyIsjLG/VU/F6xA1+0XI+/f9o1dGJnf1l+bPg=
 github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833 h1:t4WWQ9I797y7QUgeEjeXnVb+oYuEDQc6gLvrZJTYo94=
 github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833/go.mod h1:0CznHmXSjMEqs5Tezj/w2emQoM41wzYM9KpDKUHPYag=
-github.com/ncabatoff/process-exporter v0.7.2 h1:2UxJJ5fm9fiiUHqHgbusrfceCFQpEET/+wADEOfDSqI=
-github.com/ncabatoff/process-exporter v0.7.2/go.mod h1:d7Yf/brhprE2fjCdtZ2Edt0so30RY5PmtRu6qD0gUOc=
+github.com/ncabatoff/process-exporter v0.7.5 h1:KPB7abQEny4kaSge/WFRQb04/UbLmUgHxrpWAU+voRE=
+github.com/ncabatoff/process-exporter v0.7.5/go.mod h1:RMjrx3Qn8l2pgCD27g45xbko4UDpVVuHC8Cd2YXPtWA=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
@@ -432,7 +538,6 @@ github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W
 github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
-github.com/onsi/ginkgo v1.14.1/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
 github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc=
 github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
@@ -440,14 +545,14 @@ github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1Cpa
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
-github.com/onsi/gomega v1.10.2 h1:aY/nuoWlKJud2J6U0E3NWsjlg+0GtwXxgEqthRdzlcs=
-github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
+github.com/onsi/gomega v1.14.0 h1:ep6kpPVwmr/nTbklSx2nrLNSIO62DoYAhnPNIMhK8gI=
+github.com/onsi/gomega v1.14.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
-github.com/opencontainers/runc v1.0.0-rc92 h1:+IczUKCRzDzFDnw99O/PAqrcBBCoRp9xN3cB1SYSNS4=
-github.com/opencontainers/runc v1.0.0-rc92/go.mod h1:X1zlU4p7wOlX4+WRCz+hvlRv8phdL7UqbYD+vQwNMmE=
-github.com/opencontainers/runtime-spec v1.0.3-0.20200728170252-4d89ac9fbff6 h1:NhsM2gc769rVWDqJvapK37r+7+CBXI8xHhnfnt8uQsg=
-github.com/opencontainers/runtime-spec v1.0.3-0.20200728170252-4d89ac9fbff6/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE=
+github.com/opencontainers/runc v1.0.1 h1:G18PGckGdAm3yVQRWDVQ1rLSLntiniKJ0cNRT2Tm5gs=
+github.com/opencontainers/runc v1.0.1/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
+github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc=
+github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8=
 github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492/go.mod h1:Ngi6UdF0k5OKD5t5wlmGhe/EDKPoUM3BXZSSfIuJbis=
 github.com/opentracing/basictracer-go v1.0.0/go.mod h1:QfBfYuafItcjQuMwinw9GhYKwFXS9KnPs5lxoYwgW74=
 github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
@@ -460,6 +565,7 @@ github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIw
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
+github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
@@ -470,18 +576,20 @@ github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/profile v1.2.1/go.mod h1:hJw3o1OdXxsrSjjVksARp5W95eeEaEfptyVZyv6JUPA=
+github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
 github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
-github.com/prometheus/client_golang v0.8.0/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og=
-github.com/prometheus/client_golang v1.7.1 h1:NTGy1Ja9pByO+xAeH/qiWnLrKtr3hJPNjaVUwnjpdpA=
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
+github.com/prometheus/client_golang v1.8.0/go.mod h1:O9VU6huf47PktckDQfMTX0Y8tY0/7TSWwj+ITvv0TnM=
+github.com/prometheus/client_golang v1.11.0 h1:HNkLOAEQMIDv/K+04rukrLx6ch7msSRwf3/SASFAGtQ=
+github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -489,41 +597,47 @@ github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:
 github.com/prometheus/client_model v0.1.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M=
 github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA=
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
-github.com/prometheus/common v0.14.0 h1:RHRyE8UocrbjU+6UvRzwi6HjiDfxrrBU91TtbKzkGp4=
 github.com/prometheus/common v0.14.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s=
+github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
+github.com/prometheus/common v0.30.0 h1:JEkYlQnpzrzQFxi6gnukFPdQ+ac82oRhzMcIduJu/Ug=
+github.com/prometheus/common v0.30.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
-github.com/prometheus/procfs v0.2.0 h1:wH4vA7pcjKuZzjF7lM8awk4fnuJO6idemZXoKnULUx4=
 github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
+github.com/prometheus/procfs v0.6.0 h1:mxy4L2jP6qMonqmq+aTtOx1ifVWUgG/TAmntgbh3xv4=
+github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
+github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E=
-github.com/savsgio/gotils v0.0.0-20200117113501-90175b0fbe3f h1:PgA+Olipyj258EIEYnpFFONrrCcAIWNUNoFhUfMqAGY=
-github.com/savsgio/gotils v0.0.0-20200117113501-90175b0fbe3f/go.mod h1:lHhJedqxCoHN+zMtwGNTXWmF0u9Jt363FYRhV6g0CdY=
+github.com/savsgio/gotils v0.0.0-20210617111740-97865ed5a873 h1:N3Af8f13ooDKcIhsmFT7Z05CStZWu4C7Md0uDEy4q6o=
+github.com/savsgio/gotils v0.0.0-20210617111740-97865ed5a873/go.mod h1:dmPawKuiAeG/aFYVs2i+Dyosoo7FNcm+Pi8iK6ZUrX8=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
-github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
+github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
+github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
-github.com/sirupsen/logrus v1.6.0 h1:UBcNElsrwanuuMsnGSlYmtmgbb23qDR5dG+6X6Oo89I=
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
+github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
@@ -531,46 +645,57 @@ github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJ
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
+github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
-github.com/spf13/cobra v1.1.1 h1:KfztREH0tPxJJ+geloSLaAkaPkr4ki2Er5quFV1TDo4=
+github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
 github.com/spf13/cobra v1.1.1/go.mod h1:WnodtKOvamDL/PwE2M4iKs8aMDBZ5Q5klgD3qfVJQMI=
+github.com/spf13/cobra v1.2.1 h1:+KmjbUw1hriSNMF55oPrkZcb27aECyrj8V2ytv7kWDw=
+github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
+github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
 github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
+github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
 github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
 github.com/streadway/handy v0.0.0-20190108123426-d5acb3125c2a/go.mod h1:qNTQ5P5JnDBl6z3cMAg/SywNDC5ABu5ApDIw6lUbRmI=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
+github.com/stretchr/testify v1.1.3/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
-github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
-github.com/tallclair/mdtoc v1.0.0 h1:+FqBzRdFsgwrkzewUYC8GG6/hckREy9t4cDw4bWjx+M=
-github.com/tallclair/mdtoc v1.0.0/go.mod h1:BjDk9nfX4091pXLHhvf6Ejr4/r//9NslWmweWb2Hkbs=
+github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
+github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
+github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
+github.com/urfave/cli v1.17.1-0.20160602030128-01a33823596e/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
-github.com/valyala/fasthttp v1.9.0 h1:hNpmUdy/+ZXYpGy0OBfm7K0UQTzb73W0T0U4iJIVrMw=
-github.com/valyala/fasthttp v1.9.0/go.mod h1:FstJa9V+Pj9vQ7OJie2qMHdwemEDaDiSdBnvPM1Su9w=
-github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV9WzVtRmSR+PDvWpU/qWl4Wa5LApYYX4ZtKbio=
+github.com/valyala/fasthttp v1.27.0 h1:gDefRDL9aqSiwXV6aRW8aSBPs82y4KizSzHrBLf4NDI=
+github.com/valyala/fasthttp v1.27.0/go.mod h1:cmWIqlu99AO/RKcp1HWaViTqc57FswJOfYYdPJBl8BA=
+github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
+github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw=
 github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
 github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
-github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
@@ -578,6 +703,9 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:
 github.com/xeipuuv/gojsonschema v1.1.0 h1:ngVtJC9TY/lg0AA/1k48FYhBrhRoFlEmWzsehpNAaZg=
 github.com/xeipuuv/gojsonschema v1.1.0/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
+github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca h1:1CFlNzQhALwjS9mBAUkycX616GzgsuYUOCHA5+HSlXI=
+github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca/go.mod h1:ce1O1j6UtZfjr22oyGxGLbauSBp2YVXpARAosm7dHBg=
+github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
 github.com/yalp/jsonpath v0.0.0-20180802001716-5cc68e5049a0 h1:6fRhSjgLCkTD3JnJxvaJ4Sj+TYblw757bqYgZaOq5ZY=
 github.com/yalp/jsonpath v0.0.0-20180802001716-5cc68e5049a0/go.mod h1:/LWChgwKmvncFJFHJ7Gvn9wZArjbV5/FppcK2fKk/tI=
 github.com/yudai/gojsondiff v1.0.0 h1:27cbfqXLVEJ1o8I6v3y9lg8Ydm53EKqHXAOMxEGlCOA=
@@ -586,50 +714,70 @@ github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 h1:BHyfKlQyqbsFN5p3Ifn
 github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82/go.mod h1:lgjkn3NuSvDfVJdfcVVdX+jpBxNmX4rDAzaS45IcYoM=
 github.com/yudai/pp v2.0.1+incompatible h1:Q4//iY4pNF6yPLZIigmvcl7k/bPgrcTPIFIcmawg5bI=
 github.com/yudai/pp v2.0.1+incompatible/go.mod h1:PuxR/8QJ7cyCkFp/aUDS+JY727OFEZkTdatxwunjIkc=
+github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/zakjan/cert-chain-resolver v0.0.0-20200729110141-6b99e360f97a h1:Tj7Mkjj6sjeNwFBiRHM7ieg1CiPHCDNSMSmS0ooGcZo=
-github.com/zakjan/cert-chain-resolver v0.0.0-20200729110141-6b99e360f97a/go.mod h1:KNkcm66cr4ilOiEcjydK+tc2ShPUhqmuoXCljXUBPu8=
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/zakjan/cert-chain-resolver v0.0.0-20210427055340-87e10242a981 h1:fT5BTZ0s8G56nHHHyIf0/y1DE98CP5cDD7YTzyojDt8=
+github.com/zakjan/cert-chain-resolver v0.0.0-20210427055340-87e10242a981/go.mod h1:/Hzu8ych2oXCs1iNI+MeASyFzWTncQ6nlu/wgqbqC2A=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
 go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg=
 go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489/go.mod h1:yVHk9ub3CSBatqGNg7GRmsnfLWtoW60w4eDYfh7vHDg=
+go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
+go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
+go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ=
+go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
+go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
+go.mongodb.org/mongo-driver v1.1.2/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
 go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
 go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
+go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
+go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee331t6JAXeK2bcyhLOOc=
+go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
-go.uber.org/atomic v1.6.0 h1:Ezj3JGmsOnG1MoRWQkPBsKLe9DwWD9QeXzTRzzldNVk=
-go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
+go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
+go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/goleak v1.1.10 h1:z+mqJhf6ss6BSfSM671tgKyZBFPTTJM+HLxnhPC3wu0=
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
-go.uber.org/multierr v1.5.0 h1:KCa4XfM8CWFCpxXRGok+Q0SS/0XBhMDbHHGABQLvD2A=
-go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU=
-go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee h1:0mgffUl7nfd+FpvXMVz4IDEaUSmT1ysygQC7qYo7sG4=
+go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
+go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
-go.uber.org/zap v1.8.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
-go.uber.org/zap v1.15.0 h1:ZZCA22JRF2gQE5FoNmhmrf7jeJJ2uhqDUNRYKm8dvmM=
-go.uber.org/zap v1.15.0/go.mod h1:Mb2vm2krFEG5DV0W9qcHBYFtp/Wku1cvYaqPsS/WYfc=
+go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
+go.uber.org/zap v1.18.1 h1:CSUJ2mjFszzEWt4CdKISEuChVIXGBn3lAPwkRGyVrc4=
+go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
+golang.org/dl v0.0.0-20190829154251-82a15e2f2ead/go.mod h1:IUMfjQLJQd4UTqG1Z90tenwKoCX93Gn3MAQJMOSBsDQ=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0 h1:hb9wdF1z5waM+dSIICn1l0DkLVDT3hqhhQsDNUmHPRE=
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
+golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 h1:/UOmuWzQfxxo9UtlXMwuQU8CMgg1eZXqTRwkSQJWKOI=
+golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -651,8 +799,10 @@ golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHl
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
 golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20200302205851-738671d3881b h1:Wh+f8QHJXR411sJR8/vRBTZ7YapZaRvUcLFFJhusH0k=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 h1:VLliZ0d+/avPrXXH+OakdXhpJuEoBZuwh1m2j7U6Iug=
+golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
@@ -660,11 +810,16 @@ golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.1-0.20200828183125-ce943fd02449/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo=
+golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181005035420-146acd28ed58/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -673,12 +828,15 @@ golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190320064053-1272bf9dcd53/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -689,24 +847,54 @@ golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME=
+golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210224082022-3d97a244fca7/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
+golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d h1:20cMwl2fHAzkJMEA+8J4JgqBQcQGzbisXo31MIeenXI=
+golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c h1:pkQiBZBvdos9qq4wBAHqlzuZHEXo07pqV06ef90u1WI=
+golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -718,6 +906,7 @@ golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190321052220-f7bb7a8bee54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -730,7 +919,9 @@ golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191002063906-3421d5a6bb1c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -739,39 +930,69 @@ golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210112080510-489259a85091 h1:DMyOG0U+gKfu8JZzg2UQe9MeaC1X+xQWlAKcRnjxjCw=
+golang.org/x/sys v0.0.0-20201015000850-e3ed0017c211/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c h1:F1jZWGFhYfh0Ci55sIpILtKKK8p3i2/krTr0H1rg74I=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d h1:SZxvLBoTP5yHO3Frd4z4vrF+DBX9vMVanchswa69toE=
+golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.4 h1:0YWbFKbhXG/wIiuHDSKpS0Iy7FSA+u45VtBMfQcFTTc=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e h1:EHBhcS0mlXEAVwNyO2dLfjToGsyY4j24pTs2ScHnX7s=
-golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac h1:7zkz7BUtwNFFqcowJ+RIgu2MaV/MapERkDIy+mwPyjs=
+golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190125232054-d66bd3c5d5a6/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
@@ -782,6 +1003,7 @@ golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBn
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190617190820-da514acc4774/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
@@ -807,18 +1029,36 @@ golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapK
 golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
+golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
+golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
+golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200616133436-c1934b75d054/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e h1:4nW4NLDYnU28ojHaHO8OVxFHk/aQ33U01a9cjED+pzE=
+golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
+golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
+golang.org/x/tools v0.1.2 h1:kRBLX7v7Af8W7Gdbbc908OJcdgtK8bOz9Uaj8/F1ACA=
+golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gomodules.xyz/jsonpatch/v2 v2.1.0 h1:Phva6wqu+xR//Njw6iorylFFgn/z547tw5Ne3HZPQ+k=
-gomodules.xyz/jsonpatch/v2 v2.1.0/go.mod h1:IhYNNY4jnS53ZnfE4PAmpKtDpTCj1JFXc+3mwe7XcUU=
+gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY=
+gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY=
 google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
@@ -829,15 +1069,28 @@ google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsb
 google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
 google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
 google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
 google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
+google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
+google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
+google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
+google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
+google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE=
+google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
+google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
+google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94=
+google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.6 h1:lMO5rYAqUxkmaj76jAkRUvt5JZgFymx/+Q5Mzfivuhc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
@@ -856,10 +1109,33 @@ google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvx
 google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
 google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a h1:pOwg4OoaRYScjmR4LlLgdtnyoHYTSAVhhqe5uPdpII8=
+google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
+google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
+google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c h1:wtujag7C+4D6KMoulW9YauvK2lgdvCMS260jsqqBXr0=
+google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM=
@@ -869,10 +1145,23 @@ google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ij
 google.golang.org/grpc v1.22.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.27.1 h1:zvIju4sqAGvwKspUQOhwnpcqSbzi7/H6QomNNjTL4sk=
 google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
+google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
+google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
+google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
+google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
+google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
+google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
+google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
+google.golang.org/grpc v1.38.0 h1:/9BgsAsa5nWe26HqOlvlgJnqBuktYOLCgjCPqsa56W0=
+google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -882,13 +1171,17 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
-google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U=
+gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
@@ -900,6 +1193,7 @@ gopkg.in/go-playground/pool.v3 v3.1.1/go.mod h1:pUAGBximS/hccTTSzEop6wvvQhVa3QPD
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
@@ -909,58 +1203,58 @@ gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRN
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
+gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-honnef.co/go/tools v0.0.1-2020.1.3 h1:sXmLre5bzIR6ypkjXCDI3jHPssRhc8KD/Ome589sc3U=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo=
-k8s.io/api v0.20.2 h1:y/HR22XDZY3pniu9hIFDLpUCPq2w5eQ6aV/VFQ7uJMw=
-k8s.io/api v0.20.2/go.mod h1:d7n6Ehyzx+S+cE3VhTGfVNNqtGc/oL9DCdYYahlurV8=
-k8s.io/apiextensions-apiserver v0.20.1/go.mod h1:ntnrZV+6a3dB504qwC5PN/Yg9PBiDNt1EVqbW2kORVk=
-k8s.io/apiextensions-apiserver v0.20.2 h1:rfrMWQ87lhd8EzQWRnbQ4gXrniL/yTRBgYH1x1+BLlo=
-k8s.io/apiextensions-apiserver v0.20.2/go.mod h1:F6TXp389Xntt+LUq3vw6HFOLttPa0V8821ogLGwb6Zs=
-k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
-k8s.io/apimachinery v0.20.2 h1:hFx6Sbt1oG0n6DZ+g4bFt5f6BoMkOjKWsQFu077M3Vg=
-k8s.io/apimachinery v0.20.2/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
-k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU=
-k8s.io/apiserver v0.20.2 h1:lGno2t3gcZnLtzsKH4oG0xA9/4GTiBzMO1DGp+K+Bak=
-k8s.io/apiserver v0.20.2/go.mod h1:2nKd93WyMhZx4Hp3RfgH2K5PhwyTrprrkWYnI7id7jA=
-k8s.io/cli-runtime v0.20.2 h1:W0/FHdbApnl9oB7xdG643c/Zaf7TZT+43I+zKxwqvhU=
-k8s.io/cli-runtime v0.20.2/go.mod h1:FjH6uIZZZP3XmwrXWeeYCbgxcrD6YXxoAykBaWH0VdM=
-k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y=
-k8s.io/client-go v0.20.2 h1:uuf+iIAbfnCSw8IGAv/Rg0giM+2bOzHLOsbbrwrdhNQ=
-k8s.io/client-go v0.20.2/go.mod h1:kH5brqWqp7HDxUFKoEgiI4v8G1xzbe9giaCenUWJzgE=
-k8s.io/code-generator v0.20.1/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbWHJg=
-k8s.io/code-generator v0.20.2 h1:SQaysped4EtUDk3u1zphnUJiOAwFdhHx9xS3WKAE0x8=
-k8s.io/code-generator v0.20.2/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbWHJg=
-k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk=
-k8s.io/component-base v0.20.2 h1:LMmu5I0pLtwjpp5009KLuMGFqSc2S2isGw8t1hpYKLE=
-k8s.io/component-base v0.20.2/go.mod h1:pzFtCiwe/ASD0iV7ySMu8SYVJjCapNM9bjvk7ptpKh0=
+honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+k8s.io/api v0.21.3 h1:cblWILbLO8ar+Fj6xdDGr603HRsf8Wu9E9rngJeprZQ=
+k8s.io/api v0.21.3/go.mod h1:hUgeYHUbBp23Ue4qdX9tR8/ANi/g3ehylAqDn9NWVOg=
+k8s.io/apiextensions-apiserver v0.21.3 h1:+B6biyUWpqt41kz5x6peIsljlsuwvNAp/oFax/j2/aY=
+k8s.io/apiextensions-apiserver v0.21.3/go.mod h1:kl6dap3Gd45+21Jnh6utCx8Z2xxLm8LGDkprcd+KbsE=
+k8s.io/apimachinery v0.21.3 h1:3Ju4nvjCngxxMYby0BimUk+pQHPOQp3eCGChk5kfVII=
+k8s.io/apimachinery v0.21.3/go.mod h1:H/IM+5vH9kZRNJ4l3x/fXP/5bOPJaVP/guptnZPeCFI=
+k8s.io/apiserver v0.21.3 h1:QxAgE1ZPQG5cPlHScHTnLxP9H/kU3zjH1Vnd8G+n5OI=
+k8s.io/apiserver v0.21.3/go.mod h1:eDPWlZG6/cCCMj/JBcEpDoK+I+6i3r9GsChYBHSbAzU=
+k8s.io/cli-runtime v0.21.3 h1:eXevRomULAAGjQ7m6qo+AWHvtVRqaLG8WQICEBwjtmo=
+k8s.io/cli-runtime v0.21.3/go.mod h1:h65y0uXIXDnNjd5J+F3CvQU3ZNplH4+rjqbII7JkD4A=
+k8s.io/client-go v0.21.3 h1:J9nxZTOmvkInRDCzcSNQmPJbDYN/PjlxXT9Mos3HcLg=
+k8s.io/client-go v0.21.3/go.mod h1:+VPhCgTsaFmGILxR/7E1N0S+ryO010QBeNCv5JwRGYU=
+k8s.io/code-generator v0.21.3 h1:K2Onrjuve/31D4Y5DpR9ngWM2BiiKUxrGaCxSEJS/Y8=
+k8s.io/code-generator v0.21.3/go.mod h1:K3y0Bv9Cz2cOW2vXUrNZlFbflhuPvuadW6JdnN6gGKo=
+k8s.io/component-base v0.21.3 h1:4WuuXY3Npa+iFfi2aDRiOz+anhNvRfye0859ZgfC5Og=
+k8s.io/component-base v0.21.3/go.mod h1:kkuhtfEHeZM6LkX0saqSK8PbdO7A0HigUngmhhrwfGQ=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
-k8s.io/gengo v0.0.0-20201113003025-83324d819ded h1:JApXBKYyB7l9xx+DK7/+mFjC7A9Bt5A93FPvFD0HIFE=
-k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
+k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027 h1:Uusb3oh8XcdzDF/ndlI4ToKTYVlkCSJP39SRY2mfRAw=
+k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
-k8s.io/klog/v2 v2.4.0 h1:7+X0fUguPyrKEC4WjH8iGDg3laWgMo5tMnRTIGTTxGQ=
-k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
-k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd h1:sOHNzJIkytDF6qadMNKhhDRpc6ODik8lVC6nOur7B2c=
-k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM=
-k8s.io/utils v0.0.0-20201110183641-67b214c5f920 h1:CbnUZsM497iRC5QMVkHwyl8s2tB3g7yaSHkYPkpgelw=
+k8s.io/klog/v2 v2.8.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
+k8s.io/klog/v2 v2.10.0 h1:R2HDMDJsHVTHA2n4RjwbeYXdOcBymXdX/JRb1v0VGhE=
+k8s.io/klog/v2 v2.10.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
+k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7 h1:vEx13qjvaZ4yfObSSXW7BrMc/KQBBT/Jyee8XtLf4x0=
+k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE=
 k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+k8s.io/utils v0.0.0-20210722164352-7f3ee0f31471/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+k8s.io/utils v0.0.0-20210802155522-efc7438f0176 h1:Mx0aa+SUAcNRQbs5jUzV8lkDlGFU8laZsY9jrcVX5SY=
+k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 moul.io/http2curl v1.0.1-0.20190925090545-5cd742060b0e h1:C7q+e9M5nggAvWfVg9Nl66kebKeuJlP3FD58V4RR5wo=
 moul.io/http2curl v1.0.1-0.20190925090545-5cd742060b0e/go.mod h1:nejbQVfXh96n9dSF6cH3Jsk/QI1Z2oEL7sSI2ifXFNA=
 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 h1:SAElp8THCfmBdM+4lmWX5gebiSSkEr7PAYDVF91qpfg=
@@ -968,13 +1262,18 @@ pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732/go.mod h1:lpvCfhqEHNJSSpG5R
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.14/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
-sigs.k8s.io/controller-runtime v0.8.0 h1:s0dYdo7lQgJiAf+alP82PRwbz+oAqL3oSyMQ18XRDOc=
-sigs.k8s.io/controller-runtime v0.8.0/go.mod h1:v9Lbj5oX443uR7GXYY46E0EE2o7k2YxQ58GxVNeXSW4=
-sigs.k8s.io/kustomize v2.0.3+incompatible h1:JUufWFNlI44MdtnjUqVnvh29rR37PQFzPbLXqhyOyX0=
-sigs.k8s.io/kustomize v2.0.3+incompatible/go.mod h1:MkjgH3RdOWrievjo6c9T245dYlB5QeXV4WCbnt/PEpU=
-sigs.k8s.io/structured-merge-diff/v4 v4.0.2 h1:YHQV7Dajm86OuqnIR6zAelnDWBRjo+YhYV9PmGrh1s8=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.19/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
+sigs.k8s.io/controller-runtime v0.9.5 h1:WThcFE6cqctTn2jCZprLICO6BaKZfhsT37uAapTNfxc=
+sigs.k8s.io/controller-runtime v0.9.5/go.mod h1:q6PpkM5vqQubEKUKOM6qr06oXGzOBcCby1DA9FbyZeA=
+sigs.k8s.io/kustomize/api v0.8.8 h1:G2z6JPSSjtWWgMeWSoHdXqyftJNmMmyxXpwENGoOtGE=
+sigs.k8s.io/kustomize/api v0.8.8/go.mod h1:He1zoK0nk43Pc6NlV085xDXDXTNprtcyKZVm3swsdNY=
+sigs.k8s.io/kustomize/kyaml v0.10.17 h1:4zrV0ym5AYa0e512q7K3Wp1u7mzoWW0xR3UHJcGWGIg=
+sigs.k8s.io/kustomize/kyaml v0.10.17/go.mod h1:mlQFagmkm1P+W4lZJbJ/yaxMd8PqMRSC4cPcfUVt5Hg=
+sigs.k8s.io/mdtoc v1.0.1 h1:6ECKhQnbetwZBR6R2IeT2LH+1w+2Zsip0iXjikgaXIk=
+sigs.k8s.io/mdtoc v1.0.1/go.mod h1:COYBtOjsaCg7o7SC4eaLwEXPuVRSuiVuLLRrHd7kShw=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
+sigs.k8s.io/structured-merge-diff/v4 v4.1.2 h1:Hr/htKFmJEbtMgS/UD0N+gtgctAqz81t3nu+sPzynno=
+sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
 sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
diff --git a/hack/tools.go b/hack/tools.go
index f2d455a94..aad9b7438 100644
--- a/hack/tools.go
+++ b/hack/tools.go
@@ -21,6 +21,6 @@ limitations under the License.
 package tools
 
 import (
-	_ "github.com/tallclair/mdtoc"
 	_ "k8s.io/code-generator"
+	_ "sigs.k8s.io/mdtoc"
 )
diff --git a/internal/admission/controller/server.go b/internal/admission/controller/server.go
index 8c9235bdc..513d812a4 100644
--- a/internal/admission/controller/server.go
+++ b/internal/admission/controller/server.go
@@ -17,7 +17,7 @@ limitations under the License.
 package controller
 
 import (
-	"io/ioutil"
+	"io"
 	"net/http"
 
 	admissionv1 "k8s.io/api/admission/v1"
@@ -61,7 +61,7 @@ func NewAdmissionControllerServer(ac AdmissionController) *AdmissionControllerSe
 func (acs *AdmissionControllerServer) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	defer req.Body.Close()
 
-	data, err := ioutil.ReadAll(req.Body)
+	data, err := io.ReadAll(req.Body)
 	if err != nil {
 		klog.ErrorS(err, "Failed to read request body")
 		w.WriteHeader(http.StatusBadRequest)
diff --git a/internal/file/file.go b/internal/file/file.go
index 30dc9868d..18205f3b0 100644
--- a/internal/file/file.go
+++ b/internal/file/file.go
@@ -19,7 +19,7 @@ package file
 import (
 	"crypto/sha1" // #nosec
 	"encoding/hex"
-	"io/ioutil"
+	"os"
 
 	"k8s.io/klog/v2"
 )
@@ -27,7 +27,7 @@ import (
 // SHA1 returns the SHA1 of a file.
 func SHA1(filename string) string {
 	hasher := sha1.New() // #nosec
-	s, err := ioutil.ReadFile(filename)
+	s, err := os.ReadFile(filename)
 	if err != nil {
 		klog.ErrorS(err, "Error reading file", "path", filename)
 		return ""
diff --git a/internal/file/file_test.go b/internal/file/file_test.go
index 3256f4aa5..93ec39cf9 100644
--- a/internal/file/file_test.go
+++ b/internal/file/file_test.go
@@ -17,7 +17,7 @@ limitations under the License.
 package file
 
 import (
-	"io/ioutil"
+	"os"
 	"testing"
 )
 
@@ -31,7 +31,7 @@ func TestSHA1(t *testing.T) {
 	}
 
 	for _, test := range tests {
-		f, err := ioutil.TempFile("", "sha-test")
+		f, err := os.CreateTemp("", "sha-test")
 		if err != nil {
 			t.Fatal(err)
 		}
diff --git a/internal/ingress/annotations/auth/main.go b/internal/ingress/annotations/auth/main.go
index 9edfc1751..84425a95c 100644
--- a/internal/ingress/annotations/auth/main.go
+++ b/internal/ingress/annotations/auth/main.go
@@ -18,7 +18,7 @@ package auth
 
 import (
 	"fmt"
-	"io/ioutil"
+	"os"
 	"regexp"
 	"strings"
 
@@ -183,7 +183,7 @@ func dumpSecretAuthFile(filename string, secret *api.Secret) error {
 		}
 	}
 
-	err := ioutil.WriteFile(filename, val, file.ReadWriteByUser)
+	err := os.WriteFile(filename, val, file.ReadWriteByUser)
 	if err != nil {
 		return ing_errors.LocationDenied{
 			Reason: errors.Wrap(err, "unexpected error creating password file"),
@@ -202,7 +202,7 @@ func dumpSecretAuthMap(filename string, secret *api.Secret) error {
 		builder.WriteString("\n")
 	}
 
-	err := ioutil.WriteFile(filename, []byte(builder.String()), file.ReadWriteByUser)
+	err := os.WriteFile(filename, []byte(builder.String()), file.ReadWriteByUser)
 	if err != nil {
 		return ing_errors.LocationDenied{
 			Reason: errors.Wrap(err, "unexpected error creating password file"),
diff --git a/internal/ingress/annotations/auth/main_test.go b/internal/ingress/annotations/auth/main_test.go
index b02741d01..d018a8ddc 100644
--- a/internal/ingress/annotations/auth/main_test.go
+++ b/internal/ingress/annotations/auth/main_test.go
@@ -18,7 +18,6 @@ package auth
 
 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"testing"
 	"time"
@@ -202,12 +201,12 @@ func TestIngressAuthInvalidSecretKey(t *testing.T) {
 }
 
 func dummySecretContent(t *testing.T) (string, string, *api.Secret) {
-	dir, err := ioutil.TempDir("", fmt.Sprintf("%v", time.Now().Unix()))
+	dir, err := os.MkdirTemp("", fmt.Sprintf("%v", time.Now().Unix()))
 	if err != nil {
 		t.Error(err)
 	}
 
-	tmpfile, err := ioutil.TempFile("", "example-")
+	tmpfile, err := os.CreateTemp("", "example-")
 	if err != nil {
 		t.Error(err)
 	}
diff --git a/internal/ingress/controller/checker.go b/internal/ingress/controller/checker.go
index 81c6e12be..e6aa8ea85 100644
--- a/internal/ingress/controller/checker.go
+++ b/internal/ingress/controller/checker.go
@@ -18,8 +18,8 @@ package controller
 
 import (
 	"fmt"
-	"io/ioutil"
 	"net/http"
+	"os"
 	"strconv"
 	"strings"
 
@@ -46,7 +46,7 @@ func (n *NGINXController) Check(_ *http.Request) error {
 		return errors.Wrap(err, "reading /proc directory")
 	}
 
-	f, err := ioutil.ReadFile(nginx.PID)
+	f, err := os.ReadFile(nginx.PID)
 	if err != nil {
 		return errors.Wrapf(err, "reading %v", nginx.PID)
 	}
diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go
index 112aac0b1..34ee87bdb 100644
--- a/internal/ingress/controller/controller_test.go
+++ b/internal/ingress/controller/controller_test.go
@@ -22,7 +22,7 @@ import (
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -123,7 +123,7 @@ func (ntc testNginxTestCommand) Test(cfg string) ([]byte, error) {
 		return nil, err
 	}
 	defer fd.Close()
-	bytes, err := ioutil.ReadAll(fd)
+	bytes, err := io.ReadAll(fd)
 	if err != nil {
 		ntc.t.Errorf("could not read generated nginx configuration: %v", err.Error())
 	}
diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go
index 664d36b75..e5c47c9aa 100644
--- a/internal/ingress/controller/nginx.go
+++ b/internal/ingress/controller/nginx.go
@@ -22,7 +22,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"net"
 	"net/http"
 	"os"
@@ -616,12 +615,12 @@ func (n NGINXController) testTemplate(cfg []byte) error {
 	if len(cfg) == 0 {
 		return fmt.Errorf("invalid NGINX configuration (empty)")
 	}
-	tmpfile, err := ioutil.TempFile("", tempNginxPattern)
+	tmpfile, err := os.CreateTemp("", tempNginxPattern)
 	if err != nil {
 		return err
 	}
 	defer tmpfile.Close()
-	err = ioutil.WriteFile(tmpfile.Name(), cfg, file.ReadWriteByUser)
+	err = os.WriteFile(tmpfile.Name(), cfg, file.ReadWriteByUser)
 	if err != nil {
 		return err
 	}
@@ -666,14 +665,14 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error {
 	}
 
 	if klog.V(2).Enabled() {
-		src, _ := ioutil.ReadFile(cfgPath)
+		src, _ := os.ReadFile(cfgPath)
 		if !bytes.Equal(src, content) {
-			tmpfile, err := ioutil.TempFile("", "new-nginx-cfg")
+			tmpfile, err := os.CreateTemp("", "new-nginx-cfg")
 			if err != nil {
 				return err
 			}
 			defer tmpfile.Close()
-			err = ioutil.WriteFile(tmpfile.Name(), content, file.ReadWriteByUser)
+			err = os.WriteFile(tmpfile.Name(), content, file.ReadWriteByUser)
 			if err != nil {
 				return err
 			}
@@ -696,7 +695,7 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error {
 		}
 	}
 
-	err = ioutil.WriteFile(cfgPath, content, file.ReadWriteByUser)
+	err = os.WriteFile(cfgPath, content, file.ReadWriteByUser)
 	if err != nil {
 		return err
 	}
@@ -1093,7 +1092,7 @@ func createOpentracingCfg(cfg ngx_config.Configuration) error {
 	// Expand possible environment variables before writing the configuration to file.
 	expanded := os.ExpandEnv(tmplBuf.String())
 
-	return ioutil.WriteFile("/etc/nginx/opentracing.json", []byte(expanded), file.ReadWriteByUser)
+	return os.WriteFile("/etc/nginx/opentracing.json", []byte(expanded), file.ReadWriteByUser)
 }
 
 func cleanTempNginxCfg() error {
diff --git a/internal/ingress/controller/nginx_test.go b/internal/ingress/controller/nginx_test.go
index fb8632029..d168efffd 100644
--- a/internal/ingress/controller/nginx_test.go
+++ b/internal/ingress/controller/nginx_test.go
@@ -19,7 +19,6 @@ package controller
 import (
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net"
 	"net/http"
 	"net/http/httptest"
@@ -179,7 +178,7 @@ func TestConfigureDynamically(t *testing.T) {
 					t.Errorf("expected a 'POST' request, got '%s'", r.Method)
 				}
 
-				b, err := ioutil.ReadAll(r.Body)
+				b, err := io.ReadAll(r.Body)
 				if err != nil && err != io.EOF {
 					t.Fatal(err)
 				}
@@ -339,7 +338,7 @@ func TestConfigureCertificates(t *testing.T) {
 					t.Errorf("expected a 'POST' request, got '%s'", r.Method)
 				}
 
-				b, err := ioutil.ReadAll(r.Body)
+				b, err := io.ReadAll(r.Body)
 				if err != nil && err != io.EOF {
 					t.Fatal(err)
 				}
@@ -478,7 +477,7 @@ func TestCleanTempNginxCfg(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	tmpfile, err := ioutil.TempFile("", tempNginxPattern)
+	tmpfile, err := os.CreateTemp("", tempNginxPattern)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -495,7 +494,7 @@ func TestCleanTempNginxCfg(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	tmpfile, err = ioutil.TempFile("", tempNginxPattern)
+	tmpfile, err = os.CreateTemp("", tempNginxPattern)
 	if err != nil {
 		t.Fatal(err)
 	}
diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go
index 0088c3b01..14096d270 100644
--- a/internal/ingress/controller/store/store.go
+++ b/internal/ingress/controller/store/store.go
@@ -20,7 +20,7 @@ import (
 	"context"
 	"encoding/base64"
 	"fmt"
-	"io/ioutil"
+	"os"
 	"reflect"
 	"sort"
 	"sync"
@@ -851,7 +851,7 @@ func (s *k8sStore) writeSSLSessionTicketKey(cmap *corev1.ConfigMap, fileName str
 			return
 		}
 
-		err = ioutil.WriteFile(fileName, decodedTicket, file.ReadWriteByUser)
+		err = os.WriteFile(fileName, decodedTicket, file.ReadWriteByUser)
 		if err != nil {
 			klog.Errorf("unexpected error writing ssl-session-ticket-key to %s: %v", fileName, err)
 			return
diff --git a/internal/ingress/controller/store/store_test.go b/internal/ingress/controller/store/store_test.go
index bcc8f67d6..963d36af6 100644
--- a/internal/ingress/controller/store/store_test.go
+++ b/internal/ingress/controller/store/store_test.go
@@ -20,7 +20,6 @@ import (
 	"context"
 	"encoding/base64"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"sync"
 	"sync/atomic"
@@ -959,14 +958,14 @@ func TestWriteSSLSessionTicketKey(t *testing.T) {
 			},
 		}
 
-		f, err := ioutil.TempFile("", "ssl-session-ticket-test")
+		f, err := os.CreateTemp("", "ssl-session-ticket-test")
 		if err != nil {
 			t.Fatal(err)
 		}
 
 		s.writeSSLSessionTicketKey(cmap, f.Name())
 
-		content, err := ioutil.ReadFile(f.Name())
+		content, err := os.ReadFile(f.Name())
 		if err != nil {
 			t.Fatal(err)
 		}
diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go
index a14e2d50b..7a248938f 100644
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@@ -24,7 +24,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"math/rand" // #nosec
 	"net"
 	"net/url"
@@ -76,7 +75,7 @@ type Template struct {
 //NewTemplate returns a new Template instance or an
 //error if the specified template file contains errors
 func NewTemplate(file string) (*Template, error) {
-	data, err := ioutil.ReadFile(file)
+	data, err := os.ReadFile(file)
 	if err != nil {
 		return nil, errors.Wrapf(err, "unexpected error reading template %v", file)
 	}
diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go
index c5f40c246..ad0635adf 100644
--- a/internal/ingress/controller/template/template_test.go
+++ b/internal/ingress/controller/template/template_test.go
@@ -20,7 +20,6 @@ import (
 	"bytes"
 	"encoding/base64"
 	"fmt"
-	"io/ioutil"
 	"net"
 	"os"
 	"path"
@@ -538,7 +537,7 @@ func TestTemplateWithData(t *testing.T) {
 		t.Errorf("unexpected error reading json file: %v", err)
 	}
 	defer f.Close()
-	data, err := ioutil.ReadFile(f.Name())
+	data, err := os.ReadFile(f.Name())
 	if err != nil {
 		t.Error("unexpected error reading json file: ", err)
 	}
@@ -582,7 +581,7 @@ func BenchmarkTemplateWithData(b *testing.B) {
 		b.Errorf("unexpected error reading json file: %v", err)
 	}
 	defer f.Close()
-	data, err := ioutil.ReadFile(f.Name())
+	data, err := os.ReadFile(f.Name())
 	if err != nil {
 		b.Error("unexpected error reading json file: ", err)
 	}
@@ -1657,7 +1656,7 @@ func TestCleanConf(t *testing.T) {
 	}
 	actual := &bytes.Buffer{}
 	{
-		data, err := ioutil.ReadFile(testDataDir + "/cleanConf.src.conf")
+		data, err := os.ReadFile(testDataDir + "/cleanConf.src.conf")
 		if err != nil {
 			t.Error("unexpected error reading conf file: ", err)
 		}
@@ -1668,7 +1667,7 @@ func TestCleanConf(t *testing.T) {
 		}
 	}
 
-	expected, err := ioutil.ReadFile(testDataDir + "/cleanConf.expected.conf")
+	expected, err := os.ReadFile(testDataDir + "/cleanConf.expected.conf")
 	if err != nil {
 		t.Error("unexpected error reading conf file: ", err)
 	}
diff --git a/internal/ingress/controller/util.go b/internal/ingress/controller/util.go
index 5946cb47c..b84f2c2e4 100644
--- a/internal/ingress/controller/util.go
+++ b/internal/ingress/controller/util.go
@@ -18,7 +18,6 @@ package controller
 
 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path"
@@ -123,7 +122,7 @@ func (nc NginxCommand) Test(cfg string) ([]byte, error) {
 
 // getSysctl returns the value for the specified sysctl setting
 func getSysctl(sysctl string) (int, error) {
-	data, err := ioutil.ReadFile(path.Join("/proc/sys", sysctl))
+	data, err := os.ReadFile(path.Join("/proc/sys", sysctl))
 	if err != nil {
 		return -1, err
 	}
diff --git a/internal/ingress/metric/collectors/socket.go b/internal/ingress/metric/collectors/socket.go
index 08c3865e3..0f23e2cfb 100644
--- a/internal/ingress/metric/collectors/socket.go
+++ b/internal/ingress/metric/collectors/socket.go
@@ -19,7 +19,6 @@ package collectors
 import (
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net"
 	"os"
 	"syscall"
@@ -442,7 +441,7 @@ func (sc *SocketCollector) SetHosts(hosts sets.String) {
 // handleMessages process the content received in a network connection
 func handleMessages(conn io.ReadCloser, fn func([]byte)) {
 	defer conn.Close()
-	data, err := ioutil.ReadAll(conn)
+	data, err := io.ReadAll(conn)
 	if err != nil {
 		return
 	}
diff --git a/internal/net/dns/dns.go b/internal/net/dns/dns.go
index b300e1aae..7dfbbd177 100644
--- a/internal/net/dns/dns.go
+++ b/internal/net/dns/dns.go
@@ -17,8 +17,8 @@ limitations under the License.
 package dns
 
 import (
-	"io/ioutil"
 	"net"
+	"os"
 	"strings"
 
 	"k8s.io/klog/v2"
@@ -29,7 +29,7 @@ var defResolvConf = "/etc/resolv.conf"
 // GetSystemNameServers returns the list of nameservers located in the file /etc/resolv.conf
 func GetSystemNameServers() ([]net.IP, error) {
 	var nameservers []net.IP
-	file, err := ioutil.ReadFile(defResolvConf)
+	file, err := os.ReadFile(defResolvConf)
 	if err != nil {
 		return nameservers, err
 	}
diff --git a/internal/net/dns/dns_test.go b/internal/net/dns/dns_test.go
index bd2243ae7..2b21e81e7 100644
--- a/internal/net/dns/dns_test.go
+++ b/internal/net/dns/dns_test.go
@@ -17,7 +17,6 @@ limitations under the License.
 package dns
 
 import (
-	"io/ioutil"
 	"net"
 	"os"
 	"testing"
@@ -34,14 +33,14 @@ func TestGetDNSServers(t *testing.T) {
 		t.Error("expected at least 1 nameserver in /etc/resolv.conf")
 	}
 
-	f, err := ioutil.TempFile("", "fw")
+	f, err := os.CreateTemp("", "fw")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	defer f.Close()
 	defer os.Remove(f.Name())
 
-	ioutil.WriteFile(f.Name(), []byte(`
+	os.WriteFile(f.Name(), []byte(`
 	# comment
 	; comment
 	nameserver 2001:4860:4860::8844
diff --git a/internal/net/ssl/ssl.go b/internal/net/ssl/ssl.go
index a329b8303..bb99e2e8a 100644
--- a/internal/net/ssl/ssl.go
+++ b/internal/net/ssl/ssl.go
@@ -29,7 +29,6 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"math/big"
 	"net"
 	"os"
@@ -181,7 +180,7 @@ func CheckCACert(caBytes []byte) ([]*x509.Certificate, error) {
 func StoreSSLCertOnDisk(name string, sslCert *ingress.SSLCert) (string, error) {
 	pemFileName, _ := getPemFileName(name)
 
-	err := ioutil.WriteFile(pemFileName, []byte(sslCert.PemCertKey), file.ReadWriteByUser)
+	err := os.WriteFile(pemFileName, []byte(sslCert.PemCertKey), file.ReadWriteByUser)
 	if err != nil {
 		return "", fmt.Errorf("could not create PEM certificate file %v: %v", pemFileName, err)
 	}
@@ -209,7 +208,7 @@ func ConfigureCACertWithCertAndKey(name string, ca []byte, sslCert *ingress.SSLC
 		return fmt.Errorf("could not write ca data to cert file %v: %v", sslCert.CAFileName, err)
 	}
 
-	return ioutil.WriteFile(sslCert.CAFileName, buffer.Bytes(), 0644)
+	return os.WriteFile(sslCert.CAFileName, buffer.Bytes(), 0644)
 }
 
 // ConfigureCRL creates a CRL file and append it into the SSLCert
@@ -232,7 +231,7 @@ func ConfigureCRL(name string, crl []byte, sslCert *ingress.SSLCert) error {
 		return fmt.Errorf(err.Error())
 	}
 
-	err = ioutil.WriteFile(crlFileName, crl, 0644)
+	err = os.WriteFile(crlFileName, crl, 0644)
 	if err != nil {
 		return fmt.Errorf("could not write CRL file %v: %v", crlFileName, err)
 	}
@@ -250,7 +249,7 @@ func ConfigureCACert(name string, ca []byte, sslCert *ingress.SSLCert) error {
 	caName := fmt.Sprintf("ca-%v.pem", name)
 	fileName := fmt.Sprintf("%v/%v", file.DefaultSSLDirectory, caName)
 
-	err := ioutil.WriteFile(fileName, ca, 0644)
+	err := os.WriteFile(fileName, ca, 0644)
 	if err != nil {
 		return fmt.Errorf("could not write CA file %v: %v", fileName, err)
 	}
@@ -332,7 +331,7 @@ func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddre
 func AddOrUpdateDHParam(name string, dh []byte) (string, error) {
 	pemFileName, pemName := getPemFileName(name)
 
-	tempPemFile, err := ioutil.TempFile(file.DefaultSSLDirectory, pemName)
+	tempPemFile, err := os.CreateTemp(file.DefaultSSLDirectory, pemName)
 
 	klog.V(3).InfoS("Creating temporal file for DH", "path", tempPemFile.Name(), "name", pemName)
 	if err != nil {
@@ -351,7 +350,7 @@ func AddOrUpdateDHParam(name string, dh []byte) (string, error) {
 
 	defer os.Remove(tempPemFile.Name())
 
-	pemCerts, err := ioutil.ReadFile(tempPemFile.Name())
+	pemCerts, err := os.ReadFile(tempPemFile.Name())
 	if err != nil {
 		return "", err
 	}
@@ -530,12 +529,12 @@ func (tl *TLSListener) TLSConfig() *tls.Config {
 
 func (tl *TLSListener) load() {
 	klog.InfoS("loading tls certificate", "path", tl.certificatePath, "key", tl.keyPath)
-	certBytes, err := ioutil.ReadFile(tl.certificatePath)
+	certBytes, err := os.ReadFile(tl.certificatePath)
 	if err != nil {
 		tl.certificate = nil
 		tl.err = err
 	}
-	keyBytes, err := ioutil.ReadFile(tl.keyPath)
+	keyBytes, err := os.ReadFile(tl.keyPath)
 	if err != nil {
 		tl.certificate = nil
 		tl.err = err
diff --git a/internal/net/ssl/ssl_test.go b/internal/net/ssl/ssl_test.go
index d161b57ff..0b972d21c 100644
--- a/internal/net/ssl/ssl_test.go
+++ b/internal/net/ssl/ssl_test.go
@@ -28,11 +28,11 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"math"
 	"math/big"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"strings"
 	"sync"
 	"testing"
@@ -393,7 +393,7 @@ func encodeCertPEM(cert *x509.Certificate) []byte {
 func newFakeCertificate(t *testing.T) ([]byte, string, string) {
 	cert, key := getFakeHostSSLCert("localhost")
 
-	certFile, err := ioutil.TempFile("", "crt-")
+	certFile, err := os.CreateTemp("", "crt-")
 	if err != nil {
 		t.Errorf("failed to write test key: %v", err)
 	}
@@ -401,7 +401,7 @@ func newFakeCertificate(t *testing.T) ([]byte, string, string) {
 	certFile.Write(cert)
 	defer certFile.Close()
 
-	keyFile, err := ioutil.TempFile("", "key-")
+	keyFile, err := os.CreateTemp("", "key-")
 	if err != nil {
 		t.Errorf("failed to write test key: %v", err)
 	}
diff --git a/internal/nginx/main.go b/internal/nginx/main.go
index bc88391f6..485b7d229 100644
--- a/internal/nginx/main.go
+++ b/internal/nginx/main.go
@@ -20,7 +20,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"os"
 	"os/exec"
@@ -69,7 +69,7 @@ func NewGetStatusRequest(path string) (int, []byte, error) {
 	}
 	defer res.Body.Close()
 
-	data, err := ioutil.ReadAll(res.Body)
+	data, err := io.ReadAll(res.Body)
 	if err != nil {
 		return 0, nil, err
 	}
@@ -93,7 +93,7 @@ func NewPostStatusRequest(path, contentType string, data interface{}) (int, []by
 	}
 	defer res.Body.Close()
 
-	body, err := ioutil.ReadAll(res.Body)
+	body, err := io.ReadAll(res.Body)
 	if err != nil {
 		return 0, nil, err
 	}
@@ -133,7 +133,7 @@ func readFileToString(path string) (string, error) {
 	}
 	defer f.Close()
 
-	contents, err := ioutil.ReadAll(f)
+	contents, err := io.ReadAll(f)
 	if err != nil {
 		return "", err
 	}
diff --git a/internal/runtime/cpu_linux.go b/internal/runtime/cpu_linux.go
index 41b969df1..7b6a96d60 100644
--- a/internal/runtime/cpu_linux.go
+++ b/internal/runtime/cpu_linux.go
@@ -19,8 +19,8 @@ limitations under the License.
 package runtime
 
 import (
-	"io/ioutil"
 	"math"
+	"os"
 	"path/filepath"
 	"runtime"
 	"strconv"
@@ -52,7 +52,7 @@ func NumCPU() int {
 }
 
 func readCgroupFileToInt64(cgroupPath, cgroupFile string) int64 {
-	contents, err := ioutil.ReadFile(filepath.Join(cgroupPath, cgroupFile))
+	contents, err := os.ReadFile(filepath.Join(cgroupPath, cgroupFile))
 	if err != nil {
 		return -1
 	}
diff --git a/internal/watch/file_watcher_test.go b/internal/watch/file_watcher_test.go
index 7b39c4e30..d97d6b9ae 100644
--- a/internal/watch/file_watcher_test.go
+++ b/internal/watch/file_watcher_test.go
@@ -17,7 +17,6 @@ limitations under the License.
 package watch
 
 import (
-	"io/ioutil"
 	"os"
 	"path"
 	"path/filepath"
@@ -37,7 +36,7 @@ func prepareTimeout() chan bool {
 }
 
 func TestFileWatcher(t *testing.T) {
-	f, err := ioutil.TempFile("", "fw")
+	f, err := os.CreateTemp("", "fw")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -62,7 +61,7 @@ func TestFileWatcher(t *testing.T) {
 		t.Fatalf("expected no events before writing a file")
 	case <-timeoutChan:
 	}
-	ioutil.WriteFile(f.Name(), []byte{}, file.ReadWriteByUser)
+	os.WriteFile(f.Name(), []byte{}, file.ReadWriteByUser)
 	select {
 	case <-events:
 	case <-timeoutChan:
@@ -71,7 +70,7 @@ func TestFileWatcher(t *testing.T) {
 }
 
 func TestFileWatcherWithNestedSymlink(t *testing.T) {
-	target1, err := ioutil.TempFile("", "t1")
+	target1, err := os.CreateTemp("", "t1")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -115,7 +114,7 @@ func TestFileWatcherWithNestedSymlink(t *testing.T) {
 	}
 	defer fw.Close()
 
-	target2, err := ioutil.TempFile("", "t2")
+	target2, err := os.CreateTemp("", "t2")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
diff --git a/test/e2e-image/Dockerfile b/test/e2e-image/Dockerfile
index 8c640d92b..8ff9729b1 100644
--- a/test/e2e-image/Dockerfile
+++ b/test/e2e-image/Dockerfile
@@ -1,4 +1,4 @@
-FROM k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210601-g96a87c79b@sha256:f84dcddc84e5cba220260f315e18cd47fc8c6b7f3f4f57b7b3e9cc2ea25324b7 AS BASE
+FROM k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210806-g26768e957@sha256:0f3c0d0bda953aa7f1164c452cc0165ce8a0c72469b550988a9601c539f61608 AS BASE
 
 FROM alpine:3.12
 
diff --git a/test/e2e/settings/ocsp/ocsp.go b/test/e2e/settings/ocsp/ocsp.go
index 873d10f2b..161815aed 100644
--- a/test/e2e/settings/ocsp/ocsp.go
+++ b/test/e2e/settings/ocsp/ocsp.go
@@ -22,8 +22,8 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
-	"io/ioutil"
 	"net/http"
+	"os"
 	"os/exec"
 	"strings"
 	"syscall"
@@ -57,13 +57,13 @@ var _ = framework.DescribeSetting("OCSP", func() {
 		ing := framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil)
 		f.EnsureIngress(ing)
 
-		leafCert, err := ioutil.ReadFile("leaf.pem")
+		leafCert, err := os.ReadFile("leaf.pem")
 		assert.Nil(ginkgo.GinkgoT(), err)
 
-		leafKey, err := ioutil.ReadFile("leaf-key.pem")
+		leafKey, err := os.ReadFile("leaf-key.pem")
 		assert.Nil(ginkgo.GinkgoT(), err)
 
-		intermediateCa, err := ioutil.ReadFile("intermediate_ca.pem")
+		intermediateCa, err := os.ReadFile("intermediate_ca.pem")
 		assert.Nil(ginkgo.GinkgoT(), err)
 
 		var pemCertBuffer bytes.Buffer
@@ -82,7 +82,7 @@ var _ = framework.DescribeSetting("OCSP", func() {
 			},
 		})
 
-		cfsslDB, err := ioutil.ReadFile("empty.db")
+		cfsslDB, err := os.ReadFile("empty.db")
 		assert.Nil(ginkgo.GinkgoT(), err)
 
 		cmap, err := f.EnsureConfigMap(&corev1.ConfigMap{
@@ -197,7 +197,7 @@ const configTemplate = `
 
 func prepareCertificates(namespace string) error {
 	config := fmt.Sprintf(configTemplate, namespace)
-	err := ioutil.WriteFile("cfssl_config.json", []byte(config), 0644)
+	err := os.WriteFile("cfssl_config.json", []byte(config), 0644)
 	if err != nil {
 		return fmt.Errorf("creating cfssl_config.json file: %v", err)
 	}
diff --git a/test/e2e/settings/proxy_protocol.go b/test/e2e/settings/proxy_protocol.go
index 3b85cf428..3b551d1d8 100644
--- a/test/e2e/settings/proxy_protocol.go
+++ b/test/e2e/settings/proxy_protocol.go
@@ -20,7 +20,7 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net"
 	"strings"
 
@@ -66,7 +66,7 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() {
 		conn.Write([]byte(header))
 		conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n"))
 
-		data, err := ioutil.ReadAll(conn)
+		data, err := io.ReadAll(conn)
 		assert.Nil(ginkgo.GinkgoT(), err, "unexpected error reading connection data")
 
 		body := string(data)
@@ -99,7 +99,7 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() {
 		conn.Write([]byte(header))
 		conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n"))
 
-		data, err := ioutil.ReadAll(conn)
+		data, err := io.ReadAll(conn)
 		assert.Nil(ginkgo.GinkgoT(), err, "unexpected error reading connection data")
 
 		body := string(data)
@@ -141,7 +141,7 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() {
 		_, err = tlsConn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n"))
 		assert.Nil(ginkgo.GinkgoT(), err, "writing HTTP request")
 
-		data, err := ioutil.ReadAll(tlsConn)
+		data, err := io.ReadAll(tlsConn)
 		assert.Nil(ginkgo.GinkgoT(), err, "unexpected error reading connection data")
 
 		body := string(data)
@@ -208,7 +208,7 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() {
 		conn.Write([]byte(header))
 		conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n"))
 
-		_, err = ioutil.ReadAll(conn)
+		_, err = io.ReadAll(conn)
 		assert.Nil(ginkgo.GinkgoT(), err, "unexpected error reading connection data")
 
 		logs, err := f.NginxLogs()

From 390bd257e70daee84eb6334437fd6b31a965604f Mon Sep 17 00:00:00 2001
From: Jennifer Kirsch <7807969+DysphoricUnicorn@users.noreply.github.com>
Date: Fri, 6 Aug 2021 20:57:30 +0200
Subject: [PATCH 037/376] Add documentation for monitoring without helm (#7455)

* Add documentation for monitoring without helm

As someone who is currently learning Kubernetes without using helm, I wasn't able to get the ingress controller to export metrics without asking someone more experienced for help.

I think a bit more information would be a good addition for my fellow Kubernetes newcomers.
If there are any wording/ formatting issues, I will be happy to update this.

* Fix typo
---
 docs/user-guide/monitoring.md | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md
index 6471f997e..d02e1a682 100644
--- a/docs/user-guide/monitoring.md
+++ b/docs/user-guide/monitoring.md
@@ -38,6 +38,33 @@ This tutorial will show you how to install [Prometheus](https://prometheus.io/)
           prometheus.io/scrape: "true" 
   ..
   ```
+   - If you are **not using helm**, you will have to edit your manifests like this:
+     - Service manifest:
+       ```
+       apiVersion: v1
+       kind: Service
+       metadata:
+        annotations:
+          prometheus.io/scrape: "true"
+          prometheus.io/port: "10254"
+       ..
+       spec:
+         ports:
+           - name: prometheus
+             port: 10254
+             targetPort: prometheus
+             ..
+
+       ```
+       
+      - DaemonSet manifest:
+           ```
+           ..
+           ports:
+             - name: prometheus
+               containerPort: 10254
+             ..
+           ```
 
 
 ## Deploy and configure Prometheus Server

From 5c98c93f0f36bdcc0d02a0b93a3ffdf400e70851 Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Sat, 7 Aug 2021 01:09:30 +0530
Subject: [PATCH 038/376] added K8s v1.22 tip for kind cluster,bug-report
 (#7437)

---
 .github/ISSUE_TEMPLATE/bug_report.md    | 25 +++++++++++++++++++++++++
 docs/developer-guide/getting-started.md |  1 +
 2 files changed, 26 insertions(+)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index ed5a31532..3df73cc6a 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -37,7 +37,32 @@ This questions are the first thing we need to know to understand the context.
 - **OS** (e.g. from /etc/os-release):
 - **Kernel** (e.g. `uname -a`):
 - **Install tools**:
+  - `Please mention how/where was clsuter created like kubeadm/kops/minikube/kind etc. `
+- **Basic cluster related info**:
+  - `kubectl version`
+  - `kubectl get nodes -o wide`
+
+- **How was the ingress-nginx-controller installed**:
+  - If helm was used then please show output of `helm ls -A`
+  - If helm was used then please show output of `helm -n <ingresscontrollernamepspace> get values <helmreleasename>`
+  - If helm was not used, then please explain how the ingress-nginx-controller was installed or copy/paste the command used to install the controller below
+  - if you have more than one instance of the ingress-nginx-controller installed in the same cluster, please provide details for all the instances
+
+- **Current State of the controller**:
+  - `kubectl -n <ingresscontrollernamespace> get all -A -o wide`
+  - `kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>`
+  - `kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>`
+
+- **Current state of ingress object, if applicable**:
+  - `kubectl -n <appnnamespace> get all,ing -o wide`
+  - `kubectl -n <appnamespace> describe ing <ingressname>`
+  - If applicable, then, your complete and exact curl/grpcurl command (redacted if required) and the reponse to the curl/grpcurl command with the -v flag
+
 - **Others**:
+  - Any other related information like ;
+    - copy/paste of the snippet (if applicable)
+    - `kubectl describe ...` of any custom configmap(s) created and in use
+    - Any other related information that may help
 
 **What happened**:
 
diff --git a/docs/developer-guide/getting-started.md b/docs/developer-guide/getting-started.md
index eb5e7cae5..2e0c5b26c 100644
--- a/docs/developer-guide/getting-started.md
+++ b/docs/developer-guide/getting-started.md
@@ -29,6 +29,7 @@ Start a local Kubernetes cluster using [kind](https://kind.sigs.k8s.io/), build
 ```console
 make dev-env
 ```
+- If you are working on the v1.x.x version of this controler, and you want to create a cluster with kubernetes version 1.22, then please visit the [documentation for kind](https://kind.sigs.k8s.io/docs/user/configuration/#a-note-on-cli-parameters-and-configuration-files), and look for how to set a custom image for the kind node (image: kindest/node...), in the kind config file.
 
 ### Testing
 

From c51a509ad86025cbddeb5f732d6c0869fe90fc3f Mon Sep 17 00:00:00 2001
From: Benedikt <64281777+bensch98@users.noreply.github.com>
Date: Fri, 6 Aug 2021 21:41:30 +0200
Subject: [PATCH 039/376] correct ingress-controller naming (#7450)

---
 docs/user-guide/monitoring.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md
index d02e1a682..41fe96b36 100644
--- a/docs/user-guide/monitoring.md
+++ b/docs/user-guide/monitoring.md
@@ -14,9 +14,9 @@ This tutorial will show you how to install [Prometheus](https://prometheus.io/)
   2. controller.podAnnotations."prometheus.io/scrape"="true"
   3. controller.podAnnotations."prometheus.io/port"="10254"
 
-  - The easiest way to configure the controller for metrics is via helm upgrade. Assuming you have installed the ingress-nginx controller as a helm release named ingresscontroller0, then you can simply type the command show below :
+  - The easiest way to configure the controller for metrics is via helm upgrade. Assuming you have installed the ingress-nginx controller as a helm release named ingress-controller, then you can simply type the command show below :
   ```
-  helm upgrade ingresscontroller0 ingress-nginx/ingress-nginx \
+  helm upgrade ingress-controller ingress-nginx/ingress-nginx \
   --namespace ingress-nginx \
   --set controller.metrics.enabled=true \
   --set-string controller.podAnnotations."prometheus\.io/scrape"="true" \

From 9efea320b92e381cb55438891a4967daf254cf0d Mon Sep 17 00:00:00 2001
From: tobiasgiese <tobiasgiese@gmail.com>
Date: Fri, 6 Aug 2021 21:45:30 +0200
Subject: [PATCH 040/376] Fix cap for NET_BIND_SERVICE (#7449)

Signed-off-by: Tobias Giese <tobias.giese@daimler.com>
---
 rootfs/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rootfs/Dockerfile b/rootfs/Dockerfile
index 7fc8cfee3..5a8af2a6d 100644
--- a/rootfs/Dockerfile
+++ b/rootfs/Dockerfile
@@ -65,6 +65,8 @@ RUN apk add --no-cache libcap \
   && setcap -v cap_net_bind_service=+ep /nginx-ingress-controller \
   && setcap    cap_net_bind_service=+ep /usr/local/nginx/sbin/nginx \
   && setcap -v cap_net_bind_service=+ep /usr/local/nginx/sbin/nginx \
+  && setcap    cap_net_bind_service=+ep /usr/bin/dumb-init \
+  && setcap -v cap_net_bind_service=+ep /usr/bin/dumb-init \
   && apk del libcap
 
 USER www-data

From e5e33051b936dc034acc3c84c687b2644504887c Mon Sep 17 00:00:00 2001
From: Ian Roberts <i.roberts@dcs.shef.ac.uk>
Date: Fri, 6 Aug 2021 21:27:29 +0100
Subject: [PATCH 041/376] Allow overriding of the default response format
 (#7245)

Rather than hard-coding the default response format as HTML, allow the default to be overridden by an environment variable.  For example, given a REST API endpoint that defaults to responding in JSON, you may wish to configure the error messages to be JSON by default as well.
---
 images/custom-error-pages/main.go | 31 ++++++++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)

diff --git a/images/custom-error-pages/main.go b/images/custom-error-pages/main.go
index 8f4e6b267..7d3d73029 100644
--- a/images/custom-error-pages/main.go
+++ b/images/custom-error-pages/main.go
@@ -62,6 +62,12 @@ const (
 	// ErrFilesPathVar is the name of the environment variable indicating
 	// the location on disk of files served by the handler.
 	ErrFilesPathVar = "ERROR_FILES_PATH"
+
+	// DefaultFormatVar is the name of the environment variable indicating
+	// the default error MIME type that should be returned if either the
+	// client does not specify an Accept header, or the Accept header provided
+	// cannot be mapped to a file extension.
+	DefaultFormatVar = "DEFAULT_RESPONSE_FORMAT"
 )
 
 func init() {
@@ -75,7 +81,12 @@ func main() {
 		errFilesPath = os.Getenv(ErrFilesPathVar)
 	}
 
-	http.HandleFunc("/", errorHandler(errFilesPath))
+	defaultFormat := "text/html"
+	if os.Getenv(DefaultFormatVar) != "" {
+		defaultFormat = os.Getenv(DefaultFormatVar)
+	}
+
+	http.HandleFunc("/", errorHandler(errFilesPath, defaultFormat))
 
 	http.Handle("/metrics", promhttp.Handler())
 
@@ -86,10 +97,16 @@ func main() {
 	http.ListenAndServe(fmt.Sprintf(":8080"), nil)
 }
 
-func errorHandler(path string) func(http.ResponseWriter, *http.Request) {
+func errorHandler(path, defaultFormat string) func(http.ResponseWriter, *http.Request) {
+	defaultExts, err := mime.ExtensionsByType(defaultFormat)
+	if err != nil || len(defaultExts) == 0 {
+		panic("couldn't get file extension for default format")
+	}
+	defaultExt := defaultExts[0]
+
 	return func(w http.ResponseWriter, r *http.Request) {
 		start := time.Now()
-		ext := "html"
+		ext := defaultExt
 
 		if os.Getenv("DEBUG") != "" {
 			w.Header().Set(FormatHeader, r.Header.Get(FormatHeader))
@@ -105,14 +122,14 @@ func errorHandler(path string) func(http.ResponseWriter, *http.Request) {
 
 		format := r.Header.Get(FormatHeader)
 		if format == "" {
-			format = "text/html"
+			format = defaultFormat
 			log.Printf("format not specified. Using %v", format)
 		}
 
 		cext, err := mime.ExtensionsByType(format)
 		if err != nil {
 			log.Printf("unexpected error reading media type extension: %v. Using %v", err, ext)
-			format = "text/html"
+			format = defaultFormat
 		} else if len(cext) == 0 {
 			log.Printf("couldn't get media type extension. Using %v", ext)
 		} else {
@@ -131,6 +148,10 @@ func errorHandler(path string) func(http.ResponseWriter, *http.Request) {
 		if !strings.HasPrefix(ext, ".") {
 			ext = "." + ext
 		}
+		// special case for compatibility
+		if ext == ".htm" {
+			ext = ".html"
+		}
 		file := fmt.Sprintf("%v/%v%v", path, code, ext)
 		f, err := os.Open(file)
 		if err != nil {

From 2d90ba14f5f9a245af2a6e000e376803bbef4da9 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Fri, 6 Aug 2021 21:07:29 -0300
Subject: [PATCH 042/376] Change all master reference to main (#7369)

---
 Changelog.md                                  |  16 +-
 RELEASE.md                                    |  32 +-
 charts/ingress-nginx/README.md                |   8 +-
 charts/ingress-nginx/values.yaml              |  12 +-
 docs/deploy/hardening-guide.md                |  12 +-
 docs/deploy/index.md                          |   2 +-
 docs/deploy/upgrade.md                        |   2 +-
 docs/developer-guide/code-overview.md         |  50 +-
 docs/developer-guide/getting-started.md       |   2 +-
 docs/e2e-tests.md                             | 786 +++++++++---------
 docs/examples/PREREQUISITES.md                |   2 +-
 .../auth/oauth-external-auth/README.md        |   4 +-
 .../custom-configuration/README.md            |   2 +-
 .../customization/custom-headers/README.md    |   4 +-
 docs/examples/customization/sysctl/README.md  |   2 +-
 docs/examples/docker-registry/README.md       |   6 +-
 docs/examples/multi-tls/multi-tls.yaml        |   4 +-
 docs/examples/psp/README.md                   |   2 +-
 docs/how-it-works.md                          |   4 +-
 docs/kubectl-plugin.md                        |   2 +-
 docs/troubleshooting.md                       |   2 +-
 docs/user-guide/custom-errors.md              |   2 +-
 docs/user-guide/default-backend.md            |   2 +-
 docs/user-guide/monitoring.md                 |   6 +-
 .../nginx-configuration/configmap.md          |  16 +-
 images/cfssl/Makefile                         |   2 +-
 images/echo/Makefile                          |   2 +-
 images/fastcgi-helloserver/Makefile           |   2 +-
 images/httpbin/Makefile                       |   2 +-
 images/nginx/Makefile                         |   2 +-
 images/test-runner/Makefile                   |   2 +-
 rootfs/etc/nginx/lua/plugins/README.md        |   2 +-
 32 files changed, 498 insertions(+), 498 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index 661b96d4a..750660764 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -806,7 +806,7 @@ _New Features:_
 - NGINX 1.17.10
 - OpenSSL 1.1.1g - [CVE-2020-1967](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1967)
 - OCSP stapling
-- Helm chart [stable/nginx-ingress](https://github.com/helm/charts/tree/master/stable/nginx-ingress) is now maintained in the [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/master/charts/ingress-nginx) repository
+- Helm chart [stable/nginx-ingress](https://github.com/helm/charts/tree/master/stable/nginx-ingress) is now maintained in the [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/main/charts/ingress-nginx) repository
 - Support for custom Maxmind GeoLite2 Databases [flag --maxmind-edition-ids](https://kubernetes.github.io/ingress-nginx/user-guide/cli-arguments/)
 - New [PathType](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) and [IngressClass](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) fields. Requires Kubernetes v1.18 or higher
 - Enable configuration of lua plugins using the configuration configmap
@@ -1658,7 +1658,7 @@ _Documentation:_
 _New Features:_
 
 - NGINX 1.15.9
-- New `canary-by-header-value` [annotation](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#canary).
+- New `canary-by-header-value` [annotation](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#canary).
 - New debug binary to get runtime information from lua [3686](https://github.com/kubernetes/ingress-nginx/pull/3686)
 - Support for Opentracing with Datadog
 - New [kubectl plugin](https://github.com/kubernetes/ingress-nginx/pull/3779) **Alpha**
@@ -2027,7 +2027,7 @@ _Documentation:_
 _New Features:_
 
 - NGINX 1.15.5
-- Support for *regular expressions* in paths https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/ingress-path-matching.md
+- Support for *regular expressions* in paths https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/ingress-path-matching.md
 - Provide possibility to block IPs, User-Agents and Referers globally
 - Remove --default-backend-service requirement. Use the flag only for custom default backends
 - Valgrind and Openresty gdb tools
@@ -2228,7 +2228,7 @@ _Documentation:_
 
 _New Features:_
 
-- [Grafana dashboards](https://github.com/kubernetes/ingress-nginx/tree/master/deploy/grafana/dashboards)
+- [Grafana dashboards](https://github.com/kubernetes/ingress-nginx/tree/main/deploy/grafana/dashboards)
 
 _Changes:_
 
@@ -2550,7 +2550,7 @@ _New Features:_
   - The annotation `nginx.ingress.kubernetes.io/grpc-backend: "true"` enable this feature
   - If the gRPC service requires TLS `nginx.ingress.kubernetes.io/secure-backends: "true"`
 - Configurable load balancing with EWMA
-- Support for [lua-resty-waf](https://github.com/p0pr0ck5/lua-resty-waf) as alternative to ModSecurity. [Check configuration guide](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/annotations.md#lua-resty-waf)
+- Support for [lua-resty-waf](https://github.com/p0pr0ck5/lua-resty-waf) as alternative to ModSecurity. [Check configuration guide](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/annotations.md#lua-resty-waf)
 - Support for session affinity when dynamic configuration is enabled.
 - Add NoAuthLocations and default it to "/.well-known/acme-challenge"
 
@@ -3587,7 +3587,7 @@ _New Features:_
 - Custom log formats using `log-format-upstream` directive in the configuration configmap.
 - Force redirect to SSL using the annotation `ingress.kubernetes.io/force-ssl-redirect`
 - Prometheus metric for VTS status module (transparent, just enable vts stats)
-- Improved external authentication adding `ingress.kubernetes.io/auth-signin` annotation. Please check this [example](https://github.com/kubernetes/ingress/tree/master/examples/external-auth/nginx)
+- Improved external authentication adding `ingress.kubernetes.io/auth-signin` annotation. Please check this [example](https://github.com/kubernetes/ingress/tree/main/examples/external-auth/nginx)
 
 _Breaking changes:_
 
@@ -3651,9 +3651,9 @@ _Changes:_
 
 _New Features:_
 
-- New configuration flag `proxy-set-headers` to allow set custom headers before send traffic to backends. [Example here](https://github.com/kubernetes/ingress/tree/master/examples/customization/custom-headers/nginx)
+- New configuration flag `proxy-set-headers` to allow set custom headers before send traffic to backends. [Example here](https://github.com/kubernetes/ingress/tree/main/examples/customization/custom-headers/nginx)
 - Disable directive access_log globally using `disable-access-log: "true"` in the configuration ConfigMap.
-- Sticky session per Ingress rule using the annotation `ingress.kubernetes.io/affinity`. [Example here](https://github.com/kubernetes/ingress/tree/master/examples/affinity/cookie/nginx)
+- Sticky session per Ingress rule using the annotation `ingress.kubernetes.io/affinity`. [Example here](https://github.com/kubernetes/ingress/tree/main/examples/affinity/cookie/nginx)
 
 _Changes:_
 
diff --git a/RELEASE.md b/RELEASE.md
index 50324bf71..1ed6eaef7 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -1,4 +1,4 @@
-1. [NGINX](https://github.com/kubernetes/ingress-nginx/tree/master/images/nginx)
+1. [NGINX](https://github.com/kubernetes/ingress-nginx/tree/main/images/nginx)
 
 * Open pull request
   
@@ -18,13 +18,13 @@ The sha is available in output from [cloud build](https://console.cloud.google.c
 
 2. Change to images:
    
-* [e2e](https://github.com/kubernetes/ingress-nginx/tree/master/images/test-runner)
+* [e2e](https://github.com/kubernetes/ingress-nginx/tree/main/images/test-runner)
 
-    * [test-runner](https://github.com/kubernetes/ingress-nginx/tree/master/images/echo)
-    * [echo](https://github.com/kubernetes/ingress-nginx/tree/master/images/echo)
-    * [cfssl](https://github.com/kubernetes/ingress-nginx/tree/master/images/cfssl)
-    * [fastcgi-helloserver](https://github.com/kubernetes/ingress-nginx/tree/master/images/fastcgi-helloserver)
-    * [httpbin](https://github.com/kubernetes/ingress-nginx/tree/master/images/httpbin)
+    * [test-runner](https://github.com/kubernetes/ingress-nginx/tree/main/images/echo)
+    * [echo](https://github.com/kubernetes/ingress-nginx/tree/main/images/echo)
+    * [cfssl](https://github.com/kubernetes/ingress-nginx/tree/main/images/cfssl)
+    * [fastcgi-helloserver](https://github.com/kubernetes/ingress-nginx/tree/main/images/fastcgi-helloserver)
+    * [httpbin](https://github.com/kubernetes/ingress-nginx/tree/main/images/httpbin)
 
 * Open pull request
 * Merge
@@ -32,7 +32,7 @@ The sha is available in output from [cloud build](https://console.cloud.google.c
 
 2a. Promote images:
 
-* Open pull request to promote [staging image](https://github.com/kubernetes/k8s.io/blob/master/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml)
+* Open pull request to promote [staging image](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml)
     * e2e-test-runner
     * e2e-test-cfssl
     * e2e-test-echo
@@ -41,38 +41,38 @@ The sha is available in output from [cloud build](https://console.cloud.google.c
 
 3. Update references to e2e-test-runner image:
 
-* [e2e-image](https://github.com/kubernetes/ingress-nginx/blob/master/test/e2e-image/Dockerfile#L1)
+* [e2e-image](https://github.com/kubernetes/ingress-nginx/blob/main/test/e2e-image/Dockerfile#L1)
 * [run-in-docker.sh](https://github.com/kubernetes/ingress-nginx/blob/ff60aa9e2b5377db1544091b98f475a90a630297/build/run-in-docker.sh#L37)
 
 4. Prepare for a new release:
 
-* Change [TAG](https://github.com/kubernetes/ingress-nginx/blob/master/TAG#L1)
+* Change [TAG](https://github.com/kubernetes/ingress-nginx/blob/main/TAG#L1)
 * Open pull request
 * Merge
 * [Wait for cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx)
 
 4a. Promote images:
 
-* Open pull request to promote [staging image](https://github.com/kubernetes/k8s.io/blob/master/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml)
+* Open pull request to promote [staging image](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml)
   * controller
 
 5. Release helm chart:
 
-* Open pull request updating [Chart.yaml](https://github.com/kubernetes/ingress-nginx/blob/master/charts/ingress-nginx/Chart.yaml#L3-L4)
+* Open pull request updating [Chart.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/Chart.yaml#L3-L4)
 * Merge
-* [New helm chart is available](https://github.com/kubernetes/ingress-nginx/blob/master/.github/workflows/main.yaml#L47-L68)
+* [New helm chart is available](https://github.com/kubernetes/ingress-nginx/blob/main/.github/workflows/main.yaml#L47-L68)
 
 6. New release:
 
 * Update static scripts:
-    * [generate-deploy-scripts.sh](https://github.com/kubernetes/ingress-nginx/blob/master/hack/generate-deploy-scripts.sh)
+    * [generate-deploy-scripts.sh](https://github.com/kubernetes/ingress-nginx/blob/main/hack/generate-deploy-scripts.sh)
     * Open pull request with the updates
     * Merge
 
 * Update Changelog and Documentation:
-    * Open pull request updating [Changelog.md](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md)
+    * Open pull request updating [Changelog.md](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md)
     * Update the version in [docs/deploy/index.md](docs/deploy/index.md)
     * Update Supported versions in the Support Versions table in the README.md 
     * Merge
       
-7. Github release
\ No newline at end of file
+7. Github release
diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index d5a2c3ca8..22e66fb85 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -90,9 +90,9 @@ You can add Prometheus annotations to the metrics service using `controller.metr
 
 Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller:
 
-- In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
-- In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
-  You can use `curl --unix-socket /tmp/nginx-status-server.sock http://localhost/nginx_status` inside the controller container to access it locally, or use the snippet from [nginx-ingress changelog](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0230) to re-enable the http server
+- In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
+- In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
+  You can use `curl --unix-socket /tmp/nginx-status-server.sock http://localhost/nginx_status` inside the controller container to access it locally, or use the snippet from [nginx-ingress changelog](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230) to re-enable the http server
 
 ### ExternalDNS Service Configuration
 
@@ -107,7 +107,7 @@ controller:
 
 ### AWS L7 ELB with SSL Termination
 
-Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/master/deploy/aws/l7/service-l7.yaml):
+Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/main/deploy/aws/l7/service-l7.yaml):
 
 ```yaml
 controller:
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index b2aad3224..f2f28ed91 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -1,5 +1,5 @@
 ## nginx configuration
-## Ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/index.md
+## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/index.md
 ##
 
 ## Overrides for generated resource names
@@ -40,7 +40,7 @@ controller:
   ##
   configAnnotations: {}
 
-  # Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers
+  # Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers
   proxySetHeaders: {}
 
   # Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers
@@ -782,7 +782,7 @@ defaultBackend:
 
   priorityClassName: ""
 
-## Enable RBAC as per https://github.com/kubernetes/ingress/tree/master/examples/rbac/nginx and https://github.com/kubernetes/ingress/issues/266
+## Enable RBAC as per https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/rbac.md and https://github.com/kubernetes/ingress-nginx/issues/266
 rbac:
   create: true
   scope: false
@@ -803,18 +803,18 @@ imagePullSecrets: []
 # - name: secretName
 
 # TCP service key:value pairs
-# Ref: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/tcp
+# Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md
 ##
 tcp: {}
 #  8080: "default/example-tcp-svc:9000"
 
 # UDP service key:value pairs
-# Ref: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/udp
+# Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md
 ##
 udp: {}
 #  53: "kube-system/kube-dns:53"
 
 # A base64ed Diffie-Hellman parameter
 # This can be generated with: openssl dhparam 4096 2> /dev/null | base64
-# Ref: https://github.com/krmichel/ingress-nginx/blob/master/docs/examples/customization/ssl-dh-param
+# Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param
 dhParam:
diff --git a/docs/deploy/hardening-guide.md b/docs/deploy/hardening-guide.md
index 5b44686ab..d428bc3aa 100644
--- a/docs/deploy/hardening-guide.md
+++ b/docs/deploy/hardening-guide.md
@@ -54,14 +54,14 @@ This guide refers to chapters in the CIS Benchmark. For full explanation you sho
 | __2.4 Network Configuration__ ||| |
 | 2.4.1 Ensure NGINX only listens for network connections on authorized ports (Not Scored)| OK | Ensured by automatic nginx.conf configuration| |
 | 2.4.2 Ensure requests for unknown host names are rejected (Not Scored)| OK | They are not rejected but send to the "default backend" delivering appropriate errors (mostly 404)| |
-| 2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0 (Scored)| ACTION NEEDED| Default is 75s | configure keep-alive to 10 seconds [according to this documentation](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#keep-alive) |
+| 2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0 (Scored)| ACTION NEEDED| Default is 75s | configure keep-alive to 10 seconds [according to this documentation](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/configmap.md#keep-alive) |
 | 2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0 (Scored)| RISK TO BE ACCEPTED| Not configured, however the nginx default is 60s| Not configurable|
 | ||| |
 | __2.5 Information Disclosure__||| |
 | 2.5.1 Ensure server_tokens directive is set to `off` (Scored) | OK | server_tokens is configured to off by default| |
 | 2.5.2 Ensure default error and index.html pages do not reference NGINX (Scored) | ACTION NEEDED| 404 shows no version at all, 503 and 403 show "nginx", which is hardcoded [see this line in nginx source code](https://github.com/nginx/nginx/blob/master/src/http/ngx_http_special_response.c#L36) | configure custom error pages at least for 403, 404 and 503 and 500|
 | 2.5.3 Ensure hidden file serving is disabled (Not Scored) | ACTION NEEDED | config not set | configure a config.server-snippet Snippet, but beware of .well-known challenges or similar. Refer to the benchmark here please |
-| 2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure (Scored)| ACTION NEEDED| hide not configured| configure hide-headers with array of "X-Powered-By" and "Server": [according to this documentation](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#hide-headers) |
+| 2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure (Scored)| ACTION NEEDED| hide not configured| configure hide-headers with array of "X-Powered-By" and "Server": [according to this documentation](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/configmap.md#hide-headers) |
 | ||| |
 | __3 Logging__ ||| |
 | ||| |
@@ -86,7 +86,7 @@ This guide refers to chapters in the CIS Benchmark. For full explanation you sho
 | 4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled (Scored)| OK | HSTS is enabled by default | |
 | 4.1.9 Ensure HTTP Public Key Pinning is enabled (Not Scored)| ACTION NEEDED / RISK TO BE ACCEPTED | HKPK not enabled by default | If lets encrypt is not used, set correct HPKP header. There are several ways to implement this - with the helm charts it works via controller.add-headers. If lets encrypt is used, this is complicated, a solution here is yet unknown |
 | 4.1.10 Ensure upstream server traffic is authenticated with a client certificate (Scored) | DEPENDS ON BACKEND | Highly dependent on backends, not every backend allows configuring this, can also be mitigated via a service mesh| If backend allows it, [manual is here](https://kubernetes.github.io/ingress-nginx/examples/auth/client-certs/)|
-| 4.1.11 Ensure the upstream traffic server certificate is trusted (Not Scored) | DEPENDS ON BACKEND | Highly dependent on backends, not every backend allows configuring this, can also be mitigated via a service mesh| If backend allows it, [see configuration here](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#backend-certificate-authentication) |
+| 4.1.11 Ensure the upstream traffic server certificate is trusted (Not Scored) | DEPENDS ON BACKEND | Highly dependent on backends, not every backend allows configuring this, can also be mitigated via a service mesh| If backend allows it, [see configuration here](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#backend-certificate-authentication) |
 | 4.1.12 Ensure your domain is preloaded (Not Scored) | ACTION NEEDED| Preload is not active by default | Set controller.config.hsts-preload to true|
 | 4.1.13 Ensure session resumption is disabled to enable perfect forward security (Scored)| OK | Session tickets are disabled by default | |
 | 4.1.14 Ensure HTTP/2.0 is used (Not Scored) | OK | http2 is set by default| |
@@ -98,9 +98,9 @@ This guide refers to chapters in the CIS Benchmark. For full explanation you sho
 | 5.1.2 Ensure only whitelisted HTTP methods are allowed (Not Scored) | OK/ACTION NEEDED | Depends on use case| If required it can be set via config snippet|
 | ||| |
 | __5.2 Request Limits__||| |
-| 5.2.1 Ensure timeout values for reading the client header and body are set correctly (Scored) | ACTION NEEDED| Default timeout is 60s | Set via [this configuration parameter](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#client-header-timeout) and respective body equivalent|
-| 5.2.2 Ensure the maximum request body size is set correctly (Scored)| ACTION NEEDED| Default is 1m| set via [this configuration parameter](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#proxy-body-size)|
-| 5.2.3 Ensure the maximum buffer size for URIs is defined (Scored) | ACTION NEEDED| Default is 4 8k| Set via [this configuration parameter](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#large-client-header-buffers)|
+| 5.2.1 Ensure timeout values for reading the client header and body are set correctly (Scored) | ACTION NEEDED| Default timeout is 60s | Set via [this configuration parameter](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/configmap.md#client-header-timeout) and respective body equivalent|
+| 5.2.2 Ensure the maximum request body size is set correctly (Scored)| ACTION NEEDED| Default is 1m| set via [this configuration parameter](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/configmap.md#proxy-body-size)|
+| 5.2.3 Ensure the maximum buffer size for URIs is defined (Scored) | ACTION NEEDED| Default is 4 8k| Set via [this configuration parameter](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/configmap.md#large-client-header-buffers)|
 | 5.2.4 Ensure the number of connections per IP address is limited (Not Scored) | OK/ACTION NEEDED| No limit set| Depends on use case, limit can be set via [these annotations](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#rate-limiting)|
 | 5.2.5 Ensure rate limits by IP address are set (Not Scored) | OK/ACTION NEEDED| No limit set| Depends on use case, limit can be set via [these annotations](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#rate-limiting)|
 | ||| |
diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index 2c8d46efd..afa9f7e41 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -169,7 +169,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 #### Exoscale
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/exoscale/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/exoscale/deploy.yaml
 ```
 
 The full list of annotations supported by Exoscale is available in the Exoscale Cloud Controller Manager [documentation](https://github.com/exoscale/exoscale-cloud-controller-manager/blob/master/docs/service-loadbalancer.md).
diff --git a/docs/deploy/upgrade.md b/docs/deploy/upgrade.md
index 6d28f11eb..b42a09865 100644
--- a/docs/deploy/upgrade.md
+++ b/docs/deploy/upgrade.md
@@ -50,4 +50,4 @@ helm upgrade --reuse-values ngx-ingress ingress-nginx/ingress-nginx
 
 ### Migrating from stable/nginx-ingress
 
-See detailed steps in the upgrading section of the `ingress-nginx` chart [README](https://github.com/kubernetes/ingress-nginx/blob/master/charts/ingress-nginx/README.md#migrating-from-stablenginx-ingress).
+See detailed steps in the upgrading section of the `ingress-nginx` chart [README](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/README.md#migrating-from-stablenginx-ingress).
diff --git a/docs/developer-guide/code-overview.md b/docs/developer-guide/code-overview.md
index f75f948d7..b5d22e068 100644
--- a/docs/developer-guide/code-overview.md
+++ b/docs/developer-guide/code-overview.md
@@ -27,11 +27,11 @@ The following parts of the code can be found:
 
 Is the `main` package, responsible for starting ingress-nginx program.
 
-It can be found in [cmd/nginx](https://github.com/kubernetes/ingress-nginx/tree/master/cmd/nginx) directory.
+It can be found in [cmd/nginx](https://github.com/kubernetes/ingress-nginx/tree/main/cmd/nginx) directory.
 
 ### Version
 
-Is the package of the code responsible for adding `version` subcommand, and can be found in [version](https://github.com/kubernetes/ingress-nginx/tree/master/version) directory.
+Is the package of the code responsible for adding `version` subcommand, and can be found in [version](https://github.com/kubernetes/ingress-nginx/tree/main/version) directory.
 
 ### Internal code
 
@@ -41,27 +41,27 @@ This part of the code contains the internal logics that compose Ingress NGINX Co
 
 Contains the code of [Kubernetes Admission Controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/) which validates the syntax of ingress objects before accepting it.
 
-This code can be found in [internal/admission/controller](https://github.com/kubernetes/ingress-nginx/tree/master/internal/admission/controller) directory.
+This code can be found in [internal/admission/controller](https://github.com/kubernetes/ingress-nginx/tree/main/internal/admission/controller) directory.
 
 
 #### File functions
 
 Contains auxiliary codes that deal with files, such as generating the SHA1 checksum of a file, or creating required directories.
 
-This code can be found in [internal/file](https://github.com/kubernetes/ingress-nginx/blob/master/internal/file) directory.
+This code can be found in [internal/file](https://github.com/kubernetes/ingress-nginx/blob/main/internal/file) directory.
 
 #### Ingress functions
 
 Contains all the logics from NGINX Ingress Controller, with some examples being:
 
-* Expected Golang structures that will be used in templates and other parts of the codes - [internal/ingress/types.go](https://github.com/kubernetes/ingress-nginx/blob/master/internal/ingress/types.go).
-* supported annotations and its parsing logics - [internal/ingress/annotations](https://github.com/kubernetes/ingress-nginx/tree/master/internal/ingress/annotations).
-* reconciliation loops and logics - [internal/ingress/controller](https://github.com/kubernetes/ingress-nginx/tree/master/internal/ingress/controller)
+* Expected Golang structures that will be used in templates and other parts of the codes - [internal/ingress/types.go](https://github.com/kubernetes/ingress-nginx/blob/main/internal/ingress/types.go).
+* supported annotations and its parsing logics - [internal/ingress/annotations](https://github.com/kubernetes/ingress-nginx/tree/main/internal/ingress/annotations).
+* reconciliation loops and logics - [internal/ingress/controller](https://github.com/kubernetes/ingress-nginx/tree/main/internal/ingress/controller)
 * Defaults - define the default struct.
-* Error interface and types implementation - [internal/ingress/errors](https://github.com/kubernetes/ingress-nginx/tree/master/internal/ingress/errors)
-* Metrics collectors for Prometheus exporting - [internal/ingress/metric](https://github.com/kubernetes/ingress-nginx/tree/master/internal/ingress/metric).
+* Error interface and types implementation - [internal/ingress/errors](https://github.com/kubernetes/ingress-nginx/tree/main/internal/ingress/errors)
+* Metrics collectors for Prometheus exporting - [internal/ingress/metric](https://github.com/kubernetes/ingress-nginx/tree/main/internal/ingress/metric).
 * Resolver - Extracts information from a controller.
-* Ingress Object status publisher - [internal/ingress/status](https://github.com/kubernetes/ingress-nginx/tree/master/internal/ingress/status).
+* Ingress Object status publisher - [internal/ingress/status](https://github.com/kubernetes/ingress-nginx/tree/main/internal/ingress/status).
 
 And other parts of the code that will be written in this document in a future.
 
@@ -69,25 +69,25 @@ And other parts of the code that will be written in this document in a future.
 
 Contains helper functions for parsing Kubernetes objects.
 
-This part of the code can be found in [internal/k8s](https://github.com/kubernetes/ingress-nginx/tree/master/internal/k8s) directory.
+This part of the code can be found in [internal/k8s](https://github.com/kubernetes/ingress-nginx/tree/main/internal/k8s) directory.
 
 #### Networking functions
 
 Contains helper functions for networking, such as IPv4 and IPv6 parsing, SSL certificate parsing, etc.
 
-This part of the code can be found in [internal/net](https://github.com/kubernetes/ingress-nginx/tree/master/internal/net) directory.
+This part of the code can be found in [internal/net](https://github.com/kubernetes/ingress-nginx/tree/main/internal/net) directory.
 
 #### NGINX functions
 
 Contains helper function to deal with NGINX, such as verify if it's running and reading it's configuration file parts.
 
-This part of the code can be found in [internal/nginx](https://github.com/kubernetes/ingress-nginx/tree/master/internal/nginx) directory.
+This part of the code can be found in [internal/nginx](https://github.com/kubernetes/ingress-nginx/tree/main/internal/nginx) directory.
 
 #### Tasks / Queue
 
 Contains the functions responsible for the sync queue part of the controller.
 
-This part of the code can be found in [internal/task](https://github.com/kubernetes/ingress-nginx/tree/master/internal/task) directory.
+This part of the code can be found in [internal/task](https://github.com/kubernetes/ingress-nginx/tree/main/internal/task) directory.
 
 #### Other parts of internal
 
@@ -95,7 +95,7 @@ Other parts of internal code might not be covered here, like runtime and watch b
 
 ## E2E Test
 
-The e2e tests code is in [test](https://github.com/kubernetes/ingress-nginx/tree/master/test) directory.
+The e2e tests code is in [test](https://github.com/kubernetes/ingress-nginx/tree/main/test) directory.
 
 ## Other programs
 
@@ -105,19 +105,19 @@ Describe here `kubectl plugin`, `dbg`, `waitshutdown` and cover the hack scripts
 
 This directory contains the `yaml` deploy files used as examples or references in the docs to deploy Ingress NGINX and other componentes.
 
-Those files are in [deploy](https://github.com/kubernetes/ingress-nginx/tree/master/deploy) directory.
+Those files are in [deploy](https://github.com/kubernetes/ingress-nginx/tree/main/deploy) directory.
 
 ## Helm Chart
 
 Used to generate the Helm chart published.
 
-Code is in [charts/ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/master/charts/ingress-nginx).
+Code is in [charts/ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/main/charts/ingress-nginx).
 
 ## Documentation/Website
 
 The documentation used to generate the website https://kubernetes.github.io/ingress-nginx/
 
-This code is available in [docs](https://github.com/kubernetes/ingress-nginx/tree/master/docs) and it's main "language" is `Markdown`, used by [mkdocs](https://github.com/kubernetes/ingress-nginx/blob/master/mkdocs.yml) file to generate static pages.
+This code is available in [docs](https://github.com/kubernetes/ingress-nginx/tree/main/docs) and it's main "language" is `Markdown`, used by [mkdocs](https://github.com/kubernetes/ingress-nginx/blob/main/mkdocs.yml) file to generate static pages.
 
 ## Container Images
 
@@ -125,9 +125,9 @@ Container images used to run ingress-nginx, or to build the final image.
 
 ### Base Images
 
-Contains the `Dockerfiles` and scripts used to build base images that are used in other parts of the repo. They are present in [images](https://github.com/kubernetes/ingress-nginx/tree/master/images) repo. Some examples:
-* [nginx](https://github.com/kubernetes/ingress-nginx/tree/master/images/nginx) - The base NGINX image ingress-nginx uses is not a vanilla NGINX. It bundles many libraries together and it is a job in itself to maintain that and keep things up-to-date.
-* [custom-error-pages](https://github.com/kubernetes/ingress-nginx/tree/master/images/custom-error-pages) - Used on the custom error page examples.
+Contains the `Dockerfiles` and scripts used to build base images that are used in other parts of the repo. They are present in [images](https://github.com/kubernetes/ingress-nginx/tree/main/images) repo. Some examples:
+* [nginx](https://github.com/kubernetes/ingress-nginx/tree/main/images/nginx) - The base NGINX image ingress-nginx uses is not a vanilla NGINX. It bundles many libraries together and it is a job in itself to maintain that and keep things up-to-date.
+* [custom-error-pages](https://github.com/kubernetes/ingress-nginx/tree/main/images/custom-error-pages) - Used on the custom error page examples.
 
 There are other images inside this directory.
 
@@ -137,20 +137,20 @@ The image used to build the final ingress controller, used in deploy scripts and
 
 This is NGINX with some Lua enhancement. We do dynamic certificate, endpoints handling, canary traffic split, custom load balancing etc at this component. One can also add new functionalities using Lua plugin system.
 
-The files are in [rootfs](https://github.com/kubernetes/ingress-nginx/tree/master/rootfs) directory and contains:
+The files are in [rootfs](https://github.com/kubernetes/ingress-nginx/tree/main/rootfs) directory and contains:
 
 * The Dockerfile
-* [Auxiliary scripts](https://github.com/kubernetes/ingress-nginx/tree/master/rootfs/ingress-controller)
+* [Auxiliary scripts](https://github.com/kubernetes/ingress-nginx/tree/main/rootfs/ingress-controller)
 
 #### Ingress NGINX Lua Scripts
 
 Ingress NGINX uses Lua Scripts to enable features like hot reloading, rate limiting and monitoring. Some are written using the [OpenResty](https://openresty.org/en/) helper.
 
-The directory containing Lua scripts is [rootfs/etc/nginx/lua](https://github.com/kubernetes/ingress-nginx/tree/master/rootfs/etc/nginx/lua).
+The directory containing Lua scripts is [rootfs/etc/nginx/lua](https://github.com/kubernetes/ingress-nginx/tree/main/rootfs/etc/nginx/lua).
 
 #### Nginx Go template file
 
 One of the functions of Ingress NGINX is to turn [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) objects into nginx.conf file. 
 
-To do so, the final step is to apply those configurations in [nginx.tmpl](https://github.com/kubernetes/ingress-nginx/tree/master/rootfs/etc/nginx/template) turning it into a final nginx.conf file.
+To do so, the final step is to apply those configurations in [nginx.tmpl](https://github.com/kubernetes/ingress-nginx/tree/main/rootfs/etc/nginx/template) turning it into a final nginx.conf file.
 
diff --git a/docs/developer-guide/getting-started.md b/docs/developer-guide/getting-started.md
index 2e0c5b26c..f6a9fdbe0 100644
--- a/docs/developer-guide/getting-started.md
+++ b/docs/developer-guide/getting-started.md
@@ -66,7 +66,7 @@ FOCUS="no-auth-locations" make kind-e2e-test
 !!! note
     The variable `FOCUS` defines Ginkgo [Focused Specs](https://onsi.github.io/ginkgo/#focused-specs)
 
-Valid values are defined in the describe definition of the e2e tests like [Default Backend](https://github.com/kubernetes/ingress-nginx/blob/master/test/e2e/defaultbackend/default_backend.go#L29)
+Valid values are defined in the describe definition of the e2e tests like [Default Backend](https://github.com/kubernetes/ingress-nginx/blob/main/test/e2e/defaultbackend/default_backend.go#L29)
 
 The complete list of tests can be found [here](e2e-tests.md)
 
diff --git a/docs/e2e-tests.md b/docs/e2e-tests.md
index 0a92e8ad1..552a11f1e 100644
--- a/docs/e2e-tests.md
+++ b/docs/e2e-tests.md
@@ -1,574 +1,574 @@
 
 
-# e2e test suite for [NGINX Ingress Controller](https://github.com/kubernetes/ingress-nginx/tree/master/)
-
-
-
-### [[Default Backend] change default settings](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/defaultbackend/with_hosts.go#L31)
-
-- [should apply the annotation to the default backend](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/defaultbackend/with_hosts.go#L39)
-
-### [[Default Backend]](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/defaultbackend/default_backend.go#L29)
-
-- [should return 404 sending requests when only a default backend is running](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/defaultbackend/default_backend.go#L32)
-- [enables access logging for default backend](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/defaultbackend/default_backend.go#L89)
-- [disables access logging for default backend](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/defaultbackend/default_backend.go#L106)
-
-### [[Default Backend] custom service](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/defaultbackend/custom_default_backend.go#L33)
-
-- [uses custom default backend that returns 200 as status code](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/defaultbackend/custom_default_backend.go#L36)
-
-### [[Default Backend] SSL](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/defaultbackend/ssl.go#L26)
-
-- [should return a self generated SSL certificate](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/defaultbackend/ssl.go#L29)
+# e2e test suite for [NGINX Ingress Controller](https://github.com/kubernetes/ingress-nginx/tree/main/)
+
+
+
+### [[Default Backend] change default settings](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/with_hosts.go#L31)
+
+- [should apply the annotation to the default backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/with_hosts.go#L39)
+
+### [[Default Backend]](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/default_backend.go#L29)
+
+- [should return 404 sending requests when only a default backend is running](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/default_backend.go#L32)
+- [enables access logging for default backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/default_backend.go#L89)
+- [disables access logging for default backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/default_backend.go#L106)
+
+### [[Default Backend] custom service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/custom_default_backend.go#L33)
+
+- [uses custom default backend that returns 200 as status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/custom_default_backend.go#L36)
+
+### [[Default Backend] SSL](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/ssl.go#L26)
+
+- [should return a self generated SSL certificate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/ssl.go#L29)
 
-### [[TCP] tcp-services](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/tcpudp/tcp.go#L37)
+### [[TCP] tcp-services](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L37)
 
-- [should expose a TCP service](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/tcpudp/tcp.go#L40)
-- [should expose an ExternalName TCP service](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/tcpudp/tcp.go#L98)
+- [should expose a TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L40)
+- [should expose an ExternalName TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L98)
 
-### [auth-*](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L39)
+### [auth-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L39)
 
-- [should return status code 200 when no authentication is configured](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L46)
-- [should return status code 503 when authentication is configured with an invalid secret](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L65)
-- [should return status code 401 when authentication is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L89)
-- [should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L116)
-- [should return status code 200 when authentication is configured and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L144)
-- [should return status code 200 when authentication is configured with a map and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L171)
-- [should return status code 401 when authentication is configured with invalid content and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L199)
-- [proxy_set_header My-Custom-Header 42;](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L238)
-- [proxy_set_header My-Custom-Header 42;](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L256)
-- [proxy_set_header 'My-Custom-Header' '42';](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L273)
-- [](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L294)
-- [retains cookie set by external authentication server](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L316)
-- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L413)
-- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L422)
-- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L433)
-- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L490)
-- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L499)
-- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L510)
-- [should return status code 200 when signed in after auth backend is deleted ](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L584)
-- [should deny login for different location on same server](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L604)
-- [should deny login for different servers](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L632)
-- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/auth.go#L661)
+- [should return status code 200 when no authentication is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L46)
+- [should return status code 503 when authentication is configured with an invalid secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L65)
+- [should return status code 401 when authentication is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L89)
+- [should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L116)
+- [should return status code 200 when authentication is configured and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L144)
+- [should return status code 200 when authentication is configured with a map and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L171)
+- [should return status code 401 when authentication is configured with invalid content and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L199)
+- [proxy_set_header My-Custom-Header 42;](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L238)
+- [proxy_set_header My-Custom-Header 42;](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L256)
+- [proxy_set_header 'My-Custom-Header' '42';](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L273)
+- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L294)
+- [retains cookie set by external authentication server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L316)
+- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L413)
+- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L422)
+- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L433)
+- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L490)
+- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L499)
+- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L510)
+- [should return status code 200 when signed in after auth backend is deleted ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L584)
+- [should deny login for different location on same server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L604)
+- [should deny login for different servers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L632)
+- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L661)
 
-### [affinitymode](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/affinitymode.go#L31)
+### [affinitymode](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinitymode.go#L31)
 
-- [Balanced affinity mode should balance](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/affinitymode.go#L34)
-- [Check persistent affinity mode](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/affinitymode.go#L64)
-
-### [proxy-*](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/proxy.go#L28)
+- [Balanced affinity mode should balance](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinitymode.go#L34)
+- [Check persistent affinity mode](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinitymode.go#L64)
+
+### [proxy-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L28)
 
-- [should set proxy_redirect to off](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/proxy.go#L36)
-- [should set proxy_redirect to default](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/proxy.go#L52)
-- [should set proxy_redirect to hello.com goodbye.com](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/proxy.go#L68)
-- [should set proxy client-max-body-size to 8m](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/proxy.go#L85)
-- [should not set proxy client-max-body-size to incorrect value](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/proxy.go#L100)
-- [should set valid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/proxy.go#L115)
-- [should not set invalid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/proxy.go#L136)
-- [should turn on proxy-buffering](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/proxy.go#L157)
-- [should turn off proxy-request-buffering](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/proxy.go#L179)
-- [should build proxy next upstream](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/proxy.go#L194)
-- [should setup proxy cookies](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/proxy.go#L215)
-- [should change the default proxy HTTP version](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/proxy.go#L233)
+- [should set proxy_redirect to off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L36)
+- [should set proxy_redirect to default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L52)
+- [should set proxy_redirect to hello.com goodbye.com](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L68)
+- [should set proxy client-max-body-size to 8m](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L85)
+- [should not set proxy client-max-body-size to incorrect value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L100)
+- [should set valid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L115)
+- [should not set invalid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L136)
+- [should turn on proxy-buffering](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L157)
+- [should turn off proxy-request-buffering](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L179)
+- [should build proxy next upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L194)
+- [should setup proxy cookies](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L215)
+- [should change the default proxy HTTP version](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L233)
 
-### [affinity session-cookie-name](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/affinity.go#L35)
+### [affinity session-cookie-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L35)
 
-- [should set sticky cookie SERVERID](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/affinity.go#L42)
-- [should change cookie name on ingress definition change](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/affinity.go#L64)
-- [should set the path to /something on the generated cookie](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/affinity.go#L99)
-- [does not set the path to / on the generated cookie if there's more than one rule referring to the same backend](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/affinity.go#L121)
-- [should set cookie with expires](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/affinity.go#L182)
-- [should work with use-regex annotation and session-cookie-path](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/affinity.go#L213)
-- [should warn user when use-regex is true and session-cookie-path is not set](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/affinity.go#L237)
-- [should not set affinity across all server locations when using separate ingresses](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/affinity.go#L263)
-- [should set sticky cookie without host](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/affinity.go#L295)
-- [should work with server-alias annotation](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/affinity.go#L315)
+- [should set sticky cookie SERVERID](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L42)
+- [should change cookie name on ingress definition change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L64)
+- [should set the path to /something on the generated cookie](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L99)
+- [does not set the path to / on the generated cookie if there's more than one rule referring to the same backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L121)
+- [should set cookie with expires](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L182)
+- [should work with use-regex annotation and session-cookie-path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L213)
+- [should warn user when use-regex is true and session-cookie-path is not set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L237)
+- [should not set affinity across all server locations when using separate ingresses](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L263)
+- [should set sticky cookie without host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L295)
+- [should work with server-alias annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L315)
 
-### [mirror-*](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/mirror.go#L28)
+### [mirror-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L28)
 
-- [should set mirror-target to http://localhost/mirror](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/mirror.go#L36)
-- [should set mirror-target to https://test.env.com/$request_uri](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/mirror.go#L51)
-- [should disable mirror-request-body](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/mirror.go#L67)
+- [should set mirror-target to http://localhost/mirror](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L36)
+- [should set mirror-target to https://test.env.com/$request_uri](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L51)
+- [should disable mirror-request-body](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L67)
 
-### [canary-*](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/canary.go#L35)
+### [canary-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L35)
 
-- [should response with a 200 status from the mainline upstream when requests are made to the mainline ingress](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/canary.go#L47)
-- [should return 404 status for requests to the canary if no matching ingress is found](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/canary.go#L79)
-- [should return the correct status codes when endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/canary.go#L106)
-- [should route requests to the correct upstream if mainline ingress is created before the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/canary.go#L160)
-- [should route requests to the correct upstream if mainline ingress is created after the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/canary.go#L205)
-- [should route requests to the correct upstream if the mainline ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/canary.go#L249)
-- [should route requests to the correct upstream if the canary ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/canary.go#L306)
-- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/canary.go#L361)
-- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/canary.go#L415)
-- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/canary.go#L479)
-- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/canary.go#L521)
-- [should routes to mainline upstream when the given Regex causes error](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/canary.go#L555)
-- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/canary.go#L593)
-- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/canary.go#L632)
-- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/canary.go#L687)
-- [should not use canary as a catch-all server](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/canary.go#L743)
-- [should not use canary with domain as a server](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/canary.go#L771)
-- [does not crash when canary ingress has multiple paths to the same non-matching backend](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/canary.go#L795)
+- [should response with a 200 status from the mainline upstream when requests are made to the mainline ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L47)
+- [should return 404 status for requests to the canary if no matching ingress is found](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L79)
+- [should return the correct status codes when endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L106)
+- [should route requests to the correct upstream if mainline ingress is created before the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L160)
+- [should route requests to the correct upstream if mainline ingress is created after the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L205)
+- [should route requests to the correct upstream if the mainline ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L249)
+- [should route requests to the correct upstream if the canary ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L306)
+- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L361)
+- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L415)
+- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L479)
+- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L521)
+- [should routes to mainline upstream when the given Regex causes error](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L555)
+- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L593)
+- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L632)
+- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L687)
+- [should not use canary as a catch-all server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L743)
+- [should not use canary with domain as a server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L771)
+- [does not crash when canary ingress has multiple paths to the same non-matching backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L795)
 
-### [limit-rate](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/limitrate.go#L29)
+### [limit-rate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/limitrate.go#L29)
 
-- [Check limit-rate annotation](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/limitrate.go#L37)
+- [Check limit-rate annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/limitrate.go#L37)
 
-### [force-ssl-redirect](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/forcesslredirect.go#L27)
+### [force-ssl-redirect](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/forcesslredirect.go#L27)
 
-- [should redirect to https](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/forcesslredirect.go#L34)
+- [should redirect to https](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/forcesslredirect.go#L34)
 
-### [http2-push-preload](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/http2pushpreload.go#L27)
+### [http2-push-preload](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/http2pushpreload.go#L27)
 
-- [enable the http2-push-preload directive](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/http2pushpreload.go#L34)
+- [enable the http2-push-preload directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/http2pushpreload.go#L34)
 
-### [proxy-ssl-*](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/proxyssl.go#L30)
+### [proxy-ssl-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L30)
 
-- [should set valid proxy-ssl-secret](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/proxyssl.go#L37)
-- [should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/proxyssl.go#L64)
-- [should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/proxyssl.go#L94)
-- [should set valid proxy-ssl-secret, proxy-ssl-protocols](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/proxyssl.go#L122)
-- [proxy-ssl-location-only flag should change the nginx config server part](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/proxyssl.go#L150)
+- [should set valid proxy-ssl-secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L37)
+- [should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L64)
+- [should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L94)
+- [should set valid proxy-ssl-secret, proxy-ssl-protocols](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L122)
+- [proxy-ssl-location-only flag should change the nginx config server part](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L150)
 
-### [modsecurity owasp](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/modsecurity.go#L27)
+### [modsecurity owasp](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity.go#L27)
 
-- [should enable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/modsecurity.go#L34)
-- [should enable modsecurity with transaction ID and OWASP rules](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/modsecurity.go#L52)
-- [should disable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/modsecurity.go#L73)
-- [should enable modsecurity with snippet](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/modsecurity.go#L90)
-- [should enable modsecurity without using 'modsecurity on;'](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/modsecurity.go#L109)
-- [should disable modsecurity using 'modsecurity off;'](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/modsecurity.go#L131)
-- [should enable modsecurity with snippet and block requests](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/modsecurity.go#L152)
-- [should enable modsecurity globally and with modsecurity-snippet block requests](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/modsecurity.go#L186)
+- [should enable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity.go#L34)
+- [should enable modsecurity with transaction ID and OWASP rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity.go#L52)
+- [should disable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity.go#L73)
+- [should enable modsecurity with snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity.go#L90)
+- [should enable modsecurity without using 'modsecurity on;'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity.go#L109)
+- [should disable modsecurity using 'modsecurity off;'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity.go#L131)
+- [should enable modsecurity with snippet and block requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity.go#L152)
+- [should enable modsecurity globally and with modsecurity-snippet block requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity.go#L186)
 
-### [backend-protocol - GRPC](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/grpc.go#L38)
+### [backend-protocol - GRPC](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L38)
 
-- [should use grpc_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/grpc.go#L41)
-- [should return OK for service with backend protocol GRPC](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/grpc.go#L66)
-- [should return OK for service with backend protocol GRPCS](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/grpc.go#L124)
+- [should use grpc_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L41)
+- [should return OK for service with backend protocol GRPC](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L66)
+- [should return OK for service with backend protocol GRPCS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L124)
 
-### [cors-*](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/cors.go#L28)
+### [cors-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L28)
 
-- [should enable cors](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/cors.go#L35)
-- [should set cors methods to only allow POST, GET](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/cors.go#L60)
-- [should set cors max-age](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/cors.go#L76)
-- [should disable cors allow credentials](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/cors.go#L92)
-- [should allow origin for cors](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/cors.go#L108)
-- [should allow headers for cors](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/cors.go#L124)
-- [should expose headers for cors](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/cors.go#L140)
+- [should enable cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L35)
+- [should set cors methods to only allow POST, GET](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L60)
+- [should set cors max-age](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L76)
+- [should disable cors allow credentials](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L92)
+- [should allow origin for cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L108)
+- [should allow headers for cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L124)
+- [should expose headers for cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L140)
 
-### [influxdb-*](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/influxdb.go#L39)
+### [influxdb-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/influxdb.go#L39)
 
-- [should send the request metric to the influxdb server](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/influxdb.go#L48)
+- [should send the request metric to the influxdb server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/influxdb.go#L48)
 
-### [Annotation - limit-connections](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/limitconnections.go#L31)
+### [Annotation - limit-connections](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/limitconnections.go#L31)
 
-- [should limit-connections](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/limitconnections.go#L38)
+- [should limit-connections](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/limitconnections.go#L38)
 
-### [client-body-buffer-size](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/clientbodybuffersize.go#L28)
+### [client-body-buffer-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L28)
 
-- [should set client_body_buffer_size to 1000](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/clientbodybuffersize.go#L35)
-- [should set client_body_buffer_size to 1K](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/clientbodybuffersize.go#L51)
-- [should set client_body_buffer_size to 1k](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/clientbodybuffersize.go#L67)
-- [should set client_body_buffer_size to 1m](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/clientbodybuffersize.go#L83)
-- [should set client_body_buffer_size to 1M](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/clientbodybuffersize.go#L99)
-- [should not set client_body_buffer_size to invalid 1b](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/clientbodybuffersize.go#L115)
+- [should set client_body_buffer_size to 1000](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L35)
+- [should set client_body_buffer_size to 1K](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L51)
+- [should set client_body_buffer_size to 1k](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L67)
+- [should set client_body_buffer_size to 1m](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L83)
+- [should set client_body_buffer_size to 1M](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L99)
+- [should not set client_body_buffer_size to invalid 1b](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L115)
 
-### [default-backend](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/default_backend.go#L29)
+### [default-backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/default_backend.go#L29)
 
-- [should use a custom default backend as upstream](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/default_backend.go#L37)
+- [should use a custom default backend as upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/default_backend.go#L37)
 
-### [connection-proxy-header](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/connection.go#L29)
+### [connection-proxy-header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/connection.go#L29)
 
-- [set connection header to keep-alive](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/connection.go#L36)
+- [set connection header to keep-alive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/connection.go#L36)
 
-### [upstream-vhost](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/upstreamvhost.go#L27)
+### [upstream-vhost](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamvhost.go#L27)
 
-- [set host to upstreamvhost.bar.com](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/upstreamvhost.go#L34)
+- [set host to upstreamvhost.bar.com](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamvhost.go#L34)
 
-### [custom-http-errors](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/customhttperrors.go#L34)
+### [custom-http-errors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/customhttperrors.go#L34)
 
-- [configures Nginx correctly](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/customhttperrors.go#L41)
+- [configures Nginx correctly](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/customhttperrors.go#L41)
 
-### [disable-access-log disable-http-access-log disable-stream-access-log](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/disableaccesslog.go#L27)
+### [disable-access-log disable-http-access-log disable-stream-access-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L27)
 
-- [disable-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/disableaccesslog.go#L34)
-- [disable-http-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/disableaccesslog.go#L46)
+- [disable-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L34)
+- [disable-http-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L46)
 
-### [server-snippet](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/serversnippet.go#L27)
+### [server-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serversnippet.go#L27)
 
-- [](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/serversnippet.go#L34)
+- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serversnippet.go#L34)
 
-### [rewrite-target use-regex enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/rewrite.go#L30)
+### [rewrite-target use-regex enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L30)
 
-- [should write rewrite logs](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/rewrite.go#L37)
-- [should use correct longest path match](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/rewrite.go#L66)
-- [should use ~* location modifier if regex annotation is present](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/rewrite.go#L111)
-- [should fail to use longest match for documented warning](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/rewrite.go#L158)
-- [should allow for custom rewrite parameters](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/rewrite.go#L190)
+- [should write rewrite logs](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L37)
+- [should use correct longest path match](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L66)
+- [should use ~* location modifier if regex annotation is present](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L111)
+- [should fail to use longest match for documented warning](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L158)
+- [should allow for custom rewrite parameters](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L190)
 
-### [app-root](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/approot.go#L28)
+### [app-root](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/approot.go#L28)
 
-- [should redirect to /foo](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/approot.go#L35)
+- [should redirect to /foo](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/approot.go#L35)
 
-### [whitelist-source-range](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/ipwhitelist.go#L26)
+### [whitelist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipwhitelist.go#L26)
 
-- [should set valid ip whitelist range](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/ipwhitelist.go#L33)
+- [should set valid ip whitelist range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipwhitelist.go#L33)
 
-### [enable-access-log enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/log.go#L27)
+### [enable-access-log enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/log.go#L27)
 
-- [set access_log off](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/log.go#L34)
-- [set rewrite_log on](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/log.go#L49)
+- [set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/log.go#L34)
+- [set rewrite_log on](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/log.go#L49)
 
-### [x-forwarded-prefix](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/xforwardedprefix.go#L28)
+### [x-forwarded-prefix](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L28)
 
-- [should set the X-Forwarded-Prefix to the annotation value](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/xforwardedprefix.go#L35)
-- [should not add X-Forwarded-Prefix if the annotation value is empty](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/xforwardedprefix.go#L57)
+- [should set the X-Forwarded-Prefix to the annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L35)
+- [should not add X-Forwarded-Prefix if the annotation value is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L57)
 
-### [configuration-snippet](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/snippet.go#L27)
+### [configuration-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/snippet.go#L27)
 
-- [ in all locations](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/snippet.go#L34)
+- [ in all locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/snippet.go#L34)
 
-### [backend-protocol - FastCGI](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/fastcgi.go#L31)
+### [backend-protocol - FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L31)
 
-- [should use fastcgi_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/fastcgi.go#L38)
-- [should add fastcgi_index in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/fastcgi.go#L55)
-- [should add fastcgi_param in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/fastcgi.go#L72)
-- [should return OK for service with backend protocol FastCGI](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/fastcgi.go#L105)
+- [should use fastcgi_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L38)
+- [should add fastcgi_index in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L55)
+- [should add fastcgi_param in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L72)
+- [should return OK for service with backend protocol FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L105)
 
-### [from-to-www-redirect](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/fromtowwwredirect.go#L31)
+### [from-to-www-redirect](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fromtowwwredirect.go#L31)
 
-- [should redirect from www HTTP to HTTP](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/fromtowwwredirect.go#L38)
-- [should redirect from www HTTPS to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/fromtowwwredirect.go#L64)
+- [should redirect from www HTTP to HTTP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fromtowwwredirect.go#L38)
+- [should redirect from www HTTPS to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fromtowwwredirect.go#L64)
 
-### [permanent-redirect permanent-redirect-code](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/redirect.go#L30)
+### [permanent-redirect permanent-redirect-code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/redirect.go#L30)
 
-- [should respond with a standard redirect code](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/redirect.go#L33)
-- [should respond with a custom redirect code](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/redirect.go#L61)
+- [should respond with a standard redirect code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/redirect.go#L33)
+- [should respond with a custom redirect code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/redirect.go#L61)
 
-### [upstream-hash-by-*](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/upstreamhashby.go#L76)
+### [upstream-hash-by-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamhashby.go#L76)
 
-- [should connect to the same pod](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/upstreamhashby.go#L83)
-- [should connect to the same subset of pods](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/upstreamhashby.go#L92)
+- [should connect to the same pod](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamhashby.go#L83)
+- [should connect to the same subset of pods](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamhashby.go#L92)
 
-### [annotation-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/globalratelimit.go#L30)
+### [annotation-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/globalratelimit.go#L30)
 
-- [generates correct configuration](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/globalratelimit.go#L38)
+- [generates correct configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/globalratelimit.go#L38)
 
-### [backend-protocol](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/backendprotocol.go#L27)
+### [backend-protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L27)
 
-- [should set backend protocol to https:// and use proxy_pass](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/backendprotocol.go#L34)
-- [should set backend protocol to grpc:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/backendprotocol.go#L49)
-- [should set backend protocol to grpcs:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/backendprotocol.go#L64)
-- [should set backend protocol to '' and use fastcgi_pass](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/backendprotocol.go#L79)
-- [should set backend protocol to '' and use ajp_pass](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/backendprotocol.go#L94)
+- [should set backend protocol to https:// and use proxy_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L34)
+- [should set backend protocol to grpc:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L49)
+- [should set backend protocol to grpcs:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L64)
+- [should set backend protocol to '' and use fastcgi_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L79)
+- [should set backend protocol to '' and use ajp_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L94)
 
-### [satisfy](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/satisfy.go#L35)
+### [satisfy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L35)
 
-- [should configure satisfy directive correctly](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/satisfy.go#L42)
-- [should allow multiple auth with satisfy any](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/satisfy.go#L84)
+- [should configure satisfy directive correctly](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L42)
+- [should allow multiple auth with satisfy any](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L84)
 
-### [server-alias](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/alias.go#L29)
+### [server-alias](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/alias.go#L29)
 
-- [should return status code 200 for host 'foo' and 404 for 'bar'](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/alias.go#L36)
-- [should return status code 200 for host 'foo' and 'bar'](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/alias.go#L62)
-- [should return status code 200 for hosts defined in two ingresses, different path with one alias](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/alias.go#L87)
+- [should return status code 200 for host 'foo' and 404 for 'bar'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/alias.go#L36)
+- [should return status code 200 for host 'foo' and 'bar'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/alias.go#L62)
+- [should return status code 200 for hosts defined in two ingresses, different path with one alias](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/alias.go#L87)
 
-### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/sslciphers.go#L27)
+### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/sslciphers.go#L27)
 
-- [should change ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/sslciphers.go#L34)
+- [should change ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/sslciphers.go#L34)
 
-### [auth-tls-*](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/authtls.go#L30)
+### [auth-tls-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L30)
 
-- [should set valid auth-tls-secret](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/authtls.go#L37)
-- [should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/authtls.go#L73)
-- [should set valid auth-tls-secret, pass certificate to upstream, and error page](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/authtls.go#L103)
-- [should validate auth-tls-verify-client](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/annotations/authtls.go#L153)
+- [should set valid auth-tls-secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L37)
+- [should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L73)
+- [should set valid auth-tls-secret, pass certificate to upstream, and error page](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L103)
+- [should validate auth-tls-verify-client](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L153)
 
-### [[Status] status update](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/status/update.go#L38)
+### [[Status] status update](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/status/update.go#L38)
 
-- [should update status field after client-go reconnection](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/status/update.go#L43)
+- [should update status field after client-go reconnection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/status/update.go#L43)
 
-### [Debug CLI](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/dbg/main.go#L29)
+### [Debug CLI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L29)
 
-- [should list the backend servers](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/dbg/main.go#L37)
-- [should get information for a specific backend server](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/dbg/main.go#L56)
-- [should produce valid JSON for /dbg general](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/dbg/main.go#L85)
+- [should list the backend servers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L37)
+- [should get information for a specific backend server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L56)
+- [should produce valid JSON for /dbg general](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L85)
 
-### [[Memory Leak] Dynamic Certificates](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/leaks/lua_ssl.go#L35)
+### [[Memory Leak] Dynamic Certificates](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/leaks/lua_ssl.go#L35)
 
-- [should not leak memory from ingress SSL certificates or configuration updates](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/leaks/lua_ssl.go#L42)
+- [should not leak memory from ingress SSL certificates or configuration updates](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/leaks/lua_ssl.go#L42)
 
-### [[Ingress] [PathType] mix Exact and Prefix paths](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/ingress/pathtype_mixed.go#L30)
+### [[Ingress] [PathType] mix Exact and Prefix paths](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_mixed.go#L30)
 
-- [should choose the correct location](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/ingress/pathtype_mixed.go#L39)
+- [should choose the correct location](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_mixed.go#L39)
 
-### [[Ingress] definition without host](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/ingress/without_host.go#L32)
+### [[Ingress] definition without host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/without_host.go#L32)
 
-- [should set ingress details variables for ingresses without a host](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/ingress/without_host.go#L35)
-- [should set ingress details variables for ingresses with host without IngressRuleValue, only Backend](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/ingress/without_host.go#L56)
+- [should set ingress details variables for ingresses without a host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/without_host.go#L35)
+- [should set ingress details variables for ingresses with host without IngressRuleValue, only Backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/without_host.go#L56)
 
-### [single ingress - multiple hosts](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/ingress/multiple_rules.go#L31)
+### [single ingress - multiple hosts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/multiple_rules.go#L31)
 
-- [should set the correct $service_name NGINX variable](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/ingress/multiple_rules.go#L39)
+- [should set the correct $service_name NGINX variable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/multiple_rules.go#L39)
 
-### [[Ingress] [PathType] exact](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/ingress/pathtype_exact.go#L30)
+### [[Ingress] [PathType] exact](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_exact.go#L30)
 
-- [should choose exact location for /exact](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/ingress/pathtype_exact.go#L37)
+- [should choose exact location for /exact](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_exact.go#L37)
 
-### [[Ingress] [PathType] prefix checks](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/ingress/pathtype_prefix.go#L28)
+### [[Ingress] [PathType] prefix checks](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_prefix.go#L28)
 
-- [should return 404 when prefix /aaa does not match request /aaaccc](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/ingress/pathtype_prefix.go#L35)
+- [should return 404 when prefix /aaa does not match request /aaaccc](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_prefix.go#L35)
 
-### [[Security] request smuggling](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/security/request_smuggling.go#L32)
+### [[Security] request smuggling](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/request_smuggling.go#L32)
 
-- [should not return body content from error_page](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/security/request_smuggling.go#L39)
+- [should not return body content from error_page](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/request_smuggling.go#L39)
 
-### [[SSL] [Flag] default-ssl-certificate](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/default_ssl_certificate.go#L33)
+### [[SSL] [Flag] default-ssl-certificate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L33)
 
-- [uses default ssl certificate for catch-all ingress](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/default_ssl_certificate.go#L64)
-- [uses default ssl certificate for host based ingress when configured certificate does not match host](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/default_ssl_certificate.go#L80)
+- [uses default ssl certificate for catch-all ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L64)
+- [uses default ssl certificate for host based ingress when configured certificate does not match host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L80)
 
-### [enable-real-ip](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/enable_real_ip.go#L30)
+### [enable-real-ip](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L30)
 
-- [trusts X-Forwarded-For header only when setting is true](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/enable_real_ip.go#L40)
-- [should not trust X-Forwarded-For header when setting is false](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/enable_real_ip.go#L78)
+- [trusts X-Forwarded-For header only when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L40)
+- [should not trust X-Forwarded-For header when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L78)
 
-### [access-log](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/access_log.go#L26)
+### [access-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L26)
 
-- [use the default configuration](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/access_log.go#L31)
-- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/access_log.go#L39)
-- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/access_log.go#L51)
-- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/access_log.go#L63)
-- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/access_log.go#L75)
+- [use the default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L31)
+- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L39)
+- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L51)
+- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L63)
+- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L75)
 
-### [[Lua] lua-shared-dicts](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/lua_shared_dicts.go#L26)
+### [[Lua] lua-shared-dicts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/lua_shared_dicts.go#L26)
 
-- [configures lua shared dicts](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/lua_shared_dicts.go#L29)
+- [configures lua shared dicts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/lua_shared_dicts.go#L29)
 
-### [server-tokens](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/server_tokens.go#L30)
+### [server-tokens](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L30)
 
-- [should not exists Server header in the response](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/server_tokens.go#L38)
-- [should exists Server header in the response when is enabled](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/server_tokens.go#L50)
+- [should not exists Server header in the response](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L38)
+- [should exists Server header in the response when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L50)
 
-### [use-proxy-protocol](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/proxy_protocol.go#L36)
+### [use-proxy-protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L36)
 
-- [should respect port passed by the PROXY Protocol](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/proxy_protocol.go#L46)
-- [should respect proto passed by the PROXY Protocol server port](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/proxy_protocol.go#L79)
-- [should enable PROXY Protocol for HTTPS](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/proxy_protocol.go#L112)
-- [should enable PROXY Protocol for TCP](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/proxy_protocol.go#L155)
+- [should respect port passed by the PROXY Protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L46)
+- [should respect proto passed by the PROXY Protocol server port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L79)
+- [should enable PROXY Protocol for HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L112)
+- [should enable PROXY Protocol for TCP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L155)
 
-### [[Flag] custom HTTP and HTTPS ports](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/listen_nondefault_ports.go#L32)
+### [[Flag] custom HTTP and HTTPS ports](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L32)
 
-- [should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/listen_nondefault_ports.go#L48)
-- [should set X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/listen_nondefault_ports.go#L70)
-- [should set the X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/listen_nondefault_ports.go#L100)
+- [should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L48)
+- [should set X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L70)
+- [should set the X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L100)
 
-### [[Security] no-auth-locations](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/no_auth_locations.go#L34)
+### [[Security] no-auth-locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L34)
 
-- [should return status code 401 when accessing '/' unauthentication](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/no_auth_locations.go#L55)
-- [should return status code 200 when accessing '/' authentication](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/no_auth_locations.go#L69)
-- [should return status code 200 when accessing '/noauth' unauthenticated](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/no_auth_locations.go#L83)
+- [should return status code 401 when accessing '/' unauthentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L55)
+- [should return status code 200 when accessing '/' authentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L69)
+- [should return status code 200 when accessing '/noauth' unauthenticated](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L83)
 
-### [Dynamic $proxy_host](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/proxy_host.go#L28)
+### [Dynamic $proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L28)
 
-- [should exist a proxy_host](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/proxy_host.go#L36)
-- [should exist a proxy_host using the upstream-vhost annotation value](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/proxy_host.go#L57)
+- [should exist a proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L36)
+- [should exist a proxy_host using the upstream-vhost annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L57)
 
-### [proxy-connect-timeout](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/proxy_connect_timeout.go#L28)
+### [proxy-connect-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L28)
 
-- [should set valid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/proxy_connect_timeout.go#L36)
-- [should not set invalid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/proxy_connect_timeout.go#L52)
+- [should set valid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L36)
+- [should not set invalid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L52)
 
-### [[Security] Pod Security Policies](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/pod_security_policy.go#L40)
+### [[Security] Pod Security Policies](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy.go#L40)
 
-- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/pod_security_policy.go#L43)
+- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy.go#L43)
 
-### [Geoip2](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/geoip2.go#L29)
+### [Geoip2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/geoip2.go#L29)
 
-- [should only allow requests from specific countries](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/geoip2.go#L38)
+- [should only allow requests from specific countries](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/geoip2.go#L38)
 
-### [[Security] Pod Security Policies with volumes](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/pod_security_policy_volumes.go#L36)
+### [[Security] Pod Security Policies with volumes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy_volumes.go#L36)
 
-- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/pod_security_policy_volumes.go#L39)
+- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy_volumes.go#L39)
 
-### [enable-multi-accept](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/multi_accept.go#L27)
+### [enable-multi-accept](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L27)
 
-- [should be enabled by default](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/multi_accept.go#L31)
-- [should be enabled when set to true](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/multi_accept.go#L39)
-- [should be disabled when set to false](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/multi_accept.go#L49)
+- [should be enabled by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L31)
+- [should be enabled when set to true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L39)
+- [should be disabled when set to false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L49)
 
-### [log-format-*](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/log-format.go#L28)
+### [log-format-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L28)
 
-- [should disable the log-format-escape-json by default](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/log-format.go#L40)
-- [should enable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/log-format.go#L47)
-- [should disable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/log-format.go#L55)
-- [log-format-escape-json enabled](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/log-format.go#L66)
-- [log-format-escape-json disabled](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/log-format.go#L89)
+- [should disable the log-format-escape-json by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L40)
+- [should enable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L47)
+- [should disable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L55)
+- [log-format-escape-json enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L66)
+- [log-format-escape-json disabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L89)
 
-### [[Flag] ingress-class](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/ingress_class.go#L39)
+### [[Flag] ingress-class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L39)
 
-- [should ignore Ingress with class](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/ingress_class.go#L91)
-- [should ignore Ingress with no class](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/ingress_class.go#L143)
-- [should delete Ingress when class is removed](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/ingress_class.go#L177)
-- [check scenarios for IngressClass and ingress.class annotation](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/ingress_class.go#L216)
+- [should ignore Ingress with class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L91)
+- [should ignore Ingress with no class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L143)
+- [should delete Ingress when class is removed](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L177)
+- [check scenarios for IngressClass and ingress.class annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L216)
 
-### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/ssl_ciphers.go#L28)
+### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_ciphers.go#L28)
 
-- [Add ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/ssl_ciphers.go#L31)
+- [Add ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_ciphers.go#L31)
 
-### [proxy-next-upstream](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/proxy_next_upstream.go#L28)
+### [proxy-next-upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_next_upstream.go#L28)
 
-- [should build proxy next upstream using configmap values](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/proxy_next_upstream.go#L36)
+- [should build proxy next upstream using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_next_upstream.go#L36)
 
-### [[Security] global-auth-url](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/global_external_auth.go#L32)
+### [[Security] global-auth-url](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L32)
 
-- [should return status code 401 when request any protected service](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/global_external_auth.go#L83)
-- [should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/global_external_auth.go#L100)
-- [should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/global_external_auth.go#L124)
-- [should still return status code 200 after auth backend is deleted using cache ](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/global_external_auth.go#L153)
-- [](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/global_external_auth.go#L195)
-- [](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/global_external_auth.go#L208)
-- [](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/global_external_auth.go#L221)
-- [](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/global_external_auth.go#L235)
-- [](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/global_external_auth.go#L248)
+- [should return status code 401 when request any protected service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L83)
+- [should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L100)
+- [should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L124)
+- [should still return status code 200 after auth backend is deleted using cache ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L153)
+- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L195)
+- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L208)
+- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L221)
+- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L235)
+- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L248)
 
-### [[Security] block-*](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/global_access_block.go#L28)
+### [[Security] block-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L28)
 
-- [should block CIDRs defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/global_access_block.go#L38)
-- [should block User-Agents defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/global_access_block.go#L55)
-- [should block Referers defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/global_access_block.go#L88)
+- [should block CIDRs defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L38)
+- [should block User-Agents defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L55)
+- [should block Referers defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L88)
 
-### [plugins](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/plugins.go#L28)
+### [plugins](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/plugins.go#L28)
 
-- [should exist a x-hello-world header](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/plugins.go#L35)
+- [should exist a x-hello-world header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/plugins.go#L35)
 
-### [Configmap - limit-rate](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/limit_rate.go#L28)
+### [Configmap - limit-rate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/limit_rate.go#L28)
 
-- [Check limit-rate config](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/limit_rate.go#L36)
+- [Check limit-rate config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/limit_rate.go#L36)
 
-### [Configure OpenTracing](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/opentracing.go#L47)
+### [Configure OpenTracing](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L47)
 
-- [should not exists opentracing directive](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/opentracing.go#L57)
-- [should exists opentracing directive when is enabled](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/opentracing.go#L70)
-- [should not exists opentracing_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/opentracing.go#L84)
-- [should exists opentracing_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/opentracing.go#L99)
-- [should not exists opentracing_location_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/opentracing.go#L114)
-- [should exists opentracing_location_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/opentracing.go#L129)
-- [should enable opentracing using zipkin](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/opentracing.go#L144)
-- [should enable opentracing using jaeger](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/opentracing.go#L156)
-- [should enable opentracing using jaeger with sampler host](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/opentracing.go#L168)
-- [should propagate the w3c header when configured with jaeger](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/opentracing.go#L181)
-- [should enable opentracing using datadog](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/opentracing.go#L225)
+- [should not exists opentracing directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L57)
+- [should exists opentracing directive when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L70)
+- [should not exists opentracing_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L84)
+- [should exists opentracing_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L99)
+- [should not exists opentracing_location_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L114)
+- [should exists opentracing_location_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L129)
+- [should enable opentracing using zipkin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L144)
+- [should enable opentracing using jaeger](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L156)
+- [should enable opentracing using jaeger with sampler host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L168)
+- [should propagate the w3c header when configured with jaeger](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L181)
+- [should enable opentracing using datadog](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L225)
 
-### [use-forwarded-headers](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/forwarded_headers.go#L30)
+### [use-forwarded-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L30)
 
-- [should trust X-Forwarded headers when setting is true](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/forwarded_headers.go#L40)
-- [should not trust X-Forwarded headers when setting is false](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/forwarded_headers.go#L90)
+- [should trust X-Forwarded headers when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L40)
+- [should not trust X-Forwarded headers when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L90)
 
-### [proxy-send-timeout](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/proxy_send_timeout.go#L28)
+### [proxy-send-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L28)
 
-- [should set valid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/proxy_send_timeout.go#L36)
-- [should not set invalid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/proxy_send_timeout.go#L52)
+- [should set valid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L36)
+- [should not set invalid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L52)
 
-### [Add no tls redirect locations](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/no_tls_redirect_locations.go#L28)
+### [Add no tls redirect locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L28)
 
-- [Check no tls redirect locations config](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/no_tls_redirect_locations.go#L31)
+- [Check no tls redirect locations config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L31)
 
-### [settings-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/globalratelimit.go#L30)
+### [settings-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/globalratelimit.go#L30)
 
-- [generates correct NGINX configuration](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/globalratelimit.go#L38)
+- [generates correct NGINX configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/globalratelimit.go#L38)
 
-### [add-headers](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/custom_header.go#L30)
+### [add-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L30)
 
-- [Add a custom header](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/custom_header.go#L40)
-- [Add multiple custom headers](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/custom_header.go#L65)
+- [Add a custom header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L40)
+- [Add multiple custom headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L65)
 
-### [hash size](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/hash-size.go#L27)
+### [hash size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L27)
 
-- [should set server_names_hash_bucket_size](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/hash-size.go#L40)
-- [should set server_names_hash_max_size](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/hash-size.go#L48)
-- [should set proxy-headers-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/hash-size.go#L60)
-- [should set proxy-headers-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/hash-size.go#L68)
-- [should set variables-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/hash-size.go#L80)
-- [should set variables-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/hash-size.go#L88)
-- [should set vmap-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/hash-size.go#L100)
+- [should set server_names_hash_bucket_size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L40)
+- [should set server_names_hash_max_size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L48)
+- [should set proxy-headers-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L60)
+- [should set proxy-headers-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L68)
+- [should set variables-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L80)
+- [should set variables-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L88)
+- [should set vmap-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L100)
 
-### [keep-alive keep-alive-requests](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/keep-alive.go#L28)
+### [keep-alive keep-alive-requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L28)
 
-- [should set keepalive_timeout](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/keep-alive.go#L40)
-- [should set keepalive_requests](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/keep-alive.go#L48)
-- [should set keepalive connection to upstream server](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/keep-alive.go#L59)
-- [should set keep alive connection timeout to upstream server](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/keep-alive.go#L68)
-- [should set the request count to upstream server through one keep alive connection](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/keep-alive.go#L77)
+- [should set keepalive_timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L40)
+- [should set keepalive_requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L48)
+- [should set keepalive connection to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L59)
+- [should set keep alive connection timeout to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L68)
+- [should set the request count to upstream server through one keep alive connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L77)
 
-### [[Flag] disable-catch-all](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/disable_catch_all.go#L34)
+### [[Flag] disable-catch-all](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L34)
 
-- [should ignore catch all Ingress](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/disable_catch_all.go#L51)
-- [should delete Ingress updated to catch-all](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/disable_catch_all.go#L70)
-- [should allow Ingress with both a default backend and rules](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/disable_catch_all.go#L108)
+- [should ignore catch all Ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L51)
+- [should delete Ingress updated to catch-all](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L70)
+- [should allow Ingress with both a default backend and rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L108)
 
-### [main-snippet](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/main_snippet.go#L27)
+### [main-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/main_snippet.go#L27)
 
-- [should add value of main-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/main_snippet.go#L31)
+- [should add value of main-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/main_snippet.go#L31)
 
-### [[SSL] TLS protocols, ciphers and headers)](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/tls.go#L31)
+### [[SSL] TLS protocols, ciphers and headers)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L31)
 
-- [setting cipher suite](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/tls.go#L65)
-- [enforcing TLS v1.0](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/tls.go#L87)
-- [setting max-age parameter](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/tls.go#L133)
-- [setting includeSubDomains parameter](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/tls.go#L149)
-- [setting preload parameter](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/tls.go#L168)
-- [overriding what's set from the upstream](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/tls.go#L188)
-- [should not use ports during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/tls.go#L209)
-- [should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/tls.go#L227)
+- [setting cipher suite](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L65)
+- [enforcing TLS v1.0](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L87)
+- [setting max-age parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L133)
+- [setting includeSubDomains parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L149)
+- [setting preload parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L168)
+- [overriding what's set from the upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L188)
+- [should not use ports during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L209)
+- [should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L227)
 
-### [Configmap change](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/configmap_change.go#L29)
+### [Configmap change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L29)
 
-- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/configmap_change.go#L36)
+- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L36)
 
-### [proxy-read-timeout](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/proxy_read_timeout.go#L28)
+### [proxy-read-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L28)
 
-- [should set valid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/proxy_read_timeout.go#L36)
-- [should not set invalid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/proxy_read_timeout.go#L52)
+- [should set valid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L36)
+- [should not set invalid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L52)
 
-### [[Security] modsecurity-snippet](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/modsecurity_snippet.go#L27)
+### [[Security] modsecurity-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity_snippet.go#L27)
 
-- [should add value of modsecurity-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/modsecurity_snippet.go#L30)
+- [should add value of modsecurity-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity_snippet.go#L30)
 
-### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/ocsp/ocsp.go#L42)
+### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L42)
 
-- [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/ocsp/ocsp.go#L49)
+- [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L49)
 
-### [reuse-port](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/reuse-port.go#L27)
+### [reuse-port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L27)
 
-- [reuse port should be enabled by default](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/reuse-port.go#L38)
-- [reuse port should be disabled](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/reuse-port.go#L44)
-- [reuse port should be enabled](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/settings/reuse-port.go#L52)
+- [reuse port should be enabled by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L38)
+- [reuse port should be disabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L44)
+- [reuse port should be enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L52)
 
-### [[Shutdown] Graceful shutdown with pending request](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/gracefulshutdown/slow_requests.go#L28)
+### [[Shutdown] Graceful shutdown with pending request](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/slow_requests.go#L28)
 
-- [should let slow requests finish before shutting down](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/gracefulshutdown/slow_requests.go#L36)
+- [should let slow requests finish before shutting down](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/slow_requests.go#L36)
 
-### [[Shutdown] ingress controller](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/gracefulshutdown/shutdown.go#L33)
+### [[Shutdown] ingress controller](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/shutdown.go#L33)
 
-- [should shutdown in less than 60 secons without pending connections](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/gracefulshutdown/shutdown.go#L43)
-- [should shutdown after waiting 60 seconds for pending connections to be closed](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/gracefulshutdown/shutdown.go#L64)
-- [should shutdown after waiting 150 seconds for pending connections to be closed](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/gracefulshutdown/shutdown.go#L109)
+- [should shutdown in less than 60 secons without pending connections](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/shutdown.go#L43)
+- [should shutdown after waiting 60 seconds for pending connections to be closed](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/shutdown.go#L64)
+- [should shutdown after waiting 150 seconds for pending connections to be closed](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/shutdown.go#L109)
 
-### [[Service] backend status code 503](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/servicebackend/service_backend.go#L32)
+### [[Service] backend status code 503](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L32)
 
-- [should return 503 when backend service does not exist](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/servicebackend/service_backend.go#L35)
-- [should return 503 when all backend service endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/servicebackend/service_backend.go#L53)
+- [should return 503 when backend service does not exist](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L35)
+- [should return 503 when all backend service endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L53)
 
-### [[Service] Type ExternalName](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/servicebackend/service_externalname.go#L37)
+### [[Service] Type ExternalName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L37)
 
-- [works with external name set to incomplete fqdn](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/servicebackend/service_externalname.go#L40)
-- [should return 200 for service type=ExternalName without a port defined](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/servicebackend/service_externalname.go#L73)
-- [should return 200 for service type=ExternalName with a port defined](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/servicebackend/service_externalname.go#L107)
-- [should return status 502 for service type=ExternalName with an invalid host](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/servicebackend/service_externalname.go#L148)
-- [should return 200 for service type=ExternalName using a port name](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/servicebackend/service_externalname.go#L179)
-- [should return 200 for service type=ExternalName using FQDN with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/servicebackend/service_externalname.go#L221)
-- [should update the external name after a service update](https://github.com/kubernetes/ingress-nginx/tree/master/test/e2e/servicebackend/service_externalname.go#L252)
+- [works with external name set to incomplete fqdn](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L40)
+- [should return 200 for service type=ExternalName without a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L73)
+- [should return 200 for service type=ExternalName with a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L107)
+- [should return status 502 for service type=ExternalName with an invalid host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L148)
+- [should return 200 for service type=ExternalName using a port name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L179)
+- [should return 200 for service type=ExternalName using FQDN with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L221)
+- [should update the external name after a service update](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L252)
diff --git a/docs/examples/PREREQUISITES.md b/docs/examples/PREREQUISITES.md
index c03dd095e..4d122b148 100644
--- a/docs/examples/PREREQUISITES.md
+++ b/docs/examples/PREREQUISITES.md
@@ -60,7 +60,7 @@ All examples that require a test HTTP Service use the standard http-svc pod,
 which you can deploy as follows
 
 ```console
-$ kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/http-svc.yaml
+$ kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/http-svc.yaml
 service "http-svc" created
 replicationcontroller "http-svc" created
 
diff --git a/docs/examples/auth/oauth-external-auth/README.md b/docs/examples/auth/oauth-external-auth/README.md
index 00f8d45dc..c5fcd7264 100644
--- a/docs/examples/auth/oauth-external-auth/README.md
+++ b/docs/examples/auth/oauth-external-auth/README.md
@@ -51,13 +51,13 @@ kubectl create -f https://raw.githubusercontent.com/kubernetes/kops/master/addon
 
 ![Register OAuth2 Application](images/register-oauth-app-2.png)
 
-3. Configure oauth2_proxy values in the file [`oauth2-proxy.yaml`](https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/auth/oauth-external-auth/oauth2-proxy.yaml) with the values:
+3. Configure oauth2_proxy values in the file [`oauth2-proxy.yaml`](https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/auth/oauth-external-auth/oauth2-proxy.yaml) with the values:
 
 - OAUTH2_PROXY_CLIENT_ID with the github `<Client ID>`
 - OAUTH2_PROXY_CLIENT_SECRET with the github `<Client Secret>`
 - OAUTH2_PROXY_COOKIE_SECRET with value of `python -c 'import os,base64; print(base64.b64encode(os.urandom(16)).decode("ascii"))'`
 
-4. Customize the contents of the file [`dashboard-ingress.yaml`](https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/auth/oauth-external-auth/dashboard-ingress.yaml):
+4. Customize the contents of the file [`dashboard-ingress.yaml`](https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/auth/oauth-external-auth/dashboard-ingress.yaml):
 
 Replace `__INGRESS_HOST__` with a valid FQDN and `__INGRESS_SECRET__` with a Secret with a valid SSL certificate.
 
diff --git a/docs/examples/customization/custom-configuration/README.md b/docs/examples/customization/custom-configuration/README.md
index 3ddefe245..3fc6bbaf6 100644
--- a/docs/examples/customization/custom-configuration/README.md
+++ b/docs/examples/customization/custom-configuration/README.md
@@ -17,7 +17,7 @@ metadata:
 ```
 
 ```
-curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/customization/custom-configuration/configmap.yaml \
+curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/customization/custom-configuration/configmap.yaml \
     | kubectl apply -f -
 ```
 
diff --git a/docs/examples/customization/custom-headers/README.md b/docs/examples/customization/custom-headers/README.md
index 99af78408..ac43499e9 100644
--- a/docs/examples/customization/custom-headers/README.md
+++ b/docs/examples/customization/custom-headers/README.md
@@ -7,13 +7,13 @@ server.
 [custom-headers.yaml](custom-headers.yaml) defines a ConfigMap in the `ingress-nginx` namespace named `custom-headers`, holding several custom X-prefixed HTTP headers.
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/customization/custom-headers/custom-headers.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/customization/custom-headers/custom-headers.yaml
 ```
 
 [configmap.yaml](configmap.yaml) defines a ConfigMap in the `ingress-nginx` namespace named `ingress-nginx-controller`. This controls the [global configuration](../../../user-guide/nginx-configuration/configmap.md) of the ingress controller, and already exists in a standard installation. The key `proxy-set-headers` is set to cite the previously-created `ingress-nginx/custom-headers` ConfigMap.
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/customization/custom-headers/configmap.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/customization/custom-headers/configmap.yaml
 ```
 
 The nginx ingress controller will read the `ingress-nginx/ingress-nginx-controller` ConfigMap, find the `proxy-set-headers` key, read HTTP headers from the `ingress-nginx/custom-headers` ConfigMap, and include those HTTP headers in all requests flowing from nginx to the backends.
diff --git a/docs/examples/customization/sysctl/README.md b/docs/examples/customization/sysctl/README.md
index 2de45b2da..01cb2f192 100644
--- a/docs/examples/customization/sysctl/README.md
+++ b/docs/examples/customization/sysctl/README.md
@@ -4,7 +4,7 @@ This example aims to demonstrate the use of an Init Container to adjust sysctl d
 
 ```console
 kubectl patch deployment -n ingress-nginx nginx-ingress-controller \
-    --patch="$(curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/customization/sysctl/patch.json)"
+    --patch="$(curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/customization/sysctl/patch.json)"
 ```
 
 **Changes:**
diff --git a/docs/examples/docker-registry/README.md b/docs/examples/docker-registry/README.md
index 495297a84..102c8d39d 100644
--- a/docs/examples/docker-registry/README.md
+++ b/docs/examples/docker-registry/README.md
@@ -7,7 +7,7 @@ This example demonstrates how to deploy a [docker registry](https://github.com/d
 First we deploy the docker registry in the cluster:
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/deployment.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/docker-registry/deployment.yaml
 ```
 
 !!! Important
@@ -22,7 +22,7 @@ The next required step is creation of the ingress rules. To do this we have two
 Download and edit the yaml deployment replacing `registry.<your domain>` with a valid DNS name pointing to the ingress controller:
 
 ```console
-wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/ingress-without-tls.yaml
+wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/docker-registry/ingress-without-tls.yaml
 ```
 
 !!! Important
@@ -35,7 +35,7 @@ Please check [deploy a plain http registry](https://docs.docker.com/registry/ins
 Download and edit the yaml deployment replacing `registry.<your domain>` with a valid DNS name pointing to the ingress controller:
 
 ```console
-wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/ingress-with-tls.yaml
+wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/docker-registry/ingress-with-tls.yaml
 ```
 
 Deploy [kube lego](https://github.com/jetstack/kube-lego) use [Let's Encrypt](https://letsencrypt.org/) certificates or edit the ingress rule to use a secret with an existing SSL certificate.
diff --git a/docs/examples/multi-tls/multi-tls.yaml b/docs/examples/multi-tls/multi-tls.yaml
index c616501be..7dda9267e 100644
--- a/docs/examples/multi-tls/multi-tls.yaml
+++ b/docs/examples/multi-tls/multi-tls.yaml
@@ -103,13 +103,13 @@ spec:
     - foo.bar.com
     # This secret must exist beforehand
     # The cert must also contain the subj-name foo.bar.com
-    # https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/PREREQUISITES.md#tls-certificates
+    # https://github.com/kubernetes/ingress-nginx/blob/main/docs/examples/PREREQUISITES.md#tls-certificates
     secretName: foobar
   - hosts:
     - bar.baz.com
     # This secret must exist beforehand
     # The cert must also contain the subj-name bar.baz.com
-    # https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/PREREQUISITES.md#tls-certificates
+    # https://github.com/kubernetes/ingress-nginx/blob/main/docs/examples/PREREQUISITES.md#tls-certificates
     secretName: barbaz
   rules:
   - host: foo.bar.com
diff --git a/docs/examples/psp/README.md b/docs/examples/psp/README.md
index 4064ed218..4d5f317fb 100644
--- a/docs/examples/psp/README.md
+++ b/docs/examples/psp/README.md
@@ -11,7 +11,7 @@ you will need to provide the Deployment with the permissions to create pods.
 
 Before applying any objects, first apply the PSP permissions by running:
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/psp/psp.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/psp/psp.yaml
 ```
 
 Note: PSP permissions must be granted before to the creation of the Deployment and the ReplicaSet.
diff --git a/docs/how-it-works.md b/docs/how-it-works.md
index 81d4ec2d6..1e530d045 100644
--- a/docs/how-it-works.md
+++ b/docs/how-it-works.md
@@ -67,8 +67,8 @@ This webhook appends the incoming ingress objects to the list of ingresses, gene
 [1]: https://coreos.com/kubernetes/docs/latest/replication-controller.html#the-reconciliation-loop-in-detail
 [2]: https://godoc.org/k8s.io/client-go/informers#NewFilteredSharedInformerFactory
 [3]: https://godoc.org/k8s.io/client-go/tools/cache#ResourceEventHandlerFuncs
-[4]: https://github.com/kubernetes/ingress-nginx/blob/master/internal/task/queue.go#L38
+[4]: https://github.com/kubernetes/ingress-nginx/blob/main/internal/task/queue.go#L38
 [5]: https://golang.org/pkg/sync/#Mutex
-[6]: https://github.com/kubernetes/ingress-nginx/blob/master/rootfs/etc/nginx/template/nginx.tmpl
+[6]: https://github.com/kubernetes/ingress-nginx/blob/main/rootfs/etc/nginx/template/nginx.tmpl
 [7]: http://nginx.org/en/docs/beginners_guide.html#control
 [8]: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook
diff --git a/docs/kubectl-plugin.md b/docs/kubectl-plugin.md
index 801a187b7..c0dc6b922 100644
--- a/docs/kubectl-plugin.md
+++ b/docs/kubectl-plugin.md
@@ -1,7 +1,7 @@
 <!--
 -----------------NOTICE------------------------
 This file is referenced in code as
-https://github.com/kubernetes/ingress-nginx/blob/master/docs/kubectl-plugin.md
+https://github.com/kubernetes/ingress-nginx/blob/main/docs/kubectl-plugin.md
 Do not move it without providing redirects.
 -----------------------------------------------
 -->
diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md
index a8cf212b1..67d111f5e 100644
--- a/docs/troubleshooting.md
+++ b/docs/troubleshooting.md
@@ -1,7 +1,7 @@
 <!--
 -----------------NOTICE------------------------
 This file is referenced in code as
-https://github.com/kubernetes/ingress-nginx/blob/master/docs/troubleshooting.md
+https://github.com/kubernetes/ingress-nginx/blob/main/docs/troubleshooting.md
 Do not move it without providing redirects.
 -----------------------------------------------
 -->
diff --git a/docs/user-guide/custom-errors.md b/docs/user-guide/custom-errors.md
index 05678f9e6..159a82078 100644
--- a/docs/user-guide/custom-errors.md
+++ b/docs/user-guide/custom-errors.md
@@ -27,5 +27,5 @@ An example of such custom backend is available inside the source repository at [
 See also the [Custom errors][example-custom-errors] example.
 
 [cm-custom-http-errors]: ./nginx-configuration/configmap.md#custom-http-errors
-[img-custom-error-pages]: https://github.com/kubernetes/ingress-nginx/tree/master/images/custom-error-pages
+[img-custom-error-pages]: https://github.com/kubernetes/ingress-nginx/tree/main/images/custom-error-pages
 [example-custom-errors]: ../../examples/customization/custom-errors
diff --git a/docs/user-guide/default-backend.md b/docs/user-guide/default-backend.md
index ccf11bb44..d57b89323 100644
--- a/docs/user-guide/default-backend.md
+++ b/docs/user-guide/default-backend.md
@@ -9,5 +9,5 @@ Basically a default backend exposes two URLs:
 - `/` that returns 404
 
 !!! example
-    The sub-directory [`/images/custom-error-pages`](https://github.com/kubernetes/ingress-nginx/tree/master/images/custom-error-pages)
+    The sub-directory [`/images/custom-error-pages`](https://github.com/kubernetes/ingress-nginx/tree/main/images/custom-error-pages)
     provides an additional service for the purpose of customizing the error pages served via the default backend.
diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md
index 41fe96b36..1c454827e 100644
--- a/docs/user-guide/monitoring.md
+++ b/docs/user-guide/monitoring.md
@@ -69,7 +69,7 @@ This tutorial will show you how to install [Prometheus](https://prometheus.io/)
 
 ## Deploy and configure Prometheus Server
 
-Note that the kustomize bases used in this tutorial are stored in the [deploy](https://github.com/kubernetes/ingress-nginx/tree/master/deploy) folder of the GitHub repository [kubernetes/ingress-nginx](https://github.com/kubernetes/ingress-nginx).
+Note that the kustomize bases used in this tutorial are stored in the [deploy](https://github.com/kubernetes/ingress-nginx/tree/main/deploy) folder of the GitHub repository [kubernetes/ingress-nginx](https://github.com/kubernetes/ingress-nginx).
 
 - The Prometheus server must be configured so that it can discover endpoints of services. If a Prometheus server is already running in the cluster and if it is configured in a way that it can find the ingress controller pods, no extra configuration is needed.
 
@@ -133,7 +133,7 @@ According to the above example, this URL will be http://10.192.0.3:31086
 
   The username and password is `admin`
 
-  - After the login you can import the Grafana dashboard from [official dashboards](https://github.com/kubernetes/ingress-nginx/tree/master/deploy/grafana/dashboards), by following steps given below :
+  - After the login you can import the Grafana dashboard from [official dashboards](https://github.com/kubernetes/ingress-nginx/tree/main/deploy/grafana/dashboards), by following steps given below :
 
     - Navigate to lefthand panel of grafana
     - Hover on the gearwheel icon for Configuration and click "Data Sources"
@@ -142,7 +142,7 @@ According to the above example, this URL will be http://10.192.0.3:31086
     - Enter the details (note: I used http://CLUSTER_IP_PROMETHEUS_SVC:9090)
     - Left menu (hover over +) -> Dashboard
     - Click "Import"
-    - Enter the copy pasted json from https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json
+    - Enter the copy pasted json from https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/grafana/dashboards/nginx.json
     - Click Import JSON
     - Select the Prometheus data source
     - Click "Import"
diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index df357d5e9..aec821c2a 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -5,7 +5,7 @@ ConfigMaps allow you to decouple configuration artifacts from image content to k
 The ConfigMap API resource stores configuration data as key-value pairs. The data provides the configurations for system
 components for the nginx-controller.
 
-In order to overwrite nginx-controller configuration values as seen in [config.go](https://github.com/kubernetes/ingress-nginx/blob/master/internal/ingress/controller/config/config.go),
+In order to overwrite nginx-controller configuration values as seen in [config.go](https://github.com/kubernetes/ingress-nginx/blob/main/internal/ingress/controller/config/config.go),
 you can add key-value pairs to the data section of the config-map. For Example:
 
 ```yaml
@@ -203,7 +203,7 @@ The following table shows a configuration option's name, type, and the default v
 
 ## add-headers
 
-Sets custom headers from named configmap before sending traffic to the client. See [proxy-set-headers](#proxy-set-headers). [example](https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers)
+Sets custom headers from named configmap before sending traffic to the client. See [proxy-set-headers](#proxy-set-headers). [example](https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers)
 
 ## allow-backend-server-header
 
@@ -465,7 +465,7 @@ _**default:**_ "0.0.0.0/0"
 
 ## proxy-set-headers
 
-Sets custom headers from named configmap before sending traffic to backends. The value format is namespace/name.  See [example](https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers)
+Sets custom headers from named configmap before sending traffic to backends. The value format is namespace/name.  See [example](https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers)
 
 ## server-name-hash-max-size
 
@@ -508,7 +508,7 @@ _References:_
 
 ## plugins
 
-Activates plugins installed in `/etc/nginx/lua/plugins`. Refer to [ingress-nginx plugins README](https://github.com/kubernetes/ingress-nginx/blob/master/rootfs/etc/nginx/lua/plugins/README.md) for more information on how to write and install a plugin.
+Activates plugins installed in `/etc/nginx/lua/plugins`. Refer to [ingress-nginx plugins README](https://github.com/kubernetes/ingress-nginx/blob/main/rootfs/etc/nginx/lua/plugins/README.md) for more information on how to write and install a plugin.
 
 ## server-tokens
 
@@ -523,7 +523,7 @@ The default cipher list is:
 
 The ordering of a ciphersuite is very important because it decides which algorithms are going to be selected in priority. The recommendation above prioritizes algorithms that provide perfect [forward secrecy](https://wiki.mozilla.org/Security/Server_Side_TLS#Forward_Secrecy).
 
-DHE-based cyphers will not be available until DH parameter is configured [Custom DH parameters for perfect forward secrecy](https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/ssl-dh-param)
+DHE-based cyphers will not be available until DH parameter is configured [Custom DH parameters for perfect forward secrecy](https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param)
 
 Please check the [Mozilla SSL Configuration Generator](https://mozilla.github.io/server-side-tls/ssl-config-generator/).
 
@@ -681,7 +681,7 @@ Sets the algorithm to use for load balancing.
 The value can either be:
 
 - round_robin: to use the default round robin loadbalancer
-- ewma: to use the Peak EWMA method for routing ([implementation](https://github.com/kubernetes/ingress-nginx/blob/master/rootfs/etc/nginx/lua/balancer/ewma.lua))
+- ewma: to use the Peak EWMA method for routing ([implementation](https://github.com/kubernetes/ingress-nginx/blob/main/rootfs/etc/nginx/lua/balancer/ewma.lua))
 
 The default is `round_robin`.
 
@@ -1083,7 +1083,7 @@ Similar to the Ingress rule annotation `nginx.ingress.kubernetes.io/auth-url`.
 Locations that should not get authenticated can be listed using `no-auth-locations` See [no-auth-locations](#no-auth-locations). In addition, each service can be excluded from authentication via annotation `enable-global-auth` set to "false".
 _**default:**_ ""
 
-_References:_ [https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#external-authentication](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#external-authentication)
+_References:_ [https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#external-authentication](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#external-authentication)
 
 ## global-auth-method
 
@@ -1174,7 +1174,7 @@ _References:_
 
 * `global-rate-limit-status-code`: configure HTTP status code to return when rejecting requests. Defaults to 429.
 
-Configure `memcached` client for [Global Rate Limiting](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#global-rate-limiting).
+Configure `memcached` client for [Global Rate Limiting](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#global-rate-limiting).
 
 * `global-rate-limit-memcached-host`: IP/FQDN of memcached server to use. Required to enable Global Rate Limiting.
 * `global-rate-limit-memcached-port`: port of memcached server to use. Defaults default memcached port of `11211`.
diff --git a/images/cfssl/Makefile b/images/cfssl/Makefile
index 344646462..b1909abe3 100644
--- a/images/cfssl/Makefile
+++ b/images/cfssl/Makefile
@@ -46,7 +46,7 @@ push: build
 ensure-buildx:
 # this is required for cloudbuild
 ifeq ("$(wildcard $(INIT_BUILDX))","")
-	@curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/hack/init-buildx.sh | bash
+	@curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash
 else
 	@exec $(INIT_BUILDX)
 endif
diff --git a/images/echo/Makefile b/images/echo/Makefile
index ca00528df..a467b456a 100644
--- a/images/echo/Makefile
+++ b/images/echo/Makefile
@@ -49,7 +49,7 @@ push: build
 ensure-buildx:
 # this is required for cloudbuild
 ifeq ("$(wildcard $(INIT_BUILDX))","")
-	@curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/hack/init-buildx.sh | bash
+	@curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash
 else
 	@exec $(INIT_BUILDX)
 endif
diff --git a/images/fastcgi-helloserver/Makefile b/images/fastcgi-helloserver/Makefile
index e35e1fa79..c1b54703f 100644
--- a/images/fastcgi-helloserver/Makefile
+++ b/images/fastcgi-helloserver/Makefile
@@ -48,7 +48,7 @@ push: build
 ensure-buildx:
 # this is required for cloudbuild
 ifeq ("$(wildcard $(INIT_BUILDX))","")
-	@curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/hack/init-buildx.sh | bash
+	@curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash
 else
 	@exec $(INIT_BUILDX)
 endif
diff --git a/images/httpbin/Makefile b/images/httpbin/Makefile
index d0c7d40c2..ac363dfa8 100644
--- a/images/httpbin/Makefile
+++ b/images/httpbin/Makefile
@@ -46,7 +46,7 @@ push: build
 ensure-buildx:
 # this is required for cloudbuild
 ifeq ("$(wildcard $(INIT_BUILDX))","")
-	@curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/hack/init-buildx.sh | bash
+	@curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash
 else
 	@exec $(INIT_BUILDX)
 endif
diff --git a/images/nginx/Makefile b/images/nginx/Makefile
index 11ffd2f06..438d0cfe1 100644
--- a/images/nginx/Makefile
+++ b/images/nginx/Makefile
@@ -48,7 +48,7 @@ push: build
 ensure-buildx:
 # this is required for cloudbuild
 ifeq ("$(wildcard $(INIT_BUILDX))","")
-	@curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/hack/init-buildx.sh | bash
+	@curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash
 else
 	@exec $(INIT_BUILDX)
 endif
diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile
index 7578230ff..f13a75ee7 100644
--- a/images/test-runner/Makefile
+++ b/images/test-runner/Makefile
@@ -60,7 +60,7 @@ push: build
 ensure-buildx:
 # this is required for cloudbuild
 ifeq ("$(wildcard $(INIT_BUILDX))","")
-	@curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/hack/init-buildx.sh | bash
+	@curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash
 else
 	@exec $(INIT_BUILDX)
 endif
diff --git a/rootfs/etc/nginx/lua/plugins/README.md b/rootfs/etc/nginx/lua/plugins/README.md
index 0967c8d94..5178f01f0 100644
--- a/rootfs/etc/nginx/lua/plugins/README.md
+++ b/rootfs/etc/nginx/lua/plugins/README.md
@@ -18,7 +18,7 @@ By defining functions with the following names, you can run your custom Lua code
  - `body_filter`: this is called when response body is received, it is useful for logging response body 
  - `log`: this is called when request processing is completed and a response is delivered to the client
 
-Check this [`hello_world`](https://github.com/kubernetes/ingress-nginx/tree/master/rootfs/etc/nginx/lua/plugins/hello_world) plugin as a simple example or refer to [OpenID Connect integration](https://github.com/ElvinEfendi/ingress-nginx-openidc/tree/master/rootfs/etc/nginx/lua/plugins/openidc) for more advanced usage.
+Check this [`hello_world`](https://github.com/kubernetes/ingress-nginx/tree/main/rootfs/etc/nginx/lua/plugins/hello_world) plugin as a simple example or refer to [OpenID Connect integration](https://github.com/ElvinEfendi/ingress-nginx-openidc/tree/master/rootfs/etc/nginx/lua/plugins/openidc) for more advanced usage.
 
 Do not forget to write tests for your plugin.
 

From 8b2db80433ac653bc5c98bffaa863e619c5563c0 Mon Sep 17 00:00:00 2001
From: Sergey Lanzman <sergeylanz@gmail.com>
Date: Sun, 8 Aug 2021 15:19:30 +0300
Subject: [PATCH 043/376] Update configmap.md (#7462)

---
 docs/user-guide/nginx-configuration/configmap.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index aec821c2a..54449df7c 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -385,7 +385,7 @@ Sets the time, in seconds, that the browser should remember that this site is on
 
 ## hsts-preload
 
-Enables or disables the preload attribute in the HSTS feature (when it is enabled) dd
+Enables or disables the preload attribute in the HSTS feature (when it is enabled).
 
 ## keep-alive
 

From 98288bc3ca62f83272591d67c610b75cd186e100 Mon Sep 17 00:00:00 2001
From: Noah Ispas <13436814+iamNoah1@users.noreply.github.com>
Date: Mon, 9 Aug 2021 13:55:30 +0200
Subject: [PATCH 044/376] Update versions of components for base image (#7411)

* update versions and checksums

* change requests from PR
---
 images/nginx/rootfs/build.sh | 183 ++++++++++++++++++++++++-----------
 1 file changed, 126 insertions(+), 57 deletions(-)

diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
index ebea37cf6..42add23b5 100755
--- a/images/nginx/rootfs/build.sh
+++ b/images/nginx/rootfs/build.sh
@@ -19,43 +19,112 @@ set -o nounset
 set -o pipefail
 
 export NGINX_VERSION=1.20.1
+
+# Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.1...master
 export NDK_VERSION=0.3.1
+
+# Check for recent changes: https://github.com/openresty/set-misc-nginx-module/compare/v0.32...master
 export SETMISC_VERSION=0.32
+
+# Check for recent changes: https://github.com/openresty/headers-more-nginx-module/compare/v0.33...master
 export MORE_HEADERS_VERSION=0.33
-export NGINX_DIGEST_AUTH=cd8641886c873cf543255aeda20d23e4cd603d05
-export NGINX_SUBSTITUTIONS=bc58cb11844bc42735bbaef7085ea86ace46d05b
-export NGINX_OPENTRACING_VERSION=0.11.0
-export OPENTRACING_CPP_VERSION=1.6.0
+
+# Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...atomx:master
+export NGINX_DIGEST_AUTH=1.0.0
+
+# Check for recent changes: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/compare/v0.6.4...master
+export NGINX_SUBSTITUTIONS=b8a71eacc7f986ba091282ab8b1bbbc6ae1807e0
+
+# Check for recent changes: https://github.com/opentracing-contrib/nginx-opentracing/compare/v0.19.0...master
+export NGINX_OPENTRACING_VERSION=0.19.0
+
+#Check for recent changes: https://github.com/opentracing/opentracing-cpp/compare/v1.6.0...master
+export OPENTRACING_CPP_VERSION=f86b33f3d9e7322b1298ba62d5ffa7a9519c4c41
+
+# Check for recent changes: https://github.com/rnburn/zipkin-cpp-opentracing/compare/v0.5.2...master
 export ZIPKIN_CPP_VERSION=f69593138ff84ca2f6bc115992e18ca3d35f344a
-export YAML_CPP_VERSION=yaml-cpp-0.6.3
+
+# Check for recent changes: https://github.com/jbeder/yaml-cpp/compare/yaml-cpp-0.7.0...master
+export YAML_CPP_VERSION=yaml-cpp-0.7.0
+
+# Check for recent changes: https://github.com/jaegertracing/jaeger-client-cpp/compare/v0.7.0...master
 export JAEGER_VERSION=0.7.0
-export MSGPACK_VERSION=3.2.1
-export DATADOG_CPP_VERSION=7b560e5c13324c0581476dad3bd8ac4ac5f64045
-export MODSECURITY_VERSION=22e53aba4e3ae8c7d59a3672d6727e49246afe96
-export MODSECURITY_LIB_VERSION=v3.0.4
-export OWASP_MODSECURITY_CRS_VERSION=v3.3.0
-export LUA_NGX_VERSION=138c1b96423aa26defe00fe64dd5760ef17e5ad8
-export LUA_STREAM_NGX_VERSION=0.0.9
-export LUA_UPSTREAM_VERSION=0.07
-export LUA_CJSON_VERSION=2.1.0.8
+
+# Check for recent changes: https://github.com/msgpack/msgpack-c/compare/cpp-3.3.0...master
+export MSGPACK_VERSION=3.3.0
+
+# Check for recent changes: https://github.com/DataDog/dd-opentracing-cpp/compare/v1.3.0...master
+export DATADOG_CPP_VERSION=af53c523787cca108ae9f458ea5c962e48187a36
+
+# Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.2...master
+export MODSECURITY_VERSION=1.0.2
+
+# Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.5...v3/master
+export MODSECURITY_LIB_VERSION=v3.0.5
+
+# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.2...v3.3/master
+export OWASP_MODSECURITY_CRS_VERSION=v3.3.2
+
+# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.20...master
+export LUA_NGX_VERSION=b721656a9127255003b696b42ccc871c7ec18d59
+
+# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/v0.0.10...master
+export LUA_STREAM_NGX_VERSION=74f8c8bca5b95cecbf42d4e1a465bc08cd075a9b
+
+# Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/v0.07...master
+export LUA_UPSTREAM_VERSION=8aa93ead98ba2060d4efd594ae33a35d153589bf
+
+# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.8...openresty:master
+export LUA_CJSON_VERSION=4b350c531de3d71008c77ae94e59275b8371b4dc
+
 export NGINX_INFLUXDB_VERSION=5b09391cb7b9a889687c0aa67964c06a2d933e8b
-export GEOIP2_VERSION=3.3
-export NGINX_AJP_VERSION=bf6cd93f2098b59260de8d494f0f4b1f11a84627
 
-export LUAJIT_VERSION=2.1-20201027
+# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/3.3...master
+export GEOIP2_VERSION=a26c6beed77e81553686852dceb6c7fdacc5970d
 
-export LUA_RESTY_BALANCER=af4508f7aa5560c7d810922c2515b557f9e5d51a
-export LUA_RESTY_CACHE=0.10
-export LUA_RESTY_CORE=0.1.21
-export LUA_RESTY_COOKIE_VERSION=766ad8c15e498850ac77f5e0265f1d3f30dc4027
-export LUA_RESTY_DNS=0.21
-export LUA_RESTY_HTTP=0.15
+# Check for recent changes: https://github.com/yaoweibin/nginx_ajp_module/compare/v0.3.0...master
+export NGINX_AJP_VERSION=a964a0bcc6a9f2bfb82a13752d7794a36319ffac
+
+# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20210510...v2.1-agentzh
+export LUAJIT_VERSION=2.1-20210510
+
+# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/v0.03...master
+export LUA_RESTY_BALANCER=56fd8ad03d5718f507a5129edc43a25948364b9f
+
+# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/v0.11...master
+export LUA_RESTY_CACHE=0.11
+
+# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.22...master
+export LUA_RESTY_CORE=0.1.22
+
+# Check for recent changes: https://github.com/cloudflare/lua-resty-cookie/compare/v0.1.0...master
+export LUA_RESTY_COOKIE_VERSION=303e32e512defced053a6484bc0745cf9dc0d39e
+
+# Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/v0.22...master
+export LUA_RESTY_DNS=0.22
+
+# Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.16.1...master
+export LUA_RESTY_HTTP=0ce55d6d15da140ecc5966fa848204c6fd9074e8
+
+# Check for recent changes: https://github.com/openresty/lua-resty-lock/compare/v0.08...master
 export LUA_RESTY_LOCK=0.08
+
+# Check for recent changes: https://github.com/openresty/lua-resty-upload/compare/v0.10...master
 export LUA_RESTY_UPLOAD_VERSION=0.10
-export LUA_RESTY_STRING_VERSION=0.12
-export LUA_RESTY_MEMCACHED_VERSION=0.15
+
+# Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.14...master
+export LUA_RESTY_STRING_VERSION=9ace36f2dde09451c377c839117ade45eb02d460
+
+# Check for recent changes: https://github.com/openresty/lua-resty-memcached/compare/v0.16...master
+export LUA_RESTY_MEMCACHED_VERSION=0.16
+
+# Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.29...master
 export LUA_RESTY_REDIS_VERSION=0.29
-export LUA_RESTY_IPMATCHER_VERSION=1a0a1c58fd085b15eedee58de8b5f45c27aff7bc
+
+# Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/v0.6...master
+export LUA_RESTY_IPMATCHER_VERSION=211e0d2eb8bbb558b79368f89948a0bafdc23654
+
+# Check for recent changes: https://github.com/ElvinEfendi/lua-resty-global-throttle/compare/v0.2.0...main
 export LUA_RESTY_GLOBAL_THROTTLE_VERSION=0.2.0
 
 export BUILD_PATH=/tmp/build
@@ -133,94 +202,94 @@ get_src f1ad2459c4ee6a61771aa84f77871f4bfe42943a4aa4c30c62ba3f981f52c201 \
 get_src a3dcbab117a9c103bc1ea5200fc00a7b7d2af97ff7fd525f16f8ac2632e30fbf \
         "https://github.com/openresty/headers-more-nginx-module/archive/v$MORE_HEADERS_VERSION.tar.gz"
 
-get_src fe683831f832aae4737de1e1026a4454017c2d5f98cb88b08c5411dc380062f8 \
-        "https://github.com/atomx/nginx-http-auth-digest/archive/$NGINX_DIGEST_AUTH.tar.gz"
+get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \
+        "https://github.com/atomx/nginx-http-auth-digest/archive/v$NGINX_DIGEST_AUTH.tar.gz"
 
-get_src 618551948ab14cac51d6e4ad00452312c7b09938f59ebff4f93875013be31f2d \
+get_src a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f \
         "https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/$NGINX_SUBSTITUTIONS.tar.gz"
 
-get_src a0087c61e82651dbdeeef1ceec375ce103f0ce571a1c8b35863cff4e596434a6 \
+get_src 6f97776ebdf019b105a755c7736b70bdbd7e575c7f0d39db5fe127873c7abf17 \
         "https://github.com/opentracing-contrib/nginx-opentracing/archive/v$NGINX_OPENTRACING_VERSION.tar.gz"
 
-get_src 5b170042da4d1c4c231df6594da120875429d5231e9baa5179822ee8d1054ac3 \
-        "https://github.com/opentracing/opentracing-cpp/archive/v$OPENTRACING_CPP_VERSION.tar.gz"
+get_src cbe625cba85291712253db5bc3870d60c709acfad9a8af5a302673d3d201e3ea \
+        "https://github.com/opentracing/opentracing-cpp/archive/$OPENTRACING_CPP_VERSION.tar.gz"
 
 get_src 71de3d0658935db7ccea20e006b35e58ddc7e4c18878b9523f2addc2371e9270 \
         "https://github.com/rnburn/zipkin-cpp-opentracing/archive/$ZIPKIN_CPP_VERSION.tar.gz"
 
-get_src 38f2ae43fceda683f652065e13a80b14a580ede476a4b44eb0ddd85665380360 \
-        "https://github.com/SpiderLabs/ModSecurity-nginx/archive/$MODSECURITY_VERSION.tar.gz"
+get_src f8d3ff15520df736c5e20e91d5852ec27e0874566c2afce7dcb979e2298d6980 \
+        "https://github.com/SpiderLabs/ModSecurity-nginx/archive/v$MODSECURITY_VERSION.tar.gz"
 
-get_src 77ea1b90b3718aa0c324207cb29418f5bced2354c2e483a9523d98c3460af1ed \
+get_src 43e6a9fcb146ad871515f0d0873947e5d497a1c9c60c58cb102a97b47208b7c3 \
         "https://github.com/jbeder/yaml-cpp/archive/$YAML_CPP_VERSION.tar.gz"
 
 get_src 3a3a03060bf5e3fef52c9a2de02e6035cb557f389453d8f3b0c1d3d570636994 \
         "https://github.com/jaegertracing/jaeger-client-cpp/archive/v$JAEGER_VERSION.tar.gz"
 
-get_src 464f46744a6be778626d11452c4db3c2d09461080c6db42e358e21af19d542f6 \
+get_src 754c3ace499a63e45b77ef4bcab4ee602c2c414f58403bce826b76ffc2f77d0b \
         "https://github.com/msgpack/msgpack-c/archive/cpp-$MSGPACK_VERSION.tar.gz"
 
-get_src 7dc05df3d1824b02c6958ff37f9e682b73c1737dcfee93212ca3f6c5bfae08f3 \
+get_src 085a9fb2bf9c4466977595a5fe5156d76f3a2d9a2a81be3cacaff2021773393e \
         "https://github.com/openresty/lua-nginx-module/archive/$LUA_NGX_VERSION.tar.gz"
 
-get_src 6fcf7054f412a19c23c1ac3c0663f42f40bccc907d98c5d1657ae5cab9973ee9 \
-        "https://github.com/openresty/stream-lua-nginx-module/archive/v$LUA_STREAM_NGX_VERSION.tar.gz"
+get_src ba38c9f8e4265836ba7f2ac559ddf140693ff2f5ae33ab1e384f51f3992151ab \
+        "https://github.com/openresty/stream-lua-nginx-module/archive/$LUA_STREAM_NGX_VERSION.tar.gz"
 
-get_src 2a69815e4ae01aa8b170941a8e1a10b6f6a9aab699dee485d58f021dd933829a \
-        "https://github.com/openresty/lua-upstream-nginx-module/archive/v$LUA_UPSTREAM_VERSION.tar.gz"
+get_src a92c9ee6682567605ece55d4eed5d1d54446ba6fba748cff0a2482aea5713d5f \
+        "https://github.com/openresty/lua-upstream-nginx-module/archive/$LUA_UPSTREAM_VERSION.tar.gz"
 
-get_src f74a0821b079ea1fd63dd8659064356fc3f421ff4b35c17877140d2b2841cc3b \
+get_src 1ee6dad809a5bb22efb45e6dac767f7ce544ad652d353a93d7f26b605f69fe3f \
         "https://github.com/openresty/luajit2/archive/v$LUAJIT_VERSION.tar.gz"
 
-get_src 40cc298f22bc29621024b68503335dcce464e42bcf02246f5864d7f8f2f5c379 \
+get_src f29393f2cd9288105a0029a6a324fe1f7558a9e7e852d59a6355f7581bb90e30 \
         "https://github.com/DataDog/dd-opentracing-cpp/archive/$DATADOG_CPP_VERSION.tar.gz"
 
 get_src 1af5a5632dc8b00ae103d51b7bf225de3a7f0df82f5c6a401996c080106e600e \
         "https://github.com/influxdata/nginx-influxdb-module/archive/$NGINX_INFLUXDB_VERSION.tar.gz"
 
-get_src 41378438c833e313a18869d0c4a72704b4835c30acaf7fd68013ab6732ff78a7 \
+get_src 4c1933434572226942c65b2f2b26c8a536ab76aa771a3c7f6c2629faa764976b \
         "https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz"
 
-get_src 5f629a50ba22347c441421091da70fdc2ac14586619934534e5a0f8a1390a950 \
+get_src 94d1512bf0e5e6ffa4eca0489db1279d51f45386fffcb8a1d2d9f7fe93518465 \
         "https://github.com/yaoweibin/nginx_ajp_module/archive/$NGINX_AJP_VERSION.tar.gz"
 
 get_src 5d16e623d17d4f42cc64ea9cfb69ca960d313e12f5d828f785dd227cc483fcbd \
         "https://github.com/openresty/lua-resty-upload/archive/v$LUA_RESTY_UPLOAD_VERSION.tar.gz"
 
-get_src bfd8c4b6c90aa9dcbe047ac798593a41a3f21edcb71904d50d8ac0e8c77d1132 \
-        "https://github.com/openresty/lua-resty-string/archive/v$LUA_RESTY_STRING_VERSION.tar.gz"
+get_src 462c6b38792bab4ca8212bdfd3f2e38f6883bb45c8fb8a03474ea813e0fab853 \
+        "https://github.com/openresty/lua-resty-string/archive/$LUA_RESTY_STRING_VERSION.tar.gz"
 
-get_src a21ec0d78a5dc5856df2374890a8a58e51de866b3d5978aceb0109a094367630 \
+get_src b3d28adac2acee1e5904e9f65d6e80e0553b01647fa0701b812bc7e464de74ad \
         "https://github.com/openresty/lua-resty-balancer/archive/$LUA_RESTY_BALANCER.tar.gz"
 
-get_src a377fbce78ba10f3ed3a8b5173ea318f8cf8da9d2ab127bb1e1f263078bf7da0 \
+get_src 4d971f711fad48c097070457c128ca36053835d8a3ba25a937e9991547d55d4d \
         "https://github.com/openresty/lua-resty-core/archive/v$LUA_RESTY_CORE.tar.gz"
 
-get_src bd6bee4ccc6cf3307ab6ca0eea693a921fab9b067ba40ae12a652636da588ff7 \
+get_src 8d602af2669fb386931760916a39f6c9034f2363c4965f215042c086b8215238 \
         "https://github.com/openresty/lua-cjson/archive/$LUA_CJSON_VERSION.tar.gz"
 
-get_src f818b5cef0881e5987606f2acda0e491531a0cb0c126d8dca02e2343edf641ef \
+get_src 5ed48c36231e2622b001308622d46a0077525ac2f751e8cc0c9905914254baa4 \
         "https://github.com/cloudflare/lua-resty-cookie/archive/$LUA_RESTY_COOKIE_VERSION.tar.gz"
 
-get_src dae9fb572f04e7df0dabc228f21cdd8bbfa1ff88e682e983ef558585bc899de0 \
+get_src e810ed124fe788b8e4aac2c8960dda1b9a6f8d0ca94ce162f28d3f4d877df8af \
         "https://github.com/openresty/lua-resty-lrucache/archive/v$LUA_RESTY_CACHE.tar.gz"
 
 get_src 2b4683f9abe73e18ca00345c65010c9056777970907a311d6e1699f753141de2 \
         "https://github.com/openresty/lua-resty-lock/archive/v$LUA_RESTY_LOCK.tar.gz"
 
-get_src 4aca34f324d543754968359672dcf5f856234574ee4da360ce02c778d244572a \
+get_src 70e9a01eb32ccade0d5116a25bcffde0445b94ad35035ce06b94ccd260ad1bf0 \
         "https://github.com/openresty/lua-resty-dns/archive/v$LUA_RESTY_DNS.tar.gz"
 
-get_src 987d5754a366d3ccbf745d2765f82595dcff5b94ba6c755eeb6d310447996f32 \
-        "https://github.com/ledgetech/lua-resty-http/archive/v$LUA_RESTY_HTTP.tar.gz"
+get_src 9fcb6db95bc37b6fce77d3b3dc740d593f9d90dce0369b405eb04844d56ac43f \
+        "https://github.com/ledgetech/lua-resty-http/archive/$LUA_RESTY_HTTP.tar.gz"
 
-get_src 8257e8fbf78eb2cc2cf2fdca2fda3c2e755f7d3222e7d15cc322111a0f720f9c \
+get_src 42893da0e3de4ec180c9bf02f82608d78787290a70c5644b538f29d243147396 \
         "https://github.com/openresty/lua-resty-memcached/archive/v$LUA_RESTY_MEMCACHED_VERSION.tar.gz"
 
 get_src 3f602af507aacd1f7aaeddfe7b77627fcde095fe9f115cb9d6ad8de2a52520e1 \
         "https://github.com/openresty/lua-resty-redis/archive/v$LUA_RESTY_REDIS_VERSION.tar.gz"
 
-get_src d0eacda122ab36585936256cb222ea9147bc5ad1fc3f24fd3748475653dd27ad \
+get_src b8dbd502751140993a852381bcd8e98a402454596bd91838c1e51268d42db261 \
         "https://github.com/api7/lua-resty-ipmatcher/archive/$LUA_RESTY_IPMATCHER_VERSION.tar.gz"
 
 get_src 0fb790e394510e73fdba1492e576aaec0b8ee9ef08e3e821ce253a07719cf7ea \

From af745bd97dce317a8788589588ae754711df69af Mon Sep 17 00:00:00 2001
From: Eugene Apollonsky <e.apollonsky@gmail.com>
Date: Mon, 9 Aug 2021 15:31:31 +0300
Subject: [PATCH 045/376] use listen to ensure the port is free (#6990) (#7467)

Co-authored-by: boxjan <i@boxjan.li>
---
 internal/net/net.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/internal/net/net.go b/internal/net/net.go
index b7fefb8b3..712262f3a 100644
--- a/internal/net/net.go
+++ b/internal/net/net.go
@@ -29,12 +29,12 @@ func IsIPV6(ip _net.IP) bool {
 
 // IsPortAvailable checks if a TCP port is available or not
 func IsPortAvailable(p int) bool {
-	conn, err := _net.Dial("tcp", fmt.Sprintf(":%v", p))
+	ln, err := _net.Listen("tcp", fmt.Sprintf(":%v", p))
 	if err != nil {
-		return true
+		return false
 	}
-	defer conn.Close()
-	return false
+	defer ln.Close()
+	return true
 }
 
 // IsIPv6Enabled checks if IPV6 is enabled or not and we have

From e53a11e839738b80fc53bad9b481353a6c854ea1 Mon Sep 17 00:00:00 2001
From: kayrus <kayrus@users.noreply.github.com>
Date: Mon, 9 Aug 2021 15:45:31 +0200
Subject: [PATCH 046/376] Add hostname value to override pod's hostname (#7386)

---
 charts/ingress-nginx/templates/controller-daemonset.yaml  | 3 +++
 charts/ingress-nginx/templates/controller-deployment.yaml | 3 +++
 charts/ingress-nginx/values.yaml                          | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml
index 2f6def589..0c94fcdd4 100644
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -41,6 +41,9 @@ spec:
     spec:
     {{- if .Values.controller.dnsConfig }}
       dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }}
+    {{- end }}
+    {{- if .Values.controller.hostname }}
+      hostname: {{ toYaml .Values.controller.hostname | nindent 8 }}
     {{- end }}
       dnsPolicy: {{ .Values.controller.dnsPolicy }}
     {{- if .Values.imagePullSecrets }}
diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
index 7e2d223a9..d90f76b32 100644
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -45,6 +45,9 @@ spec:
     spec:
     {{- if .Values.controller.dnsConfig }}
       dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }}
+    {{- end }}
+    {{- if .Values.controller.hostname }}
+      hostname: {{ toYaml .Values.controller.hostname | nindent 8 }}
     {{- end }}
       dnsPolicy: {{ .Values.controller.dnsPolicy }}
     {{- if .Values.imagePullSecrets }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index f2f28ed91..976bc5419 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -49,6 +49,9 @@ controller:
   # Optionally customize the pod dnsConfig.
   dnsConfig: {}
 
+  # Optionally customize the pod hostname.
+  hostname: {}
+
   # Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'.
   # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller
   # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet.

From 665ec92a2d179894202b233dddc2829488028924 Mon Sep 17 00:00:00 2001
From: "Noah Ispas (iamNoah1)" <noahispas@gmail.com>
Date: Tue, 10 Aug 2021 16:10:07 +0200
Subject: [PATCH 047/376] update to newest image

---
 Makefile                         | 2 +-
 images/echo/Makefile             | 2 +-
 images/nginx/README.md           | 2 +-
 images/nginx/rc.yaml             | 2 +-
 images/test-runner/Makefile      | 2 +-
 test/e2e/framework/deployment.go | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/Makefile b/Makefile
index 8a449ede8..edd16e4cc 100644
--- a/Makefile
+++ b/Makefile
@@ -51,7 +51,7 @@ endif
 
 REGISTRY ?= gcr.io/k8s-staging-ingress-nginx
 
-BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210530-g6aab4c291@sha256:a7356029dd0c26cc3466bf7a27daec0f4df73aa14ca6c8b871a767022a812c0b
+BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210809-g98288bc3c@sha256:f9363669cf26514c9548c1fe4f8f4e2f58dfb76616bcd638a0ff7f0ec3457c17
 
 GOARCH=$(ARCH)
 
diff --git a/images/echo/Makefile b/images/echo/Makefile
index a467b456a..90a544b24 100644
--- a/images/echo/Makefile
+++ b/images/echo/Makefile
@@ -36,7 +36,7 @@ build: ensure-buildx
 		--platform=${PLATFORMS} $(OUTPUT) \
 		--progress=$(PROGRESS) \
 		--pull \
-		--build-arg BASE_IMAGE=k8s.gcr.io/ingress-nginx/nginx:v20210324-g8baef769d@sha256:fcfa3e9d1f8ec3141efedbf77cf659640f452a9c22165c78006ea462b84d06f6 \
+		--build-arg BASE_IMAGE=k8s.gcr.io/ingress-nginx/nginx:v20210809-g98288bc3c@sha256:f9363669cf26514c9548c1fe4f8f4e2f58dfb76616bcd638a0ff7f0ec3457c17 \
 		--build-arg LUAROCKS_VERSION=3.3.1 \
 		--build-arg LUAROCKS_SHA=837481e408f7c06b59befe7ec194537c657687d624894bca7f79034302141a34 \
 		-t $(IMAGE):$(TAG) rootfs
diff --git a/images/nginx/README.md b/images/nginx/README.md
index a5c649b3c..dde0b618a 100644
--- a/images/nginx/README.md
+++ b/images/nginx/README.md
@@ -18,7 +18,7 @@ This image provides a default configuration file with no backend servers.
 _Using docker_
 
 ```console
-docker run -v /some/nginx.con:/etc/nginx/nginx.conf:ro k8s.gcr.io/ingress-nginx/nginx:v20210324-g8baef769d@sha256:fcfa3e9d1f8ec3141efedbf77cf659640f452a9c22165c78006ea462b84d06f6
+docker run -v /some/nginx.con:/etc/nginx/nginx.conf:ro k8s.gcr.io/ingress-nginx/nginx:v20210809-g98288bc3c@sha256:f9363669cf26514c9548c1fe4f8f4e2f58dfb76616bcd638a0ff7f0ec3457c17
 ```
 
 _Creating a replication controller_
diff --git a/images/nginx/rc.yaml b/images/nginx/rc.yaml
index 8a6bec91c..98a3df14b 100644
--- a/images/nginx/rc.yaml
+++ b/images/nginx/rc.yaml
@@ -38,7 +38,7 @@ spec:
     spec:
       containers:
         - name: nginx
-          image: k8s.gcr.io/ingress-nginx/nginx:v20210530-g6aab4c291@sha256:a7356029dd0c26cc3466bf7a27daec0f4df73aa14ca6c8b871a767022a812c0b
+          image: k8s.gcr.io/ingress-nginx/nginx:v20210809-g98288bc3c@sha256:f9363669cf26514c9548c1fe4f8f4e2f58dfb76616bcd638a0ff7f0ec3457c17
           ports:
             - containerPort: 80
             - containerPort: 443
diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile
index f13a75ee7..57db0c37e 100644
--- a/images/test-runner/Makefile
+++ b/images/test-runner/Makefile
@@ -23,7 +23,7 @@ REGISTRY ?= local
 
 IMAGE = $(REGISTRY)/e2e-test-runner
 
-NGINX_BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210530-g6aab4c291@sha256:a7356029dd0c26cc3466bf7a27daec0f4df73aa14ca6c8b871a767022a812c0b
+NGINX_BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210809-g98288bc3c@sha256:f9363669cf26514c9548c1fe4f8f4e2f58dfb76616bcd638a0ff7f0ec3457c17
 
 # required to enable buildx
 export DOCKER_CLI_EXPERIMENTAL=enabled
diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go
index 8725e9950..0705d0fce 100644
--- a/test/e2e/framework/deployment.go
+++ b/test/e2e/framework/deployment.go
@@ -38,7 +38,7 @@ const SlowEchoService = "slow-echo"
 const HTTPBinService = "httpbin"
 
 // NginxBaseImage use for testing
-const NginxBaseImage = "k8s.gcr.io/ingress-nginx/nginx:v20210530-g6aab4c291@sha256:a7356029dd0c26cc3466bf7a27daec0f4df73aa14ca6c8b871a767022a812c0b"
+const NginxBaseImage = "k8s.gcr.io/ingress-nginx/nginx:v20210809-g98288bc3c@sha256:f9363669cf26514c9548c1fe4f8f4e2f58dfb76616bcd638a0ff7f0ec3457c17"
 
 // NewEchoDeployment creates a new single replica deployment of the echoserver image in a particular namespace
 func (f *Framework) NewEchoDeployment() {

From 45995525e7b3cd7b06194770464dace1672b0e06 Mon Sep 17 00:00:00 2001
From: Sergey Shakuto <sshakuto@infoblox.com>
Date: Fri, 9 Jul 2021 01:08:53 +0300
Subject: [PATCH 048/376] Retry to download maxmind DB if it fails (#7242)

* Retry to download maxmind DB if it fails.

Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com>

* Add retries count arg, move retry logic into DownloadGeoLite2DB function

Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com>

* Reorder parameters in DownloadGeoLite2DB

Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com>

* Remove hardcoded value

Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com>
---
 cmd/nginx/flags.go               | 13 +++---
 cmd/nginx/flags_test.go          | 13 ++++++
 docs/user-guide/cli-arguments.md |  2 +
 go.mod                           |  1 +
 go.sum                           |  4 +-
 internal/nginx/maxmind.go        | 70 ++++++++++++++++++++++++++++----
 6 files changed, 88 insertions(+), 15 deletions(-)

diff --git a/cmd/nginx/flags.go b/cmd/nginx/flags.go
index 62c4ced23..1abe7d9e3 100644
--- a/cmd/nginx/flags.go
+++ b/cmd/nginx/flags.go
@@ -23,10 +23,7 @@ import (
 	"time"
 
 	"github.com/spf13/pflag"
-
 	apiv1 "k8s.io/api/core/v1"
-	"k8s.io/klog/v2"
-
 	"k8s.io/ingress-nginx/internal/ingress/annotations/class"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/controller"
@@ -34,6 +31,7 @@ import (
 	"k8s.io/ingress-nginx/internal/ingress/status"
 	ing_net "k8s.io/ingress-nginx/internal/net"
 	"k8s.io/ingress-nginx/internal/nginx"
+	klog "k8s.io/klog/v2"
 )
 
 func parseFlags() (bool, *controller.Configuration, error) {
@@ -182,6 +180,8 @@ Takes the form "<host>:port". If not provided, no admission controller is starte
 	flags.StringVar(&nginx.MaxmindLicenseKey, "maxmind-license-key", "", `Maxmind license key to download GeoLite2 Databases.
 https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases`)
 	flags.StringVar(&nginx.MaxmindEditionIDs, "maxmind-edition-ids", "GeoLite2-City,GeoLite2-ASN", `Maxmind edition ids to download GeoLite2 Databases.`)
+	flags.IntVar(&nginx.MaxmindRetriesCount, "maxmind-retries-count", 1, "Number of attempts to download the GeoIP DB.")
+	flags.DurationVar(&nginx.MaxmindRetriesTimeout, "maxmind-retries-timeout", time.Second*0, "Maxmind downloading delay between 1st and 2nd attempt, 0s - do not retry to download if something went wrong.")
 
 	flag.Set("logtostderr", "true")
 
@@ -307,16 +307,17 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g
 		config.RootCAFile = *rootCAFile
 	}
 
+	var err error
 	if (nginx.MaxmindLicenseKey != "" || nginx.MaxmindMirror != "") && nginx.MaxmindEditionIDs != "" {
-		if err := nginx.ValidateGeoLite2DBEditions(); err != nil {
+		if err = nginx.ValidateGeoLite2DBEditions(); err != nil {
 			return false, nil, err
 		}
 		klog.InfoS("downloading maxmind GeoIP2 databases")
-		if err := nginx.DownloadGeoLite2DB(); err != nil {
+		if err = nginx.DownloadGeoLite2DB(nginx.MaxmindRetriesCount, nginx.MaxmindRetriesTimeout); err != nil {
 			klog.ErrorS(err, "unexpected error downloading GeoIP2 database")
 		}
 		config.MaxmindEditionFiles = nginx.MaxmindEditionFiles
 	}
 
-	return false, config, nil
+	return false, config, err
 }
diff --git a/cmd/nginx/flags_test.go b/cmd/nginx/flags_test.go
index 4286d4a20..b25fa7557 100644
--- a/cmd/nginx/flags_test.go
+++ b/cmd/nginx/flags_test.go
@@ -105,3 +105,16 @@ func TestMaxmindMirror(t *testing.T) {
 		t.Fatalf("Expected an error parsing flags but none returned")
 	}
 }
+
+func TestMaxmindRetryDownload(t *testing.T) {
+	resetForTesting(func() { t.Fatal("Parsing failed") })
+
+	oldArgs := os.Args
+	defer func() { os.Args = oldArgs }()
+	os.Args = []string{"cmd", "--publish-service", "namespace/test", "--http-port", "0", "--https-port", "0", "--maxmind-mirror", "http://127.0.0.1", "--maxmind-license-key", "0000000", "--maxmind-edition-ids", "GeoLite2-City", "--maxmind-retries-timeout", "1s", "--maxmind-retries-count", "3"}
+
+	_, _, err := parseFlags()
+	if err == nil {
+		t.Fatalf("Expected an error parsing flags but none returned")
+	}
+}
diff --git a/docs/user-guide/cli-arguments.md b/docs/user-guide/cli-arguments.md
index 799ce7324..d51c75994 100644
--- a/docs/user-guide/cli-arguments.md
+++ b/docs/user-guide/cli-arguments.md
@@ -33,6 +33,8 @@ They are set in the container spec of the `nginx-ingress-controller` Deployment
 | `--log_file_max_size`              | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) |
 | `--logtostderr`                    | log to standard error instead of files (default true) |
 | `--maxmind-edition-ids`            | Maxmind edition ids to download GeoLite2 Databases. (default "GeoLite2-City,GeoLite2-ASN") |
+| `--maxmind-retries-timeout`        | Maxmind downloading delay between 1st and 2nd attempt, 0s - do not retry to download if something went wrong. (default 0s) |
+| `--maxmind-retries-count`          | Number of attempts to download the GeoIP DB. (default 1) |
 | `--maxmind-license-key`            | Maxmind license key to download GeoLite2 Databases. https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases |
 | `--metrics-per-host`               | Export metrics per-host (default true) |
 | `--profiler-port`                  | Port to use for expose the ingress controller Go profiler when it is enabled. (default 10245) |
diff --git a/go.mod b/go.mod
index 02de2cecf..c0e2b350b 100644
--- a/go.mod
+++ b/go.mod
@@ -10,6 +10,7 @@ require (
 	github.com/imdario/mergo v0.3.12
 	github.com/json-iterator/go v1.1.11
 	github.com/kylelemons/godebug v1.1.0
+	github.com/mattn/go-isatty v0.0.12 // indirect
 	github.com/mitchellh/go-ps v1.0.0
 	github.com/mitchellh/hashstructure v1.1.0
 	github.com/mitchellh/mapstructure v1.4.1
diff --git a/go.sum b/go.sum
index 795d1bf16..2a19bfd54 100644
--- a/go.sum
+++ b/go.sum
@@ -468,8 +468,9 @@ github.com/mattn/go-colorable v0.1.2 h1:/bC9yWikZXAL9uJdulbSfyVNIR3n3trXl+v8+1sx
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
-github.com/mattn/go-isatty v0.0.8 h1:HLtExJ+uU2HOZ+wI0Tt5DtUDrx8yhUqDcp7fYERX4CE=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY=
+github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI=
@@ -929,6 +930,7 @@ golang.org/x/sys v0.0.0-20191220142924-d4481acd189f/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
diff --git a/internal/nginx/maxmind.go b/internal/nginx/maxmind.go
index 0f3c37016..c764be161 100644
--- a/internal/nginx/maxmind.go
+++ b/internal/nginx/maxmind.go
@@ -21,10 +21,17 @@ import (
 	"compress/gzip"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"path"
 	"strings"
+	"syscall"
+	"time"
+
+	"k8s.io/apimachinery/pkg/util/wait"
+	klog "k8s.io/klog/v2"
 )
 
 // MaxmindLicenseKey maxmind license key to download databases
@@ -39,6 +46,15 @@ var MaxmindEditionFiles []string
 // MaxmindMirror maxmind database mirror url (http://geoip.local)
 var MaxmindMirror = ""
 
+// MaxmindRetriesCount number of attempts to download the GeoIP DB
+var MaxmindRetriesCount = 1
+
+// MaxmindRetriesTimeout maxmind download retries timeout in seconds, 0 - do not retry to download if something went wrong
+var MaxmindRetriesTimeout = time.Second * 0
+
+// minimumRetriesCount minimum value of the MaxmindRetriesCount parameter. If MaxmindRetriesCount less than minimumRetriesCount, it will be set to minimumRetriesCount
+const minimumRetriesCount = 1
+
 const (
 	geoIPPath   = "/etc/nginx/geoip"
 	dbExtension = ".mmdb"
@@ -60,15 +76,53 @@ func GeoLite2DBExists() bool {
 
 // DownloadGeoLite2DB downloads the required databases by the
 // GeoIP2 NGINX module using a license key from MaxMind.
-func DownloadGeoLite2DB() error {
-	for _, dbName := range strings.Split(MaxmindEditionIDs, ",") {
-		err := downloadDatabase(dbName)
-		if err != nil {
-			return err
-		}
-		MaxmindEditionFiles = append(MaxmindEditionFiles, dbName+dbExtension)
+func DownloadGeoLite2DB(attempts int, period time.Duration) error {
+	if attempts < minimumRetriesCount {
+		attempts = minimumRetriesCount
 	}
-	return nil
+
+	defaultRetry := wait.Backoff{
+		Steps:    attempts,
+		Duration: period,
+		Factor:   1.5,
+		Jitter:   0.1,
+	}
+	if period == time.Duration(0) {
+		defaultRetry.Steps = minimumRetriesCount
+	}
+
+	var lastErr error
+	retries := 0
+
+	_ = wait.ExponentialBackoff(defaultRetry, func() (bool, error) {
+		var dlError error
+		for _, dbName := range strings.Split(MaxmindEditionIDs, ",") {
+			dlError = downloadDatabase(dbName)
+			if dlError != nil {
+				break
+			}
+			MaxmindEditionFiles = append(MaxmindEditionFiles, dbName+dbExtension)
+		}
+
+		lastErr = dlError
+		if dlError == nil {
+			return true, nil
+		}
+
+		if e, ok := dlError.(*url.Error); ok {
+			if e, ok := e.Err.(*net.OpError); ok {
+				if e, ok := e.Err.(*os.SyscallError); ok {
+					if e.Err == syscall.ECONNREFUSED {
+						retries++
+						klog.InfoS("download failed on attempt " + fmt.Sprint(retries))
+						return false, nil
+					}
+				}
+			}
+		}
+		return true, nil
+	})
+	return lastErr
 }
 
 func createURL(mirror, licenseKey, dbName string) string {

From c9d5b21a657c5267b396893f8e2064d9ec01e60e Mon Sep 17 00:00:00 2001
From: Tom Hayward <thayward@infoblox.com>
Date: Thu, 8 Jul 2021 17:16:53 -0700
Subject: [PATCH 049/376] fix: discover mounted geoip db files (#7228)

* fix: discover mounted geoip db files

* add test

* fix runtime reload of config.MaxmindEditionFiles

* add e2e test

* log missing geoip2 db
---
 cmd/nginx/flags.go                           | 12 ++--
 internal/ingress/controller/config/config.go |  2 +-
 internal/ingress/controller/controller.go    |  2 +-
 internal/nginx/maxmind.go                    | 14 +++-
 internal/nginx/maxmind_test.go               | 75 ++++++++++++++++++++
 test/e2e/settings/geoip2.go                  | 32 +++++++++
 6 files changed, 127 insertions(+), 10 deletions(-)
 create mode 100644 internal/nginx/maxmind_test.go

diff --git a/cmd/nginx/flags.go b/cmd/nginx/flags.go
index 1abe7d9e3..b125719fd 100644
--- a/cmd/nginx/flags.go
+++ b/cmd/nginx/flags.go
@@ -308,15 +308,17 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g
 	}
 
 	var err error
-	if (nginx.MaxmindLicenseKey != "" || nginx.MaxmindMirror != "") && nginx.MaxmindEditionIDs != "" {
+	if nginx.MaxmindEditionIDs != "" {
 		if err = nginx.ValidateGeoLite2DBEditions(); err != nil {
 			return false, nil, err
 		}
-		klog.InfoS("downloading maxmind GeoIP2 databases")
-		if err = nginx.DownloadGeoLite2DB(nginx.MaxmindRetriesCount, nginx.MaxmindRetriesTimeout); err != nil {
-			klog.ErrorS(err, "unexpected error downloading GeoIP2 database")
+		if nginx.MaxmindLicenseKey != "" || nginx.MaxmindMirror != "" {
+			klog.InfoS("downloading maxmind GeoIP2 databases")
+			if err = nginx.DownloadGeoLite2DB(nginx.MaxmindRetriesCount, nginx.MaxmindRetriesTimeout); err != nil {
+				klog.ErrorS(err, "unexpected error downloading GeoIP2 database")
+			}
 		}
-		config.MaxmindEditionFiles = nginx.MaxmindEditionFiles
+		config.MaxmindEditionFiles = &nginx.MaxmindEditionFiles
 	}
 
 	return false, config, err
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
index f8e79e66e..b96e26772 100644
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@@ -925,7 +925,7 @@ type TemplateConfig struct {
 	ListenPorts              *ListenPorts
 	PublishService           *apiv1.Service
 	EnableMetrics            bool
-	MaxmindEditionFiles      []string
+	MaxmindEditionFiles      *[]string
 	MonitorMaxBatchSize      int
 
 	PID        string
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 08ef2d240..66fbd752d 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -105,7 +105,7 @@ type Configuration struct {
 	ValidationWebhookKeyPath  string
 
 	GlobalExternalAuth  *ngx_config.GlobalExternalAuth
-	MaxmindEditionFiles []string
+	MaxmindEditionFiles *[]string
 
 	MonitorMaxBatchSize int
 
diff --git a/internal/nginx/maxmind.go b/internal/nginx/maxmind.go
index c764be161..df9fd2231 100644
--- a/internal/nginx/maxmind.go
+++ b/internal/nginx/maxmind.go
@@ -64,12 +64,19 @@ const (
 
 // GeoLite2DBExists checks if the required databases for
 // the GeoIP2 NGINX module are present in the filesystem
+// and indexes the discovered databases for iteration in
+// the config.
 func GeoLite2DBExists() bool {
+	files := []string{}
 	for _, dbName := range strings.Split(MaxmindEditionIDs, ",") {
-		if !fileExists(path.Join(geoIPPath, dbName+dbExtension)) {
+		filename := dbName + dbExtension
+		if !fileExists(path.Join(geoIPPath, filename)) {
+			klog.Error(filename, " not found")
 			return false
 		}
+		files = append(files, filename)
 	}
+	MaxmindEditionFiles = files
 
 	return true
 }
@@ -101,7 +108,6 @@ func DownloadGeoLite2DB(attempts int, period time.Duration) error {
 			if dlError != nil {
 				break
 			}
-			MaxmindEditionFiles = append(MaxmindEditionFiles, dbName+dbExtension)
 		}
 
 		lastErr = dlError
@@ -217,7 +223,7 @@ func ValidateGeoLite2DBEditions() error {
 	return nil
 }
 
-func fileExists(filePath string) bool {
+func _fileExists(filePath string) bool {
 	info, err := os.Stat(filePath)
 	if os.IsNotExist(err) {
 		return false
@@ -225,3 +231,5 @@ func fileExists(filePath string) bool {
 
 	return !info.IsDir()
 }
+
+var fileExists = _fileExists
diff --git a/internal/nginx/maxmind_test.go b/internal/nginx/maxmind_test.go
new file mode 100644
index 000000000..ed78c32a1
--- /dev/null
+++ b/internal/nginx/maxmind_test.go
@@ -0,0 +1,75 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package nginx
+
+import (
+	"reflect"
+	"testing"
+)
+
+func resetForTesting() {
+	fileExists = _fileExists
+	MaxmindLicenseKey = ""
+	MaxmindEditionIDs = ""
+	MaxmindEditionFiles = []string{}
+	MaxmindMirror = ""
+}
+
+func TestGeoLite2DBExists(t *testing.T) {
+	tests := []struct {
+		name      string
+		setup     func()
+		want      bool
+		wantFiles []string
+	}{
+		{
+			name:      "empty",
+			wantFiles: []string{},
+		},
+		{
+			name: "existing files",
+			setup: func() {
+				MaxmindEditionIDs = "GeoLite2-City,GeoLite2-ASN"
+				fileExists = func(string) bool {
+					return true
+				}
+			},
+			want:      true,
+			wantFiles: []string{"GeoLite2-City.mmdb", "GeoLite2-ASN.mmdb"},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			resetForTesting()
+			// mimics assignment in flags.go
+			config := &MaxmindEditionFiles
+
+			if tt.setup != nil {
+				tt.setup()
+			}
+			if got := GeoLite2DBExists(); got != tt.want {
+				t.Errorf("GeoLite2DBExists() = %v, want %v", got, tt.want)
+			}
+			if !reflect.DeepEqual(MaxmindEditionFiles, tt.wantFiles) {
+				t.Errorf("nginx.MaxmindEditionFiles = %v, want %v", MaxmindEditionFiles, tt.wantFiles)
+			}
+			if !reflect.DeepEqual(*config, tt.wantFiles) {
+				t.Errorf("config.MaxmindEditionFiles = %v, want %v", *config, tt.wantFiles)
+			}
+		})
+	}
+}
diff --git a/test/e2e/settings/geoip2.go b/test/e2e/settings/geoip2.go
index 37f99f216..cec35f459 100644
--- a/test/e2e/settings/geoip2.go
+++ b/test/e2e/settings/geoip2.go
@@ -17,15 +17,23 @@ limitations under the License.
 package settings
 
 import (
+	"context"
+	"fmt"
+	"path/filepath"
 	"strings"
 
 	"net/http"
 
 	"github.com/onsi/ginkgo"
+	"github.com/stretchr/testify/assert"
 
+	appsv1 "k8s.io/api/apps/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )
 
+const testdataURL = "https://github.com/maxmind/MaxMind-DB/blob/5a0be1c0320490b8e4379dbd5295a18a648ff156/test-data/GeoLite2-Country-Test.mmdb?raw=true"
+
 var _ = framework.DescribeSetting("Geoip2", func() {
 	f := framework.NewDefaultFramework("geoip2")
 
@@ -35,6 +43,30 @@ var _ = framework.DescribeSetting("Geoip2", func() {
 		f.NewEchoDeployment()
 	})
 
+	ginkgo.It("should include geoip2 line in config when enabled and db file exists", func() {
+		edition := "GeoLite2-Country"
+
+		err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error {
+			args := deployment.Spec.Template.Spec.Containers[0].Args
+			args = append(args, "--maxmind-edition-ids="+edition)
+			deployment.Spec.Template.Spec.Containers[0].Args = args
+			_, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{})
+			return err
+		})
+		assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller deployment flags")
+
+		filename := fmt.Sprintf("/etc/nginx/geoip/%s.mmdb", edition)
+		exec, err := f.ExecIngressPod(fmt.Sprintf(`sh -c "mkdir -p '%s' && wget -O '%s' '%s' 2>&1"`, filepath.Dir(filename), filename, testdataURL))
+		framework.Logf(exec)
+		assert.Nil(ginkgo.GinkgoT(), err, fmt.Sprintln("error downloading test geoip2 db", filename))
+
+		f.UpdateNginxConfigMapData("use-geoip2", "true")
+		f.WaitForNginxConfiguration(
+			func(cfg string) bool {
+				return strings.Contains(cfg, fmt.Sprintf("geoip2 %s", filename))
+			})
+	})
+
 	ginkgo.It("should only allow requests from specific countries", func() {
 		ginkgo.Skip("GeoIP test are temporarily disabled")
 

From 9a9ad4785704ef7ec0f6428e5cfb2a32d9af5cf3 Mon Sep 17 00:00:00 2001
From: Tom Hayward <thayward@infoblox.com>
Date: Mon, 12 Jul 2021 23:08:29 -0700
Subject: [PATCH 050/376] Fix forwarding of auth-response-headers to gRPC
 backends (#7331)

* add e2e test for auth-response-headers annotation

* add e2e test for grpc with auth-response-headers

* fix forwarding of auth header to GRPC backends

* add test case for proxySetHeader(nil)
---
 .../ingress/controller/template/template.go   |  6 +-
 .../controller/template/template_test.go      | 51 ++++++++-----
 rootfs/etc/nginx/template/nginx.tmpl          |  4 +-
 test/e2e/annotations/auth.go                  | 23 ++++++
 test/e2e/annotations/grpc.go                  | 74 +++++++++++++++++++
 5 files changed, 136 insertions(+), 22 deletions(-)

diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go
index 7a248938f..522407a2f 100644
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@@ -563,7 +563,7 @@ func shouldApplyGlobalAuth(input interface{}, globalExternalAuthURL string) bool
 	return false
 }
 
-func buildAuthResponseHeaders(headers []string) []string {
+func buildAuthResponseHeaders(proxySetHeader string, headers []string) []string {
 	res := []string{}
 
 	if len(headers) == 0 {
@@ -574,7 +574,7 @@ func buildAuthResponseHeaders(headers []string) []string {
 		hvar := strings.ToLower(h)
 		hvar = strings.NewReplacer("-", "_").Replace(hvar)
 		res = append(res, fmt.Sprintf("auth_request_set $authHeader%v $upstream_http_%v;", i, hvar))
-		res = append(res, fmt.Sprintf("proxy_set_header '%v' $authHeader%v;", h, i))
+		res = append(res, fmt.Sprintf("%s '%v' $authHeader%v;", proxySetHeader, h, i))
 	}
 	return res
 }
@@ -668,7 +668,7 @@ func buildProxyPass(host string, b interface{}, loc interface{}) string {
 		var xForwardedPrefix string
 
 		if len(location.XForwardedPrefix) > 0 {
-			xForwardedPrefix = fmt.Sprintf("proxy_set_header X-Forwarded-Prefix \"%s\";\n", location.XForwardedPrefix)
+			xForwardedPrefix = fmt.Sprintf("%s X-Forwarded-Prefix \"%s\";\n", proxySetHeader(location), location.XForwardedPrefix)
 		}
 
 		return fmt.Sprintf(`
diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go
index ad0635adf..abe7049b0 100644
--- a/internal/ingress/controller/template/template_test.go
+++ b/internal/ingress/controller/template/template_test.go
@@ -506,7 +506,7 @@ func TestBuildAuthResponseHeaders(t *testing.T) {
 		"proxy_set_header 'H-With-Caps-And-Dashes' $authHeader1;",
 	}
 
-	headers := buildAuthResponseHeaders(externalAuthResponseHeaders)
+	headers := buildAuthResponseHeaders(proxySetHeader(nil), externalAuthResponseHeaders)
 
 	if !reflect.DeepEqual(expected, headers) {
 		t.Errorf("Expected \n'%v'\nbut returned \n'%v'", expected, headers)
@@ -1182,23 +1182,40 @@ func TestBuildCustomErrorLocationsPerServer(t *testing.T) {
 }
 
 func TestProxySetHeader(t *testing.T) {
-	invalidType := &ingress.Ingress{}
-	expected := "proxy_set_header"
-	actual := proxySetHeader(invalidType)
-
-	if expected != actual {
-		t.Errorf("Expected '%v' but returned '%v'", expected, actual)
+	tests := []struct {
+		name     string
+		loc      interface{}
+		expected string
+	}{
+		{
+			name:     "nil",
+			loc:      nil,
+			expected: "proxy_set_header",
+		},
+		{
+			name:     "invalid type",
+			loc:      &ingress.Ingress{},
+			expected: "proxy_set_header",
+		},
+		{
+			name:     "http backend",
+			loc:      &ingress.Location{},
+			expected: "proxy_set_header",
+		},
+		{
+			name: "gRPC backend",
+			loc: &ingress.Location{
+				BackendProtocol: "GRPC",
+			},
+			expected: "grpc_set_header",
+		},
 	}
-
-	grpcBackend := &ingress.Location{
-		BackendProtocol: "GRPC",
-	}
-
-	expected = "grpc_set_header"
-	actual = proxySetHeader(grpcBackend)
-
-	if expected != actual {
-		t.Errorf("Expected '%v' but returned '%v'", expected, actual)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := proxySetHeader(tt.loc); got != tt.expected {
+				t.Errorf("proxySetHeader() = %v, expected %v", got, tt.expected)
+			}
+		})
 	}
 }
 
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index e6f516f73..4bb5fe18c 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -1178,7 +1178,7 @@ stream {
             auth_request        {{ $authPath }};
             auth_request_set    $auth_cookie $upstream_http_set_cookie;
             add_header          Set-Cookie $auth_cookie;
-            {{- range $line := buildAuthResponseHeaders $externalAuth.ResponseHeaders }}
+            {{- range $line := buildAuthResponseHeaders $proxySetHeader $externalAuth.ResponseHeaders }}
             {{ $line }}
             {{- end }}
             {{ end }}
@@ -1196,7 +1196,7 @@ stream {
             auth_digest {{ $location.BasicDigestAuth.Realm | quote }};
             auth_digest_user_file {{ $location.BasicDigestAuth.File }};
             {{ end }}
-            proxy_set_header Authorization "";
+            {{ $proxySetHeader }} Authorization "";
             {{ end }}
             {{ end }}
 
diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go
index 781a32b1b..fac0658c0 100644
--- a/test/e2e/annotations/auth.go
+++ b/test/e2e/annotations/auth.go
@@ -453,6 +453,29 @@ http {
 				Expect().
 				Status(http.StatusOK)
 		})
+
+		ginkgo.It("should overwrite Foo header with auth response", func() {
+			var (
+				rewriteHeader = "Foo"
+				rewriteVal    = "bar"
+			)
+			annotations["nginx.ingress.kubernetes.io/auth-response-headers"] = rewriteHeader
+			f.UpdateIngress(ing)
+
+			f.WaitForNginxServer(host, func(server string) bool {
+				return strings.Contains(server, fmt.Sprintf("proxy_set_header '%s' $authHeader0;", rewriteHeader))
+			})
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", host).
+				WithHeader(rewriteHeader, rewriteVal).
+				WithBasicAuth("user", "password").
+				Expect().
+				Status(http.StatusOK).
+				Body().
+				NotContainsFold(fmt.Sprintf("%s=%s", rewriteHeader, rewriteVal))
+		})
 	})
 
 	ginkgo.Context("when external authentication is configured with a custom redirect param", func() {
diff --git a/test/e2e/annotations/grpc.go b/test/e2e/annotations/grpc.go
index 003277885..9da6fdc15 100644
--- a/test/e2e/annotations/grpc.go
+++ b/test/e2e/annotations/grpc.go
@@ -27,6 +27,7 @@ import (
 	"golang.org/x/net/context"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/metadata"
 	core "k8s.io/api/core/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -121,6 +122,79 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() {
 		assert.Equal(ginkgo.GinkgoT(), metadata["content-type"].Values[0], "application/grpc")
 	})
 
+	ginkgo.It("authorization metadata should be overwritten by external auth response headers", func() {
+		f.NewGRPCBinDeployment()
+		f.NewHttpbinDeployment()
+
+		host := "echo"
+
+		svc := &core.Service{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "grpcbin-test",
+				Namespace: f.Namespace,
+			},
+			Spec: corev1.ServiceSpec{
+				ExternalName: fmt.Sprintf("grpcbin.%v.svc.cluster.local", f.Namespace),
+				Type:         corev1.ServiceTypeExternalName,
+				Ports: []corev1.ServicePort{
+					{
+						Name:       host,
+						Port:       9000,
+						TargetPort: intstr.FromInt(9000),
+						Protocol:   "TCP",
+					},
+				},
+			},
+		}
+		f.EnsureService(svc)
+
+		err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1)
+		assert.Nil(ginkgo.GinkgoT(), err)
+
+		e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{})
+		assert.Nil(ginkgo.GinkgoT(), err)
+
+		assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint")
+		assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint")
+
+		httpbinIP := e.Subsets[0].Addresses[0].IP
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/auth-url":              fmt.Sprintf("http://%s/response-headers?authorization=foo", httpbinIP),
+			"nginx.ingress.kubernetes.io/auth-response-headers": "Authorization",
+			"nginx.ingress.kubernetes.io/backend-protocol":      "GRPC",
+		}
+
+		ing := framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, "grpcbin-test", 9000, annotations)
+
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, "grpc_pass grpc://upstream_balancer;")
+			})
+
+		conn, _ := grpc.Dial(f.GetNginxIP()+":443",
+			grpc.WithTransportCredentials(
+				credentials.NewTLS(&tls.Config{
+					ServerName:         "echo",
+					InsecureSkipVerify: true,
+				}),
+			),
+		)
+		defer conn.Close()
+
+		client := pb.NewGRPCBinClient(conn)
+		ctx := metadata.AppendToOutgoingContext(context.Background(),
+			"authorization", "bar")
+
+		res, err := client.HeadersUnary(ctx, &pb.EmptyMessage{})
+		assert.Nil(ginkgo.GinkgoT(), err)
+
+		metadata := res.GetMetadata()
+		assert.Equal(ginkgo.GinkgoT(), "foo", metadata["authorization"].Values[0])
+	})
+
 	ginkgo.It("should return OK for service with backend protocol GRPCS", func() {
 		f.NewGRPCBinDeployment()
 

From 492c7b0d942e894a3e17e8a32e518dce2249efa7 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Tue, 10 Aug 2021 17:22:40 -0300
Subject: [PATCH 051/376] Migrate the webhook-certgen program to inside ingress
 repo (#7475)

---
 images/kube-webhook-certgen/Makefile          |  56 ++
 images/kube-webhook-certgen/README.md         |  86 +++
 images/kube-webhook-certgen/cloudbuild.yaml   |  37 +
 images/kube-webhook-certgen/rootfs/Dockerfile |  29 +
 images/kube-webhook-certgen/rootfs/LICENSE    | 203 +++++
 images/kube-webhook-certgen/rootfs/README.md  |  86 +++
 .../kube-webhook-certgen/rootfs/cmd/create.go |  42 ++
 .../kube-webhook-certgen/rootfs/cmd/patch.go  |  62 ++
 .../kube-webhook-certgen/rootfs/cmd/root.go   |  83 ++
 .../rootfs/cmd/version.go                     |  25 +
 .../rootfs/core/version.go                    |   8 +
 images/kube-webhook-certgen/rootfs/go.mod     |  13 +
 images/kube-webhook-certgen/rootfs/go.sum     | 714 ++++++++++++++++++
 images/kube-webhook-certgen/rootfs/main.go    |   9 +
 .../rootfs/pkg/certs/certs.go                 |  99 +++
 .../rootfs/pkg/certs/certs_test.go            |  61 ++
 .../rootfs/pkg/k8s/k8s.go                     | 138 ++++
 .../rootfs/pkg/k8s/k8s_test.go                | 159 ++++
 18 files changed, 1910 insertions(+)
 create mode 100644 images/kube-webhook-certgen/Makefile
 create mode 100755 images/kube-webhook-certgen/README.md
 create mode 100644 images/kube-webhook-certgen/cloudbuild.yaml
 create mode 100644 images/kube-webhook-certgen/rootfs/Dockerfile
 create mode 100644 images/kube-webhook-certgen/rootfs/LICENSE
 create mode 100755 images/kube-webhook-certgen/rootfs/README.md
 create mode 100755 images/kube-webhook-certgen/rootfs/cmd/create.go
 create mode 100755 images/kube-webhook-certgen/rootfs/cmd/patch.go
 create mode 100755 images/kube-webhook-certgen/rootfs/cmd/root.go
 create mode 100644 images/kube-webhook-certgen/rootfs/cmd/version.go
 create mode 100644 images/kube-webhook-certgen/rootfs/core/version.go
 create mode 100644 images/kube-webhook-certgen/rootfs/go.mod
 create mode 100644 images/kube-webhook-certgen/rootfs/go.sum
 create mode 100644 images/kube-webhook-certgen/rootfs/main.go
 create mode 100644 images/kube-webhook-certgen/rootfs/pkg/certs/certs.go
 create mode 100644 images/kube-webhook-certgen/rootfs/pkg/certs/certs_test.go
 create mode 100755 images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go
 create mode 100644 images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go

diff --git a/images/kube-webhook-certgen/Makefile b/images/kube-webhook-certgen/Makefile
new file mode 100644
index 000000000..8457e0c57
--- /dev/null
+++ b/images/kube-webhook-certgen/Makefile
@@ -0,0 +1,56 @@
+# Copyright 2021 The Kubernetes Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+.DEFAULT_GOAL:=build
+
+SHELL=/bin/bash -o pipefail -o errexit
+
+DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))))
+INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh
+
+TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD)
+REGISTRY ?= local
+
+IMAGE = $(REGISTRY)/kube-webhook-certgen
+
+# required to enable buildx
+export DOCKER_CLI_EXPERIMENTAL=enabled
+
+# build with buildx
+PLATFORMS?=linux/amd64,linux/arm,linux/arm64,linux/s390x
+OUTPUT=
+PROGRESS=plain
+
+build: ensure-buildx
+	docker buildx build \
+		--platform=${PLATFORMS} $(OUTPUT) \
+		--progress=$(PROGRESS) \
+		--pull \
+		-t $(IMAGE):$(TAG) rootfs
+
+# push the cross built image
+push: OUTPUT=--push
+push: build
+
+# enable buildx
+ensure-buildx:
+# this is required for cloudbuild
+ifeq ("$(wildcard $(INIT_BUILDX))","")
+	@curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash
+else
+	@exec $(INIT_BUILDX)
+endif
+	@echo "done"
+
+.PHONY: build push ensure-buildx
diff --git a/images/kube-webhook-certgen/README.md b/images/kube-webhook-certgen/README.md
new file mode 100755
index 000000000..47a8c74c7
--- /dev/null
+++ b/images/kube-webhook-certgen/README.md
@@ -0,0 +1,86 @@
+# Kubernetes webhook certificate generator and patcher
+
+**This is a copy/fork of the project existing in [jet/kube-webhook-certgen](https://github.com/jet/kube-webhook-certgen/)**
+
+We moved it here so we can change / update the Kubernetes APIs, and we are really thankful to the original
+creators.
+
+## Overview
+Generates a CA and leaf certificate with a long (100y) expiration, then patches [Kubernetes Admission Webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/)
+by setting the `caBundle` field with the generated CA. 
+Can optionally patch the hooks `failurePolicy` setting - useful in cases where a single Helm chart needs to provision resources
+and hooks at the same time as patching.
+
+The utility works in two parts, optimized to work better with the Helm provisioning process that leverages pre-install and post-install hooks to execute this as a Kubernetes job.
+
+## Security Considerations
+This tool may not be adequate in all security environments. If a more complete solution is required, you may want to 
+seek alternatives such as [jetstack/cert-manager](https://github.com/jetstack/cert-manager)
+
+## Command line options
+```
+Use this to create a ca and signed certificates and patch admission webhooks to allow for quick
+                   installation and configuration of validating and admission webhooks.
+
+Usage:
+  kube-webhook-certgen [flags]
+  kube-webhook-certgen [command]
+
+Available Commands:
+  create      Generate a ca and server cert+key and store the results in a secret 'secret-name' in 'namespace'
+  help        Help about any command
+  patch       Patch a validatingwebhookconfiguration and mutatingwebhookconfiguration 'webhook-name' by using the ca from 'secret-name' in 'namespace'
+  version     Prints the CLI version information
+
+Flags:
+  -h, --help                help for kube-webhook-certgen
+      --kubeconfig string   Path to kubeconfig file: e.g. ~/.kube/kind-config-kind
+      --log-format string   Log format: text|json (default "text")
+      --log-level string    Log level: panic|fatal|error|warn|info|debug|trace (default "info")
+```
+
+### Create
+```
+Generate a ca and server cert+key and store the results in a secret 'secret-name' in 'namespace'
+
+Usage:
+  kube-webhook-certgen create [flags]
+
+Flags:
+      --cert-name string     Name of cert file in the secret (default "cert")
+  -h, --help                 help for create
+      --host string          Comma-separated hostnames and IPs to generate a certificate for
+      --key-name string      Name of key file in the secret (default "key")
+      --namespace string     Namespace of the secret where certificate information will be written
+      --secret-name string   Name of the secret where certificate information will be written
+
+Global Flags:
+      --kubeconfig string   Path to kubeconfig file: e.g. ~/.kube/kind-config-kind
+      --log-format string   Log format: text|json (default "json")
+      --log-level string    Log level: panic|fatal|error|warn|info|debug|trace (default "info")
+```
+
+### Patch
+```
+Patch a validatingwebhookconfiguration and mutatingwebhookconfiguration 'webhook-name' by using the ca from 'secret-name' in 'namespace'
+
+Usage:
+  kube-webhook-certgen patch [flags]
+
+Flags:
+  -h, --help                          help for patch
+      --namespace string              Namespace of the secret where certificate information will be read from
+      --patch-failure-policy string   If set, patch the webhooks with this failure policy. Valid options are Ignore or Fail
+      --patch-mutating                If true, patch mutatingwebhookconfiguration (default true)
+      --patch-validating              If true, patch validatingwebhookconfiguration (default true)
+      --secret-name string            Name of the secret where certificate information will be read from
+      --webhook-name string           Name of validatingwebhookconfiguration and mutatingwebhookconfiguration that will be updated
+
+Global Flags:
+      --kubeconfig string   Path to kubeconfig file: e.g. ~/.kube/kind-config-kind
+      --log-format string   Log format: text|json (default "text")
+      --log-level string    Log level: panic|fatal|error|warn|info|debug|trace (default "info")
+```
+
+## Known Users
+- [stable/prometheus-operator](https://github.com/helm/charts/tree/master/stable/prometheus-operator) helm chart
diff --git a/images/kube-webhook-certgen/cloudbuild.yaml b/images/kube-webhook-certgen/cloudbuild.yaml
new file mode 100644
index 000000000..8282daf52
--- /dev/null
+++ b/images/kube-webhook-certgen/cloudbuild.yaml
@@ -0,0 +1,37 @@
+
+# Copyright 2021 The Kubernetes Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+timeout: 10800s
+options:
+  substitution_option: ALLOW_LOOSE
+steps:
+  - name: gcr.io/k8s-testimages/gcb-docker-gcloud:v20201130-750d12f
+    entrypoint: bash
+    env:
+      - DOCKER_CLI_EXPERIMENTAL=enabled
+      - TAG=$_GIT_TAG
+      - BASE_REF=$_PULL_BASE_REF
+      - REGISTRY=gcr.io/k8s-staging-ingress-nginx
+      # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx
+      # set the home to /root explicitly to if using docker buildx
+      - HOME=/root
+    args:
+    - -c
+    - |
+      gcloud auth configure-docker \
+      && make push
+substitutions:
+  _GIT_TAG: "12345"
+  _PULL_BASE_REF: "master"
\ No newline at end of file
diff --git a/images/kube-webhook-certgen/rootfs/Dockerfile b/images/kube-webhook-certgen/rootfs/Dockerfile
new file mode 100644
index 000000000..f9020fa41
--- /dev/null
+++ b/images/kube-webhook-certgen/rootfs/Dockerfile
@@ -0,0 +1,29 @@
+# Copyright 2021 The Kubernetes Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM --platform=$BUILDPLATFORM golang:1.16 as builder
+ARG BUILDPLATFORM
+ARG TARGETARCH
+
+WORKDIR /workspace
+COPY . .
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go build -a -o kube-webhook-certgen main.go
+
+FROM --platform=$BUILDPLATFORM gcr.io/distroless/static:nonroot
+ARG BUILDPLATFORM
+ARG TARGETARCH
+WORKDIR /
+COPY --from=builder /workspace/kube-webhook-certgen /kube-webhook-certgen
+USER 65532:65532
+ENTRYPOINT ["/kube-webhook-certgen"]
diff --git a/images/kube-webhook-certgen/rootfs/LICENSE b/images/kube-webhook-certgen/rootfs/LICENSE
new file mode 100644
index 000000000..7cd4c37e3
--- /dev/null
+++ b/images/kube-webhook-certgen/rootfs/LICENSE
@@ -0,0 +1,203 @@
+Copyright (c) 2019-present, Jet.com, Inc.
+----------------------------------------------------
+                                  Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/images/kube-webhook-certgen/rootfs/README.md b/images/kube-webhook-certgen/rootfs/README.md
new file mode 100755
index 000000000..47a8c74c7
--- /dev/null
+++ b/images/kube-webhook-certgen/rootfs/README.md
@@ -0,0 +1,86 @@
+# Kubernetes webhook certificate generator and patcher
+
+**This is a copy/fork of the project existing in [jet/kube-webhook-certgen](https://github.com/jet/kube-webhook-certgen/)**
+
+We moved it here so we can change / update the Kubernetes APIs, and we are really thankful to the original
+creators.
+
+## Overview
+Generates a CA and leaf certificate with a long (100y) expiration, then patches [Kubernetes Admission Webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/)
+by setting the `caBundle` field with the generated CA. 
+Can optionally patch the hooks `failurePolicy` setting - useful in cases where a single Helm chart needs to provision resources
+and hooks at the same time as patching.
+
+The utility works in two parts, optimized to work better with the Helm provisioning process that leverages pre-install and post-install hooks to execute this as a Kubernetes job.
+
+## Security Considerations
+This tool may not be adequate in all security environments. If a more complete solution is required, you may want to 
+seek alternatives such as [jetstack/cert-manager](https://github.com/jetstack/cert-manager)
+
+## Command line options
+```
+Use this to create a ca and signed certificates and patch admission webhooks to allow for quick
+                   installation and configuration of validating and admission webhooks.
+
+Usage:
+  kube-webhook-certgen [flags]
+  kube-webhook-certgen [command]
+
+Available Commands:
+  create      Generate a ca and server cert+key and store the results in a secret 'secret-name' in 'namespace'
+  help        Help about any command
+  patch       Patch a validatingwebhookconfiguration and mutatingwebhookconfiguration 'webhook-name' by using the ca from 'secret-name' in 'namespace'
+  version     Prints the CLI version information
+
+Flags:
+  -h, --help                help for kube-webhook-certgen
+      --kubeconfig string   Path to kubeconfig file: e.g. ~/.kube/kind-config-kind
+      --log-format string   Log format: text|json (default "text")
+      --log-level string    Log level: panic|fatal|error|warn|info|debug|trace (default "info")
+```
+
+### Create
+```
+Generate a ca and server cert+key and store the results in a secret 'secret-name' in 'namespace'
+
+Usage:
+  kube-webhook-certgen create [flags]
+
+Flags:
+      --cert-name string     Name of cert file in the secret (default "cert")
+  -h, --help                 help for create
+      --host string          Comma-separated hostnames and IPs to generate a certificate for
+      --key-name string      Name of key file in the secret (default "key")
+      --namespace string     Namespace of the secret where certificate information will be written
+      --secret-name string   Name of the secret where certificate information will be written
+
+Global Flags:
+      --kubeconfig string   Path to kubeconfig file: e.g. ~/.kube/kind-config-kind
+      --log-format string   Log format: text|json (default "json")
+      --log-level string    Log level: panic|fatal|error|warn|info|debug|trace (default "info")
+```
+
+### Patch
+```
+Patch a validatingwebhookconfiguration and mutatingwebhookconfiguration 'webhook-name' by using the ca from 'secret-name' in 'namespace'
+
+Usage:
+  kube-webhook-certgen patch [flags]
+
+Flags:
+  -h, --help                          help for patch
+      --namespace string              Namespace of the secret where certificate information will be read from
+      --patch-failure-policy string   If set, patch the webhooks with this failure policy. Valid options are Ignore or Fail
+      --patch-mutating                If true, patch mutatingwebhookconfiguration (default true)
+      --patch-validating              If true, patch validatingwebhookconfiguration (default true)
+      --secret-name string            Name of the secret where certificate information will be read from
+      --webhook-name string           Name of validatingwebhookconfiguration and mutatingwebhookconfiguration that will be updated
+
+Global Flags:
+      --kubeconfig string   Path to kubeconfig file: e.g. ~/.kube/kind-config-kind
+      --log-format string   Log format: text|json (default "text")
+      --log-level string    Log level: panic|fatal|error|warn|info|debug|trace (default "info")
+```
+
+## Known Users
+- [stable/prometheus-operator](https://github.com/helm/charts/tree/master/stable/prometheus-operator) helm chart
diff --git a/images/kube-webhook-certgen/rootfs/cmd/create.go b/images/kube-webhook-certgen/rootfs/cmd/create.go
new file mode 100755
index 000000000..799d300ca
--- /dev/null
+++ b/images/kube-webhook-certgen/rootfs/cmd/create.go
@@ -0,0 +1,42 @@
+package cmd
+
+import (
+	"github.com/jet/kube-webhook-certgen/pkg/certs"
+	"github.com/jet/kube-webhook-certgen/pkg/k8s"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+var (
+	create = &cobra.Command{
+		Use:    "create",
+		Short:  "Generate a ca and server cert+key and store the results in a secret 'secret-name' in 'namespace'",
+		Long:   "Generate a ca and server cert+key and store the results in a secret 'secret-name' in 'namespace'",
+		PreRun: configureLogging,
+		Run:    createCommand}
+)
+
+func createCommand(cmd *cobra.Command, args []string) {
+	k := k8s.New(cfg.kubeconfig)
+	ca := k.GetCaFromSecret(cfg.secretName, cfg.namespace)
+	if ca == nil {
+		log.Info("creating new secret")
+		newCa, newCert, newKey := certs.GenerateCerts(cfg.host)
+		ca = newCa
+		k.SaveCertsToSecret(cfg.secretName, cfg.namespace, cfg.certName, cfg.keyName, ca, newCert, newKey)
+	} else {
+		log.Info("secret already exists")
+	}
+}
+
+func init() {
+	rootCmd.AddCommand(create)
+	create.Flags().StringVar(&cfg.host, "host", "", "Comma-separated hostnames and IPs to generate a certificate for")
+	create.Flags().StringVar(&cfg.secretName, "secret-name", "", "Name of the secret where certificate information will be written")
+	create.Flags().StringVar(&cfg.namespace, "namespace", "", "Namespace of the secret where certificate information will be written")
+	create.Flags().StringVar(&cfg.certName, "cert-name", "cert", "Name of cert file in the secret")
+	create.Flags().StringVar(&cfg.keyName, "key-name", "key", "Name of key file in the secret")
+	create.MarkFlagRequired("host")
+	create.MarkFlagRequired("secret-name")
+	create.MarkFlagRequired("namespace")
+}
diff --git a/images/kube-webhook-certgen/rootfs/cmd/patch.go b/images/kube-webhook-certgen/rootfs/cmd/patch.go
new file mode 100755
index 000000000..b74eb1f3a
--- /dev/null
+++ b/images/kube-webhook-certgen/rootfs/cmd/patch.go
@@ -0,0 +1,62 @@
+package cmd
+
+import (
+	"os"
+
+	"github.com/jet/kube-webhook-certgen/pkg/k8s"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	admissionv1 "k8s.io/api/admissionregistration/v1"
+)
+
+var (
+	patch = &cobra.Command{
+		Use:    "patch",
+		Short:  "Patch a validatingwebhookconfiguration and mutatingwebhookconfiguration 'webhook-name' by using the ca from 'secret-name' in 'namespace'",
+		Long:   "Patch a validatingwebhookconfiguration and mutatingwebhookconfiguration 'webhook-name' by using the ca from 'secret-name' in 'namespace'",
+		PreRun: prePatchCommand,
+		Run:    patchCommand}
+)
+
+func prePatchCommand(cmd *cobra.Command, args []string) {
+	configureLogging(cmd, args)
+	if cfg.patchMutating == false && cfg.patchValidating == false {
+		log.Fatal("patch-validating=false, patch-mutating=false. You must patch at least one kind of webhook, otherwise this command is a no-op")
+		os.Exit(1)
+	}
+	switch cfg.patchFailurePolicy {
+	case "":
+		break
+	case "Ignore":
+	case "Fail":
+		failurePolicy = admissionv1.FailurePolicyType(cfg.patchFailurePolicy)
+		break
+	default:
+		log.Fatalf("patch-failure-policy %s is not valid", cfg.patchFailurePolicy)
+		os.Exit(1)
+	}
+}
+
+func patchCommand(_ *cobra.Command, _ []string) {
+	k := k8s.New(cfg.kubeconfig)
+	ca := k.GetCaFromSecret(cfg.secretName, cfg.namespace)
+
+	if ca == nil {
+		log.Fatalf("no secret with '%s' in '%s'", cfg.secretName, cfg.namespace)
+	}
+
+	k.PatchWebhookConfigurations(cfg.webhookName, ca, &failurePolicy, cfg.patchMutating, cfg.patchValidating)
+}
+
+func init() {
+	rootCmd.AddCommand(patch)
+	patch.Flags().StringVar(&cfg.secretName, "secret-name", "", "Name of the secret where certificate information will be read from")
+	patch.Flags().StringVar(&cfg.namespace, "namespace", "", "Namespace of the secret where certificate information will be read from")
+	patch.Flags().StringVar(&cfg.webhookName, "webhook-name", "", "Name of validatingwebhookconfiguration and mutatingwebhookconfiguration that will be updated")
+	patch.Flags().BoolVar(&cfg.patchValidating, "patch-validating", true, "If true, patch validatingwebhookconfiguration")
+	patch.Flags().BoolVar(&cfg.patchMutating, "patch-mutating", true, "If true, patch mutatingwebhookconfiguration")
+	patch.Flags().StringVar(&cfg.patchFailurePolicy, "patch-failure-policy", "", "If set, patch the webhooks with this failure policy. Valid options are Ignore or Fail")
+	patch.MarkFlagRequired("secret-name")
+	patch.MarkFlagRequired("namespace")
+	patch.MarkFlagRequired("webhook-name")
+}
diff --git a/images/kube-webhook-certgen/rootfs/cmd/root.go b/images/kube-webhook-certgen/rootfs/cmd/root.go
new file mode 100755
index 000000000..bee41c26c
--- /dev/null
+++ b/images/kube-webhook-certgen/rootfs/cmd/root.go
@@ -0,0 +1,83 @@
+package cmd
+
+import (
+	"os"
+
+	"github.com/onrik/logrus/filename"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	admissionv1 "k8s.io/api/admissionregistration/v1"
+)
+
+var (
+	rootCmd = &cobra.Command{
+		Use:   "kube-webhook-certgen",
+		Short: "Create certificates and patch them to admission hooks",
+		Long: `Use this to create a ca and signed certificates and patch admission webhooks to allow for quick
+	           installation and configuration of validating and admission webhooks.`,
+		PreRun: configureLogging,
+		Run:    rootCommand,
+	}
+
+	cfg = struct {
+		logLevel           string
+		logfmt             string
+		secretName         string
+		namespace          string
+		certName           string
+		keyName            string
+		host               string
+		webhookName        string
+		patchValidating    bool
+		patchMutating      bool
+		patchFailurePolicy string
+		kubeconfig         string
+	}{}
+
+	failurePolicy admissionv1.FailurePolicyType
+)
+
+// Execute is the main entry point for the program
+func Execute() {
+	if err := rootCmd.Execute(); err != nil {
+		os.Exit(1)
+	}
+}
+
+func init() {
+	filenameHook := filename.NewHook()
+	filenameHook.Field = "source"
+	log.AddHook(filenameHook)
+	log.SetOutput(os.Stdout)
+	log.SetLevel(log.TraceLevel)
+	rootCmd.Flags()
+	rootCmd.PersistentFlags().StringVar(&cfg.logLevel, "log-level", "info", "Log level: panic|fatal|error|warn|info|debug|trace")
+	rootCmd.PersistentFlags().StringVar(&cfg.logfmt, "log-format", "json", "Log format: text|json")
+	rootCmd.PersistentFlags().StringVar(&cfg.kubeconfig, "kubeconfig", "", "Path to kubeconfig file: e.g. ~/.kube/kind-config-kind")
+}
+
+func configureLogging(_ *cobra.Command, _ []string) {
+	l, err := log.ParseLevel(cfg.logLevel)
+	if err != nil {
+		log.WithField("err", err).Fatal("Invalid error level")
+	}
+	log.SetLevel(l)
+	log.SetFormatter(getFormatter(cfg.logfmt))
+}
+
+func rootCommand(cmd *cobra.Command, _ []string) {
+	cmd.Help()
+	os.Exit(1)
+}
+
+func getFormatter(logfmt string) log.Formatter {
+	switch logfmt {
+	case "json":
+		return &log.JSONFormatter{}
+	case "text":
+		return &log.TextFormatter{}
+	}
+
+	log.Fatalf("invalid log format '%s'", logfmt)
+	return nil
+}
diff --git a/images/kube-webhook-certgen/rootfs/cmd/version.go b/images/kube-webhook-certgen/rootfs/cmd/version.go
new file mode 100644
index 000000000..8ec051acc
--- /dev/null
+++ b/images/kube-webhook-certgen/rootfs/cmd/version.go
@@ -0,0 +1,25 @@
+package cmd
+
+import (
+	"fmt"
+	"runtime"
+
+	"github.com/jet/kube-webhook-certgen/core"
+	"github.com/spf13/cobra"
+)
+
+var version = &cobra.Command{
+	Use:   "version",
+	Short: "Prints the CLI version information",
+	Run:   versionCmdRun,
+}
+
+func versionCmdRun(cmd *cobra.Command, args []string) {
+	fmt.Printf("%s\n", core.Version)
+	fmt.Printf("build %s\n", core.BuildTime)
+	fmt.Printf("%s\n", runtime.Version())
+}
+
+func init() {
+	rootCmd.AddCommand(version)
+}
diff --git a/images/kube-webhook-certgen/rootfs/core/version.go b/images/kube-webhook-certgen/rootfs/core/version.go
new file mode 100644
index 000000000..d20623567
--- /dev/null
+++ b/images/kube-webhook-certgen/rootfs/core/version.go
@@ -0,0 +1,8 @@
+package core
+
+var (
+	// Version is the current Semantic Version
+	Version = "0.0.1-dev"
+	// BuildTime is the timestamp (ISO-8601) of the build
+	BuildTime = "0001-01-01T00:00:00Z"
+)
diff --git a/images/kube-webhook-certgen/rootfs/go.mod b/images/kube-webhook-certgen/rootfs/go.mod
new file mode 100644
index 000000000..092a1aa82
--- /dev/null
+++ b/images/kube-webhook-certgen/rootfs/go.mod
@@ -0,0 +1,13 @@
+module github.com/jet/kube-webhook-certgen
+
+go 1.16
+
+require (
+	github.com/onrik/logrus v0.9.0
+	github.com/sirupsen/logrus v1.8.1
+	github.com/spf13/cobra v1.2.1
+	github.com/tidwall/gjson v1.8.1 // indirect
+	k8s.io/api v0.22.0
+	k8s.io/apimachinery v0.22.0
+	k8s.io/client-go v0.22.0
+)
diff --git a/images/kube-webhook-certgen/rootfs/go.sum b/images/kube-webhook-certgen/rootfs/go.sum
new file mode 100644
index 000000000..c7667b99a
--- /dev/null
+++ b/images/kube-webhook-certgen/rootfs/go.sum
@@ -0,0 +1,714 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
+cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
+cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
+cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
+cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
+cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
+cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
+cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
+cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
+cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=
+cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
+cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
+cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
+cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI=
+cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk=
+cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg=
+cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8=
+cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0=
+cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
+cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
+cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
+cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
+cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
+cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
+cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
+cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
+cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
+cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
+cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
+cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
+cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
+cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
+cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
+cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
+cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
+cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
+dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
+github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
+github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA=
+github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M=
+github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
+github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
+github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
+github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
+github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
+github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
+github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
+github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
+github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
+github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
+github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
+github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
+github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
+github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
+github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/evanphx/json-patch v4.11.0+incompatible h1:glyUF9yIYtMHzn8xaKw5rMhdWcwsYV8dZHIq5567/xs=
+github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
+github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
+github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
+github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
+github.com/go-logr/logr v0.4.0 h1:K7/B1jt6fIBQVd4Owv2MqGQClcgf0R266+7C/QjRcLc=
+github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
+github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
+github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
+github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
+github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
+github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
+github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
+github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
+github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
+github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
+github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
+github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
+github.com/googleapis/gnostic v0.5.5 h1:9fHAtK0uDfpveeqqo1hkEZJcFvYXAiCN3UutL8F9xHw=
+github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA=
+github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
+github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
+github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
+github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
+github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
+github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
+github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
+github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
+github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
+github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
+github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
+github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
+github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
+github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
+github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
+github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q=
+github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
+github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.11 h1:uVUAXhF2To8cbw/3xN3pxj6kk7TYKs98NIrTqPlMWAQ=
+github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
+github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
+github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
+github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
+github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
+github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
+github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
+github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg=
+github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
+github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
+github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
+github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78=
+github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
+github.com/onrik/logrus v0.9.0 h1:oT7VstCUxWBoX7fswYK61fi9bzRBSpROq5CR2b7wxQo=
+github.com/onrik/logrus v0.9.0/go.mod h1:qfe9NeZVAJfIxviw3cYkZo3kvBtLoPRJriAO8zl7qTk=
+github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
+github.com/onsi/ginkgo v1.14.0 h1:2mOpI4JVVPBN+WQRa0WKH2eXR+Ey+uK4n7Zj0aYpIQA=
+github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
+github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
+github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
+github.com/onsi/gomega v1.10.1 h1:o0+MgICZLuZ7xjH7Vx6zS/zcu93/BEp1VwkIW1mEXCE=
+github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
+github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
+github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
+github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
+github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
+github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
+github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
+github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
+github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
+github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
+github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
+github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
+github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cobra v1.2.1 h1:+KmjbUw1hriSNMF55oPrkZcb27aECyrj8V2ytv7kWDw=
+github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk=
+github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
+github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
+github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
+github.com/tidwall/gjson v1.8.1 h1:8j5EE9Hrh3l9Od1OIEDAb7IpezNA20UdRngNAj5N0WU=
+github.com/tidwall/gjson v1.8.1/go.mod h1:5/xDoumyyDNerp2U36lyolv46b3uF/9Bu6OfyQ9GImk=
+github.com/tidwall/match v1.0.3 h1:FQUVvBImDutD8wJLN6c5eMzWtjgONK9MwIBCOrUJKeE=
+github.com/tidwall/match v1.0.3/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.1.0 h1:K3hMW5epkdAVwibsQEfR/7Zj0Qgt4DxtNumTq/VloO8=
+github.com/tidwall/pretty v1.1.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
+github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
+go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
+go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ=
+go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
+go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
+go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
+go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
+go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
+go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
+golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
+golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
+golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
+golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
+golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
+golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
+golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
+golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
+golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
+golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
+golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20210520170846-37e1c6afe023 h1:ADo5wSpq2gqaCGQWzk7S5vd//0iyyLeAratkEoG5dLE=
+golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602 h1:0Ja1LBD+yisY6RWM/BH7TJVXWsSjs2VwBSmvSX4HdBc=
+golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210616094352-59db8d763f22 h1:RqytpXGR1iVNX7psjB3ff8y7sNFinVFvkx1c8SjBkio=
+golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d h1:SZxvLBoTP5yHO3Frd4z4vrF+DBX9vMVanchswa69toE=
+golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac h1:7zkz7BUtwNFFqcowJ+RIgu2MaV/MapERkDIy+mwPyjs=
+golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
+golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
+golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
+golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
+golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
+golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
+google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
+google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
+google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
+google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
+google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
+google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
+google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE=
+google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
+google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
+google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94=
+google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
+google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
+google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
+google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
+google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
+google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
+google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
+google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
+google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
+google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
+google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
+google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
+google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
+google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
+google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
+google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
+google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
+honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+k8s.io/api v0.22.0 h1:elCpMZ9UE8dLdYxr55E06TmSeji9I3KH494qH70/y+c=
+k8s.io/api v0.22.0/go.mod h1:0AoXXqst47OI/L0oGKq9DG61dvGRPXs7X4/B7KyjBCU=
+k8s.io/apimachinery v0.22.0 h1:CqH/BdNAzZl+sr3tc0D3VsK3u6ARVSo3GWyLmfIjbP0=
+k8s.io/apimachinery v0.22.0/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0=
+k8s.io/client-go v0.22.0 h1:sD6o9O6tCwUKCENw8v+HFsuAbq2jCu8cWC61/ydwA50=
+k8s.io/client-go v0.22.0/go.mod h1:GUjIuXR5PiEv/RVK5OODUsm6eZk7wtSWZSaSJbpFdGg=
+k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
+k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
+k8s.io/klog/v2 v2.9.0 h1:D7HV+n1V57XeZ0m6tdRkfknthUaM06VFbWldOFh8kzM=
+k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
+k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e h1:KLHHjkdQFomZy8+06csTWZ0m1343QqxZhR2LJ1OxCYM=
+k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw=
+k8s.io/utils v0.0.0-20210707171843-4b05e18ac7d9 h1:imL9YgXQ9p7xmPzHFm/vVd/cF78jad+n4wK1ABwYtMM=
+k8s.io/utils v0.0.0-20210707171843-4b05e18ac7d9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
+rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
+sigs.k8s.io/structured-merge-diff/v4 v4.1.2 h1:Hr/htKFmJEbtMgS/UD0N+gtgctAqz81t3nu+sPzynno=
+sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=
+sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
+sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
diff --git a/images/kube-webhook-certgen/rootfs/main.go b/images/kube-webhook-certgen/rootfs/main.go
new file mode 100644
index 000000000..e6594e777
--- /dev/null
+++ b/images/kube-webhook-certgen/rootfs/main.go
@@ -0,0 +1,9 @@
+package main
+
+import (
+	"github.com/jet/kube-webhook-certgen/cmd"
+)
+
+func main() {
+	cmd.Execute()
+}
diff --git a/images/kube-webhook-certgen/rootfs/pkg/certs/certs.go b/images/kube-webhook-certgen/rootfs/pkg/certs/certs.go
new file mode 100644
index 000000000..3e60f3311
--- /dev/null
+++ b/images/kube-webhook-certgen/rootfs/pkg/certs/certs.go
@@ -0,0 +1,99 @@
+package certs
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	log "github.com/sirupsen/logrus"
+	"math/big"
+	"net"
+	"strings"
+	"time"
+)
+
+// GenerateCerts venerates a ca with a leaf certificate and key and returns the ca, cert and key as PEM encoded slices
+func GenerateCerts(host string) (ca []byte, cert []byte, key []byte) {
+	notBefore := time.Now().Add(time.Minute * -5)
+	notAfter := notBefore.Add(100 * 365 * 24 * time.Hour)
+
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		log.WithField("err", err).Fatal("failed to generate serial number")
+	}
+	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		log.WithField("err", err).Fatal("failed scdsa.GenerateKey")
+	}
+
+	rootTemplate := x509.Certificate{
+		SerialNumber:          serialNumber,
+		NotBefore:             notBefore,
+		NotAfter:              notAfter,
+		KeyUsage:              x509.KeyUsageCertSign,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+		Subject:               pkix.Name{Organization: []string{"nil1"}},
+	}
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, &rootTemplate, &rootTemplate, &rootKey.PublicKey, rootKey)
+	if err != nil {
+		log.WithField("err", err).Fatal("failed createCertificate for Ca")
+	}
+
+	ca = encodeCert(derBytes)
+
+	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		log.WithField("err", err).Fatal("failed createLeafKey for certificate")
+	}
+
+	key = encodeKey(leafKey)
+
+	serialNumber, err = rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		log.WithField("err", err).Fatal("failed to generate serial number")
+	}
+	leafTemplate := x509.Certificate{
+		SerialNumber:          serialNumber,
+		NotBefore:             notBefore,
+		NotAfter:              notAfter,
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		IsCA:                  false,
+		Subject:               pkix.Name{Organization: []string{"nil2"}},
+	}
+	hosts := strings.Split(host, ",")
+	for _, h := range hosts {
+		if ip := net.ParseIP(h); ip != nil {
+			leafTemplate.IPAddresses = append(leafTemplate.IPAddresses, ip)
+		} else {
+			leafTemplate.DNSNames = append(leafTemplate.DNSNames, h)
+		}
+	}
+
+	derBytes, err = x509.CreateCertificate(rand.Reader, &leafTemplate, &rootTemplate, &leafKey.PublicKey, rootKey)
+	if err != nil {
+		log.WithField("err", err).Fatal("failed createLeaf certificate")
+	}
+
+	cert = encodeCert(derBytes)
+	return ca, cert, key
+}
+
+func encodeKey(key *ecdsa.PrivateKey) []byte {
+	b, err := x509.MarshalECPrivateKey(key)
+	if err != nil {
+		log.WithField("err", err).Fatal("unable to marshal ECDSA private key")
+	}
+	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: b})
+}
+
+func encodeCert(derBytes []byte) []byte {
+	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+}
diff --git a/images/kube-webhook-certgen/rootfs/pkg/certs/certs_test.go b/images/kube-webhook-certgen/rootfs/pkg/certs/certs_test.go
new file mode 100644
index 000000000..e8fa0bb18
--- /dev/null
+++ b/images/kube-webhook-certgen/rootfs/pkg/certs/certs_test.go
@@ -0,0 +1,61 @@
+package certs
+
+import (
+	"bytes"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func handler(w http.ResponseWriter, r *http.Request) {
+	_, _ = fmt.Fprintf(w, "Hello World")
+}
+
+func TestCertificateCreation(t *testing.T) {
+
+	ca, cert, key := GenerateCerts("localhost")
+
+	c, err := tls.X509KeyPair(cert, key)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM(ca)
+
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			RootCAs:    caCertPool,
+			ServerName: "localhost"}}
+
+	ts := httptest.NewUnstartedServer(http.HandlerFunc(handler))
+	ts.TLS = &tls.Config{Certificates: []tls.Certificate{c}}
+	ts.StartTLS()
+	defer ts.Close()
+
+	client := &http.Client{Transport: tr}
+	res, err := client.Get(ts.URL)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer res.Body.Close()
+
+	if res.StatusCode != http.StatusOK {
+		t.Errorf("Response code was %v; want 200", res.StatusCode)
+	}
+
+	body, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expected := []byte("Hello World")
+
+	if bytes.Compare(expected, body) != 0 {
+		t.Errorf("Response body was '%v'; want '%v'", expected, body)
+	}
+}
diff --git a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go
new file mode 100755
index 000000000..f0f21abd8
--- /dev/null
+++ b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go
@@ -0,0 +1,138 @@
+package k8s
+
+import (
+	"context"
+
+	log "github.com/sirupsen/logrus"
+	admissionv1 "k8s.io/api/admissionregistration/v1"
+	v1 "k8s.io/api/core/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+type k8s struct {
+	clientset kubernetes.Interface
+}
+
+func New(kubeconfig string) *k8s {
+	config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
+	if err != nil {
+		log.WithError(err).Fatal("error building kubernetes config")
+	}
+
+	c, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		log.WithError(err).Fatal("error creating kubernetes client")
+	}
+
+	return &k8s{clientset: c}
+}
+
+// PatchWebhookConfigurations will patch validatingWebhook and mutatingWebhook clientConfig configurations with
+// the provided ca data. If failurePolicy is provided, patch all webhooks with this value
+func (k8s *k8s) PatchWebhookConfigurations(
+	configurationNames string, ca []byte,
+	failurePolicy *admissionv1.FailurePolicyType,
+	patchMutating bool, patchValidating bool) {
+
+	log.Infof("patching webhook configurations '%s' mutating=%t, validating=%t, failurePolicy=%s", configurationNames, patchMutating, patchValidating, *failurePolicy)
+
+	if patchValidating {
+		valHook, err := k8s.clientset.
+			AdmissionregistrationV1().
+			ValidatingWebhookConfigurations().
+			Get(context.TODO(), configurationNames, metav1.GetOptions{})
+
+		if err != nil {
+			log.WithField("err", err).Fatal("failed getting validating webhook")
+		}
+
+		for i := range valHook.Webhooks {
+			h := &valHook.Webhooks[i]
+			h.ClientConfig.CABundle = ca
+			if *failurePolicy != "" {
+				h.FailurePolicy = failurePolicy
+			}
+		}
+
+		if _, err = k8s.clientset.AdmissionregistrationV1().
+			ValidatingWebhookConfigurations().
+			Update(context.TODO(), valHook, metav1.UpdateOptions{}); err != nil {
+			log.WithField("err", err).Fatal("failed patching validating webhook")
+		}
+		log.Debug("patched validating hook")
+	} else {
+		log.Debug("validating hook patching not required")
+	}
+
+	if patchMutating {
+		mutHook, err := k8s.clientset.
+			AdmissionregistrationV1().
+			MutatingWebhookConfigurations().
+			Get(context.TODO(), configurationNames, metav1.GetOptions{})
+		if err != nil {
+			log.WithField("err", err).Fatal("failed getting validating webhook")
+		}
+
+		for i := range mutHook.Webhooks {
+			h := &mutHook.Webhooks[i]
+			h.ClientConfig.CABundle = ca
+			if *failurePolicy != "" {
+				h.FailurePolicy = failurePolicy
+			}
+		}
+
+		if _, err = k8s.clientset.AdmissionregistrationV1().
+			MutatingWebhookConfigurations().
+			Update(context.TODO(), mutHook, metav1.UpdateOptions{}); err != nil {
+			log.WithField("err", err).Fatal("failed patching validating webhook")
+		}
+		log.Debug("patched mutating hook")
+	} else {
+		log.Debug("mutating hook patching not required")
+	}
+
+	log.Info("Patched hook(s)")
+}
+
+// GetCaFromSecret will check for the presence of a secret. If it exists, will return the content of the
+// "ca" from the secret, otherwise will return nil
+func (k8s *k8s) GetCaFromSecret(secretName string, namespace string) []byte {
+	log.Debugf("getting secret '%s' in namespace '%s'", secretName, namespace)
+	secret, err := k8s.clientset.CoreV1().Secrets(namespace).Get(context.TODO(), secretName, metav1.GetOptions{})
+	if err != nil {
+		if k8serrors.IsNotFound(err) {
+			log.WithField("err", err).Info("no secret found")
+			return nil
+		}
+		log.WithField("err", err).Fatal("error getting secret")
+	}
+
+	data := secret.Data["ca"]
+	if data == nil {
+		log.Fatal("got secret, but it did not contain a 'ca' key")
+	}
+	log.Debug("got secret")
+	return data
+}
+
+// SaveCertsToSecret saves the provided ca, cert and key into a secret in the specified namespace.
+func (k8s *k8s) SaveCertsToSecret(secretName, namespace, certName, keyName string, ca, cert, key []byte) {
+
+	log.Debugf("saving to secret '%s' in namespace '%s'", secretName, namespace)
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: secretName,
+		},
+		Data: map[string][]byte{"ca": ca, certName: cert, keyName: key},
+	}
+
+	log.Debug("saving secret")
+	_, err := k8s.clientset.CoreV1().Secrets(namespace).Create(context.TODO(), secret, metav1.CreateOptions{})
+	if err != nil {
+		log.WithField("err", err).Fatal("failed creating secret")
+	}
+	log.Debug("saved secret")
+}
diff --git a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go
new file mode 100644
index 000000000..d2a82682f
--- /dev/null
+++ b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go
@@ -0,0 +1,159 @@
+package k8s
+
+import (
+	"bytes"
+	"context"
+	"math/rand"
+	"testing"
+
+	admissionv1 "k8s.io/api/admissionregistration/v1"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes/fake"
+)
+
+const (
+	testWebhookName = "c7c95710-d8c3-4cc3-a2a8-8d2b46909c76"
+	testSecretName  = "15906410-af2a-4f9b-8a2d-c08ffdd5e129"
+	testNamespace   = "7cad5f92-c0d5-4bc9-87a3-6f44d5a5619d"
+)
+
+var (
+	fail   = admissionv1.Fail
+	ignore = admissionv1.Ignore
+)
+
+func genSecretData() (ca, cert, key []byte) {
+	ca = make([]byte, 4)
+	cert = make([]byte, 4)
+	key = make([]byte, 4)
+	rand.Read(cert)
+	rand.Read(key)
+	return
+}
+
+func newTestSimpleK8s() *k8s {
+	return &k8s{
+		clientset: fake.NewSimpleClientset(),
+	}
+}
+
+func TestGetCaFromCertificate(t *testing.T) {
+	k := newTestSimpleK8s()
+
+	ca, cert, key := genSecretData()
+
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: testSecretName,
+		},
+		Data: map[string][]byte{"ca": ca, "cert": cert, "key": key},
+	}
+
+	k.clientset.CoreV1().Secrets(testNamespace).Create(context.Background(), secret, metav1.CreateOptions{})
+
+	retrievedCa := k.GetCaFromSecret(testSecretName, testNamespace)
+	if !bytes.Equal(retrievedCa, ca) {
+		t.Error("Was not able to retrieve CA information that was saved")
+	}
+}
+
+func TestSaveCertsToSecret(t *testing.T) {
+	k := newTestSimpleK8s()
+
+	ca, cert, key := genSecretData()
+
+	k.SaveCertsToSecret(testSecretName, testNamespace, "cert", "key", ca, cert, key)
+
+	secret, _ := k.clientset.CoreV1().Secrets(testNamespace).Get(context.Background(), testSecretName, metav1.GetOptions{})
+
+	if !bytes.Equal(secret.Data["cert"], cert) {
+		t.Error("'cert' saved data does not match retrieved")
+	}
+
+	if !bytes.Equal(secret.Data["key"], key) {
+		t.Error("'key' saved data does not match retrieved")
+	}
+}
+
+func TestSaveThenLoadSecret(t *testing.T) {
+	k := newTestSimpleK8s()
+	ca, cert, key := genSecretData()
+	k.SaveCertsToSecret(testSecretName, testNamespace, "cert", "key", ca, cert, key)
+	retrievedCert := k.GetCaFromSecret(testSecretName, testNamespace)
+	if !bytes.Equal(retrievedCert, ca) {
+		t.Error("Was not able to retrieve CA information that was saved")
+	}
+}
+
+func TestPatchWebhookConfigurations(t *testing.T) {
+	k := newTestSimpleK8s()
+
+	ca, _, _ := genSecretData()
+
+	k.clientset.
+		AdmissionregistrationV1().
+		MutatingWebhookConfigurations().
+		Create(context.Background(), &admissionv1.MutatingWebhookConfiguration{
+			TypeMeta: metav1.TypeMeta{},
+			ObjectMeta: metav1.ObjectMeta{
+				Name: testWebhookName,
+			},
+			Webhooks: []admissionv1.MutatingWebhook{{Name: "m1"}, {Name: "m2"}}}, metav1.CreateOptions{})
+
+	k.clientset.
+		AdmissionregistrationV1().
+		ValidatingWebhookConfigurations().
+		Create(context.Background(), &admissionv1.ValidatingWebhookConfiguration{
+			TypeMeta: metav1.TypeMeta{},
+			ObjectMeta: metav1.ObjectMeta{
+				Name: testWebhookName,
+			},
+			Webhooks: []admissionv1.ValidatingWebhook{{Name: "v1"}, {Name: "v2"}}}, metav1.CreateOptions{})
+
+	k.PatchWebhookConfigurations(testWebhookName, ca, &fail, true, true)
+
+	whmut, err := k.clientset.
+		AdmissionregistrationV1().
+		MutatingWebhookConfigurations().
+		Get(context.Background(), testWebhookName, metav1.GetOptions{})
+
+	if err != nil {
+		t.Error(err)
+	}
+
+	whval, err := k.clientset.
+		AdmissionregistrationV1beta1().
+		MutatingWebhookConfigurations().
+		Get(context.Background(), testWebhookName, metav1.GetOptions{})
+
+	if err != nil {
+		t.Error(err)
+	}
+
+	if !bytes.Equal(whmut.Webhooks[0].ClientConfig.CABundle, ca) {
+		t.Error("Ca retrieved from first mutating webhook configuration does not match")
+	}
+	if !bytes.Equal(whmut.Webhooks[1].ClientConfig.CABundle, ca) {
+		t.Error("Ca retrieved from second mutating webhook configuration does not match")
+	}
+	if !bytes.Equal(whval.Webhooks[0].ClientConfig.CABundle, ca) {
+		t.Error("Ca retrieved from first validating webhook configuration does not match")
+	}
+	if !bytes.Equal(whval.Webhooks[1].ClientConfig.CABundle, ca) {
+		t.Error("Ca retrieved from second validating webhook configuration does not match")
+	}
+	if whmut.Webhooks[0].FailurePolicy == nil {
+		t.Errorf("Expected first mutating webhook failure policy to be set to %s", fail)
+	}
+	if whmut.Webhooks[1].FailurePolicy == nil {
+		t.Errorf("Expected second mutating webhook failure policy to be set to %s", fail)
+	}
+	if whval.Webhooks[0].FailurePolicy == nil {
+		t.Errorf("Expected first validating webhook failure policy to be set to %s", fail)
+	}
+	if whval.Webhooks[1].FailurePolicy == nil {
+		t.Errorf("Expected second validating webhook failure policy to be set to %s", fail)
+	}
+
+}

From 576525dd7262a8da5425db664a76b33e9d803a11 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rkatz@vmware.com>
Date: Tue, 10 Aug 2021 18:06:41 -0300
Subject: [PATCH 052/376] Trigger webhook image generation

---
 images/kube-webhook-certgen/cloudbuild.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/images/kube-webhook-certgen/cloudbuild.yaml b/images/kube-webhook-certgen/cloudbuild.yaml
index 8282daf52..8bdd225c5 100644
--- a/images/kube-webhook-certgen/cloudbuild.yaml
+++ b/images/kube-webhook-certgen/cloudbuild.yaml
@@ -34,4 +34,4 @@ steps:
       && make push
 substitutions:
   _GIT_TAG: "12345"
-  _PULL_BASE_REF: "master"
\ No newline at end of file
+  _PULL_BASE_REF: "main"

From 8ee98e9422e2f22b8ce209fd3c3e1b9257546e92 Mon Sep 17 00:00:00 2001
From: Robin Elfrink <robin.elfrink@eu.equinix.com>
Date: Wed, 11 Aug 2021 08:53:44 +0200
Subject: [PATCH 053/376] Make custom-default-backend upstream name more
 unique.

Signed-off-by: Robin Elfrink <robin.elfrink@eu.equinix.com>
---
 internal/ingress/controller/controller.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 66fbd752d..ab0d9ab6d 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -724,7 +724,7 @@ func (n *NGINXController) getBackendServers(ingresses []*ingress.Ingress) ([]*in
 				endps := getEndpoints(location.DefaultBackend, &sp, apiv1.ProtocolTCP, n.store.GetServiceEndpoints)
 				// custom backend is valid only if contains at least one endpoint
 				if len(endps) > 0 {
-					name := fmt.Sprintf("custom-default-backend-%v", location.DefaultBackend.GetName())
+					name := fmt.Sprintf("custom-default-backend-%v-%v", location.DefaultBackend.GetNamespace(), location.DefaultBackend.GetName())
 					klog.V(3).Infof("Creating \"%v\" upstream based on default backend annotation", name)
 
 					nb := upstream.DeepCopy()

From 7842d732b00489daf0df2bf566f1d5f5226707aa Mon Sep 17 00:00:00 2001
From: Noah Ispas <13436814+iamNoah1@users.noreply.github.com>
Date: Thu, 12 Aug 2021 19:35:48 +0200
Subject: [PATCH 054/376] update e2e test images to newest promoted one (#7485)

---
 build/run-in-docker.sh           | 2 +-
 test/e2e-image/Dockerfile        | 2 +-
 test/e2e/framework/deployment.go | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh
index cbe7b791b..01211c796 100755
--- a/build/run-in-docker.sh
+++ b/build/run-in-docker.sh
@@ -37,7 +37,7 @@ function cleanup {
 }
 trap cleanup EXIT
 
-E2E_IMAGE=${E2E_IMAGE:-k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210806-g26768e957@sha256:0f3c0d0bda953aa7f1164c452cc0165ce8a0c72469b550988a9601c539f61608}
+E2E_IMAGE=${E2E_IMAGE:-k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210810-g820a21a74@sha256:7d7393a8c6c72d76145282df53ea0679a5b769211fd1cd6b8910b6dda1bd986d}
 
 DOCKER_OPTS=${DOCKER_OPTS:-}
 DOCKER_IN_DOCKER_ENABLED=${DOCKER_IN_DOCKER_ENABLED:-}
diff --git a/test/e2e-image/Dockerfile b/test/e2e-image/Dockerfile
index 8ff9729b1..f31ed184d 100644
--- a/test/e2e-image/Dockerfile
+++ b/test/e2e-image/Dockerfile
@@ -1,4 +1,4 @@
-FROM k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210806-g26768e957@sha256:0f3c0d0bda953aa7f1164c452cc0165ce8a0c72469b550988a9601c539f61608 AS BASE
+FROM k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210810-g820a21a74@sha256:7d7393a8c6c72d76145282df53ea0679a5b769211fd1cd6b8910b6dda1bd986d AS BASE
 
 FROM alpine:3.12
 
diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go
index 0705d0fce..79da5c2ca 100644
--- a/test/e2e/framework/deployment.go
+++ b/test/e2e/framework/deployment.go
@@ -55,7 +55,7 @@ func (f *Framework) NewEchoDeploymentWithReplicas(replicas int) {
 // replicas is configurable and
 // name is configurable
 func (f *Framework) NewEchoDeploymentWithNameAndReplicas(name string, replicas int) {
-	deployment := newDeployment(name, f.Namespace, "k8s.gcr.io/ingress-nginx/e2e-test-echo@sha256:b13e44f7bb6852b90633957e743e4a2b34f32f1694da556a9131b43950b8b2b1", 80, int32(replicas),
+	deployment := newDeployment(name, f.Namespace, "k8s.gcr.io/ingress-nginx/e2e-test-echo@sha256:131ece0637b29231470cfaa04690c2966a2e0b147d3c9df080a0857b78982410", 80, int32(replicas),
 		nil,
 		[]corev1.VolumeMount{},
 		[]corev1.Volume{},

From b510b0e930a00f0058521ab3d807a17c73eca712 Mon Sep 17 00:00:00 2001
From: yashikabadaya <34155789+yashikabadaya@users.noreply.github.com>
Date: Thu, 12 Aug 2021 23:37:50 +0530
Subject: [PATCH 055/376] Improved disableaccesslog tests (#7463)

1. Added check to validate if nginx ingress controller is reachable after disabling access log.
2. Added disable-stream-access-log test
---
 test/e2e/annotations/disableaccesslog.go | 31 ++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/test/e2e/annotations/disableaccesslog.go b/test/e2e/annotations/disableaccesslog.go
index dab54c561..1824af27c 100644
--- a/test/e2e/annotations/disableaccesslog.go
+++ b/test/e2e/annotations/disableaccesslog.go
@@ -22,6 +22,7 @@ import (
 	"github.com/onsi/ginkgo"
 
 	"k8s.io/ingress-nginx/test/e2e/framework"
+	"net/http"
 )
 
 var _ = framework.DescribeAnnotation("disable-access-log disable-http-access-log disable-stream-access-log", func() {
@@ -41,6 +42,12 @@ var _ = framework.DescribeAnnotation("disable-access-log disable-http-access-log
 		f.WaitForNginxConfiguration(func(ngx string) bool {
 			return strings.Contains(ngx, `access_log off;`)
 		})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK)
 	})
 
 	ginkgo.It("disable-http-access-log set access_log off", func() {
@@ -53,5 +60,29 @@ var _ = framework.DescribeAnnotation("disable-access-log disable-http-access-log
 		f.WaitForNginxConfiguration(func(ngx string) bool {
 			return strings.Contains(ngx, `access_log off;`)
 		})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK)
+	})
+
+	ginkgo.It("disable-stream-access-log set access_log off", func() {
+		host := "disablehttpaccesslog.foo.com"
+
+		f.UpdateNginxConfigMapData("disable-stream-access-log", "true")
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxConfiguration(func(ngx string) bool {
+			return strings.Contains(ngx, `access_log off;`)
+		})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK)
 	})
 })

From b591adac48d213102991f83a1bdfc21d78d0e733 Mon Sep 17 00:00:00 2001
From: Matthew Silverman <matthew.silverman@shopify.com>
Date: Thu, 12 Aug 2021 14:13:50 -0400
Subject: [PATCH 056/376] allow kb granularity for lua shared dicts (#6750)

Update internal/ingress/controller/template/configmap.go

Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com>

Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com>
---
 .../nginx-configuration/configmap.md          |  6 ++
 internal/ingress/controller/nginx.go          |  2 +-
 .../ingress/controller/template/configmap.go  | 49 +++++++---
 .../controller/template/configmap_test.go     | 92 +++++++++++++++++--
 .../ingress/controller/template/template.go   | 13 +--
 .../controller/template/template_test.go      |  8 +-
 rootfs/etc/nginx/template/nginx.tmpl          |  4 +-
 7 files changed, 140 insertions(+), 34 deletions(-)

diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index 54449df7c..850354105 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -1046,6 +1046,12 @@ For example following will set default `certificate_data` dictionary to `100M` a
 lua-shared-dicts: "certificate_data: 100, my_custom_plugin: 5"
 ```
 
+You can optionally set a size unit to allow for kilobyte-granularity. Allowed units are 'm' or 'k' (case-insensitive), and it defaults to MB if no unit is provided. Here is a similar example, but the `my_custom_plugin` dict is only 512KB.
+
+```
+lua-shared-dicts: "certificate_data: 100, my_custom_plugin: 512k"
+```
+
 _References:_
 [http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate_after](http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate_after)
 
diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go
index e5c47c9aa..11864ae6b 100644
--- a/internal/ingress/controller/nginx.go
+++ b/internal/ingress/controller/nginx.go
@@ -229,7 +229,7 @@ type NGINXController struct {
 	// runningConfig contains the running configuration in the Backend
 	runningConfig *ingress.Configuration
 
-	t ngx_template.TemplateWriter
+	t ngx_template.Writer
 
 	resolver []net.IP
 
diff --git a/internal/ingress/controller/template/configmap.go b/internal/ingress/controller/template/configmap.go
index 93a6b430d..4f3aca444 100644
--- a/internal/ingress/controller/template/configmap.go
+++ b/internal/ingress/controller/template/configmap.go
@@ -19,6 +19,7 @@ package template
 import (
 	"fmt"
 	"net"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -67,21 +68,22 @@ const (
 
 var (
 	validRedirectCodes    = sets.NewInt([]int{301, 302, 307, 308}...)
+	dictSizeRegex         = regexp.MustCompile(`^(\d+)([kKmM])?$`)
 	defaultLuaSharedDicts = map[string]int{
-		"configuration_data":            20,
-		"certificate_data":              20,
-		"balancer_ewma":                 10,
-		"balancer_ewma_last_touched_at": 10,
-		"balancer_ewma_locks":           1,
-		"certificate_servers":           5,
-		"ocsp_response_cache":           5, // keep this same as certificate_servers
-		"global_throttle_cache":         10,
+		"configuration_data":            20480,
+		"certificate_data":              20480,
+		"balancer_ewma":                 10240,
+		"balancer_ewma_last_touched_at": 10240,
+		"balancer_ewma_locks":           1024,
+		"certificate_servers":           5120,
+		"ocsp_response_cache":           5120, // keep this same as certificate_servers
+		"global_throttle_cache":         10240,
 	}
 	defaultGlobalAuthRedirectParam = "rd"
 )
 
 const (
-	maxAllowedLuaDictSize = 200
+	maxAllowedLuaDictSize = 204800
 	maxNumberOfLuaDicts   = 100
 )
 
@@ -117,18 +119,18 @@ func ReadConfig(src map[string]string) config.Configuration {
 			v = strings.Replace(v, " ", "", -1)
 			results := strings.SplitN(v, ":", 2)
 			dictName := results[0]
-			size, err := strconv.Atoi(results[1])
-			if err != nil {
-				klog.Errorf("Ignoring non integer value %v for Lua dictionary %v: %v.", results[1], dictName, err)
+			size := dictStrToKb(results[1])
+			if size < 0 {
+				klog.Errorf("Ignoring poorly formatted value %v for Lua dictionary %v", results[1], dictName)
 				continue
 			}
 			if size > maxAllowedLuaDictSize {
-				klog.Errorf("Ignoring %v for Lua dictionary %v: maximum size is %v.", size, dictName, maxAllowedLuaDictSize)
+				klog.Errorf("Ignoring %v for Lua dictionary %v: maximum size is %vk.", results[1], dictName, maxAllowedLuaDictSize)
 				continue
 			}
 			if len(luaSharedDicts)+1 > maxNumberOfLuaDicts {
 				klog.Errorf("Ignoring %v for Lua dictionary %v: can not configure more than %v dictionaries.",
-					size, dictName, maxNumberOfLuaDicts)
+					results[1], dictName, maxNumberOfLuaDicts)
 				continue
 			}
 
@@ -427,3 +429,22 @@ func splitAndTrimSpace(s, sep string) []string {
 
 	return values
 }
+
+func dictStrToKb(sizeStr string) int {
+	sizeMatch := dictSizeRegex.FindStringSubmatch(sizeStr)
+	if sizeMatch == nil {
+		return -1
+	}
+	size, _ := strconv.Atoi(sizeMatch[1]) // validated already with regex
+	if sizeMatch[2] == "" || strings.ToLower(sizeMatch[2]) == "m" {
+		size *= 1024
+	}
+	return size
+}
+
+func dictKbToStr(size int) string {
+	if size%1024 == 0 {
+		return fmt.Sprintf("%dM", size/1024)
+	}
+	return fmt.Sprintf("%dK", size)
+}
diff --git a/internal/ingress/controller/template/configmap_test.go b/internal/ingress/controller/template/configmap_test.go
index 65bb485ea..1f6ce2fe6 100644
--- a/internal/ingress/controller/template/configmap_test.go
+++ b/internal/ingress/controller/template/configmap_test.go
@@ -344,27 +344,32 @@ func TestLuaSharedDictsParsing(t *testing.T) {
 		{
 			name:   "configuration_data only",
 			entry:  map[string]string{"lua-shared-dicts": "configuration_data:5"},
-			expect: map[string]int{"configuration_data": 5},
+			expect: map[string]int{"configuration_data": 5120},
 		},
 		{
 			name:   "certificate_data only",
 			entry:  map[string]string{"lua-shared-dicts": "certificate_data: 4"},
-			expect: map[string]int{"certificate_data": 4},
+			expect: map[string]int{"certificate_data": 4096},
 		},
 		{
 			name:   "custom dicts",
 			entry:  map[string]string{"lua-shared-dicts": "configuration_data:   10, my_random_dict:15 ,   another_example:2"},
-			expect: map[string]int{"configuration_data": 10, "my_random_dict": 15, "another_example": 2},
+			expect: map[string]int{"configuration_data": 10240, "my_random_dict": 15360, "another_example": 2048},
 		},
 		{
 			name:   "invalid size value should be ignored",
-			entry:  map[string]string{"lua-shared-dicts": "mydict: 10, invalid_dict: 1a"},
-			expect: map[string]int{"mydict": 10},
+			entry:  map[string]string{"lua-shared-dicts": "mydict: 10, invalid_dict: 1a, bad_mb_dict:10mb"},
+			expect: map[string]int{"mydict": 10240},
 		},
 		{
 			name:   "dictionary size can not be larger than 200",
-			entry:  map[string]string{"lua-shared-dicts": "mydict: 10, invalid_dict: 201"},
-			expect: map[string]int{"mydict": 10},
+			entry:  map[string]string{"lua-shared-dicts": "mydict: 10, invalid_dict: 201, invalid_kb: 204801k"},
+			expect: map[string]int{"mydict": 10240},
+		},
+		{
+			name:   "specified units are interpreted properly",
+			entry:  map[string]string{"lua-shared-dicts": "kb_dict_a: 512k, mb_dict_a: 30m, kb_dict_b:16K, mb_dict_b:4M"},
+			expect: map[string]int{"kb_dict_a": 512, "mb_dict_a": 30720, "kb_dict_b": 16, "mb_dict_b": 4096},
 		},
 	}
 
@@ -418,3 +423,76 @@ func TestSplitAndTrimSpace(t *testing.T) {
 		}
 	}
 }
+
+func TestDictStrToKb(t *testing.T) {
+	testCases := []struct {
+		name   string
+		input  string
+		expect int
+	}{
+		{
+			name:   "unitless int size converted to kb",
+			input:  "50",
+			expect: 51200,
+		},
+		{
+			name:   "lowercase k accepted",
+			input:  "512k",
+			expect: 512,
+		},
+		{
+			name:   "uppercase K accepted",
+			input:  "512K",
+			expect: 512,
+		},
+		{
+			name:   "lowercase m accepted",
+			input:  "10m",
+			expect: 10240,
+		},
+		{
+			name:   "uppercase M accepted",
+			input:  "10M",
+			expect: 10240,
+		},
+		{
+			name:   "trailing characters fail",
+			input:  "50kb",
+			expect: -1,
+		},
+		{
+			name:   "leading characters fail",
+			input:  " 50k",
+			expect: -1,
+		},
+	}
+	for _, tc := range testCases {
+		if size := dictStrToKb(tc.input); size != tc.expect {
+			t.Errorf("Testing %v. Expected \"%v\" but \"%v\" was returned", tc.name, tc.expect, size)
+		}
+	}
+}
+
+func TestDictKbToStr(t *testing.T) {
+	testCases := []struct {
+		name   string
+		input  int
+		expect string
+	}{
+		{
+			name:   "mod 1024 reports as M",
+			input:  5120,
+			expect: "5M",
+		},
+		{
+			name:   "non-mod 1024 reports as K",
+			input:  5001,
+			expect: "5001K",
+		},
+	}
+	for _, tc := range testCases {
+		if sizeStr := dictKbToStr(tc.input); sizeStr != tc.expect {
+			t.Errorf("Testing %v. Expected \"%v\" but \"%v\" was returned", tc.name, tc.expect, sizeStr)
+		}
+	}
+}
diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go
index 522407a2f..3ba46681e 100644
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@@ -60,8 +60,8 @@ const (
 	stateComment
 )
 
-// TemplateWriter is the interface to render a template
-type TemplateWriter interface {
+// Writer is the interface to render a template
+type Writer interface {
 	Write(conf config.TemplateConfig) ([]byte, error)
 }
 
@@ -329,7 +329,8 @@ func buildLuaSharedDictionaries(c interface{}, s interface{}) string {
 	}
 
 	for name, size := range cfg.LuaSharedDicts {
-		out = append(out, fmt.Sprintf("lua_shared_dict %s %dM", name, size))
+		sizeStr := dictKbToStr(size)
+		out = append(out, fmt.Sprintf("lua_shared_dict %s %s", name, sizeStr))
 	}
 
 	sort.Strings(out)
@@ -341,16 +342,16 @@ func luaConfigurationRequestBodySize(c interface{}) string {
 	cfg, ok := c.(config.Configuration)
 	if !ok {
 		klog.Errorf("expected a 'config.Configuration' type but %T was returned", c)
-		return "100" // just a default number
+		return "100M" // just a default number
 	}
 
 	size := cfg.LuaSharedDicts["configuration_data"]
 	if size < cfg.LuaSharedDicts["certificate_data"] {
 		size = cfg.LuaSharedDicts["certificate_data"]
 	}
-	size = size + 1
+	size = size + 1024
 
-	return fmt.Sprintf("%d", size)
+	return dictKbToStr(size)
 }
 
 // configForLua returns some general configuration as Lua table represented as string
diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go
index abe7049b0..cb2d20b9a 100644
--- a/internal/ingress/controller/template/template_test.go
+++ b/internal/ingress/controller/template/template_test.go
@@ -214,7 +214,7 @@ func TestBuildLuaSharedDictionaries(t *testing.T) {
 	// config lua dict
 	cfg := config.Configuration{
 		LuaSharedDicts: map[string]int{
-			"configuration_data": 10, "certificate_data": 20,
+			"configuration_data": 10240, "certificate_data": 20480,
 		},
 	}
 	actual := buildLuaSharedDictionaries(cfg, invalidType)
@@ -255,13 +255,13 @@ func TestBuildLuaSharedDictionaries(t *testing.T) {
 func TestLuaConfigurationRequestBodySize(t *testing.T) {
 	cfg := config.Configuration{
 		LuaSharedDicts: map[string]int{
-			"configuration_data": 10, "certificate_data": 20,
+			"configuration_data": 10240, "certificate_data": 20480,
 		},
 	}
 
 	size := luaConfigurationRequestBodySize(cfg)
-	if size != "21" {
-		t.Errorf("expected the size to be 20 but got: %v", size)
+	if size != "21M" {
+		t.Errorf("expected the size to be 21M but got: %v", size)
 	}
 }
 
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 4bb5fe18c..b4c91ef54 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -676,8 +676,8 @@ http {
         }
 
         location /configuration {
-            client_max_body_size                    {{ luaConfigurationRequestBodySize $cfg }}m;
-            client_body_buffer_size                 {{ luaConfigurationRequestBodySize $cfg }}m;
+            client_max_body_size                    {{ luaConfigurationRequestBodySize $cfg }};
+            client_body_buffer_size                 {{ luaConfigurationRequestBodySize $cfg }};
             proxy_buffering                         off;
 
             content_by_lua_block {

From 2fe827030281440f71b91a7586ab56659d66abc6 Mon Sep 17 00:00:00 2001
From: Jonas Kello <jonaskello@users.noreply.github.com>
Date: Thu, 12 Aug 2021 21:39:51 +0200
Subject: [PATCH 057/376] Add linux node selector as default (#7481)

---
 charts/ingress-nginx/values.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 976bc5419..b561a8730 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -555,7 +555,8 @@ controller:
       ##
       priorityClassName: ""
       podAnnotations: {}
-      nodeSelector: {}
+      nodeSelector:
+        kubernetes.io/os: linux
       tolerations: []
       runAsUser: 2000
 
@@ -732,7 +733,8 @@ defaultBackend:
   ## Node labels for default backend pod assignment
   ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
   ##
-  nodeSelector: {}
+  nodeSelector:
+    kubernetes.io/os: linux
 
   ## Annotations to be added to default backend pods
   ##

From 807fd692097ad2dcc113d9f7716186b961b85a2c Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Thu, 12 Aug 2021 18:03:50 -0300
Subject: [PATCH 058/376] Fix default backend annotation test (#7486)

---
 test/e2e/annotations/customhttperrors.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/e2e/annotations/customhttperrors.go b/test/e2e/annotations/customhttperrors.go
index 7369ebe6e..f00ec8859 100644
--- a/test/e2e/annotations/customhttperrors.go
+++ b/test/e2e/annotations/customhttperrors.go
@@ -116,7 +116,7 @@ var _ = framework.DescribeAnnotation("custom-http-errors", func() {
 			}
 			return false
 		})
-		assert.Contains(ginkgo.GinkgoT(), serverConfig, errorBlockName(fmt.Sprintf("custom-default-backend-%s", customDefaultBackend), "503"))
-		assert.Contains(ginkgo.GinkgoT(), serverConfig, fmt.Sprintf("error_page %s = %s", "503", errorBlockName(fmt.Sprintf("custom-default-backend-%s", customDefaultBackend), "503")))
+		assert.Contains(ginkgo.GinkgoT(), serverConfig, errorBlockName(fmt.Sprintf("custom-default-backend-%s-%s", f.Namespace, customDefaultBackend), "503"))
+		assert.Contains(ginkgo.GinkgoT(), serverConfig, fmt.Sprintf("error_page %s = %s", "503", errorBlockName(fmt.Sprintf("custom-default-backend-%s-%s", f.Namespace, customDefaultBackend), "503")))
 	})
 })

From 05a3d144de71933a43d49fd2ea38ef06e76bdaca Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Wed, 18 Aug 2021 19:18:17 +0000
Subject: [PATCH 059/376] tag for release v0.49.0 (#7505)

---
 TAG | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/TAG b/TAG
index 2268e6061..9dc0e188e 100644
--- a/TAG
+++ b/TAG
@@ -1 +1 @@
-v0.48.1
+v0.49.0

From f3c50698d98299b1a61f83cb6c4bb7de0b71fb4b Mon Sep 17 00:00:00 2001
From: Jintao Zhang <zhangjintao9020@gmail.com>
Date: Sun, 22 Aug 2021 00:49:59 +0800
Subject: [PATCH 060/376] Prepare for v0.49.0 release (#7509)

* Changelog for v0.49

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>

* helm: bump version to v0.49.0

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>

* docs: bumper version to v0.49.0

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>

* explicitly call out details for Changelogs

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
---
 Changelog.md                                  | 58 +++++++++++++
 README.md                                     |  1 +
 charts/ingress-nginx/Chart.yaml               |  7 +-
 charts/ingress-nginx/values.yaml              |  4 +-
 .../provider/aws/deploy-tls-termination.yaml  | 82 ++++++++++---------
 deploy/static/provider/aws/deploy.yaml        | 82 ++++++++++---------
 deploy/static/provider/baremetal/deploy.yaml  | 82 ++++++++++---------
 deploy/static/provider/cloud/deploy.yaml      | 82 ++++++++++---------
 deploy/static/provider/do/deploy.yaml         | 82 ++++++++++---------
 deploy/static/provider/exoscale/deploy.yaml   | 82 ++++++++++---------
 deploy/static/provider/kind/deploy.yaml       | 82 ++++++++++---------
 deploy/static/provider/scw/deploy.yaml        | 82 ++++++++++---------
 docs/deploy/index.md                          | 18 ++--
 stable.txt                                    |  2 +-
 14 files changed, 419 insertions(+), 327 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index 750660764..c92a69301 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,63 @@
 # Changelog
 
+
+### 0.49.0
+
+**Image:**
+
+- `k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef`
+
+_New Features:_
+
+
+_Changes:_
+
+- [x] [#7486](https://github.com/kubernetes/ingress-nginx/pull/7486) Fix default backend annotation test
+- [x] [#7481](https://github.com/kubernetes/ingress-nginx/pull/7481) Add linux node selector as default
+- [x] [#6750](https://github.com/kubernetes/ingress-nginx/pull/6750) allow kb granularity for lua shared dicts
+- [x] [#7463](https://github.com/kubernetes/ingress-nginx/pull/7463) Improved disableaccesslog tests
+- [x] [#7485](https://github.com/kubernetes/ingress-nginx/pull/7485) update e2e test images to newest promoted one
+- [x] [#7479](https://github.com/kubernetes/ingress-nginx/pull/7479) Make custom-default-backend upstream name more unique
+- [x] [#7477](https://github.com/kubernetes/ingress-nginx/pull/7477) Trigger webhook image generation
+- [x] [#7475](https://github.com/kubernetes/ingress-nginx/pull/7475) Migrate the webhook-certgen program to inside ingress repo
+- [x] [#7331](https://github.com/kubernetes/ingress-nginx/pull/7331) Fix forwarding of auth-response-headers to gRPC backends
+- [x] [#7228](https://github.com/kubernetes/ingress-nginx/pull/7228) fix: discover mounted geoip db files
+- [x] [#7242](https://github.com/kubernetes/ingress-nginx/pull/7242) Retry to download maxmind DB if it fails
+- [x] [#7473](https://github.com/kubernetes/ingress-nginx/pull/7473) update to newest image
+- [x] [#7386](https://github.com/kubernetes/ingress-nginx/pull/7386) Add hostname value to override pod's hostname
+- [x] [#7467](https://github.com/kubernetes/ingress-nginx/pull/7467) use listen to ensure the port is free
+- [x] [#7411](https://github.com/kubernetes/ingress-nginx/pull/7411) Update versions of components for base image, including `nginx-http-auth-digest`, `ngx_http_substitutions_filter_module`, `nginx-opentracing`, `opentracing-cpp`, `ModSecurity-nginx`, `yaml-cpp`, `msgpack-c`, `lua-nginx-module`, `stream-lua-nginx-module`, `lua-upstream-nginx-module`, `luajit2`, `dd-opentracing-cpp`, `ngx_http_geoip2_module`, `nginx_ajp_module`, `lua-resty-string`, `lua-resty-balancer`, `lua-resty-core`, `lua-cjson`, `lua-resty-cookie`, `lua-resty-lrucache`, `lua-resty-dns`, `lua-resty-http`, `lua-resty-memcached`, `lua-resty-ipmatcher`.
+- [x] [#7462](https://github.com/kubernetes/ingress-nginx/pull/7462) Update configmap.md
+- [x] [#7369](https://github.com/kubernetes/ingress-nginx/pull/7369) Change all master reference to main
+- [x] [#7245](https://github.com/kubernetes/ingress-nginx/pull/7245) Allow overriding of the default response format
+- [x] [#7449](https://github.com/kubernetes/ingress-nginx/pull/7449) Fix cap for NET_BIND_SERVICE
+- [x] [#7450](https://github.com/kubernetes/ingress-nginx/pull/7450) correct ingress-controller naming
+- [x] [#7437](https://github.com/kubernetes/ingress-nginx/pull/7437) added K8s v1.22 tip for kind cluster,bug-report
+- [x] [#7455](https://github.com/kubernetes/ingress-nginx/pull/7455) Add documentation for monitoring without helm
+- [x] [#7454](https://github.com/kubernetes/ingress-nginx/pull/7454) Update go version to v1.16, modules and remove ioutil
+- [x] [#7452](https://github.com/kubernetes/ingress-nginx/pull/7452) run k8s job ci pipeline with 1.21.2 in main branch
+- [x] [#7451](https://github.com/kubernetes/ingress-nginx/pull/7451) Prepare for go v1.16
+- [x] [#7434](https://github.com/kubernetes/ingress-nginx/pull/7434) Helm - Enable configuring request and limit for containers in webhook jobs
+- [x] [#6864](https://github.com/kubernetes/ingress-nginx/pull/6864) Add scope configuration check
+- [x] [#7421](https://github.com/kubernetes/ingress-nginx/pull/7421) Bump PDB API version to v1
+- [x] [#7431](https://github.com/kubernetes/ingress-nginx/pull/7431) Add http request test to annotaion ssl cipher test
+- [x] [#7426](https://github.com/kubernetes/ingress-nginx/pull/7426) Removed tabs and one extra-space
+- [x] [#7423](https://github.com/kubernetes/ingress-nginx/pull/7423) Fixed chart version
+- [x] [#7424](https://github.com/kubernetes/ingress-nginx/pull/7424) Add dev-v1 branch into helm releaser
+- [x] [#7415](https://github.com/kubernetes/ingress-nginx/pull/7415) added checks to verify backend works with the given configs
+- [x] [#7371](https://github.com/kubernetes/ingress-nginx/pull/7371) Enable session affinity for canaries
+- [x] [#6985](https://github.com/kubernetes/ingress-nginx/pull/6985) auto backend protocol for HTTP/HTTPS
+- [x] [#7394](https://github.com/kubernetes/ingress-nginx/pull/7394) reorder contributing infos
+- [x] [#7224](https://github.com/kubernetes/ingress-nginx/pull/7224) docs：update troubleshooting.md
+- [x] [#7353](https://github.com/kubernetes/ingress-nginx/pull/7353) aws-load-balancer-internal is a boolean value
+- [x] [#7387](https://github.com/kubernetes/ingress-nginx/pull/7387) Automatically add area labels to help triaging
+- [x] [#7360](https://github.com/kubernetes/ingress-nginx/pull/7360) grpc - replaced fortune-builder app with official greeter app
+- [x] [#7361](https://github.com/kubernetes/ingress-nginx/pull/7361) doc: fix monitoring usage docs
+- [x] [#7365](https://github.com/kubernetes/ingress-nginx/pull/7365) update OWNERS and aliases files
+- [x] [#7039](https://github.com/kubernetes/ingress-nginx/pull/7039) Add missing tests for store/endpoint
+- [x] [#7364](https://github.com/kubernetes/ingress-nginx/pull/7364) Add cpanato as Helm chart approver
+- [x] [#7362](https://github.com/kubernetes/ingress-nginx/pull/7362) changed syntax from v1beta1 to v1
+
 ### 0.48.1
 
 **Image:**
diff --git a/README.md b/README.md
index 3675e690c..5d8efeccb 100644
--- a/README.md
+++ b/README.md
@@ -32,6 +32,7 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 |-----------------------|-------------           |----------------|---------------|
 | v1.0.0-alpha.2        | 1.22, 1.21, 1.20, 1.19 | 3.13.5         |  1.20.1       |
 | v1.0.0-alpha.1        | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
+| v0.49.0               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
 | v0.48.1               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
 | v0.47.0               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
 | v0.46.0               | 1.21, 1.20, 1.19       | 3.13.2         |  1.19.6       |
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index de46643ba..996160607 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 3.35.0
-appVersion: 0.48.1
+version: 3.36.0
+appVersion: 0.49.0
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
@@ -21,4 +21,5 @@ annotations:
   # List of changes for the release in artifacthub.io
   # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog
   artifacthub.io/changes: |
-    - Add namespace field in the namespace scoped resource templates
+    - Migrate the webhook-certgen program inside ingress repo.
+    - Fix forwarding of auth-response-headers to gRPC backends
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index b561a8730..54ee795e6 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -15,8 +15,8 @@ controller:
     # for backwards compatibility consider setting the full image url via the repository value below
     # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     # repository:
-    tag: "v0.48.1"
-    digest: sha256:e9fb216ace49dfa4a5983b183067e97496e7a8b307d2093f4278cd550c303899
+    tag: "v0.49.0"
+    digest: sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
     pullPolicy: IfNotPresent
     # www-data -> uid 101
     runAsUser: 101
diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml
index 8f890975e..2d4ad3ab7 100644
--- a/deploy/static/provider/aws/deploy-tls-termination.yaml
+++ b/deploy/static/provider/aws/deploy-tls-termination.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -50,10 +50,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -119,10 +119,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -139,10 +139,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -225,10 +225,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -247,10 +247,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -278,10 +278,10 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
     service.beta.kubernetes.io/aws-load-balancer-type: elb
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -308,10 +308,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -334,7 +334,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.48.1@sha256:e9fb216ace49dfa4a5983b183067e97496e7a8b307d2093f4278cd550c303899
+          image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -426,10 +426,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -467,10 +467,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -483,10 +483,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -507,10 +507,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -532,10 +532,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -557,10 +557,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -582,10 +582,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -593,10 +593,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.35.0
+        helm.sh/chart: ingress-nginx-3.36.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.48.1
+        app.kubernetes.io/version: 0.49.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -616,6 +616,8 @@ spec:
                   fieldPath: metadata.namespace
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
+      nodeSelector:
+        kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
@@ -630,10 +632,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -641,10 +643,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.35.0
+        helm.sh/chart: ingress-nginx-3.36.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.48.1
+        app.kubernetes.io/version: 0.49.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -666,6 +668,8 @@ spec:
                   fieldPath: metadata.namespace
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
+      nodeSelector:
+        kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml
index ca406635c..acd8fd604 100644
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -43,10 +43,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -218,10 +218,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -240,10 +240,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -268,10 +268,10 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -298,10 +298,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -324,7 +324,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.48.1@sha256:e9fb216ace49dfa4a5983b183067e97496e7a8b307d2093f4278cd550c303899
+          image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -413,10 +413,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -454,10 +454,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -470,10 +470,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -494,10 +494,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -519,10 +519,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -544,10 +544,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -569,10 +569,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -580,10 +580,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.35.0
+        helm.sh/chart: ingress-nginx-3.36.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.48.1
+        app.kubernetes.io/version: 0.49.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -603,6 +603,8 @@ spec:
                   fieldPath: metadata.namespace
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
+      nodeSelector:
+        kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
@@ -617,10 +619,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -628,10 +630,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.35.0
+        helm.sh/chart: ingress-nginx-3.36.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.48.1
+        app.kubernetes.io/version: 0.49.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -653,6 +655,8 @@ spec:
                   fieldPath: metadata.namespace
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
+      nodeSelector:
+        kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml
index 2ee36c827..55c2dc5ae 100644
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -43,10 +43,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -218,10 +218,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -240,10 +240,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -265,10 +265,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -294,10 +294,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -320,7 +320,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.48.1@sha256:e9fb216ace49dfa4a5983b183067e97496e7a8b307d2093f4278cd550c303899
+          image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -408,10 +408,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -449,10 +449,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -465,10 +465,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -489,10 +489,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -514,10 +514,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -539,10 +539,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -564,10 +564,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -575,10 +575,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.35.0
+        helm.sh/chart: ingress-nginx-3.36.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.48.1
+        app.kubernetes.io/version: 0.49.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -598,6 +598,8 @@ spec:
                   fieldPath: metadata.namespace
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
+      nodeSelector:
+        kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
@@ -612,10 +614,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -623,10 +625,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.35.0
+        helm.sh/chart: ingress-nginx-3.36.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.48.1
+        app.kubernetes.io/version: 0.49.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -648,6 +650,8 @@ spec:
                   fieldPath: metadata.namespace
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
+      nodeSelector:
+        kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml
index 0bd420d92..be69bee73 100644
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -43,10 +43,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -218,10 +218,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -240,10 +240,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -265,10 +265,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -295,10 +295,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -321,7 +321,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.48.1@sha256:e9fb216ace49dfa4a5983b183067e97496e7a8b307d2093f4278cd550c303899
+          image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -410,10 +410,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -451,10 +451,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -467,10 +467,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -491,10 +491,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -516,10 +516,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -541,10 +541,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -566,10 +566,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -577,10 +577,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.35.0
+        helm.sh/chart: ingress-nginx-3.36.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.48.1
+        app.kubernetes.io/version: 0.49.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -600,6 +600,8 @@ spec:
                   fieldPath: metadata.namespace
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
+      nodeSelector:
+        kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
@@ -614,10 +616,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -625,10 +627,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.35.0
+        helm.sh/chart: ingress-nginx-3.36.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.48.1
+        app.kubernetes.io/version: 0.49.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -650,6 +652,8 @@ spec:
                   fieldPath: metadata.namespace
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
+      nodeSelector:
+        kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml
index 7f044bc0f..95be9c1e4 100644
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -113,10 +113,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -133,10 +133,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -219,10 +219,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -241,10 +241,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -267,10 +267,10 @@ metadata:
   annotations:
     service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -297,10 +297,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -323,7 +323,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.48.1@sha256:e9fb216ace49dfa4a5983b183067e97496e7a8b307d2093f4278cd550c303899
+          image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -412,10 +412,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -453,10 +453,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -469,10 +469,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -493,10 +493,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -518,10 +518,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -543,10 +543,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -568,10 +568,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -579,10 +579,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.35.0
+        helm.sh/chart: ingress-nginx-3.36.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.48.1
+        app.kubernetes.io/version: 0.49.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -602,6 +602,8 @@ spec:
                   fieldPath: metadata.namespace
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
+      nodeSelector:
+        kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
@@ -616,10 +618,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -627,10 +629,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.35.0
+        helm.sh/chart: ingress-nginx-3.36.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.48.1
+        app.kubernetes.io/version: 0.49.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -652,6 +654,8 @@ spec:
                   fieldPath: metadata.namespace
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
+      nodeSelector:
+        kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml
index 923051ca6..47b86b9b0 100644
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -43,10 +43,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -218,10 +218,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -240,10 +240,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -273,10 +273,10 @@ metadata:
     service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: 3s
     service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -303,10 +303,10 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -329,7 +329,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.48.1@sha256:e9fb216ace49dfa4a5983b183067e97496e7a8b307d2093f4278cd550c303899
+          image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -418,10 +418,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -459,10 +459,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -475,10 +475,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -499,10 +499,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -524,10 +524,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -549,10 +549,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -574,10 +574,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -585,10 +585,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.35.0
+        helm.sh/chart: ingress-nginx-3.36.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.48.1
+        app.kubernetes.io/version: 0.49.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -608,6 +608,8 @@ spec:
                   fieldPath: metadata.namespace
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
+      nodeSelector:
+        kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
@@ -622,10 +624,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -633,10 +635,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.35.0
+        helm.sh/chart: ingress-nginx-3.36.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.48.1
+        app.kubernetes.io/version: 0.49.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -658,6 +660,8 @@ spec:
                   fieldPath: metadata.namespace
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
+      nodeSelector:
+        kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index 4f2c6ae99..c53e2ae1b 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -43,10 +43,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -218,10 +218,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -240,10 +240,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -265,10 +265,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -294,10 +294,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -324,7 +324,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.48.1@sha256:e9fb216ace49dfa4a5983b183067e97496e7a8b307d2093f4278cd550c303899
+          image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -420,10 +420,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -461,10 +461,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -477,10 +477,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -501,10 +501,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -526,10 +526,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -551,10 +551,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -576,10 +576,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -587,10 +587,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.35.0
+        helm.sh/chart: ingress-nginx-3.36.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.48.1
+        app.kubernetes.io/version: 0.49.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -610,6 +610,8 @@ spec:
                   fieldPath: metadata.namespace
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
+      nodeSelector:
+        kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
@@ -624,10 +626,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -635,10 +637,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.35.0
+        helm.sh/chart: ingress-nginx-3.36.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.48.1
+        app.kubernetes.io/version: 0.49.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -660,6 +662,8 @@ spec:
                   fieldPath: metadata.namespace
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
+      nodeSelector:
+        kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml
index 1d148a7b9..2fd0154d5 100644
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -113,10 +113,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -133,10 +133,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -219,10 +219,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -241,10 +241,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -267,10 +267,10 @@ metadata:
   annotations:
     service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -297,10 +297,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -323,7 +323,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.48.1@sha256:e9fb216ace49dfa4a5983b183067e97496e7a8b307d2093f4278cd550c303899
+          image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -412,10 +412,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -453,10 +453,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -469,10 +469,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -493,10 +493,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -518,10 +518,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -543,10 +543,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -568,10 +568,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -579,10 +579,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.35.0
+        helm.sh/chart: ingress-nginx-3.36.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.48.1
+        app.kubernetes.io/version: 0.49.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -602,6 +602,8 @@ spec:
                   fieldPath: metadata.namespace
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
+      nodeSelector:
+        kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
@@ -616,10 +618,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.35.0
+    helm.sh/chart: ingress-nginx-3.36.0
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.48.1
+    app.kubernetes.io/version: 0.49.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -627,10 +629,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.35.0
+        helm.sh/chart: ingress-nginx-3.36.0
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.48.1
+        app.kubernetes.io/version: 0.49.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -652,6 +654,8 @@ spec:
                   fieldPath: metadata.namespace
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
+      nodeSelector:
+        kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index afa9f7e41..33345ade2 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -54,7 +54,7 @@ Kubernetes is available in Docker Desktop
 - Windows, from [version 18.06.0-ce](https://docs.docker.com/docker-for-windows/release-notes/#docker-community-edition-18060-ce-win70-2018-07-25)
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/cloud/deploy.yaml
 ```
 
 #### minikube
@@ -82,7 +82,7 @@ In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controll
 ##### Network Load Balancer (NLB)
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/aws/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/aws/deploy.yaml
 ```
 
 ##### TLS termination in AWS Load Balancer (ELB)
@@ -91,10 +91,10 @@ In some scenarios is required to terminate TLS in the Load Balancer and not in t
 
 For this purpose we provide a template:
 
-- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/aws/deploy-tls-termination.yaml)
+- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/aws/deploy-tls-termination.yaml)
 
 ```console
-wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/aws/deploy-tls-termination.yaml
+wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/aws/deploy-tls-termination.yaml
 ```
 
 - Edit the file and change:
@@ -140,7 +140,7 @@ More information with regards to timeouts can be found in the [official AWS docu
 
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/cloud/deploy.yaml
 ```
 
 !!! failure Important
@@ -149,7 +149,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 #### Azure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/cloud/deploy.yaml
 ```
 
 More information with regards to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller).
@@ -157,13 +157,13 @@ More information with regards to Azure annotations for ingress controller can be
 #### Digital Ocean
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/do/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/do/deploy.yaml
 ```
 
 #### Scaleway
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/scw/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/scw/deploy.yaml
 ```
 
 #### Exoscale
@@ -187,7 +187,7 @@ A [complete list of available annotations for Oracle Cloud Infrastructure](https
 Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport):
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/baremetal/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/baremetal/deploy.yaml
 ```
 
 !!! tip
diff --git a/stable.txt b/stable.txt
index f1c0a329b..19b69dedd 100644
--- a/stable.txt
+++ b/stable.txt
@@ -1 +1 @@
-controller-v0.48.1
+controller-v0.49.0

From 90c79689c46497636ac32a7e2828c6ab2dae2fd8 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Sat, 21 Aug 2021 17:42:00 -0300
Subject: [PATCH 061/376] Release v1 (#7470)

* Drop v1beta1 from ingress nginx (#7156)

* Drop v1beta1 from ingress nginx

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>

* Fix intorstr logic in controller

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>

* fixing admission

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>

* more intorstr fixing

* correct template rendering

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>

* Fix e2e tests for v1 api

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>

* Fix gofmt errors

* This is finally working...almost there...

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>

* Re-add removed validation of AdmissionReview

* Prepare for v1.0.0-alpha.1 release

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>

* Update changelog and matrix table for v1.0.0-alpha.1 (#7274)

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>

* add docs for syslog feature (#7219)

* Fix link to e2e-tests.md in developer-guide (#7201)

* Use ENV expansion for namespace in args (#7146)

Update the DaemonSet namespace references to use the `POD_NAMESPACE` environment variable in the same way that the Deployment does.

* chart: using Helm builtin capabilities check (#7190)

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>

* Update proper default value for HTTP2MaxConcurrentStreams in Docs (#6944)

It should be 128 as documented in https://github.com/kubernetes/ingress-nginx/blob/master/internal/ingress/controller/config/config.go#L780

* Fix MaxWorkerOpenFiles calculation on high cores nodes (#7107)

* Fix MaxWorkerOpenFiles calculation on high cores nodes

* Add e2e test for rlimit_nofile

* Fix doc for max-worker-open-files

* ingress/tcp: add additional error logging on failed (#7208)

* Add file containing stable release (#7313)

* Handle named (non-numeric) ports correctly (#7311)

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* Updated v1beta1 to v1 as its deprecated (#7308)

* remove mercurial from build (#7031)

* Retry to download maxmind DB if it fails (#7242)

* Retry to download maxmind DB if it fails.

Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com>

* Add retries count arg, move retry logic into DownloadGeoLite2DB function

Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com>

* Reorder parameters in DownloadGeoLite2DB

Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com>

* Remove hardcoded value

Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com>

* Release v1.0.0-alpha.1

* Add changelog for v1.0.0-alpha.2

* controller: ignore non-service backends (#7332)

* controller: ignore non-service backends

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* update per feedback

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* fix: allow scope/tcp/udp configmap namespace to altered (#7161)

* Lower webhook timeout for digital ocean (#7319)

* Lower webhook timeout for digital ocean

* Set Digital Ocean value controller.admissionWebhooks.timeoutSeconds to 29

* update OWNERS and aliases files (#7365) (#7366)

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* Downgrade Lua modules for s390x (#7355)

Downgrade Lua modules to last known working version.

* Fix IngressClass logic for newer releases (#7341)

* Fix IngressClass logic for newer releases

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>

* Change e2e tests for the new IngressClass presence

* Fix chart and admission tests

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>

* Fix helm chart test

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>

* Fix reviews

* Remove ingressclass code from admission

* update tag to v1.0.0-beta.1

* update readme and changelog for v1.0.0-beta.1

* Release v1.0.0-beta.1 - helm and manifests (#7422)

* Change the order of annotation just to trigger a new helm release (#7425)

* [cherry-pick] Add dev-v1 branch into helm releaser (#7428)

* Add dev-v1 branch into helm releaser (#7424)

* chore: add link for artifacthub.io/prerelease annotations

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>

Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com>

* k8s job ci pipeline for dev-v1 br v1.22.0 (#7453)

* k8s job ci pipeline for dev-v1 br v1.22.0

Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com>

* k8s job ci pipeline for dev-v1 br v1.21.2

Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com>

* remove v1.21.1 version

Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com>

* Add controller.watchIngressWithoutClass config option (#7459)

Signed-off-by: Akshit Grover <akshit.grover2016@gmail.com>

* Release new helm chart with certgen fixed (#7478)

* Update go version, modules and remove ioutil

* Release new helm chart with certgen fixed

* changed appversion, chartversion, TAG, image (#7490)

* Fix CI conflict

* Fix CI conflict

* Fix build.sh from rebase process

* Fix controller_test post rebase

Co-authored-by: Tianhao Guo <rggth09@gmail.com>
Co-authored-by: Ray <61553+rctay@users.noreply.github.com>
Co-authored-by: Bill Cassidy <cassid4@gmail.com>
Co-authored-by: Jintao Zhang <tao12345666333@163.com>
Co-authored-by: Sathish Ramani <rsathishx87@gmail.com>
Co-authored-by: Mansur Marvanov <nanorobocop@gmail.com>
Co-authored-by: Matt1360 <568198+Matt1360@users.noreply.github.com>
Co-authored-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>
Co-authored-by: Kundan Kumar <kundan.kumar@india.nec.com>
Co-authored-by: Tom Hayward <thayward@infoblox.com>
Co-authored-by: Sergey Shakuto <sshakuto@infoblox.com>
Co-authored-by: Tore <tore.lonoy@gmail.com>
Co-authored-by: Bouke Versteegh <info@boukeversteegh.nl>
Co-authored-by: Shahid <shahid@us.ibm.com>
Co-authored-by: James Strong <strong.james.e@gmail.com>
Co-authored-by: Long Wu Yuan <longwuyuan@gmail.com>
Co-authored-by: Jintao Zhang <zhangjintao9020@gmail.com>
Co-authored-by: Neha Lohia <nehapithadiya444@gmail.com>
Co-authored-by: Akshit Grover <akshit.grover2016@gmail.com>
---
 .github/workflows/ci.yaml                     |  23 +-
 Changelog.md                                  |  76 +++
 README.md                                     |   1 +
 RELEASE.md                                    |   2 +
 TAG                                           |   2 +-
 charts/ingress-nginx/Chart.yaml               |  12 +-
 charts/ingress-nginx/OWNERS                   |   2 +-
 .../controller-custom-ingressclass-flags.yaml |   7 +
 .../ci/daemonset-customconfig-values.yaml     |   4 +
 .../ci/daemonset-customnodeport-values.yaml   |   4 +
 .../ci/daemonset-headers-values.yaml          |   4 +
 .../ci/daemonset-internal-lb-values.yaml      |   4 +
 .../ci/daemonset-nodeport-values.yaml         |   4 +
 .../ci/daemonset-podannotations-values.yaml   |   4 +
 ...set-tcp-udp-configMapNamespace-values.yaml |   4 +
 .../ci/daemonset-tcp-udp-values.yaml          |   4 +
 .../ci/daemonset-tcp-values.yaml              |   4 +
 .../ci/deamonset-default-values.yaml          |   4 +
 .../ci/deamonset-metrics-values.yaml          |   4 +
 .../ci/deamonset-psp-values.yaml              |   4 +
 .../ci/deamonset-webhook-and-psp-values.yaml  |   4 +
 .../ci/deamonset-webhook-values.yaml          |   4 +
 .../ci/deployment-autoscaling-values.yaml     |   4 +
 .../ci/deployment-customconfig-values.yaml    |   4 +
 .../ci/deployment-customnodeport-values.yaml  |   4 +
 .../ci/deployment-default-values.yaml         |   4 +
 .../ci/deployment-headers-values.yaml         |   4 +
 .../ci/deployment-internal-lb-values.yaml     |   4 +
 .../ci/deployment-metrics-values.yaml         |   4 +
 .../ci/deployment-nodeport-values.yaml        |   4 +
 .../ci/deployment-podannotations-values.yaml  |   4 +
 .../ci/deployment-psp-values.yaml             |   4 +
 ...ent-tcp-udp-configMapNamespace-values.yaml |   4 +
 .../ci/deployment-tcp-udp-values.yaml         |   4 +
 .../ci/deployment-tcp-values.yaml             |   4 +
 .../ci/deployment-webhook-and-psp-values.yaml |   4 +
 .../ci/deployment-webhook-values.yaml         |   4 +
 charts/ingress-nginx/templates/NOTES.txt      |   2 +-
 .../validating-webhook.yaml                   |   5 +-
 .../ingress-nginx/templates/clusterrole.yaml  |   8 +-
 .../templates/controller-daemonset.yaml       |  15 +-
 .../templates/controller-deployment.yaml      |  13 +-
 .../templates/controller-ingressclass.yaml    |  12 +-
 .../templates/controller-role.yaml            |  10 +-
 .../templates/controller-servicemonitor.yaml  |   2 +-
 charts/ingress-nginx/values.yaml              |  34 +-
 cmd/nginx/flags.go                            |  35 +-
 cmd/nginx/main.go                             |  36 +-
 cmd/plugin/commands/ingresses/ingresses.go    |  29 +-
 .../commands/ingresses/ingresses_test.go      |  75 +++
 cmd/plugin/commands/lint/main.go              |   2 +-
 cmd/plugin/lints/ingress.go                   |   2 +-
 cmd/plugin/request/request.go                 |   4 +-
 .../provider/aws/deploy-tls-termination.yaml  | 127 ++--
 deploy/static/provider/aws/deploy.yaml        | 125 ++--
 deploy/static/provider/baremetal/deploy.yaml  | 125 ++--
 deploy/static/provider/cloud/deploy.yaml      | 125 ++--
 deploy/static/provider/do/deploy.yaml         | 126 ++--
 deploy/static/provider/exoscale/deploy.yaml   | 127 ++--
 deploy/static/provider/kind/deploy.yaml       | 125 ++--
 deploy/static/provider/scw/deploy.yaml        | 125 ++--
 docs/developer-guide/getting-started.md       |   2 +-
 .../affinity/cookie/ingress-samesite.yaml     |   4 +-
 docs/examples/affinity/cookie/ingress.yaml    |   2 +-
 docs/examples/auth/basic/README.md            |   2 +-
 docs/examples/auth/client-certs/ingress.yaml  |   2 +-
 docs/examples/auth/external-auth/README.md    |   4 +-
 docs/examples/auth/external-auth/ingress.yaml |   2 +-
 .../dashboard-ingress.yaml                    |   4 +-
 docs/examples/chashsubset/deployment.yaml     |   2 +-
 .../configuration-snippets/ingress.yaml       |   2 +-
 .../deploy/echo-service.yaml                  |   4 +-
 .../docker-registry/ingress-with-tls.yaml     |   2 +-
 .../docker-registry/ingress-without-tls.yaml  |   2 +-
 docs/examples/multi-tls/multi-tls.yaml        |   2 +-
 docs/examples/rewrite/README.md               |   4 +-
 docs/examples/static-ip/nginx-ingress.yaml    |   2 +-
 docs/examples/tls-termination/README.md       |   2 +-
 docs/examples/tls-termination/ingress.yaml    |   2 +-
 docs/troubleshooting.md                       |   2 +-
 docs/user-guide/fcgi-services.md              |   2 +-
 docs/user-guide/ingress-path-matching.md      |   8 +-
 .../nginx-configuration/annotations.md        |   2 +-
 .../nginx-configuration/configmap.md          |  19 +-
 .../third-party-addons/opentracing.md         |   2 +-
 go.mod                                        |   2 +-
 hack/generate-deploy-scripts.sh               |   2 +
 images/nginx/rootfs/build.sh                  |  25 +
 internal/admission/controller/convert.go      |  90 ---
 internal/admission/controller/main.go         |  35 +-
 internal/admission/controller/main_test.go    |   4 +-
 internal/admission/controller/server.go       |   2 -
 internal/ingress/annotations/alias/main.go    |   2 +-
 .../ingress/annotations/alias/main_test.go    |   2 +-
 internal/ingress/annotations/annotations.go   |   2 +-
 .../ingress/annotations/annotations_test.go   |  21 +-
 internal/ingress/annotations/auth/main.go     |   2 +-
 .../ingress/annotations/auth/main_test.go     |  21 +-
 internal/ingress/annotations/authreq/main.go  |   2 +-
 .../ingress/annotations/authreq/main_test.go  |  22 +-
 .../ingress/annotations/authreqglobal/main.go |   2 +-
 .../annotations/authreqglobal/main_test.go    |  22 +-
 internal/ingress/annotations/authtls/main.go  |   2 +-
 .../ingress/annotations/authtls/main_test.go  |  21 +-
 .../annotations/backendprotocol/main.go       |   2 +-
 .../annotations/backendprotocol/main_test.go  |  14 +-
 internal/ingress/annotations/canary/main.go   |   2 +-
 .../ingress/annotations/canary/main_test.go   |  21 +-
 internal/ingress/annotations/class/main.go    |  64 --
 .../ingress/annotations/class/main_test.go    | 103 ---
 .../annotations/clientbodybuffersize/main.go  |   2 +-
 .../clientbodybuffersize/main_test.go         |   2 +-
 .../ingress/annotations/connection/main.go    |   2 +-
 .../annotations/connection/main_test.go       |   2 +-
 internal/ingress/annotations/cors/main.go     |   2 +-
 .../ingress/annotations/cors/main_test.go     |  21 +-
 .../annotations/customhttperrors/main.go      |   2 +-
 .../annotations/customhttperrors/main_test.go |  14 +-
 .../annotations/defaultbackend/main.go        |   2 +-
 .../annotations/defaultbackend/main_test.go   |  22 +-
 internal/ingress/annotations/fastcgi/main.go  |   2 +-
 .../ingress/annotations/fastcgi/main_test.go  |  14 +-
 .../annotations/globalratelimit/main.go       |   2 +-
 .../annotations/globalratelimit/main_test.go  |  21 +-
 .../annotations/http2pushpreload/main.go      |   2 +-
 .../annotations/http2pushpreload/main_test.go |   2 +-
 internal/ingress/annotations/influxdb/main.go |   2 +-
 .../ingress/annotations/influxdb/main_test.go |  21 +-
 .../ingress/annotations/ipwhitelist/main.go   |   2 +-
 .../annotations/ipwhitelist/main_test.go      |  21 +-
 .../ingress/annotations/loadbalancing/main.go |   2 +-
 .../annotations/loadbalancing/main_test.go    |   2 +-
 internal/ingress/annotations/log/main.go      |   2 +-
 internal/ingress/annotations/log/main_test.go |  21 +-
 internal/ingress/annotations/mirror/main.go   |   2 +-
 .../ingress/annotations/mirror/main_test.go   |   2 +-
 .../ingress/annotations/modsecurity/main.go   |   2 +-
 .../annotations/modsecurity/main_test.go      |   2 +-
 .../ingress/annotations/opentracing/main.go   |   2 +-
 .../annotations/opentracing/main_test.go      |  21 +-
 internal/ingress/annotations/parser/main.go   |   2 +-
 .../ingress/annotations/parser/main_test.go   |   2 +-
 .../annotations/portinredirect/main.go        |   2 +-
 .../annotations/portinredirect/main_test.go   |  21 +-
 internal/ingress/annotations/proxy/main.go    |   2 +-
 .../ingress/annotations/proxy/main_test.go    |  21 +-
 internal/ingress/annotations/proxyssl/main.go |   2 +-
 .../ingress/annotations/proxyssl/main_test.go |  21 +-
 .../ingress/annotations/ratelimit/main.go     |   2 +-
 .../annotations/ratelimit/main_test.go        |  21 +-
 .../ingress/annotations/redirect/redirect.go  |   2 +-
 .../annotations/redirect/redirect_test.go     |   2 +-
 internal/ingress/annotations/rewrite/main.go  |   2 +-
 .../ingress/annotations/rewrite/main_test.go  |  21 +-
 internal/ingress/annotations/satisfy/main.go  |   2 +-
 .../ingress/annotations/satisfy/main_test.go  |  21 +-
 .../annotations/secureupstream/main.go        |   2 +-
 .../annotations/secureupstream/main_test.go   |  21 +-
 .../ingress/annotations/serversnippet/main.go |   2 +-
 .../annotations/serversnippet/main_test.go    |   2 +-
 .../annotations/serviceupstream/main.go       |   2 +-
 .../annotations/serviceupstream/main_test.go  |  21 +-
 .../annotations/sessionaffinity/main.go       |   2 +-
 .../annotations/sessionaffinity/main_test.go  |  22 +-
 internal/ingress/annotations/snippet/main.go  |   2 +-
 .../ingress/annotations/snippet/main_test.go  |   2 +-
 .../ingress/annotations/sslcipher/main.go     |   2 +-
 .../annotations/sslcipher/main_test.go        |   2 +-
 .../annotations/sslpassthrough/main.go        |   2 +-
 .../annotations/sslpassthrough/main_test.go   |  14 +-
 .../annotations/upstreamhashby/main.go        |   2 +-
 .../annotations/upstreamhashby/main_test.go   |   2 +-
 .../ingress/annotations/upstreamvhost/main.go |   2 +-
 .../annotations/upstreamvhost/main_test.go    |   2 +-
 .../annotations/xforwardedprefix/main.go      |   2 +-
 .../annotations/xforwardedprefix/main_test.go |   2 +-
 internal/ingress/controller/controller.go     |  97 +--
 .../ingress/controller/controller_test.go     | 339 ++++++----
 .../controller/ingressclass/ingressclass.go   |  45 ++
 internal/ingress/controller/location.go       |   2 +-
 internal/ingress/controller/nginx.go          |  19 +-
 .../ingress/controller/store/backend_ssl.go   |   2 +-
 internal/ingress/controller/store/ingress.go  |   2 +-
 .../ingress/controller/store/ingressclass.go  |  39 ++
 internal/ingress/controller/store/store.go    | 161 ++++-
 .../ingress/controller/store/store_test.go    | 592 ++++++++++++++----
 internal/ingress/controller/tcp.go            |   1 +
 .../ingress/controller/template/template.go   |  25 +-
 .../controller/template/template_test.go      | 157 ++++-
 internal/ingress/controller/util.go           |  27 +-
 internal/ingress/metric/main.go               |  11 +-
 internal/ingress/status/status.go             |   2 +-
 internal/ingress/status/status_test.go        |  12 +-
 internal/ingress/types.go                     |   2 +-
 internal/k8s/main.go                          |  29 +-
 stable.txt                                    |   2 +-
 .../forwarded-port-headers/values.yaml        |   4 +-
 test/e2e/admission/admission.go               | 131 ++--
 test/e2e/annotations/affinity.go              |  29 +-
 test/e2e/annotations/auth.go                  |   2 +-
 test/e2e/annotations/canary.go                |  56 +-
 test/e2e/annotations/customhttperrors.go      |   2 +-
 test/e2e/annotations/satisfy.go               |   2 +-
 test/e2e/defaultbackend/with_hosts.go         |  14 +-
 test/e2e/framework/framework.go               |  86 ++-
 test/e2e/framework/k8s.go                     |   8 +-
 test/e2e/framework/util.go                    |  95 ++-
 test/e2e/ingress/multiple_rules.go            |  26 +-
 test/e2e/ingress/pathtype_exact.go            |   7 +-
 test/e2e/ingress/pathtype_mixed.go            |   7 +-
 test/e2e/ingress/without_host.go              |  14 +-
 test/e2e/leaks/lua_ssl.go                     |   2 +-
 test/e2e/lua/dynamic_certificates.go          |  18 +-
 test/e2e/lua/dynamic_configuration.go         |   6 +-
 test/e2e/run-chart-test.sh                    |  24 +-
 test/e2e/run.sh                               |   4 +-
 test/e2e/servicebackend/service_backend.go    |  27 +-
 .../servicebackend/service_externalname.go    |  36 +-
 test/e2e/settings/disable_catch_all.go        |  13 +-
 test/e2e/settings/global_external_auth.go     |   2 +-
 test/e2e/settings/global_options.go           |  58 ++
 test/e2e/settings/ingress_class.go            | 592 +++++++++++-------
 test/e2e/settings/no_auth_locations.go        |  27 +-
 test/e2e/settings/server_tokens.go            |  16 +-
 test/e2e/status/update.go                     |   8 +-
 test/e2e/wait-for-nginx.sh                    |   4 +
 226 files changed, 3518 insertions(+), 1940 deletions(-)
 create mode 100644 charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml
 create mode 100644 cmd/plugin/commands/ingresses/ingresses_test.go
 delete mode 100644 internal/admission/controller/convert.go
 delete mode 100644 internal/ingress/annotations/class/main.go
 delete mode 100644 internal/ingress/annotations/class/main_test.go
 create mode 100644 internal/ingress/controller/ingressclass/ingressclass.go
 create mode 100644 internal/ingress/controller/store/ingressclass.go
 mode change 100755 => 100644 test/e2e/settings/global_external_auth.go
 create mode 100644 test/e2e/settings/global_options.go

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 099d7e2a0..7470325cc 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -57,8 +57,6 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     needs: changes
-    if: |
-      (needs.changes.outputs.go == 'true')
 
     steps:
 
@@ -116,6 +114,7 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - changes
+      - build
     if: |
       (needs.changes.outputs.charts == 'true')
 
@@ -123,6 +122,11 @@ jobs:
 
       - name: Checkout
         uses: actions/checkout@v2
+    
+      - name: cache
+        uses: actions/download-artifact@v2
+        with:
+          name: docker.tar.gz
 
       - name: Lint
         run: |
@@ -138,12 +142,23 @@ jobs:
         uses: engineerd/setup-kind@v0.5.0
         with:
           version: v0.11.1
-          image: kindest/node:v1.20.2
+          image: kindest/node:v1.21.1
+    
+      - uses: geekyeggo/delete-artifact@v1
+        with:
+          name: docker.tar.gz
+          failOnError: false
+
+      - name: Load images from cache
+        run: |
+          echo "loading docker images..."
+          pigz -dc docker.tar.gz | docker load
 
       - name: Test
         env:
           KIND_CLUSTER_NAME: kind
           SKIP_CLUSTER_CREATION: true
+          SKIP_IMAGE_CREATION: true
         run: |
           kind get kubeconfig > $HOME/.kube/kind-config-kind
           make kind-e2e-chart-tests
@@ -159,7 +174,7 @@ jobs:
 
     strategy:
       matrix:
-        k8s: [v1.16.15, v1.17.17, v1.18.19, v1.19.11, v1.20.7, v1.21.2]
+        k8s: [v1.19.11, v1.20.7, v1.21.2, v1.22.0]
 
     steps:
 
diff --git a/Changelog.md b/Changelog.md
index c92a69301..23a2a1e3e 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -81,6 +81,82 @@ _Changes:_
 - [X] [#7216](https://github.com/kubernetes/ingress-nginx/pull/7216) Admission: Skip validation checks if an ingress 
   is marked as deleted #7216
   
+### 1.0.0-beta.3
+** This is a breaking change**
+
+This release only supports Kubernetes versions >= v1.19. The support for Ingress Object in `networking.k8s.io/v1beta` is being dropped and manifests should now use `networking.k8s.io/v1`.
+
+**Image:**
+
+- `k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.3@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695`
+
+Changes:
+
+- [X] [#7487](https://github.com/kubernetes/ingress-nginx/pull/7487)[Cherry - Pick] - Fix default backend annotation and tests
+- [X] [#7459](https://github.com/kubernetes/ingress-nginx/pull/7459) Add controller.watchIngressWithoutClass config option 
+- [X] [#7478](https://github.com/kubernetes/ingress-nginx/pull/7478) Release new helm chart with certgen fixed 
+
+### 1.0.0-beta.1
+**THIS IS A BREAKING CHANGE**
+
+This release only supports Kubernetes versions >= v1.19. The support for Ingress Object in `networking.k8s.io/v1beta` is being dropped and manifests should now use `networking.k8s.io/v1`.
+
+**Image:**
+
+- `k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.1@sha256:f058f3fdc940095957695829745956c6acddcaef839907360965e27fd3348e2e`
+
+_ New Features:_
+
+_Changes:_
+
+- [X] [#7341](https://github.com/kubernetes/ingress-nginx/pull/7341) Fix IngressClass logic for newer releases (#7341)
+- [X] [#7355](https://github.com/kubernetes/ingress-nginx/pull/7355) Downgrade Lua modules for s390x (#7355)
+- [X] [#7319](https://github.com/kubernetes/ingress-nginx/pull/7319) Lower webhook timeout for digital ocean (#7319)
+- [X] [#7161](https://github.com/kubernetes/ingress-nginx/pull/7161) fix: allow scope/tcp/udp configmap namespace to altered (#7161)
+- [X] [#7331](https://github.com/kubernetes/ingress-nginx/pull/7331) Fix forwarding of auth-response-headers to gRPC backends (#7331)
+- [X] [#7332](https://github.com/kubernetes/ingress-nginx/pull/7332) controller: ignore non-service backends (#7332)
+
+### 1.0.0-alpha.2
+**THIS IS A BREAKING CHANGE**
+
+This release only supports Kubernetes versions >= v1.19. The support for Ingress Object in `networking.k8s.io/v1beta` is being dropped and manifests should now use `networking.k8s.io/v1`.
+
+**Image:**
+
+- `k8s.gcr.io/ingress-nginx/controller:v1.0.0-alpha.2@sha256:04a0ad3a1279c2a58898e789eed767eafa138ee1e5b9b23a988c6e8485cf958d`
+
+_ New Features:_
+
+- [X] [#7314](https://github.com/kubernetes/ingress-nginx/pull/7314) Add configuration to disable external name service feature
+- [X] [#7313](https://github.com/kubernetes/ingress-nginx/pull/7313) Add file containing stable release 
+- [X] [#7311](https://github.com/kubernetes/ingress-nginx/pull/7311) Handle named (non-numeric) ports correctly
+- [X] [#7308](https://github.com/kubernetes/ingress-nginx/pull/7308) Updated v1beta1 to v1 as its deprecated
+- [X] [#7298](https://github.com/kubernetes/ingress-nginx/pull/7298) Speed up admission hook by eliminating deep copy of Ingresses in CheckIngress 
+- [X] [#7242](https://github.com/kubernetes/ingress-nginx/pull/7242) Retry to download maxmind DB if it fails 
+- [X] [#7228](https://github.com/kubernetes/ingress-nginx/pull/7228) Discover mounted geoip db files
+- [X] [#7208](https://github.com/kubernetes/ingress-nginx/pull/7208) ingress/tcp: add additional error logging on failed
+- [X] [#7190](https://github.com/kubernetes/ingress-nginx/pull/7190) chart: using Helm builtin capabilities check
+- [X] [#7146](https://github.com/kubernetes/ingress-nginx/pull/7146) Use ENV expansion for namespace in args
+- [X] [#7107](https://github.com/kubernetes/ingress-nginx/pull/7107) Fix MaxWorkerOpenFiles calculation on high cores nodes
+- [X] [#7076](https://github.com/kubernetes/ingress-nginx/pull/7076) Rewrite clean-nginx-conf.sh in Go to speed up admission webhook
+- [X] [#7031](https://github.com/kubernetes/ingress-nginx/pull/7031) Remove mercurial from build
+- [X] [#6990](https://github.com/kubernetes/ingress-nginx/pull/6990) Use listen to ensure the port is free
+- [X] [#6944](https://github.com/kubernetes/ingress-nginx/pull/6944) Update proper default value for HTTP2MaxConcurrentStreams in Docs
+- [X] [#6940](https://github.com/kubernetes/ingress-nginx/pull/6940) Fix definition order of modsecurity directives 
+
+### 1.0.0-alpha.1
+**THIS IS A BREAKING CHANGE**
+
+This release only supports Kubernetes versions >= v1.19. The support for Ingress Object in `networking.k8s.io/v1beta` is being dropped and manifests should now use `networking.k8s.io/v1`.
+
+**Image:**
+
+- `k8s.gcr.io/ingress-nginx/controller:v1.0.0-alpha.1@sha256:32f3f02a038c0d7cf33b71a14028c3a4ddee6f4c3fe5fadfa14b915e5e0d9faf`
+
+_ New Features:_
+
+- [X] [#7156] Drops support for Ingress Object v1beta1
+
 ### 0.47.0
 
 **Image:**
diff --git a/README.md b/README.md
index 5d8efeccb..a955debc1 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 
 | Ingress-nginx version | k8s supported version  | Alpine Version | Nginx Version |
 |-----------------------|-------------           |----------------|---------------|
+| v1.0.0-beta.1         | 1.22, 1.21, 1.20, 1.19 | 3.13.5         |  1.20.1       |
 | v1.0.0-alpha.2        | 1.22, 1.21, 1.20, 1.19 | 3.13.5         |  1.20.1       |
 | v1.0.0-alpha.1        | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
 | v0.49.0               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
diff --git a/RELEASE.md b/RELEASE.md
index 1ed6eaef7..659617c10 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -74,5 +74,7 @@ The sha is available in output from [cloud build](https://console.cloud.google.c
     * Update the version in [docs/deploy/index.md](docs/deploy/index.md)
     * Update Supported versions in the Support Versions table in the README.md 
     * Merge
+
+* Update the stable.txt file to reflect the release to be created
       
 7. Github release
diff --git a/TAG b/TAG
index 9dc0e188e..cd5e5ef12 100644
--- a/TAG
+++ b/TAG
@@ -1 +1 @@
-v0.49.0
+v1.0.0-beta.3
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 996160607..e6b8b318a 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 3.36.0
-appVersion: 0.49.0
+version: 4.0.0-beta.3
+appVersion: 1.0.0-beta.3
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
@@ -16,10 +16,12 @@ type: application
 maintainers:
   - name: ChiefAlexander
 engine: gotpl
-kubeVersion: ">=1.16.0-0"
+kubeVersion: ">=1.19.0-0"
 annotations:
+  # Use this annotation to indicate that this chart version is a pre-release.
+  # https://artifacthub.io/docs/topics/annotations/helm/
+  artifacthub.io/prerelease: "true"
   # List of changes for the release in artifacthub.io
   # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog
   artifacthub.io/changes: |
-    - Migrate the webhook-certgen program inside ingress repo.
-    - Fix forwarding of auth-response-headers to gRPC backends
+    - Fix default backend annotation and tests
diff --git a/charts/ingress-nginx/OWNERS b/charts/ingress-nginx/OWNERS
index 392bc92f5..6b7e049ca 100644
--- a/charts/ingress-nginx/OWNERS
+++ b/charts/ingress-nginx/OWNERS
@@ -7,4 +7,4 @@ reviewers:
 - ingress-nginx-helm-reviewers
 
 labels:
-- area/helm
\ No newline at end of file
+- area/helm
diff --git a/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml b/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml
new file mode 100644
index 000000000..b28a2326e
--- /dev/null
+++ b/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml
@@ -0,0 +1,7 @@
+controller:
+  watchIngressWithoutClass: true
+  ingressClassResource:
+    name: custom-nginx
+    enabled: true
+    default: true
+    controllerValue: "k8s.io/custom-nginx"
diff --git a/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml b/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml
index e12b53421..43dd2b2ac 100644
--- a/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml
+++ b/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml
@@ -1,4 +1,8 @@
 controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   kind: DaemonSet
   admissionWebhooks:
     enabled: false
diff --git a/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml b/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml
index cfc545f69..1d94be219 100644
--- a/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml
+++ b/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml
@@ -1,5 +1,9 @@
 controller:
   kind: DaemonSet
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: false
 
diff --git a/charts/ingress-nginx/ci/daemonset-headers-values.yaml b/charts/ingress-nginx/ci/daemonset-headers-values.yaml
index ff82cd9c7..ab7d47bd4 100644
--- a/charts/ingress-nginx/ci/daemonset-headers-values.yaml
+++ b/charts/ingress-nginx/ci/daemonset-headers-values.yaml
@@ -1,5 +1,9 @@
 controller:
   kind: DaemonSet
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: false
   addHeaders:
diff --git a/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml b/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml
index d8948d634..0a200a746 100644
--- a/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml
+++ b/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml
@@ -1,5 +1,9 @@
 controller:
   kind: DaemonSet
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: false
   service:
diff --git a/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml b/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml
index 6d6605f0e..3b7aa2fcd 100644
--- a/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml
+++ b/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml
@@ -1,5 +1,9 @@
 controller:
   kind: DaemonSet
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: false
   service:
diff --git a/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml b/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml
index 04ac58dbd..0b55306a1 100644
--- a/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml
+++ b/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml
@@ -1,5 +1,9 @@
 controller:
   kind: DaemonSet
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: false
   metrics:
diff --git a/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml b/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml
index afb5487c5..acd86a77a 100644
--- a/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml
+++ b/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml
@@ -1,5 +1,9 @@
 controller:
   kind: DaemonSet
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: false
   service:
diff --git a/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml b/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml
index 7b4d7cbe7..25ee64d85 100644
--- a/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml
+++ b/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml
@@ -1,5 +1,9 @@
 controller:
   kind: DaemonSet
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: false
   service:
diff --git a/charts/ingress-nginx/ci/daemonset-tcp-values.yaml b/charts/ingress-nginx/ci/daemonset-tcp-values.yaml
index a359a6a40..380c8b4b1 100644
--- a/charts/ingress-nginx/ci/daemonset-tcp-values.yaml
+++ b/charts/ingress-nginx/ci/daemonset-tcp-values.yaml
@@ -1,5 +1,9 @@
 controller:
   kind: DaemonSet
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: false
   service:
diff --git a/charts/ingress-nginx/ci/deamonset-default-values.yaml b/charts/ingress-nginx/ci/deamonset-default-values.yaml
index e63a7f5db..82fa23e85 100644
--- a/charts/ingress-nginx/ci/deamonset-default-values.yaml
+++ b/charts/ingress-nginx/ci/deamonset-default-values.yaml
@@ -1,5 +1,9 @@
 controller:
   kind: DaemonSet
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: false
   service:
diff --git a/charts/ingress-nginx/ci/deamonset-metrics-values.yaml b/charts/ingress-nginx/ci/deamonset-metrics-values.yaml
index 1e5190afc..cb3cb54be 100644
--- a/charts/ingress-nginx/ci/deamonset-metrics-values.yaml
+++ b/charts/ingress-nginx/ci/deamonset-metrics-values.yaml
@@ -1,5 +1,9 @@
 controller:
   kind: DaemonSet
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: false
   metrics:
diff --git a/charts/ingress-nginx/ci/deamonset-psp-values.yaml b/charts/ingress-nginx/ci/deamonset-psp-values.yaml
index 017b60a9c..8026a6356 100644
--- a/charts/ingress-nginx/ci/deamonset-psp-values.yaml
+++ b/charts/ingress-nginx/ci/deamonset-psp-values.yaml
@@ -1,5 +1,9 @@
 controller:
   kind: DaemonSet
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: false
   service:
diff --git a/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml b/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml
index 88aafc66f..fccdb134c 100644
--- a/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml
+++ b/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml
@@ -1,5 +1,9 @@
 controller:
   kind: DaemonSet
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: true
   service:
diff --git a/charts/ingress-nginx/ci/deamonset-webhook-values.yaml b/charts/ingress-nginx/ci/deamonset-webhook-values.yaml
index 6e3b371da..54d364df1 100644
--- a/charts/ingress-nginx/ci/deamonset-webhook-values.yaml
+++ b/charts/ingress-nginx/ci/deamonset-webhook-values.yaml
@@ -1,5 +1,9 @@
 controller:
   kind: DaemonSet
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: true
   service:
diff --git a/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml b/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml
index 5314cecb3..b8b3ac686 100644
--- a/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml
@@ -1,4 +1,8 @@
 controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   autoscaling:
     enabled: true
   admissionWebhooks:
diff --git a/charts/ingress-nginx/ci/deployment-customconfig-values.yaml b/charts/ingress-nginx/ci/deployment-customconfig-values.yaml
index f232531ac..85715ddb7 100644
--- a/charts/ingress-nginx/ci/deployment-customconfig-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-customconfig-values.yaml
@@ -1,4 +1,8 @@
 controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   config:
     use-proxy-protocol: "true"
   admissionWebhooks:
diff --git a/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml b/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml
index 9eda282b1..a564eaf93 100644
--- a/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml
@@ -1,4 +1,8 @@
 controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: false
   service:
diff --git a/charts/ingress-nginx/ci/deployment-default-values.yaml b/charts/ingress-nginx/ci/deployment-default-values.yaml
index 93a393c97..9f46b4e7e 100644
--- a/charts/ingress-nginx/ci/deployment-default-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-default-values.yaml
@@ -1,4 +1,8 @@
 # Left blank to test default values
 controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   service:
     type: ClusterIP
diff --git a/charts/ingress-nginx/ci/deployment-headers-values.yaml b/charts/ingress-nginx/ci/deployment-headers-values.yaml
index 665fd48d3..17a11ac37 100644
--- a/charts/ingress-nginx/ci/deployment-headers-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-headers-values.yaml
@@ -1,4 +1,8 @@
 controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: false
   addHeaders:
diff --git a/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml b/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml
index c7f22d636..fd8df8de5 100644
--- a/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml
@@ -1,4 +1,8 @@
 controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: false
   service:
diff --git a/charts/ingress-nginx/ci/deployment-metrics-values.yaml b/charts/ingress-nginx/ci/deployment-metrics-values.yaml
index 887ed0f62..9209ad5a6 100644
--- a/charts/ingress-nginx/ci/deployment-metrics-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-metrics-values.yaml
@@ -1,4 +1,8 @@
 controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: false
   metrics:
diff --git a/charts/ingress-nginx/ci/deployment-nodeport-values.yaml b/charts/ingress-nginx/ci/deployment-nodeport-values.yaml
index 84f1f7582..cd9b32352 100644
--- a/charts/ingress-nginx/ci/deployment-nodeport-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-nodeport-values.yaml
@@ -1,4 +1,8 @@
 controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: false
   service:
diff --git a/charts/ingress-nginx/ci/deployment-podannotations-values.yaml b/charts/ingress-nginx/ci/deployment-podannotations-values.yaml
index b65a0910b..b48d93c46 100644
--- a/charts/ingress-nginx/ci/deployment-podannotations-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-podannotations-values.yaml
@@ -1,4 +1,8 @@
 controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: false
   metrics:
diff --git a/charts/ingress-nginx/ci/deployment-psp-values.yaml b/charts/ingress-nginx/ci/deployment-psp-values.yaml
index e339c69c3..2f332a7b2 100644
--- a/charts/ingress-nginx/ci/deployment-psp-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-psp-values.yaml
@@ -1,4 +1,8 @@
 controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   service:
     type: ClusterIP
 
diff --git a/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml b/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml
index 141e06b68..c51a4e91f 100644
--- a/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml
@@ -1,4 +1,8 @@
 controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: false
   service:
diff --git a/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml b/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml
index bc29abeba..5b45b69dc 100644
--- a/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml
@@ -1,4 +1,8 @@
 controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: false
   service:
diff --git a/charts/ingress-nginx/ci/deployment-tcp-values.yaml b/charts/ingress-nginx/ci/deployment-tcp-values.yaml
index b7f54c09f..ac0b6e60e 100644
--- a/charts/ingress-nginx/ci/deployment-tcp-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-tcp-values.yaml
@@ -1,4 +1,8 @@
 controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   service:
     type: ClusterIP
 
diff --git a/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml b/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml
index a829c3614..6195bb339 100644
--- a/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml
@@ -1,4 +1,8 @@
 controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: true
   service:
diff --git a/charts/ingress-nginx/ci/deployment-webhook-values.yaml b/charts/ingress-nginx/ci/deployment-webhook-values.yaml
index 4f18a70b9..76669a530 100644
--- a/charts/ingress-nginx/ci/deployment-webhook-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-webhook-values.yaml
@@ -1,4 +1,8 @@
 controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
   admissionWebhooks:
     enabled: true
   service:
diff --git a/charts/ingress-nginx/templates/NOTES.txt b/charts/ingress-nginx/templates/NOTES.txt
index 60fb2c1f6..2eebba368 100644
--- a/charts/ingress-nginx/templates/NOTES.txt
+++ b/charts/ingress-nginx/templates/NOTES.txt
@@ -29,7 +29,7 @@ Get the application URL by running these commands:
 
 An example Ingress that makes use of the controller:
 
-  apiVersion: networking.k8s.io/v1beta1
+  apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     annotations:
diff --git a/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
index 2f3dd7784..712f74fdd 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
@@ -18,7 +18,7 @@ webhooks:
       - apiGroups:
           - networking.k8s.io
         apiVersions:
-          - v1beta1
+          - v1
         operations:
           - CREATE
           - UPDATE
@@ -28,12 +28,11 @@ webhooks:
     sideEffects: None
     admissionReviewVersions:
       - v1
-      - v1beta1
     clientConfig:
       service:
         namespace: {{ .Release.Namespace | quote }}
         name: {{ include "ingress-nginx.controller.fullname" . }}-admission
-        path: /networking/v1beta1/ingresses
+        path: /networking/v1/ingresses
     {{- if .Values.controller.admissionWebhooks.timeoutSeconds }}
     timeoutSeconds: {{ .Values.controller.admissionWebhooks.timeoutSeconds }}
     {{- end }}
diff --git a/charts/ingress-nginx/templates/clusterrole.yaml b/charts/ingress-nginx/templates/clusterrole.yaml
index b546aaea2..c1f901d50 100644
--- a/charts/ingress-nginx/templates/clusterrole.yaml
+++ b/charts/ingress-nginx/templates/clusterrole.yaml
@@ -48,8 +48,7 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - "networking.k8s.io" # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses
     verbs:
@@ -64,14 +63,13 @@ rules:
       - create
       - patch
   - apiGroups:
-      - extensions
-      - "networking.k8s.io" # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
   - apiGroups:
-      - "networking.k8s.io" # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingressclasses
     verbs:
diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml
index 0c94fcdd4..34986e568 100644
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -77,22 +77,22 @@ spec:
           args:
             - /nginx-ingress-controller
           {{- if .Values.defaultBackend.enabled }}
-            - --default-backend-service={{ .Release.Namespace }}/{{ include "ingress-nginx.defaultBackend.fullname" . }}
+            - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }}
           {{- end }}
           {{- if .Values.controller.publishService.enabled }}
             - --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }}
           {{- end }}
             - --election-id={{ .Values.controller.electionID }}
-            - --ingress-class={{ .Values.controller.ingressClass }}
-            - --configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.controller.fullname" . }}
+            - --controller-class={{ .Values.controller.ingressClassResource.controllerValue }}
+            - --configmap={{ default "$(POD_NAMESPACE)" .Values.controller.configMapNamespace }}/{{ include "ingress-nginx.controller.fullname" . }}
           {{- if .Values.tcp }}
-            - --tcp-services-configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-tcp
+            - --tcp-services-configmap={{ default "$(POD_NAMESPACE)" .Values.controller.tcp.configMapNamespace }}/{{ include "ingress-nginx.fullname" . }}-tcp
           {{- end }}
           {{- if .Values.udp }}
-            - --udp-services-configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-udp
+            - --udp-services-configmap={{ default "$(POD_NAMESPACE)" .Values.controller.udp.configMapNamespace }}/{{ include "ingress-nginx.fullname" . }}-udp
           {{- end }}
           {{- if .Values.controller.scope.enabled }}
-            - --watch-namespace={{ default .Release.Namespace .Values.controller.scope.namespace }}
+            - --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }}
           {{- end }}
           {{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }}
             - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }}
@@ -111,6 +111,9 @@ spec:
           {{- if not (eq .Values.controller.healthCheckPath "/healthz") }}
             - --health-check-path={{ .Values.controller.healthCheckPath }}
           {{- end }}
+          {{- if .Values.controller.watchIngressWithoutClass }}
+            - --watch-ingress-without-class=true
+          {{- end }}
           {{- range $key, $value := .Values.controller.extraArgs }}
             {{- /* Accept keys without values or with false as value */}}
             {{- if eq ($value | quote | len) 2 }}
diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
index d90f76b32..f17975de3 100644
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -87,13 +87,13 @@ spec:
             - --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }}
           {{- end }}
             - --election-id={{ .Values.controller.electionID }}
-            - --ingress-class={{ .Values.controller.ingressClass }}
-            - --configmap=$(POD_NAMESPACE)/{{ include "ingress-nginx.controller.fullname" . }}
+            - --controller-class={{ .Values.controller.ingressClassResource.controllerValue }}
+            - --configmap={{ default "$(POD_NAMESPACE)" .Values.controller.configMapNamespace }}/{{ include "ingress-nginx.controller.fullname" . }}
           {{- if .Values.tcp }}
-            - --tcp-services-configmap=$(POD_NAMESPACE)/{{ include "ingress-nginx.fullname" . }}-tcp
+            - --tcp-services-configmap={{ default "$(POD_NAMESPACE)" .Values.controller.tcp.configMapNamespace }}/{{ include "ingress-nginx.fullname" . }}-tcp
           {{- end }}
           {{- if .Values.udp }}
-            - --udp-services-configmap=$(POD_NAMESPACE)/{{ include "ingress-nginx.fullname" . }}-udp
+            - --udp-services-configmap={{ default "$(POD_NAMESPACE)" .Values.controller.udp.configMapNamespace }}/{{ include "ingress-nginx.fullname" . }}-udp
           {{- end }}
           {{- if .Values.controller.scope.enabled }}
             - --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }}
@@ -112,6 +112,9 @@ spec:
           {{- if not (eq .Values.controller.healthCheckPath "/healthz") }}
             - --health-check-path={{ .Values.controller.healthCheckPath }}
           {{- end }}
+          {{- if .Values.controller.watchIngressWithoutClass }}
+            - --watch-ingress-without-class=true
+          {{- end }}
           {{- range $key, $value := .Values.controller.extraArgs }}
             {{- /* Accept keys without values or with false as value */}}
             {{- if eq ($value | quote | len) 2 }}
@@ -143,7 +146,7 @@ spec:
           {{- end }}
           {{- if .Values.controller.extraEnvs }}
             {{- toYaml .Values.controller.extraEnvs | nindent 12 }}
-          {{- end }}          
+          {{- end }}
           {{- if .Values.controller.startupProbe }}
           startupProbe: {{ toYaml .Values.controller.startupProbe | nindent 12 }}
           {{- end }}
diff --git a/charts/ingress-nginx/templates/controller-ingressclass.yaml b/charts/ingress-nginx/templates/controller-ingressclass.yaml
index f94b9590d..9492784a2 100644
--- a/charts/ingress-nginx/templates/controller-ingressclass.yaml
+++ b/charts/ingress-nginx/templates/controller-ingressclass.yaml
@@ -1,9 +1,7 @@
-{{- if and (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) (.Values.controller.ingressClassResource.enabled) -}}
-{{- if and (semverCompare "=1.18-0" .Capabilities.KubeVersion.GitVersion)  }}
-apiVersion: networking.k8s.io/v1beta1
-{{- else }}
+{{- if .Values.controller.ingressClassResource.enabled -}}
+# We don't support namespaced ingressClass yet
+# So a ClusterRole and a ClusterRoleBinding is required
 apiVersion: networking.k8s.io/v1
-{{- end }}
 kind: IngressClass
 metadata:
   labels:
@@ -12,12 +10,12 @@ metadata:
     {{- with .Values.controller.labels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
-  name: {{ .Values.controller.ingressClass }}
+  name: {{ .Values.controller.ingressClassResource.name }}
 {{- if .Values.controller.ingressClassResource.default }}
   annotations:
     ingressclass.kubernetes.io/is-default-class: "true"
 {{- end }}
 spec:
-  controller: k8s.io/ingress-nginx
+  controller: {{ .Values.controller.ingressClassResource.controllerValue }}
   {{ template "ingressClass.parameters" . }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml
index 1a5ccd29b..97c627dac 100644
--- a/charts/ingress-nginx/templates/controller-role.yaml
+++ b/charts/ingress-nginx/templates/controller-role.yaml
@@ -34,8 +34,7 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - "networking.k8s.io" # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses
     verbs:
@@ -43,14 +42,13 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - "networking.k8s.io" # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
   - apiGroups:
-      - "networking.k8s.io" # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingressclasses
     verbs:
@@ -62,7 +60,7 @@ rules:
     resources:
       - configmaps
     resourceNames:
-      - {{ .Values.controller.electionID }}-{{ .Values.controller.ingressClass }}
+      - {{ .Values.controller.electionID }}
     verbs:
       - get
       - update
diff --git a/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/charts/ingress-nginx/templates/controller-servicemonitor.yaml
index 066488a04..17894c8be 100644
--- a/charts/ingress-nginx/templates/controller-servicemonitor.yaml
+++ b/charts/ingress-nginx/templates/controller-servicemonitor.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled -}}
+{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled -}}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 54ee795e6..1c3c1e021 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -15,8 +15,8 @@ controller:
     # for backwards compatibility consider setting the full image url via the repository value below
     # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     # repository:
-    tag: "v0.49.0"
-    digest: sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
+    tag: "v1.0.0-beta.3"
+    digest: sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
     pullPolicy: IfNotPresent
     # www-data -> uid 101
     runAsUser: 101
@@ -61,6 +61,11 @@ controller:
   # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply
   reportNodeInternalIp: false
 
+  # Process Ingress objects without ingressClass annotation/ingressClassName field
+  # Overrides value for --watch-ingress-without-class flag of the controller binary
+  # Defaults to false
+  watchIngressWithoutClass: false
+
   # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
   # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
   # is merged
@@ -79,15 +84,13 @@ controller:
   ##
   electionID: ingress-controller-leader
 
-  ## Name of the ingress class to route through this controller
-  ##
-  ingressClass: nginx
-
   # This section refers to the creation of the IngressClass resource
-  # IngressClass resources are supported since k8s >= 1.18
+  # IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19
   ingressClassResource:
-    enabled: false
+    name: nginx
+    enabled: true
     default: false
+    controllerValue: "k8s.io/ingress-nginx"
 
     # Parameters is a link to a custom resource containing additional
     # configuration for the controller. This is optional if the controller
@@ -124,23 +127,23 @@ controller:
   ##
   scope:
     enabled: false
-    namespace: ""   # defaults to .Release.Namespace
+    namespace: ""   # defaults to $(POD_NAMESPACE)
 
   ## Allows customization of the configmap / nginx-configmap namespace
   ##
-  configMapNamespace: ""   # defaults to .Release.Namespace
+  configMapNamespace: ""   # defaults to $(POD_NAMESPACE)
 
   ## Allows customization of the tcp-services-configmap
   ##
   tcp:
-    configMapNamespace: ""   # defaults to .Release.Namespace
+    configMapNamespace: ""   # defaults to $(POD_NAMESPACE)
     ## Annotations to be added to the tcp config configmap
     annotations: {}
 
   ## Allows customization of the udp-services-configmap
   ##
   udp:
-    configMapNamespace: ""   # defaults to .Release.Namespace
+    configMapNamespace: ""   # defaults to $(POD_NAMESPACE)
     ## Annotations to be added to the udp config configmap
     annotations: {}
 
@@ -544,12 +547,13 @@ controller:
     patch:
       enabled: true
       image:
-        registry: docker.io
-        image: jettech/kube-webhook-certgen
+        registry: k8s.gcr.io
+        image: ingress-nginx/kube-webhook-certgen
         # for backwards compatibility consider setting the full image url via the repository value below
         # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
         # repository:
-        tag: v1.5.1
+        tag: v1.0
+        digest: sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
         pullPolicy: IfNotPresent
       ## Provide a priority class name to the webhook patching job
       ##
diff --git a/cmd/nginx/flags.go b/cmd/nginx/flags.go
index b125719fd..aabade07e 100644
--- a/cmd/nginx/flags.go
+++ b/cmd/nginx/flags.go
@@ -24,10 +24,10 @@ import (
 
 	"github.com/spf13/pflag"
 	apiv1 "k8s.io/api/core/v1"
-	"k8s.io/ingress-nginx/internal/ingress/annotations/class"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/controller"
 	ngx_config "k8s.io/ingress-nginx/internal/ingress/controller/config"
+	"k8s.io/ingress-nginx/internal/ingress/controller/ingressclass"
 	"k8s.io/ingress-nginx/internal/ingress/status"
 	ing_net "k8s.io/ingress-nginx/internal/net"
 	"k8s.io/ingress-nginx/internal/nginx"
@@ -55,10 +55,18 @@ only when the flag --apiserver-host is specified.`)
 Takes the form "namespace/name". The controller configures NGINX to forward
 requests to the first port of this Service.`)
 
-		ingressClass = flags.String("ingress-class", "",
-			`Name of the ingress class this controller satisfies.
-The class of an Ingress object is set using the field IngressClassName in Kubernetes clusters version v1.18.0 or higher or the annotation "kubernetes.io/ingress.class" (deprecated).
-If this parameter is not set, or set to the default value of "nginx", it will handle ingresses with either an empty or "nginx" class name.`)
+		ingressClassAnnotation = flags.String("ingress-class", ingressclass.DefaultAnnotationValue,
+			`[IN DEPRECATION] Name of the ingress class this controller satisfies.
+The class of an Ingress object is set using the annotation "kubernetes.io/ingress.class" (deprecated).
+The parameter --controller-class has precedence over this.`)
+
+		ingressClassController = flags.String("controller-class", ingressclass.DefaultControllerName,
+			`Ingress Class Controller value this Ingress satisfies.
+The class of an Ingress object is set using the field IngressClassName in Kubernetes clusters version v1.19.0 or higher. The .spec.controller value of the IngressClass 
+referenced in an Ingress Object should be the same value specified here to make this object be watched.`)
+
+		watchWithoutClass = flags.Bool("watch-ingress-without-class", false,
+			`Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified`)
 
 		configMap = flags.String("configmap", "",
 			`Name of the ConfigMap containing custom global configurations for the controller.`)
@@ -207,18 +215,6 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g
 		status.UpdateInterval = *statusUpdateInterval
 	}
 
-	if *ingressClass != "" {
-		klog.InfoS("Watching for Ingress", "class", *ingressClass)
-
-		if *ingressClass != class.DefaultClass {
-			klog.Warningf("Only Ingresses with class %q will be processed by this Ingress controller", *ingressClass)
-		} else {
-			klog.Warning("Ingresses with an empty class will also be processed by this Ingress controller")
-		}
-
-		class.IngressClass = *ingressClass
-	}
-
 	parser.AnnotationsPrefix = *annotationsPrefix
 
 	// check port collisions
@@ -297,6 +293,11 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g
 			HTTPS:    *httpsPort,
 			SSLProxy: *sslProxyPort,
 		},
+		IngressClassConfiguration: &ingressclass.IngressClassConfiguration{
+			Controller:        *ingressClassController,
+			AnnotationValue:   *ingressClassAnnotation,
+			WatchWithoutClass: *watchWithoutClass,
+		},
 		DisableCatchAll:           *disableCatchAll,
 		ValidationWebhook:         *validationWebhook,
 		ValidationWebhookCertPath: *validationWebhookCert,
diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go
index 9c245baa1..b21e1012e 100644
--- a/cmd/nginx/main.go
+++ b/cmd/nginx/main.go
@@ -43,7 +43,6 @@ import (
 	"k8s.io/klog/v2"
 
 	"k8s.io/ingress-nginx/internal/file"
-	"k8s.io/ingress-nginx/internal/ingress/annotations/class"
 	"k8s.io/ingress-nginx/internal/ingress/controller"
 	"k8s.io/ingress-nginx/internal/ingress/metric"
 	"k8s.io/ingress-nginx/internal/k8s"
@@ -104,35 +103,16 @@ func main() {
 	conf.FakeCertificate = ssl.GetFakeSSLCert()
 	klog.InfoS("SSL fake certificate created", "file", conf.FakeCertificate.PemFileName)
 
-	var isNetworkingIngressAvailable bool
-
-	isNetworkingIngressAvailable, k8s.IsIngressV1Beta1Ready, _ = k8s.NetworkingIngressAvailable(kubeClient)
-	if !isNetworkingIngressAvailable {
-		klog.Fatalf("ingress-nginx requires Kubernetes v1.14.0 or higher")
+	if !k8s.NetworkingIngressAvailable(kubeClient) {
+		klog.Fatalf("ingress-nginx requires Kubernetes v1.19.0 or higher")
 	}
 
-	if k8s.IsIngressV1Beta1Ready {
-		klog.InfoS("Enabling new Ingress features available since Kubernetes v1.18")
-		k8s.IngressClass, err = kubeClient.NetworkingV1beta1().IngressClasses().
-			Get(context.TODO(), class.IngressClass, metav1.GetOptions{})
-		if err != nil {
-			if !errors.IsNotFound(err) {
-				if !errors.IsUnauthorized(err) && !errors.IsForbidden(err) {
-					klog.Fatalf("Error searching IngressClass: %v", err)
-				}
-
-				klog.ErrorS(err, "Searching IngressClass", "class", class.IngressClass)
+	_, err = kubeClient.NetworkingV1().IngressClasses().List(context.TODO(), metav1.ListOptions{})
+	if err != nil {
+		if !errors.IsNotFound(err) {
+			if errors.IsUnauthorized(err) || !errors.IsForbidden(err) {
+				klog.Fatalf("Error searching IngressClass: Please verify your RBAC and allow Ingress Controller to list and get Ingress Classes: %v", err)
 			}
-
-			klog.Warningf("No IngressClass resource with name %v found. Only annotation will be used.", class.IngressClass)
-
-			// TODO: remove once this is fixed in client-go
-			k8s.IngressClass = nil
-		}
-
-		if k8s.IngressClass != nil && k8s.IngressClass.Spec.Controller != k8s.IngressNGINXController {
-			klog.Errorf(`Invalid IngressClass (Spec.Controller) value "%v". Should be "%v"`, k8s.IngressClass.Spec.Controller, k8s.IngressNGINXController)
-			klog.Fatalf("IngressClass with name %v is not valid for ingress-nginx (invalid Spec.Controller)", class.IngressClass)
 		}
 	}
 
@@ -153,7 +133,7 @@ func main() {
 
 	mc := metric.NewDummyCollector()
 	if conf.EnableMetrics {
-		mc, err = metric.NewCollector(conf.MetricsPerHost, reg)
+		mc, err = metric.NewCollector(conf.MetricsPerHost, reg, conf.IngressClassConfiguration.Controller)
 		if err != nil {
 			klog.Fatalf("Error creating prometheus collector:  %v", err)
 		}
diff --git a/cmd/plugin/commands/ingresses/ingresses.go b/cmd/plugin/commands/ingresses/ingresses.go
index 38da62930..dff967103 100644
--- a/cmd/plugin/commands/ingresses/ingresses.go
+++ b/cmd/plugin/commands/ingresses/ingresses.go
@@ -22,7 +22,8 @@ import (
 	"text/tabwriter"
 
 	"github.com/spf13/cobra"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 
 	"k8s.io/ingress-nginx/cmd/plugin/request"
@@ -157,9 +158,10 @@ func getIngressRows(ingresses *[]networking.Ingress) []ingressRow {
 
 		defaultBackendService := ""
 		defaultBackendPort := ""
-		if ing.Spec.Backend != nil {
-			defaultBackendService = ing.Spec.Backend.ServiceName
-			defaultBackendPort = ing.Spec.Backend.ServicePort.String()
+		if ing.Spec.DefaultBackend != nil {
+			name, port := serviceToNameAndPort(ing.Spec.DefaultBackend.Service)
+			defaultBackendService = name
+			defaultBackendPort = port.String()
 		}
 
 		// Handle catch-all ingress
@@ -197,14 +199,15 @@ func getIngressRows(ingresses *[]networking.Ingress) []ingressRow {
 			}
 
 			for _, path := range rule.HTTP.Paths {
+				svcName, svcPort := serviceToNameAndPort(path.Backend.Service)
 				row := ingressRow{
 					Namespace:   ing.Namespace,
 					IngressName: ing.Name,
 					Host:        rule.Host,
 					Path:        path.Path,
 					TLS:         hasTLS,
-					ServiceName: path.Backend.ServiceName,
-					ServicePort: path.Backend.ServicePort.String(),
+					ServiceName: svcName,
+					ServicePort: svcPort.String(),
 					Address:     address,
 				}
 
@@ -215,3 +218,17 @@ func getIngressRows(ingresses *[]networking.Ingress) []ingressRow {
 
 	return rows
 }
+
+func serviceToNameAndPort(svc *networking.IngressServiceBackend) (string, intstr.IntOrString) {
+	var svcName string
+	if svc != nil {
+		svcName = svc.Name
+		if svc.Port.Number > 0 {
+			return svcName, intstr.FromInt(int(svc.Port.Number))
+		}
+		if svc.Port.Name != "" {
+			return svcName, intstr.FromString(svc.Port.Name)
+		}
+	}
+	return "", intstr.IntOrString{}
+}
diff --git a/cmd/plugin/commands/ingresses/ingresses_test.go b/cmd/plugin/commands/ingresses/ingresses_test.go
new file mode 100644
index 000000000..6a8d8837f
--- /dev/null
+++ b/cmd/plugin/commands/ingresses/ingresses_test.go
@@ -0,0 +1,75 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ingresses
+
+import (
+	"testing"
+
+	networking "k8s.io/api/networking/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+func TestGetIngressInformation(t *testing.T) {
+
+	testcases := map[string]struct {
+		ServiceBackend *networking.IngressServiceBackend
+		wantName       string
+		wantPort       intstr.IntOrString
+	}{
+		"empty ingressServiceBackend": {
+			ServiceBackend: &networking.IngressServiceBackend{},
+			wantName:       "",
+			wantPort:       intstr.IntOrString{},
+		},
+		"ingressServiceBackend with port 8080": {
+			ServiceBackend: &networking.IngressServiceBackend{
+				Name: "test",
+				Port: networking.ServiceBackendPort{
+					Number: 8080,
+				},
+			},
+			wantName: "test",
+			wantPort: intstr.IntOrString{
+				Type:   intstr.Int,
+				IntVal: 8080,
+			},
+		},
+		"ingressServiceBackend with port name a-svc": {
+			ServiceBackend: &networking.IngressServiceBackend{
+				Name: "test",
+				Port: networking.ServiceBackendPort{
+					Name: "a-svc",
+				},
+			},
+			wantName: "test",
+			wantPort: intstr.IntOrString{
+				Type:   intstr.String,
+				StrVal: "a-svc",
+			},
+		},
+	}
+
+	for title, testCase := range testcases {
+		gotName, gotPort := serviceToNameAndPort(testCase.ServiceBackend)
+		if gotName != testCase.wantName {
+			t.Fatalf("%s: expected '%v' but returned %v", title, testCase.wantName, gotName)
+		}
+		if gotPort != testCase.wantPort {
+			t.Fatalf("%s: expected '%v' but returned %v", title, testCase.wantPort, gotPort)
+		}
+	}
+}
diff --git a/cmd/plugin/commands/lint/main.go b/cmd/plugin/commands/lint/main.go
index d120e9311..2daf8eb87 100644
--- a/cmd/plugin/commands/lint/main.go
+++ b/cmd/plugin/commands/lint/main.go
@@ -22,7 +22,7 @@ import (
 	"github.com/spf13/cobra"
 
 	appsv1 "k8s.io/api/apps/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	kmeta "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 
diff --git a/cmd/plugin/lints/ingress.go b/cmd/plugin/lints/ingress.go
index 0de4661f4..ea08bfd8b 100644
--- a/cmd/plugin/lints/ingress.go
+++ b/cmd/plugin/lints/ingress.go
@@ -20,7 +20,7 @@ import (
 	"fmt"
 	"strings"
 
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	kmeta "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/cmd/plugin/util"
 )
diff --git a/cmd/plugin/request/request.go b/cmd/plugin/request/request.go
index b8bc4eaae..cae90e9d2 100644
--- a/cmd/plugin/request/request.go
+++ b/cmd/plugin/request/request.go
@@ -22,12 +22,12 @@ import (
 
 	appsv1 "k8s.io/api/apps/v1"
 	apiv1 "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	appsv1client "k8s.io/client-go/kubernetes/typed/apps/v1"
 	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
-	typednetworking "k8s.io/client-go/kubernetes/typed/networking/v1beta1"
+	typednetworking "k8s.io/client-go/kubernetes/typed/networking/v1"
 
 	"k8s.io/ingress-nginx/cmd/plugin/util"
 )
diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml
index 2d4ad3ab7..99b4de04d 100644
--- a/deploy/static/provider/aws/deploy-tls-termination.yaml
+++ b/deploy/static/provider/aws/deploy-tls-termination.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,16 +28,16 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
   namespace: ingress-nginx
 data:
-  http-snippet: |
+  http-snippet:|
     server{
       listen 2443;
       return 308 https://$host$request_uri;
@@ -50,10 +50,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -83,8 +83,7 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses
     verbs:
@@ -99,14 +98,13 @@ rules:
       - create
       - patch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
   - apiGroups:
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingressclasses
     verbs:
@@ -119,10 +117,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -139,10 +137,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -174,8 +172,7 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses
     verbs:
@@ -183,14 +180,13 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
   - apiGroups:
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingressclasses
     verbs:
@@ -202,7 +198,7 @@ rules:
     resources:
       - configmaps
     resourceNames:
-      - ingress-controller-leader-nginx
+      - ingress-controller-leader
     verbs:
       - get
       - update
@@ -225,10 +221,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -247,10 +243,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -278,10 +274,10 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
     service.beta.kubernetes.io/aws-load-balancer-type: elb
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -308,10 +304,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -334,7 +330,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.3@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -345,7 +341,7 @@ spec:
             - /nginx-ingress-controller
             - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
             - --election-id=ingress-controller-leader
-            - --ingress-class=nginx
+            - --controller-class=k8s.io/ingress-nginx
             - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
             - --validating-webhook=:8443
             - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -419,6 +415,24 @@ spec:
           secret:
             secretName: ingress-nginx-admission
 ---
+# Source: ingress-nginx/templates/controller-ingressclass.yaml
+# We don't support namespaced ingressClass yet
+# So a ClusterRole and a ClusterRoleBinding is required
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+  name: nginx
+  namespace: ingress-nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
 # Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
 # before changing this value, check the required kubernetes version
 # https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
@@ -426,10 +440,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -440,7 +454,7 @@ webhooks:
       - apiGroups:
           - networking.k8s.io
         apiVersions:
-          - v1beta1
+          - v1
         operations:
           - CREATE
           - UPDATE
@@ -450,12 +464,11 @@ webhooks:
     sideEffects: None
     admissionReviewVersions:
       - v1
-      - v1beta1
     clientConfig:
       service:
         namespace: ingress-nginx
         name: ingress-nginx-controller-admission
-        path: /networking/v1beta1/ingresses
+        path: /networking/v1/ingresses
 ---
 # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
 apiVersion: v1
@@ -467,10 +480,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -483,10 +496,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -507,10 +520,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -532,10 +545,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -557,10 +570,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -582,10 +595,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -593,16 +606,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.36.0
+        helm.sh/chart: ingress-nginx-4.0.0-beta.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.49.0
+        app.kubernetes.io/version: 1.0.0-beta.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: create
-          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
           imagePullPolicy: IfNotPresent
           args:
             - create
@@ -632,10 +645,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -643,16 +656,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.36.0
+        helm.sh/chart: ingress-nginx-4.0.0-beta.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.49.0
+        app.kubernetes.io/version: 1.0.0-beta.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: patch
-          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
           imagePullPolicy: IfNotPresent
           args:
             - patch
diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml
index acd8fd604..a9a528a4a 100644
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -43,10 +43,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -76,8 +76,7 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses
     verbs:
@@ -92,14 +91,13 @@ rules:
       - create
       - patch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
   - apiGroups:
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingressclasses
     verbs:
@@ -112,10 +110,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +130,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -167,8 +165,7 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses
     verbs:
@@ -176,14 +173,13 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
   - apiGroups:
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingressclasses
     verbs:
@@ -195,7 +191,7 @@ rules:
     resources:
       - configmaps
     resourceNames:
-      - ingress-controller-leader-nginx
+      - ingress-controller-leader
     verbs:
       - get
       - update
@@ -218,10 +214,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -240,10 +236,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -268,10 +264,10 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -298,10 +294,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -324,7 +320,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.3@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -335,7 +331,7 @@ spec:
             - /nginx-ingress-controller
             - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
             - --election-id=ingress-controller-leader
-            - --ingress-class=nginx
+            - --controller-class=k8s.io/ingress-nginx
             - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
             - --validating-webhook=:8443
             - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -406,6 +402,24 @@ spec:
           secret:
             secretName: ingress-nginx-admission
 ---
+# Source: ingress-nginx/templates/controller-ingressclass.yaml
+# We don't support namespaced ingressClass yet
+# So a ClusterRole and a ClusterRoleBinding is required
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+  name: nginx
+  namespace: ingress-nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
 # Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
 # before changing this value, check the required kubernetes version
 # https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
@@ -413,10 +427,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -427,7 +441,7 @@ webhooks:
       - apiGroups:
           - networking.k8s.io
         apiVersions:
-          - v1beta1
+          - v1
         operations:
           - CREATE
           - UPDATE
@@ -437,12 +451,11 @@ webhooks:
     sideEffects: None
     admissionReviewVersions:
       - v1
-      - v1beta1
     clientConfig:
       service:
         namespace: ingress-nginx
         name: ingress-nginx-controller-admission
-        path: /networking/v1beta1/ingresses
+        path: /networking/v1/ingresses
 ---
 # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
 apiVersion: v1
@@ -454,10 +467,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -470,10 +483,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -494,10 +507,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -519,10 +532,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -544,10 +557,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -569,10 +582,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -580,16 +593,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.36.0
+        helm.sh/chart: ingress-nginx-4.0.0-beta.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.49.0
+        app.kubernetes.io/version: 1.0.0-beta.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: create
-          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
           imagePullPolicy: IfNotPresent
           args:
             - create
@@ -619,10 +632,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -630,16 +643,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.36.0
+        helm.sh/chart: ingress-nginx-4.0.0-beta.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.49.0
+        app.kubernetes.io/version: 1.0.0-beta.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: patch
-          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
           imagePullPolicy: IfNotPresent
           args:
             - patch
diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml
index 55c2dc5ae..12d990353 100644
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -43,10 +43,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -76,8 +76,7 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses
     verbs:
@@ -92,14 +91,13 @@ rules:
       - create
       - patch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
   - apiGroups:
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingressclasses
     verbs:
@@ -112,10 +110,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +130,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -167,8 +165,7 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses
     verbs:
@@ -176,14 +173,13 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
   - apiGroups:
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingressclasses
     verbs:
@@ -195,7 +191,7 @@ rules:
     resources:
       - configmaps
     resourceNames:
-      - ingress-controller-leader-nginx
+      - ingress-controller-leader
     verbs:
       - get
       - update
@@ -218,10 +214,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -240,10 +236,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -265,10 +261,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -294,10 +290,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -320,7 +316,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.3@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -330,7 +326,7 @@ spec:
           args:
             - /nginx-ingress-controller
             - --election-id=ingress-controller-leader
-            - --ingress-class=nginx
+            - --controller-class=k8s.io/ingress-nginx
             - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
             - --validating-webhook=:8443
             - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -401,6 +397,24 @@ spec:
           secret:
             secretName: ingress-nginx-admission
 ---
+# Source: ingress-nginx/templates/controller-ingressclass.yaml
+# We don't support namespaced ingressClass yet
+# So a ClusterRole and a ClusterRoleBinding is required
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+  name: nginx
+  namespace: ingress-nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
 # Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
 # before changing this value, check the required kubernetes version
 # https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
@@ -408,10 +422,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -422,7 +436,7 @@ webhooks:
       - apiGroups:
           - networking.k8s.io
         apiVersions:
-          - v1beta1
+          - v1
         operations:
           - CREATE
           - UPDATE
@@ -432,12 +446,11 @@ webhooks:
     sideEffects: None
     admissionReviewVersions:
       - v1
-      - v1beta1
     clientConfig:
       service:
         namespace: ingress-nginx
         name: ingress-nginx-controller-admission
-        path: /networking/v1beta1/ingresses
+        path: /networking/v1/ingresses
 ---
 # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
 apiVersion: v1
@@ -449,10 +462,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -465,10 +478,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -489,10 +502,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -514,10 +527,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -539,10 +552,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -564,10 +577,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -575,16 +588,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.36.0
+        helm.sh/chart: ingress-nginx-4.0.0-beta.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.49.0
+        app.kubernetes.io/version: 1.0.0-beta.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: create
-          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
           imagePullPolicy: IfNotPresent
           args:
             - create
@@ -614,10 +627,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -625,16 +638,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.36.0
+        helm.sh/chart: ingress-nginx-4.0.0-beta.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.49.0
+        app.kubernetes.io/version: 1.0.0-beta.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: patch
-          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
           imagePullPolicy: IfNotPresent
           args:
             - patch
diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml
index be69bee73..80e89b165 100644
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -43,10 +43,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -76,8 +76,7 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses
     verbs:
@@ -92,14 +91,13 @@ rules:
       - create
       - patch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
   - apiGroups:
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingressclasses
     verbs:
@@ -112,10 +110,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +130,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -167,8 +165,7 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses
     verbs:
@@ -176,14 +173,13 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
   - apiGroups:
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingressclasses
     verbs:
@@ -195,7 +191,7 @@ rules:
     resources:
       - configmaps
     resourceNames:
-      - ingress-controller-leader-nginx
+      - ingress-controller-leader
     verbs:
       - get
       - update
@@ -218,10 +214,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -240,10 +236,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -265,10 +261,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -295,10 +291,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -321,7 +317,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.3@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -332,7 +328,7 @@ spec:
             - /nginx-ingress-controller
             - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
             - --election-id=ingress-controller-leader
-            - --ingress-class=nginx
+            - --controller-class=k8s.io/ingress-nginx
             - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
             - --validating-webhook=:8443
             - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -403,6 +399,24 @@ spec:
           secret:
             secretName: ingress-nginx-admission
 ---
+# Source: ingress-nginx/templates/controller-ingressclass.yaml
+# We don't support namespaced ingressClass yet
+# So a ClusterRole and a ClusterRoleBinding is required
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+  name: nginx
+  namespace: ingress-nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
 # Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
 # before changing this value, check the required kubernetes version
 # https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
@@ -410,10 +424,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -424,7 +438,7 @@ webhooks:
       - apiGroups:
           - networking.k8s.io
         apiVersions:
-          - v1beta1
+          - v1
         operations:
           - CREATE
           - UPDATE
@@ -434,12 +448,11 @@ webhooks:
     sideEffects: None
     admissionReviewVersions:
       - v1
-      - v1beta1
     clientConfig:
       service:
         namespace: ingress-nginx
         name: ingress-nginx-controller-admission
-        path: /networking/v1beta1/ingresses
+        path: /networking/v1/ingresses
 ---
 # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
 apiVersion: v1
@@ -451,10 +464,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -467,10 +480,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -491,10 +504,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -516,10 +529,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -541,10 +554,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -566,10 +579,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -577,16 +590,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.36.0
+        helm.sh/chart: ingress-nginx-4.0.0-beta.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.49.0
+        app.kubernetes.io/version: 1.0.0-beta.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: create
-          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
           imagePullPolicy: IfNotPresent
           args:
             - create
@@ -616,10 +629,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -627,16 +640,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.36.0
+        helm.sh/chart: ingress-nginx-4.0.0-beta.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.49.0
+        app.kubernetes.io/version: 1.0.0-beta.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: patch
-          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
           imagePullPolicy: IfNotPresent
           args:
             - patch
diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml
index 95be9c1e4..81c0fffdb 100644
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -77,8 +77,7 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses
     verbs:
@@ -93,14 +92,13 @@ rules:
       - create
       - patch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
   - apiGroups:
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingressclasses
     verbs:
@@ -113,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -133,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -168,8 +166,7 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses
     verbs:
@@ -177,14 +174,13 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
   - apiGroups:
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingressclasses
     verbs:
@@ -196,7 +192,7 @@ rules:
     resources:
       - configmaps
     resourceNames:
-      - ingress-controller-leader-nginx
+      - ingress-controller-leader
     verbs:
       - get
       - update
@@ -219,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -241,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -267,10 +263,10 @@ metadata:
   annotations:
     service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -297,10 +293,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -323,7 +319,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.3@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -334,7 +330,7 @@ spec:
             - /nginx-ingress-controller
             - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
             - --election-id=ingress-controller-leader
-            - --ingress-class=nginx
+            - --controller-class=k8s.io/ingress-nginx
             - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
             - --validating-webhook=:8443
             - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -405,6 +401,24 @@ spec:
           secret:
             secretName: ingress-nginx-admission
 ---
+# Source: ingress-nginx/templates/controller-ingressclass.yaml
+# We don't support namespaced ingressClass yet
+# So a ClusterRole and a ClusterRoleBinding is required
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+  name: nginx
+  namespace: ingress-nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
 # Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
 # before changing this value, check the required kubernetes version
 # https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
@@ -412,10 +426,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -426,7 +440,7 @@ webhooks:
       - apiGroups:
           - networking.k8s.io
         apiVersions:
-          - v1beta1
+          - v1
         operations:
           - CREATE
           - UPDATE
@@ -436,12 +450,12 @@ webhooks:
     sideEffects: None
     admissionReviewVersions:
       - v1
-      - v1beta1
     clientConfig:
       service:
         namespace: ingress-nginx
         name: ingress-nginx-controller-admission
-        path: /networking/v1beta1/ingresses
+        path: /networking/v1/ingresses
+    timeoutSeconds: 29
 ---
 # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
 apiVersion: v1
@@ -453,10 +467,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -469,10 +483,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -493,10 +507,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -518,10 +532,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -543,10 +557,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -568,10 +582,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -579,16 +593,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.36.0
+        helm.sh/chart: ingress-nginx-4.0.0-beta.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.49.0
+        app.kubernetes.io/version: 1.0.0-beta.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: create
-          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
           imagePullPolicy: IfNotPresent
           args:
             - create
@@ -618,10 +632,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -629,16 +643,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.36.0
+        helm.sh/chart: ingress-nginx-4.0.0-beta.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.49.0
+        app.kubernetes.io/version: 1.0.0-beta.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: patch
-          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
           imagePullPolicy: IfNotPresent
           args:
             - patch
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml
index 47b86b9b0..7603d947f 100644
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -43,10 +43,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -76,8 +76,7 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses
     verbs:
@@ -92,14 +91,13 @@ rules:
       - create
       - patch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
   - apiGroups:
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingressclasses
     verbs:
@@ -112,10 +110,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +130,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -167,8 +165,7 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses
     verbs:
@@ -176,14 +173,13 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
   - apiGroups:
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingressclasses
     verbs:
@@ -195,7 +191,7 @@ rules:
     resources:
       - configmaps
     resourceNames:
-      - ingress-controller-leader-nginx
+      - ingress-controller-leader
     verbs:
       - get
       - update
@@ -218,10 +214,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -240,10 +236,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -273,10 +269,10 @@ metadata:
     service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: 3s
     service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -303,10 +299,10 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -329,7 +325,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.3@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -340,8 +336,8 @@ spec:
             - /nginx-ingress-controller
             - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
             - --election-id=ingress-controller-leader
-            - --ingress-class=nginx
-            - --configmap=ingress-nginx/ingress-nginx-controller
+            - --controller-class=k8s.io/ingress-nginx
+            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
             - --validating-webhook=:8443
             - --validating-webhook-certificate=/usr/local/certificates/cert
             - --validating-webhook-key=/usr/local/certificates/key
@@ -411,6 +407,24 @@ spec:
           secret:
             secretName: ingress-nginx-admission
 ---
+# Source: ingress-nginx/templates/controller-ingressclass.yaml
+# We don't support namespaced ingressClass yet
+# So a ClusterRole and a ClusterRoleBinding is required
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+  name: nginx
+  namespace: ingress-nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
 # Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
 # before changing this value, check the required kubernetes version
 # https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
@@ -418,10 +432,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -432,7 +446,7 @@ webhooks:
       - apiGroups:
           - networking.k8s.io
         apiVersions:
-          - v1beta1
+          - v1
         operations:
           - CREATE
           - UPDATE
@@ -442,12 +456,11 @@ webhooks:
     sideEffects: None
     admissionReviewVersions:
       - v1
-      - v1beta1
     clientConfig:
       service:
         namespace: ingress-nginx
         name: ingress-nginx-controller-admission
-        path: /networking/v1beta1/ingresses
+        path: /networking/v1/ingresses
 ---
 # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
 apiVersion: v1
@@ -459,10 +472,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -475,10 +488,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -499,10 +512,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -524,10 +537,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -549,10 +562,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -574,10 +587,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -585,16 +598,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.36.0
+        helm.sh/chart: ingress-nginx-4.0.0-beta.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.49.0
+        app.kubernetes.io/version: 1.0.0-beta.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: create
-          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
           imagePullPolicy: IfNotPresent
           args:
             - create
@@ -624,10 +637,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -635,16 +648,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.36.0
+        helm.sh/chart: ingress-nginx-4.0.0-beta.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.49.0
+        app.kubernetes.io/version: 1.0.0-beta.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: patch
-          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
           imagePullPolicy: IfNotPresent
           args:
             - patch
diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index c53e2ae1b..f5ed6a217 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -43,10 +43,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -76,8 +76,7 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses
     verbs:
@@ -92,14 +91,13 @@ rules:
       - create
       - patch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
   - apiGroups:
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingressclasses
     verbs:
@@ -112,10 +110,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +130,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -167,8 +165,7 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses
     verbs:
@@ -176,14 +173,13 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
   - apiGroups:
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingressclasses
     verbs:
@@ -195,7 +191,7 @@ rules:
     resources:
       - configmaps
     resourceNames:
-      - ingress-controller-leader-nginx
+      - ingress-controller-leader
     verbs:
       - get
       - update
@@ -218,10 +214,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -240,10 +236,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -265,10 +261,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -294,10 +290,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -324,7 +320,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.3@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -334,7 +330,7 @@ spec:
           args:
             - /nginx-ingress-controller
             - --election-id=ingress-controller-leader
-            - --ingress-class=nginx
+            - --controller-class=k8s.io/ingress-nginx
             - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
             - --validating-webhook=:8443
             - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -413,6 +409,24 @@ spec:
           secret:
             secretName: ingress-nginx-admission
 ---
+# Source: ingress-nginx/templates/controller-ingressclass.yaml
+# We don't support namespaced ingressClass yet
+# So a ClusterRole and a ClusterRoleBinding is required
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+  name: nginx
+  namespace: ingress-nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
 # Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
 # before changing this value, check the required kubernetes version
 # https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
@@ -420,10 +434,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -434,7 +448,7 @@ webhooks:
       - apiGroups:
           - networking.k8s.io
         apiVersions:
-          - v1beta1
+          - v1
         operations:
           - CREATE
           - UPDATE
@@ -444,12 +458,11 @@ webhooks:
     sideEffects: None
     admissionReviewVersions:
       - v1
-      - v1beta1
     clientConfig:
       service:
         namespace: ingress-nginx
         name: ingress-nginx-controller-admission
-        path: /networking/v1beta1/ingresses
+        path: /networking/v1/ingresses
 ---
 # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
 apiVersion: v1
@@ -461,10 +474,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -477,10 +490,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -501,10 +514,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -526,10 +539,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -551,10 +564,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -576,10 +589,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -587,16 +600,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.36.0
+        helm.sh/chart: ingress-nginx-4.0.0-beta.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.49.0
+        app.kubernetes.io/version: 1.0.0-beta.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: create
-          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
           imagePullPolicy: IfNotPresent
           args:
             - create
@@ -626,10 +639,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -637,16 +650,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.36.0
+        helm.sh/chart: ingress-nginx-4.0.0-beta.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.49.0
+        app.kubernetes.io/version: 1.0.0-beta.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: patch
-          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
           imagePullPolicy: IfNotPresent
           args:
             - patch
diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml
index 2fd0154d5..2dce4a583 100644
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -77,8 +77,7 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses
     verbs:
@@ -93,14 +92,13 @@ rules:
       - create
       - patch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
   - apiGroups:
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingressclasses
     verbs:
@@ -113,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -133,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -168,8 +166,7 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses
     verbs:
@@ -177,14 +174,13 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
   - apiGroups:
-      - networking.k8s.io   # k8s 1.14+
+      - networking.k8s.io
     resources:
       - ingressclasses
     verbs:
@@ -196,7 +192,7 @@ rules:
     resources:
       - configmaps
     resourceNames:
-      - ingress-controller-leader-nginx
+      - ingress-controller-leader
     verbs:
       - get
       - update
@@ -219,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -241,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -267,10 +263,10 @@ metadata:
   annotations:
     service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -297,10 +293,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -323,7 +319,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.3@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -334,7 +330,7 @@ spec:
             - /nginx-ingress-controller
             - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
             - --election-id=ingress-controller-leader
-            - --ingress-class=nginx
+            - --controller-class=k8s.io/ingress-nginx
             - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
             - --validating-webhook=:8443
             - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -405,6 +401,24 @@ spec:
           secret:
             secretName: ingress-nginx-admission
 ---
+# Source: ingress-nginx/templates/controller-ingressclass.yaml
+# We don't support namespaced ingressClass yet
+# So a ClusterRole and a ClusterRoleBinding is required
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+  name: nginx
+  namespace: ingress-nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
 # Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
 # before changing this value, check the required kubernetes version
 # https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
@@ -412,10 +426,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -426,7 +440,7 @@ webhooks:
       - apiGroups:
           - networking.k8s.io
         apiVersions:
-          - v1beta1
+          - v1
         operations:
           - CREATE
           - UPDATE
@@ -436,12 +450,11 @@ webhooks:
     sideEffects: None
     admissionReviewVersions:
       - v1
-      - v1beta1
     clientConfig:
       service:
         namespace: ingress-nginx
         name: ingress-nginx-controller-admission
-        path: /networking/v1beta1/ingresses
+        path: /networking/v1/ingresses
 ---
 # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
 apiVersion: v1
@@ -453,10 +466,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -469,10 +482,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -493,10 +506,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -518,10 +531,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -543,10 +556,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -568,10 +581,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -579,16 +592,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-3.36.0
+        helm.sh/chart: ingress-nginx-4.0.0-beta.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.49.0
+        app.kubernetes.io/version: 1.0.0-beta.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: create
-          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
           imagePullPolicy: IfNotPresent
           args:
             - create
@@ -618,10 +631,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-3.36.0
+    helm.sh/chart: ingress-nginx-4.0.0-beta.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 0.49.0
+    app.kubernetes.io/version: 1.0.0-beta.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -629,16 +642,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-3.36.0
+        helm.sh/chart: ingress-nginx-4.0.0-beta.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 0.49.0
+        app.kubernetes.io/version: 1.0.0-beta.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: patch
-          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
           imagePullPolicy: IfNotPresent
           args:
             - patch
diff --git a/docs/developer-guide/getting-started.md b/docs/developer-guide/getting-started.md
index f6a9fdbe0..d63f6e6e8 100644
--- a/docs/developer-guide/getting-started.md
+++ b/docs/developer-guide/getting-started.md
@@ -68,7 +68,7 @@ FOCUS="no-auth-locations" make kind-e2e-test
 
 Valid values are defined in the describe definition of the e2e tests like [Default Backend](https://github.com/kubernetes/ingress-nginx/blob/main/test/e2e/defaultbackend/default_backend.go#L29)
 
-The complete list of tests can be found [here](e2e-tests.md)
+The complete list of tests can be found [here](../e2e-tests.md)
 
 ### Custom docker image
 
diff --git a/docs/examples/affinity/cookie/ingress-samesite.yaml b/docs/examples/affinity/cookie/ingress-samesite.yaml
index 42d1c2e2d..b3f8f4b20 100644
--- a/docs/examples/affinity/cookie/ingress-samesite.yaml
+++ b/docs/examples/affinity/cookie/ingress-samesite.yaml
@@ -1,4 +1,4 @@
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: cookie-samesite-none
@@ -19,7 +19,7 @@ spec:
           servicePort: 80
         path: /
 ---
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: cookie-samesite-strict
diff --git a/docs/examples/affinity/cookie/ingress.yaml b/docs/examples/affinity/cookie/ingress.yaml
index 57edbdbd3..eac973fde 100644
--- a/docs/examples/affinity/cookie/ingress.yaml
+++ b/docs/examples/affinity/cookie/ingress.yaml
@@ -1,4 +1,4 @@
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: nginx-test
diff --git a/docs/examples/auth/basic/README.md b/docs/examples/auth/basic/README.md
index 194bacb3b..a5fa579e0 100644
--- a/docs/examples/auth/basic/README.md
+++ b/docs/examples/auth/basic/README.md
@@ -30,7 +30,7 @@ type: Opaque
 
 ```console
 echo "
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: ingress-with-auth
diff --git a/docs/examples/auth/client-certs/ingress.yaml b/docs/examples/auth/client-certs/ingress.yaml
index cf5f701b2..7172081b4 100644
--- a/docs/examples/auth/client-certs/ingress.yaml
+++ b/docs/examples/auth/client-certs/ingress.yaml
@@ -1,4 +1,4 @@
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
diff --git a/docs/examples/auth/external-auth/README.md b/docs/examples/auth/external-auth/README.md
index a08138373..235cca9cb 100644
--- a/docs/examples/auth/external-auth/README.md
+++ b/docs/examples/auth/external-auth/README.md
@@ -13,7 +13,7 @@ NAME            HOSTS                         ADDRESS       PORTS     AGE
 external-auth   external-auth-01.sample.com   172.17.4.99   80        13s
 
 $ kubectl get ing external-auth -o yaml
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
@@ -23,7 +23,7 @@ metadata:
   name: external-auth
   namespace: default
   resourceVersion: "2068378"
-  selfLink: /apis/networking/v1beta1/namespaces/default/ingresses/external-auth
+  selfLink: /apis/networking/v1/namespaces/default/ingresses/external-auth
   uid: 5c388f1d-8970-11e6-9004-080027d2dc94
 spec:
   rules:
diff --git a/docs/examples/auth/external-auth/ingress.yaml b/docs/examples/auth/external-auth/ingress.yaml
index c7a87a240..2a58ca2e3 100644
--- a/docs/examples/auth/external-auth/ingress.yaml
+++ b/docs/examples/auth/external-auth/ingress.yaml
@@ -1,4 +1,4 @@
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
diff --git a/docs/examples/auth/oauth-external-auth/dashboard-ingress.yaml b/docs/examples/auth/oauth-external-auth/dashboard-ingress.yaml
index ade56a9e6..725bf1dc5 100644
--- a/docs/examples/auth/oauth-external-auth/dashboard-ingress.yaml
+++ b/docs/examples/auth/oauth-external-auth/dashboard-ingress.yaml
@@ -1,4 +1,4 @@
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
@@ -18,7 +18,7 @@ spec:
 
 ---
 
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: oauth2-proxy
diff --git a/docs/examples/chashsubset/deployment.yaml b/docs/examples/chashsubset/deployment.yaml
index 9b1bafcb1..82fdc7ac0 100644
--- a/docs/examples/chashsubset/deployment.yaml
+++ b/docs/examples/chashsubset/deployment.yaml
@@ -54,7 +54,7 @@ spec:
       targetPort: 8080
 
 ---
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
diff --git a/docs/examples/customization/configuration-snippets/ingress.yaml b/docs/examples/customization/configuration-snippets/ingress.yaml
index 07af3552f..70d9042c7 100644
--- a/docs/examples/customization/configuration-snippets/ingress.yaml
+++ b/docs/examples/customization/configuration-snippets/ingress.yaml
@@ -1,4 +1,4 @@
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: nginx-configuration-snippet
diff --git a/docs/examples/customization/external-auth-headers/deploy/echo-service.yaml b/docs/examples/customization/external-auth-headers/deploy/echo-service.yaml
index 1c3667c7c..075421807 100644
--- a/docs/examples/customization/external-auth-headers/deploy/echo-service.yaml
+++ b/docs/examples/customization/external-auth-headers/deploy/echo-service.yaml
@@ -43,7 +43,7 @@ spec:
   selector:
     k8s-app: demo-echo-service
 ---
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: public-demo-echo-service
@@ -61,7 +61,7 @@ spec:
           servicePort: 80
         path: /
 ---
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: secure-demo-echo-service
diff --git a/docs/examples/docker-registry/ingress-with-tls.yaml b/docs/examples/docker-registry/ingress-with-tls.yaml
index fc277b20f..11ccf6627 100644
--- a/docs/examples/docker-registry/ingress-with-tls.yaml
+++ b/docs/examples/docker-registry/ingress-with-tls.yaml
@@ -1,4 +1,4 @@
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
diff --git a/docs/examples/docker-registry/ingress-without-tls.yaml b/docs/examples/docker-registry/ingress-without-tls.yaml
index 1ce1b98fb..2d713cb8c 100644
--- a/docs/examples/docker-registry/ingress-without-tls.yaml
+++ b/docs/examples/docker-registry/ingress-without-tls.yaml
@@ -1,4 +1,4 @@
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
diff --git a/docs/examples/multi-tls/multi-tls.yaml b/docs/examples/multi-tls/multi-tls.yaml
index 7dda9267e..32f5932c1 100644
--- a/docs/examples/multi-tls/multi-tls.yaml
+++ b/docs/examples/multi-tls/multi-tls.yaml
@@ -92,7 +92,7 @@ spec:
                 fieldPath: status.podIP
 
 ---
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: foo-tls
diff --git a/docs/examples/rewrite/README.md b/docs/examples/rewrite/README.md
index 3ad5e4fcd..824b0966f 100644
--- a/docs/examples/rewrite/README.md
+++ b/docs/examples/rewrite/README.md
@@ -34,7 +34,7 @@ Create an Ingress rule with a rewrite annotation:
 
 ```console
 $ echo '
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
@@ -66,7 +66,7 @@ For example, the ingress definition above will result in the following rewrites:
 Create an Ingress rule with an app-root annotation:
 ```
 $ echo "
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
diff --git a/docs/examples/static-ip/nginx-ingress.yaml b/docs/examples/static-ip/nginx-ingress.yaml
index aa4877e56..358942f5c 100644
--- a/docs/examples/static-ip/nginx-ingress.yaml
+++ b/docs/examples/static-ip/nginx-ingress.yaml
@@ -1,4 +1,4 @@
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: ingress-nginx
diff --git a/docs/examples/tls-termination/README.md b/docs/examples/tls-termination/README.md
index 1a17d6d21..f3096db2e 100644
--- a/docs/examples/tls-termination/README.md
+++ b/docs/examples/tls-termination/README.md
@@ -11,7 +11,7 @@ You need a [TLS cert](../PREREQUISITES.md#tls-certificates) and a [test HTTP ser
 Create a `ingress.yaml` file.
 
 ```yaml
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: nginx-test
diff --git a/docs/examples/tls-termination/ingress.yaml b/docs/examples/tls-termination/ingress.yaml
index fc97b3707..2e989d1b0 100644
--- a/docs/examples/tls-termination/ingress.yaml
+++ b/docs/examples/tls-termination/ingress.yaml
@@ -1,4 +1,4 @@
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: nginx-test
diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md
index 67d111f5e..6a29638d4 100644
--- a/docs/troubleshooting.md
+++ b/docs/troubleshooting.md
@@ -32,7 +32,7 @@ Rules:
             /tea      tea-svc:80 (<none>)
             /coffee   coffee-svc:80 (<none>)
 Annotations:
-  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"networking.k8s.io/v1beta1","kind":"Ingress","metadata":{"annotations":{},"name":"cafe-ingress","namespace":"default","selfLink":"/apis/networking/v1beta1/namespaces/default/ingresses/cafe-ingress"},"spec":{"rules":[{"host":"cafe.com","http":{"paths":[{"backend":{"serviceName":"tea-svc","servicePort":80},"path":"/tea"},{"backend":{"serviceName":"coffee-svc","servicePort":80},"path":"/coffee"}]}}]},"status":{"loadBalancer":{"ingress":[{"ip":"169.48.142.110"}]}}}
+  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"networking.k8s.io/v1","kind":"Ingress","metadata":{"annotations":{},"name":"cafe-ingress","namespace":"default","selfLink":"/apis/networking/v1/namespaces/default/ingresses/cafe-ingress"},"spec":{"rules":[{"host":"cafe.com","http":{"paths":[{"backend":{"serviceName":"tea-svc","servicePort":80},"path":"/tea"},{"backend":{"serviceName":"coffee-svc","servicePort":80},"path":"/coffee"}]}}]},"status":{"loadBalancer":{"ingress":[{"ip":"169.48.142.110"}]}}}
 
 Events:
   Type    Reason  Age   From                      Message
diff --git a/docs/user-guide/fcgi-services.md b/docs/user-guide/fcgi-services.md
index 7c9dd6138..62271c2ce 100644
--- a/docs/user-guide/fcgi-services.md
+++ b/docs/user-guide/fcgi-services.md
@@ -60,7 +60,7 @@ data:
 
 ---
 
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
diff --git a/docs/user-guide/ingress-path-matching.md b/docs/user-guide/ingress-path-matching.md
index 092cf9264..6812e2cb5 100644
--- a/docs/user-guide/ingress-path-matching.md
+++ b/docs/user-guide/ingress-path-matching.md
@@ -15,7 +15,7 @@ This can be enabled by setting the `nginx.ingress.kubernetes.io/use-regex` annot
 See the [description](./nginx-configuration/annotations.md#use-regex) of the `use-regex` annotation for more details.
 
 ```yaml
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: test-ingress
@@ -51,7 +51,7 @@ In NGINX, regular expressions follow a **first match** policy. In order to enabl
 Let the following two ingress definitions be created:
 
 ```yaml
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: test-ingress-1
@@ -71,7 +71,7 @@ spec:
 ```
 
 ```yaml
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: test-ingress-2
@@ -125,7 +125,7 @@ This case is expected and a result of NGINX's a first match policy for paths tha
 Let the following ingress be defined:
 
 ```yaml
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: test-ingress-3
diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
index ef9a4e5ef..c6d376702 100755
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@@ -394,7 +394,7 @@ For more information please see [the `server_name` documentation](http://nginx.o
 Using the annotation `nginx.ingress.kubernetes.io/server-snippet` it is possible to add custom configuration in the server configuration block.
 
 ```yaml
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index 850354105..575a51afc 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -54,7 +54,7 @@ The following table shows a configuration option's name, type, and the default v
 |[http2-max-field-size](#http2-max-field-size)|string|"4k"|
 |[http2-max-header-size](#http2-max-header-size)|string|"16k"|
 |[http2-max-requests](#http2-max-requests)|int|1000|
-|[http2-max-concurrent-streams](#http2-max-concurrent-streams)|int|1000|
+|[http2-max-concurrent-streams](#http2-max-concurrent-streams)|int|128|
 |[hsts](#hsts)|bool|"true"|
 |[hsts-include-subdomains](#hsts-include-subdomains)|bool|"true"|
 |[hsts-max-age](#hsts-max-age)|string|"15724800"|
@@ -178,6 +178,9 @@ The following table shows a configuration option's name, type, and the default v
 |[proxy-buffering](#proxy-buffering)|string|"off"|
 |[limit-req-status-code](#limit-req-status-code)|int|503|
 |[limit-conn-status-code](#limit-conn-status-code)|int|503|
+|[enable-syslog](#enable-syslog)|bool|false|
+|[syslog-host](#syslog-host)|string|""|
+|[syslog-port](#syslog-port)|int|514|
 |[no-tls-redirect-locations](#no-tls-redirect-locations)|string|"/.well-known/acme-challenge"|
 |[global-auth-url](#global-auth-url)|string|""|
 |[global-auth-method](#global-auth-method)|string|""|
@@ -451,7 +454,7 @@ _**default:**_ 16384
 ## max-worker-open-files
 
 Sets the [maximum number of files](http://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile) that can be opened by each worker process.
-The default of 0 means "max open files (system's limit) / [worker-processes](#worker-processes) - 1024".
+The default of 0 means "max open files (system's limit) - 1024".
 _**default:**_ 0
 
 ## map-hash-bucket-size
@@ -1077,6 +1080,18 @@ Sets the [status code to return in response to rejected requests](http://nginx.o
 
 Sets the [status code to return in response to rejected connections](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn_status). _**default:**_ 503
 
+## enable-syslog
+
+Enable [syslog](http://nginx.org/en/docs/syslog.html) feature for access log and error log. _**default:**_ false
+
+## syslog-host
+
+Sets the address of syslog server. The address can be specified as a domain name or IP address.
+
+## syslog-port
+
+Sets the port of syslog server. _**default:**_ 514
+
 ## no-tls-redirect-locations
 
 A comma-separated list of locations on which http requests will never get redirected to their https counterpart.
diff --git a/docs/user-guide/third-party-addons/opentracing.md b/docs/user-guide/third-party-addons/opentracing.md
index 3bef8332c..916b29637 100644
--- a/docs/user-guide/third-party-addons/opentracing.md
+++ b/docs/user-guide/third-party-addons/opentracing.md
@@ -168,7 +168,7 @@ In the Zipkin interface we can see the details:
 
     # Apply the Ingress Resource
     $ echo '
-      apiVersion: networking.k8s.io/v1beta1
+      apiVersion: networking.k8s.io/v1
       kind: Ingress
       metadata:
         name: echo-ingress
diff --git a/go.mod b/go.mod
index c0e2b350b..302b451a6 100644
--- a/go.mod
+++ b/go.mod
@@ -41,7 +41,7 @@ require (
 	k8s.io/code-generator v0.21.3
 	k8s.io/component-base v0.21.3
 	k8s.io/klog/v2 v2.10.0
-	k8s.io/utils v0.0.0-20210802155522-efc7438f0176
+	k8s.io/utils v0.0.0-20210802155522-efc7438f0176 // indirect
 	pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732
 	sigs.k8s.io/controller-runtime v0.9.5
 	sigs.k8s.io/mdtoc v1.0.1
diff --git a/hack/generate-deploy-scripts.sh b/hack/generate-deploy-scripts.sh
index e20596c1d..a4872c6d8 100755
--- a/hack/generate-deploy-scripts.sh
+++ b/hack/generate-deploy-scripts.sh
@@ -163,6 +163,8 @@ controller:
       service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
   config:
     use-proxy-protocol: "true"
+  admissionWebhooks:
+    timeoutSeconds: 29
 
 EOF
 
diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
index 42add23b5..46f304ea5 100755
--- a/images/nginx/rootfs/build.sh
+++ b/images/nginx/rootfs/build.sh
@@ -131,6 +131,13 @@ export BUILD_PATH=/tmp/build
 
 ARCH=$(uname -m)
 
+if [[ ${ARCH} == "s390x" ]]; then
+  export LUAJIT_VERSION=9d5750d28478abfdcaefdfdc408f87752a21e431
+  export LUA_RESTY_CORE=0.1.17
+  export LUA_NGX_VERSION=0.10.15
+  export LUA_STREAM_NGX_VERSION=0.0.7
+fi
+
 get_src()
 {
   hash="$1"
@@ -229,17 +236,30 @@ get_src 3a3a03060bf5e3fef52c9a2de02e6035cb557f389453d8f3b0c1d3d570636994 \
 get_src 754c3ace499a63e45b77ef4bcab4ee602c2c414f58403bce826b76ffc2f77d0b \
         "https://github.com/msgpack/msgpack-c/archive/cpp-$MSGPACK_VERSION.tar.gz"
 
+if [[ ${ARCH} == "s390x" ]]; then
+get_src 7d5f3439c8df56046d0564b5857fd8a30296ab1bd6df0f048aed7afb56a0a4c2 \
+        "https://github.com/openresty/lua-nginx-module/archive/v$LUA_NGX_VERSION.tar.gz"
+get_src 99c47c75c159795c9faf76bbb9fa58e5a50b75286c86565ffcec8514b1c74bf9 \
+        "https://github.com/openresty/stream-lua-nginx-module/archive/v$LUA_STREAM_NGX_VERSION.tar.gz"
+else
 get_src 085a9fb2bf9c4466977595a5fe5156d76f3a2d9a2a81be3cacaff2021773393e \
         "https://github.com/openresty/lua-nginx-module/archive/$LUA_NGX_VERSION.tar.gz"
 
 get_src ba38c9f8e4265836ba7f2ac559ddf140693ff2f5ae33ab1e384f51f3992151ab \
         "https://github.com/openresty/stream-lua-nginx-module/archive/$LUA_STREAM_NGX_VERSION.tar.gz"
 
+fi
+
 get_src a92c9ee6682567605ece55d4eed5d1d54446ba6fba748cff0a2482aea5713d5f \
         "https://github.com/openresty/lua-upstream-nginx-module/archive/$LUA_UPSTREAM_VERSION.tar.gz"
 
+if [[ ${ARCH} == "s390x" ]]; then
+get_src 266ed1abb70a9806d97cb958537a44b67db6afb33d3b32292a2d68a2acedea75 \
+        "https://github.com/openresty/luajit2/archive/$LUAJIT_VERSION.tar.gz"
+else
 get_src 1ee6dad809a5bb22efb45e6dac767f7ce544ad652d353a93d7f26b605f69fe3f \
         "https://github.com/openresty/luajit2/archive/v$LUAJIT_VERSION.tar.gz"
+fi
 
 get_src f29393f2cd9288105a0029a6a324fe1f7558a9e7e852d59a6355f7581bb90e30 \
         "https://github.com/DataDog/dd-opentracing-cpp/archive/$DATADOG_CPP_VERSION.tar.gz"
@@ -262,8 +282,13 @@ get_src 462c6b38792bab4ca8212bdfd3f2e38f6883bb45c8fb8a03474ea813e0fab853 \
 get_src b3d28adac2acee1e5904e9f65d6e80e0553b01647fa0701b812bc7e464de74ad \
         "https://github.com/openresty/lua-resty-balancer/archive/$LUA_RESTY_BALANCER.tar.gz"
 
+if [[ ${ARCH} == "s390x" ]]; then
+get_src 8f5f76d2689a3f6b0782f0a009c56a65e4c7a4382be86422c9b3549fe95b0dc4 \
+        "https://github.com/openresty/lua-resty-core/archive/v$LUA_RESTY_CORE.tar.gz"
+else
 get_src 4d971f711fad48c097070457c128ca36053835d8a3ba25a937e9991547d55d4d \
         "https://github.com/openresty/lua-resty-core/archive/v$LUA_RESTY_CORE.tar.gz"
+fi
 
 get_src 8d602af2669fb386931760916a39f6c9034f2363c4965f215042c086b8215238 \
         "https://github.com/openresty/lua-cjson/archive/$LUA_CJSON_VERSION.tar.gz"
diff --git a/internal/admission/controller/convert.go b/internal/admission/controller/convert.go
deleted file mode 100644
index 004e5d057..000000000
--- a/internal/admission/controller/convert.go
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
-Copyright 2020 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package controller
-
-import (
-	"unsafe"
-
-	admissionv1 "k8s.io/api/admission/v1"
-	admissionv1beta1 "k8s.io/api/admission/v1beta1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
-)
-
-// these conversions are copied from https://github.com/kubernetes/kubernetes/blob/4db3a096ce8ac730b2280494422e1c4cf5fe875e/pkg/apis/admission/v1beta1/zz_generated.conversion.go
-// to avoid copying in kubernetes/kubernetes
-// they are sightly modified to remove complexity
-
-func convertV1beta1AdmissionReviewToAdmissionAdmissionReview(in *admissionv1beta1.AdmissionReview, out *admissionv1.AdmissionReview) {
-	if in.Request != nil {
-		if out.Request == nil {
-			out.Request = &admissionv1.AdmissionRequest{}
-		}
-		in, out := &in.Request, &out.Request
-		*out = new(admissionv1.AdmissionRequest)
-		convertV1beta1AdmissionRequestToAdmissionAdmissionRequest(*in, *out)
-	} else {
-		out.Request = nil
-	}
-	out.Response = (*admissionv1.AdmissionResponse)(unsafe.Pointer(in.Response)) // #nosec
-}
-
-func convertV1beta1AdmissionRequestToAdmissionAdmissionRequest(in *admissionv1beta1.AdmissionRequest, out *admissionv1.AdmissionRequest) {
-	out.UID = types.UID(in.UID)
-	out.Kind = in.Kind
-	out.Resource = in.Resource
-	out.SubResource = in.SubResource
-	out.RequestKind = (*metav1.GroupVersionKind)(unsafe.Pointer(in.RequestKind))             // #nosec
-	out.RequestResource = (*metav1.GroupVersionResource)(unsafe.Pointer(in.RequestResource)) // #nosec
-	out.RequestSubResource = in.RequestSubResource
-	out.Name = in.Name
-	out.Namespace = in.Namespace
-	out.Operation = admissionv1.Operation(in.Operation)
-	out.Object = in.Object
-	out.OldObject = in.OldObject
-	out.Options = in.Options
-}
-
-func convertAdmissionAdmissionReviewToV1beta1AdmissionReview(in *admissionv1.AdmissionReview, out *admissionv1beta1.AdmissionReview) {
-	if in.Request != nil {
-		if out.Request == nil {
-			out.Request = &admissionv1beta1.AdmissionRequest{}
-		}
-		in, out := &in.Request, &out.Request
-		*out = new(admissionv1beta1.AdmissionRequest)
-		convertAdmissionAdmissionRequestToV1beta1AdmissionRequest(*in, *out)
-	} else {
-		out.Request = nil
-	}
-	out.Response = (*admissionv1beta1.AdmissionResponse)(unsafe.Pointer(in.Response)) // #nosec
-}
-
-func convertAdmissionAdmissionRequestToV1beta1AdmissionRequest(in *admissionv1.AdmissionRequest, out *admissionv1beta1.AdmissionRequest) {
-	out.UID = types.UID(in.UID)
-	out.Kind = in.Kind
-	out.Resource = in.Resource
-	out.SubResource = in.SubResource
-	out.RequestKind = (*metav1.GroupVersionKind)(unsafe.Pointer(in.RequestKind))             // #nosec
-	out.RequestResource = (*metav1.GroupVersionResource)(unsafe.Pointer(in.RequestResource)) // #nosec
-	out.RequestSubResource = in.RequestSubResource
-	out.Name = in.Name
-	out.Namespace = in.Namespace
-	out.Operation = admissionv1beta1.Operation(in.Operation)
-	out.Object = in.Object
-	out.OldObject = in.OldObject
-	out.Options = in.Options
-}
diff --git a/internal/admission/controller/main.go b/internal/admission/controller/main.go
index 7c59cdd9e..066747301 100644
--- a/internal/admission/controller/main.go
+++ b/internal/admission/controller/main.go
@@ -21,12 +21,10 @@ import (
 	"net/http"
 
 	admissionv1 "k8s.io/api/admission/v1"
-	admissionv1beta1 "k8s.io/api/admission/v1beta1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/runtime/serializer/json"
 	"k8s.io/klog/v2"
 )
@@ -46,7 +44,7 @@ type IngressAdmission struct {
 var (
 	ingressResource = metav1.GroupVersionKind{
 		Group:   networking.GroupName,
-		Version: "v1beta1",
+		Version: "v1",
 		Kind:    "Ingress",
 	}
 )
@@ -55,19 +53,10 @@ var (
 // with Allowed=false if the Object is an ingress that would prevent nginx to reload the configuration
 // with Allowed=true otherwise
 func (ia *IngressAdmission) HandleAdmission(obj runtime.Object) (runtime.Object, error) {
-	outputVersion := admissionv1.SchemeGroupVersion
 
 	review, isV1 := obj.(*admissionv1.AdmissionReview)
-
 	if !isV1 {
-		outputVersion = admissionv1beta1.SchemeGroupVersion
-		reviewv1beta1, isv1beta1 := obj.(*admissionv1beta1.AdmissionReview)
-		if !isv1beta1 {
-			return nil, fmt.Errorf("request is not of type AdmissionReview v1 or v1beta1")
-		}
-
-		review = &admissionv1.AdmissionReview{}
-		convertV1beta1AdmissionReviewToAdmissionAdmissionReview(reviewv1beta1, review)
+		return nil, fmt.Errorf("request is not of type AdmissionReview v1 or v1beta1")
 	}
 
 	if !apiequality.Semantic.DeepEqual(review.Request.Kind, ingressResource) {
@@ -94,7 +83,7 @@ func (ia *IngressAdmission) HandleAdmission(obj runtime.Object) (runtime.Object,
 		}
 
 		review.Response = status
-		return convertResponse(review, outputVersion), nil
+		return review, nil
 	}
 
 	if err := ia.Checker.CheckIngress(&ingress); err != nil {
@@ -106,24 +95,12 @@ func (ia *IngressAdmission) HandleAdmission(obj runtime.Object) (runtime.Object,
 		}
 
 		review.Response = status
-		return convertResponse(review, outputVersion), nil
+		return review, nil
 	}
 
 	klog.InfoS("successfully validated configuration, accepting", "ingress", fmt.Sprintf("%v/%v", review.Request.Name, review.Request.Namespace))
 	status.Allowed = true
 	review.Response = status
 
-	return convertResponse(review, outputVersion), nil
-}
-
-func convertResponse(review *admissionv1.AdmissionReview, outputVersion schema.GroupVersion) runtime.Object {
-	// reply v1
-	if outputVersion.Version == admissionv1.SchemeGroupVersion.Version {
-		return review
-	}
-
-	// reply v1beta1
-	reviewv1beta1 := &admissionv1beta1.AdmissionReview{}
-	convertAdmissionAdmissionReviewToV1beta1AdmissionReview(review, reviewv1beta1)
-	return review
+	return review, nil
 }
diff --git a/internal/admission/controller/main_test.go b/internal/admission/controller/main_test.go
index b745c14a2..7cc3cd7b4 100644
--- a/internal/admission/controller/main_test.go
+++ b/internal/admission/controller/main_test.go
@@ -21,7 +21,7 @@ import (
 	"testing"
 
 	admissionv1 "k8s.io/api/admission/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/json"
@@ -71,7 +71,7 @@ func TestHandleAdmission(t *testing.T) {
 
 	result, err = adm.HandleAdmission(&admissionv1.AdmissionReview{
 		Request: &admissionv1.AdmissionRequest{
-			Kind: v1.GroupVersionKind{Group: networking.GroupName, Version: "v1beta1", Kind: "Ingress"},
+			Kind: v1.GroupVersionKind{Group: networking.GroupName, Version: "v1", Kind: "Ingress"},
 			Object: runtime.RawExtension{
 				Raw: []byte{0xff},
 			},
diff --git a/internal/admission/controller/server.go b/internal/admission/controller/server.go
index 513d812a4..29449de50 100644
--- a/internal/admission/controller/server.go
+++ b/internal/admission/controller/server.go
@@ -21,7 +21,6 @@ import (
 	"net/http"
 
 	admissionv1 "k8s.io/api/admission/v1"
-	admissionv1beta1 "k8s.io/api/admission/v1beta1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer/json"
 	"k8s.io/klog/v2"
@@ -32,7 +31,6 @@ var (
 )
 
 func init() {
-	admissionv1beta1.AddToScheme(scheme)
 	admissionv1.AddToScheme(scheme)
 }
 
diff --git a/internal/ingress/annotations/alias/main.go b/internal/ingress/annotations/alias/main.go
index 6cbe4c6dc..bd2067c9f 100644
--- a/internal/ingress/annotations/alias/main.go
+++ b/internal/ingress/annotations/alias/main.go
@@ -20,7 +20,7 @@ import (
 	"sort"
 	"strings"
 
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
diff --git a/internal/ingress/annotations/alias/main_test.go b/internal/ingress/annotations/alias/main_test.go
index a482fc7c1..8e6fca447 100644
--- a/internal/ingress/annotations/alias/main_test.go
+++ b/internal/ingress/annotations/alias/main_test.go
@@ -21,7 +21,7 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/annotations.go b/internal/ingress/annotations/annotations.go
index 2c3b3c1cf..9fb53dd1e 100644
--- a/internal/ingress/annotations/annotations.go
+++ b/internal/ingress/annotations/annotations.go
@@ -25,7 +25,7 @@ import (
 	"k8s.io/klog/v2"
 
 	apiv1 "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/alias"
diff --git a/internal/ingress/annotations/annotations_test.go b/internal/ingress/annotations/annotations_test.go
index de02a8a16..ada81117d 100644
--- a/internal/ingress/annotations/annotations_test.go
+++ b/internal/ingress/annotations/annotations_test.go
@@ -20,9 +20,8 @@ import (
 	"testing"
 
 	apiv1 "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/defaults"
@@ -77,8 +76,12 @@ func (m mockCfg) GetAuthCertificate(name string) (*resolver.AuthSSLCert, error)
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -87,9 +90,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: apiv1.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/auth/main.go b/internal/ingress/annotations/auth/main.go
index 84425a95c..0a642f99f 100644
--- a/internal/ingress/annotations/auth/main.go
+++ b/internal/ingress/annotations/auth/main.go
@@ -24,7 +24,7 @@ import (
 
 	"github.com/pkg/errors"
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	"k8s.io/client-go/tools/cache"
 
 	"k8s.io/ingress-nginx/internal/file"
diff --git a/internal/ingress/annotations/auth/main_test.go b/internal/ingress/annotations/auth/main_test.go
index d018a8ddc..bffb8e0a8 100644
--- a/internal/ingress/annotations/auth/main_test.go
+++ b/internal/ingress/annotations/auth/main_test.go
@@ -25,9 +25,8 @@ import (
 	"github.com/pkg/errors"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	ing_errors "k8s.io/ingress-nginx/internal/ingress/errors"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
@@ -35,8 +34,12 @@ import (
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -45,9 +48,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/authreq/main.go b/internal/ingress/annotations/authreq/main.go
index afcd84a65..6cfcc383d 100644
--- a/internal/ingress/annotations/authreq/main.go
+++ b/internal/ingress/annotations/authreq/main.go
@@ -23,7 +23,7 @@ import (
 
 	"k8s.io/klog/v2"
 
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	ing_errors "k8s.io/ingress-nginx/internal/ingress/errors"
diff --git a/internal/ingress/annotations/authreq/main_test.go b/internal/ingress/annotations/authreq/main_test.go
index 276779c1c..da903fe30 100644
--- a/internal/ingress/annotations/authreq/main_test.go
+++ b/internal/ingress/annotations/authreq/main_test.go
@@ -22,18 +22,20 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
-
-	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -42,9 +44,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/authreqglobal/main.go b/internal/ingress/annotations/authreqglobal/main.go
index 170f6957d..78dd7d6a5 100644
--- a/internal/ingress/annotations/authreqglobal/main.go
+++ b/internal/ingress/annotations/authreqglobal/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package authreqglobal
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/authreqglobal/main_test.go b/internal/ingress/annotations/authreqglobal/main_test.go
index a4096f7da..0313edcf5 100644
--- a/internal/ingress/annotations/authreqglobal/main_test.go
+++ b/internal/ingress/annotations/authreqglobal/main_test.go
@@ -20,18 +20,20 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
-
-	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -40,9 +42,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/authtls/main.go b/internal/ingress/annotations/authtls/main.go
index 16e218d33..dd89df4f3 100644
--- a/internal/ingress/annotations/authtls/main.go
+++ b/internal/ingress/annotations/authtls/main.go
@@ -18,7 +18,7 @@ package authtls
 
 import (
 	"github.com/pkg/errors"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"regexp"
 
diff --git a/internal/ingress/annotations/authtls/main_test.go b/internal/ingress/annotations/authtls/main_test.go
index d1a54ad70..b2c915d18 100644
--- a/internal/ingress/annotations/authtls/main_test.go
+++ b/internal/ingress/annotations/authtls/main_test.go
@@ -20,9 +20,8 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/errors"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
@@ -30,8 +29,12 @@ import (
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -40,9 +43,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/backendprotocol/main.go b/internal/ingress/annotations/backendprotocol/main.go
index 65566d6e9..d8ea72386 100644
--- a/internal/ingress/annotations/backendprotocol/main.go
+++ b/internal/ingress/annotations/backendprotocol/main.go
@@ -20,7 +20,7 @@ import (
 	"regexp"
 	"strings"
 
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	"k8s.io/klog/v2"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
diff --git a/internal/ingress/annotations/backendprotocol/main_test.go b/internal/ingress/annotations/backendprotocol/main_test.go
index 4a1c1bf31..e8c018998 100644
--- a/internal/ingress/annotations/backendprotocol/main_test.go
+++ b/internal/ingress/annotations/backendprotocol/main_test.go
@@ -20,12 +20,10 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
-
-	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
 func buildIngress() *networking.Ingress {
@@ -35,9 +33,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 		},
 	}
diff --git a/internal/ingress/annotations/canary/main.go b/internal/ingress/annotations/canary/main.go
index 2cc88021b..3930b84d7 100644
--- a/internal/ingress/annotations/canary/main.go
+++ b/internal/ingress/annotations/canary/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package canary
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/errors"
diff --git a/internal/ingress/annotations/canary/main_test.go b/internal/ingress/annotations/canary/main_test.go
index f755fe865..ddfc0a9c4 100644
--- a/internal/ingress/annotations/canary/main_test.go
+++ b/internal/ingress/annotations/canary/main_test.go
@@ -20,9 +20,8 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 
 	"strconv"
@@ -32,8 +31,12 @@ import (
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -42,9 +45,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/class/main.go b/internal/ingress/annotations/class/main.go
deleted file mode 100644
index b2fe32d63..000000000
--- a/internal/ingress/annotations/class/main.go
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package class
-
-import (
-	networking "k8s.io/api/networking/v1beta1"
-	"k8s.io/ingress-nginx/internal/k8s"
-)
-
-const (
-	// IngressKey picks a specific "class" for the Ingress.
-	// The controller only processes Ingresses with this annotation either
-	// unset, or set to either the configured value or the empty string.
-	IngressKey = "kubernetes.io/ingress.class"
-)
-
-var (
-	// DefaultClass defines the default class used in the nginx ingress controller
-	DefaultClass = "nginx"
-
-	// IngressClass sets the runtime ingress class to use
-	// An empty string means accept all ingresses without
-	// annotation and the ones configured with class nginx
-	IngressClass = "nginx"
-)
-
-// IsValid returns true if the given Ingress specify the ingress.class
-// annotation or IngressClassName resource for Kubernetes >= v1.18
-func IsValid(ing *networking.Ingress) bool {
-	// 1. with annotation or IngressClass
-	ingress, ok := ing.GetAnnotations()[IngressKey]
-	if !ok && ing.Spec.IngressClassName != nil {
-		ingress = *ing.Spec.IngressClassName
-	}
-
-	// empty ingress and IngressClass equal default
-	if len(ingress) == 0 && IngressClass == DefaultClass {
-		return true
-	}
-
-	// k8s > v1.18.
-	// Processing may be redundant because k8s.IngressClass is obtained by IngressClass
-	// 3. without annotation and IngressClass. Check IngressClass
-	if k8s.IngressClass != nil {
-		return ingress == k8s.IngressClass.Name
-	}
-
-	// 4. with IngressClass
-	return ingress == IngressClass
-}
diff --git a/internal/ingress/annotations/class/main_test.go b/internal/ingress/annotations/class/main_test.go
deleted file mode 100644
index 2d863f072..000000000
--- a/internal/ingress/annotations/class/main_test.go
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package class
-
-import (
-	"testing"
-
-	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
-	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/ingress-nginx/internal/k8s"
-)
-
-func TestIsValidClass(t *testing.T) {
-	dc := DefaultClass
-	ic := IngressClass
-	k8sic := k8s.IngressClass
-	v1Ready := k8s.IsIngressV1Ready
-	// restore original values after the tests
-	defer func() {
-		DefaultClass = dc
-		IngressClass = ic
-		k8s.IngressClass = k8sic
-		k8s.IsIngressV1Ready = v1Ready
-	}()
-
-	tests := []struct {
-		ingress          string
-		controller       string
-		defClass         string
-		annotation       bool
-		ingressClassName bool
-		k8sClass         *networking.IngressClass
-		v1Ready          bool
-		isValid          bool
-	}{
-		{"", "", "nginx", true, false, nil, false, true},
-		{"", "nginx", "nginx", true, false, nil, false, true},
-		{"nginx", "nginx", "nginx", true, false, nil, false, true},
-		{"custom", "custom", "nginx", true, false, nil, false, true},
-		{"", "killer", "nginx", true, false, nil, false, false},
-		{"custom", "nginx", "nginx", true, false, nil, false, false},
-		{"nginx", "nginx", "nginx", false, true, nil, false, true},
-		{"custom", "nginx", "nginx", false, true, nil, true, false},
-		{"nginx", "nginx", "nginx", false, true, nil, true, true},
-		{"", "custom", "nginx", false, false,
-			&networking.IngressClass{
-				ObjectMeta: meta_v1.ObjectMeta{
-					Name: "custom",
-				},
-			},
-			false, false},
-		{"", "custom", "nginx", false, false,
-			&networking.IngressClass{
-				ObjectMeta: meta_v1.ObjectMeta{
-					Name: "custom",
-				},
-			},
-			true, false},
-	}
-
-	for _, test := range tests {
-		ing := &networking.Ingress{
-			ObjectMeta: meta_v1.ObjectMeta{
-				Name:      "foo",
-				Namespace: api.NamespaceDefault,
-			},
-		}
-
-		data := map[string]string{}
-		ing.SetAnnotations(data)
-		if test.annotation {
-			ing.Annotations[IngressKey] = test.ingress
-		}
-		if test.ingressClassName {
-			ing.Spec.IngressClassName = &[]string{test.ingress}[0]
-		}
-
-		IngressClass = test.controller
-		DefaultClass = test.defClass
-		k8s.IngressClass = test.k8sClass
-		k8s.IsIngressV1Ready = test.v1Ready
-
-		b := IsValid(ing)
-		if b != test.isValid {
-			t.Errorf("test %v - expected %v but %v was returned", test, test.isValid, b)
-		}
-	}
-}
diff --git a/internal/ingress/annotations/clientbodybuffersize/main.go b/internal/ingress/annotations/clientbodybuffersize/main.go
index 924ceecd1..9020ee594 100644
--- a/internal/ingress/annotations/clientbodybuffersize/main.go
+++ b/internal/ingress/annotations/clientbodybuffersize/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package clientbodybuffersize
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/clientbodybuffersize/main_test.go b/internal/ingress/annotations/clientbodybuffersize/main_test.go
index 56f64083c..9932f8314 100644
--- a/internal/ingress/annotations/clientbodybuffersize/main_test.go
+++ b/internal/ingress/annotations/clientbodybuffersize/main_test.go
@@ -20,7 +20,7 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/connection/main.go b/internal/ingress/annotations/connection/main.go
index 7d45fdc36..e9b0c1865 100644
--- a/internal/ingress/annotations/connection/main.go
+++ b/internal/ingress/annotations/connection/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package connection
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/connection/main_test.go b/internal/ingress/annotations/connection/main_test.go
index d86aeb16a..011a2948c 100644
--- a/internal/ingress/annotations/connection/main_test.go
+++ b/internal/ingress/annotations/connection/main_test.go
@@ -20,7 +20,7 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/cors/main.go b/internal/ingress/annotations/cors/main.go
index 2f1a0a37b..44947a014 100644
--- a/internal/ingress/annotations/cors/main.go
+++ b/internal/ingress/annotations/cors/main.go
@@ -19,7 +19,7 @@ package cors
 import (
 	"regexp"
 
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/cors/main_test.go b/internal/ingress/annotations/cors/main_test.go
index 6f75ce6a7..a65bf12cd 100644
--- a/internal/ingress/annotations/cors/main_test.go
+++ b/internal/ingress/annotations/cors/main_test.go
@@ -20,17 +20,20 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
 )
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -39,9 +42,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/customhttperrors/main.go b/internal/ingress/annotations/customhttperrors/main.go
index 3c5fbf077..a05fb16c8 100644
--- a/internal/ingress/annotations/customhttperrors/main.go
+++ b/internal/ingress/annotations/customhttperrors/main.go
@@ -20,7 +20,7 @@ import (
 	"strconv"
 	"strings"
 
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/customhttperrors/main_test.go b/internal/ingress/annotations/customhttperrors/main_test.go
index 3827d197f..1f87247ed 100644
--- a/internal/ingress/annotations/customhttperrors/main_test.go
+++ b/internal/ingress/annotations/customhttperrors/main_test.go
@@ -22,12 +22,10 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
-
-	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
 func buildIngress() *networking.Ingress {
@@ -37,9 +35,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 		},
 	}
diff --git a/internal/ingress/annotations/defaultbackend/main.go b/internal/ingress/annotations/defaultbackend/main.go
index ff4f41ce3..7b239497d 100644
--- a/internal/ingress/annotations/defaultbackend/main.go
+++ b/internal/ingress/annotations/defaultbackend/main.go
@@ -20,7 +20,7 @@ import (
 	"fmt"
 
 	"github.com/pkg/errors"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/defaultbackend/main_test.go b/internal/ingress/annotations/defaultbackend/main_test.go
index 927860215..ec23d32c2 100644
--- a/internal/ingress/annotations/defaultbackend/main_test.go
+++ b/internal/ingress/annotations/defaultbackend/main_test.go
@@ -20,19 +20,21 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/errors"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
-
-	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -41,9 +43,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/fastcgi/main.go b/internal/ingress/annotations/fastcgi/main.go
index 174a2716c..a7e96a014 100644
--- a/internal/ingress/annotations/fastcgi/main.go
+++ b/internal/ingress/annotations/fastcgi/main.go
@@ -21,7 +21,7 @@ import (
 	"reflect"
 
 	"github.com/pkg/errors"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	"k8s.io/client-go/tools/cache"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
diff --git a/internal/ingress/annotations/fastcgi/main_test.go b/internal/ingress/annotations/fastcgi/main_test.go
index 6802a41c2..26d85e7ce 100644
--- a/internal/ingress/annotations/fastcgi/main_test.go
+++ b/internal/ingress/annotations/fastcgi/main_test.go
@@ -20,13 +20,11 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/errors"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
-
-	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
 func buildIngress() *networking.Ingress {
@@ -36,9 +34,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "fastcgi",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 		},
 	}
diff --git a/internal/ingress/annotations/globalratelimit/main.go b/internal/ingress/annotations/globalratelimit/main.go
index e4b18bd66..02a732847 100644
--- a/internal/ingress/annotations/globalratelimit/main.go
+++ b/internal/ingress/annotations/globalratelimit/main.go
@@ -21,7 +21,7 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	ing_errors "k8s.io/ingress-nginx/internal/ingress/errors"
diff --git a/internal/ingress/annotations/globalratelimit/main_test.go b/internal/ingress/annotations/globalratelimit/main_test.go
index 38da8f4a9..341a9883c 100644
--- a/internal/ingress/annotations/globalratelimit/main_test.go
+++ b/internal/ingress/annotations/globalratelimit/main_test.go
@@ -23,10 +23,9 @@ import (
 
 	"github.com/pkg/errors"
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	ing_errors "k8s.io/ingress-nginx/internal/ingress/errors"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
@@ -37,8 +36,12 @@ const expectedUID = "31285d47b1504dcfbd6f12c46d769f6e"
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -48,9 +51,13 @@ func buildIngress() *networking.Ingress {
 			UID:       UID,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/http2pushpreload/main.go b/internal/ingress/annotations/http2pushpreload/main.go
index c542f03cf..27d3368f4 100644
--- a/internal/ingress/annotations/http2pushpreload/main.go
+++ b/internal/ingress/annotations/http2pushpreload/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package http2pushpreload
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/http2pushpreload/main_test.go b/internal/ingress/annotations/http2pushpreload/main_test.go
index 6b24ecfae..bb98af93f 100644
--- a/internal/ingress/annotations/http2pushpreload/main_test.go
+++ b/internal/ingress/annotations/http2pushpreload/main_test.go
@@ -20,7 +20,7 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/influxdb/main.go b/internal/ingress/annotations/influxdb/main.go
index cec014b89..1aee91f33 100644
--- a/internal/ingress/annotations/influxdb/main.go
+++ b/internal/ingress/annotations/influxdb/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package influxdb
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/influxdb/main_test.go b/internal/ingress/annotations/influxdb/main_test.go
index 97ba14963..13d681509 100644
--- a/internal/ingress/annotations/influxdb/main_test.go
+++ b/internal/ingress/annotations/influxdb/main_test.go
@@ -20,17 +20,20 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
 )
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -39,9 +42,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/ipwhitelist/main.go b/internal/ingress/annotations/ipwhitelist/main.go
index 42d424873..4fd40ee2b 100644
--- a/internal/ingress/annotations/ipwhitelist/main.go
+++ b/internal/ingress/annotations/ipwhitelist/main.go
@@ -22,7 +22,7 @@ import (
 
 	"github.com/pkg/errors"
 
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	"k8s.io/ingress-nginx/internal/net"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
diff --git a/internal/ingress/annotations/ipwhitelist/main_test.go b/internal/ingress/annotations/ipwhitelist/main_test.go
index 43aef7573..5042bb200 100644
--- a/internal/ingress/annotations/ipwhitelist/main_test.go
+++ b/internal/ingress/annotations/ipwhitelist/main_test.go
@@ -20,9 +20,8 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/defaults"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
@@ -30,8 +29,12 @@ import (
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -40,9 +43,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/loadbalancing/main.go b/internal/ingress/annotations/loadbalancing/main.go
index ddae0ccbe..a8b4335e6 100644
--- a/internal/ingress/annotations/loadbalancing/main.go
+++ b/internal/ingress/annotations/loadbalancing/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package loadbalancing
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/loadbalancing/main_test.go b/internal/ingress/annotations/loadbalancing/main_test.go
index bbda79715..e2be5c0ae 100644
--- a/internal/ingress/annotations/loadbalancing/main_test.go
+++ b/internal/ingress/annotations/loadbalancing/main_test.go
@@ -20,7 +20,7 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/log/main.go b/internal/ingress/annotations/log/main.go
index 6cf99d9c8..4bc76dcf7 100644
--- a/internal/ingress/annotations/log/main.go
+++ b/internal/ingress/annotations/log/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package log
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/log/main_test.go b/internal/ingress/annotations/log/main_test.go
index 068b1be16..c4632b010 100644
--- a/internal/ingress/annotations/log/main_test.go
+++ b/internal/ingress/annotations/log/main_test.go
@@ -20,17 +20,20 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
 )
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -39,9 +42,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/mirror/main.go b/internal/ingress/annotations/mirror/main.go
index b2591347e..e11d4b4fb 100644
--- a/internal/ingress/annotations/mirror/main.go
+++ b/internal/ingress/annotations/mirror/main.go
@@ -19,7 +19,7 @@ package mirror
 import (
 	"fmt"
 
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/mirror/main_test.go b/internal/ingress/annotations/mirror/main_test.go
index 1ecaef3b9..af7ed1b1f 100644
--- a/internal/ingress/annotations/mirror/main_test.go
+++ b/internal/ingress/annotations/mirror/main_test.go
@@ -21,7 +21,7 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/modsecurity/main.go b/internal/ingress/annotations/modsecurity/main.go
index 91a0a5a94..c53739441 100644
--- a/internal/ingress/annotations/modsecurity/main.go
+++ b/internal/ingress/annotations/modsecurity/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package modsecurity
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
 )
diff --git a/internal/ingress/annotations/modsecurity/main_test.go b/internal/ingress/annotations/modsecurity/main_test.go
index 34d92533d..2ddbdf7e3 100644
--- a/internal/ingress/annotations/modsecurity/main_test.go
+++ b/internal/ingress/annotations/modsecurity/main_test.go
@@ -20,7 +20,7 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/opentracing/main.go b/internal/ingress/annotations/opentracing/main.go
index 875d695f7..2ed4a2182 100644
--- a/internal/ingress/annotations/opentracing/main.go
+++ b/internal/ingress/annotations/opentracing/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package opentracing
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/opentracing/main_test.go b/internal/ingress/annotations/opentracing/main_test.go
index f1e06b087..77e29cb5d 100644
--- a/internal/ingress/annotations/opentracing/main_test.go
+++ b/internal/ingress/annotations/opentracing/main_test.go
@@ -20,17 +20,20 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
 )
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -39,9 +42,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/parser/main.go b/internal/ingress/annotations/parser/main.go
index 3fae804da..b39e409b9 100644
--- a/internal/ingress/annotations/parser/main.go
+++ b/internal/ingress/annotations/parser/main.go
@@ -22,7 +22,7 @@ import (
 	"strconv"
 	"strings"
 
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 
 	"k8s.io/ingress-nginx/internal/ingress/errors"
diff --git a/internal/ingress/annotations/parser/main_test.go b/internal/ingress/annotations/parser/main_test.go
index 218565183..f63560ca3 100644
--- a/internal/ingress/annotations/parser/main_test.go
+++ b/internal/ingress/annotations/parser/main_test.go
@@ -21,7 +21,7 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
diff --git a/internal/ingress/annotations/portinredirect/main.go b/internal/ingress/annotations/portinredirect/main.go
index bb5925c31..25d665558 100644
--- a/internal/ingress/annotations/portinredirect/main.go
+++ b/internal/ingress/annotations/portinredirect/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package portinredirect
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/portinredirect/main_test.go b/internal/ingress/annotations/portinredirect/main_test.go
index 7087ddcd3..71afd4cdf 100644
--- a/internal/ingress/annotations/portinredirect/main_test.go
+++ b/internal/ingress/annotations/portinredirect/main_test.go
@@ -21,9 +21,8 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/defaults"
@@ -32,8 +31,12 @@ import (
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -42,9 +45,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/proxy/main.go b/internal/ingress/annotations/proxy/main.go
index f5c225258..3a89b8855 100644
--- a/internal/ingress/annotations/proxy/main.go
+++ b/internal/ingress/annotations/proxy/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package proxy
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/proxy/main_test.go b/internal/ingress/annotations/proxy/main_test.go
index 418db922e..e377ccb19 100644
--- a/internal/ingress/annotations/proxy/main_test.go
+++ b/internal/ingress/annotations/proxy/main_test.go
@@ -20,9 +20,8 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/defaults"
@@ -31,8 +30,12 @@ import (
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -41,9 +44,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/proxyssl/main.go b/internal/ingress/annotations/proxyssl/main.go
index da3bbecc0..2452d90da 100644
--- a/internal/ingress/annotations/proxyssl/main.go
+++ b/internal/ingress/annotations/proxyssl/main.go
@@ -22,7 +22,7 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	ing_errors "k8s.io/ingress-nginx/internal/ingress/errors"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/proxyssl/main_test.go b/internal/ingress/annotations/proxyssl/main_test.go
index a52fcb98a..29949796c 100644
--- a/internal/ingress/annotations/proxyssl/main_test.go
+++ b/internal/ingress/annotations/proxyssl/main_test.go
@@ -20,9 +20,8 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/errors"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
@@ -30,8 +29,12 @@ import (
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -40,9 +43,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/ratelimit/main.go b/internal/ingress/annotations/ratelimit/main.go
index 7b7d6f4db..4011c2542 100644
--- a/internal/ingress/annotations/ratelimit/main.go
+++ b/internal/ingress/annotations/ratelimit/main.go
@@ -21,7 +21,7 @@ import (
 	"fmt"
 	"strings"
 
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/ratelimit/main_test.go b/internal/ingress/annotations/ratelimit/main_test.go
index 7ffbac3ff..9f101cc3b 100644
--- a/internal/ingress/annotations/ratelimit/main_test.go
+++ b/internal/ingress/annotations/ratelimit/main_test.go
@@ -20,10 +20,9 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/defaults"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
@@ -31,8 +30,12 @@ import (
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -41,9 +44,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/redirect/redirect.go b/internal/ingress/annotations/redirect/redirect.go
index 02ee1d522..11b08a4a2 100644
--- a/internal/ingress/annotations/redirect/redirect.go
+++ b/internal/ingress/annotations/redirect/redirect.go
@@ -21,7 +21,7 @@ import (
 	"net/url"
 	"strings"
 
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/errors"
diff --git a/internal/ingress/annotations/redirect/redirect_test.go b/internal/ingress/annotations/redirect/redirect_test.go
index b9bda6688..b5a87a5d3 100644
--- a/internal/ingress/annotations/redirect/redirect_test.go
+++ b/internal/ingress/annotations/redirect/redirect_test.go
@@ -23,7 +23,7 @@ import (
 	"strconv"
 	"testing"
 
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/errors"
diff --git a/internal/ingress/annotations/rewrite/main.go b/internal/ingress/annotations/rewrite/main.go
index 902f00f4c..f92d508dc 100644
--- a/internal/ingress/annotations/rewrite/main.go
+++ b/internal/ingress/annotations/rewrite/main.go
@@ -19,7 +19,7 @@ package rewrite
 import (
 	"net/url"
 
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	"k8s.io/klog/v2"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
diff --git a/internal/ingress/annotations/rewrite/main_test.go b/internal/ingress/annotations/rewrite/main_test.go
index beece494a..c2cb42c78 100644
--- a/internal/ingress/annotations/rewrite/main_test.go
+++ b/internal/ingress/annotations/rewrite/main_test.go
@@ -20,9 +20,8 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/defaults"
@@ -35,8 +34,12 @@ const (
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -46,9 +49,13 @@ func buildIngress() *networking.Ingress {
 			Annotations: map[string]string{},
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/satisfy/main.go b/internal/ingress/annotations/satisfy/main.go
index a064bdf96..0d4fd4ff6 100644
--- a/internal/ingress/annotations/satisfy/main.go
+++ b/internal/ingress/annotations/satisfy/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package satisfy
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/satisfy/main_test.go b/internal/ingress/annotations/satisfy/main_test.go
index a3475316a..b45205d9f 100644
--- a/internal/ingress/annotations/satisfy/main_test.go
+++ b/internal/ingress/annotations/satisfy/main_test.go
@@ -20,18 +20,21 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
 )
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -40,9 +43,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/secureupstream/main.go b/internal/ingress/annotations/secureupstream/main.go
index 631804464..ebaea2058 100644
--- a/internal/ingress/annotations/secureupstream/main.go
+++ b/internal/ingress/annotations/secureupstream/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package secureupstream
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	"k8s.io/klog/v2"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
diff --git a/internal/ingress/annotations/secureupstream/main_test.go b/internal/ingress/annotations/secureupstream/main_test.go
index 508d54a84..7546cb5cf 100644
--- a/internal/ingress/annotations/secureupstream/main_test.go
+++ b/internal/ingress/annotations/secureupstream/main_test.go
@@ -21,18 +21,21 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
 )
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -41,9 +44,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/serversnippet/main.go b/internal/ingress/annotations/serversnippet/main.go
index 33a672650..70f0af8e5 100644
--- a/internal/ingress/annotations/serversnippet/main.go
+++ b/internal/ingress/annotations/serversnippet/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package serversnippet
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/serversnippet/main_test.go b/internal/ingress/annotations/serversnippet/main_test.go
index 066334f69..c9e0979ad 100644
--- a/internal/ingress/annotations/serversnippet/main_test.go
+++ b/internal/ingress/annotations/serversnippet/main_test.go
@@ -20,7 +20,7 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/serviceupstream/main.go b/internal/ingress/annotations/serviceupstream/main.go
index ff90f8160..4c44356d6 100644
--- a/internal/ingress/annotations/serviceupstream/main.go
+++ b/internal/ingress/annotations/serviceupstream/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package serviceupstream
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/serviceupstream/main_test.go b/internal/ingress/annotations/serviceupstream/main_test.go
index c7f44598e..3fbdb5785 100644
--- a/internal/ingress/annotations/serviceupstream/main_test.go
+++ b/internal/ingress/annotations/serviceupstream/main_test.go
@@ -20,17 +20,20 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
 )
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -39,9 +42,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
diff --git a/internal/ingress/annotations/sessionaffinity/main.go b/internal/ingress/annotations/sessionaffinity/main.go
index 80b24f13b..358be1442 100644
--- a/internal/ingress/annotations/sessionaffinity/main.go
+++ b/internal/ingress/annotations/sessionaffinity/main.go
@@ -19,7 +19,7 @@ package sessionaffinity
 import (
 	"regexp"
 
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	"k8s.io/klog/v2"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
diff --git a/internal/ingress/annotations/sessionaffinity/main_test.go b/internal/ingress/annotations/sessionaffinity/main_test.go
index 51d92ffb0..98f0a1eb6 100644
--- a/internal/ingress/annotations/sessionaffinity/main_test.go
+++ b/internal/ingress/annotations/sessionaffinity/main_test.go
@@ -20,17 +20,20 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
 )
 
 func buildIngress() *networking.Ingress {
 	defaultBackend := networking.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt(80),
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
 	}
 
 	return &networking.Ingress{
@@ -39,9 +42,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 			Rules: []networking.IngressRule{
 				{
@@ -64,7 +71,6 @@ func buildIngress() *networking.Ingress {
 
 func TestIngressAffinityCookieConfig(t *testing.T) {
 	ing := buildIngress()
-
 	data := map[string]string{}
 	data[parser.GetAnnotationWithPrefix(annotationAffinityType)] = "cookie"
 	data[parser.GetAnnotationWithPrefix(annotationAffinityMode)] = "balanced"
diff --git a/internal/ingress/annotations/snippet/main.go b/internal/ingress/annotations/snippet/main.go
index 9a3878603..93ec70cf9 100644
--- a/internal/ingress/annotations/snippet/main.go
+++ b/internal/ingress/annotations/snippet/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package snippet
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/snippet/main_test.go b/internal/ingress/annotations/snippet/main_test.go
index 0abeaed8a..0defc3c1f 100644
--- a/internal/ingress/annotations/snippet/main_test.go
+++ b/internal/ingress/annotations/snippet/main_test.go
@@ -20,7 +20,7 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/sslcipher/main.go b/internal/ingress/annotations/sslcipher/main.go
index d100a0da4..e4e5baad2 100644
--- a/internal/ingress/annotations/sslcipher/main.go
+++ b/internal/ingress/annotations/sslcipher/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package sslcipher
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/sslcipher/main_test.go b/internal/ingress/annotations/sslcipher/main_test.go
index 8110697dc..6eb9ec0c2 100644
--- a/internal/ingress/annotations/sslcipher/main_test.go
+++ b/internal/ingress/annotations/sslcipher/main_test.go
@@ -21,7 +21,7 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/sslpassthrough/main.go b/internal/ingress/annotations/sslpassthrough/main.go
index 20ff1a010..d1def7172 100644
--- a/internal/ingress/annotations/sslpassthrough/main.go
+++ b/internal/ingress/annotations/sslpassthrough/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package sslpassthrough
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	ing_errors "k8s.io/ingress-nginx/internal/ingress/errors"
diff --git a/internal/ingress/annotations/sslpassthrough/main_test.go b/internal/ingress/annotations/sslpassthrough/main_test.go
index d5e54b2e2..5cf2f979a 100644
--- a/internal/ingress/annotations/sslpassthrough/main_test.go
+++ b/internal/ingress/annotations/sslpassthrough/main_test.go
@@ -20,12 +20,10 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
-
-	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
 func buildIngress() *networking.Ingress {
@@ -35,9 +33,13 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			Backend: &networking.IngressBackend{
-				ServiceName: "default-backend",
-				ServicePort: intstr.FromInt(80),
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
 			},
 		},
 	}
diff --git a/internal/ingress/annotations/upstreamhashby/main.go b/internal/ingress/annotations/upstreamhashby/main.go
index bb202f1b0..e6bbca6c3 100644
--- a/internal/ingress/annotations/upstreamhashby/main.go
+++ b/internal/ingress/annotations/upstreamhashby/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package upstreamhashby
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/upstreamhashby/main_test.go b/internal/ingress/annotations/upstreamhashby/main_test.go
index 5a71be56f..d2c2644ca 100644
--- a/internal/ingress/annotations/upstreamhashby/main_test.go
+++ b/internal/ingress/annotations/upstreamhashby/main_test.go
@@ -20,7 +20,7 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/upstreamvhost/main.go b/internal/ingress/annotations/upstreamvhost/main.go
index bf761a70f..2eed5607e 100644
--- a/internal/ingress/annotations/upstreamvhost/main.go
+++ b/internal/ingress/annotations/upstreamvhost/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package upstreamvhost
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/upstreamvhost/main_test.go b/internal/ingress/annotations/upstreamvhost/main_test.go
index 1506c4f7f..130d745ee 100644
--- a/internal/ingress/annotations/upstreamvhost/main_test.go
+++ b/internal/ingress/annotations/upstreamvhost/main_test.go
@@ -20,7 +20,7 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/xforwardedprefix/main.go b/internal/ingress/annotations/xforwardedprefix/main.go
index 2071b6411..60eed8773 100644
--- a/internal/ingress/annotations/xforwardedprefix/main.go
+++ b/internal/ingress/annotations/xforwardedprefix/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package xforwardedprefix
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/annotations/xforwardedprefix/main_test.go b/internal/ingress/annotations/xforwardedprefix/main_test.go
index c94df3ab2..a78c63d04 100644
--- a/internal/ingress/annotations/xforwardedprefix/main_test.go
+++ b/internal/ingress/annotations/xforwardedprefix/main_test.go
@@ -20,7 +20,7 @@ import (
 	"testing"
 
 	api "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index ab0d9ab6d..b4c822ba1 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -25,7 +25,7 @@ import (
 
 	"github.com/mitchellh/hashstructure"
 	apiv1 "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -33,11 +33,11 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/ingress-nginx/internal/ingress"
 	"k8s.io/ingress-nginx/internal/ingress/annotations"
-	"k8s.io/ingress-nginx/internal/ingress/annotations/class"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/log"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/proxy"
 	ngx_config "k8s.io/ingress-nginx/internal/ingress/controller/config"
+	"k8s.io/ingress-nginx/internal/ingress/controller/ingressclass"
 	"k8s.io/ingress-nginx/internal/ingress/controller/store"
 	"k8s.io/ingress-nginx/internal/ingress/errors"
 	"k8s.io/ingress-nginx/internal/k8s"
@@ -100,6 +100,8 @@ type Configuration struct {
 
 	DisableCatchAll bool
 
+	IngressClassConfiguration *ingressclass.IngressClassConfiguration
+
 	ValidationWebhook         string
 	ValidationWebhookCertPath string
 	ValidationWebhookKeyPath  string
@@ -221,17 +223,12 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 		return nil
 	}
 
-	if !class.IsValid(ing) {
-		klog.Warningf("ignoring ingress %v in %v based on annotation %v", ing.Name, ing.ObjectMeta.Namespace, class.IngressKey)
-		return nil
-	}
-
 	if n.cfg.Namespace != "" && ing.ObjectMeta.Namespace != n.cfg.Namespace {
 		klog.Warningf("ignoring ingress %v in namespace %v different from the namespace watched %s", ing.Name, ing.ObjectMeta.Namespace, n.cfg.Namespace)
 		return nil
 	}
 
-	if n.cfg.DisableCatchAll && ing.Spec.Backend != nil {
+	if n.cfg.DisableCatchAll && ing.Spec.DefaultBackend != nil {
 		return fmt.Errorf("This deployment is trying to create a catch-all ingress while DisableCatchAll flag is set to true. Remove '.spec.backend' or set DisableCatchAll flag to false.")
 	}
 
@@ -573,7 +570,13 @@ func (n *NGINXController) getBackendServers(ingresses []*ingress.Ingress) ([]*in
 			}
 
 			for _, path := range rule.HTTP.Paths {
-				upsName := upstreamName(ing.Namespace, path.Backend.ServiceName, path.Backend.ServicePort)
+				if path.Backend.Service == nil {
+					// skip non-service backends
+					klog.V(3).Infof("Ingress %q and path %q does not contain a service backend, using default backend", ingKey, path.Path)
+					continue
+				}
+
+				upsName := upstreamName(ing.Namespace, path.Backend.Service)
 
 				ups := upstreams[upsName]
 
@@ -788,11 +791,12 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B
 	upstreams[defUpstreamName] = du
 
 	for _, ing := range data {
+		ingKey := k8s.MetaNamespaceKey(ing)
 		anns := ing.ParsedAnnotations
 
 		var defBackend string
-		if ing.Spec.Backend != nil {
-			defBackend = upstreamName(ing.Namespace, ing.Spec.Backend.ServiceName, ing.Spec.Backend.ServicePort)
+		if ing.Spec.DefaultBackend != nil && ing.Spec.DefaultBackend.Service != nil {
+			defBackend = upstreamName(ing.Namespace, ing.Spec.DefaultBackend.Service)
 
 			klog.V(3).Infof("Creating upstream %q", defBackend)
 			upstreams[defBackend] = newUpstream(defBackend)
@@ -806,11 +810,11 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B
 				upstreams[defBackend].LoadBalancing = n.store.GetBackendConfiguration().LoadBalancing
 			}
 
-			svcKey := fmt.Sprintf("%v/%v", ing.Namespace, ing.Spec.Backend.ServiceName)
+			svcKey := fmt.Sprintf("%v/%v", ing.Namespace, ing.Spec.DefaultBackend.Service.Name)
 
 			// add the service ClusterIP as a single Endpoint instead of individual Endpoints
 			if anns.ServiceUpstream {
-				endpoint, err := n.getServiceClusterEndpoint(svcKey, ing.Spec.Backend)
+				endpoint, err := n.getServiceClusterEndpoint(svcKey, ing.Spec.DefaultBackend)
 				if err != nil {
 					klog.Errorf("Failed to determine a suitable ClusterIP Endpoint for Service %q: %v", svcKey, err)
 				} else {
@@ -831,7 +835,8 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B
 			}
 
 			if len(upstreams[defBackend].Endpoints) == 0 {
-				endps, err := n.serviceEndpoints(svcKey, ing.Spec.Backend.ServicePort.String())
+				_, port := upstreamServiceNameAndPort(ing.Spec.DefaultBackend.Service)
+				endps, err := n.serviceEndpoints(svcKey, port.String())
 				upstreams[defBackend].Endpoints = append(upstreams[defBackend].Endpoints, endps...)
 				if err != nil {
 					klog.Warningf("Error creating upstream %q: %v", defBackend, err)
@@ -851,15 +856,21 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B
 			}
 
 			for _, path := range rule.HTTP.Paths {
-				name := upstreamName(ing.Namespace, path.Backend.ServiceName, path.Backend.ServicePort)
+				if path.Backend.Service == nil {
+					// skip non-service backends
+					klog.V(3).Infof("Ingress %q and path %q does not contain a service backend, using default backend", ingKey, path.Path)
+					continue
+				}
 
+				name := upstreamName(ing.Namespace, path.Backend.Service)
+				svcName, svcPort := upstreamServiceNameAndPort(path.Backend.Service)
 				if _, ok := upstreams[name]; ok {
 					continue
 				}
 
 				klog.V(3).Infof("Creating upstream %q", name)
 				upstreams[name] = newUpstream(name)
-				upstreams[name].Port = path.Backend.ServicePort
+				upstreams[name].Port = svcPort
 
 				upstreams[name].UpstreamHashBy.UpstreamHashBy = anns.UpstreamHashBy.UpstreamHashBy
 				upstreams[name].UpstreamHashBy.UpstreamHashBySubset = anns.UpstreamHashBy.UpstreamHashBySubset
@@ -870,7 +881,7 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B
 					upstreams[name].LoadBalancing = n.store.GetBackendConfiguration().LoadBalancing
 				}
 
-				svcKey := fmt.Sprintf("%v/%v", ing.Namespace, path.Backend.ServiceName)
+				svcKey := fmt.Sprintf("%v/%v", ing.Namespace, svcName)
 
 				// add the service ClusterIP as a single Endpoint instead of individual Endpoints
 				if anns.ServiceUpstream {
@@ -895,7 +906,8 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B
 				}
 
 				if len(upstreams[name].Endpoints) == 0 {
-					endp, err := n.serviceEndpoints(svcKey, path.Backend.ServicePort.String())
+					_, port := upstreamServiceNameAndPort(path.Backend.Service)
+					endp, err := n.serviceEndpoints(svcKey, port.String())
 					if err != nil {
 						klog.Warningf("Error obtaining Endpoints for Service %q: %v", svcKey, err)
 						continue
@@ -933,20 +945,23 @@ func (n *NGINXController) getServiceClusterEndpoint(svcKey string, backend *netw
 
 	// if the Service port is referenced by name in the Ingress, lookup the
 	// actual port in the service spec
-	if backend.ServicePort.Type == intstr.String {
-		var port int32 = -1
-		for _, svcPort := range svc.Spec.Ports {
-			if svcPort.Name == backend.ServicePort.String() {
-				port = svcPort.Port
-				break
+	if backend.Service != nil {
+		_, svcportintorstr := upstreamServiceNameAndPort(backend.Service)
+		if svcportintorstr.Type == intstr.String {
+			var port int32 = -1
+			for _, svcPort := range svc.Spec.Ports {
+				if svcPort.Name == svcportintorstr.String() {
+					port = svcPort.Port
+					break
+				}
 			}
+			if port == -1 {
+				return endpoint, fmt.Errorf("service %q does not have a port named %q", svc.Name, svcportintorstr.String())
+			}
+			endpoint.Port = fmt.Sprintf("%d", port)
+		} else {
+			endpoint.Port = svcportintorstr.String()
 		}
-		if port == -1 {
-			return endpoint, fmt.Errorf("service %q does not have a port named %q", svc.Name, backend.ServicePort)
-		}
-		endpoint.Port = fmt.Sprintf("%d", port)
-	} else {
-		endpoint.Port = backend.ServicePort.String()
 	}
 
 	return endpoint, err
@@ -1077,8 +1092,8 @@ func (n *NGINXController) createServers(data []*ingress.Ingress,
 			continue
 		}
 
-		if ing.Spec.Backend != nil {
-			defUpstream := upstreamName(ing.Namespace, ing.Spec.Backend.ServiceName, ing.Spec.Backend.ServicePort)
+		if ing.Spec.DefaultBackend != nil && ing.Spec.DefaultBackend.Service != nil {
+			defUpstream := upstreamName(ing.Namespace, ing.Spec.DefaultBackend.Service)
 
 			if backendUpstream, ok := upstreams[defUpstream]; ok {
 				// use backend specified in Ingress as the default backend for all its rules
@@ -1347,8 +1362,8 @@ func mergeAlternativeBackends(ing *ingress.Ingress, upstreams map[string]*ingres
 	servers map[string]*ingress.Server) {
 
 	// merge catch-all alternative backends
-	if ing.Spec.Backend != nil {
-		upsName := upstreamName(ing.Namespace, ing.Spec.Backend.ServiceName, ing.Spec.Backend.ServicePort)
+	if ing.Spec.DefaultBackend != nil {
+		upsName := upstreamName(ing.Namespace, ing.Spec.DefaultBackend.Service)
 
 		altUps := upstreams[upsName]
 
@@ -1390,7 +1405,13 @@ func mergeAlternativeBackends(ing *ingress.Ingress, upstreams map[string]*ingres
 		}
 
 		for _, path := range rule.HTTP.Paths {
-			upsName := upstreamName(ing.Namespace, path.Backend.ServiceName, path.Backend.ServicePort)
+			if path.Backend.Service == nil {
+				// skip non-service backends
+				klog.V(3).Infof("Ingress %q and path %q does not contain a service backend, using default backend", k8s.MetaNamespaceKey(ing), path.Path)
+				continue
+			}
+
+			upsName := upstreamName(ing.Namespace, path.Backend.Service)
 
 			altUps := upstreams[upsName]
 
@@ -1606,6 +1627,12 @@ func checkOverlap(ing *networking.Ingress, ingresses []*ingress.Ingress, servers
 		}
 
 		for _, path := range rule.HTTP.Paths {
+			if path.Backend.Service == nil {
+				// skip non-service backends
+				klog.V(3).Infof("Ingress %q and path %q does not contain a service backend, using default backend", k8s.MetaNamespaceKey(ing), path.Path)
+				continue
+			}
+
 			if path.Path == "" {
 				path.Path = rootLocation
 			}
diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go
index 34ee87bdb..86110c3ca 100644
--- a/internal/ingress/controller/controller_test.go
+++ b/internal/ingress/controller/controller_test.go
@@ -33,9 +33,8 @@ import (
 	"github.com/eapache/channels"
 	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/client-go/kubernetes/fake"
 
 	"k8s.io/ingress-nginx/internal/file"
@@ -47,6 +46,7 @@ import (
 	"k8s.io/ingress-nginx/internal/ingress/annotations/sessionaffinity"
 	"k8s.io/ingress-nginx/internal/ingress/controller/config"
 	ngx_config "k8s.io/ingress-nginx/internal/ingress/controller/config"
+	"k8s.io/ingress-nginx/internal/ingress/controller/ingressclass"
 	"k8s.io/ingress-nginx/internal/ingress/controller/store"
 	"k8s.io/ingress-nginx/internal/ingress/defaults"
 	"k8s.io/ingress-nginx/internal/ingress/metric"
@@ -190,18 +190,6 @@ func TestCheckIngress(t *testing.T) {
 			},
 		},
 	}
-
-	t.Run("When the ingress class differs from nginx", func(t *testing.T) {
-		ing.ObjectMeta.Annotations["kubernetes.io/ingress.class"] = "different"
-		nginx.command = testNginxTestCommand{
-			t:   t,
-			err: fmt.Errorf("test error"),
-		}
-		if nginx.CheckIngress(ing) != nil {
-			t.Errorf("with a different ingress class, no error should be returned")
-		}
-	})
-
 	t.Run("when the class is the nginx one", func(t *testing.T) {
 		ing.ObjectMeta.Annotations["kubernetes.io/ingress.class"] = "nginx"
 		nginx.command = testNginxTestCommand{
@@ -258,7 +246,7 @@ func TestCheckIngress(t *testing.T) {
 		})
 
 		t.Run("When a new catch-all ingress is being created despite catch-alls being disabled ", func(t *testing.T) {
-			backendBefore := ing.Spec.Backend
+			backendBefore := ing.Spec.DefaultBackend
 			disableCatchAllBefore := nginx.cfg.DisableCatchAll
 
 			nginx.command = testNginxTestCommand{
@@ -267,10 +255,12 @@ func TestCheckIngress(t *testing.T) {
 			}
 			nginx.cfg.DisableCatchAll = true
 
-			ing.Spec.Backend = &networking.IngressBackend{
-				ServiceName: "http-svc",
-				ServicePort: intstr.IntOrString{
-					IntVal: 80,
+			ing.Spec.DefaultBackend = &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "http-svc",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
 				},
 			}
 
@@ -279,7 +269,7 @@ func TestCheckIngress(t *testing.T) {
 			}
 
 			// reset backend and catch-all flag
-			ing.Spec.Backend = backendBefore
+			ing.Spec.DefaultBackend = backendBefore
 			nginx.cfg.DisableCatchAll = disableCatchAllBefore
 		})
 
@@ -332,10 +322,11 @@ func TestMergeAlternativeBackends(t *testing.T) {
 												Path:     "/",
 												PathType: &pathTypePrefix,
 												Backend: networking.IngressBackend{
-													ServiceName: "http-svc-canary",
-													ServicePort: intstr.IntOrString{
-														Type:   intstr.Int,
-														IntVal: 80,
+													Service: &networking.IngressServiceBackend{
+														Name: "http-svc-canary",
+														Port: networking.ServiceBackendPort{
+															Number: 80,
+														},
 													},
 												},
 											},
@@ -416,10 +407,11 @@ func TestMergeAlternativeBackends(t *testing.T) {
 												Path:     "/",
 												PathType: &pathTypePrefix,
 												Backend: networking.IngressBackend{
-													ServiceName: "foo-http-svc-canary",
-													ServicePort: intstr.IntOrString{
-														Type:   intstr.Int,
-														IntVal: 80,
+													Service: &networking.IngressServiceBackend{
+														Name: "foo-http-svc-canary",
+														Port: networking.ServiceBackendPort{
+															Number: 80,
+														},
 													},
 												},
 											},
@@ -436,10 +428,11 @@ func TestMergeAlternativeBackends(t *testing.T) {
 												Path:     "/",
 												PathType: &pathTypePrefix,
 												Backend: networking.IngressBackend{
-													ServiceName: "http-svc-canary",
-													ServicePort: intstr.IntOrString{
-														Type:   intstr.Int,
-														IntVal: 80,
+													Service: &networking.IngressServiceBackend{
+														Name: "http-svc-canary",
+														Port: networking.ServiceBackendPort{
+															Number: 80,
+														},
 													},
 												},
 											},
@@ -554,10 +547,11 @@ func TestMergeAlternativeBackends(t *testing.T) {
 												Path:     "/",
 												PathType: &pathTypePrefix,
 												Backend: networking.IngressBackend{
-													ServiceName: "http-svc-canary",
-													ServicePort: intstr.IntOrString{
-														Type:   intstr.Int,
-														IntVal: 80,
+													Service: &networking.IngressServiceBackend{
+														Name: "http-svc-canary",
+														Port: networking.ServiceBackendPort{
+															Number: 80,
+														},
 													},
 												},
 											},
@@ -589,10 +583,12 @@ func TestMergeAlternativeBackends(t *testing.T) {
 						Namespace: "example",
 					},
 					Spec: networking.IngressSpec{
-						Backend: &networking.IngressBackend{
-							ServiceName: "http-svc-canary",
-							ServicePort: intstr.IntOrString{
-								IntVal: 80,
+						DefaultBackend: &networking.IngressBackend{
+							Service: &networking.IngressServiceBackend{
+								Name: "http-svc-canary",
+								Port: networking.ServiceBackendPort{
+									Number: 80,
+								},
 							},
 						},
 					},
@@ -657,10 +653,12 @@ func TestMergeAlternativeBackends(t *testing.T) {
 						Namespace: "example",
 					},
 					Spec: networking.IngressSpec{
-						Backend: &networking.IngressBackend{
-							ServiceName: "http-svc-canary",
-							ServicePort: intstr.IntOrString{
-								IntVal: 80,
+						DefaultBackend: &networking.IngressBackend{
+							Service: &networking.IngressServiceBackend{
+								Name: "http-svc-canary",
+								Port: networking.ServiceBackendPort{
+									Number: 80,
+								},
 							},
 						},
 					},
@@ -721,9 +719,11 @@ func TestMergeAlternativeBackends(t *testing.T) {
 												Path:     "/",
 												PathType: &pathTypePrefix,
 												Backend: networking.IngressBackend{
-													ServiceName: "http-svc-canary",
-													ServicePort: intstr.IntOrString{
-														IntVal: 80,
+													Service: &networking.IngressServiceBackend{
+														Name: "http-svc-canary",
+														Port: networking.ServiceBackendPort{
+															Number: 80,
+														},
 													},
 												},
 											},
@@ -804,9 +804,11 @@ func TestMergeAlternativeBackends(t *testing.T) {
 												Path:     "/",
 												PathType: &pathTypePrefix,
 												Backend: networking.IngressBackend{
-													ServiceName: "http-svc-canary",
-													ServicePort: intstr.IntOrString{
-														IntVal: 80,
+													Service: &networking.IngressServiceBackend{
+														Name: "http-svc-canary",
+														Port: networking.ServiceBackendPort{
+															Number: 80,
+														},
 													},
 												},
 											},
@@ -913,9 +915,11 @@ func TestMergeAlternativeBackends(t *testing.T) {
 												Path:     "/",
 												PathType: &pathTypePrefix,
 												Backend: networking.IngressBackend{
-													ServiceName: "http-svc-canary",
-													ServicePort: intstr.IntOrString{
-														IntVal: 80,
+													Service: &networking.IngressServiceBackend{
+														Name: "http-svc-canary",
+														Port: networking.ServiceBackendPort{
+															Number: 80,
+														},
 													},
 												},
 											},
@@ -1022,9 +1026,11 @@ func TestMergeAlternativeBackends(t *testing.T) {
 												Path:     "/",
 												PathType: &pathTypePrefix,
 												Backend: networking.IngressBackend{
-													ServiceName: "http-svc-canary",
-													ServicePort: intstr.IntOrString{
-														IntVal: 80,
+													Service: &networking.IngressServiceBackend{
+														Name: "http-svc-canary",
+														Port: networking.ServiceBackendPort{
+															Number: 80,
+														},
 													},
 												},
 											},
@@ -1322,10 +1328,12 @@ func TestGetBackendServers(t *testing.T) {
 							Namespace: "example",
 						},
 						Spec: networking.IngressSpec{
-							Backend: &networking.IngressBackend{
-								ServiceName: "http-svc-canary",
-								ServicePort: intstr.IntOrString{
-									IntVal: 80,
+							DefaultBackend: &networking.IngressBackend{
+								Service: &networking.IngressServiceBackend{
+									Name: "http-svc-canary",
+									Port: networking.ServiceBackendPort{
+										Number: 80,
+									},
 								},
 							},
 						},
@@ -1365,10 +1373,12 @@ func TestGetBackendServers(t *testing.T) {
 							Namespace: "example",
 						},
 						Spec: networking.IngressSpec{
-							Backend: &networking.IngressBackend{
-								ServiceName: "http-svc-canary",
-								ServicePort: intstr.IntOrString{
-									IntVal: 80,
+							DefaultBackend: &networking.IngressBackend{
+								Service: &networking.IngressServiceBackend{
+									Name: "http-svc-canary",
+									Port: networking.ServiceBackendPort{
+										Number: 80,
+									},
 								},
 							},
 						},
@@ -1385,10 +1395,12 @@ func TestGetBackendServers(t *testing.T) {
 							Namespace: "example",
 						},
 						Spec: networking.IngressSpec{
-							Backend: &networking.IngressBackend{
-								ServiceName: "http-svc",
-								ServicePort: intstr.IntOrString{
-									IntVal: 80,
+							DefaultBackend: &networking.IngressBackend{
+								Service: &networking.IngressServiceBackend{
+									Name: "http-svc",
+									Port: networking.ServiceBackendPort{
+										Number: 80,
+									},
 								},
 							},
 						},
@@ -1438,10 +1450,11 @@ func TestGetBackendServers(t *testing.T) {
 													Path:     "/",
 													PathType: &pathTypePrefix,
 													Backend: networking.IngressBackend{
-														ServiceName: "http-svc-canary",
-														ServicePort: intstr.IntOrString{
-															Type:   intstr.Int,
-															IntVal: 80,
+														Service: &networking.IngressServiceBackend{
+															Name: "http-svc-canary",
+															Port: networking.ServiceBackendPort{
+																Number: 80,
+															},
 														},
 													},
 												},
@@ -1498,10 +1511,11 @@ func TestGetBackendServers(t *testing.T) {
 													Path:     "/",
 													PathType: &pathTypePrefix,
 													Backend: networking.IngressBackend{
-														ServiceName: "http-svc",
-														ServicePort: intstr.IntOrString{
-															Type:   intstr.Int,
-															IntVal: 80,
+														Service: &networking.IngressServiceBackend{
+															Name: "http-svc",
+															Port: networking.ServiceBackendPort{
+																Number: 80,
+															},
 														},
 													},
 												},
@@ -1535,10 +1549,11 @@ func TestGetBackendServers(t *testing.T) {
 													Path:     "/",
 													PathType: &pathTypePrefix,
 													Backend: networking.IngressBackend{
-														ServiceName: "http-svc-canary",
-														ServicePort: intstr.IntOrString{
-															Type:   intstr.Int,
-															IntVal: 80,
+														Service: &networking.IngressServiceBackend{
+															Name: "http-svc-canary",
+															Port: networking.ServiceBackendPort{
+																Number: 80,
+															},
 														},
 													},
 												},
@@ -1604,10 +1619,11 @@ func TestGetBackendServers(t *testing.T) {
 													Path:     "/a",
 													PathType: &pathTypePrefix,
 													Backend: networking.IngressBackend{
-														ServiceName: "http-svc-1",
-														ServicePort: intstr.IntOrString{
-															Type:   intstr.Int,
-															IntVal: 80,
+														Service: &networking.IngressServiceBackend{
+															Name: "http-svc-1",
+															Port: networking.ServiceBackendPort{
+																Number: 80,
+															},
 														},
 													},
 												},
@@ -1641,10 +1657,11 @@ func TestGetBackendServers(t *testing.T) {
 													Path:     "/a",
 													PathType: &pathTypePrefix,
 													Backend: networking.IngressBackend{
-														ServiceName: "http-svc-2",
-														ServicePort: intstr.IntOrString{
-															Type:   intstr.Int,
-															IntVal: 80,
+														Service: &networking.IngressServiceBackend{
+															Name: "http-svc-2",
+															Port: networking.ServiceBackendPort{
+																Number: 80,
+															},
 														},
 													},
 												},
@@ -1678,10 +1695,11 @@ func TestGetBackendServers(t *testing.T) {
 													Path:     "/b",
 													PathType: &pathTypePrefix,
 													Backend: networking.IngressBackend{
-														ServiceName: "http-svc-2",
-														ServicePort: intstr.IntOrString{
-															Type:   intstr.Int,
-															IntVal: 80,
+														Service: &networking.IngressServiceBackend{
+															Name: "http-svc-2",
+															Port: networking.ServiceBackendPort{
+																Number: 80,
+															},
 														},
 													},
 												},
@@ -1715,10 +1733,11 @@ func TestGetBackendServers(t *testing.T) {
 													Path:     "/b",
 													PathType: &pathTypePrefix,
 													Backend: networking.IngressBackend{
-														ServiceName: "http-svc-1",
-														ServicePort: intstr.IntOrString{
-															Type:   intstr.Int,
-															IntVal: 80,
+														Service: &networking.IngressServiceBackend{
+															Name: "http-svc-1",
+															Port: networking.ServiceBackendPort{
+																Number: 80,
+															},
 														},
 													},
 												},
@@ -1752,10 +1771,11 @@ func TestGetBackendServers(t *testing.T) {
 													Path:     "/c",
 													PathType: &pathTypePrefix,
 													Backend: networking.IngressBackend{
-														ServiceName: "http-svc-1",
-														ServicePort: intstr.IntOrString{
-															Type:   intstr.Int,
-															IntVal: 80,
+														Service: &networking.IngressServiceBackend{
+															Name: "http-svc-1",
+															Port: networking.ServiceBackendPort{
+																Number: 80,
+															},
 														},
 													},
 												},
@@ -1789,10 +1809,11 @@ func TestGetBackendServers(t *testing.T) {
 													Path:     "/c",
 													PathType: &pathTypePrefix,
 													Backend: networking.IngressBackend{
-														ServiceName: "http-svc-2",
-														ServicePort: intstr.IntOrString{
-															Type:   intstr.Int,
-															IntVal: 80,
+														Service: &networking.IngressServiceBackend{
+															Name: "http-svc-2",
+															Port: networking.ServiceBackendPort{
+																Number: 80,
+															},
 														},
 													},
 												},
@@ -1874,10 +1895,11 @@ func TestGetBackendServers(t *testing.T) {
 													Path:     "/path1",
 													PathType: &pathTypePrefix,
 													Backend: networking.IngressBackend{
-														ServiceName: "path1-svc",
-														ServicePort: intstr.IntOrString{
-															Type:   intstr.Int,
-															IntVal: 80,
+														Service: &networking.IngressServiceBackend{
+															Name: "path1-svc",
+															Port: networking.ServiceBackendPort{
+																Number: 80,
+															},
 														},
 													},
 												},
@@ -1914,10 +1936,11 @@ func TestGetBackendServers(t *testing.T) {
 													Path:     "/path2",
 													PathType: &pathTypePrefix,
 													Backend: networking.IngressBackend{
-														ServiceName: "path2-svc",
-														ServicePort: intstr.IntOrString{
-															Type:   intstr.Int,
-															IntVal: 80,
+														Service: &networking.IngressServiceBackend{
+															Name: "path2-svc",
+															Port: networking.ServiceBackendPort{
+																Number: 80,
+															},
 														},
 													},
 												},
@@ -1979,10 +2002,11 @@ func TestGetBackendServers(t *testing.T) {
 													Path:     "/path1",
 													PathType: &pathTypePrefix,
 													Backend: networking.IngressBackend{
-														ServiceName: "path1-svc",
-														ServicePort: intstr.IntOrString{
-															Type:   intstr.Int,
-															IntVal: 80,
+														Service: &networking.IngressServiceBackend{
+															Name: "path1-svc",
+															Port: networking.ServiceBackendPort{
+																Number: 80,
+															},
 														},
 													},
 												},
@@ -2019,10 +2043,11 @@ func TestGetBackendServers(t *testing.T) {
 													Path:     "/path2",
 													PathType: &pathTypePrefix,
 													Backend: networking.IngressBackend{
-														ServiceName: "path2-svc",
-														ServicePort: intstr.IntOrString{
-															Type:   intstr.Int,
-															IntVal: 80,
+														Service: &networking.IngressServiceBackend{
+															Name: "path2-svc",
+															Port: networking.ServiceBackendPort{
+																Number: 80,
+															},
 														},
 													},
 												},
@@ -2075,6 +2100,67 @@ func TestGetBackendServers(t *testing.T) {
 				}
 			},
 		},
+		{
+			Ingresses: []*ingress.Ingress{
+				{
+					Ingress: networking.Ingress{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "proxy-ssl-1",
+							Namespace: "proxyssl",
+						},
+						Spec: networking.IngressSpec{
+							Rules: []networking.IngressRule{
+								{
+									Host: "example.com",
+									IngressRuleValue: networking.IngressRuleValue{
+										HTTP: &networking.HTTPIngressRuleValue{
+											Paths: []networking.HTTPIngressPath{
+												{
+													Path:     "/path1",
+													PathType: &pathTypePrefix,
+													Backend:  networking.IngressBackend{},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+					ParsedAnnotations: &annotations.Ingress{
+						ProxySSL: proxyssl.Config{
+							AuthSSLCert: resolver.AuthSSLCert{
+								CAFileName: "cafile1.crt",
+								Secret:     "secret1",
+							},
+						},
+					},
+				},
+			},
+			Validate: func(ingresses []*ingress.Ingress, upstreams []*ingress.Backend, servers []*ingress.Server) {
+				if len(servers) != 2 {
+					t.Errorf("servers count should be 1, got %d", len(servers))
+					return
+				}
+
+				s := servers[1]
+
+				if s.Locations[0].Backend != "upstream-default-backend" {
+					t.Errorf("backend should be upstream-default-backend, got '%s'", s.Locations[0].Backend)
+				}
+			},
+			SetConfigMap: func(ns string) *v1.ConfigMap {
+				return &v1.ConfigMap{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:     "config",
+						SelfLink: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/config", ns),
+					},
+					Data: map[string]string{
+						"proxy-ssl-location-only": "true",
+					},
+				}
+			},
+		},
 	}
 
 	for _, testCase := range testCases {
@@ -2129,7 +2215,12 @@ func newNGINXController(t *testing.T) *NGINXController {
 		10*time.Minute,
 		clientSet,
 		channels.NewRingChannel(10),
-		false)
+		false,
+		&ingressclass.IngressClassConfiguration{
+			Controller:      "k8s.io/ingress-nginx",
+			AnnotationValue: "nginx",
+		},
+	)
 
 	sslCert := ssl.GetFakeSSLCert()
 	config := &Configuration{
@@ -2187,7 +2278,11 @@ func newDynamicNginxController(t *testing.T, setConfigMap func(string) *v1.Confi
 		10*time.Minute,
 		clientSet,
 		channels.NewRingChannel(10),
-		false)
+		false,
+		&ingressclass.IngressClassConfiguration{
+			Controller:      "k8s.io/ingress-nginx",
+			AnnotationValue: "nginx",
+		})
 
 	sslCert := ssl.GetFakeSSLCert()
 	config := &Configuration{
diff --git a/internal/ingress/controller/ingressclass/ingressclass.go b/internal/ingress/controller/ingressclass/ingressclass.go
new file mode 100644
index 000000000..025a4e2a5
--- /dev/null
+++ b/internal/ingress/controller/ingressclass/ingressclass.go
@@ -0,0 +1,45 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ingressclass
+
+const (
+	// IngressKey picks a specific "class" for the Ingress.
+	// The controller only processes Ingresses with this annotation either
+	// unset, or set to either the configured value or the empty string.
+	IngressKey = "kubernetes.io/ingress.class"
+
+	// DefaultControllerName defines the default controller name for Ingress NGINX
+	DefaultControllerName = "k8s.io/ingress-nginx"
+
+	// DefaultAnnotationValue defines the default annotation value for the ingress-nginx controller
+	DefaultAnnotationValue = "nginx"
+)
+
+// IngressClassConfiguration defines the various aspects of IngressClass parsing
+// and how the controller should behave in each case
+type IngressClassConfiguration struct {
+	// Controller defines the controller value this daemon watch to.
+	// Defaults to "k8s.io/ingress-nginx" defined in flags
+	Controller string
+	// AnnotationValue defines the annotation value this Controller watch to, in case of the
+	// ingressSpecName is not found but the annotation is.
+	// The Annotation is deprecated and should not be used in future releases
+	AnnotationValue string
+	// WatchWithoutClass defines if Controller should watch to Ingress Objects that does
+	// not contain an IngressClass configuration
+	WatchWithoutClass bool
+}
diff --git a/internal/ingress/controller/location.go b/internal/ingress/controller/location.go
index c5db878c5..d40e88960 100644
--- a/internal/ingress/controller/location.go
+++ b/internal/ingress/controller/location.go
@@ -20,7 +20,7 @@ import (
 	"fmt"
 	"strings"
 
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	"k8s.io/ingress-nginx/internal/ingress"
 )
 
diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go
index 11864ae6b..ddde11bc8 100644
--- a/internal/ingress/controller/nginx.go
+++ b/internal/ingress/controller/nginx.go
@@ -49,7 +49,6 @@ import (
 	adm_controller "k8s.io/ingress-nginx/internal/admission/controller"
 	"k8s.io/ingress-nginx/internal/file"
 	"k8s.io/ingress-nginx/internal/ingress"
-	"k8s.io/ingress-nginx/internal/ingress/annotations/class"
 	ngx_config "k8s.io/ingress-nginx/internal/ingress/controller/config"
 	"k8s.io/ingress-nginx/internal/ingress/controller/process"
 	"k8s.io/ingress-nginx/internal/ingress/controller/store"
@@ -130,7 +129,8 @@ func NewNGINXController(config *Configuration, mc metric.Collector) *NGINXContro
 		config.ResyncPeriod,
 		config.Client,
 		n.updateCh,
-		config.DisableCatchAll)
+		config.DisableCatchAll,
+		config.IngressClassConfiguration)
 
 	n.syncQueue = task.NewTaskQueue(n.syncIngress)
 
@@ -256,10 +256,10 @@ func (n *NGINXController) Start() {
 
 	// we need to use the defined ingress class to allow multiple leaders
 	// in order to update information about ingress status
-	electionID := fmt.Sprintf("%v-%v", n.cfg.ElectionID, class.DefaultClass)
-	if class.IngressClass != "" {
-		electionID = fmt.Sprintf("%v-%v", n.cfg.ElectionID, class.IngressClass)
-	}
+	// TODO: For now, as the the IngressClass logics has changed, is up to the
+	// cluster admin to create different Leader Election IDs.
+	// Should revisit this in a future
+	electionID := n.cfg.ElectionID
 
 	setupLeaderElection(&leaderElectionConfig{
 		Client:     n.cfg.Client,
@@ -511,12 +511,7 @@ func (n NGINXController) generateTemplate(cfg ngx_config.Configuration, ingressC
 	if cfg.MaxWorkerOpenFiles == 0 {
 		// the limit of open files is per worker process
 		// and we leave some room to avoid consuming all the FDs available
-		wp, err := strconv.Atoi(cfg.WorkerProcesses)
-		klog.V(3).InfoS("Worker processes", "count", wp)
-		if err != nil {
-			wp = 1
-		}
-		maxOpenFiles := (rlimitMaxNumFiles() / wp) - 1024
+		maxOpenFiles := rlimitMaxNumFiles() - 1024
 		klog.V(3).InfoS("Maximum number of open file descriptors", "value", maxOpenFiles)
 		if maxOpenFiles < 1024 {
 			// this means the value of RLIMIT_NOFILE is too low.
diff --git a/internal/ingress/controller/store/backend_ssl.go b/internal/ingress/controller/store/backend_ssl.go
index fe9138c6f..377f62015 100644
--- a/internal/ingress/controller/store/backend_ssl.go
+++ b/internal/ingress/controller/store/backend_ssl.go
@@ -24,7 +24,7 @@ import (
 
 	"github.com/pkg/errors"
 	apiv1 "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"k8s.io/ingress-nginx/internal/file"
diff --git a/internal/ingress/controller/store/ingress.go b/internal/ingress/controller/store/ingress.go
index dafc48924..1d8ccb342 100644
--- a/internal/ingress/controller/store/ingress.go
+++ b/internal/ingress/controller/store/ingress.go
@@ -17,7 +17,7 @@ limitations under the License.
 package store
 
 import (
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/ingress-nginx/internal/ingress"
 )
diff --git a/internal/ingress/controller/store/ingressclass.go b/internal/ingress/controller/store/ingressclass.go
new file mode 100644
index 000000000..da613d035
--- /dev/null
+++ b/internal/ingress/controller/store/ingressclass.go
@@ -0,0 +1,39 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package store
+
+import (
+	networking "k8s.io/api/networking/v1"
+	"k8s.io/client-go/tools/cache"
+)
+
+// IngressClassLister makes a Store that lists IngressClass.
+type IngressClassLister struct {
+	cache.Store
+}
+
+// ByKey returns the Ingress matching key in the local Ingress Store.
+func (il IngressClassLister) ByKey(key string) (*networking.IngressClass, error) {
+	i, exists, err := il.GetByKey(key)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, NotExistsError(key)
+	}
+	return i.(*networking.IngressClass), nil
+}
diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go
index 14096d270..f65098a21 100644
--- a/internal/ingress/controller/store/store.go
+++ b/internal/ingress/controller/store/store.go
@@ -28,7 +28,7 @@ import (
 
 	"github.com/eapache/channels"
 	corev1 "k8s.io/api/core/v1"
-	networkingv1beta1 "k8s.io/api/networking/v1beta1"
+	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	k8sruntime "k8s.io/apimachinery/pkg/runtime"
@@ -41,14 +41,13 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/klog/v2"
-	"k8s.io/utils/pointer"
 
 	"k8s.io/ingress-nginx/internal/file"
 	"k8s.io/ingress-nginx/internal/ingress"
 	"k8s.io/ingress-nginx/internal/ingress/annotations"
-	"k8s.io/ingress-nginx/internal/ingress/annotations/class"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	ngx_config "k8s.io/ingress-nginx/internal/ingress/controller/config"
+	"k8s.io/ingress-nginx/internal/ingress/controller/ingressclass"
 	ngx_template "k8s.io/ingress-nginx/internal/ingress/controller/template"
 	"k8s.io/ingress-nginx/internal/ingress/defaults"
 	"k8s.io/ingress-nginx/internal/ingress/errors"
@@ -121,16 +120,18 @@ type Event struct {
 
 // Informer defines the required SharedIndexInformers that interact with the API server.
 type Informer struct {
-	Ingress   cache.SharedIndexInformer
-	Endpoint  cache.SharedIndexInformer
-	Service   cache.SharedIndexInformer
-	Secret    cache.SharedIndexInformer
-	ConfigMap cache.SharedIndexInformer
+	Ingress      cache.SharedIndexInformer
+	IngressClass cache.SharedIndexInformer
+	Endpoint     cache.SharedIndexInformer
+	Service      cache.SharedIndexInformer
+	Secret       cache.SharedIndexInformer
+	ConfigMap    cache.SharedIndexInformer
 }
 
 // Lister contains object listers (stores).
 type Lister struct {
 	Ingress               IngressLister
+	IngressClass          IngressClassLister
 	Service               ServiceLister
 	Endpoint              EndpointLister
 	Secret                SecretLister
@@ -150,6 +151,7 @@ func (e NotExistsError) Error() string {
 func (i *Informer) Run(stopCh chan struct{}) {
 	go i.Secret.Run(stopCh)
 	go i.Endpoint.Run(stopCh)
+	go i.IngressClass.Run(stopCh)
 	go i.Service.Run(stopCh)
 	go i.ConfigMap.Run(stopCh)
 
@@ -157,6 +159,7 @@ func (i *Informer) Run(stopCh chan struct{}) {
 	// from the queue
 	if !cache.WaitForCacheSync(stopCh,
 		i.Endpoint.HasSynced,
+		i.IngressClass.HasSynced,
 		i.Service.HasSynced,
 		i.Secret.HasSynced,
 		i.ConfigMap.HasSynced,
@@ -221,7 +224,8 @@ func New(
 	resyncPeriod time.Duration,
 	client clientset.Interface,
 	updateCh *channels.RingChannel,
-	disableCatchAll bool) Storer {
+	disableCatchAll bool,
+	icConfig *ingressclass.IngressClassConfiguration) Storer {
 
 	store := &k8sStore{
 		informers:             &Informer{},
@@ -293,9 +297,12 @@ func New(
 		informers.WithTweakListOptions(secretsTweakListOptionsFunc),
 	)
 
-	store.informers.Ingress = infFactory.Networking().V1beta1().Ingresses().Informer()
+	store.informers.Ingress = infFactory.Networking().V1().Ingresses().Informer()
 	store.listers.Ingress.Store = store.informers.Ingress.GetStore()
 
+	store.informers.IngressClass = infFactory.Networking().V1().IngressClasses().Informer()
+	store.listers.IngressClass.Store = cache.NewStore(cache.MetaNamespaceKeyFunc)
+
 	store.informers.Endpoint = infFactory.Core().V1().Endpoints().Informer()
 	store.listers.Endpoint.Store = store.informers.Endpoint.GetStore()
 
@@ -317,14 +324,16 @@ func New(
 				klog.ErrorS(nil, "Error obtaining object from tombstone", "key", obj)
 				return
 			}
-			ing, ok = tombstone.Obj.(*networkingv1beta1.Ingress)
+			ing, ok = tombstone.Obj.(*networkingv1.Ingress)
 			if !ok {
 				klog.Errorf("Tombstone contained object that is not an Ingress: %#v", obj)
 				return
 			}
 		}
 
-		if !class.IsValid(ing) {
+		_, err := store.GetIngressClass(ing, icConfig)
+		if err != nil {
+			klog.InfoS("Ignoring ingress because of error while validating ingress class", "ingress", klog.KObj(ing), "error", err)
 			return
 		}
 
@@ -347,12 +356,14 @@ func New(
 	ingEventHandler := cache.ResourceEventHandlerFuncs{
 		AddFunc: func(obj interface{}) {
 			ing, _ := toIngress(obj)
-			if !class.IsValid(ing) {
-				ingressClass, _ := parser.GetStringAnnotation(class.IngressKey, ing)
-				klog.InfoS("Ignoring ingress", "ingress", klog.KObj(ing), "kubernetes.io/ingress.class", ingressClass, "ingressClassName", pointer.StringPtrDerefOr(ing.Spec.IngressClassName, ""))
+			ic, err := store.GetIngressClass(ing, icConfig)
+			if err != nil {
+				klog.InfoS("Ignoring ingress because of error while validating ingress class", "ingress", klog.KObj(ing), "error", err)
 				return
 			}
 
+			klog.InfoS("Found valid IngressClass", "ingress", klog.KObj(ing), "ingressclass", ic)
+
 			if hasCatchAllIngressRule(ing.Spec) && disableCatchAll {
 				klog.InfoS("Ignoring add for catch-all ingress because of --disable-catch-all", "ingress", klog.KObj(ing))
 				return
@@ -374,21 +385,21 @@ func New(
 			oldIng, _ := toIngress(old)
 			curIng, _ := toIngress(cur)
 
-			validOld := class.IsValid(oldIng)
-			validCur := class.IsValid(curIng)
-			if !validOld && validCur {
+			_, errOld := store.GetIngressClass(oldIng, icConfig)
+			classCur, errCur := store.GetIngressClass(curIng, icConfig)
+			if errOld != nil && errCur == nil {
 				if hasCatchAllIngressRule(curIng.Spec) && disableCatchAll {
 					klog.InfoS("ignoring update for catch-all ingress because of --disable-catch-all", "ingress", klog.KObj(curIng))
 					return
 				}
 
-				klog.InfoS("creating ingress", "ingress", klog.KObj(curIng), "class", class.IngressKey)
+				klog.InfoS("creating ingress", "ingress", klog.KObj(curIng), "ingressclass", classCur)
 				recorder.Eventf(curIng, corev1.EventTypeNormal, "Sync", "Scheduled for sync")
-			} else if validOld && !validCur {
-				klog.InfoS("removing ingress", "ingress", klog.KObj(curIng), "class", class.IngressKey)
+			} else if errOld == nil && errCur != nil {
+				klog.InfoS("removing ingress because of unknown ingressclass", "ingress", klog.KObj(curIng))
 				ingDeleteHandler(old)
 				return
-			} else if validCur && !reflect.DeepEqual(old, cur) {
+			} else if errCur == nil && !reflect.DeepEqual(old, cur) {
 				if hasCatchAllIngressRule(curIng.Spec) && disableCatchAll {
 					klog.InfoS("ignoring update for catch-all ingress and delete old one because of --disable-catch-all", "ingress", klog.KObj(curIng))
 					ingDeleteHandler(old)
@@ -412,6 +423,63 @@ func New(
 		},
 	}
 
+	ingressClassEventHandler := cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj interface{}) {
+			ingressclass := obj.(*networkingv1.IngressClass)
+			if ingressclass.Spec.Controller != icConfig.Controller {
+				klog.InfoS("ignoring ingressclass as the spec.controller is not the same of this ingress", "ingressclass", klog.KObj(ingressclass))
+				return
+			}
+			err := store.listers.IngressClass.Add(ingressclass)
+			if err != nil {
+				klog.InfoS("error adding ingressclass to store", "ingressclass", klog.KObj(ingressclass), "error", err)
+				return
+			}
+
+			updateCh.In() <- Event{
+				Type: CreateEvent,
+				Obj:  obj,
+			}
+		},
+		DeleteFunc: func(obj interface{}) {
+			ingressclass := obj.(*networkingv1.IngressClass)
+			if ingressclass.Spec.Controller != icConfig.Controller {
+				klog.InfoS("ignoring ingressclass as the spec.controller is not the same of this ingress", "ingressclass", klog.KObj(ingressclass))
+				return
+			}
+			err := store.listers.IngressClass.Delete(ingressclass)
+			if err != nil {
+				klog.InfoS("error removing ingressclass from store", "ingressclass", klog.KObj(ingressclass), "error", err)
+				return
+			}
+			updateCh.In() <- Event{
+				Type: DeleteEvent,
+				Obj:  obj,
+			}
+		},
+		UpdateFunc: func(old, cur interface{}) {
+			oic := old.(*networkingv1.IngressClass)
+			cic := cur.(*networkingv1.IngressClass)
+			if cic.Spec.Controller != icConfig.Controller {
+				klog.InfoS("ignoring ingressclass as the spec.controller is not the same of this ingress", "ingressclass", klog.KObj(cic))
+				return
+			}
+			// TODO: In a future we might be interested in parse parameters and use as
+			// current IngressClass for this case, crossing with configmap
+			if !reflect.DeepEqual(cic.Spec.Parameters, oic.Spec.Parameters) {
+				err := store.listers.IngressClass.Update(cic)
+				if err != nil {
+					klog.InfoS("error updating ingressclass in store", "ingressclass", klog.KObj(cic), "error", err)
+					return
+				}
+				updateCh.In() <- Event{
+					Type: UpdateEvent,
+					Obj:  cur,
+				}
+			}
+		},
+	}
+
 	secrEventHandler := cache.ResourceEventHandlerFuncs{
 		AddFunc: func(obj interface{}) {
 			sec := obj.(*corev1.Secret)
@@ -608,6 +676,7 @@ func New(
 	}
 
 	store.informers.Ingress.AddEventHandler(ingEventHandler)
+	store.informers.IngressClass.AddEventHandler(ingressClassEventHandler)
 	store.informers.Endpoint.AddEventHandler(epEventHandler)
 	store.informers.Secret.AddEventHandler(secrEventHandler)
 	store.informers.ConfigMap.AddEventHandler(cmEventHandler)
@@ -626,17 +695,17 @@ func New(
 
 // hasCatchAllIngressRule returns whether or not an ingress produces a
 // catch-all server, and so should be ignored when --disable-catch-all is set
-func hasCatchAllIngressRule(spec networkingv1beta1.IngressSpec) bool {
-	return spec.Backend != nil
+func hasCatchAllIngressRule(spec networkingv1.IngressSpec) bool {
+	return spec.DefaultBackend != nil
 }
 
 // syncIngress parses ingress annotations converting the value of the
 // annotation to a go struct
-func (s *k8sStore) syncIngress(ing *networkingv1beta1.Ingress) {
+func (s *k8sStore) syncIngress(ing *networkingv1.Ingress) {
 	key := k8s.MetaNamespaceKey(ing)
 	klog.V(3).Infof("updating annotations information for ingress %v", key)
 
-	copyIng := &networkingv1beta1.Ingress{}
+	copyIng := &networkingv1.Ingress{}
 	ing.ObjectMeta.DeepCopyInto(&copyIng.ObjectMeta)
 	ing.Spec.DeepCopyInto(&copyIng.Spec)
 	ing.Status.DeepCopyInto(&copyIng.Status)
@@ -666,7 +735,7 @@ func (s *k8sStore) syncIngress(ing *networkingv1beta1.Ingress) {
 
 // updateSecretIngressMap takes an Ingress and updates all Secret objects it
 // references in secretIngressMap.
-func (s *k8sStore) updateSecretIngressMap(ing *networkingv1beta1.Ingress) {
+func (s *k8sStore) updateSecretIngressMap(ing *networkingv1.Ingress) {
 	key := k8s.MetaNamespaceKey(ing)
 	klog.V(3).Infof("updating references to secrets for ingress %v", key)
 
@@ -710,7 +779,7 @@ func (s *k8sStore) updateSecretIngressMap(ing *networkingv1beta1.Ingress) {
 
 // objectRefAnnotationNsKey returns an object reference formatted as a
 // 'namespace/name' key from the given annotation name.
-func objectRefAnnotationNsKey(ann string, ing *networkingv1beta1.Ingress) (string, error) {
+func objectRefAnnotationNsKey(ann string, ing *networkingv1.Ingress) (string, error) {
 	annValue, err := parser.GetStringAnnotation(ann, ing)
 	if err != nil {
 		return "", err
@@ -729,7 +798,7 @@ func objectRefAnnotationNsKey(ann string, ing *networkingv1beta1.Ingress) (strin
 
 // syncSecrets synchronizes data from all Secrets referenced by the given
 // Ingress with the local store and file system.
-func (s *k8sStore) syncSecrets(ing *networkingv1beta1.Ingress) {
+func (s *k8sStore) syncSecrets(ing *networkingv1.Ingress) {
 	key := k8s.MetaNamespaceKey(ing)
 	for _, secrKey := range s.secretIngressMap.ReferencedBy(key) {
 		s.syncSecret(secrKey)
@@ -758,8 +827,34 @@ func (s *k8sStore) GetService(key string) (*corev1.Service, error) {
 	return s.listers.Service.ByKey(key)
 }
 
+func (s *k8sStore) GetIngressClass(ing *networkingv1.Ingress, icConfig *ingressclass.IngressClassConfiguration) (string, error) {
+	// First we try ingressClassName
+	if ing.Spec.IngressClassName != nil {
+		iclass, err := s.listers.IngressClass.ByKey(*ing.Spec.IngressClassName)
+		if err != nil {
+			return "", err
+		}
+		return iclass.Name, nil
+	}
+
+	// Then we try annotation
+	if ingressclass, ok := ing.GetAnnotations()[ingressclass.IngressKey]; ok {
+		if ingressclass != icConfig.AnnotationValue {
+			return "", fmt.Errorf("ingress class annotation is not equal to the expected by Ingress Controller")
+		}
+		return ingressclass, nil
+	}
+
+	// Then we accept if the WithoutClass is enabled
+	if icConfig.WatchWithoutClass {
+		// Reserving "_" as a "wildcard" name
+		return "_", nil
+	}
+	return "", fmt.Errorf("ingress does not contain a valid IngressClass")
+}
+
 // getIngress returns the Ingress matching key.
-func (s *k8sStore) getIngress(key string) (*networkingv1beta1.Ingress, error) {
+func (s *k8sStore) getIngress(key string) (*networkingv1.Ingress, error) {
 	ing, err := s.listers.IngressWithAnnotation.ByKey(key)
 	if err != nil {
 		return nil, err
@@ -900,11 +995,11 @@ func (s *k8sStore) Run(stopCh chan struct{}) {
 var runtimeScheme = k8sruntime.NewScheme()
 
 func init() {
-	utilruntime.Must(networkingv1beta1.AddToScheme(runtimeScheme))
+	utilruntime.Must(networkingv1.AddToScheme(runtimeScheme))
 }
 
-func toIngress(obj interface{}) (*networkingv1beta1.Ingress, bool) {
-	if ing, ok := obj.(*networkingv1beta1.Ingress); ok {
+func toIngress(obj interface{}) (*networkingv1.Ingress, bool) {
+	if ing, ok := obj.(*networkingv1.Ingress); ok {
 		k8s.SetDefaultNGINXPathType(ing)
 		return ing, true
 	}
diff --git a/internal/ingress/controller/store/store_test.go b/internal/ingress/controller/store/store_test.go
index 963d36af6..35e5955b1 100644
--- a/internal/ingress/controller/store/store_test.go
+++ b/internal/ingress/controller/store/store_test.go
@@ -28,24 +28,61 @@ import (
 
 	"github.com/eapache/channels"
 	v1 "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/cache"
 	"sigs.k8s.io/controller-runtime/pkg/envtest"
 
 	"k8s.io/ingress-nginx/internal/ingress"
-	"k8s.io/ingress-nginx/internal/ingress/annotations/class"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
+	"k8s.io/ingress-nginx/internal/ingress/controller/ingressclass"
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )
 
+var pathPrefix networking.PathType = networking.PathTypePrefix
+
+var DefaultClassConfig = &ingressclass.IngressClassConfiguration{
+	Controller:        ingressclass.DefaultControllerName,
+	AnnotationValue:   ingressclass.DefaultAnnotationValue,
+	WatchWithoutClass: false,
+}
+
+var (
+	commonIngressSpec = networking.IngressSpec{
+		Rules: []networking.IngressRule{
+			{
+				Host: "dummy",
+				IngressRuleValue: networking.IngressRuleValue{
+					HTTP: &networking.HTTPIngressRuleValue{
+						Paths: []networking.HTTPIngressPath{
+							{
+								Path:     "/",
+								PathType: &pathPrefix,
+								Backend: networking.IngressBackend{
+									Service: &networking.IngressServiceBackend{
+										Name: "http-svc",
+										Port: networking.ServiceBackendPort{
+											Number: 80,
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+)
+
 func TestStore(t *testing.T) {
 	//TODO: move env definition to docker image?
 	os.Setenv("KUBEBUILDER_ASSETS", "/usr/local/bin")
 
+	pathPrefix = networking.PathTypePrefix
+
 	te := &envtest.Environment{}
 	cfg, err := te.Start()
 	if err != nil {
@@ -82,7 +119,8 @@ func TestStore(t *testing.T) {
 			10*time.Minute,
 			clientSet,
 			updateCh,
-			false)
+			false,
+			DefaultClassConfig)
 
 		storer.Run(stopCh)
 
@@ -108,13 +146,14 @@ func TestStore(t *testing.T) {
 			t.Errorf("expected an error but none returned")
 		}
 		if svc != nil {
-			t.Errorf("expected an Ingres but none returned")
+			t.Errorf("expected an Ingress but none returned")
 		}
 	})
 
-	t.Run("should return one event for add, update and delete of ingress", func(t *testing.T) {
+	t.Run("should return no event for add, update and delete of ingress as the existing ingressclass is not the expected", func(t *testing.T) {
 		ns := createNamespace(clientSet, t)
 		defer deleteNamespace(ns, clientSet, t)
+
 		createConfigMap(clientSet, ns, t)
 
 		stopCh := make(chan struct{})
@@ -159,35 +198,20 @@ func TestStore(t *testing.T) {
 			10*time.Minute,
 			clientSet,
 			updateCh,
-			false)
+			false,
+			DefaultClassConfig)
 
 		storer.Run(stopCh)
-
+		ic := createIngressClass(clientSet, t, "not-k8s.io/not-ingress-nginx")
+		defer deleteIngressClass(ic, clientSet, t)
+		validSpec := commonIngressSpec
+		validSpec.IngressClassName = &ic
 		ing := ensureIngress(&networking.Ingress{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      "dummy",
+				Name:      "dummy-no-class",
 				Namespace: ns,
 			},
-			Spec: networking.IngressSpec{
-				Rules: []networking.IngressRule{
-					{
-						Host: "dummy",
-						IngressRuleValue: networking.IngressRuleValue{
-							HTTP: &networking.HTTPIngressRuleValue{
-								Paths: []networking.HTTPIngressPath{
-									{
-										Path: "/",
-										Backend: networking.IngressBackend{
-											ServiceName: "http-svc",
-											ServicePort: intstr.FromInt(80),
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
+			Spec: validSpec,
 		}, clientSet, t)
 
 		err := framework.WaitForIngressInNamespace(clientSet, ns, ing.Name)
@@ -196,35 +220,113 @@ func TestStore(t *testing.T) {
 		}
 		time.Sleep(1 * time.Second)
 
-		// create an invalid ingress (different class)
+		ni := ing.DeepCopy()
+		ni.Spec.Rules[0].Host = "update-dummy"
+		_ = ensureIngress(ni, clientSet, t)
+		if err != nil {
+			t.Errorf("error creating ingress: %v", err)
+		}
+		// Secret takes a bit to update
+		time.Sleep(3 * time.Second)
+
+		err = clientSet.NetworkingV1().Ingresses(ni.Namespace).Delete(context.TODO(), ni.Name, metav1.DeleteOptions{})
+		if err != nil {
+			t.Errorf("error deleting ingress: %v", err)
+		}
+
+		err = framework.WaitForNoIngressInNamespace(clientSet, ni.Namespace, ni.Name)
+		if err != nil {
+			t.Errorf("error waiting for secret: %v", err)
+		}
+		time.Sleep(1 * time.Second)
+
+		if atomic.LoadUint64(&add) != 0 {
+			t.Errorf("expected 0 event of type Create but %v occurred", add)
+		}
+		if atomic.LoadUint64(&upd) != 0 {
+			t.Errorf("expected 0 event of type Update but %v occurred", upd)
+		}
+		if atomic.LoadUint64(&del) != 0 {
+			t.Errorf("expected 0 event of type Delete but %v occurred", del)
+		}
+	})
+
+	t.Run("should return one event for add, update and delete of ingress", func(t *testing.T) {
+		ns := createNamespace(clientSet, t)
+		defer deleteNamespace(ns, clientSet, t)
+		ic := createIngressClass(clientSet, t, ingressclass.DefaultControllerName)
+		defer deleteIngressClass(ic, clientSet, t)
+		createConfigMap(clientSet, ns, t)
+
+		stopCh := make(chan struct{})
+		updateCh := channels.NewRingChannel(1024)
+
+		var add uint64
+		var upd uint64
+		var del uint64
+
+		go func(ch *channels.RingChannel) {
+			for {
+				evt, ok := <-ch.Out()
+				if !ok {
+					return
+				}
+
+				e := evt.(Event)
+				if e.Obj == nil {
+					continue
+				}
+				if _, ok := e.Obj.(*networking.Ingress); !ok {
+					continue
+				}
+
+				switch e.Type {
+				case CreateEvent:
+					atomic.AddUint64(&add, 1)
+				case UpdateEvent:
+					atomic.AddUint64(&upd, 1)
+				case DeleteEvent:
+					atomic.AddUint64(&del, 1)
+				}
+			}
+		}(updateCh)
+
+		storer := New(
+			ns,
+			fmt.Sprintf("%v/config", ns),
+			fmt.Sprintf("%v/tcp", ns),
+			fmt.Sprintf("%v/udp", ns),
+			"",
+			10*time.Minute,
+			clientSet,
+			updateCh,
+			false,
+			DefaultClassConfig)
+
+		storer.Run(stopCh)
+		validSpec := commonIngressSpec
+		validSpec.IngressClassName = &ic
+		ing := ensureIngress(&networking.Ingress{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "dummy-class",
+				Namespace: ns,
+			},
+			Spec: validSpec,
+		}, clientSet, t)
+
+		err := framework.WaitForIngressInNamespace(clientSet, ns, ing.Name)
+		if err != nil {
+			t.Errorf("error waiting for secret: %v", err)
+		}
+		time.Sleep(1 * time.Second)
+
+		// create an invalid ingress (no ingress class and no watchWithoutClass config)
 		invalidIngress := ensureIngress(&networking.Ingress{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      "custom-class",
+				Name:      "no-class",
 				Namespace: ns,
-				Annotations: map[string]string{
-					class.IngressKey: "something",
-				},
-			},
-			Spec: networking.IngressSpec{
-				Rules: []networking.IngressRule{
-					{
-						Host: "dummy",
-						IngressRuleValue: networking.IngressRuleValue{
-							HTTP: &networking.HTTPIngressRuleValue{
-								Paths: []networking.HTTPIngressPath{
-									{
-										Path: "/",
-										Backend: networking.IngressBackend{
-											ServiceName: "http-svc",
-											ServicePort: intstr.FromInt(80),
-										},
-									},
-								},
-							},
-						},
-					},
-				},
 			},
+			Spec: commonIngressSpec,
 		}, clientSet, t)
 		defer deleteIngress(invalidIngress, clientSet, t)
 
@@ -237,9 +339,9 @@ func TestStore(t *testing.T) {
 		// Secret takes a bit to update
 		time.Sleep(3 * time.Second)
 
-		err = clientSet.NetworkingV1beta1().Ingresses(ni.Namespace).Delete(context.TODO(), ni.Name, metav1.DeleteOptions{})
+		err = clientSet.NetworkingV1().Ingresses(ni.Namespace).Delete(context.TODO(), ni.Name, metav1.DeleteOptions{})
 		if err != nil {
-			t.Errorf("error creating ingress: %v", err)
+			t.Errorf("error deleting ingress: %v", err)
 		}
 
 		err = framework.WaitForNoIngressInNamespace(clientSet, ni.Namespace, ni.Name)
@@ -259,7 +361,7 @@ func TestStore(t *testing.T) {
 		}
 	})
 
-	t.Run("should not receive updates for ingress with invalid class", func(t *testing.T) {
+	t.Run("should return two events for add and delete and one for update of ingress and watch-without-class", func(t *testing.T) {
 		ns := createNamespace(clientSet, t)
 		defer deleteNamespace(ns, clientSet, t)
 		createConfigMap(clientSet, ns, t)
@@ -297,6 +399,224 @@ func TestStore(t *testing.T) {
 			}
 		}(updateCh)
 
+		ingressClassconfig := &ingressclass.IngressClassConfiguration{
+			Controller:        ingressclass.DefaultControllerName,
+			AnnotationValue:   ingressclass.DefaultAnnotationValue,
+			WatchWithoutClass: true,
+		}
+
+		storer := New(
+			ns,
+			fmt.Sprintf("%v/config", ns),
+			fmt.Sprintf("%v/tcp", ns),
+			fmt.Sprintf("%v/udp", ns),
+			"",
+			10*time.Minute,
+			clientSet,
+			updateCh,
+			false,
+			ingressClassconfig)
+
+		storer.Run(stopCh)
+
+		validIngress1 := ensureIngress(&networking.Ingress{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "ing1",
+				Namespace: ns,
+			},
+			Spec: commonIngressSpec,
+		}, clientSet, t)
+		err := framework.WaitForIngressInNamespace(clientSet, ns, validIngress1.Name)
+		if err != nil {
+			t.Errorf("error waiting for ingress: %v", err)
+		}
+
+		otherIngress := commonIngressSpec
+		otherIngress.Rules[0].Host = "other-ingress"
+		validIngress2 := ensureIngress(&networking.Ingress{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "ing2",
+				Namespace: ns,
+			},
+			Spec: otherIngress,
+		}, clientSet, t)
+		err = framework.WaitForIngressInNamespace(clientSet, ns, validIngress2.Name)
+		if err != nil {
+			t.Errorf("error waiting for ingress: %v", err)
+		}
+
+		time.Sleep(1 * time.Second)
+
+		validIngressUpdated := validIngress1.DeepCopy()
+		validIngressUpdated.Spec.Rules[0].Host = "update-dummy"
+		_ = ensureIngress(validIngressUpdated, clientSet, t)
+		if err != nil {
+			t.Errorf("error updating ingress: %v", err)
+		}
+		// Secret takes a bit to update
+		time.Sleep(3 * time.Second)
+
+		err = clientSet.NetworkingV1().Ingresses(validIngressUpdated.Namespace).Delete(context.TODO(), validIngressUpdated.Name, metav1.DeleteOptions{})
+		if err != nil {
+			t.Errorf("error deleting ingress: %v", err)
+		}
+		err = clientSet.NetworkingV1().Ingresses(validIngress2.Namespace).Delete(context.TODO(), validIngress2.Name, metav1.DeleteOptions{})
+		if err != nil {
+			t.Errorf("error deleting ingress: %v", err)
+		}
+
+		err = framework.WaitForNoIngressInNamespace(clientSet, validIngressUpdated.Namespace, validIngressUpdated.Name)
+		if err != nil {
+			t.Errorf("error waiting for ingress deletion: %v", err)
+		}
+		err = framework.WaitForNoIngressInNamespace(clientSet, validIngress2.Namespace, validIngress2.Name)
+		if err != nil {
+			t.Errorf("error waiting for ingress deletion: %v", err)
+		}
+		time.Sleep(1 * time.Second)
+
+		if atomic.LoadUint64(&add) != 2 {
+			t.Errorf("expected 0 event of type Create but %v occurred", add)
+		}
+		if atomic.LoadUint64(&upd) != 1 {
+			t.Errorf("expected 0 event of type Update but %v occurred", upd)
+		}
+		if atomic.LoadUint64(&del) != 2 {
+			t.Errorf("expected 0 event of type Delete but %v occurred", del)
+		}
+	})
+
+	t.Run("should not receive updates for ingress with invalid class annotation", func(t *testing.T) {
+		ns := createNamespace(clientSet, t)
+		defer deleteNamespace(ns, clientSet, t)
+		createConfigMap(clientSet, ns, t)
+
+		stopCh := make(chan struct{})
+		updateCh := channels.NewRingChannel(1024)
+
+		var add uint64
+		var upd uint64
+		var del uint64
+
+		// TODO: This repeats a lot, transform in a local function
+		go func(ch *channels.RingChannel) {
+			for {
+				evt, ok := <-ch.Out()
+				if !ok {
+					return
+				}
+
+				e := evt.(Event)
+				if e.Obj == nil {
+					continue
+				}
+				if _, ok := e.Obj.(*networking.Ingress); !ok {
+					continue
+				}
+
+				switch e.Type {
+				case CreateEvent:
+					atomic.AddUint64(&add, 1)
+				case UpdateEvent:
+					atomic.AddUint64(&upd, 1)
+				case DeleteEvent:
+					atomic.AddUint64(&del, 1)
+				}
+			}
+		}(updateCh)
+
+		storer := New(
+			ns,
+			fmt.Sprintf("%v/config", ns),
+			fmt.Sprintf("%v/tcp", ns),
+			fmt.Sprintf("%v/udp", ns),
+			"",
+			10*time.Minute,
+			clientSet,
+			updateCh,
+			false,
+			DefaultClassConfig)
+
+		storer.Run(stopCh)
+
+		// create an invalid ingress (different class)
+		invalidIngress := ensureIngress(&networking.Ingress{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "custom-class",
+				Namespace: ns,
+				Annotations: map[string]string{
+					ingressclass.IngressKey: "something",
+				},
+			},
+			Spec: commonIngressSpec,
+		}, clientSet, t)
+		err := framework.WaitForIngressInNamespace(clientSet, ns, invalidIngress.Name)
+		if err != nil {
+			t.Errorf("error waiting for ingress: %v", err)
+		}
+		time.Sleep(1 * time.Second)
+
+		invalidIngressUpdated := invalidIngress.DeepCopy()
+		invalidIngressUpdated.Spec.Rules[0].Host = "update-dummy"
+		_ = ensureIngress(invalidIngressUpdated, clientSet, t)
+		if err != nil {
+			t.Errorf("error creating ingress: %v", err)
+		}
+		// Secret takes a bit to update
+		time.Sleep(3 * time.Second)
+
+		if atomic.LoadUint64(&add) != 0 {
+			t.Errorf("expected 0 event of type Create but %v occurred", add)
+		}
+		if atomic.LoadUint64(&upd) != 0 {
+			t.Errorf("expected 0 event of type Update but %v occurred", upd)
+		}
+		if atomic.LoadUint64(&del) != 0 {
+			t.Errorf("expected 0 event of type Delete but %v occurred", del)
+		}
+	})
+
+	t.Run("should not receive updates for ingress with invalid class specification", func(t *testing.T) {
+		ns := createNamespace(clientSet, t)
+		defer deleteNamespace(ns, clientSet, t)
+		ic := createIngressClass(clientSet, t, ingressclass.DefaultControllerName)
+		defer deleteIngressClass(ic, clientSet, t)
+
+		createConfigMap(clientSet, ns, t)
+
+		stopCh := make(chan struct{})
+		updateCh := channels.NewRingChannel(1024)
+
+		var add uint64
+		var upd uint64
+		var del uint64
+
+		go func(ch *channels.RingChannel) {
+			for {
+				evt, ok := <-ch.Out()
+				if !ok {
+					return
+				}
+
+				e := evt.(Event)
+				if e.Obj == nil {
+					continue
+				}
+				if _, ok := e.Obj.(*networking.Ingress); !ok {
+					continue
+				}
+
+				switch e.Type {
+				case CreateEvent:
+					atomic.AddUint64(&add, 1)
+				case UpdateEvent:
+					atomic.AddUint64(&upd, 1)
+				case DeleteEvent:
+					atomic.AddUint64(&del, 1)
+				}
+			}
+		}(updateCh)
+
 		storer := New(
 			ns,
 			fmt.Sprintf("%v/config", ns),
@@ -306,39 +626,20 @@ func TestStore(t *testing.T) {
 			10*time.Minute,
 			clientSet,
 			updateCh,
-			false)
+			false,
+			DefaultClassConfig)
 
 		storer.Run(stopCh)
-
+		invalidSpec := commonIngressSpec
+		invalidClassName := "blo123"
+		invalidSpec.IngressClassName = &invalidClassName
 		// create an invalid ingress (different class)
 		invalidIngress := ensureIngress(&networking.Ingress{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "custom-class",
 				Namespace: ns,
-				Annotations: map[string]string{
-					class.IngressKey: "something",
-				},
-			},
-			Spec: networking.IngressSpec{
-				Rules: []networking.IngressRule{
-					{
-						Host: "dummy",
-						IngressRuleValue: networking.IngressRuleValue{
-							HTTP: &networking.HTTPIngressRuleValue{
-								Paths: []networking.HTTPIngressPath{
-									{
-										Path: "/",
-										Backend: networking.IngressBackend{
-											ServiceName: "http-svc",
-											ServicePort: intstr.FromInt(80),
-										},
-									},
-								},
-							},
-						},
-					},
-				},
 			},
+			Spec: invalidSpec,
 		}, clientSet, t)
 		err := framework.WaitForIngressInNamespace(clientSet, ns, invalidIngress.Name)
 		if err != nil {
@@ -409,7 +710,8 @@ func TestStore(t *testing.T) {
 			10*time.Minute,
 			clientSet,
 			updateCh,
-			false)
+			false,
+			DefaultClassConfig)
 
 		storer.Run(stopCh)
 
@@ -455,6 +757,8 @@ func TestStore(t *testing.T) {
 	t.Run("should receive events from secret referenced from ingress", func(t *testing.T) {
 		ns := createNamespace(clientSet, t)
 		defer deleteNamespace(ns, clientSet, t)
+		ic := createIngressClass(clientSet, t, ingressclass.DefaultControllerName)
+		defer deleteIngressClass(ic, clientSet, t)
 		createConfigMap(clientSet, ns, t)
 
 		stopCh := make(chan struct{})
@@ -475,6 +779,11 @@ func TestStore(t *testing.T) {
 				if e.Obj == nil {
 					continue
 				}
+
+				// We should skip IngressClass events
+				if _, ok := e.Obj.(*networking.IngressClass); ok {
+					continue
+				}
 				switch e.Type {
 				case CreateEvent:
 					atomic.AddUint64(&add, 1)
@@ -495,7 +804,8 @@ func TestStore(t *testing.T) {
 			10*time.Minute,
 			clientSet,
 			updateCh,
-			false)
+			false,
+			DefaultClassConfig)
 
 		storer.Run(stopCh)
 
@@ -508,14 +818,19 @@ func TestStore(t *testing.T) {
 				Namespace: ns,
 			},
 			Spec: networking.IngressSpec{
+				IngressClassName: &ic,
 				TLS: []networking.IngressTLS{
 					{
 						SecretName: secretName,
 					},
 				},
-				Backend: &networking.IngressBackend{
-					ServiceName: "http-svc",
-					ServicePort: intstr.FromInt(80),
+				DefaultBackend: &networking.IngressBackend{
+					Service: &networking.IngressServiceBackend{
+						Name: "http-svc",
+						Port: networking.ServiceBackendPort{
+							Number: 80,
+						},
+					},
 				},
 			},
 		}, clientSet, t)
@@ -563,6 +878,8 @@ func TestStore(t *testing.T) {
 	t.Run("should create an ingress with a secret which does not exist", func(t *testing.T) {
 		ns := createNamespace(clientSet, t)
 		defer deleteNamespace(ns, clientSet, t)
+		ic := createIngressClass(clientSet, t, ingressclass.DefaultControllerName)
+		defer deleteIngressClass(ic, clientSet, t)
 		createConfigMap(clientSet, ns, t)
 
 		stopCh := make(chan struct{})
@@ -583,6 +900,12 @@ func TestStore(t *testing.T) {
 				if e.Obj == nil {
 					continue
 				}
+
+				// We should skip IngressClass objects here
+				if _, ok := e.Obj.(*networking.IngressClass); ok {
+					continue
+				}
+
 				switch e.Type {
 				case CreateEvent:
 					atomic.AddUint64(&add, 1)
@@ -603,7 +926,8 @@ func TestStore(t *testing.T) {
 			10*time.Minute,
 			clientSet,
 			updateCh,
-			false)
+			false,
+			DefaultClassConfig)
 
 		storer.Run(stopCh)
 
@@ -616,6 +940,7 @@ func TestStore(t *testing.T) {
 				Namespace: ns,
 			},
 			Spec: networking.IngressSpec{
+				IngressClassName: &ic,
 				TLS: []networking.IngressTLS{
 					{
 						Hosts:      secretHosts,
@@ -629,10 +954,15 @@ func TestStore(t *testing.T) {
 							HTTP: &networking.HTTPIngressRuleValue{
 								Paths: []networking.HTTPIngressPath{
 									{
-										Path: "/",
+										Path:     "/",
+										PathType: &pathPrefix,
 										Backend: networking.IngressBackend{
-											ServiceName: "http-svc",
-											ServicePort: intstr.FromInt(80),
+											Service: &networking.IngressServiceBackend{
+												Name: "http-svc",
+												Port: networking.ServiceBackendPort{
+													Number: 80,
+												},
+											},
 										},
 									},
 								},
@@ -705,6 +1035,33 @@ func deleteNamespace(ns string, clientSet kubernetes.Interface, t *testing.T) {
 	}
 }
 
+func createIngressClass(clientSet kubernetes.Interface, t *testing.T, controller string) string {
+	t.Helper()
+	ingressclass := &networking.IngressClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: fmt.Sprintf("ingress-nginx-%v", time.Now().Unix()),
+			//Namespace: "xpto" // TODO: We don't support namespaced ingress-class yet
+		},
+		Spec: networking.IngressClassSpec{
+			Controller: controller,
+		},
+	}
+	ic, err := clientSet.NetworkingV1().IngressClasses().Create(context.TODO(), ingressclass, metav1.CreateOptions{})
+	if err != nil {
+		t.Errorf("error creating ingress class: %v", err)
+	}
+	return ic.Name
+}
+
+func deleteIngressClass(ic string, clientSet kubernetes.Interface, t *testing.T) {
+	t.Helper()
+
+	err := clientSet.NetworkingV1().IngressClasses().Delete(context.TODO(), ic, metav1.DeleteOptions{})
+	if err != nil {
+		t.Errorf("error deleting the ingress class: %v", err)
+	}
+}
+
 func createConfigMap(clientSet kubernetes.Interface, ns string, t *testing.T) string {
 	t.Helper()
 
@@ -724,13 +1081,13 @@ func createConfigMap(clientSet kubernetes.Interface, ns string, t *testing.T) st
 
 func ensureIngress(ingress *networking.Ingress, clientSet kubernetes.Interface, t *testing.T) *networking.Ingress {
 	t.Helper()
-	ing, err := clientSet.NetworkingV1beta1().Ingresses(ingress.Namespace).Update(context.TODO(), ingress, metav1.UpdateOptions{})
+	ing, err := clientSet.NetworkingV1().Ingresses(ingress.Namespace).Update(context.TODO(), ingress, metav1.UpdateOptions{})
 
 	if err != nil {
 		if k8sErrors.IsNotFound(err) {
 			t.Logf("Ingress %v not found, creating", ingress)
 
-			ing, err = clientSet.NetworkingV1beta1().Ingresses(ingress.Namespace).Create(context.TODO(), ingress, metav1.CreateOptions{})
+			ing, err = clientSet.NetworkingV1().Ingresses(ingress.Namespace).Create(context.TODO(), ingress, metav1.CreateOptions{})
 			if err != nil {
 				t.Fatalf("error creating ingress %+v: %v", ingress, err)
 			}
@@ -747,7 +1104,7 @@ func ensureIngress(ingress *networking.Ingress, clientSet kubernetes.Interface,
 
 func deleteIngress(ingress *networking.Ingress, clientSet kubernetes.Interface, t *testing.T) {
 	t.Helper()
-	err := clientSet.NetworkingV1beta1().Ingresses(ingress.Namespace).Delete(context.TODO(), ingress.Name, metav1.DeleteOptions{})
+	err := clientSet.NetworkingV1().Ingresses(ingress.Namespace).Delete(context.TODO(), ingress.Name, metav1.DeleteOptions{})
 
 	if err != nil {
 		t.Errorf("failed to delete ingress %+v: %v", ingress, err)
@@ -762,6 +1119,7 @@ func newStore(t *testing.T) *k8sStore {
 	return &k8sStore{
 		listers: &Lister{
 			// add more listers if needed
+			IngressClass:          IngressClassLister{cache.NewStore(cache.MetaNamespaceKeyFunc)},
 			Ingress:               IngressLister{cache.NewStore(cache.MetaNamespaceKeyFunc)},
 			IngressWithAnnotation: IngressWithAnnotationsLister{cache.NewStore(cache.DeletionHandlingMetaNamespaceKeyFunc)},
 		},
@@ -839,21 +1197,25 @@ func TestUpdateSecretIngressMap(t *testing.T) {
 
 func TestListIngresses(t *testing.T) {
 	s := newStore(t)
+	invalidIngressClass := "something"
+	validIngressClass := ingressclass.DefaultControllerName
 
 	ingressToIgnore := &ingress.Ingress{
 		Ingress: networking.Ingress{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      "test-2",
-				Namespace: "testns",
-				Annotations: map[string]string{
-					class.IngressKey: "something",
-				},
+				Name:              "test-2",
+				Namespace:         "testns",
 				CreationTimestamp: metav1.NewTime(time.Now()),
 			},
 			Spec: networking.IngressSpec{
-				Backend: &networking.IngressBackend{
-					ServiceName: "demo",
-					ServicePort: intstr.FromInt(80),
+				IngressClassName: &invalidIngressClass,
+				DefaultBackend: &networking.IngressBackend{
+					Service: &networking.IngressServiceBackend{
+						Name: "demo",
+						Port: networking.ServiceBackendPort{
+							Number: 80,
+						},
+					},
 				},
 			},
 		},
@@ -868,6 +1230,7 @@ func TestListIngresses(t *testing.T) {
 				CreationTimestamp: metav1.NewTime(time.Now()),
 			},
 			Spec: networking.IngressSpec{
+				IngressClassName: &validIngressClass,
 				Rules: []networking.IngressRule{
 					{
 						Host: "foo.bar",
@@ -876,8 +1239,12 @@ func TestListIngresses(t *testing.T) {
 								Paths: []networking.HTTPIngressPath{
 									{
 										Backend: networking.IngressBackend{
-											ServiceName: "demo",
-											ServicePort: intstr.FromInt(80),
+											Service: &networking.IngressServiceBackend{
+												Name: "demo",
+												Port: networking.ServiceBackendPort{
+													Number: 80,
+												},
+											},
 										},
 									},
 								},
@@ -890,13 +1257,13 @@ func TestListIngresses(t *testing.T) {
 	}
 	s.listers.IngressWithAnnotation.Add(ingressWithoutPath)
 
-	ingressWithNginxClass := &ingress.Ingress{
+	ingressWithNginxClassAnnotation := &ingress.Ingress{
 		Ingress: networking.Ingress{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "test-4",
 				Namespace: "testns",
 				Annotations: map[string]string{
-					class.IngressKey: "nginx",
+					ingressclass.IngressKey: ingressclass.DefaultAnnotationValue,
 				},
 				CreationTimestamp: metav1.NewTime(time.Now()),
 			},
@@ -908,10 +1275,15 @@ func TestListIngresses(t *testing.T) {
 							HTTP: &networking.HTTPIngressRuleValue{
 								Paths: []networking.HTTPIngressPath{
 									{
-										Path: "/demo",
+										Path:     "/demo",
+										PathType: &pathPrefix,
 										Backend: networking.IngressBackend{
-											ServiceName: "demo",
-											ServicePort: intstr.FromInt(80),
+											Service: &networking.IngressServiceBackend{
+												Name: "demo",
+												Port: networking.ServiceBackendPort{
+													Number: 80,
+												},
+											},
 										},
 									},
 								},
@@ -922,7 +1294,7 @@ func TestListIngresses(t *testing.T) {
 			},
 		},
 	}
-	s.listers.IngressWithAnnotation.Add(ingressWithNginxClass)
+	s.listers.IngressWithAnnotation.Add(ingressWithNginxClassAnnotation)
 
 	ingresses := s.ListIngresses()
 
diff --git a/internal/ingress/controller/tcp.go b/internal/ingress/controller/tcp.go
index a97c46a7e..eedecc71a 100644
--- a/internal/ingress/controller/tcp.go
+++ b/internal/ingress/controller/tcp.go
@@ -82,6 +82,7 @@ func (p *TCPProxy) Handle(conn net.Conn) {
 	hostPort := net.JoinHostPort(proxy.IP, fmt.Sprintf("%v", proxy.Port))
 	clientConn, err := net.Dial("tcp", hostPort)
 	if err != nil {
+		klog.V(4).ErrorS(err, "error dialing proxy", "ip", proxy.IP, "port", proxy.Port, "hostname", proxy.Hostname)
 		return
 	}
 	defer clientConn.Close()
diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go
index 3ba46681e..3f7e4af50 100644
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@@ -31,13 +31,14 @@ import (
 	"reflect"
 	"regexp"
 	"sort"
+	"strconv"
 	"strings"
 	text_template "text/template"
 	"time"
 
 	"github.com/pkg/errors"
 
-	networkingv1beta1 "k8s.io/api/networking/v1beta1"
+	networkingv1 "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/klog/v2"
 
@@ -519,7 +520,7 @@ func buildLocation(input interface{}, enforceRegex bool) string {
 		return fmt.Sprintf(`~* "^%s"`, path)
 	}
 
-	if location.PathType != nil && *location.PathType == networkingv1beta1.PathTypeExact {
+	if location.PathType != nil && *location.PathType == networkingv1.PathTypeExact {
 		return fmt.Sprintf(`= %s`, path)
 	}
 
@@ -985,10 +986,12 @@ func getIngressInformation(i, h, p interface{}) *ingressInformation {
 		info.Path = "/"
 	}
 
-	if ing.Spec.Backend != nil {
-		info.Service = ing.Spec.Backend.ServiceName
-		if ing.Spec.Backend.ServicePort.String() != "0" {
-			info.ServicePort = ing.Spec.Backend.ServicePort.String()
+	if ing.Spec.DefaultBackend != nil && ing.Spec.DefaultBackend.Service != nil {
+		info.Service = ing.Spec.DefaultBackend.Service.Name
+		if ing.Spec.DefaultBackend.Service.Port.Number > 0 {
+			info.ServicePort = strconv.Itoa(int(ing.Spec.DefaultBackend.Service.Port.Number))
+		} else {
+			info.ServicePort = ing.Spec.DefaultBackend.Service.Port.Name
 		}
 	}
 
@@ -1015,14 +1018,16 @@ func getIngressInformation(i, h, p interface{}) *ingressInformation {
 				continue
 			}
 
-			if info.Service != "" && rPath.Backend.ServiceName == "" {
+			if info.Service != "" && rPath.Backend.Service.Name == "" {
 				// empty rule. Only contains a Path and PathType
 				return info
 			}
 
-			info.Service = rPath.Backend.ServiceName
-			if rPath.Backend.ServicePort.String() != "0" {
-				info.ServicePort = rPath.Backend.ServicePort.String()
+			info.Service = rPath.Backend.Service.Name
+			if rPath.Backend.Service.Port.Number > 0 {
+				info.ServicePort = strconv.Itoa(int(rPath.Backend.Service.Port.Number))
+			} else {
+				info.ServicePort = rPath.Backend.Service.Port.Name
 			}
 
 			return info
diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go
index cb2d20b9a..4a64a0962 100644
--- a/internal/ingress/controller/template/template_test.go
+++ b/internal/ingress/controller/template/template_test.go
@@ -31,9 +31,8 @@ import (
 	jsoniter "github.com/json-iterator/go"
 	"github.com/pmezard/go-difflib/difflib"
 	apiv1 "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"k8s.io/ingress-nginx/internal/ingress"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/authreq"
@@ -56,6 +55,8 @@ func init() {
 }
 
 var (
+	pathPrefix networking.PathType = networking.PathTypePrefix
+
 	// TODO: add tests for SSLPassthrough
 	tmplFuncTestcases = map[string]struct {
 		Path              string
@@ -226,11 +227,11 @@ func TestBuildLuaSharedDictionaries(t *testing.T) {
 	servers := []*ingress.Server{
 		{
 			Hostname:  "foo.bar",
-			Locations: []*ingress.Location{{Path: "/"}},
+			Locations: []*ingress.Location{{Path: "/", PathType: &pathPrefix}},
 		},
 		{
 			Hostname:  "another.host",
-			Locations: []*ingress.Location{{Path: "/"}},
+			Locations: []*ingress.Location{{Path: "/", PathType: &pathPrefix}},
 		},
 	}
 	// returns value from config
@@ -312,8 +313,9 @@ func TestBuildLocation(t *testing.T) {
 
 	for k, tc := range tmplFuncTestcases {
 		loc := &ingress.Location{
-			Path:    tc.Path,
-			Rewrite: rewrite.Config{Target: tc.Target},
+			Path:     tc.Path,
+			PathType: &pathPrefix,
+			Rewrite:  rewrite.Config{Target: tc.Target},
 		}
 
 		newLoc := buildLocation(loc, tc.enforceRegex)
@@ -330,6 +332,7 @@ func TestBuildProxyPass(t *testing.T) {
 	for k, tc := range tmplFuncTestcases {
 		loc := &ingress.Location{
 			Path:             tc.Path,
+			PathType:         &pathPrefix,
 			Rewrite:          rewrite.Config{Target: tc.Target},
 			Backend:          defaultBackend,
 			XForwardedPrefix: tc.XForwardedPrefix,
@@ -899,6 +902,7 @@ func TestBuildUpstreamName(t *testing.T) {
 	for k, tc := range tmplFuncTestcases {
 		loc := &ingress.Location{
 			Path:             tc.Path,
+			PathType:         &pathPrefix,
 			Rewrite:          rewrite.Config{Target: tc.Target},
 			Backend:          defaultBackend,
 			XForwardedPrefix: tc.XForwardedPrefix,
@@ -998,6 +1002,76 @@ func TestGetIngressInformation(t *testing.T) {
 			10,
 			&ingressInformation{},
 		},
+		"valid ingress definition with name validIng in namespace default  using a service with name a-svc port number 8080": {
+			&ingress.Ingress{
+				Ingress: networking.Ingress{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "validIng",
+						Namespace: apiv1.NamespaceDefault,
+						Annotations: map[string]string{
+							"ingress.annotation": "ok",
+						},
+					},
+					Spec: networking.IngressSpec{
+						DefaultBackend: &networking.IngressBackend{
+							Service: &networking.IngressServiceBackend{
+								Name: "a-svc",
+								Port: networking.ServiceBackendPort{
+									Number: 8080,
+								},
+							},
+						},
+					},
+				},
+			},
+			"host1",
+			"",
+			&ingressInformation{
+				Namespace: "default",
+				Rule:      "validIng",
+				Path:      "/",
+				Annotations: map[string]string{
+					"ingress.annotation": "ok",
+				},
+				Service:     "a-svc",
+				ServicePort: "8080",
+			},
+		},
+		"valid ingress definition with name validIng in namespace default  using a service with name a-svc port name b-svc": {
+			&ingress.Ingress{
+				Ingress: networking.Ingress{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "validIng",
+						Namespace: apiv1.NamespaceDefault,
+						Annotations: map[string]string{
+							"ingress.annotation": "ok",
+						},
+					},
+					Spec: networking.IngressSpec{
+						DefaultBackend: &networking.IngressBackend{
+							Service: &networking.IngressServiceBackend{
+								Name: "a-svc",
+								Port: networking.ServiceBackendPort{
+									Name: "b-svc",
+								},
+							},
+						},
+					},
+				},
+			},
+			"host1",
+			"",
+			&ingressInformation{
+				Namespace: "default",
+				Rule:      "validIng",
+				Path:      "/",
+				Annotations: map[string]string{
+					"ingress.annotation": "ok",
+				},
+				Service:     "a-svc",
+				ServicePort: "b-svc",
+			},
+		},
 		"valid ingress definition with name validIng in namespace default": {
 			&ingress.Ingress{
 				Ingress: networking.Ingress{
@@ -1009,8 +1083,10 @@ func TestGetIngressInformation(t *testing.T) {
 						},
 					},
 					Spec: networking.IngressSpec{
-						Backend: &networking.IngressBackend{
-							ServiceName: "a-svc",
+						DefaultBackend: &networking.IngressBackend{
+							Service: &networking.IngressServiceBackend{
+								Name: "a-svc",
+							},
 						},
 					},
 				},
@@ -1020,6 +1096,7 @@ func TestGetIngressInformation(t *testing.T) {
 			&ingressInformation{
 				Namespace: "default",
 				Rule:      "validIng",
+				Path:      "/",
 				Annotations: map[string]string{
 					"ingress.annotation": "ok",
 				},
@@ -1044,10 +1121,15 @@ func TestGetIngressInformation(t *testing.T) {
 									HTTP: &networking.HTTPIngressRuleValue{
 										Paths: []networking.HTTPIngressPath{
 											{
-												Path: "/ok",
+												Path:     "/ok",
+												PathType: &pathPrefix,
 												Backend: networking.IngressBackend{
-													ServiceName: "b-svc",
-													ServicePort: intstr.FromInt(80),
+													Service: &networking.IngressServiceBackend{
+														Name: "b-svc",
+														Port: networking.ServiceBackendPort{
+															Number: 80,
+														},
+													},
 												},
 											},
 										},
@@ -1071,6 +1153,56 @@ func TestGetIngressInformation(t *testing.T) {
 				ServicePort: "80",
 			},
 		},
+		"valid ingress definition with name demo in namespace something and path /ok using a service with name b-svc port name b-svc-80": {
+			&ingress.Ingress{
+				Ingress: networking.Ingress{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "demo",
+						Namespace: "something",
+						Annotations: map[string]string{
+							"ingress.annotation": "ok",
+						},
+					},
+					Spec: networking.IngressSpec{
+						Rules: []networking.IngressRule{
+							{
+								Host: "foo.bar",
+								IngressRuleValue: networking.IngressRuleValue{
+									HTTP: &networking.HTTPIngressRuleValue{
+										Paths: []networking.HTTPIngressPath{
+											{
+												Path:     "/ok",
+												PathType: &pathPrefix,
+												Backend: networking.IngressBackend{
+													Service: &networking.IngressServiceBackend{
+														Name: "b-svc",
+														Port: networking.ServiceBackendPort{
+															Name: "b-svc-80",
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+							{},
+						},
+					},
+				},
+			},
+			"foo.bar",
+			"/ok",
+			&ingressInformation{
+				Namespace: "something",
+				Rule:      "demo",
+				Annotations: map[string]string{
+					"ingress.annotation": "ok",
+				},
+				Service:     "b-svc",
+				ServicePort: "b-svc-80",
+			},
+		},
 	}
 
 	for title, testCase := range testcases {
@@ -1338,7 +1470,8 @@ func TestEnforceRegexModifier(t *testing.T) {
 				Target:   "/alright",
 				UseRegex: true,
 			},
-			Path: "/ok",
+			Path:     "/ok",
+			PathType: &pathPrefix,
 		},
 	}
 	expected = true
diff --git a/internal/ingress/controller/util.go b/internal/ingress/controller/util.go
index b84f2c2e4..91e0c3acf 100644
--- a/internal/ingress/controller/util.go
+++ b/internal/ingress/controller/util.go
@@ -26,6 +26,7 @@ import (
 	"syscall"
 
 	api "k8s.io/api/core/v1"
+	networking "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/ingress-nginx/internal/ingress"
 	"k8s.io/klog/v2"
@@ -46,8 +47,30 @@ func newUpstream(name string) *ingress.Backend {
 }
 
 // upstreamName returns a formatted upstream name based on namespace, service, and port
-func upstreamName(namespace string, service string, port intstr.IntOrString) string {
-	return fmt.Sprintf("%v-%v-%v", namespace, service, port.String())
+func upstreamName(namespace string, service *networking.IngressServiceBackend) string {
+	if service != nil {
+		if service.Port.Number > 0 {
+			return fmt.Sprintf("%s-%s-%d", namespace, service.Name, service.Port.Number)
+		}
+		if service.Port.Name != "" {
+			return fmt.Sprintf("%s-%s-%s", namespace, service.Name, service.Port.Name)
+		}
+	}
+	return fmt.Sprintf("%s-INVALID", namespace)
+}
+
+// upstreamServiceNameAndPort verifies if service is not nil, and then return the
+// correct serviceName and Port
+func upstreamServiceNameAndPort(service *networking.IngressServiceBackend) (string, intstr.IntOrString) {
+	if service != nil {
+		if service.Port.Number > 0 {
+			return service.Name, intstr.FromInt(int(service.Port.Number))
+		}
+		if service.Port.Name != "" {
+			return service.Name, intstr.FromString(service.Port.Name)
+		}
+	}
+	return "", intstr.IntOrString{}
 }
 
 // sysctlSomaxconn returns the maximum number of connections that can be queued
diff --git a/internal/ingress/metric/main.go b/internal/ingress/metric/main.go
index d85e1c979..64810dd36 100644
--- a/internal/ingress/metric/main.go
+++ b/internal/ingress/metric/main.go
@@ -26,7 +26,6 @@ import (
 
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/ingress-nginx/internal/ingress"
-	"k8s.io/ingress-nginx/internal/ingress/annotations/class"
 	"k8s.io/ingress-nginx/internal/ingress/metric/collectors"
 )
 
@@ -66,7 +65,7 @@ type collector struct {
 }
 
 // NewCollector creates a new metric collector the for ingress controller
-func NewCollector(metricsPerHost bool, registry *prometheus.Registry) (Collector, error) {
+func NewCollector(metricsPerHost bool, registry *prometheus.Registry, ingressclass string) (Collector, error) {
 	podNamespace := os.Getenv("POD_NAMESPACE")
 	if podNamespace == "" {
 		podNamespace = "default"
@@ -74,22 +73,22 @@ func NewCollector(metricsPerHost bool, registry *prometheus.Registry) (Collector
 
 	podName := os.Getenv("POD_NAME")
 
-	nc, err := collectors.NewNGINXStatus(podName, podNamespace, class.IngressClass)
+	nc, err := collectors.NewNGINXStatus(podName, podNamespace, ingressclass)
 	if err != nil {
 		return nil, err
 	}
 
-	pc, err := collectors.NewNGINXProcess(podName, podNamespace, class.IngressClass)
+	pc, err := collectors.NewNGINXProcess(podName, podNamespace, ingressclass)
 	if err != nil {
 		return nil, err
 	}
 
-	s, err := collectors.NewSocketCollector(podName, podNamespace, class.IngressClass, metricsPerHost)
+	s, err := collectors.NewSocketCollector(podName, podNamespace, ingressclass, metricsPerHost)
 	if err != nil {
 		return nil, err
 	}
 
-	ic := collectors.NewController(podName, podNamespace, class.IngressClass)
+	ic := collectors.NewController(podName, podNamespace, ingressclass)
 
 	return Collector(&collector{
 		nginxStatus:  nc,
diff --git a/internal/ingress/status/status.go b/internal/ingress/status/status.go
index 506ae398c..cabc6b3a2 100644
--- a/internal/ingress/status/status.go
+++ b/internal/ingress/status/status.go
@@ -275,7 +275,7 @@ func runUpdate(ing *ingress.Ingress, status []apiv1.LoadBalancerIngress,
 			return nil, nil
 		}
 
-		ingClient := client.NetworkingV1beta1().Ingresses(ing.Namespace)
+		ingClient := client.NetworkingV1().Ingresses(ing.Namespace)
 		currIng, err := ingClient.Get(context.TODO(), ing.Name, metav1.GetOptions{})
 		if err != nil {
 			return nil, errors.Wrap(err, fmt.Sprintf("unexpected error searching Ingress %v/%v", ing.Namespace, ing.Name))
diff --git a/internal/ingress/status/status_test.go b/internal/ingress/status/status_test.go
index 9ad0c29cf..79bb85891 100644
--- a/internal/ingress/status/status_test.go
+++ b/internal/ingress/status/status_test.go
@@ -24,12 +24,12 @@ import (
 	"time"
 
 	apiv1 "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	testclient "k8s.io/client-go/kubernetes/fake"
 
 	"k8s.io/ingress-nginx/internal/ingress"
-	"k8s.io/ingress-nginx/internal/ingress/annotations/class"
+	"k8s.io/ingress-nginx/internal/ingress/controller/ingressclass"
 	"k8s.io/ingress-nginx/internal/k8s"
 	"k8s.io/ingress-nginx/internal/task"
 )
@@ -214,7 +214,7 @@ func buildExtensionsIngresses() []networking.Ingress {
 				Name:      "foo_ingress_different_class",
 				Namespace: metav1.NamespaceDefault,
 				Annotations: map[string]string{
-					class.IngressKey: "no-nginx",
+					ingressclass.IngressKey: "no-nginx",
 				},
 			},
 			Status: networking.IngressStatus{
@@ -328,7 +328,7 @@ func TestStatusActions(t *testing.T) {
 	newIPs := []apiv1.LoadBalancerIngress{{
 		IP: "11.0.0.2",
 	}}
-	fooIngress1, err1 := fk.Client.NetworkingV1beta1().Ingresses(apiv1.NamespaceDefault).Get(context.TODO(), "foo_ingress_1", metav1.GetOptions{})
+	fooIngress1, err1 := fk.Client.NetworkingV1().Ingresses(apiv1.NamespaceDefault).Get(context.TODO(), "foo_ingress_1", metav1.GetOptions{})
 	if err1 != nil {
 		t.Fatalf("unexpected error")
 	}
@@ -343,7 +343,7 @@ func TestStatusActions(t *testing.T) {
 	fk.Shutdown()
 	// ingress should be empty
 	newIPs2 := []apiv1.LoadBalancerIngress{}
-	fooIngress2, err2 := fk.Client.NetworkingV1beta1().Ingresses(apiv1.NamespaceDefault).Get(context.TODO(), "foo_ingress_1", metav1.GetOptions{})
+	fooIngress2, err2 := fk.Client.NetworkingV1().Ingresses(apiv1.NamespaceDefault).Get(context.TODO(), "foo_ingress_1", metav1.GetOptions{})
 	if err2 != nil {
 		t.Fatalf("unexpected error")
 	}
@@ -352,7 +352,7 @@ func TestStatusActions(t *testing.T) {
 		t.Fatalf("returned %v but expected %v", fooIngress2CurIPs, newIPs2)
 	}
 
-	oic, err := fk.Client.NetworkingV1beta1().Ingresses(metav1.NamespaceDefault).Get(context.TODO(), "foo_ingress_different_class", metav1.GetOptions{})
+	oic, err := fk.Client.NetworkingV1().Ingresses(metav1.NamespaceDefault).Get(context.TODO(), "foo_ingress_different_class", metav1.GetOptions{})
 	if err != nil {
 		t.Fatalf("unexpected error")
 	}
diff --git a/internal/ingress/types.go b/internal/ingress/types.go
index 84d964b7a..a1cbdf685 100644
--- a/internal/ingress/types.go
+++ b/internal/ingress/types.go
@@ -18,7 +18,7 @@ package ingress
 
 import (
 	apiv1 "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations"
diff --git a/internal/k8s/main.go b/internal/k8s/main.go
index 364d7c8ec..1487e892a 100644
--- a/internal/k8s/main.go
+++ b/internal/k8s/main.go
@@ -25,7 +25,7 @@ import (
 	"k8s.io/klog/v2"
 
 	apiv1 "k8s.io/api/core/v1"
-	networkingv1beta1 "k8s.io/api/networking/v1beta1"
+	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/version"
 	clientset "k8s.io/client-go/kubernetes"
@@ -121,46 +121,37 @@ func MetaNamespaceKey(obj interface{}) string {
 	return key
 }
 
-// IsIngressV1Beta1Ready indicates if the running Kubernetes version is at least v1.18.0
-var IsIngressV1Beta1Ready bool
-
 // IsIngressV1Ready indicates if the running Kubernetes version is at least v1.19.0
 var IsIngressV1Ready bool
 
-// IngressClass indicates the class of the Ingress to use as filter
-var IngressClass *networkingv1beta1.IngressClass
-
 // IngressNGINXController defines the valid value of IngressClass
 // Controller field for ingress-nginx
 const IngressNGINXController = "k8s.io/ingress-nginx"
 
-// NetworkingIngressAvailable checks if the package "k8s.io/api/networking/v1beta1"
-// is available or not and if Ingress V1 is supported (k8s >= v1.18.0)
-func NetworkingIngressAvailable(client clientset.Interface) (bool, bool, bool) {
-	// check kubernetes version to use new ingress package or not
-	version114, _ := version.ParseGeneric("v1.14.0")
-	version118, _ := version.ParseGeneric("v1.18.0")
+// NetworkingIngressAvailable checks if the package "k8s.io/api/networking/v1"
+// is available or not and if Ingress V1 is supported (k8s >= v1.19.0)
+func NetworkingIngressAvailable(client clientset.Interface) bool {
 	version119, _ := version.ParseGeneric("v1.19.0")
 
 	serverVersion, err := client.Discovery().ServerVersion()
 	if err != nil {
-		return false, false, false
+		return false
 	}
 
 	runningVersion, err := version.ParseGeneric(serverVersion.String())
 	if err != nil {
 		klog.ErrorS(err, "unexpected error parsing running Kubernetes version")
-		return false, false, false
+		return false
 	}
 
-	return runningVersion.AtLeast(version114), runningVersion.AtLeast(version118), runningVersion.AtLeast(version119)
+	return runningVersion.AtLeast(version119)
 }
 
 // default path type is Prefix to not break existing definitions
-var defaultPathType = networkingv1beta1.PathTypePrefix
+var defaultPathType = networkingv1.PathTypePrefix
 
 // SetDefaultNGINXPathType sets a default PathType when is not defined.
-func SetDefaultNGINXPathType(ing *networkingv1beta1.Ingress) {
+func SetDefaultNGINXPathType(ing *networkingv1.Ingress) {
 	for _, rule := range ing.Spec.Rules {
 		if rule.IngressRuleValue.HTTP == nil {
 			continue
@@ -172,7 +163,7 @@ func SetDefaultNGINXPathType(ing *networkingv1beta1.Ingress) {
 				p.PathType = &defaultPathType
 			}
 
-			if *p.PathType == networkingv1beta1.PathTypeImplementationSpecific {
+			if *p.PathType == networkingv1.PathTypeImplementationSpecific {
 				p.PathType = &defaultPathType
 			}
 		}
diff --git a/stable.txt b/stable.txt
index 19b69dedd..c23a4ae6d 100644
--- a/stable.txt
+++ b/stable.txt
@@ -1 +1 @@
-controller-v0.49.0
+controller-v0.49.0
\ No newline at end of file
diff --git a/test/e2e-image/namespace-overlays/forwarded-port-headers/values.yaml b/test/e2e-image/namespace-overlays/forwarded-port-headers/values.yaml
index c79154d28..4fef671a7 100644
--- a/test/e2e-image/namespace-overlays/forwarded-port-headers/values.yaml
+++ b/test/e2e-image/namespace-overlays/forwarded-port-headers/values.yaml
@@ -14,7 +14,9 @@ controller:
     https-port: "1443"
     # e2e tests do not require information about ingress status
     update-status: "false"
-
+  ingressClassResource:
+    # We will create and remove each IC/ClusterRole/ClusterRoleBinding per test so there's no conflict
+    enabled: false
   scope:
     enabled: true
 
diff --git a/test/e2e/admission/admission.go b/test/e2e/admission/admission.go
index b6cf638fe..121d0d37a 100644
--- a/test/e2e/admission/admission.go
+++ b/test/e2e/admission/admission.go
@@ -56,14 +56,14 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
 
 		ginkgo.By("rejects ingress when memcached is not configured")
 
-		_, err := f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Create(context.TODO(), ing, metav1.CreateOptions{})
+		_, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), ing, metav1.CreateOptions{})
 		assert.NotNil(ginkgo.GinkgoT(), err, "creating ingress with global throttle annotations when memcached is not configured")
 
 		ginkgo.By("accepts ingress when memcached is not configured")
 
 		f.UpdateNginxConfigMapData("global-rate-limit-memcached-host", "memc.default.svc.cluster.local")
 
-		_, err = f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Create(context.TODO(), ing, metav1.CreateOptions{})
+		_, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), ing, metav1.CreateOptions{})
 		assert.Nil(ginkgo.GinkgoT(), err, "creating ingress with global throttle annotations when memcached is configured")
 
 		f.WaitForNginxServer(host,
@@ -76,7 +76,7 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
 		host := "admission-test"
 
 		firstIngress := framework.NewSingleIngress("first-ingress", "/", host, f.Namespace, framework.EchoService, 80, nil)
-		_, err := f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{})
+		_, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{})
 		assert.Nil(ginkgo.GinkgoT(), err, "creating ingress")
 
 		f.WaitForNginxServer(host,
@@ -85,7 +85,7 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
 			})
 
 		secondIngress := framework.NewSingleIngress("second-ingress", "/", host, f.Namespace, framework.EchoService, 80, nil)
-		_, err = f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Create(context.TODO(), secondIngress, metav1.CreateOptions{})
+		_, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), secondIngress, metav1.CreateOptions{})
 		assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with the same host and path should return an error")
 	})
 
@@ -93,7 +93,7 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
 		host := "admission-test"
 
 		firstIngress := framework.NewSingleIngress("first-ingress", "/", host, f.Namespace, framework.EchoService, 80, nil)
-		_, err := f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{})
+		_, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{})
 		assert.Nil(ginkgo.GinkgoT(), err, "creating ingress")
 
 		f.WaitForNginxServer(host,
@@ -106,7 +106,7 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
 			"nginx.ingress.kubernetes.io/canary-by-header": "CanaryByHeader",
 		}
 		secondIngress := framework.NewSingleIngress("second-ingress", "/", host, f.Namespace, framework.SlowEchoService, 80, canaryAnnotations)
-		_, err = f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Create(context.TODO(), secondIngress, metav1.CreateOptions{})
+		_, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), secondIngress, metav1.CreateOptions{})
 		assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress with the same host and path should not return an error using a canary annotation")
 	})
 
@@ -117,40 +117,11 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
 			"nginx.ingress.kubernetes.io/configuration-snippet": "something invalid",
 		}
 		firstIngress := framework.NewSingleIngress("first-ingress", "/", host, f.Namespace, framework.EchoService, 80, annotations)
-		_, err := f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{})
+		_, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{})
 		assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid configuration should return an error")
 	})
 
-	ginkgo.It("should not return an error the ingress definition uses the deprecated extensions package", func() {
-		err := createIngress(f.Namespace, validIngress)
-		assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress using kubectl")
-
-		f.WaitForNginxConfiguration(func(cfg string) bool {
-			return strings.Contains(cfg, "extensions")
-		})
-
-		f.HTTPTestClient().
-			GET("/").
-			WithHeader("Host", "extensions").
-			Expect().
-			Status(http.StatusOK)
-	})
-
-	ginkgo.It("should return an error if the ingress definition uses the deprecated extensions package and invalid annotations", func() {
-		err := createIngress(f.Namespace, invalidIngress)
-		assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress using kubectl")
-
-		_, err = f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Get(context.TODO(), "extensions", metav1.GetOptions{})
-		if !apierrors.IsNotFound(err) {
-			assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid configuration should return an error")
-		}
-	})
-
-	ginkgo.It("should not return an error if the Ingress V1 definition is valid", func() {
-		if !f.IsIngressV1Ready {
-			ginkgo.Skip("Test requires Kubernetes v1.19 or higher")
-		}
-
+	ginkgo.It("should not return an error if the Ingress V1 definition is valid with Ingress Class", func() {
 		err := createIngress(f.Namespace, validV1Ingress)
 		assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress using kubectl")
 
@@ -165,15 +136,26 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
 			Status(http.StatusOK)
 	})
 
-	ginkgo.It("should return an error if the Ingress V1 definition contains invalid annotations", func() {
-		if !f.IsIngressV1Ready {
-			ginkgo.Skip("Test requires Kubernetes v1.19 or higher")
-		}
+	ginkgo.It("should not return an error if the Ingress V1 definition is valid with IngressClass annotation", func() {
+		err := createIngress(f.Namespace, validV1IngressAnnotation)
+		assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress using kubectl")
 
+		f.WaitForNginxConfiguration(func(cfg string) bool {
+			return strings.Contains(cfg, "extensions-class")
+		})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", "extensions-class").
+			Expect().
+			Status(http.StatusOK)
+	})
+
+	ginkgo.It("should return an error if the Ingress V1 definition contains invalid annotations", func() {
 		err := createIngress(f.Namespace, invalidV1Ingress)
 		assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress using kubectl")
 
-		_, err = f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Get(context.TODO(), "extensions", metav1.GetOptions{})
+		_, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), "extensions-invalid", metav1.GetOptions{})
 		if !apierrors.IsNotFound(err) {
 			assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid configuration should return an error")
 		}
@@ -191,49 +173,13 @@ func uninstallChart(f *framework.Framework) error {
 }
 
 const (
-	validIngress = `
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: extensions
-spec:
-  rules:
-  - host: extensions
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: echo
-          servicePort: 80
----
-`
-
-	invalidIngress = `
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: extensions
-  annotations:
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-      invalid directive
-spec:
-  rules:
-  - host: extensions
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: echo
-          servicePort: 80
----
-`
-
 	validV1Ingress = `
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: extensions
 spec:
+  ingressClassName: nginx
   rules:
   - host: extensions
     http:
@@ -246,6 +192,28 @@ spec:
             port:
               number: 80
 
+---
+`
+	validV1IngressAnnotation = `
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: extensions-class
+  annotations:
+    kubernetes.io/ingress.class: nginx
+spec:
+  rules:
+  - host: extensions-class
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: echo
+            port:
+              number: 80
+
 ---
 `
 
@@ -253,13 +221,14 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: extensions
+  name: extensions-invalid
   annotations:
     nginx.ingress.kubernetes.io/configuration-snippet: |
       invalid directive
 spec:
+  ingressClassName: nginx
   rules:
-  - host: extensions
+  - host: extensions-invalid
     http:
       paths:
       - path: /
diff --git a/test/e2e/annotations/affinity.go b/test/e2e/annotations/affinity.go
index a17df1cc6..998eca82f 100644
--- a/test/e2e/annotations/affinity.go
+++ b/test/e2e/annotations/affinity.go
@@ -25,9 +25,8 @@ import (
 
 	"github.com/onsi/ginkgo"
 	"github.com/stretchr/testify/assert"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )
@@ -84,7 +83,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() {
 
 		ing.ObjectMeta.Annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "OTHERCOOKIENAME"
 
-		_, err := f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{})
+		_, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{})
 		assert.Nil(ginkgo.GinkgoT(), err, "updating ingress")
 		framework.Sleep()
 
@@ -119,6 +118,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() {
 	})
 
 	ginkgo.It("does not set the path to / on the generated cookie if there's more than one rule referring to the same backend", func() {
+		pathtype := networking.PathTypePrefix
 		host := "morethanonerule.foo.com"
 		annotations := make(map[string]string)
 		annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie"
@@ -131,6 +131,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() {
 				Annotations: annotations,
 			},
 			Spec: networking.IngressSpec{
+				IngressClassName: &f.IngressClass,
 				Rules: []networking.IngressRule{
 					{
 						Host: host,
@@ -138,17 +139,27 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() {
 							HTTP: &networking.HTTPIngressRuleValue{
 								Paths: []networking.HTTPIngressPath{
 									{
-										Path: "/something",
+										Path:     "/something",
+										PathType: &pathtype,
 										Backend: networking.IngressBackend{
-											ServiceName: framework.EchoService,
-											ServicePort: intstr.FromInt(80),
+											Service: &networking.IngressServiceBackend{
+												Name: framework.EchoService,
+												Port: networking.ServiceBackendPort{
+													Number: int32(80),
+												},
+											},
 										},
 									},
 									{
-										Path: "/somewhereelse",
+										Path:     "/somewhereelse",
+										PathType: &pathtype,
 										Backend: networking.IngressBackend{
-											ServiceName: framework.EchoService,
-											ServicePort: intstr.FromInt(80),
+											Service: &networking.IngressServiceBackend{
+												Name: framework.EchoService,
+												Port: networking.ServiceBackendPort{
+													Number: int32(80),
+												},
+											},
 										},
 									},
 								},
diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go
index fac0658c0..f2c1a59d6 100644
--- a/test/e2e/annotations/auth.go
+++ b/test/e2e/annotations/auth.go
@@ -30,7 +30,7 @@ import (
 	"github.com/stretchr/testify/assert"
 
 	corev1 "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"k8s.io/ingress-nginx/test/e2e/framework"
diff --git a/test/e2e/annotations/canary.go b/test/e2e/annotations/canary.go
index c66e9b981..fe3e1544f 100644
--- a/test/e2e/annotations/canary.go
+++ b/test/e2e/annotations/canary.go
@@ -22,9 +22,7 @@ import (
 	"strings"
 
 	"github.com/onsi/ginkgo"
-	"github.com/stretchr/testify/assert"
 
-	networking "k8s.io/api/networking/v1beta1"
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )
 
@@ -32,7 +30,7 @@ const (
 	canaryService = "echo-canary"
 )
 
-var _ = framework.DescribeAnnotation("canary-*", func() {
+var _ = framework.DescribeAnnotation("canary", func() {
 	f := framework.NewDefaultFramework("canary")
 
 	ginkgo.BeforeEach(func() {
@@ -327,15 +325,25 @@ var _ = framework.DescribeAnnotation("canary-*", func() {
 				f.Namespace, canaryService, 80, canaryAnnotations)
 			f.EnsureIngress(canaryIng)
 
-			err := framework.UpdateIngress(f.KubeClientSet, f.Namespace, canaryIngName,
-				func(ingress *networking.Ingress) error {
-					ingress.ObjectMeta.Annotations = map[string]string{
-						"nginx.ingress.kubernetes.io/canary":           "true",
-						"nginx.ingress.kubernetes.io/canary-by-header": "CanaryByHeader2",
-					}
-					return nil
+			f.WaitForNginxServer(host,
+				func(server string) bool {
+					return strings.Contains(server, "server_name foo")
+				})
+
+			newAnnotations := map[string]string{
+				"nginx.ingress.kubernetes.io/canary":           "true",
+				"nginx.ingress.kubernetes.io/canary-by-header": "CanaryByHeader2",
+			}
+
+			modIng := framework.NewSingleIngress(canaryIngName, "/", host,
+				f.Namespace, canaryService, 80, newAnnotations)
+
+			f.UpdateIngress(modIng)
+
+			f.WaitForNginxServer(host,
+				func(server string) bool {
+					return strings.Contains(server, "server_name foo")
 				})
-			assert.Nil(ginkgo.GinkgoT(), err)
 
 			ginkgo.By("routing requests destined for the mainline ingress to the mainline upstream")
 			f.HTTPTestClient().
@@ -707,6 +715,11 @@ var _ = framework.DescribeAnnotation("canary-*", func() {
 				f.Namespace, canaryService, 80, canaryAnnotations)
 			f.EnsureIngress(canaryIng)
 
+			f.WaitForNginxServer(host,
+				func(server string) bool {
+					return strings.Contains(server, "server_name foo")
+				})
+
 			ginkgo.By("returning requests from the mainline only when weight is equal to 0")
 			f.HTTPTestClient().
 				GET("/").
@@ -719,15 +732,20 @@ var _ = framework.DescribeAnnotation("canary-*", func() {
 
 			ginkgo.By("returning requests from the canary only when weight is equal to 100")
 
-			err := framework.UpdateIngress(f.KubeClientSet, f.Namespace, canaryIngName,
-				func(ingress *networking.Ingress) error {
-					ingress.ObjectMeta.Annotations = map[string]string{
-						"nginx.ingress.kubernetes.io/canary":        "true",
-						"nginx.ingress.kubernetes.io/canary-weight": "100",
-					}
-					return nil
+			newAnnotations := map[string]string{
+				"nginx.ingress.kubernetes.io/canary":        "true",
+				"nginx.ingress.kubernetes.io/canary-weight": "100",
+			}
+
+			modIng := framework.NewSingleIngress(canaryIngName, "/", host,
+				f.Namespace, canaryService, 80, newAnnotations)
+
+			f.UpdateIngress(modIng)
+
+			f.WaitForNginxServer(host,
+				func(server string) bool {
+					return strings.Contains(server, "server_name foo")
 				})
-			assert.Nil(ginkgo.GinkgoT(), err)
 
 			f.HTTPTestClient().
 				GET("/").
diff --git a/test/e2e/annotations/customhttperrors.go b/test/e2e/annotations/customhttperrors.go
index f00ec8859..c0115cb52 100644
--- a/test/e2e/annotations/customhttperrors.go
+++ b/test/e2e/annotations/customhttperrors.go
@@ -22,7 +22,7 @@ import (
 
 	"github.com/onsi/ginkgo"
 	"github.com/stretchr/testify/assert"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )
diff --git a/test/e2e/annotations/satisfy.go b/test/e2e/annotations/satisfy.go
index dba710b4b..8c0f88d2f 100644
--- a/test/e2e/annotations/satisfy.go
+++ b/test/e2e/annotations/satisfy.go
@@ -26,7 +26,7 @@ import (
 	"github.com/onsi/ginkgo"
 	"github.com/stretchr/testify/assert"
 
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"k8s.io/ingress-nginx/test/e2e/framework"
diff --git a/test/e2e/defaultbackend/with_hosts.go b/test/e2e/defaultbackend/with_hosts.go
index 9a3d87a27..c59b5807b 100644
--- a/test/e2e/defaultbackend/with_hosts.go
+++ b/test/e2e/defaultbackend/with_hosts.go
@@ -22,9 +22,8 @@ import (
 
 	"github.com/onsi/ginkgo"
 
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )
 
@@ -48,9 +47,14 @@ var _ = framework.IngressNginxDescribe("[Default Backend] change default setting
 				Annotations: annotations,
 			},
 			Spec: networking.IngressSpec{
-				Backend: &networking.IngressBackend{
-					ServiceName: framework.EchoService,
-					ServicePort: intstr.FromInt(80),
+				IngressClassName: &f.IngressClass,
+				DefaultBackend: &networking.IngressBackend{
+					Service: &networking.IngressServiceBackend{
+						Name: framework.EchoService,
+						Port: networking.ServiceBackendPort{
+							Number: int32(80),
+						},
+					},
 				},
 				Rules: []networking.IngressRule{
 					{
diff --git a/test/e2e/framework/framework.go b/test/e2e/framework/framework.go
index 8f5fb3884..e31fd1e4e 100644
--- a/test/e2e/framework/framework.go
+++ b/test/e2e/framework/framework.go
@@ -29,12 +29,11 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	apiextcs "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/scheme"
@@ -62,15 +61,15 @@ var (
 type Framework struct {
 	BaseName string
 
-	IsIngressV1Ready      bool
-	IsIngressV1Beta1Ready bool
+	IsIngressV1Ready bool
 
 	// A Kubernetes and Service Catalog client
 	KubeClientSet          kubernetes.Interface
 	KubeConfig             *restclient.Config
 	APIExtensionsClientSet apiextcs.Interface
 
-	Namespace string
+	Namespace    string
+	IngressClass string
 
 	pod *corev1.Pod
 }
@@ -104,12 +103,15 @@ func (f *Framework) BeforeEach() {
 		f.KubeClientSet, err = kubernetes.NewForConfig(f.KubeConfig)
 		assert.Nil(ginkgo.GinkgoT(), err, "creating a kubernetes client")
 
-		_, f.IsIngressV1Beta1Ready, f.IsIngressV1Ready = k8s.NetworkingIngressAvailable(f.KubeClientSet)
+		f.IsIngressV1Ready = k8s.NetworkingIngressAvailable(f.KubeClientSet)
 	}
 
 	f.Namespace, err = CreateKubeNamespace(f.BaseName, f.KubeClientSet)
 	assert.Nil(ginkgo.GinkgoT(), err, "creating namespace")
 
+	f.IngressClass, err = CreateIngressClass(f.Namespace, f.KubeClientSet)
+	assert.Nil(ginkgo.GinkgoT(), err, "creating IngressClass")
+
 	err = f.newIngressController(f.Namespace, f.BaseName)
 	assert.Nil(ginkgo.GinkgoT(), err, "deploying the ingress controller")
 
@@ -129,6 +131,14 @@ func (f *Framework) AfterEach() {
 		}()
 	}(f.KubeClientSet, f.Namespace)
 
+	defer func(kubeClient kubernetes.Interface, ingressclass string) {
+		go func() {
+			defer ginkgo.GinkgoRecover()
+			err := deleteIngressClass(kubeClient, ingressclass)
+			assert.Nil(ginkgo.GinkgoT(), err, "deleting IngressClass")
+		}()
+	}(f.KubeClientSet, f.IngressClass)
+
 	if !ginkgo.CurrentGinkgoTestDescription().Failed {
 		return
 	}
@@ -542,7 +552,7 @@ func waitForDeploymentRollout(kubeClientSet kubernetes.Interface, resource *apps
 
 // UpdateIngress runs the given updateFunc on the ingress
 func UpdateIngress(kubeClientSet kubernetes.Interface, namespace string, name string, updateFunc func(d *networking.Ingress) error) error {
-	ingress, err := kubeClientSet.NetworkingV1beta1().Ingresses(namespace).Get(context.TODO(), name, metav1.GetOptions{})
+	ingress, err := kubeClientSet.NetworkingV1().Ingresses(namespace).Get(context.TODO(), name, metav1.GetOptions{})
 	if err != nil {
 		return err
 	}
@@ -559,7 +569,7 @@ func UpdateIngress(kubeClientSet kubernetes.Interface, namespace string, name st
 		return err
 	}
 
-	_, err = kubeClientSet.NetworkingV1beta1().Ingresses(namespace).Update(context.TODO(), ingress, metav1.UpdateOptions{})
+	_, err = kubeClientSet.NetworkingV1().Ingresses(namespace).Update(context.TODO(), ingress, metav1.UpdateOptions{})
 	if err != nil {
 		return err
 	}
@@ -580,7 +590,9 @@ func NewSingleIngress(name, path, host, ns, service string, port int, annotation
 
 // NewSingleIngressWithMultiplePaths creates a simple ingress rule with multiple paths
 func NewSingleIngressWithMultiplePaths(name string, paths []string, host, ns, service string, port int, annotations map[string]string) *networking.Ingress {
+	pathtype := networking.PathTypePrefix
 	spec := networking.IngressSpec{
+		IngressClassName: GetIngressClassName(ns),
 		Rules: []networking.IngressRule{
 			{
 				Host: host,
@@ -593,10 +605,15 @@ func NewSingleIngressWithMultiplePaths(name string, paths []string, host, ns, se
 
 	for _, path := range paths {
 		spec.Rules[0].IngressRuleValue.HTTP.Paths = append(spec.Rules[0].IngressRuleValue.HTTP.Paths, networking.HTTPIngressPath{
-			Path: path,
+			Path:     path,
+			PathType: &pathtype,
 			Backend: networking.IngressBackend{
-				ServiceName: service,
-				ServicePort: intstr.FromInt(port),
+				Service: &networking.IngressServiceBackend{
+					Name: service,
+					Port: networking.ServiceBackendPort{
+						Number: int32(port),
+					},
+				},
 			},
 		})
 	}
@@ -605,17 +622,24 @@ func NewSingleIngressWithMultiplePaths(name string, paths []string, host, ns, se
 }
 
 func newSingleIngressWithRules(name, path, host, ns, service string, port int, annotations map[string]string, tlsHosts []string) *networking.Ingress {
+	pathtype := networking.PathTypePrefix
 	spec := networking.IngressSpec{
+		IngressClassName: GetIngressClassName(ns),
 		Rules: []networking.IngressRule{
 			{
 				IngressRuleValue: networking.IngressRuleValue{
 					HTTP: &networking.HTTPIngressRuleValue{
 						Paths: []networking.HTTPIngressPath{
 							{
-								Path: path,
+								Path:     path,
+								PathType: &pathtype,
 								Backend: networking.IngressBackend{
-									ServiceName: service,
-									ServicePort: intstr.FromInt(port),
+									Service: &networking.IngressServiceBackend{
+										Name: service,
+										Port: networking.ServiceBackendPort{
+											Number: int32(port),
+										},
+									},
 								},
 							},
 						},
@@ -644,10 +668,16 @@ func newSingleIngressWithRules(name, path, host, ns, service string, port int, a
 
 // NewSingleIngressWithBackendAndRules creates an ingress with both a default backend and a rule
 func NewSingleIngressWithBackendAndRules(name, path, host, ns, defaultService string, defaultPort int, service string, port int, annotations map[string]string) *networking.Ingress {
+	pathtype := networking.PathTypePrefix
 	spec := networking.IngressSpec{
-		Backend: &networking.IngressBackend{
-			ServiceName: defaultService,
-			ServicePort: intstr.FromInt(defaultPort),
+		IngressClassName: GetIngressClassName(ns),
+		DefaultBackend: &networking.IngressBackend{
+			Service: &networking.IngressServiceBackend{
+				Name: defaultService,
+				Port: networking.ServiceBackendPort{
+					Number: int32(defaultPort),
+				},
+			},
 		},
 		Rules: []networking.IngressRule{
 			{
@@ -656,10 +686,15 @@ func NewSingleIngressWithBackendAndRules(name, path, host, ns, defaultService st
 					HTTP: &networking.HTTPIngressRuleValue{
 						Paths: []networking.HTTPIngressPath{
 							{
-								Path: path,
+								Path:     path,
+								PathType: &pathtype,
 								Backend: networking.IngressBackend{
-									ServiceName: service,
-									ServicePort: intstr.FromInt(port),
+									Service: &networking.IngressServiceBackend{
+										Name: service,
+										Port: networking.ServiceBackendPort{
+											Number: int32(port),
+										},
+									},
 								},
 							},
 						},
@@ -675,9 +710,14 @@ func NewSingleIngressWithBackendAndRules(name, path, host, ns, defaultService st
 // NewSingleCatchAllIngress creates a simple ingress with a catch-all backend
 func NewSingleCatchAllIngress(name, ns, service string, port int, annotations map[string]string) *networking.Ingress {
 	spec := networking.IngressSpec{
-		Backend: &networking.IngressBackend{
-			ServiceName: service,
-			ServicePort: intstr.FromInt(port),
+		IngressClassName: GetIngressClassName(ns),
+		DefaultBackend: &networking.IngressBackend{
+			Service: &networking.IngressServiceBackend{
+				Name: service,
+				Port: networking.ServiceBackendPort{
+					Number: int32(port),
+				},
+			},
 		},
 	}
 	return newSingleIngress(name, ns, annotations, spec)
diff --git a/test/e2e/framework/k8s.go b/test/e2e/framework/k8s.go
index 3ca4a3c46..14937e6bd 100644
--- a/test/e2e/framework/k8s.go
+++ b/test/e2e/framework/k8s.go
@@ -28,7 +28,7 @@ import (
 	api "k8s.io/api/core/v1"
 	core "k8s.io/api/core/v1"
 	v1 "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilnet "k8s.io/apimachinery/pkg/util/net"
@@ -63,7 +63,7 @@ func (f *Framework) EnsureConfigMap(configMap *api.ConfigMap) (*api.ConfigMap, e
 
 // GetIngress gets an Ingress object from the given namespace, name and returns it, throws error if it does not exists.
 func (f *Framework) GetIngress(namespace string, name string) *networking.Ingress {
-	ing, err := f.KubeClientSet.NetworkingV1beta1().Ingresses(namespace).Get(context.TODO(), name, metav1.GetOptions{})
+	ing, err := f.KubeClientSet.NetworkingV1().Ingresses(namespace).Get(context.TODO(), name, metav1.GetOptions{})
 	assert.Nil(ginkgo.GinkgoT(), err, "getting ingress")
 	assert.NotNil(ginkgo.GinkgoT(), ing, "expected an ingress but none returned")
 	return ing
@@ -334,7 +334,7 @@ func createIngressWithRetries(c kubernetes.Interface, namespace string, obj *net
 		return fmt.Errorf("Object provided to create is empty")
 	}
 	createFunc := func() (bool, error) {
-		_, err := c.NetworkingV1beta1().Ingresses(namespace).Create(context.TODO(), obj, metav1.CreateOptions{})
+		_, err := c.NetworkingV1().Ingresses(namespace).Create(context.TODO(), obj, metav1.CreateOptions{})
 		if err == nil {
 			return true, nil
 		}
@@ -355,7 +355,7 @@ func updateIngressWithRetries(c kubernetes.Interface, namespace string, obj *net
 		return fmt.Errorf("Object provided to create is empty")
 	}
 	updateFunc := func() (bool, error) {
-		_, err := c.NetworkingV1beta1().Ingresses(namespace).Update(context.TODO(), obj, metav1.UpdateOptions{})
+		_, err := c.NetworkingV1().Ingresses(namespace).Update(context.TODO(), obj, metav1.UpdateOptions{})
 		if err == nil {
 			return true, nil
 		}
diff --git a/test/e2e/framework/util.go b/test/e2e/framework/util.go
index e094166f1..75fcb58ea 100644
--- a/test/e2e/framework/util.go
+++ b/test/e2e/framework/util.go
@@ -24,6 +24,8 @@ import (
 
 	"github.com/onsi/ginkgo"
 	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/uuid"
@@ -31,6 +33,8 @@ import (
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/client-go/tools/clientcmd/api"
+
+	"k8s.io/ingress-nginx/internal/k8s"
 )
 
 const (
@@ -117,6 +121,93 @@ func deleteKubeNamespace(c kubernetes.Interface, namespace string) error {
 	})
 }
 
+// CreateIngressClass creates a new IngressClass related to a test/namespace and also
+// the required ClusterRole/ClusterRoleBinding
+func CreateIngressClass(namespace string, c kubernetes.Interface) (string, error) {
+	icname := fmt.Sprintf("ic-%s", namespace)
+	var err error
+
+	ic, err := c.NetworkingV1().IngressClasses().
+		Create(context.TODO(), &networkingv1.IngressClass{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: icname,
+			},
+			Spec: networkingv1.IngressClassSpec{
+				Controller: k8s.IngressNGINXController,
+			},
+		}, metav1.CreateOptions{})
+	if err != nil {
+		return "", fmt.Errorf("Unexpected error creating IngressClass %s: %v", icname, err)
+	}
+
+	_, err = c.RbacV1().ClusterRoles().Create(context.TODO(), &rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{Name: icname},
+		Rules: []rbacv1.PolicyRule{{
+			APIGroups: []string{"networking.k8s.io"},
+			Resources: []string{"ingressclasses"},
+			Verbs:     []string{"get", "list", "watch"},
+		}},
+	}, metav1.CreateOptions{})
+	if err != nil {
+		return "", fmt.Errorf("Unexpected error creating IngressClass ClusterRole %s: %v", icname, err)
+	}
+
+	_, err = c.RbacV1().ClusterRoleBindings().Create(context.TODO(), &rbacv1.ClusterRoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: icname,
+		},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     icname,
+		},
+		Subjects: []rbacv1.Subject{
+			{
+				APIGroup:  "",
+				Kind:      "ServiceAccount",
+				Namespace: namespace,
+				Name:      "nginx-ingress",
+			},
+		},
+	}, metav1.CreateOptions{})
+	if err != nil {
+		return "", fmt.Errorf("Unexpected error creating IngressClass ClusterRoleBinding %s: %v", icname, err)
+	}
+	return ic.Name, nil
+}
+
+//deleteIngressClass deletes an IngressClass and its related ClusterRole* objects
+func deleteIngressClass(c kubernetes.Interface, ingressclass string) error {
+	var err error
+	grace := int64(0)
+	pb := metav1.DeletePropagationBackground
+	deleteOptions := metav1.DeleteOptions{
+		GracePeriodSeconds: &grace,
+		PropagationPolicy:  &pb,
+	}
+	err = c.NetworkingV1().IngressClasses().Delete(context.TODO(), ingressclass, deleteOptions)
+	if err != nil {
+		return fmt.Errorf("Unexpected error deleting IngressClass %s: %v", ingressclass, err)
+	}
+
+	err = c.RbacV1().ClusterRoleBindings().Delete(context.TODO(), ingressclass, deleteOptions)
+	if err != nil {
+		return fmt.Errorf("Unexpected error deleting IngressClass ClusterRoleBinding %s: %v", ingressclass, err)
+	}
+	err = c.RbacV1().ClusterRoles().Delete(context.TODO(), ingressclass, deleteOptions)
+	if err != nil {
+		return fmt.Errorf("Unexpected error deleting IngressClass ClusterRole %s: %v", ingressclass, err)
+	}
+
+	return nil
+}
+
+//GetIngressClassName returns the default IngressClassName given a namespace
+func GetIngressClassName(namespace string) *string {
+	icname := fmt.Sprintf("ic-%s", namespace)
+	return &icname
+}
+
 // WaitForKubeNamespaceNotExist waits until a namespaces is not present in the cluster
 func WaitForKubeNamespaceNotExist(c kubernetes.Interface, namespace string) error {
 	return wait.Poll(Poll, DefaultTimeout, namespaceNotExist(c, namespace))
@@ -223,7 +314,7 @@ func WaitForNoIngressInNamespace(c kubernetes.Interface, namespace, name string)
 
 func noIngressInNamespace(c kubernetes.Interface, namespace, name string) wait.ConditionFunc {
 	return func() (bool, error) {
-		ing, err := c.NetworkingV1beta1().Ingresses(namespace).Get(context.TODO(), name, metav1.GetOptions{})
+		ing, err := c.NetworkingV1().Ingresses(namespace).Get(context.TODO(), name, metav1.GetOptions{})
 		if apierrors.IsNotFound(err) {
 			return true, nil
 		}
@@ -245,7 +336,7 @@ func WaitForIngressInNamespace(c kubernetes.Interface, namespace, name string) e
 
 func ingressInNamespace(c kubernetes.Interface, namespace, name string) wait.ConditionFunc {
 	return func() (bool, error) {
-		ing, err := c.NetworkingV1beta1().Ingresses(namespace).Get(context.TODO(), name, metav1.GetOptions{})
+		ing, err := c.NetworkingV1().Ingresses(namespace).Get(context.TODO(), name, metav1.GetOptions{})
 		if apierrors.IsNotFound(err) {
 			return false, nil
 		}
diff --git a/test/e2e/ingress/multiple_rules.go b/test/e2e/ingress/multiple_rules.go
index dd5abd7ae..030be172a 100644
--- a/test/e2e/ingress/multiple_rules.go
+++ b/test/e2e/ingress/multiple_rules.go
@@ -22,15 +22,14 @@ import (
 
 	"github.com/onsi/ginkgo"
 	"github.com/stretchr/testify/assert"
-	networkingv1beta1 "k8s.io/api/networking/v1beta1"
-	"k8s.io/apimachinery/pkg/util/intstr"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )
 
 var _ = framework.IngressNginxDescribe("single ingress - multiple hosts", func() {
 	f := framework.NewDefaultFramework("simh")
-
+	pathprefix := networking.PathTypePrefix
 	ginkgo.BeforeEach(func() {
 		f.NewEchoDeploymentWithNameAndReplicas("first-service", 1)
 		f.NewEchoDeploymentWithNameAndReplicas("second-service", 1)
@@ -43,16 +42,21 @@ var _ = framework.IngressNginxDescribe("single ingress - multiple hosts", func()
 
 		ing := framework.NewSingleIngress("simh", "/", "first.host", f.Namespace, "first-service", 80, annotations)
 
-		ing.Spec.Rules = append(ing.Spec.Rules, networkingv1beta1.IngressRule{
+		ing.Spec.Rules = append(ing.Spec.Rules, networking.IngressRule{
 			Host: "second.host",
-			IngressRuleValue: networkingv1beta1.IngressRuleValue{
-				HTTP: &networkingv1beta1.HTTPIngressRuleValue{
-					Paths: []networkingv1beta1.HTTPIngressPath{
+			IngressRuleValue: networking.IngressRuleValue{
+				HTTP: &networking.HTTPIngressRuleValue{
+					Paths: []networking.HTTPIngressPath{
 						{
-							Path: "/",
-							Backend: networkingv1beta1.IngressBackend{
-								ServiceName: "second-service",
-								ServicePort: intstr.FromInt(80),
+							Path:     "/",
+							PathType: &pathprefix,
+							Backend: networking.IngressBackend{
+								Service: &networking.IngressServiceBackend{
+									Name: "second-service",
+									Port: networking.ServiceBackendPort{
+										Number: int32(80),
+									},
+								},
 							},
 						},
 					},
diff --git a/test/e2e/ingress/pathtype_exact.go b/test/e2e/ingress/pathtype_exact.go
index 01e37836a..38df19fcc 100644
--- a/test/e2e/ingress/pathtype_exact.go
+++ b/test/e2e/ingress/pathtype_exact.go
@@ -22,7 +22,7 @@ import (
 
 	"github.com/onsi/ginkgo"
 	"github.com/stretchr/testify/assert"
-	networkingv1beta1 "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )
@@ -35,9 +35,6 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] exact", func() {
 	})
 
 	ginkgo.It("should choose exact location for /exact", func() {
-		if !f.IsIngressV1Beta1Ready {
-			ginkgo.Skip("Test requires Kubernetes v1.18 or higher")
-		}
 
 		host := "exact.path"
 
@@ -45,7 +42,7 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] exact", func() {
 			"nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "pathType: exact";`,
 		}
 
-		var exactPathType = networkingv1beta1.PathTypeExact
+		var exactPathType = networking.PathTypeExact
 		ing := framework.NewSingleIngress("exact", "/exact", host, f.Namespace, framework.EchoService, 80, annotations)
 		ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &exactPathType
 		f.EnsureIngress(ing)
diff --git a/test/e2e/ingress/pathtype_mixed.go b/test/e2e/ingress/pathtype_mixed.go
index aac7d9ffa..28e3049c9 100644
--- a/test/e2e/ingress/pathtype_mixed.go
+++ b/test/e2e/ingress/pathtype_mixed.go
@@ -23,7 +23,7 @@ import (
 	"github.com/onsi/ginkgo"
 	"github.com/stretchr/testify/assert"
 
-	networkingv1beta1 "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )
 
@@ -34,12 +34,9 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi
 		f.NewEchoDeployment()
 	})
 
-	var exactPathType = networkingv1beta1.PathTypeExact
+	var exactPathType = networking.PathTypeExact
 
 	ginkgo.It("should choose the correct location", func() {
-		if !f.IsIngressV1Beta1Ready {
-			ginkgo.Skip("Test requires Kubernetes v1.18 or higher")
-		}
 
 		host := "mixed.path"
 
diff --git a/test/e2e/ingress/without_host.go b/test/e2e/ingress/without_host.go
index 154767fa4..c0c2d3b12 100644
--- a/test/e2e/ingress/without_host.go
+++ b/test/e2e/ingress/without_host.go
@@ -22,9 +22,8 @@ import (
 	"strings"
 
 	"github.com/onsi/ginkgo"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )
@@ -62,9 +61,14 @@ var _ = framework.IngressNginxDescribe("[Ingress] definition without host", func
 				Namespace: f.Namespace,
 			},
 			Spec: networking.IngressSpec{
-				Backend: &networking.IngressBackend{
-					ServiceName: framework.EchoService,
-					ServicePort: intstr.FromInt(80),
+				IngressClassName: &f.IngressClass,
+				DefaultBackend: &networking.IngressBackend{
+					Service: &networking.IngressServiceBackend{
+						Name: framework.EchoService,
+						Port: networking.ServiceBackendPort{
+							Number: int32(80),
+						},
+					},
 				},
 				Rules: []networking.IngressRule{
 					{
diff --git a/test/e2e/leaks/lua_ssl.go b/test/e2e/leaks/lua_ssl.go
index 6eb8bbc63..8756a973d 100644
--- a/test/e2e/leaks/lua_ssl.go
+++ b/test/e2e/leaks/lua_ssl.go
@@ -103,7 +103,7 @@ func checkIngress(hostname string, f *framework.Framework) {
 }
 
 func deleteIngress(hostname string, f *framework.Framework) {
-	err := f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Delete(context.TODO(), hostname, metav1.DeleteOptions{})
+	err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Delete(context.TODO(), hostname, metav1.DeleteOptions{})
 	assert.Nil(ginkgo.GinkgoT(), err, "unexpected error deleting ingress")
 }
 
diff --git a/test/e2e/lua/dynamic_certificates.go b/test/e2e/lua/dynamic_certificates.go
index 455bf0fc2..f5585995e 100644
--- a/test/e2e/lua/dynamic_certificates.go
+++ b/test/e2e/lua/dynamic_certificates.go
@@ -28,7 +28,7 @@ import (
 	"github.com/prometheus/common/expfmt"
 	"github.com/prometheus/common/model"
 	"github.com/stretchr/testify/assert"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"k8s.io/ingress-nginx/test/e2e/framework"
@@ -45,7 +45,7 @@ var _ = framework.IngressNginxDescribe("[Lua] dynamic certificates", func() {
 	ginkgo.It("picks up the certificate when we add TLS spec to existing ingress", func() {
 		ensureIngress(f, host, framework.EchoService)
 
-		ing, err := f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{})
+		ing, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{})
 		assert.Nil(ginkgo.GinkgoT(), err)
 		ing.Spec.TLS = []networking.IngressTLS{
 			{
@@ -59,7 +59,7 @@ var _ = framework.IngressNginxDescribe("[Lua] dynamic certificates", func() {
 			ing.Namespace)
 		assert.Nil(ginkgo.GinkgoT(), err)
 
-		_, err = f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{})
+		_, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{})
 		assert.Nil(ginkgo.GinkgoT(), err)
 
 		time.Sleep(waitForLuaSync)
@@ -147,7 +147,7 @@ var _ = framework.IngressNginxDescribe("[Lua] dynamic certificates", func() {
 		})
 
 		ginkgo.It("picks up the updated certificate without reloading", func() {
-			ing, err := f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{})
+			ing, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{})
 			assert.Nil(ginkgo.GinkgoT(), err)
 
 			ensureHTTPSRequest(f, fmt.Sprintf("%s?id=dummy_log_splitter_foo_bar", f.GetURL(framework.HTTPS)), host, host)
@@ -183,7 +183,7 @@ var _ = framework.IngressNginxDescribe("[Lua] dynamic certificates", func() {
 		})
 
 		ginkgo.It("falls back to using default certificate when secret gets deleted without reloading", func() {
-			ing, err := f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{})
+			ing, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{})
 			assert.Nil(ginkgo.GinkgoT(), err)
 
 			ensureHTTPSRequest(f, fmt.Sprintf("%s?id=dummy_log_splitter_foo_bar", f.GetURL(framework.HTTPS)), host, host)
@@ -217,11 +217,11 @@ var _ = framework.IngressNginxDescribe("[Lua] dynamic certificates", func() {
 
 		ginkgo.It("picks up a non-certificate only change", func() {
 			newHost := "foo2.com"
-			ing, err := f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{})
+			ing, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{})
 			assert.Nil(ginkgo.GinkgoT(), err)
 
 			ing.Spec.Rules[0].Host = newHost
-			_, err = f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{})
+			_, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{})
 			assert.Nil(ginkgo.GinkgoT(), err)
 
 			time.Sleep(waitForLuaSync)
@@ -231,11 +231,11 @@ var _ = framework.IngressNginxDescribe("[Lua] dynamic certificates", func() {
 		})
 
 		ginkgo.It("removes HTTPS configuration when we delete TLS spec", func() {
-			ing, err := f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{})
+			ing, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{})
 			assert.Nil(ginkgo.GinkgoT(), err)
 
 			ing.Spec.TLS = []networking.IngressTLS{}
-			_, err = f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{})
+			_, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{})
 			assert.Nil(ginkgo.GinkgoT(), err)
 
 			time.Sleep(waitForLuaSync)
diff --git a/test/e2e/lua/dynamic_configuration.go b/test/e2e/lua/dynamic_configuration.go
index 5fcebac7d..0a88fb07b 100644
--- a/test/e2e/lua/dynamic_configuration.go
+++ b/test/e2e/lua/dynamic_configuration.go
@@ -26,7 +26,7 @@ import (
 
 	"github.com/onsi/ginkgo"
 	"github.com/stretchr/testify/assert"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"k8s.io/ingress-nginx/test/e2e/framework"
@@ -172,11 +172,11 @@ var _ = framework.IngressNginxDescribe("[Lua] dynamic configuration", func() {
 				return true
 			})
 
-			ingress, err := f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Get(context.TODO(), "foo.com", metav1.GetOptions{})
+			ingress, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), "foo.com", metav1.GetOptions{})
 			assert.Nil(ginkgo.GinkgoT(), err)
 
 			ingress.ObjectMeta.Annotations["nginx.ingress.kubernetes.io/load-balance"] = "round_robin"
-			_, err = f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Update(context.TODO(), ingress, metav1.UpdateOptions{})
+			_, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Update(context.TODO(), ingress, metav1.UpdateOptions{})
 			assert.Nil(ginkgo.GinkgoT(), err)
 
 			f.HTTPTestClient().
diff --git a/test/e2e/run-chart-test.sh b/test/e2e/run-chart-test.sh
index 841c05e7d..0e618244c 100755
--- a/test/e2e/run-chart-test.sh
+++ b/test/e2e/run-chart-test.sh
@@ -36,6 +36,8 @@ cleanup() {
 
 trap cleanup EXIT
 
+export KIND_CLUSTER_NAME=${KIND_CLUSTER_NAME:-ingress-nginx-dev}
+
 if ! command -v kind --version &> /dev/null; then
   echo "kind is not installed. Use the package manager or visit the official site https://kind.sigs.k8s.io/"
   exit 1
@@ -43,14 +45,17 @@ fi
 
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
-export KIND_CLUSTER_NAME=${KIND_CLUSTER_NAME:-ingress-nginx-dev}
+# Use 1.0.0-dev to make sure we use the latest configuration in the helm template
+export TAG=1.0.0-dev
+export ARCH=${ARCH:-amd64}
+export REGISTRY=ingress-controller
 
 export KUBECONFIG="${KUBECONFIG:-$HOME/.kube/kind-config-$KIND_CLUSTER_NAME}"
 
 if [ "${SKIP_CLUSTER_CREATION:-false}" = "false" ]; then
   echo "[dev-env] creating Kubernetes cluster with kind"
 
-  export K8S_VERSION=${K8S_VERSION:-v1.20.2@sha256:8f7ea6e7642c0da54f04a7ee10431549c0257315b3a634f6ef2fecaaedb19bab}
+  export K8S_VERSION=${K8S_VERSION:-v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6}
 
   kind create cluster \
     --verbosity=${KIND_LOG_LEVEL} \
@@ -61,8 +66,23 @@ if [ "${SKIP_CLUSTER_CREATION:-false}" = "false" ]; then
 
   echo "Kubernetes cluster:"
   kubectl get nodes -o wide
+
 fi
 
+if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then
+  if ! command -v ginkgo &> /dev/null; then
+    go get github.com/onsi/ginkgo/ginkgo@v1.16.4
+  fi
+  echo "[dev-env] building image"
+  make -C ${DIR}/../../ clean-image build image
+fi
+  
+
+KIND_WORKERS=$(kind get nodes --name="${KIND_CLUSTER_NAME}" | awk '{printf (NR>1?",":"") $1}')
+echo "[dev-env] copying docker images to cluster..."
+
+kind load docker-image --name="${KIND_CLUSTER_NAME}" --nodes=${KIND_WORKERS} ${REGISTRY}/controller:${TAG}
+
 echo "[dev-env] running helm chart e2e tests..."
 # Uses a custom chart-testing image to avoid timeouts waiting for namespace deletion.
 # The changes can be found here: https://github.com/aledbf/chart-testing/commit/41fe0ae0733d0c9a538099fb3cec522e888e3d82
diff --git a/test/e2e/run.sh b/test/e2e/run.sh
index d3caf2537..bfe13b428 100755
--- a/test/e2e/run.sh
+++ b/test/e2e/run.sh
@@ -58,7 +58,7 @@ export KUBECONFIG="${KUBECONFIG:-$HOME/.kube/kind-config-$KIND_CLUSTER_NAME}"
 if [ "${SKIP_CLUSTER_CREATION:-false}" = "false" ]; then
   echo "[dev-env] creating Kubernetes cluster with kind"
 
-  export K8S_VERSION=${K8S_VERSION:-v1.20.2@sha256:8f7ea6e7642c0da54f04a7ee10431549c0257315b3a634f6ef2fecaaedb19bab}
+  export K8S_VERSION=${K8S_VERSION:-v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6}
 
   kind create cluster \
     --verbosity=${KIND_LOG_LEVEL} \
@@ -73,7 +73,7 @@ fi
 
 if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then
   if ! command -v ginkgo &> /dev/null; then
-    go get github.com/onsi/ginkgo/ginkgo
+    go get github.com/onsi/ginkgo/ginkgo@v1.16.4
   fi
 
   echo "[dev-env] building image"
diff --git a/test/e2e/servicebackend/service_backend.go b/test/e2e/servicebackend/service_backend.go
index 86f39b842..0467e434e 100644
--- a/test/e2e/servicebackend/service_backend.go
+++ b/test/e2e/servicebackend/service_backend.go
@@ -22,13 +22,14 @@ import (
 
 	"github.com/onsi/ginkgo"
 	corev1 "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )
 
+var pathtype = networking.PathTypePrefix
 var _ = framework.IngressNginxDescribe("[Service] backend status code 503", func() {
 	f := framework.NewDefaultFramework("service-backend")
 
@@ -79,6 +80,7 @@ func buildIngressWithNonexistentService(host, namespace, path string) *networkin
 			Namespace: namespace,
 		},
 		Spec: networking.IngressSpec{
+			IngressClassName: framework.GetIngressClassName(namespace),
 			Rules: []networking.IngressRule{
 				{
 					Host: host,
@@ -86,10 +88,15 @@ func buildIngressWithNonexistentService(host, namespace, path string) *networkin
 						HTTP: &networking.HTTPIngressRuleValue{
 							Paths: []networking.HTTPIngressPath{
 								{
-									Path: path,
+									Path:     path,
+									PathType: &pathtype,
 									Backend: networking.IngressBackend{
-										ServiceName: backendService,
-										ServicePort: intstr.FromInt(80),
+										Service: &networking.IngressServiceBackend{
+											Name: backendService,
+											Port: networking.ServiceBackendPort{
+												Number: int32(80),
+											},
+										},
 									},
 								},
 							},
@@ -109,6 +116,7 @@ func buildIngressWithUnavailableServiceEndpoints(host, namespace, path string) (
 				Namespace: namespace,
 			},
 			Spec: networking.IngressSpec{
+				IngressClassName: framework.GetIngressClassName(namespace),
 				Rules: []networking.IngressRule{
 					{
 						Host: host,
@@ -116,10 +124,15 @@ func buildIngressWithUnavailableServiceEndpoints(host, namespace, path string) (
 							HTTP: &networking.HTTPIngressRuleValue{
 								Paths: []networking.HTTPIngressPath{
 									{
-										Path: path,
+										Path:     path,
+										PathType: &pathtype,
 										Backend: networking.IngressBackend{
-											ServiceName: backendService,
-											ServicePort: intstr.FromInt(80),
+											Service: &networking.IngressServiceBackend{
+												Name: backendService,
+												Port: networking.ServiceBackendPort{
+													Number: int32(80),
+												},
+											},
 										},
 									},
 								},
diff --git a/test/e2e/servicebackend/service_externalname.go b/test/e2e/servicebackend/service_externalname.go
index bd10519e7..2c33c020f 100644
--- a/test/e2e/servicebackend/service_externalname.go
+++ b/test/e2e/servicebackend/service_externalname.go
@@ -25,8 +25,8 @@ import (
 	"github.com/gavv/httpexpect/v2"
 	"github.com/onsi/ginkgo"
 	"github.com/stretchr/testify/assert"
-	core "k8s.io/api/core/v1"
 	corev1 "k8s.io/api/core/v1"
+	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 
@@ -42,7 +42,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() {
 
 		host := "echo"
 
-		svc := &core.Service{
+		svc := &corev1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      framework.HTTPBinService,
 				Namespace: f.Namespace,
@@ -73,7 +73,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() {
 	ginkgo.It("should return 200 for service type=ExternalName without a port defined", func() {
 		host := "echo"
 
-		svc := &core.Service{
+		svc := &corev1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      framework.HTTPBinService,
 				Namespace: f.Namespace,
@@ -107,7 +107,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() {
 	ginkgo.It("should return 200 for service type=ExternalName with a port defined", func() {
 		host := "echo"
 
-		svc := &core.Service{
+		svc := &corev1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      framework.HTTPBinService,
 				Namespace: f.Namespace,
@@ -148,7 +148,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() {
 	ginkgo.It("should return status 502 for service type=ExternalName with an invalid host", func() {
 		host := "echo"
 
-		svc := &core.Service{
+		svc := &corev1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      framework.HTTPBinService,
 				Namespace: f.Namespace,
@@ -179,7 +179,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() {
 	ginkgo.It("should return 200 for service type=ExternalName using a port name", func() {
 		host := "echo"
 
-		svc := &core.Service{
+		svc := &corev1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      framework.HTTPBinService,
 				Namespace: f.Namespace,
@@ -203,7 +203,15 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() {
 			"nginx.ingress.kubernetes.io/upstream-vhost": "httpbin.org",
 		}
 		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, annotations)
-		ing.Spec.Rules[0].HTTP.Paths[0].Backend.ServicePort = intstr.FromString(host)
+		namedBackend := networking.IngressBackend{
+			Service: &networking.IngressServiceBackend{
+				Name: framework.HTTPBinService,
+				Port: networking.ServiceBackendPort{
+					Name: host,
+				},
+			},
+		}
+		ing.Spec.Rules[0].HTTP.Paths[0].Backend = namedBackend
 		f.EnsureIngress(ing)
 
 		f.WaitForNginxServer(host,
@@ -221,7 +229,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() {
 	ginkgo.It("should return 200 for service type=ExternalName using FQDN with trailing dot", func() {
 		host := "echo"
 
-		svc := &core.Service{
+		svc := &corev1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      framework.HTTPBinService,
 				Namespace: f.Namespace,
@@ -252,7 +260,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() {
 	ginkgo.It("should update the external name after a service update", func() {
 		host := "echo"
 
-		svc := &core.Service{
+		svc := &corev1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      framework.HTTPBinService,
 				Namespace: f.Namespace,
@@ -276,7 +284,15 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() {
 			"nginx.ingress.kubernetes.io/upstream-vhost": "httpbin.org",
 		}
 		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, annotations)
-		ing.Spec.Rules[0].HTTP.Paths[0].Backend.ServicePort = intstr.FromString(host)
+		namedBackend := networking.IngressBackend{
+			Service: &networking.IngressServiceBackend{
+				Name: framework.HTTPBinService,
+				Port: networking.ServiceBackendPort{
+					Name: host,
+				},
+			},
+		}
+		ing.Spec.Rules[0].HTTP.Paths[0].Backend = namedBackend
 		f.EnsureIngress(ing)
 
 		f.WaitForNginxServer(host,
diff --git a/test/e2e/settings/disable_catch_all.go b/test/e2e/settings/disable_catch_all.go
index 1a8791d80..f5d9bfadc 100644
--- a/test/e2e/settings/disable_catch_all.go
+++ b/test/e2e/settings/disable_catch_all.go
@@ -24,9 +24,8 @@ import (
 	"github.com/onsi/ginkgo"
 	"github.com/stretchr/testify/assert"
 	appsv1 "k8s.io/api/apps/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )
@@ -98,9 +97,13 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-catch-all", func() {
 
 		err := framework.UpdateIngress(f.KubeClientSet, f.Namespace, host, func(ingress *networking.Ingress) error {
 			ingress.Spec.Rules = nil
-			ingress.Spec.Backend = &networking.IngressBackend{
-				ServiceName: framework.EchoService,
-				ServicePort: intstr.FromInt(80),
+			ingress.Spec.DefaultBackend = &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: framework.EchoService,
+					Port: networking.ServiceBackendPort{
+						Number: int32(80),
+					},
+				},
 			}
 			return nil
 		})
diff --git a/test/e2e/settings/global_external_auth.go b/test/e2e/settings/global_external_auth.go
old mode 100755
new mode 100644
index 7960b6ca7..1e5bf4301
--- a/test/e2e/settings/global_external_auth.go
+++ b/test/e2e/settings/global_external_auth.go
@@ -25,7 +25,7 @@ import (
 	"github.com/onsi/ginkgo"
 	"github.com/stretchr/testify/assert"
 
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )
 
diff --git a/test/e2e/settings/global_options.go b/test/e2e/settings/global_options.go
new file mode 100644
index 000000000..ef0487cc5
--- /dev/null
+++ b/test/e2e/settings/global_options.go
@@ -0,0 +1,58 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package settings
+
+import (
+	"fmt"
+	"strings"
+	"syscall"
+
+	"github.com/onsi/ginkgo"
+	"k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+var _ = framework.IngressNginxDescribe("global-options", func() {
+	f := framework.NewDefaultFramework("global-options")
+
+	ginkgo.It("should have worker_rlimit_nofile option", func() {
+		f.WaitForNginxConfiguration(func(server string) bool {
+			return strings.Contains(server, fmt.Sprintf("worker_rlimit_nofile %d;", rlimitMaxNumFiles()-1024))
+
+		})
+	})
+
+	ginkgo.It("should have worker_rlimit_nofile option and be independent on amount of worker processes", func() {
+		f.SetNginxConfigMapData(map[string]string{
+			"worker-processes": "11",
+		})
+
+		f.WaitForNginxConfiguration(func(server string) bool {
+			return strings.Contains(server, "worker_processes 11;") &&
+				strings.Contains(server, fmt.Sprintf("worker_rlimit_nofile %d;", rlimitMaxNumFiles()-1024))
+		})
+	})
+})
+
+// rlimitMaxNumFiles returns hard limit for RLIMIT_NOFILE
+func rlimitMaxNumFiles() int {
+	var rLimit syscall.Rlimit
+	err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, &rLimit)
+	if err != nil {
+		return 0
+	}
+	return int(rLimit.Max)
+}
diff --git a/test/e2e/settings/ingress_class.go b/test/e2e/settings/ingress_class.go
index 1fa02183f..3ba42f311 100644
--- a/test/e2e/settings/ingress_class.go
+++ b/test/e2e/settings/ingress_class.go
@@ -18,7 +18,6 @@ package settings
 
 import (
 	"context"
-	"fmt"
 	"net/http"
 	"strings"
 	"sync"
@@ -26,13 +25,11 @@ import (
 	"github.com/onsi/ginkgo"
 	"github.com/stretchr/testify/assert"
 	appsv1 "k8s.io/api/apps/v1"
-	networking "k8s.io/api/networking/v1beta1"
-	rbacv1 "k8s.io/api/rbac/v1"
+	networkingv1 "k8s.io/api/networking/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"k8s.io/ingress-nginx/internal/ingress/annotations/class"
-	"k8s.io/ingress-nginx/internal/k8s"
+	"k8s.io/ingress-nginx/internal/ingress/controller/ingressclass"
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )
 
@@ -41,43 +38,20 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() {
 
 	var doOnce sync.Once
 
-	testIngressClassName := "test-new-ingress-class"
+	otherIngressClassName := "test-new-ingress-class"
+	otherController := "k8s.io/other-class"
 
 	ginkgo.BeforeEach(func() {
 		f.NewEchoDeploymentWithReplicas(1)
 
 		doOnce.Do(func() {
-			f.KubeClientSet.RbacV1().ClusterRoles().Create(context.TODO(), &rbacv1.ClusterRole{
-				ObjectMeta: metav1.ObjectMeta{Name: "ingress-nginx-class"},
-				Rules: []rbacv1.PolicyRule{{
-					APIGroups: []string{"networking.k8s.io"},
-					Resources: []string{"ingressclasses"},
-					Verbs:     []string{"get", "list", "watch"},
-				}},
-			}, metav1.CreateOptions{})
-
-			f.KubeClientSet.RbacV1().ClusterRoleBindings().Create(context.TODO(), &rbacv1.ClusterRoleBinding{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "ingress-nginx-class",
-				},
-				RoleRef: rbacv1.RoleRef{
-					APIGroup: "rbac.authorization.k8s.io",
-					Kind:     "ClusterRole",
-					Name:     "ingress-nginx-class",
-				},
-			}, metav1.CreateOptions{})
-
-			if !f.IsIngressV1Beta1Ready {
-				return
-			}
-
-			_, err := f.KubeClientSet.NetworkingV1beta1().IngressClasses().
-				Create(context.TODO(), &networking.IngressClass{
+			_, err := f.KubeClientSet.NetworkingV1().IngressClasses().
+				Create(context.TODO(), &networkingv1.IngressClass{
 					ObjectMeta: metav1.ObjectMeta{
-						Name: testIngressClassName,
+						Name: otherIngressClassName,
 					},
-					Spec: networking.IngressClassSpec{
-						Controller: k8s.IngressNGINXController,
+					Spec: networkingv1.IngressClassSpec{
+						Controller: otherController,
 					},
 				}, metav1.CreateOptions{})
 
@@ -87,17 +61,23 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() {
 		})
 	})
 
-	ginkgo.Context("Without a specific ingress-class", func() {
-		ginkgo.It("should ignore Ingress with class", func() {
+	ginkgo.Context("With default ingress class config", func() {
+		ginkgo.It("should ignore Ingress with a different class annotation", func() {
 			invalidHost := "foo"
 			annotations := map[string]string{
-				class.IngressKey: "testclass",
+				ingressclass.IngressKey: "testclass",
 			}
 			ing := framework.NewSingleIngress(invalidHost, "/", invalidHost, f.Namespace, framework.EchoService, 80, annotations)
+			// We should drop the ingressClassName here as we just want to rely on the annotation in this test
+			ing.Spec.IngressClassName = nil
 			f.EnsureIngress(ing)
 
 			validHost := "bar"
-			ing = framework.NewSingleIngress(validHost, "/", validHost, f.Namespace, framework.EchoService, 80, nil)
+			annotationClass := map[string]string{
+				ingressclass.IngressKey: ingressclass.DefaultAnnotationValue,
+			}
+			ing = framework.NewSingleIngress(validHost, "/", validHost, f.Namespace, framework.EchoService, 80, annotationClass)
+			ing.Spec.IngressClassName = nil
 			f.EnsureIngress(ing)
 
 			f.WaitForNginxConfiguration(func(cfg string) bool {
@@ -117,14 +97,300 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() {
 				Expect().
 				Status(http.StatusOK)
 		})
+
+		ginkgo.It("should ignore Ingress with different controller class", func() {
+			invalidHost := "foo-1"
+			ing := framework.NewSingleIngress(invalidHost, "/", invalidHost, f.Namespace, framework.EchoService, 80, nil)
+			ing.Spec.IngressClassName = &otherIngressClassName
+			f.EnsureIngress(ing)
+
+			validHost := "bar-1"
+			ing = framework.NewSingleIngress(validHost, "/", validHost, f.Namespace, framework.EchoService, 80, nil)
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxConfiguration(func(cfg string) bool {
+				return !strings.Contains(cfg, "server_name foo-1") &&
+					strings.Contains(cfg, "server_name bar-1")
+			})
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", invalidHost).
+				Expect().
+				Status(http.StatusNotFound)
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", validHost).
+				Expect().
+				Status(http.StatusOK)
+		})
+
+		ginkgo.It("should accept both Ingresses with default IngressClassName and IngressClass annotation", func() {
+			validHostAnnotation := "foo-ok"
+			annotationClass := map[string]string{
+				ingressclass.IngressKey: ingressclass.DefaultAnnotationValue,
+			}
+			ing := framework.NewSingleIngress(validHostAnnotation, "/", validHostAnnotation, f.Namespace, framework.EchoService, 80, annotationClass)
+			// We need to drop the Class here as we just want the annotation
+			ing.Spec.IngressClassName = nil
+			f.EnsureIngress(ing)
+
+			validHostClass := "bar-ok"
+			ing = framework.NewSingleIngress(validHostClass, "/", validHostClass, f.Namespace, framework.EchoService, 80, nil)
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxConfiguration(func(cfg string) bool {
+				return strings.Contains(cfg, "server_name foo-ok") &&
+					strings.Contains(cfg, "server_name bar-ok")
+			})
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", validHostAnnotation).
+				Expect().
+				Status(http.StatusOK)
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", validHostClass).
+				Expect().
+				Status(http.StatusOK)
+		})
+
+		ginkgo.It("should ignore Ingress without IngressClass configuration", func() {
+			invalidHost := "foo-invalid"
+			ing := framework.NewSingleIngress(invalidHost, "/", invalidHost, f.Namespace, framework.EchoService, 80, nil)
+			ing.Spec.IngressClassName = nil
+			f.EnsureIngress(ing)
+
+			validHostClass := "bar-valid"
+			ing = framework.NewSingleIngress(validHostClass, "/", validHostClass, f.Namespace, framework.EchoService, 80, nil)
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxConfiguration(func(cfg string) bool {
+				return !strings.Contains(cfg, "server_name foo-invalid") &&
+					strings.Contains(cfg, "server_name bar-valid")
+			})
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", invalidHost).
+				Expect().
+				Status(http.StatusNotFound)
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", validHostClass).
+				Expect().
+				Status(http.StatusOK)
+		})
+
+		ginkgo.It("should delete Ingress when class is removed", func() {
+			hostAnnotation := "foo-annotation"
+
+			annotations := map[string]string{
+				ingressclass.IngressKey: ingressclass.DefaultAnnotationValue,
+			}
+			ing := framework.NewSingleIngress(hostAnnotation, "/", hostAnnotation, f.Namespace, framework.EchoService, 80, annotations)
+			ing.Spec.IngressClassName = nil
+			f.EnsureIngress(ing)
+
+			hostClass := "foo-class"
+			ing = framework.NewSingleIngress(hostClass, "/", hostClass, f.Namespace, framework.EchoService, 80, nil)
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxConfiguration(func(cfg string) bool {
+				return strings.Contains(cfg, "server_name foo-annotation") &&
+					strings.Contains(cfg, "server_name foo-class")
+			})
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", hostAnnotation).
+				Expect().
+				Status(http.StatusOK)
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", hostClass).
+				Expect().
+				Status(http.StatusOK)
+
+			ing, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), hostAnnotation, metav1.GetOptions{})
+			assert.Nil(ginkgo.GinkgoT(), err)
+
+			delete(ing.Annotations, ingressclass.IngressKey)
+			_, err = f.KubeClientSet.NetworkingV1().Ingresses(ing.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{})
+			assert.Nil(ginkgo.GinkgoT(), err)
+
+			ingWithClass, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), hostClass, metav1.GetOptions{})
+			assert.Nil(ginkgo.GinkgoT(), err)
+
+			ingWithClass.Spec.IngressClassName = nil
+			_, err = f.KubeClientSet.NetworkingV1().Ingresses(ingWithClass.Namespace).Update(context.TODO(), ingWithClass, metav1.UpdateOptions{})
+			assert.Nil(ginkgo.GinkgoT(), err)
+
+			framework.Sleep()
+
+			f.WaitForNginxConfiguration(func(cfg string) bool {
+				return !strings.Contains(cfg, "server_name foo-annotation") &&
+					!strings.Contains(cfg, "server_name foo-class")
+			})
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", hostAnnotation).
+				Expect().
+				Status(http.StatusNotFound)
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", hostClass).
+				Expect().
+				Status(http.StatusNotFound)
+		})
+
+		ginkgo.It("should serve Ingress when class is added", func() {
+			hostNoAnnotation := "foo-no-annotation"
+
+			ing := framework.NewSingleIngress(hostNoAnnotation, "/", hostNoAnnotation, f.Namespace, framework.EchoService, 80, nil)
+			ing.Spec.IngressClassName = nil
+			f.EnsureIngress(ing)
+
+			hostNoClass := "foo-no-class"
+			ing = framework.NewSingleIngress(hostNoClass, "/", hostNoClass, f.Namespace, framework.EchoService, 80, nil)
+			ing.Spec.IngressClassName = nil
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxConfiguration(func(cfg string) bool {
+				return !strings.Contains(cfg, "server_name foo-no-nnotation") &&
+					!strings.Contains(cfg, "server_name foo-no-class")
+			})
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", hostNoAnnotation).
+				Expect().
+				Status(http.StatusNotFound)
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", hostNoClass).
+				Expect().
+				Status(http.StatusNotFound)
+
+			ing, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), hostNoAnnotation, metav1.GetOptions{})
+			assert.Nil(ginkgo.GinkgoT(), err)
+
+			annotation := map[string]string{
+				ingressclass.IngressKey: ingressclass.DefaultAnnotationValue,
+			}
+			ing.Annotations = annotation
+			_, err = f.KubeClientSet.NetworkingV1().Ingresses(ing.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{})
+			assert.Nil(ginkgo.GinkgoT(), err)
+
+			ingWithClass, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), hostNoClass, metav1.GetOptions{})
+			assert.Nil(ginkgo.GinkgoT(), err)
+
+			ingWithClass.Spec.IngressClassName = framework.GetIngressClassName(f.Namespace)
+			_, err = f.KubeClientSet.NetworkingV1().Ingresses(ingWithClass.Namespace).Update(context.TODO(), ingWithClass, metav1.UpdateOptions{})
+			assert.Nil(ginkgo.GinkgoT(), err)
+
+			framework.Sleep()
+
+			f.WaitForNginxConfiguration(func(cfg string) bool {
+				return strings.Contains(cfg, "server_name foo-no-annotation") &&
+					strings.Contains(cfg, "server_name foo-no-class")
+			})
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", hostNoAnnotation).
+				Expect().
+				Status(http.StatusOK)
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", hostNoClass).
+				Expect().
+				Status(http.StatusOK)
+		})
+
+		ginkgo.It("should serve Ingress when class is updated between annotation and ingressClassName", func() {
+			hostAnnotation2class := "foo-annotation2class"
+			annotationClass := map[string]string{
+				ingressclass.IngressKey: ingressclass.DefaultAnnotationValue,
+			}
+			ing := framework.NewSingleIngress(hostAnnotation2class, "/", hostAnnotation2class, f.Namespace, framework.EchoService, 80, annotationClass)
+			ing.Spec.IngressClassName = nil
+			f.EnsureIngress(ing)
+
+			hostClass2Annotation := "foo-class2annotation"
+			ing = framework.NewSingleIngress(hostClass2Annotation, "/", hostClass2Annotation, f.Namespace, framework.EchoService, 80, nil)
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxConfiguration(func(cfg string) bool {
+				return strings.Contains(cfg, "server_name foo-annotation2class") &&
+					strings.Contains(cfg, "server_name foo-class2annotation")
+			})
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", hostAnnotation2class).
+				Expect().
+				Status(http.StatusOK)
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", hostClass2Annotation).
+				Expect().
+				Status(http.StatusOK)
+
+			ingAnnotation2Class, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), hostAnnotation2class, metav1.GetOptions{})
+			assert.Nil(ginkgo.GinkgoT(), err)
+
+			delete(ingAnnotation2Class.Annotations, ingressclass.IngressKey)
+			ingAnnotation2Class.Spec.IngressClassName = framework.GetIngressClassName(ingAnnotation2Class.Namespace)
+			_, err = f.KubeClientSet.NetworkingV1().Ingresses(ingAnnotation2Class.Namespace).Update(context.TODO(), ingAnnotation2Class, metav1.UpdateOptions{})
+			assert.Nil(ginkgo.GinkgoT(), err)
+
+			ingClass2Annotation, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), hostClass2Annotation, metav1.GetOptions{})
+			assert.Nil(ginkgo.GinkgoT(), err)
+
+			ingClass2Annotation.Spec.IngressClassName = nil
+			ingClass2Annotation.Annotations = annotationClass
+			_, err = f.KubeClientSet.NetworkingV1().Ingresses(ingClass2Annotation.Namespace).Update(context.TODO(), ingClass2Annotation, metav1.UpdateOptions{})
+			assert.Nil(ginkgo.GinkgoT(), err)
+
+			framework.Sleep()
+
+			f.WaitForNginxConfiguration(func(cfg string) bool {
+				return strings.Contains(cfg, "server_name foo-annotation2class") &&
+					strings.Contains(cfg, "server_name foo-class2annotation")
+			})
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", hostAnnotation2class).
+				Expect().
+				Status(http.StatusOK)
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", hostClass2Annotation).
+				Expect().
+				Status(http.StatusOK)
+		})
+
 	})
 
-	ginkgo.Context("With a specific ingress-class", func() {
+	ginkgo.Context("With specific ingress-class flags", func() {
 		ginkgo.BeforeEach(func() {
 			err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error {
 				args := []string{}
 				for _, v := range deployment.Spec.Template.Spec.Containers[0].Args {
-					if strings.Contains(v, "--ingress-class") {
+					if strings.Contains(v, "--ingress-class") && strings.Contains(v, "--controller-class") {
 						continue
 					}
 
@@ -132,6 +398,7 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() {
 				}
 
 				args = append(args, "--ingress-class=testclass")
+				args = append(args, "--controller-class=k8s.io/other-class")
 				deployment.Spec.Template.Spec.Containers[0].Args = args
 				_, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{})
 
@@ -140,25 +407,93 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() {
 			assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller deployment flags")
 		})
 
-		ginkgo.It("should ignore Ingress with no class", func() {
+		ginkgo.It("should ignore Ingress with no class and accept the correctly configured Ingresses", func() {
 			invalidHost := "bar"
 
 			ing := framework.NewSingleIngress(invalidHost, "/", invalidHost, f.Namespace, framework.EchoService, 80, nil)
+			ing.Spec.IngressClassName = nil
 			f.EnsureIngress(ing)
 
 			validHost := "foo"
 			annotations := map[string]string{
-				class.IngressKey: "testclass",
+				ingressclass.IngressKey: "testclass",
 			}
 			ing = framework.NewSingleIngress(validHost, "/", validHost, f.Namespace, framework.EchoService, 80, annotations)
+			// Delete the IngressClass as we want just the annotation here
+			ing.Spec.IngressClassName = nil
 			f.EnsureIngress(ing)
 
-			f.WaitForNginxServer(validHost, func(cfg string) bool {
-				return strings.Contains(cfg, "server_name foo")
-			})
+			validHostClass := "foobar123"
+			ing = framework.NewSingleIngress(validHostClass, "/", validHostClass, f.Namespace, framework.EchoService, 80, nil)
+			ing.Spec.IngressClassName = &otherIngressClassName
+			f.EnsureIngress(ing)
 
 			f.WaitForNginxConfiguration(func(cfg string) bool {
-				return !strings.Contains(cfg, "server_name bar")
+				return !strings.Contains(cfg, "server_name bar") &&
+					strings.Contains(cfg, "server_name foo") &&
+					strings.Contains(cfg, "server_name foobar123")
+			})
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", validHost).
+				Expect().
+				Status(http.StatusOK)
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", validHostClass).
+				Expect().
+				Status(http.StatusOK)
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", invalidHost).
+				Expect().
+				Status(http.StatusNotFound)
+		})
+
+	})
+
+	ginkgo.Context("With watch-ingress-without-class flag", func() {
+		ginkgo.BeforeEach(func() {
+			err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error {
+				args := []string{}
+				for _, v := range deployment.Spec.Template.Spec.Containers[0].Args {
+					if strings.Contains(v, "--watch-ingress-without-class") && strings.Contains(v, "--controller-class") {
+						continue
+					}
+
+					args = append(args, v)
+				}
+
+				args = append(args, "--watch-ingress-without-class")
+				deployment.Spec.Template.Spec.Containers[0].Args = args
+				_, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{})
+
+				return err
+			})
+			assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller deployment flags")
+		})
+
+		ginkgo.It("should watch Ingress with no class and ignore ingress with a different class", func() {
+			validHost := "bar"
+
+			ing := framework.NewSingleIngress(validHost, "/", validHost, f.Namespace, framework.EchoService, 80, nil)
+			ing.Spec.IngressClassName = nil
+			f.EnsureIngress(ing)
+
+			invalidHost := "foo"
+			annotations := map[string]string{
+				ingressclass.IngressKey: "testclass123",
+			}
+			ing = framework.NewSingleIngress(invalidHost, "/", invalidHost, f.Namespace, framework.EchoService, 80, annotations)
+			ing.Spec.IngressClassName = nil
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxConfiguration(func(cfg string) bool {
+				return strings.Contains(cfg, "server_name bar") &&
+					!strings.Contains(cfg, "server_name foo")
 			})
 
 			f.HTTPTestClient().
@@ -174,168 +509,5 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() {
 				Status(http.StatusNotFound)
 		})
 
-		ginkgo.It("should delete Ingress when class is removed", func() {
-			host := "foo"
-			annotations := map[string]string{
-				class.IngressKey: "testclass",
-			}
-			ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
-			f.EnsureIngress(ing)
-
-			f.WaitForNginxServer(host, func(cfg string) bool {
-				return strings.Contains(cfg, "server_name foo")
-			})
-
-			f.HTTPTestClient().
-				GET("/").
-				WithHeader("Host", host).
-				Expect().
-				Status(http.StatusOK)
-
-			ing, err := f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{})
-			assert.Nil(ginkgo.GinkgoT(), err)
-
-			delete(ing.Annotations, class.IngressKey)
-			_, err = f.KubeClientSet.NetworkingV1beta1().Ingresses(ing.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{})
-			assert.Nil(ginkgo.GinkgoT(), err)
-
-			framework.Sleep()
-
-			f.WaitForNginxConfiguration(func(cfg string) bool {
-				return !strings.Contains(cfg, "server_name foo")
-			})
-
-			f.HTTPTestClient().
-				GET("/").
-				WithHeader("Host", host).
-				Expect().
-				Status(http.StatusNotFound)
-		})
-	})
-
-	ginkgo.It("check scenarios for IngressClass and ingress.class annotation", func() {
-		if !f.IsIngressV1Beta1Ready {
-			ginkgo.Skip("Test requires Kubernetes v1.18 or higher")
-		}
-
-		pod := f.GetIngressNGINXPod()
-
-		crb, err := f.KubeClientSet.RbacV1().ClusterRoleBindings().Get(context.Background(), "ingress-nginx-class", metav1.GetOptions{})
-		assert.Nil(ginkgo.GinkgoT(), err, "searching cluster role binding")
-
-		// add service of current namespace
-		crb.Subjects = append(crb.Subjects, rbacv1.Subject{
-			APIGroup:  "",
-			Kind:      "ServiceAccount",
-			Name:      pod.Spec.ServiceAccountName,
-			Namespace: f.Namespace,
-		})
-
-		_, err = f.KubeClientSet.RbacV1().ClusterRoleBindings().Update(context.Background(), crb, metav1.UpdateOptions{})
-		assert.Nil(ginkgo.GinkgoT(), err, "searching cluster role binding")
-
-		err = f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error {
-			args := []string{}
-			for _, v := range deployment.Spec.Template.Spec.Containers[0].Args {
-				if strings.Contains(v, "--ingress-class") {
-					continue
-				}
-
-				args = append(args, v)
-			}
-
-			args = append(args, fmt.Sprintf("--ingress-class=%v", testIngressClassName))
-			deployment.Spec.Template.Spec.Containers[0].Args = args
-			_, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{})
-			return err
-		})
-		assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller deployment flags")
-
-		host := "ingress.class"
-
-		ginkgo.By("only having IngressClassName")
-		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)
-		ing.Spec.IngressClassName = &testIngressClassName
-		f.EnsureIngress(ing)
-
-		f.WaitForNginxConfiguration(func(cfg string) bool {
-			return strings.Contains(cfg, fmt.Sprintf("server_name %v", host))
-		})
-
-		f.HTTPTestClient().
-			GET("/").
-			WithHeader("Host", host).
-			Expect().
-			Status(http.StatusOK)
-
-		ginkgo.By("only having ingress.class annotation")
-		ing, err = f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{})
-		assert.Nil(ginkgo.GinkgoT(), err)
-
-		ing.Annotations = map[string]string{
-			class.IngressKey: testIngressClassName,
-		}
-		ing.Spec.IngressClassName = nil
-
-		_, err = f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{})
-		assert.Nil(ginkgo.GinkgoT(), err)
-
-		f.WaitForNginxConfiguration(func(cfg string) bool {
-			return strings.Contains(cfg, fmt.Sprintf("server_name %v", host))
-		})
-
-		framework.Sleep()
-
-		f.HTTPTestClient().
-			GET("/").
-			WithHeader("Host", host).
-			Expect().
-			Status(http.StatusOK)
-
-		ginkgo.By("having an invalid ingress.class annotation and no IngressClassName")
-		ing, err = f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{})
-		assert.Nil(ginkgo.GinkgoT(), err)
-
-		ing.Annotations = map[string]string{
-			class.IngressKey: "invalid",
-		}
-		ing.Spec.IngressClassName = nil
-
-		_, err = f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{})
-		assert.Nil(ginkgo.GinkgoT(), err)
-
-		framework.Sleep()
-
-		f.WaitForNginxConfiguration(func(cfg string) bool {
-			return !strings.Contains(cfg, fmt.Sprintf("server_name %v", host))
-		})
-
-		f.HTTPTestClient().
-			GET("/").
-			WithHeader("Host", host).
-			Expect().
-			Status(http.StatusNotFound)
-
-		ginkgo.By("not having ingress.class annotation and invalid IngressClassName")
-		ing, err = f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{})
-		assert.Nil(ginkgo.GinkgoT(), err)
-		ing.Annotations = map[string]string{}
-		invalidClassName := "invalidclass"
-		ing.Spec.IngressClassName = &invalidClassName
-
-		_, err = f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{})
-		assert.Nil(ginkgo.GinkgoT(), err)
-
-		framework.Sleep()
-
-		f.WaitForNginxConfiguration(func(cfg string) bool {
-			return !strings.Contains(cfg, fmt.Sprintf("server_name %v", host))
-		})
-
-		f.HTTPTestClient().
-			GET("/").
-			WithHeader("Host", host).
-			Expect().
-			Status(http.StatusNotFound)
 	})
 })
diff --git a/test/e2e/settings/no_auth_locations.go b/test/e2e/settings/no_auth_locations.go
index dd7112b5a..2d32b05d6 100644
--- a/test/e2e/settings/no_auth_locations.go
+++ b/test/e2e/settings/no_auth_locations.go
@@ -25,9 +25,8 @@ import (
 	"github.com/onsi/ginkgo"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )
 
@@ -96,6 +95,7 @@ var _ = framework.DescribeSetting("[Security] no-auth-locations", func() {
 })
 
 func buildBasicAuthIngressWithSecondPath(host, namespace, secretName, pathName string) *networking.Ingress {
+	pathtype := networking.PathTypePrefix
 	return &networking.Ingress{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      host,
@@ -106,6 +106,7 @@ func buildBasicAuthIngressWithSecondPath(host, namespace, secretName, pathName s
 			},
 		},
 		Spec: networking.IngressSpec{
+			IngressClassName: framework.GetIngressClassName(namespace),
 			Rules: []networking.IngressRule{
 				{
 					Host: host,
@@ -113,17 +114,27 @@ func buildBasicAuthIngressWithSecondPath(host, namespace, secretName, pathName s
 						HTTP: &networking.HTTPIngressRuleValue{
 							Paths: []networking.HTTPIngressPath{
 								{
-									Path: "/",
+									Path:     "/",
+									PathType: &pathtype,
 									Backend: networking.IngressBackend{
-										ServiceName: framework.EchoService,
-										ServicePort: intstr.FromInt(80),
+										Service: &networking.IngressServiceBackend{
+											Name: framework.EchoService,
+											Port: networking.ServiceBackendPort{
+												Number: int32(80),
+											},
+										},
 									},
 								},
 								{
-									Path: pathName,
+									Path:     pathName,
+									PathType: &pathtype,
 									Backend: networking.IngressBackend{
-										ServiceName: framework.EchoService,
-										ServicePort: intstr.FromInt(80),
+										Service: &networking.IngressServiceBackend{
+											Name: framework.EchoService,
+											Port: networking.ServiceBackendPort{
+												Number: int32(80),
+											},
+										},
 									},
 								},
 							},
diff --git a/test/e2e/settings/server_tokens.go b/test/e2e/settings/server_tokens.go
index 43ccc86d3..e84639b08 100644
--- a/test/e2e/settings/server_tokens.go
+++ b/test/e2e/settings/server_tokens.go
@@ -21,13 +21,13 @@ import (
 
 	"github.com/onsi/ginkgo"
 
-	networking "k8s.io/api/networking/v1beta1"
+	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )
 
 var _ = framework.DescribeSetting("server-tokens", func() {
+	pathtype := networking.PathTypePrefix
 	f := framework.NewDefaultFramework("server-tokens")
 	serverTokens := "server-tokens"
 
@@ -57,6 +57,7 @@ var _ = framework.DescribeSetting("server-tokens", func() {
 				Annotations: map[string]string{},
 			},
 			Spec: networking.IngressSpec{
+				IngressClassName: &f.IngressClass,
 				Rules: []networking.IngressRule{
 					{
 						Host: serverTokens,
@@ -64,10 +65,15 @@ var _ = framework.DescribeSetting("server-tokens", func() {
 							HTTP: &networking.HTTPIngressRuleValue{
 								Paths: []networking.HTTPIngressPath{
 									{
-										Path: "/",
+										Path:     "/",
+										PathType: &pathtype,
 										Backend: networking.IngressBackend{
-											ServiceName: framework.EchoService,
-											ServicePort: intstr.FromInt(80),
+											Service: &networking.IngressServiceBackend{
+												Name: framework.EchoService,
+												Port: networking.ServiceBackendPort{
+													Number: int32(80),
+												},
+											},
 										},
 									},
 								},
diff --git a/test/e2e/status/update.go b/test/e2e/status/update.go
index af0c6b9a4..23679afdc 100644
--- a/test/e2e/status/update.go
+++ b/test/e2e/status/update.go
@@ -84,17 +84,17 @@ var _ = framework.IngressNginxDescribe("[Status] status update", func() {
 		err = cmd.Process.Kill()
 		assert.Nil(ginkgo.GinkgoT(), err, "unexpected error terminating kubectl proxy")
 
-		ing, err = f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{})
+		ing, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{})
 		assert.Nil(ginkgo.GinkgoT(), err, "unexpected error getting %s/%v Ingress", f.Namespace, host)
 
 		ing.Status.LoadBalancer.Ingress = []apiv1.LoadBalancerIngress{}
-		_, err = f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).UpdateStatus(context.TODO(), ing, metav1.UpdateOptions{})
+		_, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).UpdateStatus(context.TODO(), ing, metav1.UpdateOptions{})
 		assert.Nil(ginkgo.GinkgoT(), err, "unexpected error cleaning Ingress status")
 		framework.Sleep(10 * time.Second)
 
 		err = f.KubeClientSet.CoreV1().
 			ConfigMaps(f.Namespace).
-			Delete(context.TODO(), "ingress-controller-leader-nginx", metav1.DeleteOptions{})
+			Delete(context.TODO(), "ingress-controller-leader", metav1.DeleteOptions{})
 		assert.Nil(ginkgo.GinkgoT(), err, "unexpected error deleting leader election configmap")
 
 		_, cmd, err = f.KubectlProxy(port)
@@ -109,7 +109,7 @@ var _ = framework.IngressNginxDescribe("[Status] status update", func() {
 		}()
 
 		err = wait.Poll(5*time.Second, 4*time.Minute, func() (done bool, err error) {
-			ing, err = f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{})
+			ing, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{})
 			if err != nil {
 				return false, nil
 			}
diff --git a/test/e2e/wait-for-nginx.sh b/test/e2e/wait-for-nginx.sh
index 1eb8b32cc..9a37d1ffc 100755
--- a/test/e2e/wait-for-nginx.sh
+++ b/test/e2e/wait-for-nginx.sh
@@ -73,6 +73,10 @@ controller:
     periodSeconds: 1
   service:
     type: NodePort
+  electionID: ingress-controller-leader
+  ingressClassResource:
+    # We will create and remove each IC/ClusterRole/ClusterRoleBinding per test so there's no conflict
+    enabled: false
   extraArgs:
     tcp-services-configmap: $NAMESPACE/tcp-services
     # e2e tests do not require information about ingress status

From 5e5faa24d2bc6f0aab686ef45152fcf6d985ca95 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Sun, 22 Aug 2021 15:39:59 -0300
Subject: [PATCH 062/376] Update runner go version (#7526)

---
 images/test-runner/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile
index 57db0c37e..5c7b47d66 100644
--- a/images/test-runner/Makefile
+++ b/images/test-runner/Makefile
@@ -39,7 +39,7 @@ build: ensure-buildx
 		--progress=$(PROGRESS) \
 		--pull \
 		--build-arg BASE_IMAGE=$(NGINX_BASE_IMAGE) \
-		--build-arg GOLANG_VERSION=1.16.7 \
+		--build-arg GOLANG_VERSION=1.17.0 \
 		--build-arg ETCD_VERSION=3.4.3-0 \
 		--build-arg K8S_RELEASE=v1.21.3 \
 		--build-arg RESTY_CLI_VERSION=0.27 \

From 605c243d7ae49e11202ea106bebc205b45b26333 Mon Sep 17 00:00:00 2001
From: amirschw <24677563+amirschw@users.noreply.github.com>
Date: Sun, 22 Aug 2021 22:05:59 +0300
Subject: [PATCH 063/376] [Helm] Make HPA behavior configurable (#7203)

Signed-off-by: amirschw <24677563+amirschw@users.noreply.github.com>
---
 .../ci/deployment-autoscaling-behavior-values.yaml | 14 ++++++++++++++
 charts/ingress-nginx/templates/controller-hpa.yaml | 12 ++++++++----
 charts/ingress-nginx/values.yaml                   | 13 +++++++++++++
 3 files changed, 35 insertions(+), 4 deletions(-)
 create mode 100644 charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml

diff --git a/charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml b/charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml
new file mode 100644
index 000000000..dca3f35f8
--- /dev/null
+++ b/charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml
@@ -0,0 +1,14 @@
+controller:
+  autoscaling:
+    enabled: true
+    behavior:
+      scaleDown:
+        stabilizationWindowSeconds: 300
+        policies:
+        - type: Pods
+          value: 1
+          periodSeconds: 180
+  admissionWebhooks:
+    enabled: false
+  service:
+    type: ClusterIP
diff --git a/charts/ingress-nginx/templates/controller-hpa.yaml b/charts/ingress-nginx/templates/controller-hpa.yaml
index fb14bdf6a..876315f33 100644
--- a/charts/ingress-nginx/templates/controller-hpa.yaml
+++ b/charts/ingress-nginx/templates/controller-hpa.yaml
@@ -22,9 +22,9 @@ spec:
   maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }}
   metrics:
   {{- with .Values.controller.autoscaling.targetMemoryUtilizationPercentage }}
-  - type: Resource 
-    resource: 
-      name: memory 
+  - type: Resource
+    resource:
+      name: memory
       target:
         type: Utilization
         averageUtilization: {{ . }}
@@ -38,7 +38,11 @@ spec:
         averageUtilization: {{ . }}
   {{- end }}
   {{- with .Values.controller.autoscalingTemplate }}
-{{- toYaml . | nindent 2 }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+  {{- with .Values.controller.autoscaling.behavior }}
+  behavior:
+    {{- toYaml . | nindent 4 }}
   {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 1c3c1e021..08f915661 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -338,6 +338,19 @@ controller:
     maxReplicas: 11
     targetCPUUtilizationPercentage: 50
     targetMemoryUtilizationPercentage: 50
+    behavior: {}
+      # scaleDown:
+      #   stabilizationWindowSeconds: 300
+      #  policies:
+      #   - type: Pods
+      #     value: 1
+      #     periodSeconds: 180
+      # scaleUp:
+      #   stabilizationWindowSeconds: 300
+      #   policies:
+      #   - type: Pods
+      #     value: 2
+      #     periodSeconds: 60
 
   autoscalingTemplate: []
   # Custom or additional autoscaling metrics

From f8372dbce9b583140cce7f379bc7f746712c3dcb Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Mon, 23 Aug 2021 08:38:00 -0700
Subject: [PATCH 064/376] improve RELEASE.md (#7525)

---
 RELEASE.md | 277 ++++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 219 insertions(+), 58 deletions(-)

diff --git a/RELEASE.md b/RELEASE.md
index 659617c10..f352d98ac 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -1,80 +1,241 @@
-1. [NGINX](https://github.com/kubernetes/ingress-nginx/tree/main/images/nginx)
+# RELEASE PROCESS
 
-* Open pull request
-  
-If you are updating any component in [build.sh](images/nginx/rootfs/build.sh) please also update the SHA256 checksum of that component as 
-  well, the cloud build will fail with an exit 10 if not.  
-Example [NGINX_VERSION](images/nginx/rootfs/build.sh#L21),
-[SHA256](images/nginx/rootfs/build.sh#L124) 
-* Merge
-* Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx)
+## 1. BUILD the new Ingress-Nginx-Controller image 
 
-1a. Promote images:
+### a. Make changes in codebase
 
-Open pull request to promote staging image:
-[add sha - version](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml#L1)
+- Make changes as per issue
 
-The sha is available in output from [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx)
+### b. Make changes to appropriate files in [images directory ](images)
 
-2. Change to images:
+- Make changes in /images 
+
+### c. Create PR
+
+- Open a PR to fire cloudbuild of a new image for the Ingress-Nginx-Controller
+
+  - In case of rare CVE fix or other reason to rebuild the nginx-base-image itself, look at the /images directory  [NGINX Base Image](https://github.com/kubernetes/ingress-nginx/tree/main/images/nginx)
+
+  - Example [NGINX_VERSION](images/nginx/rootfs/build.sh#L21),
+
+  - [SHA256](images/nginx/rootfs/build.sh#L124) 
+
+  - If you are updating any component in [build.sh](images/nginx/rootfs/build.sh) please also update the SHA256 checksum of that component as well, the cloud build will fail with an exit 10 if not.  
+
+### d. Merge
+
+- Merging success should fire cloudbuild
+
+### e. Make sure cloudbuild is a success
+
+- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx)
+
+- Proceed only after cloud-build is successful in building a new Ingress-Nginx-Controller image.
+
+
+## 2. If applicable, BUILD other images
+
+- If applicable, then build a new image of any other related component, ONLY IF APPLICABLE TO THE RELEASE
+
+### a. If applicable then make changes in relevant codebase
+
+- Change code as per issue
+
+### b. Make changes to appropriate files in [images directory ](images)
+
+- Sometimes, you may also be needing to rebuild, images for one or multiple other related components of the Ingress-Nginx-Controller ecosystem. Make changes to the required files in the /images directory, if/as applicable, in the context of the release you are attempting.  :
    
-* [e2e](https://github.com/kubernetes/ingress-nginx/tree/main/images/test-runner)
+  - [e2e](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e-image)
 
-    * [test-runner](https://github.com/kubernetes/ingress-nginx/tree/main/images/echo)
-    * [echo](https://github.com/kubernetes/ingress-nginx/tree/main/images/echo)
-    * [cfssl](https://github.com/kubernetes/ingress-nginx/tree/main/images/cfssl)
-    * [fastcgi-helloserver](https://github.com/kubernetes/ingress-nginx/tree/main/images/fastcgi-helloserver)
-    * [httpbin](https://github.com/kubernetes/ingress-nginx/tree/main/images/httpbin)
+    - Update references to e2e-test-runner image [If applicable] :
 
-* Open pull request
-* Merge
-* Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx)
+      - [e2e-image](https://github.com/kubernetes/ingress-nginx/blob/main/test/e2e-image/Dockerfile#L1)
+      - [run-in-docker.sh](https://github.com/kubernetes/ingress-nginx/blob/main/build/run-in-docker.sh#L37)
 
-2a. Promote images:
+  - [test-runner](https://github.com/kubernetes/ingress-nginx/tree/main/images/test-runner)
 
-* Open pull request to promote [staging image](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml)
-    * e2e-test-runner
-    * e2e-test-cfssl
-    * e2e-test-echo
-    * e2e-test-fastcgi-helloserver
-    * e2e-test-httpbin
+  - [echo](https://github.com/kubernetes/ingress-nginx/tree/main/images/echo)
 
-3. Update references to e2e-test-runner image:
+  - [cfssl](https://github.com/kubernetes/ingress-nginx/tree/main/images/cfssl)
 
-* [e2e-image](https://github.com/kubernetes/ingress-nginx/blob/main/test/e2e-image/Dockerfile#L1)
-* [run-in-docker.sh](https://github.com/kubernetes/ingress-nginx/blob/ff60aa9e2b5377db1544091b98f475a90a630297/build/run-in-docker.sh#L37)
+  - [fastcgi-helloserver](https://github.com/kubernetes/ingress-nginx/tree/main/images/fastcgi-helloserver)
 
-4. Prepare for a new release:
+  - [httpbin](https://github.com/kubernetes/ingress-nginx/tree/main/images/httpbin)
 
-* Change [TAG](https://github.com/kubernetes/ingress-nginx/blob/main/TAG#L1)
-* Open pull request
-* Merge
-* [Wait for cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx)
+  - [kube-webhook-certgen](https://github.com/kubernetes/ingress-nginx/tree/main/images/kube-webhook-certgen)
 
-4a. Promote images:
+### c. Create PR
 
-* Open pull request to promote [staging image](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml)
-  * controller
+- Open pull request(s) accordingly, to fire cloudbuild for rebuilding the component's image (if applicable).
 
-5. Release helm chart:
+### d. Merge
 
-* Open pull request updating [Chart.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/Chart.yaml#L3-L4)
-* Merge
-* [New helm chart is available](https://github.com/kubernetes/ingress-nginx/blob/main/.github/workflows/main.yaml#L47-L68)
+- Merging success should fire cloudbuild
 
-6. New release:
+### e. Make sure cloudbuild is a success
 
-* Update static scripts:
-    * [generate-deploy-scripts.sh](https://github.com/kubernetes/ingress-nginx/blob/main/hack/generate-deploy-scripts.sh)
-    * Open pull request with the updates
-    * Merge
+- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx)
 
-* Update Changelog and Documentation:
-    * Open pull request updating [Changelog.md](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md)
-    * Update the version in [docs/deploy/index.md](docs/deploy/index.md)
-    * Update Supported versions in the Support Versions table in the README.md 
-    * Merge
+- Proceed only after cloud-build is successful in building a new Ingress-Nginx-Controller image.
 
-* Update the stable.txt file to reflect the release to be created
-      
-7. Github release
+
+## 3. PROMOTE the Image(s):
+
+### a. Get the sha
+
+- Get the sha of the new image(s) of the controller, (and any other component image IF APPLICABLE to release), from the cloudbuild, from steps above 
+
+  - The sha is available in output from [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx)
+
+  - The sha is also visible here https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx/global/controller
+
+### b. Insert the sha(s) in another project
+
+- This sha(s) (and the tag(s) for the new image(s) has to be inserted, as a new line, in a file, in another project of Kubernetes. 
+
+- Fork that other project (if you don't have a fork already).
+
+- Other project to fork  [Github repo kubernetes/k8s.io](http://github.com/kubernetes/k8s.io)
+
+- Fetch --all and rebase to upstream if already forked.
+
+- Create a branch in your fork, named as the issue number for this release
+
+- In the related branch, of your fork, edit the file /k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml.
+
+- For making it easier, you can edit your branch directly in the browser. But be careful about making any mistake.
+
+- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml)  Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/2536) to see how it was done before 
+
+- Save and commit
+
+### c. Create PR
+
+- Open pull request to promote the new controller image.
+
+### d. Merge
+
+- Merge success is required for next step
+
+- Proceed only after cloud-build is successful in building a new Ingress-Nginx-Controller image.
+
+
+## 4. PREPARE for a new Release
+
+- This involves editing of several different files. So carefully follow the steps below and double check all changes with diff/grep etc., repeatedly. Mistakes here impact endusers.
+
+### a. Make sure your git workspace is ready
+
+- Get your git workspace ready 
+
+  - If not using a pre-existing fork, then Fork the repo kubernetes/ingress-nginx
+
+  - Clone (to laptop or wherever)
+
+  - Add upstream
+
+  - Set upstream url to no_push
+
+  - Checkout & switch to branch, named as per related new-release-issue-number
+
+  - If already forked, and upstream already added, then `git fetch --all` and `git rebase upstream/main` (not  origin)
+
+  - Checkout a branch in your fork's clone
+
+  - Perform any other diligence as needed
+
+- Prefer to edit only and only in your branch, in your Fork
+
+### b. Edit the semver tag
+  - [TAG](https://github.com/kubernetes/ingress-nginx/blob/main/TAG#L1)
+
+### c. Edit the helm Chart
+  - Change the below mentioned [Fields in Chart.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/Chart.yaml)
+    - version
+    - appVersion
+    - kubeVersion (**ONLY if applicable**)
+    - annotations
+      - artifacthub.io/prerelease: "true" 
+      - artifacthub.io/changes: |
+        - Add the titles of the PRs merged after previous release
+
+### d. Edit the values.yaml
+  - [Fields to edit in values.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml)
+
+    - tag
+    - digest
+
+### e. Edit the static manifests
+
+  - Prepare to use a script to update the edit the static manifests and set the "image", "digest", "version" etc. fields to the desired value.
+
+
+  - This script depends on python and a specific python package `pip3 install ruamel.yaml`
+
+  - Execute the script to update static manifests using that script [generate-deploy-scripts.sh](https://github.com/kubernetes/ingress-nginx/blob/main/hack/generate-deploy-scripts.sh)
+  - Open some of the manifests and check if the script worked properly
+
+  - Use grep -ir to search for any misses by the script or undesired changes
+
+  - The script should properly set the image and the digest fields to the desired tag and semver
+
+  - Manually fix one problem that the script can not take care of.
+
+    - This problem is wrong formatting of a snippet in the file [deploy-tls-termination.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/deploy/static/provider/aws/deploy-tls-termination.yaml)
+    - In the configMap section, for the configMap named ingress-nginx-controller, the "configMap.data" spec has a snippet
+
+    - This snippet becomes a single line, formatted with the newline character "\n"
+
+    - That single line formatted with "\n" needs to be changed as it does not meet yaml requirements
+
+    - At the time of writing this doc, the 'configMap.data' spec is at line number 39.
+
+    - So editing begins at line 40 (at the time of writing this doc)
+
+    - Make that snippet look like this ;
+      ```
+      data:
+        http-snippet:|
+          server{
+          listen 2443;
+          return 308 https://$host$request_uri;
+          }
+      ```
+
+### f. Edit the changelog
+  [Changelog.md](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md) 
+    - Add the PRs merged after previous release
+    - One useful command to get this list is
+      ```
+      git log controller-v0.48.1..HEAD --pretty=%s
+      ```
+
+### g. Edit the Documentation:
+    - Update the version in [docs/deploy/index.md](docs/deploy/index.md)
+    - Update Supported versions in the Support Versions table in the README.md 
+
+### h. Edit stable.txt
+
+- Edit the [stable.txt](stable.txt) file(if applicable), in the root of the repo, to reflect the release to be created
+- Criteria is a release that has been GA for a while but reported issues are not bugs but mostly /kind support or feature
+
+## 5. RELEASE new version
+
+### a. Create PR
+
+- Open PR for releasing the new version of the Ingress-Nginx-Controller ;
+  - Look at this PR for how it was done before [example PR](https://github.com/kubernetes/ingress-nginx/pull/7490)
+  - Create a PR 
+
+### b. Merge
+
+- Merge should produce manifests as well as chart
+- Check
+ - `helm repo update`
+ - `helm search repo ingress-nginx`
+
+## 6. Github release
+
+- Release to github
+
+- Edit the ghpages file as needed

From 623436ef65ec2f30edcf9c845f6976ccce1a986d Mon Sep 17 00:00:00 2001
From: Emily L Shepherd <emily@redcoat.dev>
Date: Mon, 23 Aug 2021 18:08:01 +0100
Subject: [PATCH 065/376] Add appProtocol field to all ServicePorts (#7493)

Minor update to the helm chart to set the [appProtocol][1] field on all
http / https ports defined in the various services created by the helm
chart:

- http and https for controller-service
- http and https for controller-service-internal
- https for controler-service-webhook
- http for default-backend-service

These are only added in kubernetes >= 1.20, which is when this feature
became stable.

[1]: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol
---
 .../templates/controller-service-internal.yaml              | 6 ++++++
 .../ingress-nginx/templates/controller-service-webhook.yaml | 3 +++
 charts/ingress-nginx/templates/controller-service.yaml      | 6 ++++++
 charts/ingress-nginx/templates/default-backend-service.yaml | 3 +++
 4 files changed, 18 insertions(+)

diff --git a/charts/ingress-nginx/templates/controller-service-internal.yaml b/charts/ingress-nginx/templates/controller-service-internal.yaml
index 0bb966127..09c942eb2 100644
--- a/charts/ingress-nginx/templates/controller-service-internal.yaml
+++ b/charts/ingress-nginx/templates/controller-service-internal.yaml
@@ -32,6 +32,9 @@ spec:
       port: {{ .Values.controller.service.ports.http }}
       protocol: TCP
       targetPort: {{ .Values.controller.service.targetPorts.http }}
+    {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
+      appProtocol: http
+    {{- end }}
     {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }}
       nodePort: {{ .Values.controller.service.nodePorts.http }}
     {{- end }}
@@ -41,6 +44,9 @@ spec:
       port: {{ .Values.controller.service.ports.https }}
       protocol: TCP
       targetPort: {{ .Values.controller.service.targetPorts.https }}
+    {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
+      appProtocol: https
+    {{- end }}
     {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }}
       nodePort: {{ .Values.controller.service.nodePorts.https }}
     {{- end }}
diff --git a/charts/ingress-nginx/templates/controller-service-webhook.yaml b/charts/ingress-nginx/templates/controller-service-webhook.yaml
index 228cb59d8..ae3b1fc92 100644
--- a/charts/ingress-nginx/templates/controller-service-webhook.yaml
+++ b/charts/ingress-nginx/templates/controller-service-webhook.yaml
@@ -28,6 +28,9 @@ spec:
     - name: https-webhook
       port: 443
       targetPort: webhook
+    {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
+      appProtocol: https
+    {{- end }}
   selector:
     {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
     app.kubernetes.io/component: controller
diff --git a/charts/ingress-nginx/templates/controller-service.yaml b/charts/ingress-nginx/templates/controller-service.yaml
index 908291cff..924881845 100644
--- a/charts/ingress-nginx/templates/controller-service.yaml
+++ b/charts/ingress-nginx/templates/controller-service.yaml
@@ -44,6 +44,9 @@ spec:
       port: {{ .Values.controller.service.ports.http }}
       protocol: TCP
       targetPort: {{ .Values.controller.service.targetPorts.http }}
+    {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
+      appProtocol: http
+    {{- end }}
     {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }}
       nodePort: {{ .Values.controller.service.nodePorts.http }}
     {{- end }}
@@ -53,6 +56,9 @@ spec:
       port: {{ .Values.controller.service.ports.https }}
       protocol: TCP
       targetPort: {{ .Values.controller.service.targetPorts.https }}
+    {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
+      appProtocol: https
+    {{- end }}
     {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }}
       nodePort: {{ .Values.controller.service.nodePorts.https }}
     {{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-service.yaml b/charts/ingress-nginx/templates/default-backend-service.yaml
index 7624ab36c..f59eb1e7c 100644
--- a/charts/ingress-nginx/templates/default-backend-service.yaml
+++ b/charts/ingress-nginx/templates/default-backend-service.yaml
@@ -29,6 +29,9 @@ spec:
       port: {{ .Values.defaultBackend.service.servicePort }}
       protocol: TCP
       targetPort: http
+    {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
+      appProtocol: http
+    {{- end }}
   selector:
     {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend

From c43ea4d6e1ef2a581684871b7f6661c3d65f1448 Mon Sep 17 00:00:00 2001
From: Swift <yuswift2018@gmail.com>
Date: Tue, 24 Aug 2021 05:25:25 +0800
Subject: [PATCH 066/376] Update ingress to go 1.17 (#7521)

* bump go.mod to 1.17

* bump github ci workflow to go 1.17

* bump e2e-test-runner version

* fix go mod error

* fix go fmt error

* fix boilerplate verification
---
 .github/workflows/ci.yaml                 |   4 +-
 build/run-in-docker.sh                    |   2 +-
 go.mod                                    | 103 +++++++++++++++++++++-
 hack/boilerplate/boilerplate.py           |   2 +-
 hack/tools.go                             |   1 +
 internal/ingress/zz_generated.deepcopy.go |   1 +
 internal/k8s/zz_generated.deepcopy.go     |   1 +
 internal/runtime/cpu_linux.go             |   1 +
 internal/runtime/cpu_notlinux.go          |   1 +
 test/e2e-image/Dockerfile                 |   2 +-
 10 files changed, 112 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 7470325cc..703be9cb3 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -63,11 +63,11 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v2
 
-      - name: Set up Go 1.16
+      - name: Set up Go 1.17
         id: go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.16
+          go-version: 1.17
 
       - name: Set up Docker Buildx
         id: buildx
diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh
index 01211c796..debbe9752 100755
--- a/build/run-in-docker.sh
+++ b/build/run-in-docker.sh
@@ -37,7 +37,7 @@ function cleanup {
 }
 trap cleanup EXIT
 
-E2E_IMAGE=${E2E_IMAGE:-k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210810-g820a21a74@sha256:7d7393a8c6c72d76145282df53ea0679a5b769211fd1cd6b8910b6dda1bd986d}
+E2E_IMAGE=${E2E_IMAGE:-k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210822-g5e5faa24d@sha256:55c568d9e35e15d94b3ab41fe549b8ee4cd910cc3e031ddcccd06256755c5d89}
 
 DOCKER_OPTS=${DOCKER_OPTS:-}
 DOCKER_IN_DOCKER_ENABLED=${DOCKER_IN_DOCKER_ENABLED:-}
diff --git a/go.mod b/go.mod
index 302b451a6..4c8d4596f 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module k8s.io/ingress-nginx
 
-go 1.16
+go 1.17
 
 require (
 	github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a
@@ -46,3 +46,104 @@ require (
 	sigs.k8s.io/controller-runtime v0.9.5
 	sigs.k8s.io/mdtoc v1.0.1
 )
+
+require (
+	cloud.google.com/go v0.81.0 // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.12 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.5 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.0 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/BurntSushi/toml v0.3.1 // indirect
+	github.com/PuerkitoBio/purell v1.1.1 // indirect
+	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
+	github.com/ajg/form v1.5.1 // indirect
+	github.com/andybalholm/brotli v1.0.2 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver v3.5.1+incompatible // indirect
+	github.com/cespare/xxhash/v2 v2.1.1 // indirect
+	github.com/coreos/go-systemd/v22 v22.3.2 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.2 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/eapache/queue v1.1.0 // indirect
+	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
+	github.com/evanphx/json-patch v4.11.0+incompatible // indirect
+	github.com/fatih/structs v1.0.0 // indirect
+	github.com/form3tech-oss/jwt-go v3.2.2+incompatible // indirect
+	github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b // indirect
+	github.com/go-errors/errors v1.0.1 // indirect
+	github.com/go-logr/logr v0.4.0 // indirect
+	github.com/go-openapi/jsonpointer v0.19.3 // indirect
+	github.com/go-openapi/jsonreference v0.19.3 // indirect
+	github.com/go-openapi/spec v0.19.5 // indirect
+	github.com/go-openapi/swag v0.19.5 // indirect
+	github.com/godbus/dbus/v5 v5.0.4 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/gomarkdown/markdown v0.0.0-20200824053859-8c8b3816f167 // indirect
+	github.com/google/btree v1.0.0 // indirect
+	github.com/google/go-cmp v0.5.5 // indirect
+	github.com/google/go-querystring v1.0.0 // indirect
+	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
+	github.com/google/uuid v1.2.0 // indirect
+	github.com/googleapis/gnostic v0.5.5 // indirect
+	github.com/gorilla/websocket v1.4.2 // indirect
+	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
+	github.com/hashicorp/golang-lru v0.5.4 // indirect
+	github.com/imkira/go-interpol v1.0.0 // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/klauspost/compress v1.12.2 // indirect
+	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
+	github.com/mailru/easyjson v0.7.0 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/mmarkdown/mmark v2.0.40+incompatible // indirect
+	github.com/moby/sys/mountinfo v0.4.1 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.1 // indirect
+	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
+	github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833 // indirect
+	github.com/nxadm/tail v1.4.8 // indirect
+	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 // indirect
+	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
+	github.com/prometheus/procfs v0.6.0 // indirect
+	github.com/sergi/go-diff v1.1.0 // indirect
+	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/valyala/bytebufferpool v1.0.0 // indirect
+	github.com/valyala/fasthttp v1.27.0 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v1.1.0 // indirect
+	github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect
+	github.com/yalp/jsonpath v0.0.0-20180802001716-5cc68e5049a0 // indirect
+	github.com/yudai/gojsondiff v1.0.0 // indirect
+	github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
+	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
+	go.uber.org/atomic v1.7.0 // indirect
+	go.uber.org/multierr v1.6.0 // indirect
+	go.uber.org/zap v1.18.1 // indirect
+	golang.org/x/mod v0.4.2 // indirect
+	golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c // indirect
+	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect
+	golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d // indirect
+	golang.org/x/text v0.3.6 // indirect
+	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
+	golang.org/x/tools v0.1.2 // indirect
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c // indirect
+	google.golang.org/protobuf v1.26.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027 // indirect
+	k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7 // indirect
+	moul.io/http2curl v1.0.1-0.20190925090545-5cd742060b0e // indirect
+	sigs.k8s.io/kustomize/api v0.8.8 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.10.17 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.1.2 // indirect
+	sigs.k8s.io/yaml v1.2.0 // indirect
+)
diff --git a/hack/boilerplate/boilerplate.py b/hack/boilerplate/boilerplate.py
index 614c6ef67..01a74d067 100755
--- a/hack/boilerplate/boilerplate.py
+++ b/hack/boilerplate/boilerplate.py
@@ -193,7 +193,7 @@ def get_regexs():
         '(%s)' % "|".join(map(lambda l: str(l), years)))
     # strip // +build \n\n build constraints
     regexs["go_build_constraints"] = re.compile(
-        r"^(// \+build.*\n)+\n", re.MULTILINE)
+        r"^((// \+build.*\n)|(//go:build.*\n))+\n", re.MULTILINE)
     # strip #!.* from shell scripts
     regexs["shebang"] = re.compile(r"^(#!.*\n)\n*", re.MULTILINE)
     return regexs
diff --git a/hack/tools.go b/hack/tools.go
index aad9b7438..489a3ccb0 100644
--- a/hack/tools.go
+++ b/hack/tools.go
@@ -1,3 +1,4 @@
+//go:build tools
 // +build tools
 
 /*
diff --git a/internal/ingress/zz_generated.deepcopy.go b/internal/ingress/zz_generated.deepcopy.go
index 5d49fb05e..410173e26 100644
--- a/internal/ingress/zz_generated.deepcopy.go
+++ b/internal/ingress/zz_generated.deepcopy.go
@@ -1,3 +1,4 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
 /*
diff --git a/internal/k8s/zz_generated.deepcopy.go b/internal/k8s/zz_generated.deepcopy.go
index 0261457fe..29f1163bc 100644
--- a/internal/k8s/zz_generated.deepcopy.go
+++ b/internal/k8s/zz_generated.deepcopy.go
@@ -1,3 +1,4 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
 /*
diff --git a/internal/runtime/cpu_linux.go b/internal/runtime/cpu_linux.go
index 7b6a96d60..e7513d619 100644
--- a/internal/runtime/cpu_linux.go
+++ b/internal/runtime/cpu_linux.go
@@ -1,3 +1,4 @@
+//go:build linux
 // +build linux
 
 /*
diff --git a/internal/runtime/cpu_notlinux.go b/internal/runtime/cpu_notlinux.go
index 86a649e62..2a1b48252 100644
--- a/internal/runtime/cpu_notlinux.go
+++ b/internal/runtime/cpu_notlinux.go
@@ -1,3 +1,4 @@
+//go:build !linux
 // +build !linux
 
 /*
diff --git a/test/e2e-image/Dockerfile b/test/e2e-image/Dockerfile
index f31ed184d..28cd272b6 100644
--- a/test/e2e-image/Dockerfile
+++ b/test/e2e-image/Dockerfile
@@ -1,4 +1,4 @@
-FROM k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210810-g820a21a74@sha256:7d7393a8c6c72d76145282df53ea0679a5b769211fd1cd6b8910b6dda1bd986d AS BASE
+FROM k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210822-g5e5faa24d@sha256:55c568d9e35e15d94b3ab41fe549b8ee4cd910cc3e031ddcccd06256755c5d89 AS BASE
 
 FROM alpine:3.12
 

From 6593cb244b21f6312c7a438708568807a9135a44 Mon Sep 17 00:00:00 2001
From: wenhuwang <976400757@qq.com>
Date: Tue, 24 Aug 2021 09:58:14 +0800
Subject: [PATCH 067/376] fix ingress-nginx panic when the certificate format
 is wrong. (#7443)

* fix ingress-nginx panic when the certificate format is wrong.

Signed-off-by: wang_wenhu <976400757@qq.com>

* Add unit test.

Signed-off-by: wang_wenhu <976400757@qq.com>

* Update controller_test.go
---
 internal/ingress/controller/controller.go     |  2 +-
 .../ingress/controller/controller_test.go     | 50 +++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index b4c822ba1..e7b53b770 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -1493,7 +1493,7 @@ func extractTLSSecretName(host string, ing *ingress.Ingress,
 			continue
 		}
 
-		if cert == nil { // for tests
+		if cert == nil || cert.Certificate == nil {
 			continue
 		}
 
diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go
index 86110c3ca..139e7b254 100644
--- a/internal/ingress/controller/controller_test.go
+++ b/internal/ingress/controller/controller_test.go
@@ -21,6 +21,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
+	"encoding/base64"
 	"fmt"
 	"io"
 	"os"
@@ -1301,6 +1302,55 @@ func TestExtractTLSSecretName(t *testing.T) {
 			},
 			"demo",
 		},
+		"ingress tls, hosts, bad format cert, host not in tls Hosts": {
+			"foo1.bar",
+			&ingress.Ingress{
+				Ingress: networking.Ingress{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "test",
+					},
+					Spec: networking.IngressSpec{
+						TLS: []networking.IngressTLS{
+							{
+								Hosts:      []string{"foo.bar"},
+								SecretName: "demo",
+							},
+						},
+						Rules: []networking.IngressRule{
+							{
+								Host: "foo.bar",
+							},
+							{
+								Host: "foo1.bar",
+							},
+						},
+					},
+				},
+			},
+			func(string) (*ingress.SSLCert, error) {
+				secretData := map[string]string{
+					"ca.crt":    "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01EVXhOVEEzTXpJMU5sb1hEVE13TURVeE16QTNNekkxTmxvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTUpGClVDcXBxY09mb2pPeUduTGRsRDlZSG5VVVFiTEQzZkxyN0FzM0RNTk9FNVkyTDJ2TUFhRXQxYkRvYWNqUDFMRlkKcy9ieFBVRmFmVEZ5cmY0SU1iN1FHUlZMYW84aVhmU3p4TlcwanE2dTc0OGZHN3E3c3QvNWR2c28yekpxcHNrcQo2QzNIS3liajMxMTBPNlh2N1I2VDlqdkxzT0M2Vm5VK3BtVHo4RzZ0YVdUeTFBdktQdU5Cc1puUWVRWis3Nk5hClRqSVpsaGlIMnZTUStSMFFzenBoU2tDQmVYbmdkaFloSDYyRVJvZDVZaDNiV1E3T2U0UjFKbHpNUjN3VzFSVGcKZE83aXoxSXdJT3drdlN6T1RlaElqU0pISHVWV3pJOXVqOTBkRTJUQmladzNheUVxdnhrbUxFT3Y1SFRONzRvbwpJQ216WEZzK1kxOFRCb2ZNRXNNQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFKajArK3lCVXBIekYxdWMxSmcyczhGRGNRRHIKdFBuanFROWE0QkwwN2JZdWZyeUJqdUlpaDJReWVKcFB3cTh0RklFa3ZuWjI4VDY4bDFLajRmMnRIU0Y0MG14WAoxVGlkNWxMc1ZjZytja1B2YWVRL1MrUmxnZDNCT1hjY3FFUWR0dithanhqOTdCZXZSelQ1SWd6UFVna3VtSU5wCkxrNS9kSWdxYTIrbmorVUpxdm9TWEhtZG4rMEdvNFJRMXMyZlBJUDhhRFIyL1paQThSTE1rSTJ2R1FVVUJ3RHMKeVkzVy9oWmRWeUhpWEcvRkJKRHNZU1cyZjFrZ1AzRzlyNjdnZG1WT05JckNCdHBSWkU3NllTRjFqNUtocFlUNgp3UDFpSVNDOUc0ZmRCeGxkaXJqRWM3VU9PQTlNQ0JzYXZ4R1IreCtBTEVnTnhOUlVZdnEvZWl0OGtRVT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=",
+					"namespace": "ZGVtbw==",
+					"token":     "ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklqaExObWcyVnpWM01ERm9Ua1ZpVFVwTlYwbDRPV3RMVkhaTE1XRnpOa010VjI5WE55MTRaRzR6VFVVaWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWlcxdklpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WldOeVpYUXVibUZ0WlNJNkltUmxabUYxYkhRdGRHOXJaVzR0Wkc0MmVHSWlMQ0pyZFdKbGNtNWxkR1Z6TG1sdkwzTmxjblpwWTJWaFkyTnZkVzUwTDNObGNuWnBZMlV0WVdOamIzVnVkQzV1WVcxbElqb2laR1ZtWVhWc2RDSXNJbXQxWW1WeWJtVjBaWE11YVc4dmMyVnlkbWxqWldGalkyOTFiblF2YzJWeWRtbGpaUzFoWTJOdmRXNTBMblZwWkNJNkltVm1OR0kxWW1NMExUTXdPREV0TkRFNU15MWlZakl6TFRoaE5qRmhNV0ptTWpRNFlTSXNJbk4xWWlJNkluTjVjM1JsYlRwelpYSjJhV05sWVdOamIzVnVkRHBrWlcxdk9tUmxabUYxYkhRaWZRLnEzaGFxVVFDN2Z6a1V3UldKazM0RjRsamktbWs5cWdPcDJHSFlSZ1JrWUk0WW8xclhoSURCSnUzWkFPdjhMN3doZkgzcmo4ZjFnNFpMSFBkd3JKT2lZdWlvXzVXdDZPSXZtbXFaU2VncnRmV1MwUFZXYzJ1d0xweDJpSElTbUlHd21uQ1hYQzNRX05RNFRlQnZxWEMyUHR4REFwM19QM3QyZnRKN0w2Z1kzTkcyZUsyQTVFZG82azQtR2wzN0Zaam51NmRzc0FocVZaeld0NE9ZS3hTWWtpN003dnh5ZWtJQ091UmJ6SW5DNmhldEhtbHhyaF9ObWplMHhfY2M4V3ZkUnJYbFlpRWxnYXZCY1FtMTJ2YkxBQWlzWkFrT2Y1T3VvaEhLUmpEOGlMS1pRMXdKRHNnRmYzd1BFWGxTWkg2QkVZdS1TU0laSDNKYWVWU3llWjExdw==",
+				}
+				ca, err := base64.StdEncoding.DecodeString(secretData["ca.crt"])
+				if err != nil {
+					t.Fatalf("unexpected error decoding ca.crt: %v", err)
+				}
+				cert, err := ssl.CreateCACert(ca)
+				if err != nil {
+					t.Fatalf("unexpected error creating SSL Cert: %v", err)
+				}
+				err = ssl.ConfigureCACert("demo", ca, cert)
+				if err != nil {
+					t.Fatalf("error configuring CA certificate: %v", err)
+				}
+				cert.Name = "default-token-dn6xb"
+				cert.Namespace = "demo"
+				return cert, nil
+			},
+			"",
+		},
 	}
 
 	for title, tc := range testCases {

From 1510c06045ece4e199ebec85e7ec90cf15e19747 Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Tue, 24 Aug 2021 04:57:13 -0700
Subject: [PATCH 068/376] docs for migration to apiVersion networking.k8s.io/v1
 (#7524)

---
 docs/index.md | 158 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 158 insertions(+)

diff --git a/docs/index.md b/docs/index.md
index 8eeaaa080..3012ffbea 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -9,3 +9,161 @@ Learn more about using Ingress on [k8s.io](http://kubernetes.io/docs/user-guide/
 ## Getting Started
 
 See [Deployment](./deploy/) for a whirlwind tour that will get you started.
+
+
+# FAQ - Migration to apiVersion networking.k8s.io/v1
+
+- Please read this [official blog on deprecated ingress api versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) If you are using ingress objects in your pre K8s v1.22 cluster, and you upgrade to K8s v1.22, then this document may be relevant to you.
+
+- Please read this [official documentation on the IngressClass object](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class)
+
+## What is an ingressClass and why is it important for users of Ingress-NGINX controller now ?
+
+IngressClass is a Kubernetes resource. See the description below.
+Its important because until now, a default install of the Ingress-NGINX controller did not require a ingressClass object. But from version 1.0.0 of the Ingress-NGINX Controller, a ingressclass object is required.
+
+On clusters with more than one instance of the Ingress-NGINX controller, all instances of the controllers must be aware of which Ingress object they must serve. The ingressClass field of a ingress object is the way to let the controller know about that. 
+
+```
+_$ k explain ingressClass                                                           
+KIND:     IngressClass                                                               
+VERSION:  networking.k8s.io/v1                     
+
+DESCRIPTION:    
+     IngressClass represents the class of the Ingress, referenced by the Ingress
+     Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be
+     used to indicate that an IngressClass should be considered default. When a
+     single IngressClass resource has this annotation set to true, new Ingress       
+     resources without a class specified will be assigned this default class.                         
+
+FIELDS:                                   
+   apiVersion   <string>                                                             
+     APIVersion defines the versioned schema of this representation of an            
+     object. Servers should convert recognized schemas to the latest internal                         
+     value, and may reject unrecognized values. More info:                                            
+     https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+                                                                                     
+   kind <string>                                                                     
+     Kind is a string value representing the REST resource this object                                
+     represents. Servers may infer this from the endpoint the client submits                          
+     requests to. Cannot be updated. In CamelCase. More info:            
+     https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+
+   metadata     <Object>                           
+     Standard object's metadata. More info:                                                           
+     https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+   spec <Object>                                   
+     Spec is the desired state of the IngressClass. More info:                                        
+     https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status`
+
+```
+
+## What has caused this change in behaviour ?
+
+There are 2 reasons primarily.
+
+(Reason #1) Until K8s version 1.21, it was was possible to create a ingress resource, with the "apiVersion:" field set to a value like ;
+  - extensions/v1beta1
+  - networking.k8s.io/v1beta1
+
+    (You would get a message about deprecation but the ingress resource would get created.)
+
+From K8s version 1.22 onwards, you can ONLY set the "apiVersion:" field of a ingress resource, to the value "networking.k8s.io/v1". The reason is [official blog on deprecated ingress api versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/).
+
+(Reason #2) When you upgrade to K8s version v1.22, while you are already using the Ingress-NGINX controller, there are several scenarios where the old existing ingress objects will not work. Read this FAQ to check which scenario matches your use case.
+
+## What is ingressClassName field ?
+
+ingressClassName is a field in the specs of a ingress object.
+
+```
+% k explain ingress.spec.ingressClassName
+KIND:     Ingress
+VERSION:  networking.k8s.io/v1
+
+FIELD:    ingressClassName <string>
+
+DESCRIPTION:
+     IngressClassName is the name of the IngressClass cluster resource. The
+     associated IngressClass defines which controller will implement the
+     resource. This replaces the deprecated `kubernetes.io/ingress.class`
+     annotation. For backwards compatibility, when that annotation is set, it
+     must be given precedence over this field. The controller may emit a warning
+     if the field and annotation have different values. Implementations of this
+     API should ignore Ingresses without a class specified. An IngressClass
+     resource may be marked as default, which can be used to set a default value
+     for this field. For more information, refer to the IngressClass
+     documentation.
+```
+ the spec.ingressClassName behavior has precedence over the annotation.
+
+
+
+## I have only one instance of the Ingresss-NGINX controller in my cluster. What should I do ?
+
+- If you have only one instance of the Ingress-NGINX controller running in your cluster, and you still want to use ingressclass, you should add the annotation "ingressclass.kubernetes.io/is-default-class" in your ingress class, so any new Ingress objects will have this one as default ingressClass.
+
+In this case, you need to make your Controller aware of the objects. If you have several Ingress objects and they don't yet have the [ingressClassName](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#ingress-v1-networking-k8s-io) field, or the ingress annotation (`kubernetes.io/ingress.class`),  then you should start your ingress-controller with the flag [--watch-ingress-without-class=true](## What is the flag '--watch-without-ingress-class' ?) .
+
+You can configure your helm chart installation's values file with `.controller.watchIngressWithoutClass: true`. 
+
+We highly recommend that you create the ingressClass as shown below:
+```
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+  name: nginx
+  annotations:
+    ingressclass.kubernetes.io/is-default-class: "true"
+spec:
+  controller: k8s.io/ingress-nginx
+```
+And add the value "spec.ingressClassName=nginx" in your Ingress objects
+
+## I have multiple ingress objects in my cluster. What should I do ?
+- If you don't care about ingressClass, or you have a lot of ingress objects without ingressClass configuration, you can run the ingress-controller with the flag `--watch-ingress-without-class=true`.
+
+## What is the flag '--watch-without-ingress-class' ?
+- Its a flag that is passed,as an argument, to the ingress-controller executable, in the pod spec. It looks like this ;
+```
+...
+...
+args:
+  - /nginx-ingress-controller
+  - --publish-service=$(POD_NAMESPACE)/ingress-nginx-dev-v1-test-controller
+  - --election-id=ingress-controller-leader
+  - --controller-class=k8s.io/ingress-nginx
+  - --configmap=$(POD_NAMESPACE)/ingress-nginx-dev-v1-test-controller
+  - --validating-webhook=:8443
+  - --validating-webhook-certificate=/usr/local/certificates/cert
+  - --validating-webhook-key=/usr/local/certificates/key
+  - --watch-ingress-without-class=true
+...
+...
+```
+
+## I have more than one controller in my cluster and already use the annotation ?
+No problem. This should still keep working, but we highly recommend you to test!
+
+## I have more than one controller running in my cluster, and I want to use the new spec ?
+In this scenario, you need to create multiple ingressClasses (see example one). But be aware that ingressClass works in a very specific way: you will need to change the .spec.controller value in your IngressClass and point the controller to the relevant ingressClass. Let's see some example, supposing that you have two Ingress Classes:
+
+- Ingress-Nginx-IngressClass-1 with .spec.controller equals to "k8s.io/ingress-nginx1"
+- Ingress-Nginx-IngressClass-2 with .spec.controller equals to "k8s.io/ingress-nginx2"
+When deploying your ingress controllers, you will have to change the `--controller-class` field as follows:
+
+Ingress-Nginx-Controller-nginx1 with `k8s.io/ingress-nginx1`
+Ingress-Nginx-Controller-nginx2 with `k8s.io/ingress-nginx2`
+Then, when you create an Ingress Object with IngressClassName = `ingress-nginx2`, it will look for controllers with `controller-class=k8s.io/ingress-nginx2` and as `Ingress-Nginx-Controller-nginx2` is watching objects that points to `ingressClass="k8s.io/ingress-nginx2`, it will serve that object, while `Ingress-Nginx-Controller-nginx1` will ignore the ingress object.
+
+Bear in mind that, if your `Ingress-Nginx-Controller-nginx2` is started with the flag `--watch-ingress-without-class=true`, then it will serve ;
+- objects without ingress-class
+- objects with the annotation configured in flag `--ingress-class` and same class value
+- and also objects pointing to the ingressClass that have the same .spec.controller as configured in `--controller-class`
+
+
+## Why is the ingressClassResource disabled by default in the helm chart ?
+- If this field is set to enabled value and there are existing ingress objects in the cluster, then the existing ingress objects will not be honored and only any new ingress object you create will inherit the ingressClass value.

From f84006d62f796621532948e66c51ababe6bc093c Mon Sep 17 00:00:00 2001
From: Sandip Bhattacharya <sandipb@showmethesource.org>
Date: Tue, 24 Aug 2021 13:59:13 +0200
Subject: [PATCH 069/376] docs: Clarify default-backend behavior (#7489)

Clarify default-backend behaviour for services with multiple ports.

Also minor fixes for typos and language consistency.
---
 docs/user-guide/nginx-configuration/annotations.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
index c6d376702..421065b11 100755
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@@ -320,9 +320,9 @@ nginx.ingress.kubernetes.io/custom-http-errors: "404,415"
 
 ### Default Backend
 
-This annotation is of the form `nginx.ingress.kubernetes.io/default-backend: <svc name>` to specify a custom default backend.  This `<svc name>` is a reference to a service inside of the same namespace in which you are applying this annotation. This annotation overrides the global default backend.
+This annotation is of the form `nginx.ingress.kubernetes.io/default-backend: <svc name>` to specify a custom default backend.  This `<svc name>` is a reference to a service inside of the same namespace in which you are applying this annotation. This annotation overrides the global default backend. In case the service has [multiple ports](https://kubernetes.io/docs/concepts/services-networking/service/#multi-port-services), the first one is the one which will received the backend traffic. 
 
-This service will be handle the response when the service in the Ingress rule does not have active endpoints. It will also handle the error responses if both this annotation and the [custom-http-errors annotation](#custom-http-errors) is set.
+This service will be used to handle the response when the configured service in the Ingress rule does not have any active endpoints. It will also be used to handle the error responses if both this annotation and the [custom-http-errors annotation](#custom-http-errors) are set.
 
 ### Enable CORS
 

From 3fb312ee2c64a1e8e73d03a3ae513839595b45f9 Mon Sep 17 00:00:00 2001
From: wasker <wasker@users.noreply.github.com>
Date: Tue, 24 Aug 2021 05:05:14 -0700
Subject: [PATCH 070/376] End-to-end tests for canary affinity (#7529)

---
 .../nginx-configuration/annotations.md        |   2 +-
 test/e2e/annotations/canary.go                | 324 ++++++++++++++++--
 test/e2e/loadbalance/round_robin.go           |   2 +-
 3 files changed, 289 insertions(+), 39 deletions(-)

diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
index 421065b11..67bc10c58 100755
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@@ -141,7 +141,7 @@ In some cases, you may want to "canary" a new set of changes by sending a small
 Canary rules are evaluated in order of precedence. Precedence is as follows:
 `canary-by-header -> canary-by-cookie -> canary-weight`
 
-**Note** that when you mark an ingress as canary, then all the other non-canary annotations will be ignored (inherited from the corresponding main ingress) except `nginx.ingress.kubernetes.io/load-balance`, `nginx.ingress.kubernetes.io/upstream-hash-by`, and [annotations related to session affinity](#session-affinity). If you want to restore the original behavior of canaries when session affinity was ignored, set `nginx.ingress.kubernetes.io/affinity-canary-behavior` annotation with value `legacy` on the non-canary ingress definition.
+**Note** that when you mark an ingress as canary, then all the other non-canary annotations will be ignored (inherited from the corresponding main ingress) except `nginx.ingress.kubernetes.io/load-balance`, `nginx.ingress.kubernetes.io/upstream-hash-by`, and [annotations related to session affinity](#session-affinity). If you want to restore the original behavior of canaries when session affinity was ignored, set `nginx.ingress.kubernetes.io/affinity-canary-behavior` annotation with value `legacy` on the canary ingress definition.
 
 **Known Limitations**
 
diff --git a/test/e2e/annotations/canary.go b/test/e2e/annotations/canary.go
index fe3e1544f..07b307abb 100644
--- a/test/e2e/annotations/canary.go
+++ b/test/e2e/annotations/canary.go
@@ -18,10 +18,14 @@ package annotations
 
 import (
 	"fmt"
+	"math"
 	"net/http"
+	"reflect"
+	"regexp"
 	"strings"
 
 	"github.com/onsi/ginkgo"
+	"github.com/stretchr/testify/assert"
 
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )
@@ -30,12 +34,12 @@ const (
 	canaryService = "echo-canary"
 )
 
-var _ = framework.DescribeAnnotation("canary", func() {
+var _ = framework.DescribeAnnotation("canary-*", func() {
 	f := framework.NewDefaultFramework("canary")
 
 	ginkgo.BeforeEach(func() {
 		// Deployment for main backend
-		f.NewEchoDeployment()
+		f.NewEchoDeploymentWithReplicas(1)
 
 		// Deployment for canary backend
 		f.NewEchoDeploymentWithNameAndReplicas(canaryService, 1)
@@ -637,7 +641,7 @@ var _ = framework.DescribeAnnotation("canary", func() {
 	})
 
 	ginkgo.Context("when canaried by cookie", func() {
-		ginkgo.It("should route requests to the correct upstream", func() {
+		ginkgo.It("respects always and never values", func() {
 			host := "foo"
 			annotations := map[string]string{}
 
@@ -662,37 +666,44 @@ var _ = framework.DescribeAnnotation("canary", func() {
 			f.EnsureIngress(canaryIng)
 
 			ginkgo.By("routing requests to the canary upstream when cookie is set to 'always'")
-			f.HTTPTestClient().
-				GET("/").
-				WithHeader("Host", host).
-				WithCookie("Canary-By-Cookie", "always").
-				Expect().
-				Status(http.StatusOK).
-				Body().Contains(canaryService)
+			for i := 0; i < 50; i++ {
+				f.HTTPTestClient().
+					GET("/").
+					WithHeader("Host", host).
+					WithCookie("Canary-By-Cookie", "always").
+					Expect().
+					Status(http.StatusOK).
+					Body().Contains(canaryService)
+			}
 
 			ginkgo.By("routing requests to the mainline upstream when cookie is set to 'never'")
-			f.HTTPTestClient().
-				GET("/").
-				WithHeader("Host", host).
-				WithCookie("Canary-By-Cookie", "never").
-				Expect().
-				Status(http.StatusOK).
-				Body().Contains(framework.EchoService).NotContains(canaryService)
+			for i := 0; i < 50; i++ {
+				f.HTTPTestClient().
+					GET("/").
+					WithHeader("Host", host).
+					WithCookie("Canary-By-Cookie", "never").
+					Expect().
+					Status(http.StatusOK).
+					Body().Contains(framework.EchoService).NotContains(canaryService)
+			}
 
 			ginkgo.By("routing requests to the mainline upstream when cookie is set to anything else")
-			f.HTTPTestClient().
-				GET("/").
-				WithHeader("Host", host).
-				WithCookie("Canary-By-Cookie", "badcookievalue").
-				Expect().
-				Status(http.StatusOK).
-				Body().Contains(framework.EchoService).NotContains(canaryService)
+			for i := 0; i < 50; i++ {
+				// This test relies on canary cookie not parsing into the valid
+				// affinity data and canary weight not being specified at all.
+				f.HTTPTestClient().
+					GET("/").
+					WithHeader("Host", host).
+					WithCookie("Canary-By-Cookie", "badcookievalue").
+					Expect().
+					Status(http.StatusOK).
+					Body().Contains(framework.EchoService).NotContains(canaryService)
+			}
 		})
 	})
 
-	// TODO: add testing for canary-weight 0 < weight < 100
 	ginkgo.Context("when canaried by weight", func() {
-		ginkgo.It("should route requests to the correct upstream", func() {
+		ginkgo.It("should route requests only to mainline if canary weight is 0", func() {
 			host := "foo"
 			annotations := map[string]string{}
 
@@ -720,7 +731,6 @@ var _ = framework.DescribeAnnotation("canary", func() {
 					return strings.Contains(server, "server_name foo")
 				})
 
-			ginkgo.By("returning requests from the mainline only when weight is equal to 0")
 			f.HTTPTestClient().
 				GET("/").
 				WithHeader("Host", host).
@@ -729,24 +739,31 @@ var _ = framework.DescribeAnnotation("canary", func() {
 				Body().
 				Contains(framework.EchoService).
 				NotContains(canaryService)
+		})
 
-			ginkgo.By("returning requests from the canary only when weight is equal to 100")
+		ginkgo.It("should route requests only to canary if canary weight is 100", func() {
+			host := "foo"
+			annotations := map[string]string{}
 
-			newAnnotations := map[string]string{
-				"nginx.ingress.kubernetes.io/canary":        "true",
-				"nginx.ingress.kubernetes.io/canary-weight": "100",
-			}
-
-			modIng := framework.NewSingleIngress(canaryIngName, "/", host,
-				f.Namespace, canaryService, 80, newAnnotations)
-
-			f.UpdateIngress(modIng)
+			ing := framework.NewSingleIngress(host, "/", host,
+				f.Namespace, framework.EchoService, 80, annotations)
+			f.EnsureIngress(ing)
 
 			f.WaitForNginxServer(host,
 				func(server string) bool {
 					return strings.Contains(server, "server_name foo")
 				})
 
+			canaryIngName := fmt.Sprintf("%v-canary", host)
+			canaryAnnotations := map[string]string{
+				"nginx.ingress.kubernetes.io/canary":        "true",
+				"nginx.ingress.kubernetes.io/canary-weight": "100",
+			}
+
+			canaryIng := framework.NewSingleIngress(canaryIngName, "/", host,
+				f.Namespace, canaryService, 80, canaryAnnotations)
+			f.EnsureIngress(canaryIng)
+
 			f.HTTPTestClient().
 				GET("/").
 				WithHeader("Host", host).
@@ -755,6 +772,32 @@ var _ = framework.DescribeAnnotation("canary", func() {
 				Body().
 				Contains(canaryService)
 		})
+
+		ginkgo.It("should route requests evenly split between mainline and canary if canary weight is 50", func() {
+			host := "foo"
+			annotations := map[string]string{}
+
+			ing := framework.NewSingleIngress(host, "/", host,
+				f.Namespace, framework.EchoService, 80, annotations)
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxServer(host,
+				func(server string) bool {
+					return strings.Contains(server, "server_name foo")
+				})
+
+			canaryIngName := fmt.Sprintf("%v-canary", host)
+			canaryAnnotations := map[string]string{
+				"nginx.ingress.kubernetes.io/canary":        "true",
+				"nginx.ingress.kubernetes.io/canary-weight": "50",
+			}
+
+			canaryIng := framework.NewSingleIngress(canaryIngName, "/", host,
+				f.Namespace, canaryService, 80, canaryAnnotations)
+			f.EnsureIngress(canaryIng)
+
+			TestEvenMainlineCanaryDistribution(f, host)
+		})
 	})
 
 	ginkgo.Context("Single canary Ingress", func() {
@@ -832,4 +875,211 @@ var _ = framework.DescribeAnnotation("canary", func() {
 				return strings.Contains(server, "server_name foo")
 			})
 	})
+
+	ginkgo.Context("canary affinity behavior", func() {
+		host := "foo"
+		affinityCookieName := "aff"
+		canaryIngName := fmt.Sprintf("%v-canary", host)
+
+		ginkgo.It("always routes traffic to canary if first request was affinitized to canary (default behavior)", func() {
+			annotations := map[string]string{
+				"nginx.ingress.kubernetes.io/affinity":            "cookie",
+				"nginx.ingress.kubernetes.io/session-cookie-name": affinityCookieName,
+			}
+
+			ing := framework.NewSingleIngress(host, "/", host,
+				f.Namespace, framework.EchoService, 80, annotations)
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxServer(host,
+				func(server string) bool {
+					return strings.Contains(server, "server_name foo")
+				})
+
+			// Canary weight is 1% to ensure affinity cookie does its job.
+			// affinity-canary-behavior annotation is not explicitly configured.
+			canaryAnnotations := map[string]string{
+				"nginx.ingress.kubernetes.io/canary":                 "true",
+				"nginx.ingress.kubernetes.io/canary-by-header":       "ForceCanary",
+				"nginx.ingress.kubernetes.io/canary-by-header-value": "yes",
+				"nginx.ingress.kubernetes.io/canary-weight":          "1",
+			}
+
+			canaryIng := framework.NewSingleIngress(canaryIngName, "/", host,
+				f.Namespace, canaryService, 80, canaryAnnotations)
+			f.EnsureIngress(canaryIng)
+
+			// This request will produce affinity cookie coming from the canary
+			// backend.
+			forcedRequestToCanary := f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", host).
+				WithHeader("ForceCanary", "yes").
+				Expect().
+				Status(http.StatusOK)
+
+			// Make sure we got response from canary.
+			forcedRequestToCanary.
+				Body().Contains(canaryService)
+
+			affinityCookie := forcedRequestToCanary.
+				Cookie(affinityCookieName)
+
+			// As long as affinity cookie is present, all requests will be
+			// routed to a specific backend.
+			for i := 0; i < 50; i++ {
+				f.HTTPTestClient().
+					GET("/").
+					WithHeader("Host", host).
+					WithCookie(affinityCookieName, affinityCookie.Raw().Value).
+					Expect().
+					Status(http.StatusOK).
+					Body().Contains(canaryService)
+			}
+		})
+
+		ginkgo.It("always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)", func() {
+			annotations := map[string]string{
+				"nginx.ingress.kubernetes.io/affinity":            "cookie",
+				"nginx.ingress.kubernetes.io/session-cookie-name": affinityCookieName,
+			}
+
+			ing := framework.NewSingleIngress(host, "/", host,
+				f.Namespace, framework.EchoService, 80, annotations)
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxServer(host,
+				func(server string) bool {
+					return strings.Contains(server, "server_name foo")
+				})
+
+			// Canary weight is 1% to ensure affinity cookie does its job.
+			// Explicitly set affinity-canary-behavior annotation to "sticky".
+			canaryAnnotations := map[string]string{
+				"nginx.ingress.kubernetes.io/canary":                   "true",
+				"nginx.ingress.kubernetes.io/canary-by-header":         "ForceCanary",
+				"nginx.ingress.kubernetes.io/canary-by-header-value":   "yes",
+				"nginx.ingress.kubernetes.io/canary-weight":            "1",
+				"nginx.ingress.kubernetes.io/affinity-canary-behavior": "sticky",
+			}
+
+			canaryIng := framework.NewSingleIngress(canaryIngName, "/", host,
+				f.Namespace, canaryService, 80, canaryAnnotations)
+			f.EnsureIngress(canaryIng)
+
+			// This request will produce affinity cookie coming from the canary
+			// backend.
+			forcedRequestToCanary := f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", host).
+				WithHeader("ForceCanary", "yes").
+				Expect().
+				Status(http.StatusOK)
+
+			// Make sure we got response from canary.
+			forcedRequestToCanary.
+				Body().Contains(canaryService)
+
+			affinityCookie := forcedRequestToCanary.
+				Cookie(affinityCookieName)
+
+			// As long as affinity cookie is present, all requests will be
+			// routed to a specific backend.
+			for i := 0; i < 50; i++ {
+				f.HTTPTestClient().
+					GET("/").
+					WithHeader("Host", host).
+					WithCookie(affinityCookieName, affinityCookie.Raw().Value).
+					Expect().
+					Status(http.StatusOK).
+					Body().Contains(canaryService)
+			}
+		})
+
+		ginkgo.It("routes traffic to either mainline or canary backend (legacy behavior)", func() {
+			annotations := map[string]string{
+				"nginx.ingress.kubernetes.io/affinity":            "cookie",
+				"nginx.ingress.kubernetes.io/session-cookie-name": affinityCookieName,
+			}
+
+			ing := framework.NewSingleIngress(host, "/", host,
+				f.Namespace, framework.EchoService, 80, annotations)
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxServer(host,
+				func(server string) bool {
+					return strings.Contains(server, "server_name foo")
+				})
+
+			// Canary weight is 50% to ensure requests are going there.
+			// Explicitly set affinity-canary-behavior annotation to "legacy".
+			canaryAnnotations := map[string]string{
+				"nginx.ingress.kubernetes.io/canary":                   "true",
+				"nginx.ingress.kubernetes.io/canary-by-header":         "ForceCanary",
+				"nginx.ingress.kubernetes.io/canary-by-header-value":   "yes",
+				"nginx.ingress.kubernetes.io/canary-weight":            "50",
+				"nginx.ingress.kubernetes.io/affinity-canary-behavior": "legacy",
+			}
+
+			canaryIng := framework.NewSingleIngress(canaryIngName, "/", host,
+				f.Namespace, canaryService, 80, canaryAnnotations)
+			f.EnsureIngress(canaryIng)
+
+			// This request will produce affinity cookie coming from the canary
+			// backend.
+			forcedRequestToCanary := f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", host).
+				WithHeader("ForceCanary", "yes").
+				Expect().
+				Status(http.StatusOK)
+
+			// Make sure we got response from canary.
+			forcedRequestToCanary.
+				Body().Contains(canaryService)
+
+			// Legacy behavior results in affinity cookie not being set in
+			// response.
+			for _, c := range forcedRequestToCanary.Cookies().Iter() {
+				if c.String().Raw() == affinityCookieName {
+					ginkgo.GinkgoT().Error("Affinity cookie is present in response, but was not expected.")
+				}
+			}
+
+			TestEvenMainlineCanaryDistribution(f, host)
+		})
+	})
+
 })
+
+// This method assumes canary weight being configured at 50%.
+func TestEvenMainlineCanaryDistribution(f *framework.Framework, host string) {
+	re := regexp.MustCompile(fmt.Sprintf(`%s.*`, framework.EchoService))
+	replicaRequestCount := map[string]int{}
+
+	for i := 0; i < 200; i++ {
+		body := f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK).Body().Raw()
+
+		replica := re.FindString(body)
+		assert.NotEmpty(ginkgo.GinkgoT(), replica)
+
+		if _, ok := replicaRequestCount[replica]; !ok {
+			replicaRequestCount[replica] = 1
+		} else {
+			replicaRequestCount[replica]++
+		}
+	}
+
+	keys := reflect.ValueOf(replicaRequestCount).MapKeys()
+
+	assert.Equal(ginkgo.GinkgoT(), 2, len(keys))
+
+	// The implmentation of choice by weight doesn't guarantee exact
+	// number of requests, so verify if request imbalance is within an
+	// acceptable range.
+	assert.LessOrEqual(ginkgo.GinkgoT(), math.Abs(float64(replicaRequestCount[keys[0].String()]-replicaRequestCount[keys[1].String()]))/math.Max(float64(replicaRequestCount[keys[0].String()]), float64(replicaRequestCount[keys[1].String()])), 0.2)
+}
diff --git a/test/e2e/loadbalance/round_robin.go b/test/e2e/loadbalance/round_robin.go
index 9e37d1596..f035005dd 100644
--- a/test/e2e/loadbalance/round_robin.go
+++ b/test/e2e/loadbalance/round_robin.go
@@ -66,7 +66,7 @@ var _ = framework.DescribeSetting("[Load Balancer] round-robin", func() {
 		}
 
 		for _, v := range replicaRequestCount {
-			assert.Equal(ginkgo.GinkgoT(), v, 200)
+			assert.Equal(ginkgo.GinkgoT(), 200, v)
 		}
 	})
 })

From f3af7e6bf5eae333fd6f86dc5ebcf5cbbef452a6 Mon Sep 17 00:00:00 2001
From: Neha Lohia <nehapithadiya444@gmail.com>
Date: Tue, 24 Aug 2021 17:47:11 +0530
Subject: [PATCH 071/376] update tag to v1.0.0

---
 TAG | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/TAG b/TAG
index cd5e5ef12..0ec25f750 100644
--- a/TAG
+++ b/TAG
@@ -1 +1 @@
-v1.0.0-beta.3
+v1.0.0

From f207702c3080d679ae86307eafbc16b0d3098e6c Mon Sep 17 00:00:00 2001
From: Neha Lohia <nehapithadiya444@gmail.com>
Date: Tue, 24 Aug 2021 21:01:14 +0530
Subject: [PATCH 072/376] release v1.0.0 (#7535)

Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com>
---
 Changelog.md                                  | 48 +++++++++++
 README.md                                     |  4 +-
 charts/ingress-nginx/Chart.yaml               | 10 ++-
 charts/ingress-nginx/values.yaml              |  4 +-
 .../provider/aws/deploy-tls-termination.yaml  | 85 ++++++++++---------
 deploy/static/provider/aws/deploy.yaml        | 85 ++++++++++---------
 deploy/static/provider/baremetal/deploy.yaml  | 85 ++++++++++---------
 deploy/static/provider/cloud/deploy.yaml      | 85 ++++++++++---------
 deploy/static/provider/do/deploy.yaml         | 85 ++++++++++---------
 deploy/static/provider/exoscale/deploy.yaml   | 85 ++++++++++---------
 deploy/static/provider/kind/deploy.yaml       | 85 ++++++++++---------
 deploy/static/provider/scw/deploy.yaml        | 85 ++++++++++---------
 docs/deploy/index.md                          | 20 ++---
 stable.txt                                    |  2 +-
 14 files changed, 420 insertions(+), 348 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index 23a2a1e3e..ee762e42c 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,53 @@
 # Changelog
 
+### 1.0.0
+**This is a breaking change**
+
+This release only supports Kubernetes versions >= v1.19. The support for Ingress Object in `networking.k8s.io/v1beta` is being dropped and manifests should now use `networking.k8s.io/v1`.
+
+**Image:**
+
+- `k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6`
+
+**Known Issues**
+Ingress Controller only supports cluster scoped IngressClass and needs cluster wide permission for this object, otherwise it is not going to start.
+We plan to fix this in v1.0.1
+
+Changes:
+- [X] [#7529](https://github.com/kubernetes/ingress-nginx/pull/7529) End-to-end tests for canary affinity
+- [X] [#7489](https://github.com/kubernetes/ingress-nginx/pull/7489) docs: Clarify default-backend behavior
+- [X] [#7524](https://github.com/kubernetes/ingress-nginx/pull/7524) docs for migration to apiVersion networking.k8s.io/v1
+- [X] [#7443](https://github.com/kubernetes/ingress-nginx/pull/7443) fix ingress-nginx panic when the certificate format is wrong.
+- [X] [#7521](https://github.com/kubernetes/ingress-nginx/pull/7521) Update ingress to go 1.17
+- [X] [#7493](https://github.com/kubernetes/ingress-nginx/pull/7493) Add appProtocol field to all ServicePorts
+- [X] [#7525](https://github.com/kubernetes/ingress-nginx/pull/7525) improve RELEASE.md 
+- [X] [#7203](https://github.com/kubernetes/ingress-nginx/pull/7203) Make HPA behavior configurable
+- [X] [#7487](https://github.com/kubernetes/ingress-nginx/pull/7487)[Cherry - Pick] - Fix default backend annotation and tests
+- [X] [#7459](https://github.com/kubernetes/ingress-nginx/pull/7459) Add controller.watchIngressWithoutClass config option 
+- [X] [#7478](https://github.com/kubernetes/ingress-nginx/pull/7478) Release new helm chart with certgen fixed 
+- [X] [#7341](https://github.com/kubernetes/ingress-nginx/pull/7341) Fix IngressClass logic for newer releases (#7341)
+- [X] [#7355](https://github.com/kubernetes/ingress-nginx/pull/7355) Downgrade Lua modules for s390x (#7355)
+- [X] [#7319](https://github.com/kubernetes/ingress-nginx/pull/7319) Lower webhook timeout for digital ocean (#7319)
+- [X] [#7161](https://github.com/kubernetes/ingress-nginx/pull/7161) fix: allow scope/tcp/udp configmap namespace to altered (#7161)
+- [X] [#7331](https://github.com/kubernetes/ingress-nginx/pull/7331) Fix forwarding of auth-response-headers to gRPC backends (#7331)
+- [X] [#7332](https://github.com/kubernetes/ingress-nginx/pull/7332) controller: ignore non-service backends (#7332)
+- [X] [#7314](https://github.com/kubernetes/ingress-nginx/pull/7314) Add configuration to disable external name service feature
+- [X] [#7313](https://github.com/kubernetes/ingress-nginx/pull/7313) Add file containing stable release 
+- [X] [#7311](https://github.com/kubernetes/ingress-nginx/pull/7311) Handle named (non-numeric) ports correctly
+- [X] [#7308](https://github.com/kubernetes/ingress-nginx/pull/7308) Updated v1beta1 to v1 as its deprecated
+- [X] [#7298](https://github.com/kubernetes/ingress-nginx/pull/7298) Speed up admission hook by eliminating deep copy of Ingresses in CheckIngress 
+- [X] [#7242](https://github.com/kubernetes/ingress-nginx/pull/7242) Retry to download maxmind DB if it fails 
+- [X] [#7228](https://github.com/kubernetes/ingress-nginx/pull/7228) Discover mounted geoip db files
+- [X] [#7208](https://github.com/kubernetes/ingress-nginx/pull/7208) ingress/tcp: add additional error logging on failed
+- [X] [#7190](https://github.com/kubernetes/ingress-nginx/pull/7190) chart: using Helm builtin capabilities check
+- [X] [#7146](https://github.com/kubernetes/ingress-nginx/pull/7146) Use ENV expansion for namespace in args
+- [X] [#7107](https://github.com/kubernetes/ingress-nginx/pull/7107) Fix MaxWorkerOpenFiles calculation on high cores nodes
+- [X] [#7076](https://github.com/kubernetes/ingress-nginx/pull/7076) Rewrite clean-nginx-conf.sh in Go to speed up admission webhook
+- [X] [#7031](https://github.com/kubernetes/ingress-nginx/pull/7031) Remove mercurial from build
+- [X] [#6990](https://github.com/kubernetes/ingress-nginx/pull/6990) Use listen to ensure the port is free
+- [X] [#6944](https://github.com/kubernetes/ingress-nginx/pull/6944) Update proper default value for HTTP2MaxConcurrentStreams in Docs
+- [X] [#6940](https://github.com/kubernetes/ingress-nginx/pull/6940) Fix definition order of modsecurity directives 
+- [X] [#7156] Drops support for Ingress Object v1beta1
 
 ### 0.49.0
 
diff --git a/README.md b/README.md
index a955debc1..3a7755ab5 100644
--- a/README.md
+++ b/README.md
@@ -30,9 +30,7 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 
 | Ingress-nginx version | k8s supported version  | Alpine Version | Nginx Version |
 |-----------------------|-------------           |----------------|---------------|
-| v1.0.0-beta.1         | 1.22, 1.21, 1.20, 1.19 | 3.13.5         |  1.20.1       |
-| v1.0.0-alpha.2        | 1.22, 1.21, 1.20, 1.19 | 3.13.5         |  1.20.1       |
-| v1.0.0-alpha.1        | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
+| v1.0.0                | 1.22, 1.21, 1.20, 1.19 | 3.13.5         |  1.20.1       |
 | v0.49.0               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
 | v0.48.1               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
 | v0.47.0               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index e6b8b318a..02621b9bb 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.0.0-beta.3
-appVersion: 1.0.0-beta.3
+version: 4.0.1
+appVersion: 1.0.0
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
@@ -20,8 +20,10 @@ kubeVersion: ">=1.19.0-0"
 annotations:
   # Use this annotation to indicate that this chart version is a pre-release.
   # https://artifacthub.io/docs/topics/annotations/helm/
-  artifacthub.io/prerelease: "true"
+  artifacthub.io/prerelease: "false"
   # List of changes for the release in artifacthub.io
   # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog
   artifacthub.io/changes: |
-    - Fix default backend annotation and tests
+    - Support for Ingress object v1 and drop support for v1beta1
+    - Update to go 1.17
+    - Fix some bugs
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 08f915661..e64e4ca2f 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -15,8 +15,8 @@ controller:
     # for backwards compatibility consider setting the full image url via the repository value below
     # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     # repository:
-    tag: "v1.0.0-beta.3"
-    digest: sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
+    tag: "v1.0.0"
+    digest: sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6
     pullPolicy: IfNotPresent
     # www-data -> uid 101
     runAsUser: 101
diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml
index 99b4de04d..bf442df89 100644
--- a/deploy/static/provider/aws/deploy-tls-termination.yaml
+++ b/deploy/static/provider/aws/deploy-tls-termination.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -50,10 +50,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -117,10 +117,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -137,10 +137,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -221,10 +221,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -243,10 +243,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -257,6 +257,7 @@ spec:
     - name: https-webhook
       port: 443
       targetPort: webhook
+      appProtocol: https
   selector:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
@@ -274,10 +275,10 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
     service.beta.kubernetes.io/aws-load-balancer-type: elb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -290,10 +291,12 @@ spec:
       port: 80
       protocol: TCP
       targetPort: tohttps
+      appProtocol: http
     - name: https
       port: 443
       protocol: TCP
       targetPort: http
+      appProtocol: https
   selector:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
@@ -304,10 +307,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -330,7 +333,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.3@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -422,10 +425,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -440,10 +443,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -480,10 +483,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -496,10 +499,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -520,10 +523,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -545,10 +548,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -570,10 +573,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -595,10 +598,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -606,10 +609,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.0-beta.3
+        helm.sh/chart: ingress-nginx-4.0.1
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0-beta.3
+        app.kubernetes.io/version: 1.0.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -645,10 +648,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -656,10 +659,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.0-beta.3
+        helm.sh/chart: ingress-nginx-4.0.1
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0-beta.3
+        app.kubernetes.io/version: 1.0.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml
index a9a528a4a..6c3947d0e 100644
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -43,10 +43,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -110,10 +110,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -130,10 +130,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -214,10 +214,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -236,10 +236,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -250,6 +250,7 @@ spec:
     - name: https-webhook
       port: 443
       targetPort: webhook
+      appProtocol: https
   selector:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
@@ -264,10 +265,10 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -280,10 +281,12 @@ spec:
       port: 80
       protocol: TCP
       targetPort: http
+      appProtocol: http
     - name: https
       port: 443
       protocol: TCP
       targetPort: https
+      appProtocol: https
   selector:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
@@ -294,10 +297,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -320,7 +323,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.3@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -409,10 +412,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -427,10 +430,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -467,10 +470,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -483,10 +486,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -507,10 +510,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -532,10 +535,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -557,10 +560,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -582,10 +585,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -593,10 +596,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.0-beta.3
+        helm.sh/chart: ingress-nginx-4.0.1
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0-beta.3
+        app.kubernetes.io/version: 1.0.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -632,10 +635,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -643,10 +646,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.0-beta.3
+        helm.sh/chart: ingress-nginx-4.0.1
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0-beta.3
+        app.kubernetes.io/version: 1.0.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml
index 12d990353..1ecedee18 100644
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -43,10 +43,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -110,10 +110,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -130,10 +130,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -214,10 +214,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -236,10 +236,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -250,6 +250,7 @@ spec:
     - name: https-webhook
       port: 443
       targetPort: webhook
+      appProtocol: https
   selector:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
@@ -261,10 +262,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -276,10 +277,12 @@ spec:
       port: 80
       protocol: TCP
       targetPort: http
+      appProtocol: http
     - name: https
       port: 443
       protocol: TCP
       targetPort: https
+      appProtocol: https
   selector:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
@@ -290,10 +293,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -316,7 +319,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.3@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -404,10 +407,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -422,10 +425,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -462,10 +465,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -478,10 +481,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -502,10 +505,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -527,10 +530,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -552,10 +555,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -577,10 +580,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -588,10 +591,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.0-beta.3
+        helm.sh/chart: ingress-nginx-4.0.1
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0-beta.3
+        app.kubernetes.io/version: 1.0.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -627,10 +630,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -638,10 +641,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.0-beta.3
+        helm.sh/chart: ingress-nginx-4.0.1
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0-beta.3
+        app.kubernetes.io/version: 1.0.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml
index 80e89b165..3cc902135 100644
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -43,10 +43,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -110,10 +110,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -130,10 +130,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -214,10 +214,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -236,10 +236,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -250,6 +250,7 @@ spec:
     - name: https-webhook
       port: 443
       targetPort: webhook
+      appProtocol: https
   selector:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
@@ -261,10 +262,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -277,10 +278,12 @@ spec:
       port: 80
       protocol: TCP
       targetPort: http
+      appProtocol: http
     - name: https
       port: 443
       protocol: TCP
       targetPort: https
+      appProtocol: https
   selector:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
@@ -291,10 +294,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -317,7 +320,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.3@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -406,10 +409,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -424,10 +427,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -464,10 +467,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -480,10 +483,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -504,10 +507,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -529,10 +532,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -554,10 +557,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -579,10 +582,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -590,10 +593,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.0-beta.3
+        helm.sh/chart: ingress-nginx-4.0.1
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0-beta.3
+        app.kubernetes.io/version: 1.0.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -629,10 +632,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -640,10 +643,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.0-beta.3
+        helm.sh/chart: ingress-nginx-4.0.1
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0-beta.3
+        app.kubernetes.io/version: 1.0.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml
index 81c0fffdb..3e808aaac 100644
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -111,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -131,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -215,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -237,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -251,6 +251,7 @@ spec:
     - name: https-webhook
       port: 443
       targetPort: webhook
+      appProtocol: https
   selector:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
@@ -263,10 +264,10 @@ metadata:
   annotations:
     service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -279,10 +280,12 @@ spec:
       port: 80
       protocol: TCP
       targetPort: http
+      appProtocol: http
     - name: https
       port: 443
       protocol: TCP
       targetPort: https
+      appProtocol: https
   selector:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
@@ -293,10 +296,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -319,7 +322,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.3@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -408,10 +411,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -426,10 +429,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -467,10 +470,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -483,10 +486,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -507,10 +510,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -532,10 +535,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -557,10 +560,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -582,10 +585,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -593,10 +596,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.0-beta.3
+        helm.sh/chart: ingress-nginx-4.0.1
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0-beta.3
+        app.kubernetes.io/version: 1.0.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -632,10 +635,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -643,10 +646,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.0-beta.3
+        helm.sh/chart: ingress-nginx-4.0.1
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0-beta.3
+        app.kubernetes.io/version: 1.0.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml
index 7603d947f..66491a116 100644
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -43,10 +43,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -110,10 +110,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -130,10 +130,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -214,10 +214,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -236,10 +236,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -250,6 +250,7 @@ spec:
     - name: https-webhook
       port: 443
       targetPort: webhook
+      appProtocol: https
   selector:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
@@ -269,10 +270,10 @@ metadata:
     service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: 3s
     service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -285,10 +286,12 @@ spec:
       port: 80
       protocol: TCP
       targetPort: http
+      appProtocol: http
     - name: https
       port: 443
       protocol: TCP
       targetPort: https
+      appProtocol: https
   selector:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
@@ -299,10 +302,10 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -325,7 +328,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.3@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -414,10 +417,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -432,10 +435,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -472,10 +475,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -488,10 +491,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -512,10 +515,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -537,10 +540,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -562,10 +565,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -587,10 +590,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -598,10 +601,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.0-beta.3
+        helm.sh/chart: ingress-nginx-4.0.1
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0-beta.3
+        app.kubernetes.io/version: 1.0.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -637,10 +640,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -648,10 +651,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.0-beta.3
+        helm.sh/chart: ingress-nginx-4.0.1
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0-beta.3
+        app.kubernetes.io/version: 1.0.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index f5ed6a217..88c512162 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -43,10 +43,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -110,10 +110,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -130,10 +130,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -214,10 +214,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -236,10 +236,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -250,6 +250,7 @@ spec:
     - name: https-webhook
       port: 443
       targetPort: webhook
+      appProtocol: https
   selector:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
@@ -261,10 +262,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -276,10 +277,12 @@ spec:
       port: 80
       protocol: TCP
       targetPort: http
+      appProtocol: http
     - name: https
       port: 443
       protocol: TCP
       targetPort: https
+      appProtocol: https
   selector:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
@@ -290,10 +293,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -320,7 +323,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.3@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -416,10 +419,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -434,10 +437,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -474,10 +477,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -490,10 +493,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -514,10 +517,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -539,10 +542,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -564,10 +567,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -589,10 +592,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -600,10 +603,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.0-beta.3
+        helm.sh/chart: ingress-nginx-4.0.1
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0-beta.3
+        app.kubernetes.io/version: 1.0.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -639,10 +642,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -650,10 +653,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.0-beta.3
+        helm.sh/chart: ingress-nginx-4.0.1
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0-beta.3
+        app.kubernetes.io/version: 1.0.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml
index 2dce4a583..006485a44 100644
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -111,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -131,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -215,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -237,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -251,6 +251,7 @@ spec:
     - name: https-webhook
       port: 443
       targetPort: webhook
+      appProtocol: https
   selector:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
@@ -263,10 +264,10 @@ metadata:
   annotations:
     service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -279,10 +280,12 @@ spec:
       port: 80
       protocol: TCP
       targetPort: http
+      appProtocol: http
     - name: https
       port: 443
       protocol: TCP
       targetPort: https
+      appProtocol: https
   selector:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
@@ -293,10 +296,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -319,7 +322,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.3@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -408,10 +411,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -426,10 +429,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -466,10 +469,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -482,10 +485,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -506,10 +509,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -531,10 +534,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -556,10 +559,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -581,10 +584,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -592,10 +595,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.0-beta.3
+        helm.sh/chart: ingress-nginx-4.0.1
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0-beta.3
+        app.kubernetes.io/version: 1.0.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -631,10 +634,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.0-beta.3
+    helm.sh/chart: ingress-nginx-4.0.1
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0-beta.3
+    app.kubernetes.io/version: 1.0.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -642,10 +645,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.0-beta.3
+        helm.sh/chart: ingress-nginx-4.0.1
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0-beta.3
+        app.kubernetes.io/version: 1.0.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index 33345ade2..db1f83655 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -54,7 +54,7 @@ Kubernetes is available in Docker Desktop
 - Windows, from [version 18.06.0-ce](https://docs.docker.com/docker-for-windows/release-notes/#docker-community-edition-18060-ce-win70-2018-07-25)
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/cloud/deploy.yaml
 ```
 
 #### minikube
@@ -82,7 +82,7 @@ In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controll
 ##### Network Load Balancer (NLB)
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/aws/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/aws/deploy.yaml
 ```
 
 ##### TLS termination in AWS Load Balancer (ELB)
@@ -91,10 +91,10 @@ In some scenarios is required to terminate TLS in the Load Balancer and not in t
 
 For this purpose we provide a template:
 
-- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/aws/deploy-tls-termination.yaml)
+- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/aws/deploy-tls-termination.yaml)
 
 ```console
-wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/aws/deploy-tls-termination.yaml
+wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/aws/deploy-tls-termination.yaml
 ```
 
 - Edit the file and change:
@@ -140,7 +140,7 @@ More information with regards to timeouts can be found in the [official AWS docu
 
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/cloud/deploy.yaml
 ```
 
 !!! failure Important
@@ -149,7 +149,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 #### Azure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/cloud/deploy.yaml
 ```
 
 More information with regards to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller).
@@ -157,13 +157,13 @@ More information with regards to Azure annotations for ingress controller can be
 #### Digital Ocean
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/do/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/do/deploy.yaml
 ```
 
 #### Scaleway
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/scw/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/scw/deploy.yaml
 ```
 
 #### Exoscale
@@ -177,7 +177,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale
 #### Oracle Cloud Infrastructure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.44.0/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/cloud/deploy.yaml
 ```
 
 A [complete list of available annotations for Oracle Cloud Infrastructure](https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md) can be found in the [OCI Cloud Controller Manager](https://github.com/oracle/oci-cloud-controller-manager) documentation.
@@ -187,7 +187,7 @@ A [complete list of available annotations for Oracle Cloud Infrastructure](https
 Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport):
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/baremetal/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/baremetal/deploy.yaml
 ```
 
 !!! tip
diff --git a/stable.txt b/stable.txt
index c23a4ae6d..ae67461b9 100644
--- a/stable.txt
+++ b/stable.txt
@@ -1 +1 @@
-controller-v0.49.0
\ No newline at end of file
+controller-v1.0.0
\ No newline at end of file

From b5679e620b2f03ee811af468136ee6d4273c12a3 Mon Sep 17 00:00:00 2001
From: Neha Lohia <nehapithadiya444@gmail.com>
Date: Tue, 24 Aug 2021 22:01:14 +0530
Subject: [PATCH 073/376] add known issues in changelog.md for release v1.0.0
 (#7536)

* release v1.0.0

Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com>

* add the known issues no in changelog.md for release v1.0.0

Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com>
---
 Changelog.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Changelog.md b/Changelog.md
index ee762e42c..59cff2a55 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -11,7 +11,7 @@ This release only supports Kubernetes versions >= v1.19. The support for Ingress
 
 **Known Issues**
 Ingress Controller only supports cluster scoped IngressClass and needs cluster wide permission for this object, otherwise it is not going to start.
-We plan to fix this in v1.0.1
+We plan to fix this in v1.0.1 and issues #7510 and #7502 are tracking this.
 
 Changes:
 - [X] [#7529](https://github.com/kubernetes/ingress-nginx/pull/7529) End-to-end tests for canary affinity

From f5fe7615aca08a9a1bdf7963ed0369b14736c2d3 Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Wed, 25 Aug 2021 07:30:40 +0530
Subject: [PATCH 074/376] improve docs for release - added step to edit README
 for support matrix (#7537)

---
 RELEASE.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/RELEASE.md b/RELEASE.md
index f352d98ac..2765ff7de 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -219,6 +219,9 @@
 - Edit the [stable.txt](stable.txt) file(if applicable), in the root of the repo, to reflect the release to be created
 - Criteria is a release that has been GA for a while but reported issues are not bugs but mostly /kind support or feature
 
+### i. Update README.md
+- Update the table in README.md in the root of the projet to reflect the support matrix. Add the new release version and details in there.
+
 ## 5. RELEASE new version
 
 ### a. Create PR

From 638a93835a8a0ce7de28975da07ea59ff0bd2045 Mon Sep 17 00:00:00 2001
From: Marcos Nery <marcosnery.comp@gmail.com>
Date: Wed, 25 Aug 2021 21:45:23 -0300
Subject: [PATCH 075/376] Improving e2e tests for non-service backends #7544
 (#7545)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Adding test cases for backend with nil service

Signed-off-by: Marcos <marcosnery.comp@gmail.com>
Co-authored-by: Renato Araujo <renatobritto@protonmail.com>
Co-authored-by: André Goretti <andremotta96@gmail.com>
Co-authored-by: Kalebe Lopes <calbkalebe@gmail.com>

* Add e2e test for backend nil service and add nil safeguard (#7344)

Co-authored-by: Renato Araujo <renatobritto@protonmail.com>
Co-authored-by: André Goretti <andremotta96@gmail.com>
Co-authored-by: Kalebe Lopes <calbkalebe@gmail.com>

* changing portuguese names to english in order to maintain the pattern

* updating boilerplate header

* adding second test case to also test valid path

Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com>

* Updating boilerplate

* fixing boilerplate

Signed-off-by: MarcosN <marcosnery.comp@gmail.com>
Co-authored-by: André Goretti <andremotta96@gmail.com>
Co-authored-by: Gabriel Albino <enggabrielalbino@gmail.com>

* Improving template test for cases where a nil backend service is included

Signed-off-by: MarcosN <marcosnery.comp@gmail.com>
Co-authored-by: André Goretti <andremotta96@gmail.com>
Co-authored-by: Gabriel Albino <enggabrielalbino@gmail.com>

Co-authored-by: Renato Araujo <renatobritto@protonmail.com>
Co-authored-by: André Goretti <andremotta96@gmail.com>
Co-authored-by: Kalebe Lopes <calbkalebe@gmail.com>
Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com>
Co-authored-by: Gabriel Albino <enggabrielalbino@gmail.com>
---
 .../ingress/controller/template/template.go   |   4 +
 .../controller/template/template_test.go      | 100 +++++++++++++++++
 .../e2e/servicebackend/service_nil_backend.go | 106 ++++++++++++++++++
 3 files changed, 210 insertions(+)
 create mode 100644 test/e2e/servicebackend/service_nil_backend.go

diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go
index 3f7e4af50..b06f5a216 100644
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@@ -1018,6 +1018,10 @@ func getIngressInformation(i, h, p interface{}) *ingressInformation {
 				continue
 			}
 
+			if rPath.Backend.Service == nil {
+				continue
+			}
+
 			if info.Service != "" && rPath.Backend.Service.Name == "" {
 				// empty rule. Only contains a Path and PathType
 				return info
diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go
index 4a64a0962..14291dbf2 100644
--- a/internal/ingress/controller/template/template_test.go
+++ b/internal/ingress/controller/template/template_test.go
@@ -1203,6 +1203,106 @@ func TestGetIngressInformation(t *testing.T) {
 				ServicePort: "b-svc-80",
 			},
 		},
+		"valid ingress definition with name demo in namespace something and path /ok with a nil backend service": {
+			&ingress.Ingress{
+				Ingress: networking.Ingress{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "demo",
+						Namespace: "something",
+						Annotations: map[string]string{
+							"ingress.annotation": "ok",
+						},
+					},
+					Spec: networking.IngressSpec{
+						Rules: []networking.IngressRule{
+							{
+								Host: "foo.bar",
+								IngressRuleValue: networking.IngressRuleValue{
+									HTTP: &networking.HTTPIngressRuleValue{
+										Paths: []networking.HTTPIngressPath{
+											{
+												Path:     "/ok",
+												PathType: &pathPrefix,
+												Backend: networking.IngressBackend{
+													Service: nil,
+												},
+											},
+										},
+									},
+								},
+							},
+							{},
+						},
+					},
+				},
+			},
+			"foo.bar",
+			"/ok",
+			&ingressInformation{
+				Namespace: "something",
+				Rule:      "demo",
+				Annotations: map[string]string{
+					"ingress.annotation": "ok",
+				},
+			},
+		},
+		"valid ingress definition with name demo in namespace something and path /ok with both a nil service and a valid one": {
+			&ingress.Ingress{
+				Ingress: networking.Ingress{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "demo",
+						Namespace: "something",
+						Annotations: map[string]string{
+							"ingress.annotation": "ok",
+						},
+					},
+					Spec: networking.IngressSpec{
+						Rules: []networking.IngressRule{
+							{
+								Host: "foo.bar",
+								IngressRuleValue: networking.IngressRuleValue{
+									HTTP: &networking.HTTPIngressRuleValue{
+										Paths: []networking.HTTPIngressPath{
+											{
+												Path:     "/ok",
+												PathType: &pathPrefix,
+												Backend: networking.IngressBackend{
+													Service: nil,
+												},
+											},
+											{
+												Path:     "/oksvc",
+												PathType: &pathPrefix,
+												Backend: networking.IngressBackend{
+													Service: &networking.IngressServiceBackend{
+														Name: "b-svc",
+														Port: networking.ServiceBackendPort{
+															Name: "b-svc-80",
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+							{},
+						},
+					},
+				},
+			},
+			"foo.bar",
+			"/oksvc",
+			&ingressInformation{
+				Namespace: "something",
+				Rule:      "demo",
+				Annotations: map[string]string{
+					"ingress.annotation": "ok",
+				},
+				Service:     "b-svc",
+				ServicePort: "b-svc-80",
+			},
+		},
 	}
 
 	for title, testCase := range testcases {
diff --git a/test/e2e/servicebackend/service_nil_backend.go b/test/e2e/servicebackend/service_nil_backend.go
new file mode 100644
index 000000000..864f94fbe
--- /dev/null
+++ b/test/e2e/servicebackend/service_nil_backend.go
@@ -0,0 +1,106 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package servicebackend
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/onsi/ginkgo"
+	corev1 "k8s.io/api/core/v1"
+	networking "k8s.io/api/networking/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+var _ = framework.IngressNginxDescribe("[Service] Nil Service Backend", func() {
+	f := framework.NewDefaultFramework("service-nil-backend")
+
+	ginkgo.BeforeEach(func() {
+		f.NewEchoDeployment()
+	})
+
+	ginkgo.It("should return 404 when backend service is nil", func() {
+		ginkgo.By("setting an ingress with a nil backend")
+		validHost := "valid.svc.com"
+		invalidHost := "nilbackend.svc.com"
+
+		ing := framework.NewSingleIngress(validHost, "/", validHost, f.Namespace,
+			framework.EchoService, 80, nil)
+
+		bi := buildIngressWithNonServiceBackend(invalidHost, f.Namespace, "/")
+
+		f.EnsureIngress(bi)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxConfiguration(func(cfg string) bool {
+			return strings.Contains(cfg, "server_name nilbackend.svc.com") &&
+				strings.Contains(cfg, "server_name valid.svc.com")
+		})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", validHost).
+			Expect().
+			Status(http.StatusOK)
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", invalidHost).
+			Expect().
+			Status(http.StatusNotFound)
+
+	})
+})
+
+func buildIngressWithNonServiceBackend(host, namespace, path string) *networking.Ingress {
+	apiGroup := "otherobj.testingress.com"
+	obj := corev1.TypedLocalObjectReference{
+		Kind:     "Anything",
+		Name:     "mytest",
+		APIGroup: &apiGroup,
+	}
+
+	return &networking.Ingress{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      host,
+			Namespace: namespace,
+		},
+		Spec: networking.IngressSpec{
+			IngressClassName: framework.GetIngressClassName(namespace),
+			Rules: []networking.IngressRule{
+				{
+					Host: host,
+					IngressRuleValue: networking.IngressRuleValue{
+						HTTP: &networking.HTTPIngressRuleValue{
+							Paths: []networking.HTTPIngressPath{
+								{
+									Path:     path,
+									PathType: &pathtype,
+									Backend: networking.IngressBackend{
+										Resource: &obj,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}

From 37fbcc0bd9ecabe40bb4a0bf31ecee44801d6661 Mon Sep 17 00:00:00 2001
From: Tsachi Nimni <tsachi.nimni@gmail.com>
Date: Thu, 26 Aug 2021 03:51:23 +0300
Subject: [PATCH 076/376] Update docs for new ingress api in cluster version
 >=1.19 (#7264)

* Update docs to support Ingress in cluster version 1.19 or greater

* Update docs

* Update basic-usage.md

* Update basic-usage.md
---
 docs/user-guide/basic-usage.md | 48 ++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/docs/user-guide/basic-usage.md b/docs/user-guide/basic-usage.md
index 5ccb9bd38..ae913b6a4 100644
--- a/docs/user-guide/basic-usage.md
+++ b/docs/user-guide/basic-usage.md
@@ -49,6 +49,54 @@ spec:
 When you apply this yaml, 2 ingress resources will be created managed by the **ingress-nginx** instance. Nginx is configured to automatically discover all ingress with the `kubernetes.io/ingress.class: "nginx"` annotation.
 Please note that the ingress resource should be placed inside the same namespace of the backend resource.
 
+If cluster version >= 1.19 the Ingress resource above will not work.
+You need to deploy the following so that it match the new api version.
+This will require changes to the Ingress objects as shown below, and a new object from type "kind: IngressClass"
+```
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-myservicea
+spec:
+  rules:
+  - host: myservicea.foo.org
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: myservicea
+            port: 
+              number: 80
+  ingressClassName: nginx
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-myserviceb
+spec:
+  rules:
+  - host: myserviceb.foo.org
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: myserviceb
+            port: 
+              number: 80
+  ingressClassName: nginx
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+```
+
 On many cloud providers ingress-nginx will also create the corresponding Load Balancer resource. All you have to do is get the external IP and add a DNS `A record` inside your DNS provider that point myServiceA.foo.org and myServiceB.foo.org to the nginx external IP. Get the external IP by running:
 
 ```

From 66c2a716daca2dee74a227da001d03517611742a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A5l=20Kristensen?= <paalkr@users.noreply.github.com>
Date: Thu, 26 Aug 2021 02:53:23 +0200
Subject: [PATCH 077/376] Document the keep-alive 0 effect on http/2 requests
 (#7503)

---
 .../nginx-configuration/configmap.md           | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index 575a51afc..6e6152c5f 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -397,6 +397,24 @@ Sets the time during which a keep-alive client connection will stay open on the
 _References:_
 [http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout)
 
+!!! important
+    Setting `keep-alive: '0'` will most likely break concurrent http/2 requests due to changes introduced with nginx 1.19.7
+
+```
+Changes with nginx 1.19.7                                        16 Feb 2021
+
+    *) Change: connections handling in HTTP/2 has been changed to better
+       match HTTP/1.x; the "http2_recv_timeout", "http2_idle_timeout", and
+       "http2_max_requests" directives have been removed, the
+       "keepalive_timeout" and "keepalive_requests" directives should be
+       used instead.
+```
+
+_References:_
+[nginx change log](http://nginx.org/en/CHANGES)
+[nginx issue tracker](https://trac.nginx.org/nginx/ticket/2155)
+[nginx mailing list](https://mailman.nginx.org/pipermail/nginx/2021-May/060697.html)
+
 ## keep-alive-requests
 
 Sets the maximum number of requests that can be served through one keep-alive connection.

From 4c4013904a2a4f5c42245db3fbf0515ec1be33d7 Mon Sep 17 00:00:00 2001
From: Maksim Nabokikh <max.nabokih@gmail.com>
Date: Thu, 26 Aug 2021 16:13:23 +0400
Subject: [PATCH 078/376] Add a flag to specify address to bind the healthz
 server (#7541)

* Add a flag to specify address to bind the healthz server

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>

* Add healthz host to the helm chart

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>

* Apply suggestions from code review

Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com>

Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com>
---
 charts/ingress-nginx/templates/controller-daemonset.yaml  | 3 +++
 charts/ingress-nginx/templates/controller-deployment.yaml | 3 +++
 charts/ingress-nginx/values.yaml                          | 5 +++++
 cmd/nginx/flags.go                                        | 2 ++
 cmd/nginx/main.go                                         | 6 +++---
 docs/user-guide/cli-arguments.md                          | 1 +
 internal/ingress/controller/controller.go                 | 3 ++-
 7 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml
index 34986e568..2e6b32170 100644
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -111,6 +111,9 @@ spec:
           {{- if not (eq .Values.controller.healthCheckPath "/healthz") }}
             - --health-check-path={{ .Values.controller.healthCheckPath }}
           {{- end }}
+          {{- if .Values.controller.healthCheckHost }}
+            - --healthz-host={{ .Values.controller.healthCheckHost }}
+          {{- end }}
           {{- if .Values.controller.watchIngressWithoutClass }}
             - --watch-ingress-without-class=true
           {{- end }}
diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
index f17975de3..681955f6f 100644
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -109,6 +109,9 @@ spec:
           {{- if .Values.controller.maxmindLicenseKey }}
             - --maxmind-license-key={{ .Values.controller.maxmindLicenseKey }}
           {{- end }}
+          {{- if .Values.controller.healthCheckHost }}
+            - --healthz-host={{ .Values.controller.healthCheckHost }}
+          {{- end }}
           {{- if not (eq .Values.controller.healthCheckPath "/healthz") }}
             - --health-check-path={{ .Values.controller.healthCheckPath }}
           {{- end }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index e64e4ca2f..8ef8ea8e7 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -311,6 +311,11 @@ controller:
   # the healthz-port parameter are forwarded internally to this path.
   healthCheckPath: "/healthz"
 
+  # Address to bind the health check endpoint.
+  # It is better to set this option to the internal node address
+  # if the ingress nginx controller is running in the hostNetwork: true mode.
+  healthCheckHost: ""
+
   ## Annotations to be added to controller pods
   ##
   podAnnotations: {}
diff --git a/cmd/nginx/flags.go b/cmd/nginx/flags.go
index aabade07e..7e6db6533 100644
--- a/cmd/nginx/flags.go
+++ b/cmd/nginx/flags.go
@@ -162,6 +162,7 @@ Requires the update-status parameter.`)
 		sslProxyPort  = flags.Int("ssl-passthrough-proxy-port", 442, `Port to use internally for SSL Passthrough.`)
 		defServerPort = flags.Int("default-server-port", 8181, `Port to use for exposing the default server (catch-all).`)
 		healthzPort   = flags.Int("healthz-port", 10254, "Port to use for the healthz endpoint.")
+		healthzHost   = flags.String("healthz-host", "", "Address to bind the healthz endpoint.")
 
 		disableCatchAll = flags.Bool("disable-catch-all", false,
 			`Disable support for catch-all Ingresses`)
@@ -286,6 +287,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g
 		ShutdownGracePeriod:        *shutdownGracePeriod,
 		UseNodeInternalIP:          *useNodeInternalIP,
 		SyncRateLimit:              *syncRateLimit,
+		HealthCheckHost:            *healthzHost,
 		ListenPorts: &ngx_config.ListenPorts{
 			Default:  *defServerPort,
 			Health:   *healthzPort,
diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go
index b21e1012e..cd98effb0 100644
--- a/cmd/nginx/main.go
+++ b/cmd/nginx/main.go
@@ -150,7 +150,7 @@ func main() {
 	registerHealthz(nginx.HealthPath, ngx, mux)
 	registerMetrics(reg, mux)
 
-	go startHTTPServer(conf.ListenPorts.Health, mux)
+	go startHTTPServer(conf.HealthCheckHost, conf.ListenPorts.Health, mux)
 	go ngx.Start()
 
 	handleSigterm(ngx, func(code int) {
@@ -324,9 +324,9 @@ func registerProfiler() {
 	klog.Fatal(server.ListenAndServe())
 }
 
-func startHTTPServer(port int, mux *http.ServeMux) {
+func startHTTPServer(host string, port int, mux *http.ServeMux) {
 	server := &http.Server{
-		Addr:              fmt.Sprintf(":%v", port),
+		Addr:              fmt.Sprintf("%s:%v", host, port),
 		Handler:           mux,
 		ReadTimeout:       10 * time.Second,
 		ReadHeaderTimeout: 10 * time.Second,
diff --git a/docs/user-guide/cli-arguments.md b/docs/user-guide/cli-arguments.md
index d51c75994..9c9ce0a9b 100644
--- a/docs/user-guide/cli-arguments.md
+++ b/docs/user-guide/cli-arguments.md
@@ -23,6 +23,7 @@ They are set in the container spec of the `nginx-ingress-controller` Deployment
 | `--health-check-path`              | URL path of the health check endpoint. Configured inside the NGINX status server. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. (default "/healthz") |
 | `--health-check-timeout`           | Time limit, in seconds, for a probe to health-check-path to succeed. (default 10) |
 | `--healthz-port`                   | Port to use for the healthz endpoint. (default 10254) |
+| `--healthz-host`                   | Address to bind the healthz endpoint. |
 | `--http-port`                      | Port to use for servicing HTTP traffic. (default 80) |
 | `--https-port`                     | Port to use for servicing HTTPS traffic. (default 443) |
 | `--ingress-class`                  | Name of the ingress class this controller satisfies. The class of an Ingress object is set using the field IngressClassName in Kubernetes clusters version v1.18.0 or higher or the annotation "kubernetes.io/ingress.class" (deprecated). If this parameter is not set, or set to the default value of "nginx", it will handle ingresses with either an empty or "nginx" class name. |
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index e7b53b770..72a1afa63 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -83,7 +83,8 @@ type Configuration struct {
 	ElectionID             string
 	UpdateStatusOnShutdown bool
 
-	ListenPorts *ngx_config.ListenPorts
+	HealthCheckHost string
+	ListenPorts     *ngx_config.ListenPorts
 
 	DisableServiceExternalName bool
 

From c6bc9870f1458abc5ba5de7044c1879a2696f255 Mon Sep 17 00:00:00 2001
From: Elvin Efendi <elvin.efendiyev@gmail.com>
Date: Fri, 27 Aug 2021 10:20:05 -0400
Subject: [PATCH 079/376] Update base nginx (#7552)

* upgrade alpine

* use nginx 1.19.9 and corresponding patches from openresty

* include openresty CVE-2021-23017 patch too
---
 images/nginx/rootfs/Dockerfile                |   4 +-
 images/nginx/rootfs/build.sh                  |   4 +-
 .../patches/nginx-1.19.3-no_Werror.patch      |  36 --
 ....19.9-always_enable_cc_feature_tests.patch |  11 +
 ...> nginx-1.19.9-balancer_status_code.patch} |   0
 ... => nginx-1.19.9-cache_manager_exit.patch} |   2 +-
 .../nginx-1.19.9-daemon_destroy_pool.patch    |  12 +
 ... nginx-1.19.9-delayed_posted_events.patch} |   0
 ...patch => nginx-1.19.9-hash_overflow.patch} |   0
 ...ginx-1.19.9-init_cycle_pool_release.patch} |  26 +-
 .../nginx-1.19.9-intercept_error_log.patch    |  60 ++
 ...> nginx-1.19.9-larger_max_error_str.patch} |   4 +-
 .../nginx-1.19.9-log_escape_non_ascii.patch   | 117 ++++
 .../patches/nginx-1.19.9-no_Werror.patch      |  36 ++
 .../patches/nginx-1.19.9-no_error_pages.patch |  91 +++
 .../rootfs/patches/nginx-1.19.9-no_pool.patch | 587 ++++++++++++++++++
 .../patches/nginx-1.19.9-pcre_conf_opt.patch  |  26 +
 ...ginx-1.19.9-privileged_agent_process.patch | 203 ++++++
 ...privileged_agent_process_connections.patch |  53 ++
 ...> nginx-1.19.9-proxy_host_port_vars.patch} |   4 +-
 ... nginx-1.19.9-resolver_conf_parsing.patch} |   0
 ...x-1.19.9-reuseport_close_unused_fds.patch} |   0
 ...inx-1.19.9-safe_resolver_ipv6_option.patch |  56 ++
 .../patches/nginx-1.19.9-server_header.patch  |  39 ++
 ...-1.19.9-setting_args_invalidates_uri.patch |  44 ++
 ...1.19.9-single_process_graceful_exit.patch} |   0
 ...atch => nginx-1.19.9-socket_cloexec.patch} |   2 +-
 ...h => nginx-1.19.9-ssl_cert_cb_yield.patch} |   0
 ...h => nginx-1.19.9-ssl_sess_cb_yield.patch} |   0
 ...inx-1.19.9-static_mod_escape_loc_hdr.patch |  50 ++
 .../nginx-1.19.9-stream_balancer_export.patch |  53 ++
 ...tream_proxy_get_next_upstream_tries.patch} |   0
 ...x-1.19.9-stream_proxy_timeout_fields.patch | 182 ++++++
 ...x-1.19.9-stream_ssl_preread_no_skip.patch} |   0
 ...=> nginx-1.19.9-upstream_pipelining.patch} |   0
 ...ginx-1.19.9-upstream_timeout_fields.patch} |   0
 .../nginx-1.19.9-win32_max_err_str.patch      |  15 +
 .../rootfs/patches/patch.2021.resolver.txt    |  23 +
 38 files changed, 1681 insertions(+), 59 deletions(-)
 delete mode 100644 images/nginx/rootfs/patches/nginx-1.19.3-no_Werror.patch
 create mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-always_enable_cc_feature_tests.patch
 rename images/nginx/rootfs/patches/{nginx-1.19.3-balancer_status_code.patch => nginx-1.19.9-balancer_status_code.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-cache_manager_exit.patch => nginx-1.19.9-cache_manager_exit.patch} (96%)
 create mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-daemon_destroy_pool.patch
 rename images/nginx/rootfs/patches/{nginx-1.19.3-delayed_posted_events.patch => nginx-1.19.9-delayed_posted_events.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-hash_overflow.patch => nginx-1.19.9-hash_overflow.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-init_cycle_pool_release.patch => nginx-1.19.9-init_cycle_pool_release.patch} (62%)
 create mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-intercept_error_log.patch
 rename images/nginx/rootfs/patches/{nginx-1.19.3-larger_max_error_str.patch => nginx-1.19.9-larger_max_error_str.patch} (62%)
 create mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-log_escape_non_ascii.patch
 create mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-no_Werror.patch
 create mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-no_error_pages.patch
 create mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-no_pool.patch
 create mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-pcre_conf_opt.patch
 create mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-privileged_agent_process.patch
 create mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-privileged_agent_process_connections.patch
 rename images/nginx/rootfs/patches/{nginx-1.19.3-proxy_host_port_vars.patch => nginx-1.19.9-proxy_host_port_vars.patch} (87%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-resolver_conf_parsing.patch => nginx-1.19.9-resolver_conf_parsing.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-reuseport_close_unused_fds.patch => nginx-1.19.9-reuseport_close_unused_fds.patch} (100%)
 create mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-safe_resolver_ipv6_option.patch
 create mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-server_header.patch
 create mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-setting_args_invalidates_uri.patch
 rename images/nginx/rootfs/patches/{nginx-1.19.3-single_process_graceful_exit.patch => nginx-1.19.9-single_process_graceful_exit.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-socket_cloexec.patch => nginx-1.19.9-socket_cloexec.patch} (98%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-ssl_cert_cb_yield.patch => nginx-1.19.9-ssl_cert_cb_yield.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-ssl_sess_cb_yield.patch => nginx-1.19.9-ssl_sess_cb_yield.patch} (100%)
 create mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-static_mod_escape_loc_hdr.patch
 create mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-stream_balancer_export.patch
 rename images/nginx/rootfs/patches/{nginx-1.19.3-stream_proxy_get_next_upstream_tries.patch => nginx-1.19.9-stream_proxy_get_next_upstream_tries.patch} (100%)
 create mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-stream_proxy_timeout_fields.patch
 rename images/nginx/rootfs/patches/{nginx-1.19.3-stream_ssl_preread_no_skip.patch => nginx-1.19.9-stream_ssl_preread_no_skip.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-upstream_pipelining.patch => nginx-1.19.9-upstream_pipelining.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-upstream_timeout_fields.patch => nginx-1.19.9-upstream_timeout_fields.patch} (100%)
 create mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-win32_max_err_str.patch
 create mode 100644 images/nginx/rootfs/patches/patch.2021.resolver.txt

diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile
index e639687f1..676083bf8 100644
--- a/images/nginx/rootfs/Dockerfile
+++ b/images/nginx/rootfs/Dockerfile
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 
-FROM alpine:3.13 as builder
+FROM alpine:3.14.1 as builder
 
 COPY . /
 
@@ -23,7 +23,7 @@ RUN apk update \
   && /build.sh
 
 # Use a multi-stage build
-FROM alpine:3.13
+FROM alpine:3.14.1
 
 ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin
 
diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
index 46f304ea5..be4cbda9c 100755
--- a/images/nginx/rootfs/build.sh
+++ b/images/nginx/rootfs/build.sh
@@ -18,7 +18,7 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-export NGINX_VERSION=1.20.1
+export NGINX_VERSION=1.19.9
 
 # Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.1...master
 export NDK_VERSION=0.3.1
@@ -197,7 +197,7 @@ mkdir --verbose -p "$BUILD_PATH"
 cd "$BUILD_PATH"
 
 # download, verify and extract the source files
-get_src e462e11533d5c30baa05df7652160ff5979591d291736cfa5edb9fd2edb48c49 \
+get_src 2e35dff06a9826e8aca940e9e8be46b7e4b12c19a48d55bfc2dc28fc9cc7d841 \
         "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz"
 
 get_src 0e971105e210d272a497567fa2e2c256f4e39b845a5ba80d373e26ba1abfbd85 \
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-no_Werror.patch b/images/nginx/rootfs/patches/nginx-1.19.3-no_Werror.patch
deleted file mode 100644
index 2cf7cd9c7..000000000
--- a/images/nginx/rootfs/patches/nginx-1.19.3-no_Werror.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-diff -urp nginx-1.19.3/auto/cc/clang nginx-1.19.3-patched/auto/cc/clang
---- nginx-1.19.3/auto/cc/clang	2014-03-04 03:39:24.000000000 -0800
-+++ nginx-1.19.3-patched/auto/cc/clang	2014-03-13 20:54:26.241413360 -0700
-@@ -89,7 +89,7 @@ CFLAGS="$CFLAGS -Wconditional-uninitiali
- CFLAGS="$CFLAGS -Wno-unused-parameter"
- 
- # stop on warning
--CFLAGS="$CFLAGS -Werror"
-+#CFLAGS="$CFLAGS -Werror"
- 
- # debug
- CFLAGS="$CFLAGS -g"
-diff -urp nginx-1.19.3/auto/cc/gcc nginx-1.19.3-patched/auto/cc/gcc
---- nginx-1.19.3/auto/cc/gcc	2014-03-04 03:39:24.000000000 -0800
-+++ nginx-1.19.3-patched/auto/cc/gcc	2014-03-13 20:54:13.301355329 -0700
-@@ -168,7 +168,7 @@ esac
- 
- 
- # stop on warning
--CFLAGS="$CFLAGS -Werror"
-+#CFLAGS="$CFLAGS -Werror"
- 
- # debug
- CFLAGS="$CFLAGS -g"
-diff -urp nginx-1.19.3/auto/cc/icc nginx-1.19.3-patched/auto/cc/icc
---- nginx-1.19.3/auto/cc/icc	2014-03-04 03:39:24.000000000 -0800
-+++ nginx-1.19.3-patched/auto/cc/icc	2014-03-13 20:54:13.301355329 -0700
-@@ -115,7 +115,7 @@ case "$NGX_ICC_VER" in
- esac
- 
- # stop on warning
--CFLAGS="$CFLAGS -Werror"
-+#CFLAGS="$CFLAGS -Werror"
- 
- # debug
- CFLAGS="$CFLAGS -g"
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-always_enable_cc_feature_tests.patch b/images/nginx/rootfs/patches/nginx-1.19.9-always_enable_cc_feature_tests.patch
new file mode 100644
index 000000000..62034509d
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-always_enable_cc_feature_tests.patch
@@ -0,0 +1,11 @@
+--- nginx-1.19.9/auto/cc/conf	2015-10-30 22:47:50.000000000 +0800
++++ nginx-1.19.9-patched/auto/cc/conf	2015-11-02 12:23:05.385156987 +0800
+@@ -136,7 +136,7 @@ fi
+ CFLAGS="$CFLAGS $NGX_CC_OPT"
+ NGX_TEST_LD_OPT="$NGX_LD_OPT"
+ 
+-if [ "$NGX_PLATFORM" != win32 ]; then
++if [ 1 ]; then
+ 
+     if test -n "$NGX_LD_OPT"; then
+         ngx_feature=--with-ld-opt=\"$NGX_LD_OPT\"
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-balancer_status_code.patch b/images/nginx/rootfs/patches/nginx-1.19.9-balancer_status_code.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-balancer_status_code.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-balancer_status_code.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-cache_manager_exit.patch b/images/nginx/rootfs/patches/nginx-1.19.9-cache_manager_exit.patch
similarity index 96%
rename from images/nginx/rootfs/patches/nginx-1.19.3-cache_manager_exit.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-cache_manager_exit.patch
index f1f81da2c..91ee63a26 100644
--- a/images/nginx/rootfs/patches/nginx-1.19.3-cache_manager_exit.patch
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-cache_manager_exit.patch
@@ -8,7 +8,7 @@ Cache: gracefully exit the cache manager process.
 diff -r dea321e5c021 -r f64218e1ac96 src/os/unix/ngx_process_cycle.c
 --- a/src/os/unix/ngx_process_cycle.c	Thu Oct 31 18:23:49 2013 +0400
 +++ b/src/os/unix/ngx_process_cycle.c	Mon Nov 04 12:48:50 2013 -0800
-@@ -1335,7 +1335,7 @@
+@@ -1134,7 +1134,7 @@
  
          if (ngx_terminate || ngx_quit) {
              ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting");
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-daemon_destroy_pool.patch b/images/nginx/rootfs/patches/nginx-1.19.9-daemon_destroy_pool.patch
new file mode 100644
index 000000000..5690b88f0
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-daemon_destroy_pool.patch
@@ -0,0 +1,12 @@
+diff --git a/src/os/unix/ngx_daemon.c b/src/os/unix/ngx_daemon.c
+index ab672110..f259af31 100644
+--- a/src/os/unix/ngx_daemon.c
++++ b/src/os/unix/ngx_daemon.c
+@@ -23,6 +23,8 @@ ngx_daemon(ngx_log_t *log)
+         break;
+
+     default:
++        /* just to make it ASAN or Valgrind clean */
++        ngx_destroy_pool(ngx_cycle->pool);
+         exit(0);
+     }
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-delayed_posted_events.patch b/images/nginx/rootfs/patches/nginx-1.19.9-delayed_posted_events.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-delayed_posted_events.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-delayed_posted_events.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-hash_overflow.patch b/images/nginx/rootfs/patches/nginx-1.19.9-hash_overflow.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-hash_overflow.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-hash_overflow.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-init_cycle_pool_release.patch b/images/nginx/rootfs/patches/nginx-1.19.9-init_cycle_pool_release.patch
similarity index 62%
rename from images/nginx/rootfs/patches/nginx-1.19.3-init_cycle_pool_release.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-init_cycle_pool_release.patch
index b6f46674f..aa2df4660 100644
--- a/images/nginx/rootfs/patches/nginx-1.19.3-init_cycle_pool_release.patch
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-init_cycle_pool_release.patch
@@ -1,6 +1,6 @@
-diff -rup nginx-1.19.3/src/core/nginx.c nginx-1.19.3-patched/src/core/nginx.c
---- nginx-1.19.3/src/core/nginx.c	2017-12-17 00:00:38.136470108 -0800
-+++ nginx-1.19.3-patched/src/core/nginx.c	2017-12-16 23:59:51.680958322 -0800
+diff -rup nginx-1.19.9/src/core/nginx.c nginx-1.19.9-patched/src/core/nginx.c
+--- nginx-1.19.9/src/core/nginx.c	2017-12-17 00:00:38.136470108 -0800
++++ nginx-1.19.9-patched/src/core/nginx.c	2017-12-16 23:59:51.680958322 -0800
 @@ -186,6 +186,7 @@ static u_char      *ngx_prefix;
  static u_char      *ngx_conf_file;
  static u_char      *ngx_conf_params;
@@ -18,9 +18,9 @@ diff -rup nginx-1.19.3/src/core/nginx.c nginx-1.19.3-patched/src/core/nginx.c
      if (ngx_save_argv(&init_cycle, argc, argv) != NGX_OK) {
          return 1;
      }
-diff -rup nginx-1.19.3/src/core/ngx_core.h nginx-1.19.3-patched/src/core/ngx_core.h
---- nginx-1.19.3/src/core/ngx_core.h	2017-10-10 08:22:51.000000000 -0700
-+++ nginx-1.19.3-patched/src/core/ngx_core.h	2017-12-16 23:59:51.679958370 -0800
+diff -rup nginx-1.19.9/src/core/ngx_core.h nginx-1.19.9-patched/src/core/ngx_core.h
+--- nginx-1.19.9/src/core/ngx_core.h	2017-10-10 08:22:51.000000000 -0700
++++ nginx-1.19.9-patched/src/core/ngx_core.h	2017-12-16 23:59:51.679958370 -0800
 @@ -108,4 +108,6 @@ void ngx_cpuinfo(void);
  #define NGX_DISABLE_SYMLINKS_NOTOWNER   2
  #endif
@@ -28,9 +28,9 @@ diff -rup nginx-1.19.3/src/core/ngx_core.h nginx-1.19.3-patched/src/core/ngx_cor
 +extern ngx_pool_t        *saved_init_cycle_pool;
 +
  #endif /* _NGX_CORE_H_INCLUDED_ */
-diff -rup nginx-1.19.3/src/core/ngx_cycle.c nginx-1.19.3-patched/src/core/ngx_cycle.c
---- nginx-1.19.3/src/core/ngx_cycle.c	2017-10-10 08:22:51.000000000 -0700
-+++ nginx-1.19.3-patched/src/core/ngx_cycle.c	2017-12-16 23:59:51.678958419 -0800
+diff -rup nginx-1.19.9/src/core/ngx_cycle.c nginx-1.19.9-patched/src/core/ngx_cycle.c
+--- nginx-1.19.9/src/core/ngx_cycle.c	2017-10-10 08:22:51.000000000 -0700
++++ nginx-1.19.9-patched/src/core/ngx_cycle.c	2017-12-16 23:59:51.678958419 -0800
 @@ -748,6 +748,10 @@ old_shm_zone_done:
  
      if (ngx_process == NGX_PROCESS_MASTER || ngx_is_init_cycle(old_cycle)) {
@@ -42,10 +42,10 @@ diff -rup nginx-1.19.3/src/core/ngx_cycle.c nginx-1.19.3-patched/src/core/ngx_cy
          ngx_destroy_pool(old_cycle->pool);
          cycle->old_cycle = NULL;
  
-diff -rup nginx-1.19.3/src/os/unix/ngx_process_cycle.c nginx-1.19.3-patched/src/os/unix/ngx_process_cycle.c
---- nginx-1.19.3/src/os/unix/ngx_process_cycle.c	2017-12-17 00:00:38.142469762 -0800
-+++ nginx-1.19.3-patched/src/os/unix/ngx_process_cycle.c	2017-12-16 23:59:51.691957791 -0800
-@@ -783,6 +783,11 @@ ngx_master_process_exit(ngx_cycle_t *cyc
+diff -rup nginx-1.19.9/src/os/unix/ngx_process_cycle.c nginx-1.19.9-patched/src/os/unix/ngx_process_cycle.c
+--- nginx-1.19.9/src/os/unix/ngx_process_cycle.c	2017-12-17 00:00:38.142469762 -0800
++++ nginx-1.19.9-patched/src/os/unix/ngx_process_cycle.c	2017-12-16 23:59:51.691957791 -0800
+@@ -687,6 +692,11 @@ ngx_master_process_exit(ngx_cycle_t *cyc
      ngx_exit_cycle.files_n = ngx_cycle->files_n;
      ngx_cycle = &ngx_exit_cycle;
  
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-intercept_error_log.patch b/images/nginx/rootfs/patches/nginx-1.19.9-intercept_error_log.patch
new file mode 100644
index 000000000..5de769517
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-intercept_error_log.patch
@@ -0,0 +1,60 @@
+diff --git a/src/core/ngx_cycle.h b/src/core/ngx_cycle.h
+index c51b7ff..4c335b9 100644
+--- a/src/core/ngx_cycle.h
++++ b/src/core/ngx_cycle.h
+@@ -22,9 +22,14 @@
+ #define NGX_DEBUG_POINTS_ABORT  2
+ 
+ 
++#define HAVE_INTERCEPT_ERROR_LOG_PATCH
++
++
+ typedef struct ngx_shm_zone_s  ngx_shm_zone_t;
+ 
+ typedef ngx_int_t (*ngx_shm_zone_init_pt) (ngx_shm_zone_t *zone, void *data);
++typedef ngx_int_t (*ngx_log_intercept_pt) (ngx_log_t *log, ngx_uint_t level,
++    u_char *buf, size_t len);
+ 
+ struct ngx_shm_zone_s {
+     void                     *data;
+@@ -75,6 +80,10 @@ struct ngx_cycle_s {
+     ngx_str_t                 prefix;
+     ngx_str_t                 lock_file;
+     ngx_str_t                 hostname;
++
++    ngx_log_intercept_pt      intercept_error_log_handler;
++    void                     *intercept_error_log_data;
++    unsigned                  entered_logger;    /* :1 */
+ };
+ 
+ 
+diff --git a/src/core/ngx_log.c b/src/core/ngx_log.c
+index 8e9408d..ed9b11b 100644
+--- a/src/core/ngx_log.c
++++ b/src/core/ngx_log.c
+@@ -112,6 +112,8 @@ ngx_log_error_core(ngx_uint_t level, ngx_log_t *log, ngx_err_t err,
+     ngx_uint_t   wrote_stderr, debug_connection;
+     u_char       errstr[NGX_MAX_ERROR_STR];
+ 
++    ngx_log_intercept_pt    log_intercept = NULL;
++
+     last = errstr + NGX_MAX_ERROR_STR;
+ 
+     p = ngx_cpymem(errstr, ngx_cached_err_log_time.data,
+@@ -153,6 +155,16 @@ ngx_log_error_core(ngx_uint_t level, ngx_log_t *log, ngx_err_t err,
+         p = last - NGX_LINEFEED_SIZE;
+     }
+ 
++    if (ngx_cycle) {
++        log_intercept = ngx_cycle->intercept_error_log_handler;
++    }
++
++    if (log_intercept && !ngx_cycle->entered_logger) {
++        ngx_cycle->entered_logger = 1;
++        log_intercept(log, level, errstr, p - errstr);
++        ngx_cycle->entered_logger = 0;
++    }
++
+     ngx_linefeed(p);
+ 
+     wrote_stderr = 0;
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-larger_max_error_str.patch b/images/nginx/rootfs/patches/nginx-1.19.9-larger_max_error_str.patch
similarity index 62%
rename from images/nginx/rootfs/patches/nginx-1.19.3-larger_max_error_str.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-larger_max_error_str.patch
index c7013e05d..0628d3abb 100644
--- a/images/nginx/rootfs/patches/nginx-1.19.3-larger_max_error_str.patch
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-larger_max_error_str.patch
@@ -1,5 +1,5 @@
---- nginx-1.19.3/src/core/ngx_log.h	2013-10-08 05:07:14.000000000 -0700
-+++ nginx-1.19.3-patched/src/core/ngx_log.h	2013-12-05 20:35:35.996236720 -0800
+--- nginx-1.19.9/src/core/ngx_log.h	2013-10-08 05:07:14.000000000 -0700
++++ nginx-1.19.9-patched/src/core/ngx_log.h	2013-12-05 20:35:35.996236720 -0800
 @@ -64,7 +64,9 @@ struct ngx_log_s {
  };
  
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-log_escape_non_ascii.patch b/images/nginx/rootfs/patches/nginx-1.19.9-log_escape_non_ascii.patch
new file mode 100644
index 000000000..bea6e52ee
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-log_escape_non_ascii.patch
@@ -0,0 +1,117 @@
+diff --git a/src/http/modules/ngx_http_log_module.c b/src/http/modules/ngx_http_log_module.c
+index 917ed55f..b769dfd3 100644
+--- a/src/http/modules/ngx_http_log_module.c
++++ b/src/http/modules/ngx_http_log_module.c
+@@ -79,6 +79,8 @@ typedef struct {
+     time_t                      open_file_cache_valid;
+     ngx_uint_t                  open_file_cache_min_uses;
+ 
++    ngx_flag_t                  escape_non_ascii;
++
+     ngx_uint_t                  off;        /* unsigned  off:1 */
+ } ngx_http_log_loc_conf_t;
+ 
+@@ -131,7 +133,8 @@ static size_t ngx_http_log_variable_getlen(ngx_http_request_t *r,
+     uintptr_t data);
+ static u_char *ngx_http_log_variable(ngx_http_request_t *r, u_char *buf,
+     ngx_http_log_op_t *op);
+-static uintptr_t ngx_http_log_escape(u_char *dst, u_char *src, size_t size);
++static uintptr_t ngx_http_log_escape(ngx_http_log_loc_conf_t *lcf, u_char *dst,
++    u_char *src, size_t size);
+ static size_t ngx_http_log_json_variable_getlen(ngx_http_request_t *r,
+     uintptr_t data);
+ static u_char *ngx_http_log_json_variable(ngx_http_request_t *r, u_char *buf,
+@@ -177,6 +180,13 @@ static ngx_command_t  ngx_http_log_commands[] = {
+       0,
+       NULL },
+ 
++    { ngx_string("log_escape_non_ascii"),
++      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
++      ngx_conf_set_flag_slot,
++      NGX_HTTP_LOC_CONF_OFFSET,
++      offsetof(ngx_http_log_loc_conf_t, escape_non_ascii),
++      NULL },
++
+       ngx_null_command
+ };
+ 
+@@ -935,6 +945,7 @@ static size_t
+ ngx_http_log_variable_getlen(ngx_http_request_t *r, uintptr_t data)
+ {
+     uintptr_t                   len;
++    ngx_http_log_loc_conf_t    *lcf;
+     ngx_http_variable_value_t  *value;
+ 
+     value = ngx_http_get_indexed_variable(r, data);
+@@ -943,7 +954,9 @@ ngx_http_log_variable_getlen(ngx_http_request_t *r, uintptr_t data)
+         return 1;
+     }
+ 
+-    len = ngx_http_log_escape(NULL, value->data, value->len);
++    lcf = ngx_http_get_module_loc_conf(r, ngx_http_log_module);
++
++    len = ngx_http_log_escape(lcf, NULL, value->data, value->len);
+ 
+     value->escape = len ? 1 : 0;
+ 
+@@ -954,6 +967,7 @@ ngx_http_log_variable_getlen(ngx_http_request_t *r, uintptr_t data)
+ static u_char *
+ ngx_http_log_variable(ngx_http_request_t *r, u_char *buf, ngx_http_log_op_t *op)
+ {
++    ngx_http_log_loc_conf_t    *lcf;
+     ngx_http_variable_value_t  *value;
+ 
+     value = ngx_http_get_indexed_variable(r, op->data);
+@@ -967,16 +981,18 @@ ngx_http_log_variable(ngx_http_request_t *r, u_char *buf, ngx_http_log_op_t *op)
+         return ngx_cpymem(buf, value->data, value->len);
+ 
+     } else {
+-        return (u_char *) ngx_http_log_escape(buf, value->data, value->len);
++        lcf = ngx_http_get_module_loc_conf(r, ngx_http_log_module);
++        return (u_char *) ngx_http_log_escape(lcf, buf, value->data, value->len);
+     }
+ }
+ 
+ 
+ static uintptr_t
+-ngx_http_log_escape(u_char *dst, u_char *src, size_t size)
++ngx_http_log_escape(ngx_http_log_loc_conf_t *lcf, u_char *dst, u_char *src,
++    size_t size)
+ {
+-    ngx_uint_t      n;
+-    static u_char   hex[] = "0123456789ABCDEF";
++    ngx_uint_t                   n;
++    static u_char                hex[] = "0123456789ABCDEF";
+ 
+     static uint32_t   escape[] = {
+         0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
+@@ -996,6 +1012,12 @@ ngx_http_log_escape(u_char *dst, u_char *src, size_t size)
+         0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
+     };
+ 
++    if (lcf->escape_non_ascii) {
++        ngx_memset(&escape[4], 0xff, sizeof(uint32_t) * 4);
++
++    } else {
++        ngx_memzero(&escape[4], sizeof(uint32_t) * 4);
++    }
+ 
+     if (dst == NULL) {
+ 
+@@ -1120,6 +1142,7 @@ ngx_http_log_create_loc_conf(ngx_conf_t *cf)
+     }
+ 
+     conf->open_file_cache = NGX_CONF_UNSET_PTR;
++    conf->escape_non_ascii = NGX_CONF_UNSET;
+ 
+     return conf;
+ }
+@@ -1135,6 +1158,8 @@ ngx_http_log_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
+     ngx_http_log_fmt_t        *fmt;
+     ngx_http_log_main_conf_t  *lmcf;
+ 
++    ngx_conf_merge_value(conf->escape_non_ascii, prev->escape_non_ascii, 1);
++
+     if (conf->open_file_cache == NGX_CONF_UNSET_PTR) {
+ 
+         conf->open_file_cache = prev->open_file_cache;
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-no_Werror.patch b/images/nginx/rootfs/patches/nginx-1.19.9-no_Werror.patch
new file mode 100644
index 000000000..7bb0ac902
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-no_Werror.patch
@@ -0,0 +1,36 @@
+diff -urp nginx-1.19.9/auto/cc/clang nginx-1.19.9-patched/auto/cc/clang
+--- nginx-1.19.9/auto/cc/clang	2014-03-04 03:39:24.000000000 -0800
++++ nginx-1.19.9-patched/auto/cc/clang	2014-03-13 20:54:26.241413360 -0700
+@@ -89,7 +89,7 @@ CFLAGS="$CFLAGS -Wconditional-uninitiali
+ CFLAGS="$CFLAGS -Wno-unused-parameter"
+ 
+ # stop on warning
+-CFLAGS="$CFLAGS -Werror"
++#CFLAGS="$CFLAGS -Werror"
+ 
+ # debug
+ CFLAGS="$CFLAGS -g"
+diff -urp nginx-1.19.9/auto/cc/gcc nginx-1.19.9-patched/auto/cc/gcc
+--- nginx-1.19.9/auto/cc/gcc	2014-03-04 03:39:24.000000000 -0800
++++ nginx-1.19.9-patched/auto/cc/gcc	2014-03-13 20:54:13.301355329 -0700
+@@ -168,7 +168,7 @@ esac
+ 
+ 
+ # stop on warning
+-CFLAGS="$CFLAGS -Werror"
++#CFLAGS="$CFLAGS -Werror"
+ 
+ # debug
+ CFLAGS="$CFLAGS -g"
+diff -urp nginx-1.19.9/auto/cc/icc nginx-1.19.9-patched/auto/cc/icc
+--- nginx-1.19.9/auto/cc/icc	2014-03-04 03:39:24.000000000 -0800
++++ nginx-1.19.9-patched/auto/cc/icc	2014-03-13 20:54:13.301355329 -0700
+@@ -115,7 +115,7 @@ case "$NGX_ICC_VER" in
+ esac
+ 
+ # stop on warning
+-CFLAGS="$CFLAGS -Werror"
++#CFLAGS="$CFLAGS -Werror"
+ 
+ # debug
+ CFLAGS="$CFLAGS -g"
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-no_error_pages.patch b/images/nginx/rootfs/patches/nginx-1.19.9-no_error_pages.patch
new file mode 100644
index 000000000..f57930768
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-no_error_pages.patch
@@ -0,0 +1,91 @@
+diff -upr nginx-1.19.9/src/http/ngx_http_core_module.c nginx-1.19.9-patched/src/http/ngx_http_core_module.c
+--- nginx-1.19.9/src/http/ngx_http_core_module.c	2017-08-31 18:14:41.000000000 -0700
++++ nginx-1.19.9-patched/src/http/ngx_http_core_module.c	2017-08-31 18:21:31.638098196 -0700
+@@ -61,6 +61,8 @@ static char *ngx_http_core_directio(ngx_
+     void *conf);
+ static char *ngx_http_core_error_page(ngx_conf_t *cf, ngx_command_t *cmd,
+     void *conf);
++static char *ngx_http_core_no_error_pages(ngx_conf_t *cf, ngx_command_t *cmd,
++    void *conf);
+ static char *ngx_http_core_open_file_cache(ngx_conf_t *cf, ngx_command_t *cmd,
+     void *conf);
+ static char *ngx_http_core_error_log(ngx_conf_t *cf, ngx_command_t *cmd,
+@@ -647,6 +649,14 @@ static ngx_command_t  ngx_http_core_comm
+       0,
+       NULL },
+ 
++    { ngx_string("no_error_pages"),
++      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
++                        |NGX_CONF_NOARGS,
++      ngx_http_core_no_error_pages,
++      NGX_HTTP_LOC_CONF_OFFSET,
++      0,
++      NULL },
++
+     { ngx_string("post_action"),
+       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
+                         |NGX_CONF_TAKE1,
+@@ -3334,7 +3344,6 @@ ngx_http_core_create_loc_conf(ngx_conf_t
+      *     clcf->types = NULL;
+      *     clcf->default_type = { 0, NULL };
+      *     clcf->error_log = NULL;
+-     *     clcf->error_pages = NULL;
+      *     clcf->client_body_path = NULL;
+      *     clcf->regex = NULL;
+      *     clcf->exact_match = 0;
+@@ -3344,6 +3353,7 @@ ngx_http_core_create_loc_conf(ngx_conf_t
+      *     clcf->keepalive_disable = 0;
+      */
+ 
++    clcf->error_pages = NGX_CONF_UNSET_PTR;
+     clcf->client_max_body_size = NGX_CONF_UNSET;
+     clcf->client_body_buffer_size = NGX_CONF_UNSET_SIZE;
+     clcf->client_body_timeout = NGX_CONF_UNSET_MSEC;
+@@ -3543,9 +3553,7 @@ ngx_http_core_merge_loc_conf(ngx_conf_t
+         }
+     }
+ 
+-    if (conf->error_pages == NULL && prev->error_pages) {
+-        conf->error_pages = prev->error_pages;
+-    }
++    ngx_conf_merge_ptr_value(conf->error_pages, prev->error_pages, NULL);
+ 
+     ngx_conf_merge_str_value(conf->default_type,
+                               prev->default_type, "text/plain");
+@@ -4553,6 +4561,10 @@ ngx_http_core_error_page(ngx_conf_t *cf,
+     ngx_http_compile_complex_value_t   ccv;
+ 
+     if (clcf->error_pages == NULL) {
++        return "conflicts with \"no_error_pages\"";
++    }
++
++    if (clcf->error_pages == NGX_CONF_UNSET_PTR) {
+         clcf->error_pages = ngx_array_create(cf->pool, 4,
+                                              sizeof(ngx_http_err_page_t));
+         if (clcf->error_pages == NULL) {
+@@ -4655,6 +4667,25 @@ ngx_http_core_error_page(ngx_conf_t *cf,
+ 
+     return NGX_CONF_OK;
+ }
++
++
++static char *
++ngx_http_core_no_error_pages(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
++{
++    ngx_http_core_loc_conf_t *clcf = conf;
++
++    if (clcf->error_pages == NULL) {
++        return "is duplicate";
++    }
++
++    if (clcf->error_pages != NGX_CONF_UNSET_PTR) {
++        return "conflicts with \"error_page\"";
++    }
++
++    clcf->error_pages = NULL;
++
++    return NGX_CONF_OK;
++}
+ 
+ 
+ static char *
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-no_pool.patch b/images/nginx/rootfs/patches/nginx-1.19.9-no_pool.patch
new file mode 100644
index 000000000..aa3c37ae6
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-no_pool.patch
@@ -0,0 +1,587 @@
+diff --minimal '--exclude=*.swp' '--exclude=*~' -up nginx-1.19.9/src/core/nginx.h nginx-1.19.9-patched/src/core/nginx.h
+--- nginx-1.19.9/src/core/nginx.h	2016-04-19 09:02:38.000000000 -0700
++++ nginx-1.19.9-patched/src/core/nginx.h	2016-04-21 16:25:07.452944624 -0700
+@@ -10,7 +10,7 @@
+ 
+ 
+ #define nginx_version      1019009
+ #define NGINX_VERSION      "1.19.9"
+-#define NGINX_VER          "openresty/" NGINX_VERSION ".unknown"
++#define NGINX_VER          "openresty/" NGINX_VERSION ".unknown (no pool)"
+ 
+ #ifdef NGX_BUILD
+diff --minimal '--exclude=*.swp' '--exclude=*~' -up nginx-1.19.9/src/core/ngx_array.c nginx-1.19.9-patched/src/core/ngx_array.c
+--- nginx-1.19.9/src/core/ngx_array.c	2016-04-19 09:02:38.000000000 -0700
++++ nginx-1.19.9-patched/src/core/ngx_array.c	2016-04-21 16:25:07.453947190 -0700
+@@ -30,26 +30,30 @@ ngx_array_create(ngx_pool_t *p, ngx_uint
+ void
+ ngx_array_destroy(ngx_array_t *a)
+ {
+-    ngx_pool_t  *p;
++    ngx_pool_t          *p;
++    ngx_array_link_t    *link;
+ 
+     p = a->pool;
+ 
+-    if ((u_char *) a->elts + a->size * a->nalloc == p->d.last) {
+-        p->d.last -= a->size * a->nalloc;
++    if (a->elts) {
++        ngx_pfree(p, a->elts);
+     }
+ 
+-    if ((u_char *) a + sizeof(ngx_array_t) == p->d.last) {
+-        p->d.last = (u_char *) a;
++    for (link = a->old_elts; link; link = link->next) {
++        ngx_pfree(p, link->elts);
+     }
++
++    ngx_pfree(p, a);
+ }
+ 
+ 
+ void *
+ ngx_array_push(ngx_array_t *a)
+ {
+-    void        *elt, *new;
+-    size_t       size;
+-    ngx_pool_t  *p;
++    void                *elt, *new;
++    size_t               size;
++    ngx_pool_t          *p;
++    ngx_array_link_t    *link;
+ 
+     if (a->nelts == a->nalloc) {
+ 
+@@ -59,29 +63,27 @@ ngx_array_push(ngx_array_t *a)
+ 
+         p = a->pool;
+ 
+-        if ((u_char *) a->elts + size == p->d.last
+-            && p->d.last + a->size <= p->d.end)
+-        {
+-            /*
+-             * the array allocation is the last in the pool
+-             * and there is space for new allocation
+-             */
+-
+-            p->d.last += a->size;
+-            a->nalloc++;
++        /* allocate a new array */
+ 
+-        } else {
+-            /* allocate a new array */
++        new = ngx_palloc(p, 2 * size);
++        if (new == NULL) {
++            return NULL;
++        }
+ 
+-            new = ngx_palloc(p, 2 * size);
+-            if (new == NULL) {
+-                return NULL;
+-            }
++        ngx_memcpy(new, a->elts, size);
+ 
+-            ngx_memcpy(new, a->elts, size);
+-            a->elts = new;
+-            a->nalloc *= 2;
++        link = ngx_palloc(p, sizeof(ngx_array_link_t));
++        if (link == NULL) {
++            ngx_pfree(p, new);
++            return NULL;
+         }
++
++        link->next = a->old_elts;
++        link->elts = a->elts;
++        a->old_elts = link;
++
++        a->elts = new;
++        a->nalloc *= 2;
+     }
+ 
+     elt = (u_char *) a->elts + a->size * a->nelts;
+@@ -95,11 +97,10 @@ void *
+ ngx_array_push_n(ngx_array_t *a, ngx_uint_t n)
+ {
+     void        *elt, *new;
+-    size_t       size;
+     ngx_uint_t   nalloc;
+     ngx_pool_t  *p;
+ 
+-    size = n * a->size;
++    ngx_array_link_t    *link;
+ 
+     if (a->nelts + n > a->nalloc) {
+ 
+@@ -107,31 +108,27 @@ ngx_array_push_n(ngx_array_t *a, ngx_uin
+ 
+         p = a->pool;
+ 
+-        if ((u_char *) a->elts + a->size * a->nalloc == p->d.last
+-            && p->d.last + size <= p->d.end)
+-        {
+-            /*
+-             * the array allocation is the last in the pool
+-             * and there is space for new allocation
+-             */
++        nalloc = 2 * ((n >= a->nalloc) ? n : a->nalloc);
+ 
+-            p->d.last += size;
+-            a->nalloc += n;
++        new = ngx_palloc(p, nalloc * a->size);
++        if (new == NULL) {
++            return NULL;
++        }
+ 
+-        } else {
+-            /* allocate a new array */
++        ngx_memcpy(new, a->elts, a->nelts * a->size);
+ 
+-            nalloc = 2 * ((n >= a->nalloc) ? n : a->nalloc);
++        link = ngx_palloc(p, sizeof(ngx_array_link_t));
++        if (link == NULL) {
++            ngx_pfree(p, new);
++            return NULL;
++        }
+ 
+-            new = ngx_palloc(p, nalloc * a->size);
+-            if (new == NULL) {
+-                return NULL;
+-            }
++        link->next = a->old_elts;
++        link->elts = a->elts;
++        a->old_elts = link;
+ 
+-            ngx_memcpy(new, a->elts, a->nelts * a->size);
+-            a->elts = new;
+-            a->nalloc = nalloc;
+-        }
++        a->elts = new;
++        a->nalloc = nalloc;
+     }
+ 
+     elt = (u_char *) a->elts + a->size * a->nelts;
+diff --minimal '--exclude=*.swp' '--exclude=*~' -up nginx-1.19.9/src/core/ngx_array.h nginx-1.19.9-patched/src/core/ngx_array.h
+--- nginx-1.19.9/src/core/ngx_array.h	2016-04-19 09:02:38.000000000 -0700
++++ nginx-1.19.9-patched/src/core/ngx_array.h	2016-04-21 16:25:07.453947190 -0700
+@@ -13,12 +13,23 @@
+ #include <ngx_core.h>
+ 
+ 
++typedef struct ngx_array_link_s ngx_array_link_t;
++
++
++struct ngx_array_link_s {
++    void                    *elts;
++    ngx_array_link_t        *next;
++};
++
++
+ typedef struct {
+     void        *elts;
+     ngx_uint_t   nelts;
+     size_t       size;
+     ngx_uint_t   nalloc;
+     ngx_pool_t  *pool;
++
++    ngx_array_link_t *old_elts;
+ } ngx_array_t;
+ 
+ 
+@@ -40,6 +51,7 @@ ngx_array_init(ngx_array_t *array, ngx_p
+     array->size = size;
+     array->nalloc = n;
+     array->pool = pool;
++    array->old_elts = NULL;
+ 
+     array->elts = ngx_palloc(pool, n * size);
+     if (array->elts == NULL) {
+diff --minimal '--exclude=*.swp' '--exclude=*~' -up nginx-1.19.9/src/core/ngx_palloc.c nginx-1.19.9-patched/src/core/ngx_palloc.c
+--- nginx-1.19.9/src/core/ngx_palloc.c	2016-04-19 09:02:38.000000000 -0700
++++ nginx-1.19.9-patched/src/core/ngx_palloc.c	2016-04-21 16:25:45.912282685 -0700
+@@ -9,34 +9,26 @@
+ #include <ngx_core.h>
+ 
+ 
+-static ngx_inline void *ngx_palloc_small(ngx_pool_t *pool, size_t size,
+-    ngx_uint_t align);
+-static void *ngx_palloc_block(ngx_pool_t *pool, size_t size);
+-static void *ngx_palloc_large(ngx_pool_t *pool, size_t size);
++static void * ngx_malloc(ngx_pool_t *pool, size_t size);
+ 
+ 
+ ngx_pool_t *
+ ngx_create_pool(size_t size, ngx_log_t *log)
+ {
+-    ngx_pool_t  *p;
++    ngx_pool_t        *p;
+ 
+-    p = ngx_memalign(NGX_POOL_ALIGNMENT, size, log);
++    size = sizeof(ngx_pool_t);
++    p = ngx_alloc(size, log);
+     if (p == NULL) {
+         return NULL;
+     }
+ 
+-    p->d.last = (u_char *) p + sizeof(ngx_pool_t);
+-    p->d.end = (u_char *) p + size;
+-    p->d.next = NULL;
+-    p->d.failed = 0;
++    ngx_memzero(p, size);
+ 
+     size = size - sizeof(ngx_pool_t);
+     p->max = (size < NGX_MAX_ALLOC_FROM_POOL) ? size : NGX_MAX_ALLOC_FROM_POOL;
+ 
+     p->current = p;
+-    p->chain = NULL;
+-    p->large = NULL;
+-    p->cleanup = NULL;
+     p->log = log;
+ 
+     return p;
+@@ -46,8 +38,7 @@ ngx_create_pool(size_t size, ngx_log_t *
+ void
+ ngx_destroy_pool(ngx_pool_t *pool)
+ {
+-    ngx_pool_t          *p, *n;
+-    ngx_pool_large_t    *l;
++    ngx_pool_data_t     *d, *n;
+     ngx_pool_cleanup_t  *c;
+ 
+     for (c = pool->cleanup; c; c = c->next) {
+@@ -58,6 +49,11 @@ ngx_destroy_pool(ngx_pool_t *pool)
+         }
+     }
+ 
++    if (pool->d == NULL) {
++        ngx_free(pool);
++        return;
++    }
++
+ #if (NGX_DEBUG)
+ 
+     /*
+@@ -65,13 +61,9 @@ ngx_destroy_pool(ngx_pool_t *pool)
+      * so we cannot use this log while free()ing the pool
+      */
+ 
+-    for (l = pool->large; l; l = l->next) {
+-        ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, pool->log, 0, "free: %p", l->alloc);
+-    }
+-
+-    for (p = pool, n = pool->d.next; /* void */; p = n, n = n->d.next) {
++    for (d = pool->d, n = d->next; ; d = n, n = n->next) {
+         ngx_log_debug2(NGX_LOG_DEBUG_ALLOC, pool->log, 0,
+-                       "free: %p, unused: %uz", p, p->d.end - p->d.last);
++                       "free: %p, unused: %d", d, 0);
+ 
+         if (n == NULL) {
+             break;
+@@ -80,171 +72,82 @@ ngx_destroy_pool(ngx_pool_t *pool)
+ 
+ #endif
+ 
+-    for (l = pool->large; l; l = l->next) {
+-        if (l->alloc) {
+-            ngx_free(l->alloc);
+-        }
+-    }
+-
+-    for (p = pool, n = pool->d.next; /* void */; p = n, n = n->d.next) {
+-        ngx_free(p);
++    for (d = pool->d, n = d->next; ; d = n, n = n->next) {
++        ngx_free(d->alloc);
++        ngx_free(d);
+ 
+         if (n == NULL) {
+             break;
+         }
+     }
++
++    pool->d = NULL;
++    ngx_free(pool);
+ }
+ 
+ 
+ void
+ ngx_reset_pool(ngx_pool_t *pool)
+ {
+-    ngx_pool_t        *p;
+-    ngx_pool_large_t  *l;
++    ngx_pool_data_t     *d, *n;
++    ngx_pool_data_t     *saved = NULL;
+ 
+-    for (l = pool->large; l; l = l->next) {
+-        if (l->alloc) {
+-            ngx_free(l->alloc);
++    if (pool->d) {
++        for (d = pool->d, n = d->next; ; d = n, n = n->next) {
++            if (d->alloc == pool->log) {
++                saved = d;
++                continue;
++            }
++
++            ngx_free(d->alloc);
++            ngx_free(d);
++
++            if (n == NULL) {
++                break;
++            }
+         }
+-    }
+ 
+-    for (p = pool; p; p = p->d.next) {
+-        p->d.last = (u_char *) p + sizeof(ngx_pool_t);
+-        p->d.failed = 0;
++        pool->d = saved;
++        pool->current = pool;
++        pool->chain = NULL;
+     }
+-
+-    pool->current = pool;
+-    pool->chain = NULL;
+-    pool->large = NULL;
+ }
+ 
+ 
+ void *
+ ngx_palloc(ngx_pool_t *pool, size_t size)
+ {
+-#if !(NGX_DEBUG_PALLOC)
+-    if (size <= pool->max) {
+-        return ngx_palloc_small(pool, size, 1);
+-    }
+-#endif
+-
+-    return ngx_palloc_large(pool, size);
++    return ngx_malloc(pool, size);
+ }
+ 
+ 
+ void *
+ ngx_pnalloc(ngx_pool_t *pool, size_t size)
+ {
+-#if !(NGX_DEBUG_PALLOC)
+-    if (size <= pool->max) {
+-        return ngx_palloc_small(pool, size, 0);
+-    }
+-#endif
+-
+-    return ngx_palloc_large(pool, size);
+-}
+-
+-
+-static ngx_inline void *
+-ngx_palloc_small(ngx_pool_t *pool, size_t size, ngx_uint_t align)
+-{
+-    u_char      *m;
+-    ngx_pool_t  *p;
+-
+-    p = pool->current;
+-
+-    do {
+-        m = p->d.last;
+-
+-        if (align) {
+-            m = ngx_align_ptr(m, NGX_ALIGNMENT);
+-        }
+-
+-        if ((size_t) (p->d.end - m) >= size) {
+-            p->d.last = m + size;
+-
+-            return m;
+-        }
+-
+-        p = p->d.next;
+-
+-    } while (p);
+-
+-    return ngx_palloc_block(pool, size);
+-}
+-
+-
+-static void *
+-ngx_palloc_block(ngx_pool_t *pool, size_t size)
+-{
+-    u_char      *m;
+-    size_t       psize;
+-    ngx_pool_t  *p, *new;
+-
+-    psize = (size_t) (pool->d.end - (u_char *) pool);
+-
+-    m = ngx_memalign(NGX_POOL_ALIGNMENT, psize, pool->log);
+-    if (m == NULL) {
+-        return NULL;
+-    }
+-
+-    new = (ngx_pool_t *) m;
+-
+-    new->d.end = m + psize;
+-    new->d.next = NULL;
+-    new->d.failed = 0;
+-
+-    m += sizeof(ngx_pool_data_t);
+-    m = ngx_align_ptr(m, NGX_ALIGNMENT);
+-    new->d.last = m + size;
+-
+-    for (p = pool->current; p->d.next; p = p->d.next) {
+-        if (p->d.failed++ > 4) {
+-            pool->current = p->d.next;
+-        }
+-    }
+-
+-    p->d.next = new;
+-
+-    return m;
++    return ngx_malloc(pool, size);
+ }
+ 
+ 
+ static void *
+-ngx_palloc_large(ngx_pool_t *pool, size_t size)
++ngx_malloc(ngx_pool_t *pool, size_t size)
+ {
+-    void              *p;
+-    ngx_uint_t         n;
+-    ngx_pool_large_t  *large;
++    void                *p;
++    ngx_pool_data_t     *d;
+ 
+     p = ngx_alloc(size, pool->log);
+     if (p == NULL) {
+         return NULL;
+     }
+ 
+-    n = 0;
+-
+-    for (large = pool->large; large; large = large->next) {
+-        if (large->alloc == NULL) {
+-            large->alloc = p;
+-            return p;
+-        }
+-
+-        if (n++ > 3) {
+-            break;
+-        }
+-    }
+-
+-    large = ngx_palloc_small(pool, sizeof(ngx_pool_large_t), 1);
+-    if (large == NULL) {
++    d = ngx_alloc(sizeof(ngx_pool_data_t), pool->log);
++    if (d == NULL){
+         ngx_free(p);
+         return NULL;
+     }
+ 
+-    large->alloc = p;
+-    large->next = pool->large;
+-    pool->large = large;
+-
++    d->alloc = p;
++    d->next = pool->d;
++    pool->d = d;
+     return p;
+ }
+ 
+@@ -253,38 +156,48 @@ void *
+ ngx_pmemalign(ngx_pool_t *pool, size_t size, size_t alignment)
+ {
+     void              *p;
+-    ngx_pool_large_t  *large;
++    ngx_pool_data_t   *d;
+ 
+     p = ngx_memalign(alignment, size, pool->log);
+     if (p == NULL) {
+         return NULL;
+     }
+ 
+-    large = ngx_palloc_small(pool, sizeof(ngx_pool_large_t), 1);
+-    if (large == NULL) {
++    d = ngx_alloc(sizeof(ngx_pool_data_t), pool->log);
++    if (d == NULL){
+         ngx_free(p);
+         return NULL;
+     }
+ 
+-    large->alloc = p;
+-    large->next = pool->large;
+-    pool->large = large;
+-
++    d->alloc = p;
++    d->next = pool->d;
++    pool->d = d;
+     return p;
+ }
+ 
+ 
+ ngx_int_t
+-ngx_pfree(ngx_pool_t *pool, void *p)
++ngx_pfree(ngx_pool_t *pool, void *data)
+ {
+-    ngx_pool_large_t  *l;
++    ngx_pool_data_t     *p, *d;
+ 
+-    for (l = pool->large; l; l = l->next) {
+-        if (p == l->alloc) {
+-            ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, pool->log, 0,
+-                           "free: %p", l->alloc);
+-            ngx_free(l->alloc);
+-            l->alloc = NULL;
++    p = NULL;
++    for (d = pool->d; d; p = d, d = d->next) {
++        if (data == d->alloc) {
++
++            ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, pool->log, 0, "free: %p", d->alloc);
++
++            ngx_free(d->alloc);
++            d->alloc = NULL;
++
++            if (p) {
++                p->next = d->next;
++
++            } else {
++                pool->d = d->next;
++            }
++
++            ngx_free(d);
+ 
+             return NGX_OK;
+         }
+diff --minimal '--exclude=*.swp' '--exclude=*~' -up nginx-1.19.9/src/core/ngx_palloc.h nginx-1.19.9-patched/src/core/ngx_palloc.h
+--- nginx-1.19.9/src/core/ngx_palloc.h	2016-04-19 09:02:38.000000000 -0700
++++ nginx-1.19.9-patched/src/core/ngx_palloc.h	2016-04-21 16:25:07.454949755 -0700
+@@ -38,28 +38,21 @@ struct ngx_pool_cleanup_s {
+ };
+ 
+ 
+-typedef struct ngx_pool_large_s  ngx_pool_large_t;
+-
+-struct ngx_pool_large_s {
+-    ngx_pool_large_t     *next;
+-    void                 *alloc;
+-};
++typedef struct ngx_pool_data_s   ngx_pool_large_t;
++typedef struct ngx_pool_data_s   ngx_pool_data_t;
+ 
+ 
+-typedef struct {
+-    u_char               *last;
+-    u_char               *end;
+-    ngx_pool_t           *next;
+-    ngx_uint_t            failed;
+-} ngx_pool_data_t;
++struct ngx_pool_data_s {
++    ngx_pool_data_t        *next;
++    void                   *alloc;
++};
+ 
+ 
+ struct ngx_pool_s {
+-    ngx_pool_data_t       d;
++    ngx_pool_data_t      *d;
+     size_t                max;
+     ngx_pool_t           *current;
+     ngx_chain_t          *chain;
+-    ngx_pool_large_t     *large;
+     ngx_pool_cleanup_t   *cleanup;
+     ngx_log_t            *log;
+ };
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-pcre_conf_opt.patch b/images/nginx/rootfs/patches/nginx-1.19.9-pcre_conf_opt.patch
new file mode 100644
index 000000000..eb17e0642
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-pcre_conf_opt.patch
@@ -0,0 +1,26 @@
+# HG changeset patch
+# User Yichun Zhang <agentzh@gmail.com>
+# Date 1386694955 28800
+# Node ID 9ba6b149669f1f02eeb4cdc0ebd364a949b5c469
+# Parent  30e806b8636af5fd3f03ec17df24801f390f7511
+Configure: added new option --with-pcre-conf-opt=OPTIONS.
+
+diff -r 30e806b8636a -r 9ba6b149669f auto/options
+--- a/auto/options	Mon Dec 09 10:16:44 2013 +0400
++++ b/auto/options	Tue Dec 10 09:02:35 2013 -0800
+@@ -286,6 +286,7 @@
+         --with-pcre)                     USE_PCRE=YES               ;;
+         --with-pcre=*)                   PCRE="$value"              ;;
+         --with-pcre-opt=*)               PCRE_OPT="$value"          ;;
++        --with-pcre-conf-opt=*)          PCRE_CONF_OPT="$value"     ;;
+         --with-pcre-jit)                 PCRE_JIT=YES               ;;
+ 
+         --with-openssl=*)                OPENSSL="$value"           ;;
+@@ -441,6 +442,7 @@
+   --with-pcre                        force PCRE library usage
+   --with-pcre=DIR                    set path to PCRE library sources
+   --with-pcre-opt=OPTIONS            set additional build options for PCRE
++  --with-pcre-conf-opt=OPTIONS       set additional configure options for PCRE
+   --with-pcre-jit                    build PCRE with JIT compilation support
+ 
+   --with-md5=DIR                     set path to md5 library sources
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-privileged_agent_process.patch b/images/nginx/rootfs/patches/nginx-1.19.9-privileged_agent_process.patch
new file mode 100644
index 000000000..164004eba
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-privileged_agent_process.patch
@@ -0,0 +1,203 @@
+diff --git a/src/core/nginx.c b/src/core/nginx.c
+index 60f8fe7..4bd244b 100644
+--- a/src/core/nginx.c
++++ b/src/core/nginx.c
+@@ -981,6 +981,7 @@ ngx_core_module_create_conf(ngx_cycle_t *cycle)
+ 
+     ccf->daemon = NGX_CONF_UNSET;
+     ccf->master = NGX_CONF_UNSET;
++    ccf->privileged_agent = NGX_CONF_UNSET;
+     ccf->timer_resolution = NGX_CONF_UNSET_MSEC;
+ 
+     ccf->worker_processes = NGX_CONF_UNSET;
+@@ -1009,6 +1010,7 @@ ngx_core_module_init_conf(ngx_cycle_t *cycle, void *conf)
+ 
+     ngx_conf_init_value(ccf->daemon, 1);
+     ngx_conf_init_value(ccf->master, 1);
++    ngx_conf_init_value(ccf->privileged_agent, 0);
+     ngx_conf_init_msec_value(ccf->timer_resolution, 0);
+ 
+     ngx_conf_init_value(ccf->worker_processes, 1);
+diff --git a/src/core/ngx_cycle.h b/src/core/ngx_cycle.h
+index c51b7ff..3261f90 100644
+--- a/src/core/ngx_cycle.h
++++ b/src/core/ngx_cycle.h
+@@ -22,6 +22,9 @@
+ #define NGX_DEBUG_POINTS_ABORT  2
+ 
+ 
++#define HAVE_PRIVILEGED_PROCESS_PATCH   1
++
++
+ typedef struct ngx_shm_zone_s  ngx_shm_zone_t;
+ 
+ typedef ngx_int_t (*ngx_shm_zone_init_pt) (ngx_shm_zone_t *zone, void *data);
+@@ -81,6 +84,7 @@ struct ngx_cycle_s {
+ typedef struct {
+     ngx_flag_t                daemon;
+     ngx_flag_t                master;
++    ngx_flag_t                privileged_agent;
+ 
+     ngx_msec_t                timer_resolution;
+ 
+diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
+index 7cee1c5..c4f70d6 100644
+--- a/src/os/unix/ngx_process_cycle.c
++++ b/src/os/unix/ngx_process_cycle.c
+@@ -15,6 +15,8 @@ static void ngx_start_worker_processes(ngx_cycle_t *cycle, ngx_int_t n,
+     ngx_int_t type);
+ static void ngx_start_cache_manager_processes(ngx_cycle_t *cycle,
+     ngx_uint_t respawn);
++static void ngx_start_privileged_agent_processes(ngx_cycle_t *cycle,
++    ngx_uint_t respawn);
+ static void ngx_pass_open_channel(ngx_cycle_t *cycle);
+ static void ngx_signal_worker_processes(ngx_cycle_t *cycle, int signo);
+ static ngx_uint_t ngx_reap_children(ngx_cycle_t *cycle);
+@@ -24,6 +26,7 @@ static void ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker);
+ static void ngx_worker_process_exit(ngx_cycle_t *cycle);
+ static void ngx_channel_handler(ngx_event_t *ev);
+ static void ngx_cache_manager_process_cycle(ngx_cycle_t *cycle, void *data);
++static void ngx_privileged_agent_process_cycle(ngx_cycle_t *cycle, void *data);
+ static void ngx_cache_manager_process_handler(ngx_event_t *ev);
+ static void ngx_cache_loader_process_handler(ngx_event_t *ev);
+ 
+@@ -51,6 +54,8 @@ sig_atomic_t  ngx_noaccept;
+ ngx_uint_t    ngx_noaccepting;
+ ngx_uint_t    ngx_restart;
+ 
++ngx_uint_t    ngx_is_privileged_agent;
++
+ 
+ static u_char  master_process[] = "master process";
+ 
+@@ -130,6 +135,7 @@ ngx_master_process_cycle(ngx_cycle_t *cycle)
+     ngx_start_worker_processes(cycle, ccf->worker_processes,
+                                NGX_PROCESS_RESPAWN);
+     ngx_start_cache_manager_processes(cycle, 0);
++    ngx_start_privileged_agent_processes(cycle, 0);
+ 
+     ngx_new_binary = 0;
+     delay = 0;
+@@ -215,6 +221,7 @@ ngx_master_process_cycle(ngx_cycle_t *cycle)
+                 ngx_start_worker_processes(cycle, ccf->worker_processes,
+                                            NGX_PROCESS_RESPAWN);
+                 ngx_start_cache_manager_processes(cycle, 0);
++                ngx_start_privileged_agent_processes(cycle, 0);
+                 ngx_noaccepting = 0;
+ 
+                 continue;
+@@ -234,6 +241,7 @@ ngx_master_process_cycle(ngx_cycle_t *cycle)
+             ngx_start_worker_processes(cycle, ccf->worker_processes,
+                                        NGX_PROCESS_JUST_RESPAWN);
+             ngx_start_cache_manager_processes(cycle, 1);
++            ngx_start_privileged_agent_processes(cycle, 1);
+ 
+             /* allow new processes to start */
+             ngx_msleep(100);
+@@ -248,6 +256,7 @@ ngx_master_process_cycle(ngx_cycle_t *cycle)
+             ngx_start_worker_processes(cycle, ccf->worker_processes,
+                                        NGX_PROCESS_RESPAWN);
+             ngx_start_cache_manager_processes(cycle, 0);
++            ngx_start_privileged_agent_processes(cycle, 0);
+             live = 1;
+         }
+ 
+@@ -393,6 +431,26 @@ ngx_start_cache_manager_processes(ngx_cycle_t *cycle, ngx_uint_t respawn)
+ 
+ 
+ static void
++ngx_start_privileged_agent_processes(ngx_cycle_t *cycle, ngx_uint_t respawn)
++{
++    ngx_core_conf_t       *ccf;
++
++    ccf = (ngx_core_conf_t *) ngx_get_conf(cycle->conf_ctx,
++                                           ngx_core_module);
++
++    if (!ccf->privileged_agent) {
++        return;
++    }
++
++    ngx_spawn_process(cycle, ngx_privileged_agent_process_cycle,
++                      "privileged agent process", "privileged agent process",
++                      respawn ? NGX_PROCESS_JUST_RESPAWN : NGX_PROCESS_RESPAWN);
++
++    ngx_pass_open_channel(cycle);
++}
++
++
++static void
+ ngx_pass_open_channel(ngx_cycle_t *cycle)
+ {
+     ngx_int_t  i;
+@@ -794,7 +860,10 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker)
+         }
+     }
+ 
+-    if (geteuid() == 0) {
++    /*
++     * privileged agent process has the same permission as master process
++     */
++    if (!ngx_is_privileged_agent && geteuid() == 0) {
+         if (setgid(ccf->group) == -1) {
+             ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+                           "setgid(%d) failed", ccf->group);
+@@ -1149,6 +1216,47 @@ ngx_cache_manager_process_cycle(ngx_cycle_t *cycle, void *data)
+ 
+ 
+ static void
++ngx_privileged_agent_process_cycle(ngx_cycle_t *cycle, void *data)
++{
++    char   *name = data;
++
++    /*
++     * Set correct process type since closing listening Unix domain socket
++     * in a master process also removes the Unix domain socket file.
++     */
++    ngx_process = NGX_PROCESS_HELPER;
++    ngx_is_privileged_agent = 1;
++
++    ngx_close_listening_sockets(cycle);
++
++    /* Set a moderate number of connections for a helper process. */
++    cycle->connection_n = 512;
++
++    ngx_worker_process_init(cycle, -1);
++
++    ngx_use_accept_mutex = 0;
++
++    ngx_setproctitle(name);
++
++    for ( ;; ) {
++
++        if (ngx_terminate || ngx_quit) {
++            ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting");
++            ngx_worker_process_exit(cycle);
++        }
++
++        if (ngx_reopen) {
++            ngx_reopen = 0;
++            ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "reopening logs");
++            ngx_reopen_files(cycle, -1);
++        }
++
++        ngx_process_events_and_timers(cycle);
++    }
++}
++
++
++static void
+ ngx_cache_manager_process_handler(ngx_event_t *ev)
+ {
+     time_t        next, n;
+diff --git a/src/os/unix/ngx_process_cycle.h b/src/os/unix/ngx_process_cycle.h
+index 69495d5..5149396 100644
+--- a/src/os/unix/ngx_process_cycle.h
++++ b/src/os/unix/ngx_process_cycle.h
+@@ -45,6 +45,7 @@ extern ngx_pid_t       ngx_new_binary;
+ extern ngx_uint_t      ngx_inherited;
+ extern ngx_uint_t      ngx_daemonized;
+ extern ngx_uint_t      ngx_exiting;
++extern ngx_uint_t      ngx_is_privileged_agent;
+ 
+ extern sig_atomic_t    ngx_reap;
+ extern sig_atomic_t    ngx_sigio;
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-privileged_agent_process_connections.patch b/images/nginx/rootfs/patches/nginx-1.19.9-privileged_agent_process_connections.patch
new file mode 100644
index 000000000..c642cfa4c
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-privileged_agent_process_connections.patch
@@ -0,0 +1,53 @@
+diff --git a/src/core/nginx.c b/src/core/nginx.c
+index 269ff84..48329bd 100644
+--- a/src/core/nginx.c
++++ b/src/core/nginx.c
+@@ -1062,6 +1062,7 @@ ngx_core_module_create_conf(ngx_cycle_t *cycle)
+     ccf->daemon = NGX_CONF_UNSET;
+     ccf->master = NGX_CONF_UNSET;
+     ccf->privileged_agent = NGX_CONF_UNSET;
++    ccf->privileged_agent_connections = NGX_CONF_UNSET_UINT;
+     ccf->timer_resolution = NGX_CONF_UNSET_MSEC;
+     ccf->shutdown_timeout = NGX_CONF_UNSET_MSEC;
+ 
+@@ -1092,6 +1093,7 @@ ngx_core_module_init_conf(ngx_cycle_t *cycle, void *conf)
+     ngx_conf_init_value(ccf->daemon, 1);
+     ngx_conf_init_value(ccf->master, 1);
+     ngx_conf_init_value(ccf->privileged_agent, 0);
++    ngx_conf_init_uint_value(ccf->privileged_agent_connections, 512);
+     ngx_conf_init_msec_value(ccf->timer_resolution, 0);
+     ngx_conf_init_msec_value(ccf->shutdown_timeout, 0);
+ 
+diff --git a/src/core/ngx_cycle.h b/src/core/ngx_cycle.h
+index 6a9583e..4469390 100644
+--- a/src/core/ngx_cycle.h
++++ b/src/core/ngx_cycle.h
+@@ -93,6 +93,7 @@ typedef struct {
+     ngx_flag_t                daemon;
+     ngx_flag_t                master;
+     ngx_flag_t                privileged_agent;
++    ngx_uint_t                privileged_agent_connections;
+ 
+     ngx_msec_t                timer_resolution;
+     ngx_msec_t                shutdown_timeout;
+diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
+index df25f9d..bd259c1 100644
+--- a/src/os/unix/ngx_process_cycle.c
++++ b/src/os/unix/ngx_process_cycle.c
+@@ -1179,6 +1179,7 @@ static void
+ ngx_privileged_agent_process_cycle(ngx_cycle_t *cycle, void *data)
+ {
+     char   *name = data;
++    ngx_core_conf_t *ccf = (ngx_core_conf_t *) ngx_get_conf(cycle->conf_ctx, ngx_core_module);
+ 
+     /*
+      * Set correct process type since closing listening Unix domain socket
+@@ -1190,7 +1191,7 @@ ngx_privileged_agent_process_cycle(ngx_cycle_t *cycle, void *data)
+     ngx_close_listening_sockets(cycle);
+ 
+     /* Set a moderate number of connections for a helper process. */
+-    cycle->connection_n = 512;
++    cycle->connection_n = ccf->privileged_agent_connections;
+ 
+     ngx_worker_process_init(cycle, -1);
+ 
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-proxy_host_port_vars.patch b/images/nginx/rootfs/patches/nginx-1.19.9-proxy_host_port_vars.patch
similarity index 87%
rename from images/nginx/rootfs/patches/nginx-1.19.3-proxy_host_port_vars.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-proxy_host_port_vars.patch
index 63eaf0ca7..25282bda3 100644
--- a/images/nginx/rootfs/patches/nginx-1.19.3-proxy_host_port_vars.patch
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-proxy_host_port_vars.patch
@@ -1,5 +1,5 @@
---- nginx-1.19.3/src/http/modules/ngx_http_proxy_module.c	2017-07-16 14:02:51.000000000 +0800
-+++ nginx-1.19.3-patched/src/http/modules/ngx_http_proxy_module.c	2017-07-16 14:02:51.000000000 +0800
+--- nginx-1.19.9/src/http/modules/ngx_http_proxy_module.c	2017-07-16 14:02:51.000000000 +0800
++++ nginx-1.19.9-patched/src/http/modules/ngx_http_proxy_module.c	2017-07-16 14:02:51.000000000 +0800
 @@ -793,13 +793,13 @@ static ngx_keyval_t  ngx_http_proxy_cach
  static ngx_http_variable_t  ngx_http_proxy_vars[] = {
  
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-resolver_conf_parsing.patch b/images/nginx/rootfs/patches/nginx-1.19.9-resolver_conf_parsing.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-resolver_conf_parsing.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-resolver_conf_parsing.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-reuseport_close_unused_fds.patch b/images/nginx/rootfs/patches/nginx-1.19.9-reuseport_close_unused_fds.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-reuseport_close_unused_fds.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-reuseport_close_unused_fds.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-safe_resolver_ipv6_option.patch b/images/nginx/rootfs/patches/nginx-1.19.9-safe_resolver_ipv6_option.patch
new file mode 100644
index 000000000..59c62c8a5
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-safe_resolver_ipv6_option.patch
@@ -0,0 +1,56 @@
+# HG changeset patch
+# User Thibault Charbonnier <thibaultcha@fastmail.com>
+# Date 1481847421 28800
+#      Thu Dec 15 16:17:01 2016 -0800
+# Node ID 8bf038fe006fd8ae253d6b41fc6cf109a8912d3e
+# Parent  a3dc657f4e9530623683e6b85bd7492662e4dc47
+Resolver: ignore ipv6=off resolver option when no ipv6 support
+
+Makes the resolver directive more robust: we only error out when ipv6
+resolution is desired but not supported (ipv6=on).
+
+use case 1: some configurations are sometimes re-used between builds with and
+without ipv6 support. This patch avoids the need to remove the "ipv6=off" flag.
+
+use case 2: currently, some tools rely on the --with-ipv6 configure option from
+"nginx -V" to determine if ipv6 resolution should be disabled in some cases.
+With this option disappearing in Nginx 1.11.5, this patch would allow such tools
+to assume "ipv6=off" to be safe regardless of ipv6 support in the current
+build.
+
+diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
+index dade1846..5a3f0aa4 100644
+--- a/src/core/ngx_resolver.c
++++ b/src/core/ngx_resolver.c
+@@ -426,14 +426,22 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n)
+             continue;
+         }
+ 
+-#if (NGX_HAVE_INET6)
+         if (ngx_strncmp(names[i].data, "ipv6=", 5) == 0) {
+ 
+             if (ngx_strcmp(&names[i].data[5], "on") == 0) {
++#if (NGX_HAVE_INET6)
+                 r->ipv6 = 1;
++#else
++                ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
++                                   "no ipv6 support but \"%V\" in resolver",
++                                   &names[i]);
++                return NULL;
++#endif
+ 
+             } else if (ngx_strcmp(&names[i].data[5], "off") == 0) {
++#if (NGX_HAVE_INET6)
+                 r->ipv6 = 0;
++#endif
+ 
+             } else {
+                 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+@@ -443,7 +451,6 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n)
+ 
+             continue;
+         }
+-#endif
+ 
+ #if !(NGX_WIN32)
+         if (ngx_strncmp(names[i].data, "local=", 6) == 0) {
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-server_header.patch b/images/nginx/rootfs/patches/nginx-1.19.9-server_header.patch
new file mode 100644
index 000000000..07691d39f
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-server_header.patch
@@ -0,0 +1,39 @@
+diff --git a/src/core/nginx.h b/src/core/nginx.h
+index a3c0ef8..1263881 100644
+--- a/src/core/nginx.h
++++ b/src/core/nginx.h
+@@ -11,7 +11,7 @@
+ 
+ #define nginx_version      1019009
+ #define NGINX_VERSION      "1.19.9"
+-#define NGINX_VER          "nginx/" NGINX_VERSION
++#define NGINX_VER          "openresty/" NGINX_VERSION ".unknown"
+ 
+ #ifdef NGX_BUILD
+ #define NGINX_VER_BUILD    NGINX_VER " (" NGX_BUILD ")"
+diff --git a/src/http/ngx_http_header_filter_module.c b/src/http/ngx_http_header_filter_module.c
+index 9b89405..ca13f2a 100644
+--- a/src/http/ngx_http_header_filter_module.c
++++ b/src/http/ngx_http_header_filter_module.c
+@@ -46,7 +46,7 @@ ngx_module_t  ngx_http_header_filter_module = {
+ };
+ 
+ 
+-static u_char ngx_http_server_string[] = "Server: nginx" CRLF;
++static u_char ngx_http_server_string[] = "Server: openresty" CRLF;
+ static u_char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
+ static u_char ngx_http_server_build_string[] = "Server: " NGINX_VER_BUILD CRLF;
+ 
+diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c
+index 8621e7a..a76c677 100644
+--- a/src/http/v2/ngx_http_v2_filter_module.c
++++ b/src/http/v2/ngx_http_v2_filter_module.c
+@@ -143,7 +143,7 @@ ngx_http_v2_header_filter(ngx_http_request_t *r)
+     ngx_http_core_srv_conf_t  *cscf;
+     u_char                     addr[NGX_SOCKADDR_STRLEN];
+ 
+-    static const u_char nginx[5] = "\x84\xaa\x63\x55\xe7";
++    static const u_char nginx[8] = "\x87\x3d\x65\xaa\xc2\xa1\x3e\xbf";
+ #if (NGX_HTTP_GZIP)
+     static const u_char accept_encoding[12] =
+         "\x8b\x84\x84\x2d\x69\x5b\x05\x44\x3c\x86\xaa\x6f";
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-setting_args_invalidates_uri.patch b/images/nginx/rootfs/patches/nginx-1.19.9-setting_args_invalidates_uri.patch
new file mode 100644
index 000000000..c2fcd4cf2
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-setting_args_invalidates_uri.patch
@@ -0,0 +1,44 @@
+# HG changeset patch
+# User Yichun Zhang <agentzh@gmail.com>
+# Date 1390506359 28800
+# Node ID 17186b98c235c07e94c64e5853689f790f173756
+# Parent  4b50d1f299d8a69f3e3f7975132e1490352642fe
+Variable: setting $args should invalidate unparsed uri.
+
+diff -r 4b50d1f299d8 -r 17186b98c235 src/http/ngx_http_variables.c
+--- a/src/http/ngx_http_variables.c	Fri Jan 10 11:22:14 2014 -0800
++++ b/src/http/ngx_http_variables.c	Thu Jan 23 11:45:59 2014 -0800
+@@ -15,6 +15,8 @@
+     ngx_http_variable_value_t *v, uintptr_t data);
+ static void ngx_http_variable_request_set(ngx_http_request_t *r,
+     ngx_http_variable_value_t *v, uintptr_t data);
++static void ngx_http_variable_request_args_set(ngx_http_request_t *r,
++    ngx_http_variable_value_t *v, uintptr_t data);
+ static ngx_int_t ngx_http_variable_request_get_size(ngx_http_request_t *r,
+     ngx_http_variable_value_t *v, uintptr_t data);
+ static void ngx_http_variable_request_set_size(ngx_http_request_t *r,
+@@ -218,7 +220,7 @@
+       NGX_HTTP_VAR_NOCACHEABLE, 0 },
+ 
+     { ngx_string("args"),
+-      ngx_http_variable_request_set,
++      ngx_http_variable_request_args_set,
+       ngx_http_variable_request,
+       offsetof(ngx_http_request_t, args),
+       NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 },
+@@ -647,6 +649,15 @@
+ 
+ 
+ static void
++ngx_http_variable_request_args_set(ngx_http_request_t *r,
++    ngx_http_variable_value_t *v, uintptr_t data)
++{
++    r->valid_unparsed_uri = 0;
++    ngx_http_variable_request_set(r, v, data);
++}
++
++
++static void
+ ngx_http_variable_request_set(ngx_http_request_t *r,
+     ngx_http_variable_value_t *v, uintptr_t data)
+ {
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-single_process_graceful_exit.patch b/images/nginx/rootfs/patches/nginx-1.19.9-single_process_graceful_exit.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-single_process_graceful_exit.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-single_process_graceful_exit.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-socket_cloexec.patch b/images/nginx/rootfs/patches/nginx-1.19.9-socket_cloexec.patch
similarity index 98%
rename from images/nginx/rootfs/patches/nginx-1.19.3-socket_cloexec.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-socket_cloexec.patch
index 985ce573b..8ffe4c167 100644
--- a/images/nginx/rootfs/patches/nginx-1.19.3-socket_cloexec.patch
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-socket_cloexec.patch
@@ -151,7 +151,7 @@ diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
 index c4376a5..48e8fa8 100644
 --- a/src/os/unix/ngx_process_cycle.c
 +++ b/src/os/unix/ngx_process_cycle.c
-@@ -1032,6 +1032,9 @@ ngx_worker_process_exit(ngx_cycle_t *cycle)
+@@ -960,6 +1029,9 @@ ngx_worker_process_exit(ngx_cycle_t *cycle)
          for (i = 0; i < cycle->connection_n; i++) {
              if (c[i].fd != -1
                  && c[i].read
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-ssl_cert_cb_yield.patch b/images/nginx/rootfs/patches/nginx-1.19.9-ssl_cert_cb_yield.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-ssl_cert_cb_yield.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-ssl_cert_cb_yield.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-ssl_sess_cb_yield.patch b/images/nginx/rootfs/patches/nginx-1.19.9-ssl_sess_cb_yield.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-ssl_sess_cb_yield.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-ssl_sess_cb_yield.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-static_mod_escape_loc_hdr.patch b/images/nginx/rootfs/patches/nginx-1.19.9-static_mod_escape_loc_hdr.patch
new file mode 100644
index 000000000..04d9ef10b
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-static_mod_escape_loc_hdr.patch
@@ -0,0 +1,50 @@
+diff --git a/src/http/modules/ngx_http_static_module.c b/src/http/modules/ngx_http_static_module.c
+index 282d6ee..899e11e 100644
+--- a/src/http/modules/ngx_http_static_module.c
++++ b/src/http/modules/ngx_http_static_module.c
+@@ -58,6 +58,8 @@ ngx_http_static_handler(ngx_http_request_t *r)
+     ngx_chain_t                out;
+     ngx_open_file_info_t       of;
+     ngx_http_core_loc_conf_t  *clcf;
++    u_char                    *uri;
++    uintptr_t                  escape;
+ 
+     if (!(r->method & (NGX_HTTP_GET|NGX_HTTP_HEAD|NGX_HTTP_POST))) {
+         return NGX_HTTP_NOT_ALLOWED;
+@@ -162,9 +164,21 @@ ngx_http_static_handler(ngx_http_request_t *r)
+ 
+             *last = '/';
+ 
++            escape = 2 * ngx_escape_uri(NULL, location, len, NGX_ESCAPE_URI);
++            if (escape > 0) {
++                uri = ngx_pnalloc(r->pool, len + escape);
++                if (uri == NULL) {
++                   return NGX_ERROR;
++                }
++                ngx_escape_uri(uri, location, len, NGX_ESCAPE_URI);
++                location = uri;
++                len += escape;
++            }
++
+         } else {
++            escape = 2 * ngx_escape_uri(NULL, r->uri.data, r->uri.len, NGX_ESCAPE_URI);
+             if (r->args.len) {
+-                len += r->args.len + 1;
++                len += r->args.len + 1 + escape;
+             }
+ 
+             location = ngx_pnalloc(r->pool, len);
+@@ -173,7 +187,12 @@ ngx_http_static_handler(ngx_http_request_t *r)
+                 return NGX_HTTP_INTERNAL_SERVER_ERROR;
+             }
+ 
+-            last = ngx_copy(location, r->uri.data, r->uri.len);
++            if (escape > 0) {
++                last = (u_char *) ngx_escape_uri(location, r->uri.data, r->uri.len, NGX_ESCAPE_URI);
++
++            } else {
++                last = ngx_copy(location, r->uri.data, r->uri.len);
++            }
+ 
+             *last = '/';
+ 
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-stream_balancer_export.patch b/images/nginx/rootfs/patches/nginx-1.19.9-stream_balancer_export.patch
new file mode 100644
index 000000000..f56bc5257
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-stream_balancer_export.patch
@@ -0,0 +1,53 @@
+diff --git a/src/stream/ngx_stream_upstream_round_robin.c b/src/stream/ngx_stream_upstream_round_robin.c
+index 526de3a..b531ce1 100644
+--- a/src/stream/ngx_stream_upstream_round_robin.c
++++ b/src/stream/ngx_stream_upstream_round_robin.c
+@@ -21,10 +21,6 @@ static void ngx_stream_upstream_notify_round_robin_peer(
+ 
+ #if (NGX_STREAM_SSL)
+ 
+-static ngx_int_t ngx_stream_upstream_set_round_robin_peer_session(
+-    ngx_peer_connection_t *pc, void *data);
+-static void ngx_stream_upstream_save_round_robin_peer_session(
+-    ngx_peer_connection_t *pc, void *data);
+ static ngx_int_t ngx_stream_upstream_empty_set_session(
+     ngx_peer_connection_t *pc, void *data);
+ static void ngx_stream_upstream_empty_save_session(ngx_peer_connection_t *pc,
+@@ -690,7 +686,7 @@ ngx_stream_upstream_notify_round_robin_peer(ngx_peer_connection_t *pc,
+ 
+ #if (NGX_STREAM_SSL)
+ 
+-static ngx_int_t
++ngx_int_t
+ ngx_stream_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc,
+     void *data)
+ {
+@@ -756,7 +752,7 @@ ngx_stream_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc,
+ }
+ 
+ 
+-static void
++void
+ ngx_stream_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
+     void *data)
+ {
+diff --git a/src/stream/ngx_stream_upstream_round_robin.h b/src/stream/ngx_stream_upstream_round_robin.h
+index 35d9fce..75f3e31 100644
+--- a/src/stream/ngx_stream_upstream_round_robin.h
++++ b/src/stream/ngx_stream_upstream_round_robin.h
+@@ -142,5 +142,15 @@ ngx_int_t ngx_stream_upstream_get_round_robin_peer(ngx_peer_connection_t *pc,
+ void ngx_stream_upstream_free_round_robin_peer(ngx_peer_connection_t *pc,
+     void *data, ngx_uint_t state);
+ 
++#if (NGX_STREAM_SSL)
++ngx_int_t ngx_stream_upstream_set_round_robin_peer_session(
++    ngx_peer_connection_t *pc, void *data);
++void ngx_stream_upstream_save_round_robin_peer_session(
++    ngx_peer_connection_t *pc, void *data);
++#endif
++
++
++#define HAVE_NGX_STREAM_BALANCER_EXPORT_PATCH 1
++
+ 
+ #endif /* _NGX_STREAM_UPSTREAM_ROUND_ROBIN_H_INCLUDED_ */
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-stream_proxy_get_next_upstream_tries.patch b/images/nginx/rootfs/patches/nginx-1.19.9-stream_proxy_get_next_upstream_tries.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-stream_proxy_get_next_upstream_tries.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-stream_proxy_get_next_upstream_tries.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-stream_proxy_timeout_fields.patch b/images/nginx/rootfs/patches/nginx-1.19.9-stream_proxy_timeout_fields.patch
new file mode 100644
index 000000000..3b4b5e731
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-stream_proxy_timeout_fields.patch
@@ -0,0 +1,182 @@
+diff --git a/src/stream/ngx_stream.h b/src/stream/ngx_stream.h
+index 57e73e04..9a95ef99 100644
+--- a/src/stream/ngx_stream.h
++++ b/src/stream/ngx_stream.h
+@@ -242,6 +242,15 @@ typedef struct {
+ } ngx_stream_module_t;
+ 
+ 
++typedef struct {
++    ngx_msec_t                       connect_timeout;
++    ngx_msec_t                       timeout;
++} ngx_stream_proxy_ctx_t;
++
++
++#define NGX_STREAM_HAVE_PROXY_TIMEOUT_FIELDS_PATCH 1
++
++
+ #define NGX_STREAM_MODULE       0x4d525453     /* "STRM" */
+ 
+ #define NGX_STREAM_MAIN_CONF    0x02000000
+@@ -295,6 +304,7 @@ void ngx_stream_finalize_session(ngx_stream_session_t *s, ngx_uint_t rc);
+ extern ngx_module_t  ngx_stream_module;
+ extern ngx_uint_t    ngx_stream_max_module;
+ extern ngx_module_t  ngx_stream_core_module;
++extern ngx_module_t  ngx_stream_proxy_module;
+ 
+ 
+ typedef ngx_int_t (*ngx_stream_filter_pt)(ngx_stream_session_t *s,
+diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
+index 7484a728..7b50b427 100644
+--- a/src/stream/ngx_stream_proxy_module.c
++++ b/src/stream/ngx_stream_proxy_module.c
+@@ -378,6 +378,7 @@ ngx_stream_proxy_handler(ngx_stream_session_t *s)
+     ngx_stream_proxy_srv_conf_t      *pscf;
+     ngx_stream_upstream_srv_conf_t   *uscf, **uscfp;
+     ngx_stream_upstream_main_conf_t  *umcf;
++    ngx_stream_proxy_ctx_t           *pctx;
+ 
+     c = s->connection;
+ 
+@@ -386,6 +387,17 @@ ngx_stream_proxy_handler(ngx_stream_session_t *s)
+     ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0,
+                    "proxy connection handler");
+ 
++    pctx = ngx_palloc(c->pool, sizeof(ngx_stream_proxy_ctx_t));
++    if (pctx == NULL) {
++        ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
++        return;
++    }
++
++    pctx->connect_timeout = pscf->connect_timeout;
++    pctx->timeout = pscf->timeout;
++
++    ngx_stream_set_ctx(s, pctx, ngx_stream_proxy_module);
++
+     u = ngx_pcalloc(c->pool, sizeof(ngx_stream_upstream_t));
+     if (u == NULL) {
+         ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
+@@ -677,6 +689,7 @@ ngx_stream_proxy_connect(ngx_stream_session_t *s)
+     ngx_connection_t             *c, *pc;
+     ngx_stream_upstream_t        *u;
+     ngx_stream_proxy_srv_conf_t  *pscf;
++    ngx_stream_proxy_ctx_t       *ctx;
+ 
+     c = s->connection;
+ 
+@@ -684,6 +697,8 @@ ngx_stream_proxy_connect(ngx_stream_session_t *s)
+ 
+     pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module);
+ 
++    ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module);
++
+     u = s->upstream;
+ 
+     u->connected = 0;
+@@ -747,7 +762,7 @@ ngx_stream_proxy_connect(ngx_stream_session_t *s)
+     pc->read->handler = ngx_stream_proxy_connect_handler;
+     pc->write->handler = ngx_stream_proxy_connect_handler;
+ 
+-    ngx_add_timer(pc->write, pscf->connect_timeout);
++    ngx_add_timer(pc->write, ctx->connect_timeout);
+ }
+ 
+ 
+@@ -920,8 +935,10 @@ ngx_stream_proxy_send_proxy_protocol(ngx_stream_session_t *s)
+     ssize_t                       n, size;
+     ngx_connection_t             *c, *pc;
+     ngx_stream_upstream_t        *u;
+-    ngx_stream_proxy_srv_conf_t  *pscf;
+     u_char                        buf[NGX_PROXY_PROTOCOL_MAX_HEADER];
++    ngx_stream_proxy_ctx_t       *ctx;
++
++    ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module);
+ 
+     c = s->connection;
+ 
+@@ -948,9 +965,7 @@ ngx_stream_proxy_send_proxy_protocol(ngx_stream_session_t *s)
+             return NGX_ERROR;
+         }
+ 
+-        pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module);
+-
+-        ngx_add_timer(pc->write, pscf->timeout);
++        ngx_add_timer(pc->write, ctx->timeout);
+ 
+         pc->write->handler = ngx_stream_proxy_connect_handler;
+ 
+@@ -1014,6 +1029,9 @@ ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s)
+     ngx_connection_t             *pc;
+     ngx_stream_upstream_t        *u;
+     ngx_stream_proxy_srv_conf_t  *pscf;
++    ngx_stream_proxy_ctx_t       *ctx;
++
++    ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module);
+ 
+     u = s->upstream;
+ 
+@@ -1051,7 +1069,7 @@ ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s)
+     if (rc == NGX_AGAIN) {
+ 
+         if (!pc->write->timer_set) {
+-            ngx_add_timer(pc->write, pscf->connect_timeout);
++            ngx_add_timer(pc->write, ctx->connect_timeout);
+         }
+ 
+         pc->ssl->handler = ngx_stream_proxy_ssl_handshake;
+@@ -1316,6 +1334,7 @@ ngx_stream_proxy_process_connection(ngx_event_t *ev, ngx_uint_t from_upstream)
+     ngx_stream_session_t         *s;
+     ngx_stream_upstream_t        *u;
+     ngx_stream_proxy_srv_conf_t  *pscf;
++    ngx_stream_proxy_ctx_t       *ctx;
+ 
+     c = ev->data;
+     s = c->data;
+@@ -1327,6 +1346,8 @@ ngx_stream_proxy_process_connection(ngx_event_t *ev, ngx_uint_t from_upstream)
+         return;
+     }
+ 
++    ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module);
++
+     c = s->connection;
+     pc = u->peer.connection;
+ 
+@@ -1346,7 +1367,7 @@ ngx_stream_proxy_process_connection(ngx_event_t *ev, ngx_uint_t from_upstream)
+                 }
+ 
+                 if (u->connected && !c->read->delayed && !pc->read->delayed) {
+-                    ngx_add_timer(c->write, pscf->timeout);
++                    ngx_add_timer(c->write, ctx->timeout);
+                 }
+ 
+                 return;
+@@ -1507,7 +1528,9 @@ ngx_stream_proxy_process(ngx_stream_session_t *s, ngx_uint_t from_upstream,
+     ngx_connection_t             *c, *pc, *src, *dst;
+     ngx_log_handler_pt            handler;
+     ngx_stream_upstream_t        *u;
+-    ngx_stream_proxy_srv_conf_t  *pscf;
++    ngx_stream_proxy_ctx_t       *ctx;
++
++    ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module);
+ 
+     u = s->upstream;
+ 
+@@ -1529,8 +1552,6 @@ ngx_stream_proxy_process(ngx_stream_session_t *s, ngx_uint_t from_upstream,
+         return;
+     }
+ 
+-    pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module);
+-
+     if (from_upstream) {
+         src = pc;
+         dst = c;
+@@ -1682,7 +1703,7 @@ ngx_stream_proxy_process(ngx_stream_session_t *s, ngx_uint_t from_upstream,
+         }
+ 
+         if (!c->read->delayed && !pc->read->delayed) {
+-            ngx_add_timer(c->write, pscf->timeout);
++            ngx_add_timer(c->write, ctx->timeout);
+ 
+         } else if (c->write->timer_set) {
+             ngx_del_timer(c->write);
+
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-stream_ssl_preread_no_skip.patch b/images/nginx/rootfs/patches/nginx-1.19.9-stream_ssl_preread_no_skip.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-stream_ssl_preread_no_skip.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-stream_ssl_preread_no_skip.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-upstream_pipelining.patch b/images/nginx/rootfs/patches/nginx-1.19.9-upstream_pipelining.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-upstream_pipelining.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-upstream_pipelining.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-upstream_timeout_fields.patch b/images/nginx/rootfs/patches/nginx-1.19.9-upstream_timeout_fields.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-upstream_timeout_fields.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-upstream_timeout_fields.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-win32_max_err_str.patch b/images/nginx/rootfs/patches/nginx-1.19.9-win32_max_err_str.patch
new file mode 100644
index 000000000..8c3ba2791
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-win32_max_err_str.patch
@@ -0,0 +1,15 @@
+diff --git a/src/os/win32/ngx_event_log.c b/src/os/win32/ngx_event_log.c
+index e11ed1e8..dce8eddd 100644
+--- a/src/os/win32/ngx_event_log.c
++++ b/src/os/win32/ngx_event_log.c
+@@ -8,7 +8,9 @@
+ #include <ngx_core.h>
+ 
+ 
+-#define NGX_MAX_ERROR_STR   2048
++#ifndef NGX_MAX_ERROR_STR
++#define NGX_MAX_ERROR_STR   4096
++#endif
+ 
+ 
+ void ngx_cdecl
diff --git a/images/nginx/rootfs/patches/patch.2021.resolver.txt b/images/nginx/rootfs/patches/patch.2021.resolver.txt
new file mode 100644
index 000000000..6c895e61c
--- /dev/null
+++ b/images/nginx/rootfs/patches/patch.2021.resolver.txt
@@ -0,0 +1,23 @@
+diff --git src/core/ngx_resolver.c src/core/ngx_resolver.c
+--- src/core/ngx_resolver.c
++++ src/core/ngx_resolver.c
+@@ -4008,15 +4008,15 @@ done:
+             n = *src++;
+ 
+         } else {
++            if (dst != name->data) {
++                *dst++ = '.';
++            }
++
+             ngx_strlow(dst, src, n);
+             dst += n;
+             src += n;
+ 
+             n = *src++;
+-
+-            if (n != 0) {
+-                *dst++ = '.';
+-            }
+         }
+ 
+         if (n == 0) {

From 8951b7e22ad3952c549150f61d7346f272c563e1 Mon Sep 17 00:00:00 2001
From: Elvin Efendi <elvin.efendiyev@gmail.com>
Date: Sat, 28 Aug 2021 10:38:52 -0400
Subject: [PATCH 080/376] Revert "Update base nginx" (#7558)

* Revert "Update base nginx (#7552)"

This reverts commit c6bc9870f1458abc5ba5de7044c1879a2696f255.

* keep alpine bump
---
 images/nginx/rootfs/build.sh                  |   4 +-
 ...> nginx-1.19.3-balancer_status_code.patch} |   0
 ... => nginx-1.19.3-cache_manager_exit.patch} |   2 +-
 ... nginx-1.19.3-delayed_posted_events.patch} |   0
 ...patch => nginx-1.19.3-hash_overflow.patch} |   0
 ...ginx-1.19.3-init_cycle_pool_release.patch} |  26 +-
 ...> nginx-1.19.3-larger_max_error_str.patch} |   4 +-
 .../patches/nginx-1.19.3-no_Werror.patch      |  36 ++
 ...> nginx-1.19.3-proxy_host_port_vars.patch} |   4 +-
 ... nginx-1.19.3-resolver_conf_parsing.patch} |   0
 ...x-1.19.3-reuseport_close_unused_fds.patch} |   0
 ...1.19.3-single_process_graceful_exit.patch} |   0
 ...atch => nginx-1.19.3-socket_cloexec.patch} |   2 +-
 ...h => nginx-1.19.3-ssl_cert_cb_yield.patch} |   0
 ...h => nginx-1.19.3-ssl_sess_cb_yield.patch} |   0
 ...tream_proxy_get_next_upstream_tries.patch} |   0
 ...x-1.19.3-stream_ssl_preread_no_skip.patch} |   0
 ...=> nginx-1.19.3-upstream_pipelining.patch} |   0
 ...ginx-1.19.3-upstream_timeout_fields.patch} |   0
 ....19.9-always_enable_cc_feature_tests.patch |  11 -
 .../nginx-1.19.9-daemon_destroy_pool.patch    |  12 -
 .../nginx-1.19.9-intercept_error_log.patch    |  60 --
 .../nginx-1.19.9-log_escape_non_ascii.patch   | 117 ----
 .../patches/nginx-1.19.9-no_Werror.patch      |  36 --
 .../patches/nginx-1.19.9-no_error_pages.patch |  91 ---
 .../rootfs/patches/nginx-1.19.9-no_pool.patch | 587 ------------------
 .../patches/nginx-1.19.9-pcre_conf_opt.patch  |  26 -
 ...ginx-1.19.9-privileged_agent_process.patch | 203 ------
 ...privileged_agent_process_connections.patch |  53 --
 ...inx-1.19.9-safe_resolver_ipv6_option.patch |  56 --
 .../patches/nginx-1.19.9-server_header.patch  |  39 --
 ...-1.19.9-setting_args_invalidates_uri.patch |  44 --
 ...inx-1.19.9-static_mod_escape_loc_hdr.patch |  50 --
 .../nginx-1.19.9-stream_balancer_export.patch |  53 --
 ...x-1.19.9-stream_proxy_timeout_fields.patch | 182 ------
 .../nginx-1.19.9-win32_max_err_str.patch      |  15 -
 .../rootfs/patches/patch.2021.resolver.txt    |  23 -
 37 files changed, 57 insertions(+), 1679 deletions(-)
 rename images/nginx/rootfs/patches/{nginx-1.19.9-balancer_status_code.patch => nginx-1.19.3-balancer_status_code.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.9-cache_manager_exit.patch => nginx-1.19.3-cache_manager_exit.patch} (96%)
 rename images/nginx/rootfs/patches/{nginx-1.19.9-delayed_posted_events.patch => nginx-1.19.3-delayed_posted_events.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.9-hash_overflow.patch => nginx-1.19.3-hash_overflow.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.9-init_cycle_pool_release.patch => nginx-1.19.3-init_cycle_pool_release.patch} (62%)
 rename images/nginx/rootfs/patches/{nginx-1.19.9-larger_max_error_str.patch => nginx-1.19.3-larger_max_error_str.patch} (62%)
 create mode 100644 images/nginx/rootfs/patches/nginx-1.19.3-no_Werror.patch
 rename images/nginx/rootfs/patches/{nginx-1.19.9-proxy_host_port_vars.patch => nginx-1.19.3-proxy_host_port_vars.patch} (87%)
 rename images/nginx/rootfs/patches/{nginx-1.19.9-resolver_conf_parsing.patch => nginx-1.19.3-resolver_conf_parsing.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.9-reuseport_close_unused_fds.patch => nginx-1.19.3-reuseport_close_unused_fds.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.9-single_process_graceful_exit.patch => nginx-1.19.3-single_process_graceful_exit.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.9-socket_cloexec.patch => nginx-1.19.3-socket_cloexec.patch} (98%)
 rename images/nginx/rootfs/patches/{nginx-1.19.9-ssl_cert_cb_yield.patch => nginx-1.19.3-ssl_cert_cb_yield.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.9-ssl_sess_cb_yield.patch => nginx-1.19.3-ssl_sess_cb_yield.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.9-stream_proxy_get_next_upstream_tries.patch => nginx-1.19.3-stream_proxy_get_next_upstream_tries.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.9-stream_ssl_preread_no_skip.patch => nginx-1.19.3-stream_ssl_preread_no_skip.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.9-upstream_pipelining.patch => nginx-1.19.3-upstream_pipelining.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.9-upstream_timeout_fields.patch => nginx-1.19.3-upstream_timeout_fields.patch} (100%)
 delete mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-always_enable_cc_feature_tests.patch
 delete mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-daemon_destroy_pool.patch
 delete mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-intercept_error_log.patch
 delete mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-log_escape_non_ascii.patch
 delete mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-no_Werror.patch
 delete mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-no_error_pages.patch
 delete mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-no_pool.patch
 delete mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-pcre_conf_opt.patch
 delete mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-privileged_agent_process.patch
 delete mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-privileged_agent_process_connections.patch
 delete mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-safe_resolver_ipv6_option.patch
 delete mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-server_header.patch
 delete mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-setting_args_invalidates_uri.patch
 delete mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-static_mod_escape_loc_hdr.patch
 delete mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-stream_balancer_export.patch
 delete mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-stream_proxy_timeout_fields.patch
 delete mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-win32_max_err_str.patch
 delete mode 100644 images/nginx/rootfs/patches/patch.2021.resolver.txt

diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
index be4cbda9c..46f304ea5 100755
--- a/images/nginx/rootfs/build.sh
+++ b/images/nginx/rootfs/build.sh
@@ -18,7 +18,7 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-export NGINX_VERSION=1.19.9
+export NGINX_VERSION=1.20.1
 
 # Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.1...master
 export NDK_VERSION=0.3.1
@@ -197,7 +197,7 @@ mkdir --verbose -p "$BUILD_PATH"
 cd "$BUILD_PATH"
 
 # download, verify and extract the source files
-get_src 2e35dff06a9826e8aca940e9e8be46b7e4b12c19a48d55bfc2dc28fc9cc7d841 \
+get_src e462e11533d5c30baa05df7652160ff5979591d291736cfa5edb9fd2edb48c49 \
         "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz"
 
 get_src 0e971105e210d272a497567fa2e2c256f4e39b845a5ba80d373e26ba1abfbd85 \
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-balancer_status_code.patch b/images/nginx/rootfs/patches/nginx-1.19.3-balancer_status_code.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.9-balancer_status_code.patch
rename to images/nginx/rootfs/patches/nginx-1.19.3-balancer_status_code.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-cache_manager_exit.patch b/images/nginx/rootfs/patches/nginx-1.19.3-cache_manager_exit.patch
similarity index 96%
rename from images/nginx/rootfs/patches/nginx-1.19.9-cache_manager_exit.patch
rename to images/nginx/rootfs/patches/nginx-1.19.3-cache_manager_exit.patch
index 91ee63a26..f1f81da2c 100644
--- a/images/nginx/rootfs/patches/nginx-1.19.9-cache_manager_exit.patch
+++ b/images/nginx/rootfs/patches/nginx-1.19.3-cache_manager_exit.patch
@@ -8,7 +8,7 @@ Cache: gracefully exit the cache manager process.
 diff -r dea321e5c021 -r f64218e1ac96 src/os/unix/ngx_process_cycle.c
 --- a/src/os/unix/ngx_process_cycle.c	Thu Oct 31 18:23:49 2013 +0400
 +++ b/src/os/unix/ngx_process_cycle.c	Mon Nov 04 12:48:50 2013 -0800
-@@ -1134,7 +1134,7 @@
+@@ -1335,7 +1335,7 @@
  
          if (ngx_terminate || ngx_quit) {
              ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting");
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-delayed_posted_events.patch b/images/nginx/rootfs/patches/nginx-1.19.3-delayed_posted_events.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.9-delayed_posted_events.patch
rename to images/nginx/rootfs/patches/nginx-1.19.3-delayed_posted_events.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-hash_overflow.patch b/images/nginx/rootfs/patches/nginx-1.19.3-hash_overflow.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.9-hash_overflow.patch
rename to images/nginx/rootfs/patches/nginx-1.19.3-hash_overflow.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-init_cycle_pool_release.patch b/images/nginx/rootfs/patches/nginx-1.19.3-init_cycle_pool_release.patch
similarity index 62%
rename from images/nginx/rootfs/patches/nginx-1.19.9-init_cycle_pool_release.patch
rename to images/nginx/rootfs/patches/nginx-1.19.3-init_cycle_pool_release.patch
index aa2df4660..b6f46674f 100644
--- a/images/nginx/rootfs/patches/nginx-1.19.9-init_cycle_pool_release.patch
+++ b/images/nginx/rootfs/patches/nginx-1.19.3-init_cycle_pool_release.patch
@@ -1,6 +1,6 @@
-diff -rup nginx-1.19.9/src/core/nginx.c nginx-1.19.9-patched/src/core/nginx.c
---- nginx-1.19.9/src/core/nginx.c	2017-12-17 00:00:38.136470108 -0800
-+++ nginx-1.19.9-patched/src/core/nginx.c	2017-12-16 23:59:51.680958322 -0800
+diff -rup nginx-1.19.3/src/core/nginx.c nginx-1.19.3-patched/src/core/nginx.c
+--- nginx-1.19.3/src/core/nginx.c	2017-12-17 00:00:38.136470108 -0800
++++ nginx-1.19.3-patched/src/core/nginx.c	2017-12-16 23:59:51.680958322 -0800
 @@ -186,6 +186,7 @@ static u_char      *ngx_prefix;
  static u_char      *ngx_conf_file;
  static u_char      *ngx_conf_params;
@@ -18,9 +18,9 @@ diff -rup nginx-1.19.9/src/core/nginx.c nginx-1.19.9-patched/src/core/nginx.c
      if (ngx_save_argv(&init_cycle, argc, argv) != NGX_OK) {
          return 1;
      }
-diff -rup nginx-1.19.9/src/core/ngx_core.h nginx-1.19.9-patched/src/core/ngx_core.h
---- nginx-1.19.9/src/core/ngx_core.h	2017-10-10 08:22:51.000000000 -0700
-+++ nginx-1.19.9-patched/src/core/ngx_core.h	2017-12-16 23:59:51.679958370 -0800
+diff -rup nginx-1.19.3/src/core/ngx_core.h nginx-1.19.3-patched/src/core/ngx_core.h
+--- nginx-1.19.3/src/core/ngx_core.h	2017-10-10 08:22:51.000000000 -0700
++++ nginx-1.19.3-patched/src/core/ngx_core.h	2017-12-16 23:59:51.679958370 -0800
 @@ -108,4 +108,6 @@ void ngx_cpuinfo(void);
  #define NGX_DISABLE_SYMLINKS_NOTOWNER   2
  #endif
@@ -28,9 +28,9 @@ diff -rup nginx-1.19.9/src/core/ngx_core.h nginx-1.19.9-patched/src/core/ngx_cor
 +extern ngx_pool_t        *saved_init_cycle_pool;
 +
  #endif /* _NGX_CORE_H_INCLUDED_ */
-diff -rup nginx-1.19.9/src/core/ngx_cycle.c nginx-1.19.9-patched/src/core/ngx_cycle.c
---- nginx-1.19.9/src/core/ngx_cycle.c	2017-10-10 08:22:51.000000000 -0700
-+++ nginx-1.19.9-patched/src/core/ngx_cycle.c	2017-12-16 23:59:51.678958419 -0800
+diff -rup nginx-1.19.3/src/core/ngx_cycle.c nginx-1.19.3-patched/src/core/ngx_cycle.c
+--- nginx-1.19.3/src/core/ngx_cycle.c	2017-10-10 08:22:51.000000000 -0700
++++ nginx-1.19.3-patched/src/core/ngx_cycle.c	2017-12-16 23:59:51.678958419 -0800
 @@ -748,6 +748,10 @@ old_shm_zone_done:
  
      if (ngx_process == NGX_PROCESS_MASTER || ngx_is_init_cycle(old_cycle)) {
@@ -42,10 +42,10 @@ diff -rup nginx-1.19.9/src/core/ngx_cycle.c nginx-1.19.9-patched/src/core/ngx_cy
          ngx_destroy_pool(old_cycle->pool);
          cycle->old_cycle = NULL;
  
-diff -rup nginx-1.19.9/src/os/unix/ngx_process_cycle.c nginx-1.19.9-patched/src/os/unix/ngx_process_cycle.c
---- nginx-1.19.9/src/os/unix/ngx_process_cycle.c	2017-12-17 00:00:38.142469762 -0800
-+++ nginx-1.19.9-patched/src/os/unix/ngx_process_cycle.c	2017-12-16 23:59:51.691957791 -0800
-@@ -687,6 +692,11 @@ ngx_master_process_exit(ngx_cycle_t *cyc
+diff -rup nginx-1.19.3/src/os/unix/ngx_process_cycle.c nginx-1.19.3-patched/src/os/unix/ngx_process_cycle.c
+--- nginx-1.19.3/src/os/unix/ngx_process_cycle.c	2017-12-17 00:00:38.142469762 -0800
++++ nginx-1.19.3-patched/src/os/unix/ngx_process_cycle.c	2017-12-16 23:59:51.691957791 -0800
+@@ -783,6 +783,11 @@ ngx_master_process_exit(ngx_cycle_t *cyc
      ngx_exit_cycle.files_n = ngx_cycle->files_n;
      ngx_cycle = &ngx_exit_cycle;
  
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-larger_max_error_str.patch b/images/nginx/rootfs/patches/nginx-1.19.3-larger_max_error_str.patch
similarity index 62%
rename from images/nginx/rootfs/patches/nginx-1.19.9-larger_max_error_str.patch
rename to images/nginx/rootfs/patches/nginx-1.19.3-larger_max_error_str.patch
index 0628d3abb..c7013e05d 100644
--- a/images/nginx/rootfs/patches/nginx-1.19.9-larger_max_error_str.patch
+++ b/images/nginx/rootfs/patches/nginx-1.19.3-larger_max_error_str.patch
@@ -1,5 +1,5 @@
---- nginx-1.19.9/src/core/ngx_log.h	2013-10-08 05:07:14.000000000 -0700
-+++ nginx-1.19.9-patched/src/core/ngx_log.h	2013-12-05 20:35:35.996236720 -0800
+--- nginx-1.19.3/src/core/ngx_log.h	2013-10-08 05:07:14.000000000 -0700
++++ nginx-1.19.3-patched/src/core/ngx_log.h	2013-12-05 20:35:35.996236720 -0800
 @@ -64,7 +64,9 @@ struct ngx_log_s {
  };
  
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-no_Werror.patch b/images/nginx/rootfs/patches/nginx-1.19.3-no_Werror.patch
new file mode 100644
index 000000000..2cf7cd9c7
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.19.3-no_Werror.patch
@@ -0,0 +1,36 @@
+diff -urp nginx-1.19.3/auto/cc/clang nginx-1.19.3-patched/auto/cc/clang
+--- nginx-1.19.3/auto/cc/clang	2014-03-04 03:39:24.000000000 -0800
++++ nginx-1.19.3-patched/auto/cc/clang	2014-03-13 20:54:26.241413360 -0700
+@@ -89,7 +89,7 @@ CFLAGS="$CFLAGS -Wconditional-uninitiali
+ CFLAGS="$CFLAGS -Wno-unused-parameter"
+ 
+ # stop on warning
+-CFLAGS="$CFLAGS -Werror"
++#CFLAGS="$CFLAGS -Werror"
+ 
+ # debug
+ CFLAGS="$CFLAGS -g"
+diff -urp nginx-1.19.3/auto/cc/gcc nginx-1.19.3-patched/auto/cc/gcc
+--- nginx-1.19.3/auto/cc/gcc	2014-03-04 03:39:24.000000000 -0800
++++ nginx-1.19.3-patched/auto/cc/gcc	2014-03-13 20:54:13.301355329 -0700
+@@ -168,7 +168,7 @@ esac
+ 
+ 
+ # stop on warning
+-CFLAGS="$CFLAGS -Werror"
++#CFLAGS="$CFLAGS -Werror"
+ 
+ # debug
+ CFLAGS="$CFLAGS -g"
+diff -urp nginx-1.19.3/auto/cc/icc nginx-1.19.3-patched/auto/cc/icc
+--- nginx-1.19.3/auto/cc/icc	2014-03-04 03:39:24.000000000 -0800
++++ nginx-1.19.3-patched/auto/cc/icc	2014-03-13 20:54:13.301355329 -0700
+@@ -115,7 +115,7 @@ case "$NGX_ICC_VER" in
+ esac
+ 
+ # stop on warning
+-CFLAGS="$CFLAGS -Werror"
++#CFLAGS="$CFLAGS -Werror"
+ 
+ # debug
+ CFLAGS="$CFLAGS -g"
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-proxy_host_port_vars.patch b/images/nginx/rootfs/patches/nginx-1.19.3-proxy_host_port_vars.patch
similarity index 87%
rename from images/nginx/rootfs/patches/nginx-1.19.9-proxy_host_port_vars.patch
rename to images/nginx/rootfs/patches/nginx-1.19.3-proxy_host_port_vars.patch
index 25282bda3..63eaf0ca7 100644
--- a/images/nginx/rootfs/patches/nginx-1.19.9-proxy_host_port_vars.patch
+++ b/images/nginx/rootfs/patches/nginx-1.19.3-proxy_host_port_vars.patch
@@ -1,5 +1,5 @@
---- nginx-1.19.9/src/http/modules/ngx_http_proxy_module.c	2017-07-16 14:02:51.000000000 +0800
-+++ nginx-1.19.9-patched/src/http/modules/ngx_http_proxy_module.c	2017-07-16 14:02:51.000000000 +0800
+--- nginx-1.19.3/src/http/modules/ngx_http_proxy_module.c	2017-07-16 14:02:51.000000000 +0800
++++ nginx-1.19.3-patched/src/http/modules/ngx_http_proxy_module.c	2017-07-16 14:02:51.000000000 +0800
 @@ -793,13 +793,13 @@ static ngx_keyval_t  ngx_http_proxy_cach
  static ngx_http_variable_t  ngx_http_proxy_vars[] = {
  
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-resolver_conf_parsing.patch b/images/nginx/rootfs/patches/nginx-1.19.3-resolver_conf_parsing.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.9-resolver_conf_parsing.patch
rename to images/nginx/rootfs/patches/nginx-1.19.3-resolver_conf_parsing.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-reuseport_close_unused_fds.patch b/images/nginx/rootfs/patches/nginx-1.19.3-reuseport_close_unused_fds.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.9-reuseport_close_unused_fds.patch
rename to images/nginx/rootfs/patches/nginx-1.19.3-reuseport_close_unused_fds.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-single_process_graceful_exit.patch b/images/nginx/rootfs/patches/nginx-1.19.3-single_process_graceful_exit.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.9-single_process_graceful_exit.patch
rename to images/nginx/rootfs/patches/nginx-1.19.3-single_process_graceful_exit.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-socket_cloexec.patch b/images/nginx/rootfs/patches/nginx-1.19.3-socket_cloexec.patch
similarity index 98%
rename from images/nginx/rootfs/patches/nginx-1.19.9-socket_cloexec.patch
rename to images/nginx/rootfs/patches/nginx-1.19.3-socket_cloexec.patch
index 8ffe4c167..985ce573b 100644
--- a/images/nginx/rootfs/patches/nginx-1.19.9-socket_cloexec.patch
+++ b/images/nginx/rootfs/patches/nginx-1.19.3-socket_cloexec.patch
@@ -151,7 +151,7 @@ diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
 index c4376a5..48e8fa8 100644
 --- a/src/os/unix/ngx_process_cycle.c
 +++ b/src/os/unix/ngx_process_cycle.c
-@@ -960,6 +1029,9 @@ ngx_worker_process_exit(ngx_cycle_t *cycle)
+@@ -1032,6 +1032,9 @@ ngx_worker_process_exit(ngx_cycle_t *cycle)
          for (i = 0; i < cycle->connection_n; i++) {
              if (c[i].fd != -1
                  && c[i].read
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-ssl_cert_cb_yield.patch b/images/nginx/rootfs/patches/nginx-1.19.3-ssl_cert_cb_yield.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.9-ssl_cert_cb_yield.patch
rename to images/nginx/rootfs/patches/nginx-1.19.3-ssl_cert_cb_yield.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-ssl_sess_cb_yield.patch b/images/nginx/rootfs/patches/nginx-1.19.3-ssl_sess_cb_yield.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.9-ssl_sess_cb_yield.patch
rename to images/nginx/rootfs/patches/nginx-1.19.3-ssl_sess_cb_yield.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-stream_proxy_get_next_upstream_tries.patch b/images/nginx/rootfs/patches/nginx-1.19.3-stream_proxy_get_next_upstream_tries.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.9-stream_proxy_get_next_upstream_tries.patch
rename to images/nginx/rootfs/patches/nginx-1.19.3-stream_proxy_get_next_upstream_tries.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-stream_ssl_preread_no_skip.patch b/images/nginx/rootfs/patches/nginx-1.19.3-stream_ssl_preread_no_skip.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.9-stream_ssl_preread_no_skip.patch
rename to images/nginx/rootfs/patches/nginx-1.19.3-stream_ssl_preread_no_skip.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-upstream_pipelining.patch b/images/nginx/rootfs/patches/nginx-1.19.3-upstream_pipelining.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.9-upstream_pipelining.patch
rename to images/nginx/rootfs/patches/nginx-1.19.3-upstream_pipelining.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-upstream_timeout_fields.patch b/images/nginx/rootfs/patches/nginx-1.19.3-upstream_timeout_fields.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.9-upstream_timeout_fields.patch
rename to images/nginx/rootfs/patches/nginx-1.19.3-upstream_timeout_fields.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-always_enable_cc_feature_tests.patch b/images/nginx/rootfs/patches/nginx-1.19.9-always_enable_cc_feature_tests.patch
deleted file mode 100644
index 62034509d..000000000
--- a/images/nginx/rootfs/patches/nginx-1.19.9-always_enable_cc_feature_tests.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- nginx-1.19.9/auto/cc/conf	2015-10-30 22:47:50.000000000 +0800
-+++ nginx-1.19.9-patched/auto/cc/conf	2015-11-02 12:23:05.385156987 +0800
-@@ -136,7 +136,7 @@ fi
- CFLAGS="$CFLAGS $NGX_CC_OPT"
- NGX_TEST_LD_OPT="$NGX_LD_OPT"
- 
--if [ "$NGX_PLATFORM" != win32 ]; then
-+if [ 1 ]; then
- 
-     if test -n "$NGX_LD_OPT"; then
-         ngx_feature=--with-ld-opt=\"$NGX_LD_OPT\"
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-daemon_destroy_pool.patch b/images/nginx/rootfs/patches/nginx-1.19.9-daemon_destroy_pool.patch
deleted file mode 100644
index 5690b88f0..000000000
--- a/images/nginx/rootfs/patches/nginx-1.19.9-daemon_destroy_pool.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/src/os/unix/ngx_daemon.c b/src/os/unix/ngx_daemon.c
-index ab672110..f259af31 100644
---- a/src/os/unix/ngx_daemon.c
-+++ b/src/os/unix/ngx_daemon.c
-@@ -23,6 +23,8 @@ ngx_daemon(ngx_log_t *log)
-         break;
-
-     default:
-+        /* just to make it ASAN or Valgrind clean */
-+        ngx_destroy_pool(ngx_cycle->pool);
-         exit(0);
-     }
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-intercept_error_log.patch b/images/nginx/rootfs/patches/nginx-1.19.9-intercept_error_log.patch
deleted file mode 100644
index 5de769517..000000000
--- a/images/nginx/rootfs/patches/nginx-1.19.9-intercept_error_log.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-diff --git a/src/core/ngx_cycle.h b/src/core/ngx_cycle.h
-index c51b7ff..4c335b9 100644
---- a/src/core/ngx_cycle.h
-+++ b/src/core/ngx_cycle.h
-@@ -22,9 +22,14 @@
- #define NGX_DEBUG_POINTS_ABORT  2
- 
- 
-+#define HAVE_INTERCEPT_ERROR_LOG_PATCH
-+
-+
- typedef struct ngx_shm_zone_s  ngx_shm_zone_t;
- 
- typedef ngx_int_t (*ngx_shm_zone_init_pt) (ngx_shm_zone_t *zone, void *data);
-+typedef ngx_int_t (*ngx_log_intercept_pt) (ngx_log_t *log, ngx_uint_t level,
-+    u_char *buf, size_t len);
- 
- struct ngx_shm_zone_s {
-     void                     *data;
-@@ -75,6 +80,10 @@ struct ngx_cycle_s {
-     ngx_str_t                 prefix;
-     ngx_str_t                 lock_file;
-     ngx_str_t                 hostname;
-+
-+    ngx_log_intercept_pt      intercept_error_log_handler;
-+    void                     *intercept_error_log_data;
-+    unsigned                  entered_logger;    /* :1 */
- };
- 
- 
-diff --git a/src/core/ngx_log.c b/src/core/ngx_log.c
-index 8e9408d..ed9b11b 100644
---- a/src/core/ngx_log.c
-+++ b/src/core/ngx_log.c
-@@ -112,6 +112,8 @@ ngx_log_error_core(ngx_uint_t level, ngx_log_t *log, ngx_err_t err,
-     ngx_uint_t   wrote_stderr, debug_connection;
-     u_char       errstr[NGX_MAX_ERROR_STR];
- 
-+    ngx_log_intercept_pt    log_intercept = NULL;
-+
-     last = errstr + NGX_MAX_ERROR_STR;
- 
-     p = ngx_cpymem(errstr, ngx_cached_err_log_time.data,
-@@ -153,6 +155,16 @@ ngx_log_error_core(ngx_uint_t level, ngx_log_t *log, ngx_err_t err,
-         p = last - NGX_LINEFEED_SIZE;
-     }
- 
-+    if (ngx_cycle) {
-+        log_intercept = ngx_cycle->intercept_error_log_handler;
-+    }
-+
-+    if (log_intercept && !ngx_cycle->entered_logger) {
-+        ngx_cycle->entered_logger = 1;
-+        log_intercept(log, level, errstr, p - errstr);
-+        ngx_cycle->entered_logger = 0;
-+    }
-+
-     ngx_linefeed(p);
- 
-     wrote_stderr = 0;
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-log_escape_non_ascii.patch b/images/nginx/rootfs/patches/nginx-1.19.9-log_escape_non_ascii.patch
deleted file mode 100644
index bea6e52ee..000000000
--- a/images/nginx/rootfs/patches/nginx-1.19.9-log_escape_non_ascii.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-diff --git a/src/http/modules/ngx_http_log_module.c b/src/http/modules/ngx_http_log_module.c
-index 917ed55f..b769dfd3 100644
---- a/src/http/modules/ngx_http_log_module.c
-+++ b/src/http/modules/ngx_http_log_module.c
-@@ -79,6 +79,8 @@ typedef struct {
-     time_t                      open_file_cache_valid;
-     ngx_uint_t                  open_file_cache_min_uses;
- 
-+    ngx_flag_t                  escape_non_ascii;
-+
-     ngx_uint_t                  off;        /* unsigned  off:1 */
- } ngx_http_log_loc_conf_t;
- 
-@@ -131,7 +133,8 @@ static size_t ngx_http_log_variable_getlen(ngx_http_request_t *r,
-     uintptr_t data);
- static u_char *ngx_http_log_variable(ngx_http_request_t *r, u_char *buf,
-     ngx_http_log_op_t *op);
--static uintptr_t ngx_http_log_escape(u_char *dst, u_char *src, size_t size);
-+static uintptr_t ngx_http_log_escape(ngx_http_log_loc_conf_t *lcf, u_char *dst,
-+    u_char *src, size_t size);
- static size_t ngx_http_log_json_variable_getlen(ngx_http_request_t *r,
-     uintptr_t data);
- static u_char *ngx_http_log_json_variable(ngx_http_request_t *r, u_char *buf,
-@@ -177,6 +180,13 @@ static ngx_command_t  ngx_http_log_commands[] = {
-       0,
-       NULL },
- 
-+    { ngx_string("log_escape_non_ascii"),
-+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
-+      ngx_conf_set_flag_slot,
-+      NGX_HTTP_LOC_CONF_OFFSET,
-+      offsetof(ngx_http_log_loc_conf_t, escape_non_ascii),
-+      NULL },
-+
-       ngx_null_command
- };
- 
-@@ -935,6 +945,7 @@ static size_t
- ngx_http_log_variable_getlen(ngx_http_request_t *r, uintptr_t data)
- {
-     uintptr_t                   len;
-+    ngx_http_log_loc_conf_t    *lcf;
-     ngx_http_variable_value_t  *value;
- 
-     value = ngx_http_get_indexed_variable(r, data);
-@@ -943,7 +954,9 @@ ngx_http_log_variable_getlen(ngx_http_request_t *r, uintptr_t data)
-         return 1;
-     }
- 
--    len = ngx_http_log_escape(NULL, value->data, value->len);
-+    lcf = ngx_http_get_module_loc_conf(r, ngx_http_log_module);
-+
-+    len = ngx_http_log_escape(lcf, NULL, value->data, value->len);
- 
-     value->escape = len ? 1 : 0;
- 
-@@ -954,6 +967,7 @@ ngx_http_log_variable_getlen(ngx_http_request_t *r, uintptr_t data)
- static u_char *
- ngx_http_log_variable(ngx_http_request_t *r, u_char *buf, ngx_http_log_op_t *op)
- {
-+    ngx_http_log_loc_conf_t    *lcf;
-     ngx_http_variable_value_t  *value;
- 
-     value = ngx_http_get_indexed_variable(r, op->data);
-@@ -967,16 +981,18 @@ ngx_http_log_variable(ngx_http_request_t *r, u_char *buf, ngx_http_log_op_t *op)
-         return ngx_cpymem(buf, value->data, value->len);
- 
-     } else {
--        return (u_char *) ngx_http_log_escape(buf, value->data, value->len);
-+        lcf = ngx_http_get_module_loc_conf(r, ngx_http_log_module);
-+        return (u_char *) ngx_http_log_escape(lcf, buf, value->data, value->len);
-     }
- }
- 
- 
- static uintptr_t
--ngx_http_log_escape(u_char *dst, u_char *src, size_t size)
-+ngx_http_log_escape(ngx_http_log_loc_conf_t *lcf, u_char *dst, u_char *src,
-+    size_t size)
- {
--    ngx_uint_t      n;
--    static u_char   hex[] = "0123456789ABCDEF";
-+    ngx_uint_t                   n;
-+    static u_char                hex[] = "0123456789ABCDEF";
- 
-     static uint32_t   escape[] = {
-         0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
-@@ -996,6 +1012,12 @@ ngx_http_log_escape(u_char *dst, u_char *src, size_t size)
-         0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
-     };
- 
-+    if (lcf->escape_non_ascii) {
-+        ngx_memset(&escape[4], 0xff, sizeof(uint32_t) * 4);
-+
-+    } else {
-+        ngx_memzero(&escape[4], sizeof(uint32_t) * 4);
-+    }
- 
-     if (dst == NULL) {
- 
-@@ -1120,6 +1142,7 @@ ngx_http_log_create_loc_conf(ngx_conf_t *cf)
-     }
- 
-     conf->open_file_cache = NGX_CONF_UNSET_PTR;
-+    conf->escape_non_ascii = NGX_CONF_UNSET;
- 
-     return conf;
- }
-@@ -1135,6 +1158,8 @@ ngx_http_log_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
-     ngx_http_log_fmt_t        *fmt;
-     ngx_http_log_main_conf_t  *lmcf;
- 
-+    ngx_conf_merge_value(conf->escape_non_ascii, prev->escape_non_ascii, 1);
-+
-     if (conf->open_file_cache == NGX_CONF_UNSET_PTR) {
- 
-         conf->open_file_cache = prev->open_file_cache;
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-no_Werror.patch b/images/nginx/rootfs/patches/nginx-1.19.9-no_Werror.patch
deleted file mode 100644
index 7bb0ac902..000000000
--- a/images/nginx/rootfs/patches/nginx-1.19.9-no_Werror.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-diff -urp nginx-1.19.9/auto/cc/clang nginx-1.19.9-patched/auto/cc/clang
---- nginx-1.19.9/auto/cc/clang	2014-03-04 03:39:24.000000000 -0800
-+++ nginx-1.19.9-patched/auto/cc/clang	2014-03-13 20:54:26.241413360 -0700
-@@ -89,7 +89,7 @@ CFLAGS="$CFLAGS -Wconditional-uninitiali
- CFLAGS="$CFLAGS -Wno-unused-parameter"
- 
- # stop on warning
--CFLAGS="$CFLAGS -Werror"
-+#CFLAGS="$CFLAGS -Werror"
- 
- # debug
- CFLAGS="$CFLAGS -g"
-diff -urp nginx-1.19.9/auto/cc/gcc nginx-1.19.9-patched/auto/cc/gcc
---- nginx-1.19.9/auto/cc/gcc	2014-03-04 03:39:24.000000000 -0800
-+++ nginx-1.19.9-patched/auto/cc/gcc	2014-03-13 20:54:13.301355329 -0700
-@@ -168,7 +168,7 @@ esac
- 
- 
- # stop on warning
--CFLAGS="$CFLAGS -Werror"
-+#CFLAGS="$CFLAGS -Werror"
- 
- # debug
- CFLAGS="$CFLAGS -g"
-diff -urp nginx-1.19.9/auto/cc/icc nginx-1.19.9-patched/auto/cc/icc
---- nginx-1.19.9/auto/cc/icc	2014-03-04 03:39:24.000000000 -0800
-+++ nginx-1.19.9-patched/auto/cc/icc	2014-03-13 20:54:13.301355329 -0700
-@@ -115,7 +115,7 @@ case "$NGX_ICC_VER" in
- esac
- 
- # stop on warning
--CFLAGS="$CFLAGS -Werror"
-+#CFLAGS="$CFLAGS -Werror"
- 
- # debug
- CFLAGS="$CFLAGS -g"
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-no_error_pages.patch b/images/nginx/rootfs/patches/nginx-1.19.9-no_error_pages.patch
deleted file mode 100644
index f57930768..000000000
--- a/images/nginx/rootfs/patches/nginx-1.19.9-no_error_pages.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-diff -upr nginx-1.19.9/src/http/ngx_http_core_module.c nginx-1.19.9-patched/src/http/ngx_http_core_module.c
---- nginx-1.19.9/src/http/ngx_http_core_module.c	2017-08-31 18:14:41.000000000 -0700
-+++ nginx-1.19.9-patched/src/http/ngx_http_core_module.c	2017-08-31 18:21:31.638098196 -0700
-@@ -61,6 +61,8 @@ static char *ngx_http_core_directio(ngx_
-     void *conf);
- static char *ngx_http_core_error_page(ngx_conf_t *cf, ngx_command_t *cmd,
-     void *conf);
-+static char *ngx_http_core_no_error_pages(ngx_conf_t *cf, ngx_command_t *cmd,
-+    void *conf);
- static char *ngx_http_core_open_file_cache(ngx_conf_t *cf, ngx_command_t *cmd,
-     void *conf);
- static char *ngx_http_core_error_log(ngx_conf_t *cf, ngx_command_t *cmd,
-@@ -647,6 +649,14 @@ static ngx_command_t  ngx_http_core_comm
-       0,
-       NULL },
- 
-+    { ngx_string("no_error_pages"),
-+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
-+                        |NGX_CONF_NOARGS,
-+      ngx_http_core_no_error_pages,
-+      NGX_HTTP_LOC_CONF_OFFSET,
-+      0,
-+      NULL },
-+
-     { ngx_string("post_action"),
-       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
-                         |NGX_CONF_TAKE1,
-@@ -3334,7 +3344,6 @@ ngx_http_core_create_loc_conf(ngx_conf_t
-      *     clcf->types = NULL;
-      *     clcf->default_type = { 0, NULL };
-      *     clcf->error_log = NULL;
--     *     clcf->error_pages = NULL;
-      *     clcf->client_body_path = NULL;
-      *     clcf->regex = NULL;
-      *     clcf->exact_match = 0;
-@@ -3344,6 +3353,7 @@ ngx_http_core_create_loc_conf(ngx_conf_t
-      *     clcf->keepalive_disable = 0;
-      */
- 
-+    clcf->error_pages = NGX_CONF_UNSET_PTR;
-     clcf->client_max_body_size = NGX_CONF_UNSET;
-     clcf->client_body_buffer_size = NGX_CONF_UNSET_SIZE;
-     clcf->client_body_timeout = NGX_CONF_UNSET_MSEC;
-@@ -3543,9 +3553,7 @@ ngx_http_core_merge_loc_conf(ngx_conf_t
-         }
-     }
- 
--    if (conf->error_pages == NULL && prev->error_pages) {
--        conf->error_pages = prev->error_pages;
--    }
-+    ngx_conf_merge_ptr_value(conf->error_pages, prev->error_pages, NULL);
- 
-     ngx_conf_merge_str_value(conf->default_type,
-                               prev->default_type, "text/plain");
-@@ -4553,6 +4561,10 @@ ngx_http_core_error_page(ngx_conf_t *cf,
-     ngx_http_compile_complex_value_t   ccv;
- 
-     if (clcf->error_pages == NULL) {
-+        return "conflicts with \"no_error_pages\"";
-+    }
-+
-+    if (clcf->error_pages == NGX_CONF_UNSET_PTR) {
-         clcf->error_pages = ngx_array_create(cf->pool, 4,
-                                              sizeof(ngx_http_err_page_t));
-         if (clcf->error_pages == NULL) {
-@@ -4655,6 +4667,25 @@ ngx_http_core_error_page(ngx_conf_t *cf,
- 
-     return NGX_CONF_OK;
- }
-+
-+
-+static char *
-+ngx_http_core_no_error_pages(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
-+{
-+    ngx_http_core_loc_conf_t *clcf = conf;
-+
-+    if (clcf->error_pages == NULL) {
-+        return "is duplicate";
-+    }
-+
-+    if (clcf->error_pages != NGX_CONF_UNSET_PTR) {
-+        return "conflicts with \"error_page\"";
-+    }
-+
-+    clcf->error_pages = NULL;
-+
-+    return NGX_CONF_OK;
-+}
- 
- 
- static char *
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-no_pool.patch b/images/nginx/rootfs/patches/nginx-1.19.9-no_pool.patch
deleted file mode 100644
index aa3c37ae6..000000000
--- a/images/nginx/rootfs/patches/nginx-1.19.9-no_pool.patch
+++ /dev/null
@@ -1,587 +0,0 @@
-diff --minimal '--exclude=*.swp' '--exclude=*~' -up nginx-1.19.9/src/core/nginx.h nginx-1.19.9-patched/src/core/nginx.h
---- nginx-1.19.9/src/core/nginx.h	2016-04-19 09:02:38.000000000 -0700
-+++ nginx-1.19.9-patched/src/core/nginx.h	2016-04-21 16:25:07.452944624 -0700
-@@ -10,7 +10,7 @@
- 
- 
- #define nginx_version      1019009
- #define NGINX_VERSION      "1.19.9"
--#define NGINX_VER          "openresty/" NGINX_VERSION ".unknown"
-+#define NGINX_VER          "openresty/" NGINX_VERSION ".unknown (no pool)"
- 
- #ifdef NGX_BUILD
-diff --minimal '--exclude=*.swp' '--exclude=*~' -up nginx-1.19.9/src/core/ngx_array.c nginx-1.19.9-patched/src/core/ngx_array.c
---- nginx-1.19.9/src/core/ngx_array.c	2016-04-19 09:02:38.000000000 -0700
-+++ nginx-1.19.9-patched/src/core/ngx_array.c	2016-04-21 16:25:07.453947190 -0700
-@@ -30,26 +30,30 @@ ngx_array_create(ngx_pool_t *p, ngx_uint
- void
- ngx_array_destroy(ngx_array_t *a)
- {
--    ngx_pool_t  *p;
-+    ngx_pool_t          *p;
-+    ngx_array_link_t    *link;
- 
-     p = a->pool;
- 
--    if ((u_char *) a->elts + a->size * a->nalloc == p->d.last) {
--        p->d.last -= a->size * a->nalloc;
-+    if (a->elts) {
-+        ngx_pfree(p, a->elts);
-     }
- 
--    if ((u_char *) a + sizeof(ngx_array_t) == p->d.last) {
--        p->d.last = (u_char *) a;
-+    for (link = a->old_elts; link; link = link->next) {
-+        ngx_pfree(p, link->elts);
-     }
-+
-+    ngx_pfree(p, a);
- }
- 
- 
- void *
- ngx_array_push(ngx_array_t *a)
- {
--    void        *elt, *new;
--    size_t       size;
--    ngx_pool_t  *p;
-+    void                *elt, *new;
-+    size_t               size;
-+    ngx_pool_t          *p;
-+    ngx_array_link_t    *link;
- 
-     if (a->nelts == a->nalloc) {
- 
-@@ -59,29 +63,27 @@ ngx_array_push(ngx_array_t *a)
- 
-         p = a->pool;
- 
--        if ((u_char *) a->elts + size == p->d.last
--            && p->d.last + a->size <= p->d.end)
--        {
--            /*
--             * the array allocation is the last in the pool
--             * and there is space for new allocation
--             */
--
--            p->d.last += a->size;
--            a->nalloc++;
-+        /* allocate a new array */
- 
--        } else {
--            /* allocate a new array */
-+        new = ngx_palloc(p, 2 * size);
-+        if (new == NULL) {
-+            return NULL;
-+        }
- 
--            new = ngx_palloc(p, 2 * size);
--            if (new == NULL) {
--                return NULL;
--            }
-+        ngx_memcpy(new, a->elts, size);
- 
--            ngx_memcpy(new, a->elts, size);
--            a->elts = new;
--            a->nalloc *= 2;
-+        link = ngx_palloc(p, sizeof(ngx_array_link_t));
-+        if (link == NULL) {
-+            ngx_pfree(p, new);
-+            return NULL;
-         }
-+
-+        link->next = a->old_elts;
-+        link->elts = a->elts;
-+        a->old_elts = link;
-+
-+        a->elts = new;
-+        a->nalloc *= 2;
-     }
- 
-     elt = (u_char *) a->elts + a->size * a->nelts;
-@@ -95,11 +97,10 @@ void *
- ngx_array_push_n(ngx_array_t *a, ngx_uint_t n)
- {
-     void        *elt, *new;
--    size_t       size;
-     ngx_uint_t   nalloc;
-     ngx_pool_t  *p;
- 
--    size = n * a->size;
-+    ngx_array_link_t    *link;
- 
-     if (a->nelts + n > a->nalloc) {
- 
-@@ -107,31 +108,27 @@ ngx_array_push_n(ngx_array_t *a, ngx_uin
- 
-         p = a->pool;
- 
--        if ((u_char *) a->elts + a->size * a->nalloc == p->d.last
--            && p->d.last + size <= p->d.end)
--        {
--            /*
--             * the array allocation is the last in the pool
--             * and there is space for new allocation
--             */
-+        nalloc = 2 * ((n >= a->nalloc) ? n : a->nalloc);
- 
--            p->d.last += size;
--            a->nalloc += n;
-+        new = ngx_palloc(p, nalloc * a->size);
-+        if (new == NULL) {
-+            return NULL;
-+        }
- 
--        } else {
--            /* allocate a new array */
-+        ngx_memcpy(new, a->elts, a->nelts * a->size);
- 
--            nalloc = 2 * ((n >= a->nalloc) ? n : a->nalloc);
-+        link = ngx_palloc(p, sizeof(ngx_array_link_t));
-+        if (link == NULL) {
-+            ngx_pfree(p, new);
-+            return NULL;
-+        }
- 
--            new = ngx_palloc(p, nalloc * a->size);
--            if (new == NULL) {
--                return NULL;
--            }
-+        link->next = a->old_elts;
-+        link->elts = a->elts;
-+        a->old_elts = link;
- 
--            ngx_memcpy(new, a->elts, a->nelts * a->size);
--            a->elts = new;
--            a->nalloc = nalloc;
--        }
-+        a->elts = new;
-+        a->nalloc = nalloc;
-     }
- 
-     elt = (u_char *) a->elts + a->size * a->nelts;
-diff --minimal '--exclude=*.swp' '--exclude=*~' -up nginx-1.19.9/src/core/ngx_array.h nginx-1.19.9-patched/src/core/ngx_array.h
---- nginx-1.19.9/src/core/ngx_array.h	2016-04-19 09:02:38.000000000 -0700
-+++ nginx-1.19.9-patched/src/core/ngx_array.h	2016-04-21 16:25:07.453947190 -0700
-@@ -13,12 +13,23 @@
- #include <ngx_core.h>
- 
- 
-+typedef struct ngx_array_link_s ngx_array_link_t;
-+
-+
-+struct ngx_array_link_s {
-+    void                    *elts;
-+    ngx_array_link_t        *next;
-+};
-+
-+
- typedef struct {
-     void        *elts;
-     ngx_uint_t   nelts;
-     size_t       size;
-     ngx_uint_t   nalloc;
-     ngx_pool_t  *pool;
-+
-+    ngx_array_link_t *old_elts;
- } ngx_array_t;
- 
- 
-@@ -40,6 +51,7 @@ ngx_array_init(ngx_array_t *array, ngx_p
-     array->size = size;
-     array->nalloc = n;
-     array->pool = pool;
-+    array->old_elts = NULL;
- 
-     array->elts = ngx_palloc(pool, n * size);
-     if (array->elts == NULL) {
-diff --minimal '--exclude=*.swp' '--exclude=*~' -up nginx-1.19.9/src/core/ngx_palloc.c nginx-1.19.9-patched/src/core/ngx_palloc.c
---- nginx-1.19.9/src/core/ngx_palloc.c	2016-04-19 09:02:38.000000000 -0700
-+++ nginx-1.19.9-patched/src/core/ngx_palloc.c	2016-04-21 16:25:45.912282685 -0700
-@@ -9,34 +9,26 @@
- #include <ngx_core.h>
- 
- 
--static ngx_inline void *ngx_palloc_small(ngx_pool_t *pool, size_t size,
--    ngx_uint_t align);
--static void *ngx_palloc_block(ngx_pool_t *pool, size_t size);
--static void *ngx_palloc_large(ngx_pool_t *pool, size_t size);
-+static void * ngx_malloc(ngx_pool_t *pool, size_t size);
- 
- 
- ngx_pool_t *
- ngx_create_pool(size_t size, ngx_log_t *log)
- {
--    ngx_pool_t  *p;
-+    ngx_pool_t        *p;
- 
--    p = ngx_memalign(NGX_POOL_ALIGNMENT, size, log);
-+    size = sizeof(ngx_pool_t);
-+    p = ngx_alloc(size, log);
-     if (p == NULL) {
-         return NULL;
-     }
- 
--    p->d.last = (u_char *) p + sizeof(ngx_pool_t);
--    p->d.end = (u_char *) p + size;
--    p->d.next = NULL;
--    p->d.failed = 0;
-+    ngx_memzero(p, size);
- 
-     size = size - sizeof(ngx_pool_t);
-     p->max = (size < NGX_MAX_ALLOC_FROM_POOL) ? size : NGX_MAX_ALLOC_FROM_POOL;
- 
-     p->current = p;
--    p->chain = NULL;
--    p->large = NULL;
--    p->cleanup = NULL;
-     p->log = log;
- 
-     return p;
-@@ -46,8 +38,7 @@ ngx_create_pool(size_t size, ngx_log_t *
- void
- ngx_destroy_pool(ngx_pool_t *pool)
- {
--    ngx_pool_t          *p, *n;
--    ngx_pool_large_t    *l;
-+    ngx_pool_data_t     *d, *n;
-     ngx_pool_cleanup_t  *c;
- 
-     for (c = pool->cleanup; c; c = c->next) {
-@@ -58,6 +49,11 @@ ngx_destroy_pool(ngx_pool_t *pool)
-         }
-     }
- 
-+    if (pool->d == NULL) {
-+        ngx_free(pool);
-+        return;
-+    }
-+
- #if (NGX_DEBUG)
- 
-     /*
-@@ -65,13 +61,9 @@ ngx_destroy_pool(ngx_pool_t *pool)
-      * so we cannot use this log while free()ing the pool
-      */
- 
--    for (l = pool->large; l; l = l->next) {
--        ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, pool->log, 0, "free: %p", l->alloc);
--    }
--
--    for (p = pool, n = pool->d.next; /* void */; p = n, n = n->d.next) {
-+    for (d = pool->d, n = d->next; ; d = n, n = n->next) {
-         ngx_log_debug2(NGX_LOG_DEBUG_ALLOC, pool->log, 0,
--                       "free: %p, unused: %uz", p, p->d.end - p->d.last);
-+                       "free: %p, unused: %d", d, 0);
- 
-         if (n == NULL) {
-             break;
-@@ -80,171 +72,82 @@ ngx_destroy_pool(ngx_pool_t *pool)
- 
- #endif
- 
--    for (l = pool->large; l; l = l->next) {
--        if (l->alloc) {
--            ngx_free(l->alloc);
--        }
--    }
--
--    for (p = pool, n = pool->d.next; /* void */; p = n, n = n->d.next) {
--        ngx_free(p);
-+    for (d = pool->d, n = d->next; ; d = n, n = n->next) {
-+        ngx_free(d->alloc);
-+        ngx_free(d);
- 
-         if (n == NULL) {
-             break;
-         }
-     }
-+
-+    pool->d = NULL;
-+    ngx_free(pool);
- }
- 
- 
- void
- ngx_reset_pool(ngx_pool_t *pool)
- {
--    ngx_pool_t        *p;
--    ngx_pool_large_t  *l;
-+    ngx_pool_data_t     *d, *n;
-+    ngx_pool_data_t     *saved = NULL;
- 
--    for (l = pool->large; l; l = l->next) {
--        if (l->alloc) {
--            ngx_free(l->alloc);
-+    if (pool->d) {
-+        for (d = pool->d, n = d->next; ; d = n, n = n->next) {
-+            if (d->alloc == pool->log) {
-+                saved = d;
-+                continue;
-+            }
-+
-+            ngx_free(d->alloc);
-+            ngx_free(d);
-+
-+            if (n == NULL) {
-+                break;
-+            }
-         }
--    }
- 
--    for (p = pool; p; p = p->d.next) {
--        p->d.last = (u_char *) p + sizeof(ngx_pool_t);
--        p->d.failed = 0;
-+        pool->d = saved;
-+        pool->current = pool;
-+        pool->chain = NULL;
-     }
--
--    pool->current = pool;
--    pool->chain = NULL;
--    pool->large = NULL;
- }
- 
- 
- void *
- ngx_palloc(ngx_pool_t *pool, size_t size)
- {
--#if !(NGX_DEBUG_PALLOC)
--    if (size <= pool->max) {
--        return ngx_palloc_small(pool, size, 1);
--    }
--#endif
--
--    return ngx_palloc_large(pool, size);
-+    return ngx_malloc(pool, size);
- }
- 
- 
- void *
- ngx_pnalloc(ngx_pool_t *pool, size_t size)
- {
--#if !(NGX_DEBUG_PALLOC)
--    if (size <= pool->max) {
--        return ngx_palloc_small(pool, size, 0);
--    }
--#endif
--
--    return ngx_palloc_large(pool, size);
--}
--
--
--static ngx_inline void *
--ngx_palloc_small(ngx_pool_t *pool, size_t size, ngx_uint_t align)
--{
--    u_char      *m;
--    ngx_pool_t  *p;
--
--    p = pool->current;
--
--    do {
--        m = p->d.last;
--
--        if (align) {
--            m = ngx_align_ptr(m, NGX_ALIGNMENT);
--        }
--
--        if ((size_t) (p->d.end - m) >= size) {
--            p->d.last = m + size;
--
--            return m;
--        }
--
--        p = p->d.next;
--
--    } while (p);
--
--    return ngx_palloc_block(pool, size);
--}
--
--
--static void *
--ngx_palloc_block(ngx_pool_t *pool, size_t size)
--{
--    u_char      *m;
--    size_t       psize;
--    ngx_pool_t  *p, *new;
--
--    psize = (size_t) (pool->d.end - (u_char *) pool);
--
--    m = ngx_memalign(NGX_POOL_ALIGNMENT, psize, pool->log);
--    if (m == NULL) {
--        return NULL;
--    }
--
--    new = (ngx_pool_t *) m;
--
--    new->d.end = m + psize;
--    new->d.next = NULL;
--    new->d.failed = 0;
--
--    m += sizeof(ngx_pool_data_t);
--    m = ngx_align_ptr(m, NGX_ALIGNMENT);
--    new->d.last = m + size;
--
--    for (p = pool->current; p->d.next; p = p->d.next) {
--        if (p->d.failed++ > 4) {
--            pool->current = p->d.next;
--        }
--    }
--
--    p->d.next = new;
--
--    return m;
-+    return ngx_malloc(pool, size);
- }
- 
- 
- static void *
--ngx_palloc_large(ngx_pool_t *pool, size_t size)
-+ngx_malloc(ngx_pool_t *pool, size_t size)
- {
--    void              *p;
--    ngx_uint_t         n;
--    ngx_pool_large_t  *large;
-+    void                *p;
-+    ngx_pool_data_t     *d;
- 
-     p = ngx_alloc(size, pool->log);
-     if (p == NULL) {
-         return NULL;
-     }
- 
--    n = 0;
--
--    for (large = pool->large; large; large = large->next) {
--        if (large->alloc == NULL) {
--            large->alloc = p;
--            return p;
--        }
--
--        if (n++ > 3) {
--            break;
--        }
--    }
--
--    large = ngx_palloc_small(pool, sizeof(ngx_pool_large_t), 1);
--    if (large == NULL) {
-+    d = ngx_alloc(sizeof(ngx_pool_data_t), pool->log);
-+    if (d == NULL){
-         ngx_free(p);
-         return NULL;
-     }
- 
--    large->alloc = p;
--    large->next = pool->large;
--    pool->large = large;
--
-+    d->alloc = p;
-+    d->next = pool->d;
-+    pool->d = d;
-     return p;
- }
- 
-@@ -253,38 +156,48 @@ void *
- ngx_pmemalign(ngx_pool_t *pool, size_t size, size_t alignment)
- {
-     void              *p;
--    ngx_pool_large_t  *large;
-+    ngx_pool_data_t   *d;
- 
-     p = ngx_memalign(alignment, size, pool->log);
-     if (p == NULL) {
-         return NULL;
-     }
- 
--    large = ngx_palloc_small(pool, sizeof(ngx_pool_large_t), 1);
--    if (large == NULL) {
-+    d = ngx_alloc(sizeof(ngx_pool_data_t), pool->log);
-+    if (d == NULL){
-         ngx_free(p);
-         return NULL;
-     }
- 
--    large->alloc = p;
--    large->next = pool->large;
--    pool->large = large;
--
-+    d->alloc = p;
-+    d->next = pool->d;
-+    pool->d = d;
-     return p;
- }
- 
- 
- ngx_int_t
--ngx_pfree(ngx_pool_t *pool, void *p)
-+ngx_pfree(ngx_pool_t *pool, void *data)
- {
--    ngx_pool_large_t  *l;
-+    ngx_pool_data_t     *p, *d;
- 
--    for (l = pool->large; l; l = l->next) {
--        if (p == l->alloc) {
--            ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, pool->log, 0,
--                           "free: %p", l->alloc);
--            ngx_free(l->alloc);
--            l->alloc = NULL;
-+    p = NULL;
-+    for (d = pool->d; d; p = d, d = d->next) {
-+        if (data == d->alloc) {
-+
-+            ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, pool->log, 0, "free: %p", d->alloc);
-+
-+            ngx_free(d->alloc);
-+            d->alloc = NULL;
-+
-+            if (p) {
-+                p->next = d->next;
-+
-+            } else {
-+                pool->d = d->next;
-+            }
-+
-+            ngx_free(d);
- 
-             return NGX_OK;
-         }
-diff --minimal '--exclude=*.swp' '--exclude=*~' -up nginx-1.19.9/src/core/ngx_palloc.h nginx-1.19.9-patched/src/core/ngx_palloc.h
---- nginx-1.19.9/src/core/ngx_palloc.h	2016-04-19 09:02:38.000000000 -0700
-+++ nginx-1.19.9-patched/src/core/ngx_palloc.h	2016-04-21 16:25:07.454949755 -0700
-@@ -38,28 +38,21 @@ struct ngx_pool_cleanup_s {
- };
- 
- 
--typedef struct ngx_pool_large_s  ngx_pool_large_t;
--
--struct ngx_pool_large_s {
--    ngx_pool_large_t     *next;
--    void                 *alloc;
--};
-+typedef struct ngx_pool_data_s   ngx_pool_large_t;
-+typedef struct ngx_pool_data_s   ngx_pool_data_t;
- 
- 
--typedef struct {
--    u_char               *last;
--    u_char               *end;
--    ngx_pool_t           *next;
--    ngx_uint_t            failed;
--} ngx_pool_data_t;
-+struct ngx_pool_data_s {
-+    ngx_pool_data_t        *next;
-+    void                   *alloc;
-+};
- 
- 
- struct ngx_pool_s {
--    ngx_pool_data_t       d;
-+    ngx_pool_data_t      *d;
-     size_t                max;
-     ngx_pool_t           *current;
-     ngx_chain_t          *chain;
--    ngx_pool_large_t     *large;
-     ngx_pool_cleanup_t   *cleanup;
-     ngx_log_t            *log;
- };
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-pcre_conf_opt.patch b/images/nginx/rootfs/patches/nginx-1.19.9-pcre_conf_opt.patch
deleted file mode 100644
index eb17e0642..000000000
--- a/images/nginx/rootfs/patches/nginx-1.19.9-pcre_conf_opt.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-# HG changeset patch
-# User Yichun Zhang <agentzh@gmail.com>
-# Date 1386694955 28800
-# Node ID 9ba6b149669f1f02eeb4cdc0ebd364a949b5c469
-# Parent  30e806b8636af5fd3f03ec17df24801f390f7511
-Configure: added new option --with-pcre-conf-opt=OPTIONS.
-
-diff -r 30e806b8636a -r 9ba6b149669f auto/options
---- a/auto/options	Mon Dec 09 10:16:44 2013 +0400
-+++ b/auto/options	Tue Dec 10 09:02:35 2013 -0800
-@@ -286,6 +286,7 @@
-         --with-pcre)                     USE_PCRE=YES               ;;
-         --with-pcre=*)                   PCRE="$value"              ;;
-         --with-pcre-opt=*)               PCRE_OPT="$value"          ;;
-+        --with-pcre-conf-opt=*)          PCRE_CONF_OPT="$value"     ;;
-         --with-pcre-jit)                 PCRE_JIT=YES               ;;
- 
-         --with-openssl=*)                OPENSSL="$value"           ;;
-@@ -441,6 +442,7 @@
-   --with-pcre                        force PCRE library usage
-   --with-pcre=DIR                    set path to PCRE library sources
-   --with-pcre-opt=OPTIONS            set additional build options for PCRE
-+  --with-pcre-conf-opt=OPTIONS       set additional configure options for PCRE
-   --with-pcre-jit                    build PCRE with JIT compilation support
- 
-   --with-md5=DIR                     set path to md5 library sources
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-privileged_agent_process.patch b/images/nginx/rootfs/patches/nginx-1.19.9-privileged_agent_process.patch
deleted file mode 100644
index 164004eba..000000000
--- a/images/nginx/rootfs/patches/nginx-1.19.9-privileged_agent_process.patch
+++ /dev/null
@@ -1,203 +0,0 @@
-diff --git a/src/core/nginx.c b/src/core/nginx.c
-index 60f8fe7..4bd244b 100644
---- a/src/core/nginx.c
-+++ b/src/core/nginx.c
-@@ -981,6 +981,7 @@ ngx_core_module_create_conf(ngx_cycle_t *cycle)
- 
-     ccf->daemon = NGX_CONF_UNSET;
-     ccf->master = NGX_CONF_UNSET;
-+    ccf->privileged_agent = NGX_CONF_UNSET;
-     ccf->timer_resolution = NGX_CONF_UNSET_MSEC;
- 
-     ccf->worker_processes = NGX_CONF_UNSET;
-@@ -1009,6 +1010,7 @@ ngx_core_module_init_conf(ngx_cycle_t *cycle, void *conf)
- 
-     ngx_conf_init_value(ccf->daemon, 1);
-     ngx_conf_init_value(ccf->master, 1);
-+    ngx_conf_init_value(ccf->privileged_agent, 0);
-     ngx_conf_init_msec_value(ccf->timer_resolution, 0);
- 
-     ngx_conf_init_value(ccf->worker_processes, 1);
-diff --git a/src/core/ngx_cycle.h b/src/core/ngx_cycle.h
-index c51b7ff..3261f90 100644
---- a/src/core/ngx_cycle.h
-+++ b/src/core/ngx_cycle.h
-@@ -22,6 +22,9 @@
- #define NGX_DEBUG_POINTS_ABORT  2
- 
- 
-+#define HAVE_PRIVILEGED_PROCESS_PATCH   1
-+
-+
- typedef struct ngx_shm_zone_s  ngx_shm_zone_t;
- 
- typedef ngx_int_t (*ngx_shm_zone_init_pt) (ngx_shm_zone_t *zone, void *data);
-@@ -81,6 +84,7 @@ struct ngx_cycle_s {
- typedef struct {
-     ngx_flag_t                daemon;
-     ngx_flag_t                master;
-+    ngx_flag_t                privileged_agent;
- 
-     ngx_msec_t                timer_resolution;
- 
-diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
-index 7cee1c5..c4f70d6 100644
---- a/src/os/unix/ngx_process_cycle.c
-+++ b/src/os/unix/ngx_process_cycle.c
-@@ -15,6 +15,8 @@ static void ngx_start_worker_processes(ngx_cycle_t *cycle, ngx_int_t n,
-     ngx_int_t type);
- static void ngx_start_cache_manager_processes(ngx_cycle_t *cycle,
-     ngx_uint_t respawn);
-+static void ngx_start_privileged_agent_processes(ngx_cycle_t *cycle,
-+    ngx_uint_t respawn);
- static void ngx_pass_open_channel(ngx_cycle_t *cycle);
- static void ngx_signal_worker_processes(ngx_cycle_t *cycle, int signo);
- static ngx_uint_t ngx_reap_children(ngx_cycle_t *cycle);
-@@ -24,6 +26,7 @@ static void ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker);
- static void ngx_worker_process_exit(ngx_cycle_t *cycle);
- static void ngx_channel_handler(ngx_event_t *ev);
- static void ngx_cache_manager_process_cycle(ngx_cycle_t *cycle, void *data);
-+static void ngx_privileged_agent_process_cycle(ngx_cycle_t *cycle, void *data);
- static void ngx_cache_manager_process_handler(ngx_event_t *ev);
- static void ngx_cache_loader_process_handler(ngx_event_t *ev);
- 
-@@ -51,6 +54,8 @@ sig_atomic_t  ngx_noaccept;
- ngx_uint_t    ngx_noaccepting;
- ngx_uint_t    ngx_restart;
- 
-+ngx_uint_t    ngx_is_privileged_agent;
-+
- 
- static u_char  master_process[] = "master process";
- 
-@@ -130,6 +135,7 @@ ngx_master_process_cycle(ngx_cycle_t *cycle)
-     ngx_start_worker_processes(cycle, ccf->worker_processes,
-                                NGX_PROCESS_RESPAWN);
-     ngx_start_cache_manager_processes(cycle, 0);
-+    ngx_start_privileged_agent_processes(cycle, 0);
- 
-     ngx_new_binary = 0;
-     delay = 0;
-@@ -215,6 +221,7 @@ ngx_master_process_cycle(ngx_cycle_t *cycle)
-                 ngx_start_worker_processes(cycle, ccf->worker_processes,
-                                            NGX_PROCESS_RESPAWN);
-                 ngx_start_cache_manager_processes(cycle, 0);
-+                ngx_start_privileged_agent_processes(cycle, 0);
-                 ngx_noaccepting = 0;
- 
-                 continue;
-@@ -234,6 +241,7 @@ ngx_master_process_cycle(ngx_cycle_t *cycle)
-             ngx_start_worker_processes(cycle, ccf->worker_processes,
-                                        NGX_PROCESS_JUST_RESPAWN);
-             ngx_start_cache_manager_processes(cycle, 1);
-+            ngx_start_privileged_agent_processes(cycle, 1);
- 
-             /* allow new processes to start */
-             ngx_msleep(100);
-@@ -248,6 +256,7 @@ ngx_master_process_cycle(ngx_cycle_t *cycle)
-             ngx_start_worker_processes(cycle, ccf->worker_processes,
-                                        NGX_PROCESS_RESPAWN);
-             ngx_start_cache_manager_processes(cycle, 0);
-+            ngx_start_privileged_agent_processes(cycle, 0);
-             live = 1;
-         }
- 
-@@ -393,6 +431,26 @@ ngx_start_cache_manager_processes(ngx_cycle_t *cycle, ngx_uint_t respawn)
- 
- 
- static void
-+ngx_start_privileged_agent_processes(ngx_cycle_t *cycle, ngx_uint_t respawn)
-+{
-+    ngx_core_conf_t       *ccf;
-+
-+    ccf = (ngx_core_conf_t *) ngx_get_conf(cycle->conf_ctx,
-+                                           ngx_core_module);
-+
-+    if (!ccf->privileged_agent) {
-+        return;
-+    }
-+
-+    ngx_spawn_process(cycle, ngx_privileged_agent_process_cycle,
-+                      "privileged agent process", "privileged agent process",
-+                      respawn ? NGX_PROCESS_JUST_RESPAWN : NGX_PROCESS_RESPAWN);
-+
-+    ngx_pass_open_channel(cycle);
-+}
-+
-+
-+static void
- ngx_pass_open_channel(ngx_cycle_t *cycle)
- {
-     ngx_int_t  i;
-@@ -794,7 +860,10 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker)
-         }
-     }
- 
--    if (geteuid() == 0) {
-+    /*
-+     * privileged agent process has the same permission as master process
-+     */
-+    if (!ngx_is_privileged_agent && geteuid() == 0) {
-         if (setgid(ccf->group) == -1) {
-             ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
-                           "setgid(%d) failed", ccf->group);
-@@ -1149,6 +1216,47 @@ ngx_cache_manager_process_cycle(ngx_cycle_t *cycle, void *data)
- 
- 
- static void
-+ngx_privileged_agent_process_cycle(ngx_cycle_t *cycle, void *data)
-+{
-+    char   *name = data;
-+
-+    /*
-+     * Set correct process type since closing listening Unix domain socket
-+     * in a master process also removes the Unix domain socket file.
-+     */
-+    ngx_process = NGX_PROCESS_HELPER;
-+    ngx_is_privileged_agent = 1;
-+
-+    ngx_close_listening_sockets(cycle);
-+
-+    /* Set a moderate number of connections for a helper process. */
-+    cycle->connection_n = 512;
-+
-+    ngx_worker_process_init(cycle, -1);
-+
-+    ngx_use_accept_mutex = 0;
-+
-+    ngx_setproctitle(name);
-+
-+    for ( ;; ) {
-+
-+        if (ngx_terminate || ngx_quit) {
-+            ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting");
-+            ngx_worker_process_exit(cycle);
-+        }
-+
-+        if (ngx_reopen) {
-+            ngx_reopen = 0;
-+            ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "reopening logs");
-+            ngx_reopen_files(cycle, -1);
-+        }
-+
-+        ngx_process_events_and_timers(cycle);
-+    }
-+}
-+
-+
-+static void
- ngx_cache_manager_process_handler(ngx_event_t *ev)
- {
-     time_t        next, n;
-diff --git a/src/os/unix/ngx_process_cycle.h b/src/os/unix/ngx_process_cycle.h
-index 69495d5..5149396 100644
---- a/src/os/unix/ngx_process_cycle.h
-+++ b/src/os/unix/ngx_process_cycle.h
-@@ -45,6 +45,7 @@ extern ngx_pid_t       ngx_new_binary;
- extern ngx_uint_t      ngx_inherited;
- extern ngx_uint_t      ngx_daemonized;
- extern ngx_uint_t      ngx_exiting;
-+extern ngx_uint_t      ngx_is_privileged_agent;
- 
- extern sig_atomic_t    ngx_reap;
- extern sig_atomic_t    ngx_sigio;
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-privileged_agent_process_connections.patch b/images/nginx/rootfs/patches/nginx-1.19.9-privileged_agent_process_connections.patch
deleted file mode 100644
index c642cfa4c..000000000
--- a/images/nginx/rootfs/patches/nginx-1.19.9-privileged_agent_process_connections.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-diff --git a/src/core/nginx.c b/src/core/nginx.c
-index 269ff84..48329bd 100644
---- a/src/core/nginx.c
-+++ b/src/core/nginx.c
-@@ -1062,6 +1062,7 @@ ngx_core_module_create_conf(ngx_cycle_t *cycle)
-     ccf->daemon = NGX_CONF_UNSET;
-     ccf->master = NGX_CONF_UNSET;
-     ccf->privileged_agent = NGX_CONF_UNSET;
-+    ccf->privileged_agent_connections = NGX_CONF_UNSET_UINT;
-     ccf->timer_resolution = NGX_CONF_UNSET_MSEC;
-     ccf->shutdown_timeout = NGX_CONF_UNSET_MSEC;
- 
-@@ -1092,6 +1093,7 @@ ngx_core_module_init_conf(ngx_cycle_t *cycle, void *conf)
-     ngx_conf_init_value(ccf->daemon, 1);
-     ngx_conf_init_value(ccf->master, 1);
-     ngx_conf_init_value(ccf->privileged_agent, 0);
-+    ngx_conf_init_uint_value(ccf->privileged_agent_connections, 512);
-     ngx_conf_init_msec_value(ccf->timer_resolution, 0);
-     ngx_conf_init_msec_value(ccf->shutdown_timeout, 0);
- 
-diff --git a/src/core/ngx_cycle.h b/src/core/ngx_cycle.h
-index 6a9583e..4469390 100644
---- a/src/core/ngx_cycle.h
-+++ b/src/core/ngx_cycle.h
-@@ -93,6 +93,7 @@ typedef struct {
-     ngx_flag_t                daemon;
-     ngx_flag_t                master;
-     ngx_flag_t                privileged_agent;
-+    ngx_uint_t                privileged_agent_connections;
- 
-     ngx_msec_t                timer_resolution;
-     ngx_msec_t                shutdown_timeout;
-diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
-index df25f9d..bd259c1 100644
---- a/src/os/unix/ngx_process_cycle.c
-+++ b/src/os/unix/ngx_process_cycle.c
-@@ -1179,6 +1179,7 @@ static void
- ngx_privileged_agent_process_cycle(ngx_cycle_t *cycle, void *data)
- {
-     char   *name = data;
-+    ngx_core_conf_t *ccf = (ngx_core_conf_t *) ngx_get_conf(cycle->conf_ctx, ngx_core_module);
- 
-     /*
-      * Set correct process type since closing listening Unix domain socket
-@@ -1190,7 +1191,7 @@ ngx_privileged_agent_process_cycle(ngx_cycle_t *cycle, void *data)
-     ngx_close_listening_sockets(cycle);
- 
-     /* Set a moderate number of connections for a helper process. */
--    cycle->connection_n = 512;
-+    cycle->connection_n = ccf->privileged_agent_connections;
- 
-     ngx_worker_process_init(cycle, -1);
- 
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-safe_resolver_ipv6_option.patch b/images/nginx/rootfs/patches/nginx-1.19.9-safe_resolver_ipv6_option.patch
deleted file mode 100644
index 59c62c8a5..000000000
--- a/images/nginx/rootfs/patches/nginx-1.19.9-safe_resolver_ipv6_option.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-# HG changeset patch
-# User Thibault Charbonnier <thibaultcha@fastmail.com>
-# Date 1481847421 28800
-#      Thu Dec 15 16:17:01 2016 -0800
-# Node ID 8bf038fe006fd8ae253d6b41fc6cf109a8912d3e
-# Parent  a3dc657f4e9530623683e6b85bd7492662e4dc47
-Resolver: ignore ipv6=off resolver option when no ipv6 support
-
-Makes the resolver directive more robust: we only error out when ipv6
-resolution is desired but not supported (ipv6=on).
-
-use case 1: some configurations are sometimes re-used between builds with and
-without ipv6 support. This patch avoids the need to remove the "ipv6=off" flag.
-
-use case 2: currently, some tools rely on the --with-ipv6 configure option from
-"nginx -V" to determine if ipv6 resolution should be disabled in some cases.
-With this option disappearing in Nginx 1.11.5, this patch would allow such tools
-to assume "ipv6=off" to be safe regardless of ipv6 support in the current
-build.
-
-diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
-index dade1846..5a3f0aa4 100644
---- a/src/core/ngx_resolver.c
-+++ b/src/core/ngx_resolver.c
-@@ -426,14 +426,22 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n)
-             continue;
-         }
- 
--#if (NGX_HAVE_INET6)
-         if (ngx_strncmp(names[i].data, "ipv6=", 5) == 0) {
- 
-             if (ngx_strcmp(&names[i].data[5], "on") == 0) {
-+#if (NGX_HAVE_INET6)
-                 r->ipv6 = 1;
-+#else
-+                ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
-+                                   "no ipv6 support but \"%V\" in resolver",
-+                                   &names[i]);
-+                return NULL;
-+#endif
- 
-             } else if (ngx_strcmp(&names[i].data[5], "off") == 0) {
-+#if (NGX_HAVE_INET6)
-                 r->ipv6 = 0;
-+#endif
- 
-             } else {
-                 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
-@@ -443,7 +451,6 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n)
- 
-             continue;
-         }
--#endif
- 
- #if !(NGX_WIN32)
-         if (ngx_strncmp(names[i].data, "local=", 6) == 0) {
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-server_header.patch b/images/nginx/rootfs/patches/nginx-1.19.9-server_header.patch
deleted file mode 100644
index 07691d39f..000000000
--- a/images/nginx/rootfs/patches/nginx-1.19.9-server_header.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-diff --git a/src/core/nginx.h b/src/core/nginx.h
-index a3c0ef8..1263881 100644
---- a/src/core/nginx.h
-+++ b/src/core/nginx.h
-@@ -11,7 +11,7 @@
- 
- #define nginx_version      1019009
- #define NGINX_VERSION      "1.19.9"
--#define NGINX_VER          "nginx/" NGINX_VERSION
-+#define NGINX_VER          "openresty/" NGINX_VERSION ".unknown"
- 
- #ifdef NGX_BUILD
- #define NGINX_VER_BUILD    NGINX_VER " (" NGX_BUILD ")"
-diff --git a/src/http/ngx_http_header_filter_module.c b/src/http/ngx_http_header_filter_module.c
-index 9b89405..ca13f2a 100644
---- a/src/http/ngx_http_header_filter_module.c
-+++ b/src/http/ngx_http_header_filter_module.c
-@@ -46,7 +46,7 @@ ngx_module_t  ngx_http_header_filter_module = {
- };
- 
- 
--static u_char ngx_http_server_string[] = "Server: nginx" CRLF;
-+static u_char ngx_http_server_string[] = "Server: openresty" CRLF;
- static u_char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
- static u_char ngx_http_server_build_string[] = "Server: " NGINX_VER_BUILD CRLF;
- 
-diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c
-index 8621e7a..a76c677 100644
---- a/src/http/v2/ngx_http_v2_filter_module.c
-+++ b/src/http/v2/ngx_http_v2_filter_module.c
-@@ -143,7 +143,7 @@ ngx_http_v2_header_filter(ngx_http_request_t *r)
-     ngx_http_core_srv_conf_t  *cscf;
-     u_char                     addr[NGX_SOCKADDR_STRLEN];
- 
--    static const u_char nginx[5] = "\x84\xaa\x63\x55\xe7";
-+    static const u_char nginx[8] = "\x87\x3d\x65\xaa\xc2\xa1\x3e\xbf";
- #if (NGX_HTTP_GZIP)
-     static const u_char accept_encoding[12] =
-         "\x8b\x84\x84\x2d\x69\x5b\x05\x44\x3c\x86\xaa\x6f";
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-setting_args_invalidates_uri.patch b/images/nginx/rootfs/patches/nginx-1.19.9-setting_args_invalidates_uri.patch
deleted file mode 100644
index c2fcd4cf2..000000000
--- a/images/nginx/rootfs/patches/nginx-1.19.9-setting_args_invalidates_uri.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-# HG changeset patch
-# User Yichun Zhang <agentzh@gmail.com>
-# Date 1390506359 28800
-# Node ID 17186b98c235c07e94c64e5853689f790f173756
-# Parent  4b50d1f299d8a69f3e3f7975132e1490352642fe
-Variable: setting $args should invalidate unparsed uri.
-
-diff -r 4b50d1f299d8 -r 17186b98c235 src/http/ngx_http_variables.c
---- a/src/http/ngx_http_variables.c	Fri Jan 10 11:22:14 2014 -0800
-+++ b/src/http/ngx_http_variables.c	Thu Jan 23 11:45:59 2014 -0800
-@@ -15,6 +15,8 @@
-     ngx_http_variable_value_t *v, uintptr_t data);
- static void ngx_http_variable_request_set(ngx_http_request_t *r,
-     ngx_http_variable_value_t *v, uintptr_t data);
-+static void ngx_http_variable_request_args_set(ngx_http_request_t *r,
-+    ngx_http_variable_value_t *v, uintptr_t data);
- static ngx_int_t ngx_http_variable_request_get_size(ngx_http_request_t *r,
-     ngx_http_variable_value_t *v, uintptr_t data);
- static void ngx_http_variable_request_set_size(ngx_http_request_t *r,
-@@ -218,7 +220,7 @@
-       NGX_HTTP_VAR_NOCACHEABLE, 0 },
- 
-     { ngx_string("args"),
--      ngx_http_variable_request_set,
-+      ngx_http_variable_request_args_set,
-       ngx_http_variable_request,
-       offsetof(ngx_http_request_t, args),
-       NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 },
-@@ -647,6 +649,15 @@
- 
- 
- static void
-+ngx_http_variable_request_args_set(ngx_http_request_t *r,
-+    ngx_http_variable_value_t *v, uintptr_t data)
-+{
-+    r->valid_unparsed_uri = 0;
-+    ngx_http_variable_request_set(r, v, data);
-+}
-+
-+
-+static void
- ngx_http_variable_request_set(ngx_http_request_t *r,
-     ngx_http_variable_value_t *v, uintptr_t data)
- {
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-static_mod_escape_loc_hdr.patch b/images/nginx/rootfs/patches/nginx-1.19.9-static_mod_escape_loc_hdr.patch
deleted file mode 100644
index 04d9ef10b..000000000
--- a/images/nginx/rootfs/patches/nginx-1.19.9-static_mod_escape_loc_hdr.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-diff --git a/src/http/modules/ngx_http_static_module.c b/src/http/modules/ngx_http_static_module.c
-index 282d6ee..899e11e 100644
---- a/src/http/modules/ngx_http_static_module.c
-+++ b/src/http/modules/ngx_http_static_module.c
-@@ -58,6 +58,8 @@ ngx_http_static_handler(ngx_http_request_t *r)
-     ngx_chain_t                out;
-     ngx_open_file_info_t       of;
-     ngx_http_core_loc_conf_t  *clcf;
-+    u_char                    *uri;
-+    uintptr_t                  escape;
- 
-     if (!(r->method & (NGX_HTTP_GET|NGX_HTTP_HEAD|NGX_HTTP_POST))) {
-         return NGX_HTTP_NOT_ALLOWED;
-@@ -162,9 +164,21 @@ ngx_http_static_handler(ngx_http_request_t *r)
- 
-             *last = '/';
- 
-+            escape = 2 * ngx_escape_uri(NULL, location, len, NGX_ESCAPE_URI);
-+            if (escape > 0) {
-+                uri = ngx_pnalloc(r->pool, len + escape);
-+                if (uri == NULL) {
-+                   return NGX_ERROR;
-+                }
-+                ngx_escape_uri(uri, location, len, NGX_ESCAPE_URI);
-+                location = uri;
-+                len += escape;
-+            }
-+
-         } else {
-+            escape = 2 * ngx_escape_uri(NULL, r->uri.data, r->uri.len, NGX_ESCAPE_URI);
-             if (r->args.len) {
--                len += r->args.len + 1;
-+                len += r->args.len + 1 + escape;
-             }
- 
-             location = ngx_pnalloc(r->pool, len);
-@@ -173,7 +187,12 @@ ngx_http_static_handler(ngx_http_request_t *r)
-                 return NGX_HTTP_INTERNAL_SERVER_ERROR;
-             }
- 
--            last = ngx_copy(location, r->uri.data, r->uri.len);
-+            if (escape > 0) {
-+                last = (u_char *) ngx_escape_uri(location, r->uri.data, r->uri.len, NGX_ESCAPE_URI);
-+
-+            } else {
-+                last = ngx_copy(location, r->uri.data, r->uri.len);
-+            }
- 
-             *last = '/';
- 
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-stream_balancer_export.patch b/images/nginx/rootfs/patches/nginx-1.19.9-stream_balancer_export.patch
deleted file mode 100644
index f56bc5257..000000000
--- a/images/nginx/rootfs/patches/nginx-1.19.9-stream_balancer_export.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-diff --git a/src/stream/ngx_stream_upstream_round_robin.c b/src/stream/ngx_stream_upstream_round_robin.c
-index 526de3a..b531ce1 100644
---- a/src/stream/ngx_stream_upstream_round_robin.c
-+++ b/src/stream/ngx_stream_upstream_round_robin.c
-@@ -21,10 +21,6 @@ static void ngx_stream_upstream_notify_round_robin_peer(
- 
- #if (NGX_STREAM_SSL)
- 
--static ngx_int_t ngx_stream_upstream_set_round_robin_peer_session(
--    ngx_peer_connection_t *pc, void *data);
--static void ngx_stream_upstream_save_round_robin_peer_session(
--    ngx_peer_connection_t *pc, void *data);
- static ngx_int_t ngx_stream_upstream_empty_set_session(
-     ngx_peer_connection_t *pc, void *data);
- static void ngx_stream_upstream_empty_save_session(ngx_peer_connection_t *pc,
-@@ -690,7 +686,7 @@ ngx_stream_upstream_notify_round_robin_peer(ngx_peer_connection_t *pc,
- 
- #if (NGX_STREAM_SSL)
- 
--static ngx_int_t
-+ngx_int_t
- ngx_stream_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc,
-     void *data)
- {
-@@ -756,7 +752,7 @@ ngx_stream_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc,
- }
- 
- 
--static void
-+void
- ngx_stream_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
-     void *data)
- {
-diff --git a/src/stream/ngx_stream_upstream_round_robin.h b/src/stream/ngx_stream_upstream_round_robin.h
-index 35d9fce..75f3e31 100644
---- a/src/stream/ngx_stream_upstream_round_robin.h
-+++ b/src/stream/ngx_stream_upstream_round_robin.h
-@@ -142,5 +142,15 @@ ngx_int_t ngx_stream_upstream_get_round_robin_peer(ngx_peer_connection_t *pc,
- void ngx_stream_upstream_free_round_robin_peer(ngx_peer_connection_t *pc,
-     void *data, ngx_uint_t state);
- 
-+#if (NGX_STREAM_SSL)
-+ngx_int_t ngx_stream_upstream_set_round_robin_peer_session(
-+    ngx_peer_connection_t *pc, void *data);
-+void ngx_stream_upstream_save_round_robin_peer_session(
-+    ngx_peer_connection_t *pc, void *data);
-+#endif
-+
-+
-+#define HAVE_NGX_STREAM_BALANCER_EXPORT_PATCH 1
-+
- 
- #endif /* _NGX_STREAM_UPSTREAM_ROUND_ROBIN_H_INCLUDED_ */
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-stream_proxy_timeout_fields.patch b/images/nginx/rootfs/patches/nginx-1.19.9-stream_proxy_timeout_fields.patch
deleted file mode 100644
index 3b4b5e731..000000000
--- a/images/nginx/rootfs/patches/nginx-1.19.9-stream_proxy_timeout_fields.patch
+++ /dev/null
@@ -1,182 +0,0 @@
-diff --git a/src/stream/ngx_stream.h b/src/stream/ngx_stream.h
-index 57e73e04..9a95ef99 100644
---- a/src/stream/ngx_stream.h
-+++ b/src/stream/ngx_stream.h
-@@ -242,6 +242,15 @@ typedef struct {
- } ngx_stream_module_t;
- 
- 
-+typedef struct {
-+    ngx_msec_t                       connect_timeout;
-+    ngx_msec_t                       timeout;
-+} ngx_stream_proxy_ctx_t;
-+
-+
-+#define NGX_STREAM_HAVE_PROXY_TIMEOUT_FIELDS_PATCH 1
-+
-+
- #define NGX_STREAM_MODULE       0x4d525453     /* "STRM" */
- 
- #define NGX_STREAM_MAIN_CONF    0x02000000
-@@ -295,6 +304,7 @@ void ngx_stream_finalize_session(ngx_stream_session_t *s, ngx_uint_t rc);
- extern ngx_module_t  ngx_stream_module;
- extern ngx_uint_t    ngx_stream_max_module;
- extern ngx_module_t  ngx_stream_core_module;
-+extern ngx_module_t  ngx_stream_proxy_module;
- 
- 
- typedef ngx_int_t (*ngx_stream_filter_pt)(ngx_stream_session_t *s,
-diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
-index 7484a728..7b50b427 100644
---- a/src/stream/ngx_stream_proxy_module.c
-+++ b/src/stream/ngx_stream_proxy_module.c
-@@ -378,6 +378,7 @@ ngx_stream_proxy_handler(ngx_stream_session_t *s)
-     ngx_stream_proxy_srv_conf_t      *pscf;
-     ngx_stream_upstream_srv_conf_t   *uscf, **uscfp;
-     ngx_stream_upstream_main_conf_t  *umcf;
-+    ngx_stream_proxy_ctx_t           *pctx;
- 
-     c = s->connection;
- 
-@@ -386,6 +387,17 @@ ngx_stream_proxy_handler(ngx_stream_session_t *s)
-     ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0,
-                    "proxy connection handler");
- 
-+    pctx = ngx_palloc(c->pool, sizeof(ngx_stream_proxy_ctx_t));
-+    if (pctx == NULL) {
-+        ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
-+        return;
-+    }
-+
-+    pctx->connect_timeout = pscf->connect_timeout;
-+    pctx->timeout = pscf->timeout;
-+
-+    ngx_stream_set_ctx(s, pctx, ngx_stream_proxy_module);
-+
-     u = ngx_pcalloc(c->pool, sizeof(ngx_stream_upstream_t));
-     if (u == NULL) {
-         ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
-@@ -677,6 +689,7 @@ ngx_stream_proxy_connect(ngx_stream_session_t *s)
-     ngx_connection_t             *c, *pc;
-     ngx_stream_upstream_t        *u;
-     ngx_stream_proxy_srv_conf_t  *pscf;
-+    ngx_stream_proxy_ctx_t       *ctx;
- 
-     c = s->connection;
- 
-@@ -684,6 +697,8 @@ ngx_stream_proxy_connect(ngx_stream_session_t *s)
- 
-     pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module);
- 
-+    ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module);
-+
-     u = s->upstream;
- 
-     u->connected = 0;
-@@ -747,7 +762,7 @@ ngx_stream_proxy_connect(ngx_stream_session_t *s)
-     pc->read->handler = ngx_stream_proxy_connect_handler;
-     pc->write->handler = ngx_stream_proxy_connect_handler;
- 
--    ngx_add_timer(pc->write, pscf->connect_timeout);
-+    ngx_add_timer(pc->write, ctx->connect_timeout);
- }
- 
- 
-@@ -920,8 +935,10 @@ ngx_stream_proxy_send_proxy_protocol(ngx_stream_session_t *s)
-     ssize_t                       n, size;
-     ngx_connection_t             *c, *pc;
-     ngx_stream_upstream_t        *u;
--    ngx_stream_proxy_srv_conf_t  *pscf;
-     u_char                        buf[NGX_PROXY_PROTOCOL_MAX_HEADER];
-+    ngx_stream_proxy_ctx_t       *ctx;
-+
-+    ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module);
- 
-     c = s->connection;
- 
-@@ -948,9 +965,7 @@ ngx_stream_proxy_send_proxy_protocol(ngx_stream_session_t *s)
-             return NGX_ERROR;
-         }
- 
--        pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module);
--
--        ngx_add_timer(pc->write, pscf->timeout);
-+        ngx_add_timer(pc->write, ctx->timeout);
- 
-         pc->write->handler = ngx_stream_proxy_connect_handler;
- 
-@@ -1014,6 +1029,9 @@ ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s)
-     ngx_connection_t             *pc;
-     ngx_stream_upstream_t        *u;
-     ngx_stream_proxy_srv_conf_t  *pscf;
-+    ngx_stream_proxy_ctx_t       *ctx;
-+
-+    ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module);
- 
-     u = s->upstream;
- 
-@@ -1051,7 +1069,7 @@ ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s)
-     if (rc == NGX_AGAIN) {
- 
-         if (!pc->write->timer_set) {
--            ngx_add_timer(pc->write, pscf->connect_timeout);
-+            ngx_add_timer(pc->write, ctx->connect_timeout);
-         }
- 
-         pc->ssl->handler = ngx_stream_proxy_ssl_handshake;
-@@ -1316,6 +1334,7 @@ ngx_stream_proxy_process_connection(ngx_event_t *ev, ngx_uint_t from_upstream)
-     ngx_stream_session_t         *s;
-     ngx_stream_upstream_t        *u;
-     ngx_stream_proxy_srv_conf_t  *pscf;
-+    ngx_stream_proxy_ctx_t       *ctx;
- 
-     c = ev->data;
-     s = c->data;
-@@ -1327,6 +1346,8 @@ ngx_stream_proxy_process_connection(ngx_event_t *ev, ngx_uint_t from_upstream)
-         return;
-     }
- 
-+    ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module);
-+
-     c = s->connection;
-     pc = u->peer.connection;
- 
-@@ -1346,7 +1367,7 @@ ngx_stream_proxy_process_connection(ngx_event_t *ev, ngx_uint_t from_upstream)
-                 }
- 
-                 if (u->connected && !c->read->delayed && !pc->read->delayed) {
--                    ngx_add_timer(c->write, pscf->timeout);
-+                    ngx_add_timer(c->write, ctx->timeout);
-                 }
- 
-                 return;
-@@ -1507,7 +1528,9 @@ ngx_stream_proxy_process(ngx_stream_session_t *s, ngx_uint_t from_upstream,
-     ngx_connection_t             *c, *pc, *src, *dst;
-     ngx_log_handler_pt            handler;
-     ngx_stream_upstream_t        *u;
--    ngx_stream_proxy_srv_conf_t  *pscf;
-+    ngx_stream_proxy_ctx_t       *ctx;
-+
-+    ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module);
- 
-     u = s->upstream;
- 
-@@ -1529,8 +1552,6 @@ ngx_stream_proxy_process(ngx_stream_session_t *s, ngx_uint_t from_upstream,
-         return;
-     }
- 
--    pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module);
--
-     if (from_upstream) {
-         src = pc;
-         dst = c;
-@@ -1682,7 +1703,7 @@ ngx_stream_proxy_process(ngx_stream_session_t *s, ngx_uint_t from_upstream,
-         }
- 
-         if (!c->read->delayed && !pc->read->delayed) {
--            ngx_add_timer(c->write, pscf->timeout);
-+            ngx_add_timer(c->write, ctx->timeout);
- 
-         } else if (c->write->timer_set) {
-             ngx_del_timer(c->write);
-
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-win32_max_err_str.patch b/images/nginx/rootfs/patches/nginx-1.19.9-win32_max_err_str.patch
deleted file mode 100644
index 8c3ba2791..000000000
--- a/images/nginx/rootfs/patches/nginx-1.19.9-win32_max_err_str.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/src/os/win32/ngx_event_log.c b/src/os/win32/ngx_event_log.c
-index e11ed1e8..dce8eddd 100644
---- a/src/os/win32/ngx_event_log.c
-+++ b/src/os/win32/ngx_event_log.c
-@@ -8,7 +8,9 @@
- #include <ngx_core.h>
- 
- 
--#define NGX_MAX_ERROR_STR   2048
-+#ifndef NGX_MAX_ERROR_STR
-+#define NGX_MAX_ERROR_STR   4096
-+#endif
- 
- 
- void ngx_cdecl
diff --git a/images/nginx/rootfs/patches/patch.2021.resolver.txt b/images/nginx/rootfs/patches/patch.2021.resolver.txt
deleted file mode 100644
index 6c895e61c..000000000
--- a/images/nginx/rootfs/patches/patch.2021.resolver.txt
+++ /dev/null
@@ -1,23 +0,0 @@
-diff --git src/core/ngx_resolver.c src/core/ngx_resolver.c
---- src/core/ngx_resolver.c
-+++ src/core/ngx_resolver.c
-@@ -4008,15 +4008,15 @@ done:
-             n = *src++;
- 
-         } else {
-+            if (dst != name->data) {
-+                *dst++ = '.';
-+            }
-+
-             ngx_strlow(dst, src, n);
-             dst += n;
-             src += n;
- 
-             n = *src++;
--
--            if (n != 0) {
--                *dst++ = '.';
--            }
-         }
- 
-         if (n == 0) {

From 8a1a5e93c720d5ee0000c8db2885b7846025bd3e Mon Sep 17 00:00:00 2001
From: Dechao Qiu <dechao.qiu@gmail.com>
Date: Tue, 31 Aug 2021 07:45:38 -0700
Subject: [PATCH 081/376] Fix YAML indentation issue (#7556)

`http-snippet:|` does not work for kubernetes 1.21.4, it requires extra space: ``http-snippet: |`
---
 deploy/static/provider/aws/deploy-tls-termination.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml
index bf442df89..3085270d8 100644
--- a/deploy/static/provider/aws/deploy-tls-termination.yaml
+++ b/deploy/static/provider/aws/deploy-tls-termination.yaml
@@ -37,7 +37,7 @@ metadata:
   name: ingress-nginx-controller
   namespace: ingress-nginx
 data:
-  http-snippet:|
+  http-snippet: |
     server{
       listen 2443;
       return 308 https://$host$request_uri;

From f2e743f561963f140e39f66bd2480d1ab2e68ab6 Mon Sep 17 00:00:00 2001
From: Vincent LE GOFF <vince.legoff@gmail.com>
Date: Thu, 2 Sep 2021 00:23:40 +0200
Subject: [PATCH 082/376] feat: add session-cookie-secure annotation (#7399)

---
 docs/examples/affinity/cookie/README.md       |  1 +
 .../affinity/cookie/ingress-samesite.yaml     |  1 +
 .../annotations/sessionaffinity/main.go       | 11 ++++++
 .../annotations/sessionaffinity/main_test.go  |  5 +++
 internal/ingress/controller/controller.go     |  1 +
 internal/ingress/types.go                     |  1 +
 internal/ingress/types_equals.go              |  3 ++
 rootfs/etc/nginx/lua/balancer/sticky.lua      |  7 +++-
 .../nginx/lua/test/balancer/sticky_test.lua   | 38 ++++++++++---------
 9 files changed, 50 insertions(+), 18 deletions(-)

diff --git a/docs/examples/affinity/cookie/README.md b/docs/examples/affinity/cookie/README.md
index 4f93fc0f8..b567c44c0 100644
--- a/docs/examples/affinity/cookie/README.md
+++ b/docs/examples/affinity/cookie/README.md
@@ -12,6 +12,7 @@ Session affinity can be configured using the following annotations:
 |nginx.ingress.kubernetes.io/affinity-mode|The affinity mode defines how sticky a session is. Use `balanced` to redistribute some sessions when scaling pods or `persistent` for maximum stickiness.|`balanced` (default) or `persistent`|
 |nginx.ingress.kubernetes.io/affinity-canary-behavior|Defines session affinity behavior of canaries. By default the behavior is `sticky`, and canaries respect session affinity configuration. Set this to `legacy` to restore original canary behavior, when session affinity parameters were not respected.|`sticky` (default) or `legacy`|
 |nginx.ingress.kubernetes.io/session-cookie-name|Name of the cookie that will be created|string (defaults to `INGRESSCOOKIE`)|
+|nginx.ingress.kubernetes.io/session-cookie-secure|Set the cookie as secure regardless the protocol of the incoming request|`"true"` or `"false"`|
 |nginx.ingress.kubernetes.io/session-cookie-path|Path that will be set on the cookie (required if your [Ingress paths][ingress-paths] use regular expressions)|string (defaults to the currently [matched path][ingress-paths])|
 |nginx.ingress.kubernetes.io/session-cookie-samesite|SameSite attribute to apply to the cookie|Browser accepted values are `None`, `Lax`, and `Strict`|
 |nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none|Will omit `SameSite=None` attribute for older browsers which reject the more-recently defined `SameSite=None` value|`"true"` or `"false"`
diff --git a/docs/examples/affinity/cookie/ingress-samesite.yaml b/docs/examples/affinity/cookie/ingress-samesite.yaml
index b3f8f4b20..edfa1b653 100644
--- a/docs/examples/affinity/cookie/ingress-samesite.yaml
+++ b/docs/examples/affinity/cookie/ingress-samesite.yaml
@@ -5,6 +5,7 @@ metadata:
   annotations:
     nginx.ingress.kubernetes.io/affinity: "cookie"
     nginx.ingress.kubernetes.io/session-cookie-name: "SSNONE"
+    nginx.ingress.kubernetes.io/session-cookie-secure: "true"
     nginx.ingress.kubernetes.io/session-cookie-expires: "172800"
     nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"
     nginx.ingress.kubernetes.io/session-cookie-samesite: "None"
diff --git a/internal/ingress/annotations/sessionaffinity/main.go b/internal/ingress/annotations/sessionaffinity/main.go
index 358be1442..9c4d1d2bc 100644
--- a/internal/ingress/annotations/sessionaffinity/main.go
+++ b/internal/ingress/annotations/sessionaffinity/main.go
@@ -37,6 +37,10 @@ const (
 
 	defaultAffinityCookieName = "INGRESSCOOKIE"
 
+	// This is used to force the Secure flag on the cookie even if the
+	// incoming request is not secured. (https://github.com/kubernetes/ingress-nginx/issues/6812)
+	annotationAffinityCookieSecure = "session-cookie-secure"
+
 	// This is used to control the cookie expires, its value is a number of seconds until the
 	// cookie expires
 	annotationAffinityCookieExpires = "session-cookie-expires"
@@ -85,6 +89,8 @@ type Cookie struct {
 	Path string `json:"path"`
 	// Flag that allows cookie regeneration on request failure
 	ChangeOnFailure bool `json:"changeonfailure"`
+	// Secure flag to be set
+	Secure bool `json:"secure"`
 	// SameSite attribute value
 	SameSite string `json:"samesite"`
 	// Flag that conditionally applies SameSite=None attribute on cookie if user agent accepts it.
@@ -126,6 +132,11 @@ func (a affinity) cookieAffinityParse(ing *networking.Ingress) *Cookie {
 		klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookieSameSite)
 	}
 
+	cookie.Secure, err = parser.GetBoolAnnotation(annotationAffinityCookieSecure, ing)
+	if err != nil {
+		klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookieSecure)
+	}
+
 	cookie.ConditionalSameSiteNone, err = parser.GetBoolAnnotation(annotationAffinityCookieConditionalSameSiteNone, ing)
 	if err != nil {
 		klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookieConditionalSameSiteNone)
diff --git a/internal/ingress/annotations/sessionaffinity/main_test.go b/internal/ingress/annotations/sessionaffinity/main_test.go
index 98f0a1eb6..65d11ac2d 100644
--- a/internal/ingress/annotations/sessionaffinity/main_test.go
+++ b/internal/ingress/annotations/sessionaffinity/main_test.go
@@ -79,6 +79,7 @@ func TestIngressAffinityCookieConfig(t *testing.T) {
 	data[parser.GetAnnotationWithPrefix(annotationAffinityCookieMaxAge)] = "3000"
 	data[parser.GetAnnotationWithPrefix(annotationAffinityCookiePath)] = "/foo"
 	data[parser.GetAnnotationWithPrefix(annotationAffinityCookieChangeOnFailure)] = "true"
+	data[parser.GetAnnotationWithPrefix(annotationAffinityCookieSecure)] = "true"
 	ing.SetAnnotations(data)
 
 	affin, _ := NewParser(&resolver.Mock{}).Parse(ing)
@@ -114,4 +115,8 @@ func TestIngressAffinityCookieConfig(t *testing.T) {
 	if !nginxAffinity.Cookie.ChangeOnFailure {
 		t.Errorf("expected change of failure parameter set to true but returned %v", nginxAffinity.Cookie.ChangeOnFailure)
 	}
+
+	if !nginxAffinity.Cookie.Secure {
+		t.Errorf("expected secure parameter set to true but returned %v", nginxAffinity.Cookie.Secure)
+	}
 }
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 72a1afa63..1fd22079b 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -667,6 +667,7 @@ func (n *NGINXController) getBackendServers(ingresses []*ingress.Ingress) ([]*in
 					ups.SessionAffinity.CookieSessionAffinity.Name = anns.SessionAffinity.Cookie.Name
 					ups.SessionAffinity.CookieSessionAffinity.Expires = anns.SessionAffinity.Cookie.Expires
 					ups.SessionAffinity.CookieSessionAffinity.MaxAge = anns.SessionAffinity.Cookie.MaxAge
+					ups.SessionAffinity.CookieSessionAffinity.Secure = anns.SessionAffinity.Cookie.Secure
 					ups.SessionAffinity.CookieSessionAffinity.Path = cookiePath
 					ups.SessionAffinity.CookieSessionAffinity.SameSite = anns.SessionAffinity.Cookie.SameSite
 					ups.SessionAffinity.CookieSessionAffinity.ConditionalSameSiteNone = anns.SessionAffinity.Cookie.ConditionalSameSiteNone
diff --git a/internal/ingress/types.go b/internal/ingress/types.go
index a1cbdf685..033fa9cc4 100644
--- a/internal/ingress/types.go
+++ b/internal/ingress/types.go
@@ -155,6 +155,7 @@ type CookieSessionAffinity struct {
 	Expires                 string              `json:"expires,omitempty"`
 	MaxAge                  string              `json:"maxage,omitempty"`
 	Locations               map[string][]string `json:"locations,omitempty"`
+	Secure                  bool                `json:"secure,omitempty"`
 	Path                    string              `json:"path,omitempty"`
 	SameSite                string              `json:"samesite,omitempty"`
 	ConditionalSameSiteNone bool                `json:"conditional_samesite_none,omitempty"`
diff --git a/internal/ingress/types_equals.go b/internal/ingress/types_equals.go
index 87af2bcfc..18ffa9042 100644
--- a/internal/ingress/types_equals.go
+++ b/internal/ingress/types_equals.go
@@ -182,6 +182,9 @@ func (csa1 *CookieSessionAffinity) Equal(csa2 *CookieSessionAffinity) bool {
 	if csa1.SameSite != csa2.SameSite {
 		return false
 	}
+	if csa1.Secure != csa2.Secure {
+		return false
+	}
 	if csa1.ConditionalSameSiteNone != csa2.ConditionalSameSiteNone {
 		return false
 	}
diff --git a/rootfs/etc/nginx/lua/balancer/sticky.lua b/rootfs/etc/nginx/lua/balancer/sticky.lua
index 63f3c6785..3440d86bd 100644
--- a/rootfs/etc/nginx/lua/balancer/sticky.lua
+++ b/rootfs/etc/nginx/lua/balancer/sticky.lua
@@ -87,13 +87,18 @@ function _M.set_cookie(self, value)
     end
   end
 
+  local cookie_secure = self.cookie_session_affinity.secure
+  if cookie_secure == nil then
+    cookie_secure = ngx.var.https == "on"
+  end
+
   local cookie_data = {
     key = self:cookie_name(),
     value = value .. COOKIE_VALUE_DELIMITER .. self.backend_key,
     path = cookie_path,
     httponly = true,
     samesite = cookie_samesite,
-    secure = ngx.var.https == "on",
+    secure = cookie_secure,
   }
 
   if self.cookie_session_affinity.expires and self.cookie_session_affinity.expires ~= "" then
diff --git a/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua b/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua
index a0c0ae54f..80d0c0d0e 100644
--- a/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua
+++ b/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua
@@ -422,7 +422,7 @@ describe("Sticky", function()
       cookie.new = mocked_cookie_new
     end)
 
-    local function test_set_cookie_with(sticky_balancer_type, samesite, conditional_samesite_none, expected_path, expected_samesite)
+    local function test_set_cookie_with(sticky_balancer_type, samesite, conditional_samesite_none, expected_path, expected_samesite, secure, expected_secure)
       local s = {}
       cookie.new = function(self)
         local cookie_instance = {
@@ -432,7 +432,7 @@ describe("Sticky", function()
             assert.equal(payload.samesite, expected_samesite)
             assert.equal(payload.domain, nil)
             assert.equal(payload.httponly, true)
-            assert.equal(payload.secure, false)
+            assert.equal(payload.secure, expected_secure)
             return true, nil
           end,
           get = function(k) return false end,
@@ -445,57 +445,61 @@ describe("Sticky", function()
       b.sessionAffinityConfig.cookieSessionAffinity.locations["test.com"] = {"/"}
       b.sessionAffinityConfig.cookieSessionAffinity.samesite = samesite
       b.sessionAffinityConfig.cookieSessionAffinity.conditional_samesite_none = conditional_samesite_none
+      b.sessionAffinityConfig.cookieSessionAffinity.secure = secure
       local sticky_balancer_instance = sticky_balancer_type:new(b)
       assert.has_no.errors(function() sticky_balancer_instance:balance() end)
       assert.spy(s).was_called()
     end
 
-    it("returns a cookie with SameSite=Strict when user specifies samesite strict", function()
-      test_set_cookie_with(sticky_balanced, "Strict", false, "/", "Strict")
+    it("returns a secure cookie with SameSite=Strict when user specifies samesite strict and secure=true", function()
+      test_set_cookie_with(sticky_balanced, "Lax", false, "/", "Lax", true, true)
     end)
     it("returns a cookie with SameSite=Strict when user specifies samesite strict and conditional samesite none", function()
-      test_set_cookie_with(sticky_balanced, "Strict", true, "/", "Strict")
+      test_set_cookie_with(sticky_balanced, "Strict", true, "/", "Strict", nil, false)
     end)
     it("returns a cookie with SameSite=Lax when user specifies samesite lax", function()
-      test_set_cookie_with(sticky_balanced, "Lax", false, "/", "Lax")
+      test_set_cookie_with(sticky_balanced, "Lax", false, "/", "Lax", nil, false)
     end)
     it("returns a cookie with SameSite=Lax when user specifies samesite lax and conditional samesite none", function()
-      test_set_cookie_with(sticky_balanced, "Lax", true, "/", "Lax")
+      test_set_cookie_with(sticky_balanced, "Lax", true, "/", "Lax", nil, false)
     end)
     it("returns a cookie with SameSite=None when user specifies samesite None", function()
-      test_set_cookie_with(sticky_balanced, "None", false, "/", "None")
+      test_set_cookie_with(sticky_balanced, "None", false, "/", "None", nil, false)
     end)
     it("returns a cookie with SameSite=None when user specifies samesite None and conditional samesite none with supported user agent", function()
       mock_ngx({ var = { location_path = "/", host = "test.com" , http_user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.2704.103 Safari/537.36"} })
-      test_set_cookie_with(sticky_balanced, "None", true, "/", "None")
+      test_set_cookie_with(sticky_balanced, "None", true, "/", "None", nil, false)
     end)
     it("returns a cookie without SameSite=None when user specifies samesite None and conditional samesite none with unsupported user agent", function()
       mock_ngx({ var = { location_path = "/", host = "test.com" , http_user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"} })
-      test_set_cookie_with(sticky_balanced, "None", true, "/", nil)
+      test_set_cookie_with(sticky_balanced, "None", true, "/", nil, nil, false)
     end)
 
+    it("returns a secure cookie with SameSite=Strict when user specifies samesite strict and secure=true", function()
+      test_set_cookie_with(sticky_persistent, "Lax", false, "/", "Lax", true, true)
+    end)
     it("returns a cookie with SameSite=Strict when user specifies samesite strict", function()
-      test_set_cookie_with(sticky_persistent, "Strict", false, "/", "Strict")
+      test_set_cookie_with(sticky_persistent, "Strict", false, "/", "Strict", nil, false)
     end)
     it("returns a cookie with SameSite=Strict when user specifies samesite strict and conditional samesite none", function()
-      test_set_cookie_with(sticky_persistent, "Strict", true, "/", "Strict")
+      test_set_cookie_with(sticky_persistent, "Strict", true, "/", "Strict", nil, false)
     end)
     it("returns a cookie with SameSite=Lax when user specifies samesite lax", function()
-      test_set_cookie_with(sticky_persistent, "Lax", false, "/", "Lax")
+      test_set_cookie_with(sticky_persistent, "Lax", false, "/", "Lax", nil, false)
     end)
     it("returns a cookie with SameSite=Lax when user specifies samesite lax and conditional samesite none", function()
-      test_set_cookie_with(sticky_persistent, "Lax", true, "/", "Lax")
+      test_set_cookie_with(sticky_persistent, "Lax", true, "/", "Lax", nil, false)
     end)
     it("returns a cookie with SameSite=None when user specifies samesite None", function()
-      test_set_cookie_with(sticky_persistent, "None", false, "/", "None")
+      test_set_cookie_with(sticky_persistent, "None", false, "/", "None", nil, false)
     end)
     it("returns a cookie with SameSite=None when user specifies samesite None and conditional samesite none with supported user agent", function()
       mock_ngx({ var = { location_path = "/", host = "test.com" , http_user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.2704.103 Safari/537.36"} })
-      test_set_cookie_with(sticky_persistent, "None", true, "/", "None")
+      test_set_cookie_with(sticky_persistent, "None", true, "/", "None", nil, false)
     end)
     it("returns a cookie without SameSite=None when user specifies samesite None and conditional samesite none with unsupported user agent", function()
       mock_ngx({ var = { location_path = "/", host = "test.com" , http_user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"} })
-      test_set_cookie_with(sticky_persistent, "None", true, "/", nil)
+      test_set_cookie_with(sticky_persistent, "None", true, "/", nil, nil, false)
     end)
   end)
 

From 9dda37c130b9c7ee553ebee108119d0e1dc31b09 Mon Sep 17 00:00:00 2001
From: Aivars Sterns <Atoms@users.noreply.github.com>
Date: Thu, 2 Sep 2021 10:54:09 +0300
Subject: [PATCH 083/376] add same tcp and udp ports to internal load balancer
 (#7511)

---
 .../controller-service-internal.yaml          | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/charts/ingress-nginx/templates/controller-service-internal.yaml b/charts/ingress-nginx/templates/controller-service-internal.yaml
index 09c942eb2..599449836 100644
--- a/charts/ingress-nginx/templates/controller-service-internal.yaml
+++ b/charts/ingress-nginx/templates/controller-service-internal.yaml
@@ -51,6 +51,28 @@ spec:
       nodePort: {{ .Values.controller.service.nodePorts.https }}
     {{- end }}
   {{- end }}
+  {{- range $key, $value := .Values.tcp }}
+    - name: {{ $key }}-tcp
+      port: {{ $key }}
+      protocol: TCP
+      targetPort: {{ $key }}-tcp
+    {{- if $.Values.controller.service.nodePorts.tcp }}
+    {{- if index $.Values.controller.service.nodePorts.tcp $key }}
+      nodePort: {{ index $.Values.controller.service.nodePorts.tcp $key }}
+    {{- end }}
+    {{- end }}
+  {{- end }}
+  {{- range $key, $value := .Values.udp }}
+    - name: {{ $key }}-udp
+      port: {{ $key }}
+      protocol: UDP
+      targetPort: {{ $key }}-udp
+    {{- if $.Values.controller.service.nodePorts.udp }}
+    {{- if index $.Values.controller.service.nodePorts.udp $key }}
+      nodePort: {{ index $.Values.controller.service.nodePorts.udp $key }}
+    {{- end }}
+    {{- end }}
+  {{- end }}
   selector:
     {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
     app.kubernetes.io/component: controller

From 4601bd96995b66e77657f7fdbb43f9cd9d953048 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Thu, 2 Sep 2021 12:04:58 -0300
Subject: [PATCH 084/376] Default KinD manifest to watch ingresses without
 class (#7581)

---
 deploy/static/provider/kind/deploy.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index 88c512162..4bd7e42c3 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -339,6 +339,7 @@ spec:
             - --validating-webhook-certificate=/usr/local/certificates/cert
             - --validating-webhook-key=/usr/local/certificates/key
             - --publish-status-address=localhost
+            - --watch-ingress-without-class
           securityContext:
             capabilities:
               drop:

From 61c596bea60d59b65f61b04e31291b49252797a8 Mon Sep 17 00:00:00 2001
From: Fred Thomsen <me@fredthomsen.net>
Date: Thu, 2 Sep 2021 12:54:58 -0400
Subject: [PATCH 085/376] Add doc ref for preserve-trailing-slash annotation
 (#7561)

Fixes issue #7555
---
 docs/user-guide/nginx-configuration/annotations.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
index 67bc10c58..e9fefebf1 100755
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@@ -64,6 +64,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
 |[nginx.ingress.kubernetes.io/permanent-redirect](#permanent-redirect)|string|
 |[nginx.ingress.kubernetes.io/permanent-redirect-code](#permanent-redirect-code)|number|
 |[nginx.ingress.kubernetes.io/temporal-redirect](#temporal-redirect)|string|
+|[nginx.ingress.kubernetes.io/preserve-trailing-slash](#server-side-https-enforcement-through-redirect)|"true" or "false"|
 |[nginx.ingress.kubernetes.io/proxy-body-size](#custom-max-body-size)|string|
 |[nginx.ingress.kubernetes.io/proxy-cookie-domain](#proxy-cookie-domain)|string|
 |[nginx.ingress.kubernetes.io/proxy-cookie-path](#proxy-cookie-path)|string|
@@ -591,6 +592,8 @@ When using SSL offloading outside of cluster (e.g. AWS ELB) it may be useful to
 even when there is no TLS certificate available.
 This can be achieved by using the `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"` annotation in the particular resource.
 
+To preserve the trailing slash in the URI with `ssl-redirect`, set `nginx.ingress.kubernetes.io/preserve-trailing-slash: "true"` annotation for that particular resource.
+
 ### Redirect from/to www
 
 In some scenarios is required to redirect from `www.domain.com` to `domain.com` or vice versa.

From cb8ebcb88022a4efdb90947930cc985e4261db99 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Thu, 2 Sep 2021 15:59:39 -0300
Subject: [PATCH 086/376] update alpine and remove buildx restriction (#7583)

---
 hack/init-buildx.sh            | 4 +++-
 images/nginx/rootfs/Dockerfile | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/hack/init-buildx.sh b/hack/init-buildx.sh
index a24b64956..379173cf8 100755
--- a/hack/init-buildx.sh
+++ b/hack/init-buildx.sh
@@ -46,7 +46,9 @@ fi
 # We only need to do this setup on linux hosts
 if [ "$(uname)" == 'Linux' ]; then
   # NOTE: this is pinned to a digest for a reason!
-  docker run --rm --privileged multiarch/qemu-user-static@sha256:28ebe2e48220ae8fd5d04bb2c847293b24d7fbfad84f0b970246e0a4efd48ad6 --reset -p yes
+  # Note2 (@rikatz) - Removing the pin, as apparently it's breaking new alpine builds
+  # docker run --rm --privileged multiarch/qemu-user-static@sha256:28ebe2e48220ae8fd5d04bb2c847293b24d7fbfad84f0b970246e0a4efd48ad6 --reset -p yes
+  docker run --rm --privileged multiarch/qemu-user-static:register --reset -p yes
 fi
 
 # Ensure we use a builder that can leverage it (the default on linux will not)
diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile
index 676083bf8..85bea7e62 100644
--- a/images/nginx/rootfs/Dockerfile
+++ b/images/nginx/rootfs/Dockerfile
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 
-FROM alpine:3.14.1 as builder
+FROM alpine:3.14.2 as builder
 
 COPY . /
 
@@ -23,7 +23,7 @@ RUN apk update \
   && /build.sh
 
 # Use a multi-stage build
-FROM alpine:3.14.1
+FROM alpine:3.14.2
 
 ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin
 

From 39f087c012da23b40d20070f6ee2e46c9401e063 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Thu, 2 Sep 2021 16:15:46 -0300
Subject: [PATCH 087/376] Changing gcb builder (#7584)

---
 cloudbuild.yaml              | 2 +-
 images/nginx/cloudbuild.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/cloudbuild.yaml b/cloudbuild.yaml
index 8dead6df3..22f4771bb 100644
--- a/cloudbuild.yaml
+++ b/cloudbuild.yaml
@@ -4,7 +4,7 @@ timeout: 1800s
 options:
   substitution_option: ALLOW_LOOSE
 steps:
-  - name: 'gcr.io/k8s-testimages/gcb-docker-gcloud:v20201130-750d12f'
+  - name: 'gcr.io/k8s-testimages/gcb-docker-gcloud:v20210722-085d930'
     entrypoint: bash
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled
diff --git a/images/nginx/cloudbuild.yaml b/images/nginx/cloudbuild.yaml
index ba09d2acd..c5aca043e 100644
--- a/images/nginx/cloudbuild.yaml
+++ b/images/nginx/cloudbuild.yaml
@@ -4,7 +4,7 @@ options:
   # job builds a multi-arch docker image for amd64,arm,arm64 and s390x.
   machineType: N1_HIGHCPU_32
 steps:
-  - name: gcr.io/k8s-testimages/gcb-docker-gcloud:v20201130-750d12f
+  - name: gcr.io/k8s-testimages/gcb-docker-gcloud:v20210722-085d930
     entrypoint: bash
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled

From dd3b0c9fc298e2f25be10d3c7d8594452371643a Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rkatz@vmware.com>
Date: Sat, 4 Sep 2021 01:06:51 -0300
Subject: [PATCH 088/376] Change builder in a new attempt to make it run

---
 hack/init-buildx.sh    | 19 ++++++++++---------
 images/nginx/README.md |  5 -----
 2 files changed, 10 insertions(+), 14 deletions(-)

diff --git a/hack/init-buildx.sh b/hack/init-buildx.sh
index 379173cf8..1a47bf145 100755
--- a/hack/init-buildx.sh
+++ b/hack/init-buildx.sh
@@ -29,6 +29,16 @@ if ! docker buildx 2>&1 >/dev/null; then
   exit 1
 fi
 
+# Ensure qemu is in binfmt_misc
+# Docker desktop already has these in versions recent enough to have buildx
+# We only need to do this setup on linux hosts
+if [ "$(uname)" == 'Linux' ]; then
+  # NOTE: this is pinned to a digest for a reason!
+  # Note2 (@rikatz) - Removing the pin, as apparently it's breaking new alpine builds
+  # docker run --rm --privileged multiarch/qemu-user-static@sha256:28ebe2e48220ae8fd5d04bb2c847293b24d7fbfad84f0b970246e0a4efd48ad6 --reset -p yes
+  docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+fi
+
 # We can skip setup if the current builder already has multi-arch
 # AND if it isn't the docker driver, which doesn't work
 current_builder="$(docker buildx inspect)"
@@ -41,15 +51,6 @@ if ! grep -q "^Driver: docker$"  <<<"${current_builder}" && \
   exit 0
 fi
 
-# Ensure qemu is in binfmt_misc
-# Docker desktop already has these in versions recent enough to have buildx
-# We only need to do this setup on linux hosts
-if [ "$(uname)" == 'Linux' ]; then
-  # NOTE: this is pinned to a digest for a reason!
-  # Note2 (@rikatz) - Removing the pin, as apparently it's breaking new alpine builds
-  # docker run --rm --privileged multiarch/qemu-user-static@sha256:28ebe2e48220ae8fd5d04bb2c847293b24d7fbfad84f0b970246e0a4efd48ad6 --reset -p yes
-  docker run --rm --privileged multiarch/qemu-user-static:register --reset -p yes
-fi
 
 # Ensure we use a builder that can leverage it (the default on linux will not)
 docker buildx rm ingress-nginx || true
diff --git a/images/nginx/README.md b/images/nginx/README.md
index dde0b618a..ae5066ce5 100644
--- a/images/nginx/README.md
+++ b/images/nginx/README.md
@@ -21,8 +21,3 @@ _Using docker_
 docker run -v /some/nginx.con:/etc/nginx/nginx.conf:ro k8s.gcr.io/ingress-nginx/nginx:v20210809-g98288bc3c@sha256:f9363669cf26514c9548c1fe4f8f4e2f58dfb76616bcd638a0ff7f0ec3457c17
 ```
 
-_Creating a replication controller_
-
-```console
-kubectl create -f ./rc.yaml
-```

From 4ce0227268dc52991e0e158c766f043db9605146 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rkatz@vmware.com>
Date: Sat, 4 Sep 2021 02:12:50 -0300
Subject: [PATCH 089/376] Remove addgroup directive from alpine building

---
 images/nginx/rootfs/Dockerfile | 1 -
 images/nginx/rootfs/build.sh   | 1 -
 2 files changed, 2 deletions(-)

diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile
index 85bea7e62..4893f3c54 100644
--- a/images/nginx/rootfs/Dockerfile
+++ b/images/nginx/rootfs/Dockerfile
@@ -53,7 +53,6 @@ RUN apk update \
     nano \
     tzdata \
   && ln -s /usr/local/nginx/sbin/nginx /sbin/nginx \
-  && addgroup -Sg 101 www-data \
   && adduser -S -D -H -u 101 -h /usr/local/nginx \
     -s /sbin/nologin -G www-data -g www-data www-data \
   && bash -eu -c ' \
diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
index 46f304ea5..d8d57bafe 100755
--- a/images/nginx/rootfs/build.sh
+++ b/images/nginx/rootfs/build.sh
@@ -733,7 +733,6 @@ writeDirs=( \
   /var/log/nginx \
 );
 
-addgroup -Sg 101 www-data
 adduser -S -D -H -u 101 -h /usr/local/nginx -s /sbin/nologin -G www-data -g www-data www-data
 
 for dir in "${writeDirs[@]}"; do

From 4eeb1dfb56786b3ee0cb8ede79c2a1f0a63c2e3c Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Sun, 5 Sep 2021 09:15:20 +0530
Subject: [PATCH 090/376] improve faq for migration to ingress api v1 (#7540)

---
 docs/index.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/docs/index.md b/docs/index.md
index 3012ffbea..601023215 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -167,3 +167,6 @@ Bear in mind that, if your `Ingress-Nginx-Controller-nginx2` is started with the
 
 ## Why is the ingressClassResource disabled by default in the helm chart ?
 - If this field is set to enabled value and there are existing ingress objects in the cluster, then the existing ingress objects will not be honored and only any new ingress object you create will inherit the ingressClass value.
+
+## I am seeing this error message in the logs of the Ingress-NGINX controller "ingress class annotation is not equal to the expected by Ingress Controller". Why ?
+- It is highly likely that you will also see the name of the ingress resource in the same error message. This error messsage has been observed on use the deprecated annotation, to spec the ingressClass, in a ingress resource manifest. It is recommended to use the ingress.spec.ingressClassName field, of the ingress resource, to spec the name of the ingressClass of the ingress resource being configured.

From 90c065d508b2cc5dbc74e3903318bb0c1b971fb6 Mon Sep 17 00:00:00 2001
From: KuberDriver <28806564+KuberDriver@users.noreply.github.com>
Date: Sun, 5 Sep 2021 11:50:28 +0000
Subject: [PATCH 091/376] Update to the base nginx image (#7597)

* Update to the base nginx image

* update template.go

* update template_test.go
---
 Makefile                                              | 2 +-
 images/echo/Makefile                                  | 2 +-
 images/nginx/README.md                                | 2 +-
 images/nginx/rc.yaml                                  | 2 +-
 images/test-runner/Makefile                           | 2 +-
 internal/ingress/controller/template/template.go      | 2 +-
 internal/ingress/controller/template/template_test.go | 4 ++--
 test/e2e/framework/deployment.go                      | 2 +-
 8 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/Makefile b/Makefile
index edd16e4cc..6bc6f8cdc 100644
--- a/Makefile
+++ b/Makefile
@@ -51,7 +51,7 @@ endif
 
 REGISTRY ?= gcr.io/k8s-staging-ingress-nginx
 
-BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210809-g98288bc3c@sha256:f9363669cf26514c9548c1fe4f8f4e2f58dfb76616bcd638a0ff7f0ec3457c17
+BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210904-gb7c973dce@sha256:fac972a7e43b18408ecb9e87da868df519428294e2e988c16be72479ee873c0e
 
 GOARCH=$(ARCH)
 
diff --git a/images/echo/Makefile b/images/echo/Makefile
index 90a544b24..ccfa711b0 100644
--- a/images/echo/Makefile
+++ b/images/echo/Makefile
@@ -36,7 +36,7 @@ build: ensure-buildx
 		--platform=${PLATFORMS} $(OUTPUT) \
 		--progress=$(PROGRESS) \
 		--pull \
-		--build-arg BASE_IMAGE=k8s.gcr.io/ingress-nginx/nginx:v20210809-g98288bc3c@sha256:f9363669cf26514c9548c1fe4f8f4e2f58dfb76616bcd638a0ff7f0ec3457c17 \
+		--build-arg BASE_IMAGE=k8s.gcr.io/ingress-nginx/nginx:v20210904-gb7c973dce@sha256:fac972a7e43b18408ecb9e87da868df519428294e2e988c16be72479ee873c0e \
 		--build-arg LUAROCKS_VERSION=3.3.1 \
 		--build-arg LUAROCKS_SHA=837481e408f7c06b59befe7ec194537c657687d624894bca7f79034302141a34 \
 		-t $(IMAGE):$(TAG) rootfs
diff --git a/images/nginx/README.md b/images/nginx/README.md
index ae5066ce5..fc247699e 100644
--- a/images/nginx/README.md
+++ b/images/nginx/README.md
@@ -18,6 +18,6 @@ This image provides a default configuration file with no backend servers.
 _Using docker_
 
 ```console
-docker run -v /some/nginx.con:/etc/nginx/nginx.conf:ro k8s.gcr.io/ingress-nginx/nginx:v20210809-g98288bc3c@sha256:f9363669cf26514c9548c1fe4f8f4e2f58dfb76616bcd638a0ff7f0ec3457c17
+docker run -v /some/nginx.con:/etc/nginx/nginx.conf:ro k8s.gcr.io/ingress-nginx/nginx:v20210904-gb7c973dce@sha256:fac972a7e43b18408ecb9e87da868df519428294e2e988c16be72479ee873c0e
 ```
 
diff --git a/images/nginx/rc.yaml b/images/nginx/rc.yaml
index 98a3df14b..e5654260f 100644
--- a/images/nginx/rc.yaml
+++ b/images/nginx/rc.yaml
@@ -38,7 +38,7 @@ spec:
     spec:
       containers:
         - name: nginx
-          image: k8s.gcr.io/ingress-nginx/nginx:v20210809-g98288bc3c@sha256:f9363669cf26514c9548c1fe4f8f4e2f58dfb76616bcd638a0ff7f0ec3457c17
+          image: k8s.gcr.io/ingress-nginx/nginx:v20210904-gb7c973dce@sha256:fac972a7e43b18408ecb9e87da868df519428294e2e988c16be72479ee873c0e
           ports:
             - containerPort: 80
             - containerPort: 443
diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile
index 5c7b47d66..0ba3561b0 100644
--- a/images/test-runner/Makefile
+++ b/images/test-runner/Makefile
@@ -23,7 +23,7 @@ REGISTRY ?= local
 
 IMAGE = $(REGISTRY)/e2e-test-runner
 
-NGINX_BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210809-g98288bc3c@sha256:f9363669cf26514c9548c1fe4f8f4e2f58dfb76616bcd638a0ff7f0ec3457c17
+NGINX_BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210904-gb7c973dce@sha256:fac972a7e43b18408ecb9e87da868df519428294e2e988c16be72479ee873c0e
 
 # required to enable buildx
 export DOCKER_CLI_EXPERIMENTAL=enabled
diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go
index b06f5a216..e5da5b993 100644
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@@ -1112,7 +1112,7 @@ func buildOpentracing(c interface{}, s interface{}) string {
 	buf := bytes.NewBufferString("")
 
 	if cfg.DatadogCollectorHost != "" {
-		buf.WriteString("opentracing_load_tracer /usr/local/lib64/libdd_opentracing.so /etc/nginx/opentracing.json;")
+		buf.WriteString("opentracing_load_tracer /usr/local/lib/libdd_opentracing.so /etc/nginx/opentracing.json;")
 	} else if cfg.ZipkinCollectorHost != "" {
 		buf.WriteString("opentracing_load_tracer /usr/local/lib/libzipkin_opentracing_plugin.so /etc/nginx/opentracing.json;")
 	} else if cfg.JaegerCollectorHost != "" || cfg.JaegerEndpoint != "" {
diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go
index 14291dbf2..96dc9acae 100644
--- a/internal/ingress/controller/template/template_test.go
+++ b/internal/ingress/controller/template/template_test.go
@@ -1520,7 +1520,7 @@ func TestBuildOpenTracing(t *testing.T) {
 		EnableOpentracing:    true,
 		DatadogCollectorHost: "datadog-host.com",
 	}
-	expected = "opentracing_load_tracer /usr/local/lib64/libdd_opentracing.so /etc/nginx/opentracing.json;\r\n"
+	expected = "opentracing_load_tracer /usr/local/lib/libdd_opentracing.so /etc/nginx/opentracing.json;\r\n"
 	actual = buildOpentracing(cfgDatadog, []*ingress.Server{})
 
 	if expected != actual {
@@ -1544,7 +1544,7 @@ func TestBuildOpenTracing(t *testing.T) {
 		OpentracingOperationName:         "my-operation-name",
 		OpentracingLocationOperationName: "my-location-operation-name",
 	}
-	expected = "opentracing_load_tracer /usr/local/lib64/libdd_opentracing.so /etc/nginx/opentracing.json;\r\n"
+	expected = "opentracing_load_tracer /usr/local/lib/libdd_opentracing.so /etc/nginx/opentracing.json;\r\n"
 	expected += "opentracing_operation_name \"my-operation-name\";\n"
 	expected += "opentracing_location_operation_name \"my-location-operation-name\";\n"
 	actual = buildOpentracing(cfgOpenTracing, []*ingress.Server{})
diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go
index 79da5c2ca..95bf37d75 100644
--- a/test/e2e/framework/deployment.go
+++ b/test/e2e/framework/deployment.go
@@ -38,7 +38,7 @@ const SlowEchoService = "slow-echo"
 const HTTPBinService = "httpbin"
 
 // NginxBaseImage use for testing
-const NginxBaseImage = "k8s.gcr.io/ingress-nginx/nginx:v20210809-g98288bc3c@sha256:f9363669cf26514c9548c1fe4f8f4e2f58dfb76616bcd638a0ff7f0ec3457c17"
+const NginxBaseImage = "k8s.gcr.io/ingress-nginx/nginx:v20210904-gb7c973dce@sha256:fac972a7e43b18408ecb9e87da868df519428294e2e988c16be72479ee873c0e"
 
 // NewEchoDeployment creates a new single replica deployment of the echoserver image in a particular namespace
 func (f *Framework) NewEchoDeployment() {

From 9f9122c38141542aac7efb2f09f610e4ece57605 Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Sun, 5 Sep 2021 23:52:28 +0530
Subject: [PATCH 092/376] fix 7591 (#7598)

---
 docs/index.md | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/docs/index.md b/docs/index.md
index 601023215..cdcd4f896 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -165,8 +165,5 @@ Bear in mind that, if your `Ingress-Nginx-Controller-nginx2` is started with the
 - and also objects pointing to the ingressClass that have the same .spec.controller as configured in `--controller-class`
 
 
-## Why is the ingressClassResource disabled by default in the helm chart ?
-- If this field is set to enabled value and there are existing ingress objects in the cluster, then the existing ingress objects will not be honored and only any new ingress object you create will inherit the ingressClass value.
-
 ## I am seeing this error message in the logs of the Ingress-NGINX controller "ingress class annotation is not equal to the expected by Ingress Controller". Why ?
 - It is highly likely that you will also see the name of the ingress resource in the same error message. This error messsage has been observed on use the deprecated annotation, to spec the ingressClass, in a ingress resource manifest. It is recommended to use the ingress.spec.ingressClassName field, of the ingress resource, to spec the name of the ingressClass of the ingress resource being configured.

From f27deed2e87517e3863c716345460044ad79e728 Mon Sep 17 00:00:00 2001
From: Tony Li <lyt1999131@163.com>
Date: Tue, 7 Sep 2021 01:12:28 +0800
Subject: [PATCH 093/376] remove timestamp when requeuing Element (#7440)

Signed-off-by: xiayu.lyt <xiayu.lyt@alibaba-inc.com>
---
 internal/task/queue.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/task/queue.go b/internal/task/queue.go
index 3c6788409..ff6b20f62 100644
--- a/internal/task/queue.go
+++ b/internal/task/queue.go
@@ -118,7 +118,7 @@ func (t *Queue) worker() {
 		ts := time.Now().UnixNano()
 
 		item := key.(Element)
-		if t.lastSync > item.Timestamp {
+		if item.Timestamp != 0 && t.lastSync > item.Timestamp {
 			klog.V(3).InfoS("skipping sync", "key", item.Key, "last", t.lastSync, "now", item.Timestamp)
 			t.queue.Forget(key)
 			t.queue.Done(key)
@@ -130,7 +130,7 @@ func (t *Queue) worker() {
 			klog.ErrorS(err, "requeuing", "key", item.Key)
 			t.queue.AddRateLimited(Element{
 				Key:       item.Key,
-				Timestamp: time.Now().UnixNano(),
+				Timestamp: 0,
 			})
 		} else {
 			t.queue.Forget(key)

From 7d577d9761c539cea4c4c68567749c071744cbcf Mon Sep 17 00:00:00 2001
From: KuberDriver <28806564+KuberDriver@users.noreply.github.com>
Date: Mon, 6 Sep 2021 18:44:28 +0000
Subject: [PATCH 094/376] Update cloudbuild timeout (#7604)

* Update to the base nginx image

* Revert "Update to the base nginx image"

This reverts commit ad43c1d0604ab96d840adc9fb2604e60674119c5.

* Updated cloudbuild to increase build timeout value
---
 images/test-runner/cloudbuild.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/images/test-runner/cloudbuild.yaml b/images/test-runner/cloudbuild.yaml
index 3e4d67d06..7258ab384 100644
--- a/images/test-runner/cloudbuild.yaml
+++ b/images/test-runner/cloudbuild.yaml
@@ -1,4 +1,4 @@
-timeout: 1200s
+timeout: 3600s
 options:
   substitution_option: ALLOW_LOOSE
 steps:

From da29c7712aacfb89e62ad72ad1eef45f1d2743d1 Mon Sep 17 00:00:00 2001
From: KuberDriver <28806564+KuberDriver@users.noreply.github.com>
Date: Mon, 6 Sep 2021 23:21:16 +0000
Subject: [PATCH 095/376] Update e2e test runner image (#7596)

* Update to the base nginx image

* Revert "Update to the base nginx image"

This reverts commit ad43c1d0604ab96d840adc9fb2604e60674119c5.

* Update test runner image

* correcting the sha and version of e2e test runner images
---
 build/run-in-docker.sh    | 2 +-
 test/e2e-image/Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh
index debbe9752..90382fd5c 100755
--- a/build/run-in-docker.sh
+++ b/build/run-in-docker.sh
@@ -37,7 +37,7 @@ function cleanup {
 }
 trap cleanup EXIT
 
-E2E_IMAGE=${E2E_IMAGE:-k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210822-g5e5faa24d@sha256:55c568d9e35e15d94b3ab41fe549b8ee4cd910cc3e031ddcccd06256755c5d89}
+E2E_IMAGE=${E2E_IMAGE:-k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210906-g7d577d976@sha256:cf7079b5c05b8b1b108b16752c6ff4ca312cf96700e91eef6088b9e0c4a7aff1}
 
 DOCKER_OPTS=${DOCKER_OPTS:-}
 DOCKER_IN_DOCKER_ENABLED=${DOCKER_IN_DOCKER_ENABLED:-}
diff --git a/test/e2e-image/Dockerfile b/test/e2e-image/Dockerfile
index 28cd272b6..083ad5792 100644
--- a/test/e2e-image/Dockerfile
+++ b/test/e2e-image/Dockerfile
@@ -1,4 +1,4 @@
-FROM k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210822-g5e5faa24d@sha256:55c568d9e35e15d94b3ab41fe549b8ee4cd910cc3e031ddcccd06256755c5d89 AS BASE
+FROM k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210906-g7d577d976@sha256:cf7079b5c05b8b1b108b16752c6ff4ca312cf96700e91eef6088b9e0c4a7aff1 AS BASE
 
 FROM alpine:3.12
 

From f182b317ba7d69d1dfc4abcf5e39b22e705beea9 Mon Sep 17 00:00:00 2001
From: pierre-yves <pyverdon@ymail.com>
Date: Tue, 7 Sep 2021 15:47:15 +0200
Subject: [PATCH 096/376] =?UTF-8?q?fix=20charts=20README.md=20to=20give=20?=
 =?UTF-8?q?additional=20detail=20on=20prometheus=20metrics=20=E2=80=A6=20(?=
 =?UTF-8?q?#7601)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix charts README.md to give additional detail on prometheus metrics configuration

* charts readme.md remove blank line
---
 charts/ingress-nginx/README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index 22e66fb85..fecbbcde2 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -84,7 +84,8 @@ else it would make it impossible to evacuate a node. See [gh issue #7127](https:
 
 The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.
 
-You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`. Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`.
+You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`.
+Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`)
 
 ### ingress-nginx nginx\_status page/stats server
 

From e7791941ba6fd72ec343862ed5ae1de1f058a5a6 Mon Sep 17 00:00:00 2001
From: Yuhao Zhang <git@yuha0.com>
Date: Tue, 7 Sep 2021 09:11:16 -0700
Subject: [PATCH 097/376] fix cli flag typo in faq (#7606)

---
 docs/index.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/index.md b/docs/index.md
index cdcd4f896..8eb626101 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -104,7 +104,7 @@ DESCRIPTION:
 
 - If you have only one instance of the Ingress-NGINX controller running in your cluster, and you still want to use ingressclass, you should add the annotation "ingressclass.kubernetes.io/is-default-class" in your ingress class, so any new Ingress objects will have this one as default ingressClass.
 
-In this case, you need to make your Controller aware of the objects. If you have several Ingress objects and they don't yet have the [ingressClassName](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#ingress-v1-networking-k8s-io) field, or the ingress annotation (`kubernetes.io/ingress.class`),  then you should start your ingress-controller with the flag [--watch-ingress-without-class=true](## What is the flag '--watch-without-ingress-class' ?) .
+In this case, you need to make your Controller aware of the objects. If you have several Ingress objects and they don't yet have the [ingressClassName](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#ingress-v1-networking-k8s-io) field, or the ingress annotation (`kubernetes.io/ingress.class`),  then you should start your ingress-controller with the flag [--watch-ingress-without-class=true](## What is the flag '--watch-ingress-without-class' ?) .
 
 You can configure your helm chart installation's values file with `.controller.watchIngressWithoutClass: true`. 
 
@@ -126,7 +126,7 @@ And add the value "spec.ingressClassName=nginx" in your Ingress objects
 ## I have multiple ingress objects in my cluster. What should I do ?
 - If you don't care about ingressClass, or you have a lot of ingress objects without ingressClass configuration, you can run the ingress-controller with the flag `--watch-ingress-without-class=true`.
 
-## What is the flag '--watch-without-ingress-class' ?
+## What is the flag '--watch-ingress-without-class' ?
 - Its a flag that is passed,as an argument, to the ingress-controller executable, in the pod spec. It looks like this ;
 ```
 ...

From cf9ae96d729a69b568c7fe231a8e4cecee3122a7 Mon Sep 17 00:00:00 2001
From: Ray <61553+rctay@users.noreply.github.com>
Date: Wed, 8 Sep 2021 01:35:16 +0800
Subject: [PATCH 098/376] Additional AuthTLS assertions and doc change to
 demonstrate auth-tls-secret enables the other AuthTLS annotations (#7202)

* Fix indentation of nested list in AuthTLS annotations

Also, put `<annotation>`: <description text>` on a single line in
Markdown markup, which will match what gets rendered eventually.

On the other hand, for the line on auth-tls-secret (This annotation
expects the Secret name in the form "namespace/secretName"), its
Markdown markup suggests that the author wanted the line to start on its
own line, but currently this gets rendered on the same line. It's nice
for this to be on its own line, since it's kind of a "note" about the
annotation syntax. Format/indent the markup appropriately so that it
shows up on its line.

* Fix indentation of nested list in CORS annotations

Also, put `<annotation>`: <description text>` on a single line in
Markdown markup, which will match what gets rendered eventually.

On the other hand, for lines noting the allowed characters (This is a
multi-valued field...), its Markdown markup suggests that the author
wanted the line to start on its own line, but currently this gets
rendered on the same line. It's nice for this to be on its own line,
since it's kind of a "note" about the annotation syntax. Format/indent
the markup appropriately so that it shows up on its line.

* Replace f.HTTPTestClientWithTLSConfig() in AuthTLS E2E, the odd one out for requests without client certs

* Demonstrate and document that auth-tls-secret enables the other AuthTLS annotations like verify client, depth

* Split E2E for auth-tls-error-page and *-pass-certificate-to-upstream
---
 .../nginx-configuration/annotations.md        | 87 +++++++++----------
 .../ingress/annotations/authtls/main_test.go  | 41 +++++++--
 test/e2e/annotations/authtls.go               | 77 +++++++++++++---
 3 files changed, 143 insertions(+), 62 deletions(-)

diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
index e9fefebf1..1fb883596 100755
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@@ -244,23 +244,18 @@ It is possible to enable Client Certificate Authentication using additional anno
 
 Client Certificate Authentication is applied per host and it is not possible to specify rules that differ for individual paths.
 
-The annotations are:
+To enable, add the annotation `nginx.ingress.kubernetes.io/auth-tls-secret: namespace/secretName`. This secret must have a file named `ca.crt` containing the full Certificate Authority chain `ca.crt` that is enabled to authenticate against this Ingress.
 
-* `nginx.ingress.kubernetes.io/auth-tls-secret: secretName`:
-  The name of the Secret that contains the full Certificate Authority chain `ca.crt` that is enabled to authenticate against this Ingress.
-  This annotation expects the Secret name in the form "namespace/secretName".
-* `nginx.ingress.kubernetes.io/auth-tls-verify-depth`:
-  The validation depth between the provided client certificate and the Certification Authority chain.
-* `nginx.ingress.kubernetes.io/auth-tls-verify-client`:
-  Enables verification of client certificates. Possible values are:
-  * `off`: Don't request client certificates and don't do client certificate verification. (default)
-  * `on`: Request a client certificate that must be signed by a certificate that is included in the secret key `ca.crt` of the secret specified by `nginx.ingress.kubernetes.io/auth-tls-secret: secretName`. Failed certificate verification will result in a status code 400 (Bad Request).
-  * `optional`: Do optional client certificate validation against the CAs from `auth-tls-secret`. The request fails with status code 400 (Bad Request) when a certificate is provided that is not signed by the CA. When no or an otherwise invalid certificate is provided, the request does not fail, but instead the verification result is sent to the upstream service.
-  * `optional_no_ca`: Do optional client certificate validation, but do not fail the request when the client certificate is not signed by the CAs from `auth-tls-secret`. Certificate verification result is sent to the upstream service.
-* `nginx.ingress.kubernetes.io/auth-tls-error-page`:
-  The URL/Page that user should be redirected in case of a Certificate Authentication Error
-* `nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream`:
-  Indicates if the received certificates should be passed or not to the upstream server in the header `ssl-client-cert`. Possible values are "true" or "false" (default).
+You can further customize client certificate authentication and behaviour with these annotations:
+
+* `nginx.ingress.kubernetes.io/auth-tls-verify-depth`: The validation depth between the provided client certificate and the Certification Authority chain. (default: 1)
+* `nginx.ingress.kubernetes.io/auth-tls-verify-client`: Enables verification of client certificates. Possible values are:
+    * `on`: Request a client certificate that must be signed by a certificate that is included in the secret key `ca.crt` of the secret specified by `nginx.ingress.kubernetes.io/auth-tls-secret: namespace/secretName`. Failed certificate verification will result in a status code 400 (Bad Request) (default)
+    * `off`: Don't request client certificates and don't do client certificate verification.
+    * `optional`: Do optional client certificate validation against the CAs from `auth-tls-secret`. The request fails with status code 400 (Bad Request) when a certificate is provided that is not signed by the CA. When no or an otherwise invalid certificate is provided, the request does not fail, but instead the verification result is sent to the upstream service.
+    * `optional_no_ca`: Do optional client certificate validation, but do not fail the request when the client certificate is not signed by the CAs from `auth-tls-secret`. Certificate verification result is sent to the upstream service.
+* `nginx.ingress.kubernetes.io/auth-tls-error-page`: The URL/Page that user should be redirected in case of a Certificate Authentication Error
+* `nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream`: Indicates if the received certificates should be passed or not to the upstream server in the header `ssl-client-cert`. Possible values are "true" or "false" (default).
 
 The following headers are sent to the upstream service according to the `auth-tls-*` annotations:
 
@@ -333,39 +328,43 @@ location enabling this functionality.
 
 CORS can be controlled with the following annotations:
 
-* `nginx.ingress.kubernetes.io/cors-allow-methods`
-  controls which methods are accepted. This is a multi-valued field, separated by ',' and
-  accepts only letters (upper and lower case).
-  - Default: `GET, PUT, POST, DELETE, PATCH, OPTIONS`
-  - Example: `nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"`
+* `nginx.ingress.kubernetes.io/cors-allow-methods`: Controls which methods are accepted.
 
-* `nginx.ingress.kubernetes.io/cors-allow-headers`
-  controls which headers are accepted. This is a multi-valued field, separated by ',' and accepts letters,
-  numbers, _ and -.
-  - Default: `DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization`
-  - Example: `nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For, X-app123-XPTO"`
+    This is a multi-valued field, separated by ',' and accepts only letters (upper and lower case).
 
-* `nginx.ingress.kubernetes.io/cors-expose-headers`
-  controls which headers are exposed to response. This is a multi-valued field, separated by ',' and accepts
-  letters, numbers, _, - and *.
-  - Default: *empty*
-  - Example: `nginx.ingress.kubernetes.io/cors-expose-headers: "*, X-CustomResponseHeader"`
+    - Default: `GET, PUT, POST, DELETE, PATCH, OPTIONS`
+    - Example: `nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"`
 
-* `nginx.ingress.kubernetes.io/cors-allow-origin`
-  controls what's the accepted Origin for CORS.
-  This is a single field value, with the following format: `http(s)://origin-site.com` or `http(s)://origin-site.com:port`
-  - Default: `*`
-  - Example: `nginx.ingress.kubernetes.io/cors-allow-origin: "https://origin-site.com:4443"`
+* `nginx.ingress.kubernetes.io/cors-allow-headers`: Controls which headers are accepted.
 
-* `nginx.ingress.kubernetes.io/cors-allow-credentials`
-  controls if credentials can be passed during CORS operations.
-  - Default: `true`
-  - Example: `nginx.ingress.kubernetes.io/cors-allow-credentials: "false"`
+    This is a multi-valued field, separated by ',' and accepts letters, numbers, _ and -.
 
-* `nginx.ingress.kubernetes.io/cors-max-age`
-  controls how long preflight requests can be cached.
-  Default: `1728000`
-  Example: `nginx.ingress.kubernetes.io/cors-max-age: 600`
+    - Default: `DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization`
+    - Example: `nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For, X-app123-XPTO"`
+
+* `nginx.ingress.kubernetes.io/cors-expose-headers`: Controls which headers are exposed to response.
+
+    This is a multi-valued field, separated by ',' and accepts letters, numbers, _, - and *.
+
+    - Default: *empty*
+    - Example: `nginx.ingress.kubernetes.io/cors-expose-headers: "*, X-CustomResponseHeader"`
+
+* `nginx.ingress.kubernetes.io/cors-allow-origin`: Controls what's the accepted Origin for CORS.
+
+    This is a single field value, with the following format: `http(s)://origin-site.com` or `http(s)://origin-site.com:port`
+
+    - Default: `*`
+    - Example: `nginx.ingress.kubernetes.io/cors-allow-origin: "https://origin-site.com:4443"`
+
+* `nginx.ingress.kubernetes.io/cors-allow-credentials`: Controls if credentials can be passed during CORS operations.
+
+    - Default: `true`
+    - Example: `nginx.ingress.kubernetes.io/cors-allow-credentials: "false"`
+
+* `nginx.ingress.kubernetes.io/cors-max-age`: Controls how long preflight requests can be cached.
+
+    - Default: `1728000`
+    - Example: `nginx.ingress.kubernetes.io/cors-max-age: 600`
 
 !!! note
     For more information please see [https://enable-cors.org](https://enable-cors.org/server_nginx.html)
diff --git a/internal/ingress/annotations/authtls/main_test.go b/internal/ingress/annotations/authtls/main_test.go
index b2c915d18..f7649fe1c 100644
--- a/internal/ingress/annotations/authtls/main_test.go
+++ b/internal/ingress/annotations/authtls/main_test.go
@@ -94,10 +94,6 @@ func TestAnnotations(t *testing.T) {
 	data := map[string]string{}
 
 	data[parser.GetAnnotationWithPrefix("auth-tls-secret")] = "default/demo-secret"
-	data[parser.GetAnnotationWithPrefix("auth-tls-verify-client")] = "off"
-	data[parser.GetAnnotationWithPrefix("auth-tls-verify-depth")] = "1"
-	data[parser.GetAnnotationWithPrefix("auth-tls-error-page")] = "ok.com/error"
-	data[parser.GetAnnotationWithPrefix("auth-tls-pass-certificate-to-upstream")] = "true"
 
 	ing.SetAnnotations(data)
 
@@ -120,12 +116,45 @@ func TestAnnotations(t *testing.T) {
 	if u.AuthSSLCert.Secret != secret.Secret {
 		t.Errorf("expected %v but got %v", secret.Secret, u.AuthSSLCert.Secret)
 	}
-	if u.VerifyClient != "off" {
-		t.Errorf("expected %v but got %v", "off", u.VerifyClient)
+	if u.VerifyClient != "on" {
+		t.Errorf("expected %v but got %v", "on", u.VerifyClient)
 	}
 	if u.ValidationDepth != 1 {
 		t.Errorf("expected %v but got %v", 1, u.ValidationDepth)
 	}
+	if u.ErrorPage != "" {
+		t.Errorf("expected %v but got %v", "", u.ErrorPage)
+	}
+	if u.PassCertToUpstream != false {
+		t.Errorf("expected %v but got %v", false, u.PassCertToUpstream)
+	}
+
+	data[parser.GetAnnotationWithPrefix("auth-tls-verify-client")] = "off"
+	data[parser.GetAnnotationWithPrefix("auth-tls-verify-depth")] = "2"
+	data[parser.GetAnnotationWithPrefix("auth-tls-error-page")] = "ok.com/error"
+	data[parser.GetAnnotationWithPrefix("auth-tls-pass-certificate-to-upstream")] = "true"
+
+	ing.SetAnnotations(data)
+
+	i, err = NewParser(fakeSecret).Parse(ing)
+	if err != nil {
+		t.Errorf("Unexpected error with ingress: %v", err)
+	}
+
+	u, ok = i.(*Config)
+	if !ok {
+		t.Errorf("expected *Config but got %v", u)
+	}
+
+	if u.AuthSSLCert.Secret != secret.Secret {
+		t.Errorf("expected %v but got %v", secret.Secret, u.AuthSSLCert.Secret)
+	}
+	if u.VerifyClient != "off" {
+		t.Errorf("expected %v but got %v", "off", u.VerifyClient)
+	}
+	if u.ValidationDepth != 2 {
+		t.Errorf("expected %v but got %v", 2, u.ValidationDepth)
+	}
 	if u.ErrorPage != "ok.com/error" {
 		t.Errorf("expected %v but got %v", "ok.com/error", u.ErrorPage)
 	}
diff --git a/test/e2e/annotations/authtls.go b/test/e2e/annotations/authtls.go
index 86c5d9ec5..093afe14e 100644
--- a/test/e2e/annotations/authtls.go
+++ b/test/e2e/annotations/authtls.go
@@ -17,7 +17,6 @@ limitations under the License.
 package annotations
 
 import (
-	"crypto/tls"
 	"fmt"
 	"net/http"
 	"strings"
@@ -34,7 +33,7 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() {
 		f.NewEchoDeploymentWithReplicas(2)
 	})
 
-	ginkgo.It("should set valid auth-tls-secret", func() {
+	ginkgo.It("should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret", func() {
 		host := "authtls.foo.com"
 		nameSpace := f.Namespace
 
@@ -45,16 +44,28 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() {
 			nameSpace)
 		assert.Nil(ginkgo.GinkgoT(), err)
 
-		annotations := map[string]string{
+		annotations := map[string]string{}
+
+		ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, framework.EchoService, 80, annotations))
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return !strings.Contains(server, "ssl_client_certificate") &&
+					!strings.Contains(server, "ssl_verify_client") &&
+					!strings.Contains(server, "ssl_verify_depth")
+			})
+
+		annotations = map[string]string{
 			"nginx.ingress.kubernetes.io/auth-tls-secret": nameSpace + "/" + host,
 		}
 
-		f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, framework.EchoService, 80, annotations))
+		ing.SetAnnotations(annotations)
+		f.UpdateIngress(ing)
 
 		assertSslClientCertificateConfig(f, host, "on", "1")
 
 		// Send Request without Client Certs
-		f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}).
+		f.HTTPTestClient().
 			GET("/").
 			WithURL(f.GetURL(framework.HTTPS)).
 			WithHeader("Host", host).
@@ -100,7 +111,7 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() {
 			Status(http.StatusOK)
 	})
 
-	ginkgo.It("should set valid auth-tls-secret, pass certificate to upstream, and error page", func() {
+	ginkgo.It("should 302 redirect to error page instead of 400 when auth-tls-error-page is set", func() {
 		host := "authtls.foo.com"
 		nameSpace := f.Namespace
 
@@ -114,9 +125,8 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() {
 		assert.Nil(ginkgo.GinkgoT(), err)
 
 		annotations := map[string]string{
-			"nginx.ingress.kubernetes.io/auth-tls-secret":                       nameSpace + "/" + host,
-			"nginx.ingress.kubernetes.io/auth-tls-error-page":                   f.GetURL(framework.HTTP) + errorPath,
-			"nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream": "true",
+			"nginx.ingress.kubernetes.io/auth-tls-secret":     nameSpace + "/" + host,
+			"nginx.ingress.kubernetes.io/auth-tls-error-page": f.GetURL(framework.HTTP) + errorPath,
 		}
 
 		f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, framework.EchoService, 80, annotations))
@@ -124,12 +134,10 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() {
 		assertSslClientCertificateConfig(f, host, "on", "1")
 
 		sslErrorPage := fmt.Sprintf("error_page 495 496 = %s;", f.GetURL(framework.HTTP)+errorPath)
-		sslUpstreamClientCert := "proxy_set_header ssl-client-cert $ssl_client_escaped_cert;"
 
 		f.WaitForNginxServer(host,
 			func(server string) bool {
-				return strings.Contains(server, sslErrorPage) &&
-					strings.Contains(server, sslUpstreamClientCert)
+				return strings.Contains(server, sslErrorPage)
 			})
 
 		// Send Request without Client Certs
@@ -150,6 +158,51 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() {
 			Status(http.StatusOK)
 	})
 
+	ginkgo.It("should pass URL-encoded certificate to upstream", func() {
+		host := "authtls.foo.com"
+		nameSpace := f.Namespace
+
+		clientConfig, err := framework.CreateIngressMASecret(
+			f.KubeClientSet,
+			host,
+			host,
+			nameSpace)
+		assert.Nil(ginkgo.GinkgoT(), err)
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/auth-tls-secret":                       nameSpace + "/" + host,
+			"nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream": "true",
+		}
+
+		f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, framework.EchoService, 80, annotations))
+
+		assertSslClientCertificateConfig(f, host, "on", "1")
+
+		sslUpstreamClientCert := "proxy_set_header ssl-client-cert $ssl_client_escaped_cert;"
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, sslUpstreamClientCert)
+			})
+
+		// Send Request without Client Certs
+		f.HTTPTestClient().
+			GET("/").
+			WithURL(f.GetURL(framework.HTTPS)).
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusBadRequest)
+
+		// Send Request Passing the Client Certs
+		f.HTTPTestClientWithTLSConfig(clientConfig).
+			GET("/").
+			WithURL(f.GetURL(framework.HTTPS)).
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK).
+			Body().Contains("ssl-client-cert=-----BEGIN%20CERTIFICATE-----%0A")
+	})
+
 	ginkgo.It("should validate auth-tls-verify-client", func() {
 		host := "authtls.foo.com"
 		nameSpace := f.Namespace

From 33061b8cdffd7cd6dd91d68275eb39afea4dfce4 Mon Sep 17 00:00:00 2001
From: Elvin Efendi <elvin.efendiyev@gmail.com>
Date: Tue, 7 Sep 2021 13:35:22 -0400
Subject: [PATCH 099/376] put modsecurity e2e tests into their own packages
 (#7560)

---
 test/e2e/annotations/{ => modsecurity}/modsecurity.go      | 2 +-
 test/e2e/e2e.go                                            | 2 ++
 test/e2e/settings/{ => modsecurity}/modsecurity_snippet.go | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)
 rename test/e2e/annotations/{ => modsecurity}/modsecurity.go (99%)
 rename test/e2e/settings/{ => modsecurity}/modsecurity_snippet.go (98%)

diff --git a/test/e2e/annotations/modsecurity.go b/test/e2e/annotations/modsecurity/modsecurity.go
similarity index 99%
rename from test/e2e/annotations/modsecurity.go
rename to test/e2e/annotations/modsecurity/modsecurity.go
index d83803c93..fad3a2dee 100644
--- a/test/e2e/annotations/modsecurity.go
+++ b/test/e2e/annotations/modsecurity/modsecurity.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package annotations
+package modsecurity
 
 import (
 	"net/http"
diff --git a/test/e2e/e2e.go b/test/e2e/e2e.go
index 9bb8937ea..c0829f5ee 100644
--- a/test/e2e/e2e.go
+++ b/test/e2e/e2e.go
@@ -32,6 +32,7 @@ import (
 	// tests to run
 	_ "k8s.io/ingress-nginx/test/e2e/admission"
 	_ "k8s.io/ingress-nginx/test/e2e/annotations"
+	_ "k8s.io/ingress-nginx/test/e2e/annotations/modsecurity"
 	_ "k8s.io/ingress-nginx/test/e2e/dbg"
 	_ "k8s.io/ingress-nginx/test/e2e/defaultbackend"
 	_ "k8s.io/ingress-nginx/test/e2e/gracefulshutdown"
@@ -42,6 +43,7 @@ import (
 	_ "k8s.io/ingress-nginx/test/e2e/security"
 	_ "k8s.io/ingress-nginx/test/e2e/servicebackend"
 	_ "k8s.io/ingress-nginx/test/e2e/settings"
+	_ "k8s.io/ingress-nginx/test/e2e/settings/modsecurity"
 	_ "k8s.io/ingress-nginx/test/e2e/settings/ocsp"
 	_ "k8s.io/ingress-nginx/test/e2e/ssl"
 	_ "k8s.io/ingress-nginx/test/e2e/status"
diff --git a/test/e2e/settings/modsecurity_snippet.go b/test/e2e/settings/modsecurity/modsecurity_snippet.go
similarity index 98%
rename from test/e2e/settings/modsecurity_snippet.go
rename to test/e2e/settings/modsecurity/modsecurity_snippet.go
index c0b962236..f912db984 100644
--- a/test/e2e/settings/modsecurity_snippet.go
+++ b/test/e2e/settings/modsecurity/modsecurity_snippet.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package settings
+package modsecurity
 
 import (
 	"strings"

From 3c86f838d4a833ee8905cce6d5ef06d4b534f786 Mon Sep 17 00:00:00 2001
From: Emily L Shepherd <emily@redcoat.dev>
Date: Tue, 7 Sep 2021 18:41:16 +0100
Subject: [PATCH 100/376] Sync Hostname and IP address from service to ingress
 status (#7464)

* Change statusSync.runningAddresses() return type

Previously, this method returning a string slice containing the resolved
IP addresses / FQDNs to sync onto the Ingress. It was then converted
just before use into a slice of LoadBalancerIngresses.

This commit changes this logic so that this method generates
LoadBalancerIngress objects directly, and returns these. This has two
main benefits:
- Future work in syncing _both_ hostname and IP, or any other fields
  that may be used in future (eg Ports), is now supported.
- There is less need to rely on net.ParseIP() to determine if a value is
  an IP address or Hostname, as this can be correctly assigned at
  generation time based on where each value came from.

* Sync both IP and Hostname to Ingress Status

Previously, if the IP address was set on a PublishService's
LoadBalancerIngress entries, only that would be synced. Hostname was
only synced as a fallback when the IP address was missing.

Now, both fields are checked independantly and both are synced if
present.
---
 internal/ingress/status/status.go      | 92 +++++++++++++++-----------
 internal/ingress/status/status_test.go | 77 +++++++++++++--------
 2 files changed, 101 insertions(+), 68 deletions(-)

diff --git a/internal/ingress/status/status.go b/internal/ingress/status/status.go
index cabc6b3a2..7e2db9189 100644
--- a/internal/ingress/status/status.go
+++ b/internal/ingress/status/status.go
@@ -26,7 +26,6 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
-	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/klog/v2"
 
 	pool "gopkg.in/go-playground/pool.v3"
@@ -143,7 +142,7 @@ func (s *statusSync) sync(key interface{}) error {
 	if err != nil {
 		return err
 	}
-	s.updateStatus(sliceToStatus(addrs))
+	s.updateStatus(standardizeLoadBalancerIngresses(addrs))
 
 	return nil
 }
@@ -162,13 +161,25 @@ func NewStatusSyncer(config Config) Syncer {
 	return st
 }
 
+func nameOrIPToLoadBalancerIngress(nameOrIP string) apiv1.LoadBalancerIngress {
+	if net.ParseIP(nameOrIP) != nil {
+		return apiv1.LoadBalancerIngress{IP: nameOrIP}
+	}
+
+	return apiv1.LoadBalancerIngress{Hostname: nameOrIP}
+}
+
 // runningAddresses returns a list of IP addresses and/or FQDN where the
 // ingress controller is currently running
-func (s *statusSync) runningAddresses() ([]string, error) {
+func (s *statusSync) runningAddresses() ([]apiv1.LoadBalancerIngress, error) {
 	if s.PublishStatusAddress != "" {
 		re := regexp.MustCompile(`,\s*`)
 		multipleAddrs := re.Split(s.PublishStatusAddress, -1)
-		return multipleAddrs, nil
+		addrs := make([]apiv1.LoadBalancerIngress, len(multipleAddrs))
+		for i, addr := range multipleAddrs {
+			addrs[i] = nameOrIPToLoadBalancerIngress(addr)
+		}
+		return addrs, nil
 	}
 
 	if s.PublishService != "" {
@@ -183,7 +194,7 @@ func (s *statusSync) runningAddresses() ([]string, error) {
 		return nil, err
 	}
 
-	addrs := make([]string, 0)
+	addrs := make([]apiv1.LoadBalancerIngress, 0)
 	for i := range pods.Items {
 		pod := pods.Items[i]
 		// only Running pods are valid
@@ -206,8 +217,8 @@ func (s *statusSync) runningAddresses() ([]string, error) {
 		}
 
 		name := k8s.GetNodeIPOrName(s.Client, pod.Spec.NodeName, s.UseNodeInternalIP)
-		if !stringInSlice(name, addrs) {
-			addrs = append(addrs, name)
+		if !stringInIngresses(name, addrs) {
+			addrs = append(addrs, nameOrIPToLoadBalancerIngress(name))
 		}
 	}
 
@@ -225,17 +236,9 @@ func (s *statusSync) isRunningMultiplePods() bool {
 	return len(pods.Items) > 1
 }
 
-// sliceToStatus converts a slice of IP and/or hostnames to LoadBalancerIngress
-func sliceToStatus(endpoints []string) []apiv1.LoadBalancerIngress {
-	lbi := []apiv1.LoadBalancerIngress{}
-	for _, ep := range endpoints {
-		if net.ParseIP(ep) == nil {
-			lbi = append(lbi, apiv1.LoadBalancerIngress{Hostname: ep})
-		} else {
-			lbi = append(lbi, apiv1.LoadBalancerIngress{IP: ep})
-		}
-	}
-
+// standardizeLoadBalancerIngresses sorts the list of loadbalancer by
+// IP
+func standardizeLoadBalancerIngresses(lbi []apiv1.LoadBalancerIngress) []apiv1.LoadBalancerIngress {
 	sort.SliceStable(lbi, func(a, b int) bool {
 		return lbi[a].IP < lbi[b].IP
 	})
@@ -321,7 +324,7 @@ func ingressSliceEqual(lhs, rhs []apiv1.LoadBalancerIngress) bool {
 	return true
 }
 
-func statusAddressFromService(service string, kubeClient clientset.Interface) ([]string, error) {
+func statusAddressFromService(service string, kubeClient clientset.Interface) ([]apiv1.LoadBalancerIngress, error) {
 	ns, name, _ := k8s.ParseNameNS(service)
 	svc, err := kubeClient.CoreV1().Services(ns).Get(context.TODO(), name, metav1.GetOptions{})
 	if err != nil {
@@ -330,39 +333,50 @@ func statusAddressFromService(service string, kubeClient clientset.Interface) ([
 
 	switch svc.Spec.Type {
 	case apiv1.ServiceTypeExternalName:
-		return []string{svc.Spec.ExternalName}, nil
+		return []apiv1.LoadBalancerIngress{{
+			Hostname: svc.Spec.ExternalName,
+		}}, nil
 	case apiv1.ServiceTypeClusterIP:
-		return []string{svc.Spec.ClusterIP}, nil
+		return []apiv1.LoadBalancerIngress{{
+			IP: svc.Spec.ClusterIP,
+		}}, nil
 	case apiv1.ServiceTypeNodePort:
-		addresses := sets.NewString()
-		if svc.Spec.ExternalIPs != nil {
-			addresses.Insert(svc.Spec.ExternalIPs...)
-		} else {
-			addresses.Insert(svc.Spec.ClusterIP)
+		if svc.Spec.ExternalIPs == nil {
+			return []apiv1.LoadBalancerIngress{{
+				IP: svc.Spec.ClusterIP,
+			}}, nil
 		}
-		return addresses.List(), nil
+		addrs := make([]apiv1.LoadBalancerIngress, len(svc.Spec.ExternalIPs))
+		for i, ip := range svc.Spec.ExternalIPs {
+			addrs[i] = apiv1.LoadBalancerIngress{IP: ip}
+		}
+		return addrs, nil
 	case apiv1.ServiceTypeLoadBalancer:
-		addresses := sets.NewString()
-		for _, ip := range svc.Status.LoadBalancer.Ingress {
-			if ip.IP == "" {
-				addresses.Insert(ip.Hostname)
-			} else {
-				addresses.Insert(ip.IP)
+		addrs := make([]apiv1.LoadBalancerIngress, len(svc.Status.LoadBalancer.Ingress))
+		for i, ingress := range svc.Status.LoadBalancer.Ingress {
+			addrs[i] = apiv1.LoadBalancerIngress{}
+			if ingress.Hostname != "" {
+				addrs[i].Hostname = ingress.Hostname
+			}
+			if ingress.IP != "" {
+				addrs[i].IP = ingress.IP
 			}
 		}
-
-		addresses.Insert(svc.Spec.ExternalIPs...)
-
-		return addresses.List(), nil
+		for _, ip := range svc.Spec.ExternalIPs {
+			if !stringInIngresses(ip, addrs) {
+				addrs = append(addrs, apiv1.LoadBalancerIngress{IP: ip})
+			}
+		}
+		return addrs, nil
 	}
 
 	return nil, fmt.Errorf("unable to extract IP address/es from service %v", service)
 }
 
 // stringInSlice returns true if s is in list
-func stringInSlice(s string, list []string) bool {
+func stringInIngresses(s string, list []apiv1.LoadBalancerIngress) bool {
 	for _, v := range list {
-		if v == s {
+		if v.IP == s || v.Hostname == s {
 			return true
 		}
 	}
diff --git a/internal/ingress/status/status_test.go b/internal/ingress/status/status_test.go
index 79bb85891..fefca5ff2 100644
--- a/internal/ingress/status/status_test.go
+++ b/internal/ingress/status/status_test.go
@@ -382,7 +382,7 @@ func TestKeyfunc(t *testing.T) {
 func TestRunningAddressesWithPublishService(t *testing.T) {
 	testCases := map[string]struct {
 		fakeClient  *testclient.Clientset
-		expected    []string
+		expected    []apiv1.LoadBalancerIngress
 		errExpected bool
 	}{
 		"service type ClusterIP": {
@@ -416,7 +416,9 @@ func TestRunningAddressesWithPublishService(t *testing.T) {
 				},
 				},
 			),
-			[]string{"1.1.1.1"},
+			[]apiv1.LoadBalancerIngress{
+				{IP: "1.1.1.1"},
+			},
 			false,
 		},
 		"service type NodePort": {
@@ -435,7 +437,9 @@ func TestRunningAddressesWithPublishService(t *testing.T) {
 				},
 				},
 			),
-			[]string{"1.1.1.1"},
+			[]apiv1.LoadBalancerIngress{
+				{IP: "1.1.1.1"},
+			},
 			false,
 		},
 		"service type ExternalName": {
@@ -454,7 +458,9 @@ func TestRunningAddressesWithPublishService(t *testing.T) {
 				},
 				},
 			),
-			[]string{"foo.bar"},
+			[]apiv1.LoadBalancerIngress{
+				{Hostname: "foo.bar"},
+			},
 			false,
 		},
 		"service type LoadBalancer": {
@@ -478,6 +484,10 @@ func TestRunningAddressesWithPublishService(t *testing.T) {
 										IP:       "",
 										Hostname: "foo",
 									},
+									{
+										IP:       "10.0.0.2",
+										Hostname: "10-0-0-2.cloudprovider.example.net",
+									},
 								},
 							},
 						},
@@ -485,7 +495,14 @@ func TestRunningAddressesWithPublishService(t *testing.T) {
 				},
 				},
 			),
-			[]string{"10.0.0.1", "foo"},
+			[]apiv1.LoadBalancerIngress{
+				{IP: "10.0.0.1"},
+				{Hostname: "foo"},
+				{
+					IP:       "10.0.0.2",
+					Hostname: "10-0-0-2.cloudprovider.example.net",
+				},
+			},
 			false,
 		},
 		"service type LoadBalancer with same externalIP and ingress IP": {
@@ -513,7 +530,9 @@ func TestRunningAddressesWithPublishService(t *testing.T) {
 				},
 				},
 			),
-			[]string{"10.0.0.1"},
+			[]apiv1.LoadBalancerIngress{
+				{IP: "10.0.0.1"},
+			},
 			false,
 		},
 		"invalid service type": {
@@ -549,7 +568,7 @@ func TestRunningAddressesWithPublishService(t *testing.T) {
 			}
 
 			if ra == nil {
-				t.Fatalf("returned nil but expected valid []string")
+				t.Fatalf("returned nil but expected valid []apiv1.LoadBalancerIngress")
 			}
 
 			if !reflect.DeepEqual(tc.expected, ra) {
@@ -565,15 +584,15 @@ func TestRunningAddressesWithPods(t *testing.T) {
 
 	r, _ := fk.runningAddresses()
 	if r == nil {
-		t.Fatalf("returned nil but expected valid []string")
+		t.Fatalf("returned nil but expected valid []apiv1.LoadBalancerIngress")
 	}
 	rl := len(r)
 	if len(r) != 1 {
 		t.Fatalf("returned %v but expected %v", rl, 1)
 	}
 	rv := r[0]
-	if rv != "11.0.0.2" {
-		t.Errorf("returned %v but expected %v", rv, "11.0.0.2")
+	if rv.IP != "11.0.0.2" {
+		t.Errorf("returned %v but expected %v", rv, apiv1.LoadBalancerIngress{IP: "11.0.0.2"})
 	}
 }
 
@@ -583,15 +602,15 @@ func TestRunningAddressesWithPublishStatusAddress(t *testing.T) {
 
 	ra, _ := fk.runningAddresses()
 	if ra == nil {
-		t.Fatalf("returned nil but expected valid []string")
+		t.Fatalf("returned nil but expected valid []apiv1.LoadBalancerIngress")
 	}
 	rl := len(ra)
 	if len(ra) != 1 {
 		t.Errorf("returned %v but expected %v", rl, 1)
 	}
 	rv := ra[0]
-	if rv != "127.0.0.1" {
-		t.Errorf("returned %v but expected %v", rv, "127.0.0.1")
+	if rv.IP != "127.0.0.1" {
+		t.Errorf("returned %v but expected %v", rv, apiv1.LoadBalancerIngress{IP: "127.0.0.1"})
 	}
 }
 
@@ -601,7 +620,7 @@ func TestRunningAddressesWithPublishStatusAddresses(t *testing.T) {
 
 	ra, _ := fk.runningAddresses()
 	if ra == nil {
-		t.Fatalf("returned nil but expected valid []string")
+		t.Fatalf("returned nil but expected valid []apiv1.LoadBalancerIngress")
 	}
 	rl := len(ra)
 	if len(ra) != 2 {
@@ -609,11 +628,11 @@ func TestRunningAddressesWithPublishStatusAddresses(t *testing.T) {
 	}
 	rv := ra[0]
 	rv2 := ra[1]
-	if rv != "127.0.0.1" {
-		t.Errorf("returned %v but expected %v", rv, "127.0.0.1")
+	if rv.IP != "127.0.0.1" {
+		t.Errorf("returned %v but expected %v", rv, apiv1.LoadBalancerIngress{IP: "127.0.0.1"})
 	}
-	if rv2 != "1.1.1.1" {
-		t.Errorf("returned %v but expected %v", rv2, "1.1.1.1")
+	if rv2.IP != "1.1.1.1" {
+		t.Errorf("returned %v but expected %v", rv2, apiv1.LoadBalancerIngress{IP: "1.1.1.1"})
 	}
 }
 
@@ -623,7 +642,7 @@ func TestRunningAddressesWithPublishStatusAddressesAndSpaces(t *testing.T) {
 
 	ra, _ := fk.runningAddresses()
 	if ra == nil {
-		t.Fatalf("returned nil but expected valid []string")
+		t.Fatalf("returned nil but expected valid []apiv1.LoadBalancerIngresst")
 	}
 	rl := len(ra)
 	if len(ra) != 2 {
@@ -631,22 +650,22 @@ func TestRunningAddressesWithPublishStatusAddressesAndSpaces(t *testing.T) {
 	}
 	rv := ra[0]
 	rv2 := ra[1]
-	if rv != "127.0.0.1" {
-		t.Errorf("returned %v but expected %v", rv, "127.0.0.1")
+	if rv.IP != "127.0.0.1" {
+		t.Errorf("returned %v but expected %v", rv, apiv1.LoadBalancerIngress{IP: "127.0.0.1"})
 	}
-	if rv2 != "1.1.1.1" {
-		t.Errorf("returned %v but expected %v", rv2, "1.1.1.1")
+	if rv2.IP != "1.1.1.1" {
+		t.Errorf("returned %v but expected %v", rv2, apiv1.LoadBalancerIngress{IP: "1.1.1.1"})
 	}
 }
 
-func TestSliceToStatus(t *testing.T) {
-	fkEndpoints := []string{
-		"10.0.0.1",
-		"2001:db8::68",
-		"opensource-k8s-ingress",
+func TestStandardizeLoadBalancerIngresses(t *testing.T) {
+	fkEndpoints := []apiv1.LoadBalancerIngress{
+		{IP: "2001:db8::68"},
+		{IP: "10.0.0.1"},
+		{Hostname: "opensource-k8s-ingress"},
 	}
 
-	r := sliceToStatus(fkEndpoints)
+	r := standardizeLoadBalancerIngresses(fkEndpoints)
 
 	if r == nil {
 		t.Fatalf("returned nil but expected a valid []apiv1.LoadBalancerIngress")

From af5f40a0ebbfd4bd740c535de238d580eb3ffac7 Mon Sep 17 00:00:00 2001
From: Maxim <lm.bsod@gmail.com>
Date: Tue, 7 Sep 2021 10:47:16 -0700
Subject: [PATCH 101/376] Trigger syncIngress on Service addition/deletion
 #7346 (#7374)

Normally Ingress sinchronization for Services is triggered when
corresponding Service's Endpoints are added, deleted or modified.
Services of type ExternalName, however, do not have any endpoints
and hence do not trigger Ingress synchronization as only Update
events are being watched. This commit makes sure that Update and
Delete Service events also enqueue a syncIngress task.
---
 internal/ingress/controller/store/store.go    |  18 +++
 .../servicebackend/service_externalname.go    | 124 ++++++++++--------
 2 files changed, 88 insertions(+), 54 deletions(-)

diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go
index f65098a21..dd18594e9 100644
--- a/internal/ingress/controller/store/store.go
+++ b/internal/ingress/controller/store/store.go
@@ -660,6 +660,24 @@ func New(
 	}
 
 	serviceHandler := cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj interface{}) {
+			svc := obj.(*corev1.Service)
+			if svc.Spec.Type == corev1.ServiceTypeExternalName {
+				updateCh.In() <- Event{
+					Type: CreateEvent,
+					Obj:  obj,
+				}
+			}
+		},
+		DeleteFunc: func(obj interface{}) {
+			svc := obj.(*corev1.Service)
+			if svc.Spec.Type == corev1.ServiceTypeExternalName {
+				updateCh.In() <- Event{
+					Type: DeleteEvent,
+					Obj:  obj,
+				}
+			}
+		},
 		UpdateFunc: func(old, cur interface{}) {
 			oldSvc := old.(*corev1.Service)
 			curSvc := cur.(*corev1.Service)
diff --git a/test/e2e/servicebackend/service_externalname.go b/test/e2e/servicebackend/service_externalname.go
index 2c33c020f..d2a921cd3 100644
--- a/test/e2e/servicebackend/service_externalname.go
+++ b/test/e2e/servicebackend/service_externalname.go
@@ -34,6 +34,27 @@ import (
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )
 
+func buildHTTPBinExternalNameService(f *framework.Framework, portName string) *corev1.Service {
+	return &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      framework.HTTPBinService,
+			Namespace: f.Namespace,
+		},
+		Spec: corev1.ServiceSpec{
+			ExternalName: "httpbin.org",
+			Type:         corev1.ServiceTypeExternalName,
+			Ports: []corev1.ServicePort{
+				{
+					Name:       portName,
+					Port:       80,
+					TargetPort: intstr.FromInt(80),
+					Protocol:   "TCP",
+				},
+			},
+		},
+	}
+}
+
 var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() {
 	f := framework.NewDefaultFramework("type-externalname")
 
@@ -107,24 +128,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() {
 	ginkgo.It("should return 200 for service type=ExternalName with a port defined", func() {
 		host := "echo"
 
-		svc := &corev1.Service{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      framework.HTTPBinService,
-				Namespace: f.Namespace,
-			},
-			Spec: corev1.ServiceSpec{
-				ExternalName: "httpbin.org",
-				Type:         corev1.ServiceTypeExternalName,
-				Ports: []corev1.ServicePort{
-					{
-						Name:       host,
-						Port:       80,
-						TargetPort: intstr.FromInt(80),
-						Protocol:   "TCP",
-					},
-				},
-			},
-		}
+		svc := buildHTTPBinExternalNameService(f, host)
 		f.EnsureService(svc)
 
 		annotations := map[string]string{
@@ -179,24 +183,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() {
 	ginkgo.It("should return 200 for service type=ExternalName using a port name", func() {
 		host := "echo"
 
-		svc := &corev1.Service{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      framework.HTTPBinService,
-				Namespace: f.Namespace,
-			},
-			Spec: corev1.ServiceSpec{
-				ExternalName: "httpbin.org",
-				Type:         corev1.ServiceTypeExternalName,
-				Ports: []corev1.ServicePort{
-					{
-						Name:       host,
-						Port:       80,
-						TargetPort: intstr.FromInt(80),
-						Protocol:   "TCP",
-					},
-				},
-			},
-		}
+		svc := buildHTTPBinExternalNameService(f, host)
 		f.EnsureService(svc)
 
 		annotations := map[string]string{
@@ -260,24 +247,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() {
 	ginkgo.It("should update the external name after a service update", func() {
 		host := "echo"
 
-		svc := &corev1.Service{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      framework.HTTPBinService,
-				Namespace: f.Namespace,
-			},
-			Spec: corev1.ServiceSpec{
-				ExternalName: "httpbin.org",
-				Type:         corev1.ServiceTypeExternalName,
-				Ports: []corev1.ServicePort{
-					{
-						Name:       host,
-						Port:       80,
-						TargetPort: intstr.FromInt(80),
-						Protocol:   "TCP",
-					},
-				},
-			},
-		}
+		svc := buildHTTPBinExternalNameService(f, host)
 		f.EnsureService(svc)
 
 		annotations := map[string]string{
@@ -336,4 +306,50 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() {
 		assert.Nil(ginkgo.GinkgoT(), err)
 		assert.Contains(ginkgo.GinkgoT(), output, `{"address":"eu.httpbin.org"`)
 	})
+
+	ginkgo.It("should sync ingress on external name service addition/deletion", func() {
+		host := "echo"
+
+		// Create the Ingress first
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, nil)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, "proxy_pass http://upstream_balancer;")
+			})
+
+		// Nginx should return 503 without the underlying service being available
+		f.HTTPTestClient().
+			GET("/get").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusServiceUnavailable)
+
+		// Now create the service
+		svc := buildHTTPBinExternalNameService(f, host)
+		f.EnsureService(svc)
+
+		framework.Sleep()
+
+		// 503 should change to 200 OK
+		f.HTTPTestClient().
+			GET("/get").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK)
+
+		// And back to 503 after deleting the service
+
+		err := f.KubeClientSet.CoreV1().Services(f.Namespace).Delete(context.TODO(), framework.HTTPBinService, metav1.DeleteOptions{})
+		assert.Nil(ginkgo.GinkgoT(), err, "unexpected error deleting httpbin service")
+
+		framework.Sleep()
+
+		f.HTTPTestClient().
+			GET("/get").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusServiceUnavailable)
+	})
 })

From a714fb69dbf13171238ac17f625cc761af197c80 Mon Sep 17 00:00:00 2001
From: FBLGit <fblgit@users.noreply.github.com>
Date: Wed, 8 Sep 2021 01:53:16 +0800
Subject: [PATCH 102/376] This PR: (#7514)

<!--- Provide a general summary of your changes in the Title above --->
<!--- Why is this change required? What problem does it solve? -->

Introduces the CLI command flag `--disable-full-test`

By default, it doesn't alter the current behavior of the tests performed by the admission controller.
With or Without the flag, a full checkOverlap is actioned, without any alteration
and the object `pcfg` is created with the whole set of ingreses.

If the flag is set to true, it does manipulate the size of `pcfg` up to the content of $this single ingress.

This is achieved by overriding pcfg content by just the last slice that got recently appended to the object `ings`
```
	if n.cfg.DisableFullValidationTest {
		_, _, pcfg = n.getConfiguration(ings[len(ings)-1:])
	}
```

The following steps of generateTemplate and testTemplate are significally reduced to a signle scenario
```
    content, err := n.generateTemplate(cfg, *pcfg)
    ...
    err = n.testTemplate(content)
```

This flag doesn't avoid the proper testing of collisions, neither bad syntaxis within the rendered
configuration of the ingress.

But it does eliminate a scenario, which I wasn't able to produce, where by for some reason even proper rendering
and valid values, without collisions of host/path may end into an invalid nginx.conf

The reasoning for this Feature is:
- Test duration increases by the number of ingresses in the cluster.
- File size grows to very important numbers 150-200Mb on clusters with just 2000~ ingresses.
- Tests in that scenario, takes approximately 20s using the last 0.48.1 improvements
- Produces a considerable memory consumption, as well as CPU, compute, that affects directly the containers
  that serve traffic.

Since the flag is trully optional, and by default is disabled I fell as a good thing to have that can definitively
help on large-scale scenarios that still want to have a reasonable set of tests in place at a lower cost.

<!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
- [ ] Bug fix (non-breaking change which fixes an issue)
- [X ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)

<!--- Please describe in detail how you tested your changes. -->
<!--- Include details of your testing environment, and the tests you ran to -->
<!--- see how your change affects other areas of the code, etc. -->
Tested with the build kit the following scenarios on a cluster with 1000~ ingresses:
- With Flag Disabled or Flag, not present (current status as per 0.48.1)

collision scenario (wrong snippet content):
`kubectl apply -f ../collision-syntax.yaml  0.18s user 0.05s system 3% cpu 6.639 total`

collisions scenario (duplicated host):
`kubectl apply -f ../collision-host.yaml  0.17s user 0.05s system 3% cpu 6.245 total`

create/update:
`kubectl apply -f ing-215.yaml  0.16s user 0.05s system 3% cpu 5.845 total`

- With Flag Enabled (true):
collision scenario (wrong snippet content):
`kubectl apply -f ../collision.yaml  0.18s user 0.02s system 57% cpu 0.347 total`

collision scenario (duplicated host):
`kubectl apply -f ../collision.yaml  0.21s user 0.06s system 85% cpu 0.318 total`

create/update:
`kubectl apply -f ing-973.yaml  0.17s user 0.03s system 72% cpu 0.271 total`

As part of the test, I did verified that the created nginx for the test was of a smaller size, and that it didnt affect negatively the final nginx.conf (of a much larger side) where this was merged by the next steps in place after the validation. I couldn't observe any other change in the behaviour and so far the routine looks simple and non harmful.

<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
- [x] My change requires a change to the documentation.
- [x] I have updated the documentation accordingly.
- [x] I've read the [CONTRIBUTION](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md) guide
- [ ] I have added tests to cover my changes.
- [ ] All new and existing tests passed.

For the test part, I would need to understand the placement and test case that this would require, I wasn't able to see an existing scenario for this
---
 cmd/nginx/flags.go                        | 3 +++
 docs/user-guide/cli-arguments.md          | 1 +
 internal/ingress/controller/controller.go | 5 +++++
 3 files changed, 9 insertions(+)

diff --git a/cmd/nginx/flags.go b/cmd/nginx/flags.go
index 7e6db6533..c12dc7399 100644
--- a/cmd/nginx/flags.go
+++ b/cmd/nginx/flags.go
@@ -174,6 +174,8 @@ Takes the form "<host>:port". If not provided, no admission controller is starte
 			`The path of the validating webhook certificate PEM.`)
 		validationWebhookKey = flags.String("validating-webhook-key", "",
 			`The path of the validating webhook key PEM.`)
+		disableFullValidationTest = flags.Bool("disable-full-test", false,
+			`Disable full test of all merged ingresses at the admission stage and tests the template of the ingress being created or updated  (full test of all ingresses is enabled by default)`)
 
 		statusPort = flags.Int("status-port", 10246, `Port to use for the lua HTTP endpoint configuration.`)
 		streamPort = flags.Int("stream-port", 10247, "Port to use for the lua TCP/UDP endpoint configuration.")
@@ -280,6 +282,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g
 		ConfigMapName:              *configMap,
 		TCPConfigMapName:           *tcpConfigMapName,
 		UDPConfigMapName:           *udpConfigMapName,
+		DisableFullValidationTest:  *disableFullValidationTest,
 		DefaultSSLCertificate:      *defSSLCertificate,
 		PublishService:             *publishSvc,
 		PublishStatusAddress:       *publishStatusAddress,
diff --git a/docs/user-guide/cli-arguments.md b/docs/user-guide/cli-arguments.md
index 9c9ce0a9b..ef1c0feb2 100644
--- a/docs/user-guide/cli-arguments.md
+++ b/docs/user-guide/cli-arguments.md
@@ -16,6 +16,7 @@ They are set in the container spec of the `nginx-ingress-controller` Deployment
 | `--default-server-port`            | Port to use for exposing the default server (catch-all). (default 8181) |
 | `--default-ssl-certificate`        | Secret containing a SSL certificate to be used by the default HTTPS server (catch-all). Takes the form "namespace/name". |
 | `--disable-catch-all`              | Disable support for catch-all Ingresses |
+| `--disable-full-test` | Disable full test of all merged ingresses at the admission stage and tests the template of the ingress being created or updated  (full test of all ingresses is enabled by default) |
 | `--election-id`                    | Election id to use for Ingress status updates. (default "ingress-controller-leader") |
 | `--enable-metrics`                 | Enables the collection of NGINX metrics (default true) |
 | `--enable-ssl-chain-completion`    | Autocomplete SSL certificate chains with missing intermediate CA certificates. Certificates uploaded to Kubernetes must have the "Authority Information Access" X.509 v3 extension for this to succeed. |
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 1fd22079b..38357d491 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -106,6 +106,7 @@ type Configuration struct {
 	ValidationWebhook         string
 	ValidationWebhookCertPath string
 	ValidationWebhookKeyPath  string
+	DisableFullValidationTest bool
 
 	GlobalExternalAuth  *ngx_config.GlobalExternalAuth
 	MaxmindEditionFiles *[]string
@@ -274,6 +275,10 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 		return err
 	}
 
+	if n.cfg.DisableFullValidationTest {
+		_, _, pcfg = n.getConfiguration(ings[len(ings)-1:])
+	}
+
 	content, err := n.generateTemplate(cfg, *pcfg)
 	if err != nil {
 		n.metricCollector.IncCheckErrorCount(ing.ObjectMeta.Namespace, ing.Name)

From 82e1fc8cac1c4c77223302ed256ff5907252baf1 Mon Sep 17 00:00:00 2001
From: fatedier <fatedier@gmail.com>
Date: Wed, 8 Sep 2021 02:15:16 +0800
Subject: [PATCH 103/376] getEndpoints uses service target port directly if
 it's a number and mismatch with port name in endpoint (#7393)

---
 internal/ingress/controller/endpoints.go      | 12 ++++-
 internal/ingress/controller/endpoints_test.go | 52 ++++++++++++++++++-
 2 files changed, 61 insertions(+), 3 deletions(-)

diff --git a/internal/ingress/controller/endpoints.go b/internal/ingress/controller/endpoints.go
index bdddcb0a0..26d7f298e 100644
--- a/internal/ingress/controller/endpoints.go
+++ b/internal/ingress/controller/endpoints.go
@@ -23,6 +23,7 @@ import (
 	"strconv"
 	"strings"
 
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/klog/v2"
 
@@ -81,7 +82,8 @@ func getEndpoints(s *corev1.Service, port *corev1.ServicePort, proto corev1.Prot
 	}
 
 	for _, ss := range ep.Subsets {
-		for _, epPort := range ss.Ports {
+		matchedPortNameFound := false
+		for i, epPort := range ss.Ports {
 
 			if !reflect.DeepEqual(epPort.Protocol, proto) {
 				continue
@@ -92,8 +94,16 @@ func getEndpoints(s *corev1.Service, port *corev1.ServicePort, proto corev1.Prot
 			if port.Name == "" {
 				// port.Name is optional if there is only one port
 				targetPort = epPort.Port
+				matchedPortNameFound = true
 			} else if port.Name == epPort.Name {
 				targetPort = epPort.Port
+				matchedPortNameFound = true
+			}
+
+			if i == len(ss.Ports)-1 && !matchedPortNameFound && port.TargetPort.Type == intstr.Int {
+				// use service target port if it's a number and no port name matched
+				// https://github.com/kubernetes/ingress-nginx/issues/7390
+				targetPort = port.TargetPort.IntVal
 			}
 
 			if targetPort <= 0 {
diff --git a/internal/ingress/controller/endpoints_test.go b/internal/ingress/controller/endpoints_test.go
index 20d53c526..83c8e1837 100644
--- a/internal/ingress/controller/endpoints_test.go
+++ b/internal/ingress/controller/endpoints_test.go
@@ -315,7 +315,50 @@ func TestGetEndpoints(t *testing.T) {
 			[]ingress.Endpoint{},
 		},
 		{
-			"should return no endpoint when the name of the port name do not match any port in the endpoint Subsets",
+			"should return no endpoint when the name of the port name do not match any port in the endpoint Subsets and TargetPort is string",
+			&corev1.Service{
+				Spec: corev1.ServiceSpec{
+					Type:      corev1.ServiceTypeClusterIP,
+					ClusterIP: "1.1.1.1",
+					Ports: []corev1.ServicePort{
+						{
+							Name:       "default",
+							TargetPort: intstr.FromString("port-1"),
+						},
+					},
+				},
+			},
+			&corev1.ServicePort{
+				Name:       "default",
+				TargetPort: intstr.FromString("port-1"),
+			},
+			corev1.ProtocolTCP,
+			func(string) (*corev1.Endpoints, error) {
+				nodeName := "dummy"
+				return &corev1.Endpoints{
+					Subsets: []corev1.EndpointSubset{
+						{
+							Addresses: []corev1.EndpointAddress{
+								{
+									IP:       "1.1.1.1",
+									NodeName: &nodeName,
+								},
+							},
+							Ports: []corev1.EndpointPort{
+								{
+									Protocol: corev1.ProtocolTCP,
+									Port:     int32(80),
+									Name:     "another-name",
+								},
+							},
+						},
+					},
+				}, nil
+			},
+			[]ingress.Endpoint{},
+		},
+		{
+			"should return one endpoint when the name of the port name do not match any port in the endpoint Subsets and TargetPort is int",
 			&corev1.Service{
 				Spec: corev1.ServiceSpec{
 					Type:      corev1.ServiceTypeClusterIP,
@@ -355,7 +398,12 @@ func TestGetEndpoints(t *testing.T) {
 					},
 				}, nil
 			},
-			[]ingress.Endpoint{},
+			[]ingress.Endpoint{
+				{
+					Address: "1.1.1.1",
+					Port:    "80",
+				},
+			},
 		},
 		{
 			"should return one endpoint when the name of the port name match a port in the endpoint Subsets",

From 48601bcd0e8fa1e22726e517fe70fc268a900fd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renan=20Gon=C3=A7alves?= <renan.saddam@gmail.com>
Date: Tue, 7 Sep 2021 21:47:15 +0200
Subject: [PATCH 104/376] Allow the usage of Services as Upstream on a global
 level (#7469)

It is possible to change this behavior on an ingress level, which works
well when you only have a few of them. When running several dozen
ingress and with a high change rate of running pods it makes it easier
to define this configuration on a global level.

This change is completely backwards compatible, only adding the
possibility of defining a new key in the configmap.
---
 .../nginx-configuration/configmap.md          |   6 +
 .../annotations/serviceupstream/main.go       |  11 +-
 .../annotations/serviceupstream/main_test.go  |  50 +++++++
 internal/ingress/controller/config/config.go  |   1 +
 internal/ingress/defaults/main.go             |   4 +
 test/e2e/annotations/serviceupstream.go       | 128 ++++++++++++++++++
 test/e2e/framework/k8s.go                     |  15 +-
 7 files changed, 209 insertions(+), 6 deletions(-)
 create mode 100644 test/e2e/annotations/serviceupstream.go

diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index 6e6152c5f..c8aa27373 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -203,6 +203,7 @@ The following table shows a configuration option's name, type, and the default v
 |[global-rate-limit-memcached-max-idle-timeout](#global-rate-limit)|int|10000|
 |[global-rate-limit-memcached-pool-size](#global-rate-limit)|int|50|
 |[global-rate-limit-status-code](#global-rate-limit)|int|429|
+|[service-upstream](#service-upstream)|bool|"false"|
 
 ## add-headers
 
@@ -1224,3 +1225,8 @@ Configure `memcached` client for [Global Rate Limiting](https://github.com/kuber
 
 These settings get used by [lua-resty-global-throttle](https://github.com/ElvinEfendi/lua-resty-global-throttle)
 that ingress-nginx includes. Refer to the link to learn more about `lua-resty-global-throttle`.
+
+## service-upstream
+
+Set if the service's Cluster IP and port should be used instead of a list of all endpoints. This can be overwritten by an annotation on an Ingress rule.
+_**default:**_ "false"
diff --git a/internal/ingress/annotations/serviceupstream/main.go b/internal/ingress/annotations/serviceupstream/main.go
index 4c44356d6..4a4879682 100644
--- a/internal/ingress/annotations/serviceupstream/main.go
+++ b/internal/ingress/annotations/serviceupstream/main.go
@@ -20,6 +20,7 @@ import (
 	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
+	"k8s.io/ingress-nginx/internal/ingress/errors"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
 )
 
@@ -33,5 +34,13 @@ func NewParser(r resolver.Resolver) parser.IngressAnnotation {
 }
 
 func (s serviceUpstream) Parse(ing *networking.Ingress) (interface{}, error) {
-	return parser.GetBoolAnnotation("service-upstream", ing)
+	defBackend := s.r.GetDefaultBackend()
+
+	val, err := parser.GetBoolAnnotation("service-upstream", ing)
+	// A missing annotation is not a problem, just use the default
+	if err == errors.ErrMissingAnnotations {
+		return defBackend.ServiceUpstream, nil
+	}
+
+	return val, nil
 }
diff --git a/internal/ingress/annotations/serviceupstream/main_test.go b/internal/ingress/annotations/serviceupstream/main_test.go
index 3fbdb5785..b773e9723 100644
--- a/internal/ingress/annotations/serviceupstream/main_test.go
+++ b/internal/ingress/annotations/serviceupstream/main_test.go
@@ -23,6 +23,7 @@ import (
 	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
+	"k8s.io/ingress-nginx/internal/ingress/defaults"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
 )
 
@@ -119,3 +120,52 @@ func TestIngressAnnotationServiceUpstreamSetFalse(t *testing.T) {
 		t.Errorf("expected annotation value to be false, got true")
 	}
 }
+
+type mockBackend struct {
+	resolver.Mock
+}
+
+// GetDefaultBackend returns the backend that must be used as default
+func (m mockBackend) GetDefaultBackend() defaults.Backend {
+	return defaults.Backend{
+		ServiceUpstream: true,
+	}
+}
+
+// Test that when we have a default configuration set on the Backend that is used
+// when we don't have the annotation
+func TestParseAnnotationsWithDefaultConfig(t *testing.T) {
+	ing := buildIngress()
+
+	val, _ := NewParser(mockBackend{}).Parse(ing)
+	enabled, ok := val.(bool)
+
+	if !ok {
+		t.Errorf("expected a bool type")
+	}
+
+	if !enabled {
+		t.Errorf("expected annotation value to be true, got false")
+	}
+}
+
+// Test that the annotation will disable the service upstream when enabled
+// in the default configuration
+func TestParseAnnotationsOverridesDefaultConfig(t *testing.T) {
+	ing := buildIngress()
+
+	data := map[string]string{}
+	data[parser.GetAnnotationWithPrefix("service-upstream")] = "false"
+	ing.SetAnnotations(data)
+
+	val, _ := NewParser(mockBackend{}).Parse(ing)
+	enabled, ok := val.(bool)
+
+	if !ok {
+		t.Errorf("expected a bool type")
+	}
+
+	if enabled {
+		t.Errorf("expected annotation value to be false, got true")
+	}
+}
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
index b96e26772..0546e9618 100644
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@@ -860,6 +860,7 @@ func NewDefault() Configuration {
 			ProxyBuffering:           "off",
 			ProxyHTTPVersion:         "1.1",
 			ProxyMaxTempFileSize:     "1024m",
+			ServiceUpstream:          false,
 		},
 		UpstreamKeepaliveConnections:           320,
 		UpstreamKeepaliveTimeout:               60,
diff --git a/internal/ingress/defaults/main.go b/internal/ingress/defaults/main.go
index 03926baa0..bc9734257 100644
--- a/internal/ingress/defaults/main.go
+++ b/internal/ingress/defaults/main.go
@@ -161,4 +161,8 @@ type Backend struct {
 	// Sets the maximum temp file size when proxy-buffers capacity is exceeded.
 	// http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_max_temp_file_size
 	ProxyMaxTempFileSize string `json:"proxy-max-temp-file-size"`
+
+	// By default, the NGINX ingress controller uses a list of all endpoints (Pod IP/port) in the NGINX upstream configuration.
+	// It disables that behavior and instead uses a single upstream in NGINX, the service's Cluster IP and port.
+	ServiceUpstream bool `json:"service-upstream"`
 }
diff --git a/test/e2e/annotations/serviceupstream.go b/test/e2e/annotations/serviceupstream.go
new file mode 100644
index 000000000..c0bf37603
--- /dev/null
+++ b/test/e2e/annotations/serviceupstream.go
@@ -0,0 +1,128 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package annotations
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/onsi/ginkgo"
+	"github.com/stretchr/testify/assert"
+
+	"k8s.io/ingress-nginx/test/e2e/framework"
+
+	"k8s.io/ingress-nginx/internal/nginx"
+)
+
+var _ = framework.DescribeAnnotation("service-upstream", func() {
+	f := framework.NewDefaultFramework("serviceupstream")
+	host := "serviceupstream"
+
+	ginkgo.BeforeEach(func() {
+		f.NewEchoDeployment()
+	})
+
+	ginkgo.Context("when using the default value (false) and enabling in the annotations", func() {
+		ginkgo.It("should use the Service Cluster IP and Port ", func() {
+			annotations := map[string]string{
+				"nginx.ingress.kubernetes.io/service-upstream": "true",
+			}
+
+			ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxServer(host, func(server string) bool {
+				return strings.Contains(server, fmt.Sprintf("server_name %s", host))
+			})
+
+			ginkgo.By("checking if the service is reached")
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", host).
+				Expect().
+				Status(http.StatusOK)
+
+			ginkgo.By("checking if the Service Cluster IP and Port are used")
+			s := f.GetService(f.Namespace, framework.EchoService)
+			curlCmd := fmt.Sprintf("curl --fail --silent http://localhost:%v/configuration/backends", nginx.StatusPort)
+			output, err := f.ExecIngressPod(curlCmd)
+			assert.Nil(ginkgo.GinkgoT(), err)
+			assert.Contains(ginkgo.GinkgoT(), output, fmt.Sprintf(`{"address":"%s"`, s.Spec.ClusterIP))
+		})
+	})
+
+	ginkgo.Context("when enabling in the configmap", func() {
+		ginkgo.It("should use the Service Cluster IP and Port ", func() {
+			annotations := map[string]string{}
+
+			f.UpdateNginxConfigMapData("service-upstream", "true")
+
+			ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxServer(host, func(server string) bool {
+				return strings.Contains(server, fmt.Sprintf("server_name %s", host))
+			})
+
+			ginkgo.By("checking if the service is reached")
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", host).
+				Expect().
+				Status(http.StatusOK)
+
+			ginkgo.By("checking if the Service Cluster IP and Port are used")
+			s := f.GetService(f.Namespace, framework.EchoService)
+			curlCmd := fmt.Sprintf("curl --fail --silent http://localhost:%v/configuration/backends", nginx.StatusPort)
+			output, err := f.ExecIngressPod(curlCmd)
+			assert.Nil(ginkgo.GinkgoT(), err)
+			assert.Contains(ginkgo.GinkgoT(), output, fmt.Sprintf(`{"address":"%s"`, s.Spec.ClusterIP))
+		})
+	})
+
+	ginkgo.Context("when enabling in the configmap and disabling in the annotations", func() {
+		ginkgo.It("should not use the Service Cluster IP and Port", func() {
+			annotations := map[string]string{
+				"nginx.ingress.kubernetes.io/service-upstream": "false",
+			}
+
+			f.UpdateNginxConfigMapData("service-upstream", "true")
+
+			ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxServer(host, func(server string) bool {
+				return strings.Contains(server, fmt.Sprintf("server_name %s", host))
+			})
+
+			ginkgo.By("checking if the service is reached")
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", host).
+				Expect().
+				Status(http.StatusOK)
+
+			ginkgo.By("checking if the Service Cluster IP and Port are not used")
+			s := f.GetService(f.Namespace, framework.EchoService)
+			curlCmd := fmt.Sprintf("curl --fail --silent http://localhost:%v/configuration/backends", nginx.StatusPort)
+			output, err := f.ExecIngressPod(curlCmd)
+			assert.Nil(ginkgo.GinkgoT(), err)
+			assert.NotContains(ginkgo.GinkgoT(), output, fmt.Sprintf(`{"address":"%s"`, s.Spec.ClusterIP))
+		})
+	})
+})
diff --git a/test/e2e/framework/k8s.go b/test/e2e/framework/k8s.go
index 14937e6bd..ea34960b6 100644
--- a/test/e2e/framework/k8s.go
+++ b/test/e2e/framework/k8s.go
@@ -102,16 +102,21 @@ func (f *Framework) UpdateIngress(ingress *networking.Ingress) *networking.Ingre
 	return ing
 }
 
+// GetService gets a Service object from the given namespace, name and returns it, throws error if it does not exist.
+func (f *Framework) GetService(namespace string, name string) *core.Service {
+	s, err := f.KubeClientSet.CoreV1().Services(namespace).Get(context.TODO(), name, metav1.GetOptions{})
+	assert.Nil(ginkgo.GinkgoT(), err, "getting service")
+	assert.NotNil(ginkgo.GinkgoT(), s, "expected a service but none returned")
+
+	return s
+}
+
 // EnsureService creates a Service object and returns it, throws error if it already exists.
 func (f *Framework) EnsureService(service *core.Service) *core.Service {
 	err := createServiceWithRetries(f.KubeClientSet, f.Namespace, service)
 	assert.Nil(ginkgo.GinkgoT(), err, "creating service")
 
-	s, err := f.KubeClientSet.CoreV1().Services(f.Namespace).Get(context.TODO(), service.Name, metav1.GetOptions{})
-	assert.Nil(ginkgo.GinkgoT(), err, "getting service")
-	assert.NotNil(ginkgo.GinkgoT(), s, "expected a service but none returned")
-
-	return s
+	return f.GetService(f.Namespace, service.Name)
 }
 
 // EnsureDeployment creates a Deployment object and returns it, throws error if it already exists.

From 8b3a6f02526e8bcf8b6fff2bf8d3613e20211b15 Mon Sep 17 00:00:00 2001
From: Bhumij Gupta <bhumijgupta@gmail.com>
Date: Wed, 8 Sep 2021 14:47:20 +0530
Subject: [PATCH 105/376] Helm notes outputs non nil value for ingress.class
 annotation (#7611)

Signed-off-by: bhumijgupta <bhumijgupta@gmail.com>
---
 charts/ingress-nginx/templates/NOTES.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/ingress-nginx/templates/NOTES.txt b/charts/ingress-nginx/templates/NOTES.txt
index 2eebba368..03ece9c59 100644
--- a/charts/ingress-nginx/templates/NOTES.txt
+++ b/charts/ingress-nginx/templates/NOTES.txt
@@ -33,7 +33,7 @@ An example Ingress that makes use of the controller:
   kind: Ingress
   metadata:
     annotations:
-      kubernetes.io/ingress.class: {{ .Values.controller.ingressClass }}
+      kubernetes.io/ingress.class: {{ .Values.controller.ingressClassResource.name }}
     name: example
     namespace: foo
   spec:

From 7be4015e135cff2757fcdb3ce0dd398ffa78ee26 Mon Sep 17 00:00:00 2001
From: Kundan Kumar <kundan.kumar@india.nec.com>
Date: Thu, 9 Sep 2021 16:00:11 +0530
Subject: [PATCH 106/376] Added command to get Nginx versionq! (#7577)

---
 .github/ISSUE_TEMPLATE/bug_report.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 3df73cc6a..c39d6e2c2 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -27,7 +27,13 @@ This questions are the first thing we need to know to understand the context.
 
 -->
 
-**NGINX Ingress controller version**:
+**NGINX Ingress controller version** (exec into the pod and run nginx-ingress-controller --version.):
+<!--
+POD_NAMESPACE=ingress-nginx
+POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/name=ingress-nginx --field-selector=status.phase=Running -o jsonpath='{.items[0].metadata.name}')
+
+kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version  
+-->
 
 **Kubernetes version** (use `kubectl version`):
 

From c9a00fbc737e3d3d11cb4ffe8988919421bc1168 Mon Sep 17 00:00:00 2001
From: Jennifer Kirsch <7807969+DysphoricUnicorn@users.noreply.github.com>
Date: Thu, 9 Sep 2021 13:38:11 +0200
Subject: [PATCH 107/376] Fix old tag of custom error pages used in example
 (#7460)

* Fix old tag of custom error pages used in example

* Move nginx-errors to k8s registry

Since the setup for the custom-error-messages was really different from
the other images that are build using cloudbuild, I changed it to "fit
in better"

* Use Go version 1.17 for custom-error-pages

Since Go >= 1.16 required the use of modules, I also initialized the module using the name k8s.io/ingress-nginx/custom-error-pages
---
 .../custom-errors/custom-default-backend.yaml |   2 +-
 images/custom-error-pages/Makefile            | 136 ++++++-----------
 images/custom-error-pages/cloudbuild.yml      |  22 +++
 images/custom-error-pages/rootfs/Dockerfile   |  23 ++-
 images/custom-error-pages/rootfs/go.mod       |  17 +++
 images/custom-error-pages/rootfs/go.sum       | 138 ++++++++++++++++++
 .../custom-error-pages/{ => rootfs}/main.go   |   0
 .../{ => rootfs}/metrics.go                   |   0
 8 files changed, 240 insertions(+), 98 deletions(-)
 create mode 100644 images/custom-error-pages/cloudbuild.yml
 create mode 100644 images/custom-error-pages/rootfs/go.mod
 create mode 100644 images/custom-error-pages/rootfs/go.sum
 rename images/custom-error-pages/{ => rootfs}/main.go (100%)
 rename images/custom-error-pages/{ => rootfs}/metrics.go (100%)

diff --git a/docs/examples/customization/custom-errors/custom-default-backend.yaml b/docs/examples/customization/custom-errors/custom-default-backend.yaml
index 70096bdbe..4cf5e72e2 100644
--- a/docs/examples/customization/custom-errors/custom-default-backend.yaml
+++ b/docs/examples/customization/custom-errors/custom-default-backend.yaml
@@ -36,7 +36,7 @@ spec:
     spec:
       containers:
       - name: nginx-error-server
-        image: quay.io/kubernetes-ingress-controller/custom-error-pages-amd64:0.3
+        image: gcr.io/k8s-staging-ingress-nginx/nginx-errors:0.48.1
         ports:
         - containerPort: 8080
         # Setting the environment variable DEBUG we can see the headers sent 
diff --git a/images/custom-error-pages/Makefile b/images/custom-error-pages/Makefile
index d08fa27e1..fa210ef87 100644
--- a/images/custom-error-pages/Makefile
+++ b/images/custom-error-pages/Makefile
@@ -1,105 +1,57 @@
-all: all-container
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
-BUILDTAGS=
+# Container image for nginx-errors.
 
-# Use the 0.0 tag for testing, it shouldn't clobber any release builds
-TAG?=0.4
-REGISTRY?=quay.io/kubernetes-ingress-controller
-GOOS?=linux
-DOCKER?=docker
-SED_I?=sed -i
-GOHOSTOS ?= $(shell go env GOHOSTOS)
+# set default shell
+SHELL=/bin/bash -o pipefail -o errexit
 
-PKG=k8s.io/ingress-nginx/images/custom-error-pages
+DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))))
+INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh
 
-ifeq ($(GOHOSTOS),darwin)
-  SED_I=sed -i ''
-endif
+TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD)
+REGISTRY ?= local
 
-REPO_INFO=$(shell git config --get remote.origin.url)
+IMAGE = $(REGISTRY)/nginx-errors
 
-ifndef COMMIT
-  COMMIT := git-$(shell git rev-parse --short HEAD)
-endif
+# required to enable buildx
+export DOCKER_CLI_EXPERIMENTAL=enabled
 
-ARCH ?= $(shell go env GOARCH)
-GOARCH = ${ARCH}
+# build with buildx
+PLATFORMS?=linux/amd64,linux/arm,linux/arm64
+OUTPUT=
+PROGRESS=plain
 
-BASEIMAGE?=alpine:3.10
+build: ensure-buildx
+	docker buildx build \
+		--platform=${PLATFORMS} $(OUTPUT) \
+		--progress=$(PROGRESS) \
+		--pull \
+		-t $(IMAGE):$(TAG) rootfs
 
-ALL_ARCH = amd64 arm arm64
+# push the cross built image
+push: OUTPUT=--push
+push: build
 
-QEMUVERSION=v4.1.0-1
-
-IMGNAME = custom-error-pages
-IMAGE = $(REGISTRY)/$(IMGNAME)
-MULTI_ARCH_IMG = $(IMAGE)-$(ARCH)
-
-ifeq ($(ARCH),arm)
-    QEMUARCH=arm
-	GOARCH=arm
-endif
-ifeq ($(ARCH),arm64)
-	QEMUARCH=aarch64
-endif
-
-TEMP_DIR := $(shell mktemp -d)
-
-DOCKERFILE := $(TEMP_DIR)/rootfs/Dockerfile
-
-sub-container-%:
-	$(MAKE) ARCH=$* build container
-
-sub-push-%:
-	$(MAKE) ARCH=$* push
-
-all-container: $(addprefix sub-container-,$(ALL_ARCH))
-
-all-push: $(addprefix sub-push-,$(ALL_ARCH))
-
-container: .container-$(ARCH)
-.container-$(ARCH):
-	cp -r ./* $(TEMP_DIR)
-	$(SED_I) 's|BASEIMAGE|$(BASEIMAGE)|g' $(DOCKERFILE)
-	$(SED_I) "s|QEMUARCH|$(QEMUARCH)|g" $(DOCKERFILE)
-
-ifeq ($(ARCH),amd64)
-	# When building "normally" for amd64, remove the whole line, it has no part in the amd64 image
-	$(SED_I) "/CROSS_BUILD_/d" $(DOCKERFILE)
+# enable buildx
+ensure-buildx:
+# this is required for cloudbuild
+ifeq ("$(wildcard $(INIT_BUILDX))","")
+	@curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash
 else
-	# When cross-building, only the placeholder "CROSS_BUILD_" should be removed
-	# Register /usr/bin/qemu-ARCH-static as the handler for ARM binaries in the kernel
-	# $(DOCKER) run --rm --privileged multiarch/qemu-user-static:register --reset
-	curl -sSL https://github.com/multiarch/qemu-user-static/releases/download/$(QEMUVERSION)/x86_64_qemu-$(QEMUARCH)-static.tar.gz | tar -xz -C $(TEMP_DIR)/rootfs
-	$(SED_I) "s/CROSS_BUILD_//g" $(DOCKERFILE)
+	@exec $(INIT_BUILDX)
 endif
+	@echo "done"
 
-	$(DOCKER) build -t $(MULTI_ARCH_IMG):$(TAG) $(TEMP_DIR)/rootfs
-
-ifeq ($(ARCH), amd64)
-	# This is for to maintain the backward compatibility
-	$(DOCKER) tag $(MULTI_ARCH_IMG):$(TAG) $(IMAGE):$(TAG)
-endif
-
-push: .push-$(ARCH)
-.push-$(ARCH):
-	$(DOCKER) push $(MULTI_ARCH_IMG):$(TAG)
-ifeq ($(ARCH), amd64)
-	$(DOCKER) push $(IMAGE):$(TAG)
-endif
-
-clean:
-	$(DOCKER) rmi -f $(MULTI_ARCH_IMG):$(TAG) || true
-
-build: clean
-	CGO_ENABLED=0 GOOS=${GOOS} GOARCH=${GOARCH} go build -a -installsuffix cgo \
-		-ldflags "-s -w" \
-		-o ${TEMP_DIR}/rootfs/custom-error-pages ${PKG}/...
-
-release: all-container all-push
-	echo "done"
-
-.PHONY: register-qemu
-register-qemu:
-	# Register /usr/bin/qemu-ARCH-static as the handler for binaries in multiple platforms
-	$(DOCKER) run --rm --privileged multiarch/qemu-user-static:register --reset
+.PHONY: build push ensure-buildx
diff --git a/images/custom-error-pages/cloudbuild.yml b/images/custom-error-pages/cloudbuild.yml
new file mode 100644
index 000000000..d80d2aeaf
--- /dev/null
+++ b/images/custom-error-pages/cloudbuild.yml
@@ -0,0 +1,22 @@
+timeout: 600s
+options:
+  substitution_option: ALLOW_LOOSE
+steps:
+  - name: gcr.io/k8s-testimages/gcb-docker-gcloud:v20201130-750d12f
+    entrypoint: bash
+    env:
+      - DOCKER_CLI_EXPERIMENTAL=enabled
+      - TAG=$_GIT_TAG
+      - BASE_REF=$_PULL_BASE_REF
+      - REGISTRY=gcr.io/k8s-staging-ingress-nginx
+      # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx
+      # set the home to /root explicitly to if using docker buildx
+      - HOME=/root
+    args:
+    - -c
+    - |
+      gcloud auth configure-docker \
+      && make push
+substitutions:
+  _GIT_TAG: "12345"
+  _PULL_BASE_REF: "master"
diff --git a/images/custom-error-pages/rootfs/Dockerfile b/images/custom-error-pages/rootfs/Dockerfile
index aaf60efb1..fc09e92d1 100755
--- a/images/custom-error-pages/rootfs/Dockerfile
+++ b/images/custom-error-pages/rootfs/Dockerfile
@@ -1,4 +1,4 @@
-# Copyright 2017 The Kubernetes Authors. All rights reserved.
+# Copyright 2021 The Kubernetes Authors. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,10 +12,23 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM BASEIMAGE
+FROM golang:1.17-alpine as builder
+RUN apk add git
 
-CROSS_BUILD_COPY qemu-QEMUARCH-static /usr/bin/
+WORKDIR /go/src/k8s.io/ingress-nginx/images/custom-error-pages
 
-COPY . /
+COPY . .
 
-CMD ["/custom-error-pages"]
+RUN go get . && \
+    CGO_ENABLED=0 go build -a -installsuffix cgo \
+	-ldflags "-s -w" \
+	-o nginx-errors .
+
+# Use distroless as minimal base image to package the binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
+
+COPY --from=builder /go/src/k8s.io/ingress-nginx/images/custom-error-pages/nginx-errors /
+USER nonroot:nonroot
+
+CMD ["/nginx-errors"]
diff --git a/images/custom-error-pages/rootfs/go.mod b/images/custom-error-pages/rootfs/go.mod
new file mode 100644
index 000000000..3040c5791
--- /dev/null
+++ b/images/custom-error-pages/rootfs/go.mod
@@ -0,0 +1,17 @@
+module k8s.io/ingress-nginx/custom-error-pages
+
+go 1.17
+
+require github.com/prometheus/client_golang v1.11.0
+
+require (
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.1.1 // indirect
+	github.com/golang/protobuf v1.4.3 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.26.0 // indirect
+	github.com/prometheus/procfs v0.6.0 // indirect
+	golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40 // indirect
+	google.golang.org/protobuf v1.26.0-rc.1 // indirect
+)
diff --git a/images/custom-error-pages/rootfs/go.sum b/images/custom-error-pages/rootfs/go.sum
new file mode 100644
index 000000000..6a42e5c54
--- /dev/null
+++ b/images/custom-error-pages/rootfs/go.sum
@@ -0,0 +1,138 @@
+cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
+github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
+github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
+github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
+github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
+github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM=
+github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
+github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
+github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
+github.com/prometheus/client_golang v1.11.0 h1:HNkLOAEQMIDv/K+04rukrLx6ch7msSRwf3/SASFAGtQ=
+github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
+github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M=
+github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
+github.com/prometheus/common v0.26.0 h1:iMAkS2TDoNWnKM+Kopnx/8tnEStIfpYA0ur0xQzzhMQ=
+github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
+github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
+github.com/prometheus/procfs v0.6.0 h1:mxy4L2jP6qMonqmq+aTtOx1ifVWUgG/TAmntgbh3xv4=
+github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
+github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
+github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
+github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40 h1:JWgyZ1qgdTaF3N3oxC+MdTV7qvEEgHo3otj+HB5CM7Q=
+golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.26.0-rc.1 h1:7QnIQpGRHE5RnLKnESfDoxm2dTapTZua5a0kS0A+VXQ=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/images/custom-error-pages/main.go b/images/custom-error-pages/rootfs/main.go
similarity index 100%
rename from images/custom-error-pages/main.go
rename to images/custom-error-pages/rootfs/main.go
diff --git a/images/custom-error-pages/metrics.go b/images/custom-error-pages/rootfs/metrics.go
similarity index 100%
rename from images/custom-error-pages/metrics.go
rename to images/custom-error-pages/rootfs/metrics.go

From 903446f326f7c1f50e753a613a48b1c66acc0cb9 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Thu, 9 Sep 2021 09:00:31 -0300
Subject: [PATCH 108/376] Rename cloudbuild.yml to cloudbuild.yaml

---
 images/custom-error-pages/{cloudbuild.yml => cloudbuild.yaml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename images/custom-error-pages/{cloudbuild.yml => cloudbuild.yaml} (100%)

diff --git a/images/custom-error-pages/cloudbuild.yml b/images/custom-error-pages/cloudbuild.yaml
similarity index 100%
rename from images/custom-error-pages/cloudbuild.yml
rename to images/custom-error-pages/cloudbuild.yaml

From 89eee0debae58cda181898699dd7842efa5a43e1 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Thu, 9 Sep 2021 09:17:26 -0300
Subject: [PATCH 109/376] Change the cloudbuild timeout

---
 images/custom-error-pages/cloudbuild.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/images/custom-error-pages/cloudbuild.yaml b/images/custom-error-pages/cloudbuild.yaml
index d80d2aeaf..9b913b3e6 100644
--- a/images/custom-error-pages/cloudbuild.yaml
+++ b/images/custom-error-pages/cloudbuild.yaml
@@ -1,4 +1,4 @@
-timeout: 600s
+timeout: 1800s
 options:
   substitution_option: ALLOW_LOOSE
 steps:

From cda59ccc9c8095119346ff5c948d8a17c100ead9 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Fri, 10 Sep 2021 14:14:01 -0300
Subject: [PATCH 110/376] Add new flag to watch ingressclass by name instead of
 spec (#7609)

---
 .../templates/controller-daemonset.yaml       |   3 +
 .../templates/controller-deployment.yaml      |   3 +
 charts/ingress-nginx/values.yaml              |   3 +
 cmd/nginx/flags.go                            |  10 +-
 .../controller/ingressclass/ingressclass.go   |   4 +
 internal/ingress/controller/store/store.go    |   7 +-
 .../ingress/controller/store/store_test.go    | 108 +++++++++++++++++-
 test/e2e/settings/ingress_class.go            |  68 +++++++++++
 8 files changed, 201 insertions(+), 5 deletions(-)

diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml
index 2e6b32170..68291edd7 100644
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -114,6 +114,9 @@ spec:
           {{- if .Values.controller.healthCheckHost }}
             - --healthz-host={{ .Values.controller.healthCheckHost }}
           {{- end }}
+          {{- if .Values.controller.ingressClassByName }}
+            - --ingress-class-by-name=true
+          {{- end }}
           {{- if .Values.controller.watchIngressWithoutClass }}
             - --watch-ingress-without-class=true
           {{- end }}
diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
index 681955f6f..24714a523 100644
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -115,6 +115,9 @@ spec:
           {{- if not (eq .Values.controller.healthCheckPath "/healthz") }}
             - --health-check-path={{ .Values.controller.healthCheckPath }}
           {{- end }}
+          {{- if .Values.controller.ingressClassByName }}
+            - --ingress-class-by-name=true
+          {{- end }}
           {{- if .Values.controller.watchIngressWithoutClass }}
             - --watch-ingress-without-class=true
           {{- end }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 8ef8ea8e7..dff440313 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -66,6 +66,9 @@ controller:
   # Defaults to false
   watchIngressWithoutClass: false
 
+  # Process IngressClass per name (additionally as per spec.controller)
+  ingressClassByName: false
+
   # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
   # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
   # is merged
diff --git a/cmd/nginx/flags.go b/cmd/nginx/flags.go
index c12dc7399..42c14dd51 100644
--- a/cmd/nginx/flags.go
+++ b/cmd/nginx/flags.go
@@ -68,6 +68,9 @@ referenced in an Ingress Object should be the same value specified here to make
 		watchWithoutClass = flags.Bool("watch-ingress-without-class", false,
 			`Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified`)
 
+		ingressClassByName = flags.Bool("ingress-class-by-name", false,
+			`Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class`)
+
 		configMap = flags.String("configmap", "",
 			`Name of the ConfigMap containing custom global configurations for the controller.`)
 
@@ -299,9 +302,10 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g
 			SSLProxy: *sslProxyPort,
 		},
 		IngressClassConfiguration: &ingressclass.IngressClassConfiguration{
-			Controller:        *ingressClassController,
-			AnnotationValue:   *ingressClassAnnotation,
-			WatchWithoutClass: *watchWithoutClass,
+			Controller:         *ingressClassController,
+			AnnotationValue:    *ingressClassAnnotation,
+			WatchWithoutClass:  *watchWithoutClass,
+			IngressClassByName: *ingressClassByName,
 		},
 		DisableCatchAll:           *disableCatchAll,
 		ValidationWebhook:         *validationWebhook,
diff --git a/internal/ingress/controller/ingressclass/ingressclass.go b/internal/ingress/controller/ingressclass/ingressclass.go
index 025a4e2a5..f13a2a05c 100644
--- a/internal/ingress/controller/ingressclass/ingressclass.go
+++ b/internal/ingress/controller/ingressclass/ingressclass.go
@@ -42,4 +42,8 @@ type IngressClassConfiguration struct {
 	// WatchWithoutClass defines if Controller should watch to Ingress Objects that does
 	// not contain an IngressClass configuration
 	WatchWithoutClass bool
+
+	//IngressClassByName defines if the Controller should watch for Ingress Classes by
+	// .metadata.name together with .spec.Controller
+	IngressClassByName bool
 }
diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go
index dd18594e9..d5f7ce63c 100644
--- a/internal/ingress/controller/store/store.go
+++ b/internal/ingress/controller/store/store.go
@@ -426,7 +426,12 @@ func New(
 	ingressClassEventHandler := cache.ResourceEventHandlerFuncs{
 		AddFunc: func(obj interface{}) {
 			ingressclass := obj.(*networkingv1.IngressClass)
-			if ingressclass.Spec.Controller != icConfig.Controller {
+			foundClassByName := false
+			if icConfig.IngressClassByName && ingressclass.Name == icConfig.AnnotationValue {
+				klog.InfoS("adding ingressclass as ingress-class-by-name is configured", "ingressclass", klog.KObj(ingressclass))
+				foundClassByName = true
+			}
+			if !foundClassByName && ingressclass.Spec.Controller != icConfig.Controller {
 				klog.InfoS("ignoring ingressclass as the spec.controller is not the same of this ingress", "ingressclass", klog.KObj(ingressclass))
 				return
 			}
diff --git a/internal/ingress/controller/store/store_test.go b/internal/ingress/controller/store/store_test.go
index 35e5955b1..9004094a3 100644
--- a/internal/ingress/controller/store/store_test.go
+++ b/internal/ingress/controller/store/store_test.go
@@ -316,7 +316,7 @@ func TestStore(t *testing.T) {
 
 		err := framework.WaitForIngressInNamespace(clientSet, ns, ing.Name)
 		if err != nil {
-			t.Errorf("error waiting for secret: %v", err)
+			t.Errorf("error waiting for ingress: %v", err)
 		}
 		time.Sleep(1 * time.Second)
 
@@ -486,6 +486,112 @@ func TestStore(t *testing.T) {
 		}
 	})
 
+	t.Run("should return two events for add and delete and one for update of ingress and watch-ingress-by-name", func(t *testing.T) {
+		ns := createNamespace(clientSet, t)
+		defer deleteNamespace(ns, clientSet, t)
+		ic := createIngressClass(clientSet, t, "not-k8s.io/by-name")
+		defer deleteIngressClass(ic, clientSet, t)
+
+		createConfigMap(clientSet, ns, t)
+
+		stopCh := make(chan struct{})
+		updateCh := channels.NewRingChannel(1024)
+
+		var add uint64
+		var upd uint64
+		var del uint64
+
+		go func(ch *channels.RingChannel) {
+			for {
+				evt, ok := <-ch.Out()
+				if !ok {
+					return
+				}
+
+				e := evt.(Event)
+				if e.Obj == nil {
+					continue
+				}
+				if _, ok := e.Obj.(*networking.Ingress); !ok {
+					continue
+				}
+
+				switch e.Type {
+				case CreateEvent:
+					atomic.AddUint64(&add, 1)
+				case UpdateEvent:
+					atomic.AddUint64(&upd, 1)
+				case DeleteEvent:
+					atomic.AddUint64(&del, 1)
+				}
+			}
+		}(updateCh)
+
+		ingressClassconfig := &ingressclass.IngressClassConfiguration{
+			Controller:         ingressclass.DefaultControllerName,
+			AnnotationValue:    ic,
+			IngressClassByName: true,
+		}
+
+		storer := New(
+			ns,
+			fmt.Sprintf("%v/config", ns),
+			fmt.Sprintf("%v/tcp", ns),
+			fmt.Sprintf("%v/udp", ns),
+			"",
+			10*time.Minute,
+			clientSet,
+			updateCh,
+			false,
+			ingressClassconfig)
+
+		storer.Run(stopCh)
+		validSpec := commonIngressSpec
+		validSpec.IngressClassName = &ic
+		ing := ensureIngress(&networking.Ingress{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "ingclass-by-name",
+				Namespace: ns,
+			},
+			Spec: validSpec,
+		}, clientSet, t)
+
+		err := framework.WaitForIngressInNamespace(clientSet, ns, ing.Name)
+		if err != nil {
+			t.Errorf("error waiting for ingress: %v", err)
+		}
+		time.Sleep(1 * time.Second)
+
+		ingressUpdated := ing.DeepCopy()
+		ingressUpdated.Spec.Rules[0].Host = "update-dummy"
+		_ = ensureIngress(ingressUpdated, clientSet, t)
+		if err != nil {
+			t.Errorf("error updating ingress: %v", err)
+		}
+		// Secret takes a bit to update
+		time.Sleep(3 * time.Second)
+
+		err = clientSet.NetworkingV1().Ingresses(ingressUpdated.Namespace).Delete(context.TODO(), ingressUpdated.Name, metav1.DeleteOptions{})
+		if err != nil {
+			t.Errorf("error deleting ingress: %v", err)
+		}
+
+		err = framework.WaitForNoIngressInNamespace(clientSet, ingressUpdated.Namespace, ingressUpdated.Name)
+		if err != nil {
+			t.Errorf("error waiting for ingress deletion: %v", err)
+		}
+
+		if atomic.LoadUint64(&add) != 1 {
+			t.Errorf("expected 1 event of type Create but %v occurred", add)
+		}
+		if atomic.LoadUint64(&upd) != 1 {
+			t.Errorf("expected 1 event of type Update but %v occurred", upd)
+		}
+		if atomic.LoadUint64(&del) != 1 {
+			t.Errorf("expected 1 event of type Delete but %v occurred", del)
+		}
+	})
+
 	t.Run("should not receive updates for ingress with invalid class annotation", func(t *testing.T) {
 		ns := createNamespace(clientSet, t)
 		defer deleteNamespace(ns, clientSet, t)
diff --git a/test/e2e/settings/ingress_class.go b/test/e2e/settings/ingress_class.go
index 3ba42f311..9740eef38 100644
--- a/test/e2e/settings/ingress_class.go
+++ b/test/e2e/settings/ingress_class.go
@@ -510,4 +510,72 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() {
 		})
 
 	})
+
+	ginkgo.Context("With ingress-class-by-name flag", func() {
+		ginkgo.BeforeEach(func() {
+			err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error {
+				args := []string{}
+				for _, v := range deployment.Spec.Template.Spec.Containers[0].Args {
+					if strings.Contains(v, "--ingress-class-by-name") &&
+						strings.Contains(v, "--ingress-class=test-new-ingress-class") {
+						continue
+					}
+
+					args = append(args, v)
+				}
+				args = append(args, "--ingress-class=test-new-ingress-class")
+				args = append(args, "--ingress-class-by-name")
+				deployment.Spec.Template.Spec.Containers[0].Args = args
+				_, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{})
+
+				return err
+			})
+			assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller deployment flags")
+		})
+
+		ginkgo.It("should watch Ingress that uses the class name even if spec is different", func() {
+			validHostClassName := "validhostclassname"
+
+			ing := framework.NewSingleIngress(validHostClassName, "/", validHostClassName, f.Namespace, framework.EchoService, 80, nil)
+			ing.Spec.IngressClassName = &otherIngressClassName
+			f.EnsureIngress(ing)
+
+			validHostClass := "validhostclassspec"
+			ing = framework.NewSingleIngress(validHostClass, "/", validHostClass, f.Namespace, framework.EchoService, 80, nil)
+			f.EnsureIngress(ing)
+
+			invalidHost := "invalidannotation"
+			annotations := map[string]string{
+				ingressclass.IngressKey: "testclass123",
+			}
+			ing = framework.NewSingleIngress(invalidHost, "/", invalidHost, f.Namespace, framework.EchoService, 80, annotations)
+			ing.Spec.IngressClassName = nil
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxConfiguration(func(cfg string) bool {
+				return strings.Contains(cfg, "server_name validhostclassname") &&
+					strings.Contains(cfg, "server_name validhostclassspec") &&
+					!strings.Contains(cfg, "server_name invalidannotation")
+			})
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", validHostClass).
+				Expect().
+				Status(http.StatusOK)
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", validHostClassName).
+				Expect().
+				Status(http.StatusOK)
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", invalidHost).
+				Expect().
+				Status(http.StatusNotFound)
+		})
+
+	})
 })

From ff2b743a947e4d581bc8cd6173d5f581aebb469a Mon Sep 17 00:00:00 2001
From: Jennifer Kirsch <7807969+DysphoricUnicorn@users.noreply.github.com>
Date: Sun, 12 Sep 2021 19:08:06 +0200
Subject: [PATCH 111/376] Only build nginx-errors for linux/amd64 (#7625)

* Fix wrong image location used in nginx-errors example config

* Only build nginx-errors for linux/amd64
---
 .../customization/custom-errors/custom-default-backend.yaml     | 2 +-
 images/custom-error-pages/Makefile                              | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/examples/customization/custom-errors/custom-default-backend.yaml b/docs/examples/customization/custom-errors/custom-default-backend.yaml
index 4cf5e72e2..579e48544 100644
--- a/docs/examples/customization/custom-errors/custom-default-backend.yaml
+++ b/docs/examples/customization/custom-errors/custom-default-backend.yaml
@@ -36,7 +36,7 @@ spec:
     spec:
       containers:
       - name: nginx-error-server
-        image: gcr.io/k8s-staging-ingress-nginx/nginx-errors:0.48.1
+        image: k8s.gcr.io/ingress-nginx/nginx-errors:0.48.1
         ports:
         - containerPort: 8080
         # Setting the environment variable DEBUG we can see the headers sent 
diff --git a/images/custom-error-pages/Makefile b/images/custom-error-pages/Makefile
index fa210ef87..7564b813d 100644
--- a/images/custom-error-pages/Makefile
+++ b/images/custom-error-pages/Makefile
@@ -29,7 +29,7 @@ IMAGE = $(REGISTRY)/nginx-errors
 export DOCKER_CLI_EXPERIMENTAL=enabled
 
 # build with buildx
-PLATFORMS?=linux/amd64,linux/arm,linux/arm64
+PLATFORMS?=linux/amd64
 OUTPUT=
 PROGRESS=plain
 

From 0dbaadf60864960f46b01b992784029d829f4ac4 Mon Sep 17 00:00:00 2001
From: Renato Britto Araujo <renatobritto@protonmail.com>
Date: Sun, 12 Sep 2021 17:10:07 -0300
Subject: [PATCH 112/376] Add e2e tests for secure cookie annotations (#7575)
 (#7619)

Co-authored-by: Agoretti <andremotta96@gmail.com>

Co-authored-by: Agoretti <andremotta96@gmail.com>
---
 test/e2e/annotations/affinity.go | 70 ++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)

diff --git a/test/e2e/annotations/affinity.go b/test/e2e/annotations/affinity.go
index 998eca82f..479860043 100644
--- a/test/e2e/annotations/affinity.go
+++ b/test/e2e/annotations/affinity.go
@@ -18,6 +18,7 @@ package annotations
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net/http"
 	"strings"
@@ -363,4 +364,73 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() {
 			Header("Set-Cookie").Contains("SERVERID=")
 	})
 
+	ginkgo.It("should set secure in cookie with provided true annotation on http", func() {
+		host := "foo.com"
+		annotations := make(map[string]string)
+		annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie"
+		annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID"
+		annotations["nginx.ingress.kubernetes.io/session-cookie-secure"] = "true"
+
+		ing := framework.NewSingleIngress(host, "/bar", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, fmt.Sprintf("server_name %s ;", host))
+			})
+
+		f.HTTPTestClient().
+			GET("/bar").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK).
+			Header("Set-Cookie").Contains("; Secure")
+	})
+
+	ginkgo.It("should not set secure in cookie with provided false annotation on http", func() {
+		host := "foo.com"
+		annotations := make(map[string]string)
+		annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie"
+		annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID"
+		annotations["nginx.ingress.kubernetes.io/session-cookie-secure"] = "false"
+
+		ing := framework.NewSingleIngress(host, "/bar", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, fmt.Sprintf("server_name %s ;", host))
+			})
+
+		f.HTTPTestClient().
+			GET("/bar").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK).
+			Header("Set-Cookie").NotContains("; Secure")
+	})
+
+	ginkgo.It("should set secure in cookie with provided false annotation on https", func() {
+		host := "foo.com"
+		annotations := make(map[string]string)
+		annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie"
+		annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID"
+		annotations["nginx.ingress.kubernetes.io/session-cookie-secure"] = "false"
+
+		f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, annotations))
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) &&
+					strings.Contains(server, "listen 443")
+			})
+
+		f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}).
+			GET("/").
+			WithURL(f.GetURL(framework.HTTPS)).
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK).
+			Header("Set-Cookie").Contains("; Secure")
+	})
 })

From 498892514deba821d6751253f783a6f383f3b784 Mon Sep 17 00:00:00 2001
From: Jintao Zhang <zhangjintao9020@gmail.com>
Date: Thu, 16 Sep 2021 02:08:11 +0800
Subject: [PATCH 113/376] Downgrade nginx to v1.19 (#7639)

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
---
 images/nginx/rootfs/build.sh                  | 10 ++++--
 .../patches/nginx-1.19.3-no_Werror.patch      | 36 -------------------
 ...> nginx-1.19.9-balancer_status_code.patch} |  0
 ... => nginx-1.19.9-cache_manager_exit.patch} |  2 +-
 ... nginx-1.19.9-delayed_posted_events.patch} |  0
 ...patch => nginx-1.19.9-hash_overflow.patch} |  0
 ...ginx-1.19.9-init_cycle_pool_release.patch} | 26 +++++++-------
 ...> nginx-1.19.9-larger_max_error_str.patch} |  4 +--
 .../patches/nginx-1.19.9-no_Werror.patch      | 36 +++++++++++++++++++
 ...> nginx-1.19.9-proxy_host_port_vars.patch} |  4 +--
 ... nginx-1.19.9-resolver_conf_parsing.patch} |  0
 ...x-1.19.9-reuseport_close_unused_fds.patch} |  0
 ...1.19.9-single_process_graceful_exit.patch} |  0
 ...atch => nginx-1.19.9-socket_cloexec.patch} |  2 +-
 ...h => nginx-1.19.9-ssl_cert_cb_yield.patch} |  0
 ...h => nginx-1.19.9-ssl_sess_cb_yield.patch} |  0
 ...tream_proxy_get_next_upstream_tries.patch} |  0
 ...x-1.19.9-stream_ssl_preread_no_skip.patch} |  0
 ...=> nginx-1.19.9-upstream_pipelining.patch} |  0
 ...ginx-1.19.9-upstream_timeout_fields.patch} |  0
 .../rootfs/patches/patch.2021.resolver.txt    | 23 ++++++++++++
 21 files changed, 85 insertions(+), 58 deletions(-)
 delete mode 100644 images/nginx/rootfs/patches/nginx-1.19.3-no_Werror.patch
 rename images/nginx/rootfs/patches/{nginx-1.19.3-balancer_status_code.patch => nginx-1.19.9-balancer_status_code.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-cache_manager_exit.patch => nginx-1.19.9-cache_manager_exit.patch} (96%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-delayed_posted_events.patch => nginx-1.19.9-delayed_posted_events.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-hash_overflow.patch => nginx-1.19.9-hash_overflow.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-init_cycle_pool_release.patch => nginx-1.19.9-init_cycle_pool_release.patch} (62%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-larger_max_error_str.patch => nginx-1.19.9-larger_max_error_str.patch} (62%)
 create mode 100644 images/nginx/rootfs/patches/nginx-1.19.9-no_Werror.patch
 rename images/nginx/rootfs/patches/{nginx-1.19.3-proxy_host_port_vars.patch => nginx-1.19.9-proxy_host_port_vars.patch} (87%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-resolver_conf_parsing.patch => nginx-1.19.9-resolver_conf_parsing.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-reuseport_close_unused_fds.patch => nginx-1.19.9-reuseport_close_unused_fds.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-single_process_graceful_exit.patch => nginx-1.19.9-single_process_graceful_exit.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-socket_cloexec.patch => nginx-1.19.9-socket_cloexec.patch} (98%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-ssl_cert_cb_yield.patch => nginx-1.19.9-ssl_cert_cb_yield.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-ssl_sess_cb_yield.patch => nginx-1.19.9-ssl_sess_cb_yield.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-stream_proxy_get_next_upstream_tries.patch => nginx-1.19.9-stream_proxy_get_next_upstream_tries.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-stream_ssl_preread_no_skip.patch => nginx-1.19.9-stream_ssl_preread_no_skip.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-upstream_pipelining.patch => nginx-1.19.9-upstream_pipelining.patch} (100%)
 rename images/nginx/rootfs/patches/{nginx-1.19.3-upstream_timeout_fields.patch => nginx-1.19.9-upstream_timeout_fields.patch} (100%)
 create mode 100644 images/nginx/rootfs/patches/patch.2021.resolver.txt

diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
index d8d57bafe..46daf5d5f 100755
--- a/images/nginx/rootfs/build.sh
+++ b/images/nginx/rootfs/build.sh
@@ -18,7 +18,7 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-export NGINX_VERSION=1.20.1
+export NGINX_VERSION=1.19.9
 
 # Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.1...master
 export NDK_VERSION=0.3.1
@@ -197,7 +197,7 @@ mkdir --verbose -p "$BUILD_PATH"
 cd "$BUILD_PATH"
 
 # download, verify and extract the source files
-get_src e462e11533d5c30baa05df7652160ff5979591d291736cfa5edb9fd2edb48c49 \
+get_src 2e35dff06a9826e8aca940e9e8be46b7e4b12c19a48d55bfc2dc28fc9cc7d841 \
         "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz"
 
 get_src 0e971105e210d272a497567fa2e2c256f4e39b845a5ba80d373e26ba1abfbd85 \
@@ -568,7 +568,11 @@ cd "$BUILD_PATH/nginx-$NGINX_VERSION"
 # apply nginx patches
 for PATCH in `ls /patches`;do
   echo "Patch: $PATCH"
-  patch -p1 < /patches/$PATCH
+  if [[ "$PATCH" == *.txt ]]; then
+    patch -p0 < /patches/$PATCH
+  else
+    patch -p1 < /patches/$PATCH
+  fi
 done
 
 WITH_FLAGS="--with-debug \
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-no_Werror.patch b/images/nginx/rootfs/patches/nginx-1.19.3-no_Werror.patch
deleted file mode 100644
index 2cf7cd9c7..000000000
--- a/images/nginx/rootfs/patches/nginx-1.19.3-no_Werror.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-diff -urp nginx-1.19.3/auto/cc/clang nginx-1.19.3-patched/auto/cc/clang
---- nginx-1.19.3/auto/cc/clang	2014-03-04 03:39:24.000000000 -0800
-+++ nginx-1.19.3-patched/auto/cc/clang	2014-03-13 20:54:26.241413360 -0700
-@@ -89,7 +89,7 @@ CFLAGS="$CFLAGS -Wconditional-uninitiali
- CFLAGS="$CFLAGS -Wno-unused-parameter"
- 
- # stop on warning
--CFLAGS="$CFLAGS -Werror"
-+#CFLAGS="$CFLAGS -Werror"
- 
- # debug
- CFLAGS="$CFLAGS -g"
-diff -urp nginx-1.19.3/auto/cc/gcc nginx-1.19.3-patched/auto/cc/gcc
---- nginx-1.19.3/auto/cc/gcc	2014-03-04 03:39:24.000000000 -0800
-+++ nginx-1.19.3-patched/auto/cc/gcc	2014-03-13 20:54:13.301355329 -0700
-@@ -168,7 +168,7 @@ esac
- 
- 
- # stop on warning
--CFLAGS="$CFLAGS -Werror"
-+#CFLAGS="$CFLAGS -Werror"
- 
- # debug
- CFLAGS="$CFLAGS -g"
-diff -urp nginx-1.19.3/auto/cc/icc nginx-1.19.3-patched/auto/cc/icc
---- nginx-1.19.3/auto/cc/icc	2014-03-04 03:39:24.000000000 -0800
-+++ nginx-1.19.3-patched/auto/cc/icc	2014-03-13 20:54:13.301355329 -0700
-@@ -115,7 +115,7 @@ case "$NGX_ICC_VER" in
- esac
- 
- # stop on warning
--CFLAGS="$CFLAGS -Werror"
-+#CFLAGS="$CFLAGS -Werror"
- 
- # debug
- CFLAGS="$CFLAGS -g"
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-balancer_status_code.patch b/images/nginx/rootfs/patches/nginx-1.19.9-balancer_status_code.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-balancer_status_code.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-balancer_status_code.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-cache_manager_exit.patch b/images/nginx/rootfs/patches/nginx-1.19.9-cache_manager_exit.patch
similarity index 96%
rename from images/nginx/rootfs/patches/nginx-1.19.3-cache_manager_exit.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-cache_manager_exit.patch
index f1f81da2c..91ee63a26 100644
--- a/images/nginx/rootfs/patches/nginx-1.19.3-cache_manager_exit.patch
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-cache_manager_exit.patch
@@ -8,7 +8,7 @@ Cache: gracefully exit the cache manager process.
 diff -r dea321e5c021 -r f64218e1ac96 src/os/unix/ngx_process_cycle.c
 --- a/src/os/unix/ngx_process_cycle.c	Thu Oct 31 18:23:49 2013 +0400
 +++ b/src/os/unix/ngx_process_cycle.c	Mon Nov 04 12:48:50 2013 -0800
-@@ -1335,7 +1335,7 @@
+@@ -1134,7 +1134,7 @@
  
          if (ngx_terminate || ngx_quit) {
              ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting");
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-delayed_posted_events.patch b/images/nginx/rootfs/patches/nginx-1.19.9-delayed_posted_events.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-delayed_posted_events.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-delayed_posted_events.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-hash_overflow.patch b/images/nginx/rootfs/patches/nginx-1.19.9-hash_overflow.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-hash_overflow.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-hash_overflow.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-init_cycle_pool_release.patch b/images/nginx/rootfs/patches/nginx-1.19.9-init_cycle_pool_release.patch
similarity index 62%
rename from images/nginx/rootfs/patches/nginx-1.19.3-init_cycle_pool_release.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-init_cycle_pool_release.patch
index b6f46674f..aa2df4660 100644
--- a/images/nginx/rootfs/patches/nginx-1.19.3-init_cycle_pool_release.patch
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-init_cycle_pool_release.patch
@@ -1,6 +1,6 @@
-diff -rup nginx-1.19.3/src/core/nginx.c nginx-1.19.3-patched/src/core/nginx.c
---- nginx-1.19.3/src/core/nginx.c	2017-12-17 00:00:38.136470108 -0800
-+++ nginx-1.19.3-patched/src/core/nginx.c	2017-12-16 23:59:51.680958322 -0800
+diff -rup nginx-1.19.9/src/core/nginx.c nginx-1.19.9-patched/src/core/nginx.c
+--- nginx-1.19.9/src/core/nginx.c	2017-12-17 00:00:38.136470108 -0800
++++ nginx-1.19.9-patched/src/core/nginx.c	2017-12-16 23:59:51.680958322 -0800
 @@ -186,6 +186,7 @@ static u_char      *ngx_prefix;
  static u_char      *ngx_conf_file;
  static u_char      *ngx_conf_params;
@@ -18,9 +18,9 @@ diff -rup nginx-1.19.3/src/core/nginx.c nginx-1.19.3-patched/src/core/nginx.c
      if (ngx_save_argv(&init_cycle, argc, argv) != NGX_OK) {
          return 1;
      }
-diff -rup nginx-1.19.3/src/core/ngx_core.h nginx-1.19.3-patched/src/core/ngx_core.h
---- nginx-1.19.3/src/core/ngx_core.h	2017-10-10 08:22:51.000000000 -0700
-+++ nginx-1.19.3-patched/src/core/ngx_core.h	2017-12-16 23:59:51.679958370 -0800
+diff -rup nginx-1.19.9/src/core/ngx_core.h nginx-1.19.9-patched/src/core/ngx_core.h
+--- nginx-1.19.9/src/core/ngx_core.h	2017-10-10 08:22:51.000000000 -0700
++++ nginx-1.19.9-patched/src/core/ngx_core.h	2017-12-16 23:59:51.679958370 -0800
 @@ -108,4 +108,6 @@ void ngx_cpuinfo(void);
  #define NGX_DISABLE_SYMLINKS_NOTOWNER   2
  #endif
@@ -28,9 +28,9 @@ diff -rup nginx-1.19.3/src/core/ngx_core.h nginx-1.19.3-patched/src/core/ngx_cor
 +extern ngx_pool_t        *saved_init_cycle_pool;
 +
  #endif /* _NGX_CORE_H_INCLUDED_ */
-diff -rup nginx-1.19.3/src/core/ngx_cycle.c nginx-1.19.3-patched/src/core/ngx_cycle.c
---- nginx-1.19.3/src/core/ngx_cycle.c	2017-10-10 08:22:51.000000000 -0700
-+++ nginx-1.19.3-patched/src/core/ngx_cycle.c	2017-12-16 23:59:51.678958419 -0800
+diff -rup nginx-1.19.9/src/core/ngx_cycle.c nginx-1.19.9-patched/src/core/ngx_cycle.c
+--- nginx-1.19.9/src/core/ngx_cycle.c	2017-10-10 08:22:51.000000000 -0700
++++ nginx-1.19.9-patched/src/core/ngx_cycle.c	2017-12-16 23:59:51.678958419 -0800
 @@ -748,6 +748,10 @@ old_shm_zone_done:
  
      if (ngx_process == NGX_PROCESS_MASTER || ngx_is_init_cycle(old_cycle)) {
@@ -42,10 +42,10 @@ diff -rup nginx-1.19.3/src/core/ngx_cycle.c nginx-1.19.3-patched/src/core/ngx_cy
          ngx_destroy_pool(old_cycle->pool);
          cycle->old_cycle = NULL;
  
-diff -rup nginx-1.19.3/src/os/unix/ngx_process_cycle.c nginx-1.19.3-patched/src/os/unix/ngx_process_cycle.c
---- nginx-1.19.3/src/os/unix/ngx_process_cycle.c	2017-12-17 00:00:38.142469762 -0800
-+++ nginx-1.19.3-patched/src/os/unix/ngx_process_cycle.c	2017-12-16 23:59:51.691957791 -0800
-@@ -783,6 +783,11 @@ ngx_master_process_exit(ngx_cycle_t *cyc
+diff -rup nginx-1.19.9/src/os/unix/ngx_process_cycle.c nginx-1.19.9-patched/src/os/unix/ngx_process_cycle.c
+--- nginx-1.19.9/src/os/unix/ngx_process_cycle.c	2017-12-17 00:00:38.142469762 -0800
++++ nginx-1.19.9-patched/src/os/unix/ngx_process_cycle.c	2017-12-16 23:59:51.691957791 -0800
+@@ -687,6 +692,11 @@ ngx_master_process_exit(ngx_cycle_t *cyc
      ngx_exit_cycle.files_n = ngx_cycle->files_n;
      ngx_cycle = &ngx_exit_cycle;
  
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-larger_max_error_str.patch b/images/nginx/rootfs/patches/nginx-1.19.9-larger_max_error_str.patch
similarity index 62%
rename from images/nginx/rootfs/patches/nginx-1.19.3-larger_max_error_str.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-larger_max_error_str.patch
index c7013e05d..0628d3abb 100644
--- a/images/nginx/rootfs/patches/nginx-1.19.3-larger_max_error_str.patch
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-larger_max_error_str.patch
@@ -1,5 +1,5 @@
---- nginx-1.19.3/src/core/ngx_log.h	2013-10-08 05:07:14.000000000 -0700
-+++ nginx-1.19.3-patched/src/core/ngx_log.h	2013-12-05 20:35:35.996236720 -0800
+--- nginx-1.19.9/src/core/ngx_log.h	2013-10-08 05:07:14.000000000 -0700
++++ nginx-1.19.9-patched/src/core/ngx_log.h	2013-12-05 20:35:35.996236720 -0800
 @@ -64,7 +64,9 @@ struct ngx_log_s {
  };
  
diff --git a/images/nginx/rootfs/patches/nginx-1.19.9-no_Werror.patch b/images/nginx/rootfs/patches/nginx-1.19.9-no_Werror.patch
new file mode 100644
index 000000000..7bb0ac902
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-no_Werror.patch
@@ -0,0 +1,36 @@
+diff -urp nginx-1.19.9/auto/cc/clang nginx-1.19.9-patched/auto/cc/clang
+--- nginx-1.19.9/auto/cc/clang	2014-03-04 03:39:24.000000000 -0800
++++ nginx-1.19.9-patched/auto/cc/clang	2014-03-13 20:54:26.241413360 -0700
+@@ -89,7 +89,7 @@ CFLAGS="$CFLAGS -Wconditional-uninitiali
+ CFLAGS="$CFLAGS -Wno-unused-parameter"
+ 
+ # stop on warning
+-CFLAGS="$CFLAGS -Werror"
++#CFLAGS="$CFLAGS -Werror"
+ 
+ # debug
+ CFLAGS="$CFLAGS -g"
+diff -urp nginx-1.19.9/auto/cc/gcc nginx-1.19.9-patched/auto/cc/gcc
+--- nginx-1.19.9/auto/cc/gcc	2014-03-04 03:39:24.000000000 -0800
++++ nginx-1.19.9-patched/auto/cc/gcc	2014-03-13 20:54:13.301355329 -0700
+@@ -168,7 +168,7 @@ esac
+ 
+ 
+ # stop on warning
+-CFLAGS="$CFLAGS -Werror"
++#CFLAGS="$CFLAGS -Werror"
+ 
+ # debug
+ CFLAGS="$CFLAGS -g"
+diff -urp nginx-1.19.9/auto/cc/icc nginx-1.19.9-patched/auto/cc/icc
+--- nginx-1.19.9/auto/cc/icc	2014-03-04 03:39:24.000000000 -0800
++++ nginx-1.19.9-patched/auto/cc/icc	2014-03-13 20:54:13.301355329 -0700
+@@ -115,7 +115,7 @@ case "$NGX_ICC_VER" in
+ esac
+ 
+ # stop on warning
+-CFLAGS="$CFLAGS -Werror"
++#CFLAGS="$CFLAGS -Werror"
+ 
+ # debug
+ CFLAGS="$CFLAGS -g"
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-proxy_host_port_vars.patch b/images/nginx/rootfs/patches/nginx-1.19.9-proxy_host_port_vars.patch
similarity index 87%
rename from images/nginx/rootfs/patches/nginx-1.19.3-proxy_host_port_vars.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-proxy_host_port_vars.patch
index 63eaf0ca7..25282bda3 100644
--- a/images/nginx/rootfs/patches/nginx-1.19.3-proxy_host_port_vars.patch
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-proxy_host_port_vars.patch
@@ -1,5 +1,5 @@
---- nginx-1.19.3/src/http/modules/ngx_http_proxy_module.c	2017-07-16 14:02:51.000000000 +0800
-+++ nginx-1.19.3-patched/src/http/modules/ngx_http_proxy_module.c	2017-07-16 14:02:51.000000000 +0800
+--- nginx-1.19.9/src/http/modules/ngx_http_proxy_module.c	2017-07-16 14:02:51.000000000 +0800
++++ nginx-1.19.9-patched/src/http/modules/ngx_http_proxy_module.c	2017-07-16 14:02:51.000000000 +0800
 @@ -793,13 +793,13 @@ static ngx_keyval_t  ngx_http_proxy_cach
  static ngx_http_variable_t  ngx_http_proxy_vars[] = {
  
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-resolver_conf_parsing.patch b/images/nginx/rootfs/patches/nginx-1.19.9-resolver_conf_parsing.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-resolver_conf_parsing.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-resolver_conf_parsing.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-reuseport_close_unused_fds.patch b/images/nginx/rootfs/patches/nginx-1.19.9-reuseport_close_unused_fds.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-reuseport_close_unused_fds.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-reuseport_close_unused_fds.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-single_process_graceful_exit.patch b/images/nginx/rootfs/patches/nginx-1.19.9-single_process_graceful_exit.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-single_process_graceful_exit.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-single_process_graceful_exit.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-socket_cloexec.patch b/images/nginx/rootfs/patches/nginx-1.19.9-socket_cloexec.patch
similarity index 98%
rename from images/nginx/rootfs/patches/nginx-1.19.3-socket_cloexec.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-socket_cloexec.patch
index 985ce573b..8ffe4c167 100644
--- a/images/nginx/rootfs/patches/nginx-1.19.3-socket_cloexec.patch
+++ b/images/nginx/rootfs/patches/nginx-1.19.9-socket_cloexec.patch
@@ -151,7 +151,7 @@ diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
 index c4376a5..48e8fa8 100644
 --- a/src/os/unix/ngx_process_cycle.c
 +++ b/src/os/unix/ngx_process_cycle.c
-@@ -1032,6 +1032,9 @@ ngx_worker_process_exit(ngx_cycle_t *cycle)
+@@ -960,6 +1029,9 @@ ngx_worker_process_exit(ngx_cycle_t *cycle)
          for (i = 0; i < cycle->connection_n; i++) {
              if (c[i].fd != -1
                  && c[i].read
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-ssl_cert_cb_yield.patch b/images/nginx/rootfs/patches/nginx-1.19.9-ssl_cert_cb_yield.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-ssl_cert_cb_yield.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-ssl_cert_cb_yield.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-ssl_sess_cb_yield.patch b/images/nginx/rootfs/patches/nginx-1.19.9-ssl_sess_cb_yield.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-ssl_sess_cb_yield.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-ssl_sess_cb_yield.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-stream_proxy_get_next_upstream_tries.patch b/images/nginx/rootfs/patches/nginx-1.19.9-stream_proxy_get_next_upstream_tries.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-stream_proxy_get_next_upstream_tries.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-stream_proxy_get_next_upstream_tries.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-stream_ssl_preread_no_skip.patch b/images/nginx/rootfs/patches/nginx-1.19.9-stream_ssl_preread_no_skip.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-stream_ssl_preread_no_skip.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-stream_ssl_preread_no_skip.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-upstream_pipelining.patch b/images/nginx/rootfs/patches/nginx-1.19.9-upstream_pipelining.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-upstream_pipelining.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-upstream_pipelining.patch
diff --git a/images/nginx/rootfs/patches/nginx-1.19.3-upstream_timeout_fields.patch b/images/nginx/rootfs/patches/nginx-1.19.9-upstream_timeout_fields.patch
similarity index 100%
rename from images/nginx/rootfs/patches/nginx-1.19.3-upstream_timeout_fields.patch
rename to images/nginx/rootfs/patches/nginx-1.19.9-upstream_timeout_fields.patch
diff --git a/images/nginx/rootfs/patches/patch.2021.resolver.txt b/images/nginx/rootfs/patches/patch.2021.resolver.txt
new file mode 100644
index 000000000..6c895e61c
--- /dev/null
+++ b/images/nginx/rootfs/patches/patch.2021.resolver.txt
@@ -0,0 +1,23 @@
+diff --git src/core/ngx_resolver.c src/core/ngx_resolver.c
+--- src/core/ngx_resolver.c
++++ src/core/ngx_resolver.c
+@@ -4008,15 +4008,15 @@ done:
+             n = *src++;
+ 
+         } else {
++            if (dst != name->data) {
++                *dst++ = '.';
++            }
++
+             ngx_strlow(dst, src, n);
+             dst += n;
+             src += n;
+ 
+             n = *src++;
+-
+-            if (n != 0) {
+-                *dst++ = '.';
+-            }
+         }
+ 
+         if (n == 0) {

From 557a765754f83da8f71917aba4a6c75bc5118bb7 Mon Sep 17 00:00:00 2001
From: agile6v <agile6v@gmail.com>
Date: Thu, 16 Sep 2021 02:30:12 +0800
Subject: [PATCH 114/376] fix typos. (#7640)

---
 docs/user-guide/nginx-configuration/annotations.md | 2 +-
 rootfs/etc/nginx/lua/plugins/README.md             | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
index 1fb883596..38439b33f 100755
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@@ -531,7 +531,7 @@ to include that in access logs.
 1. The annotations below creates Global Rate Limiting instance per ingress.
 That means if there are multuple paths configured under the same ingress,
 the Global Rate Limiting will count requests to all the paths under the same counter.
-Extract a path out into its own ingres if you need to isolate a certain path.
+Extract a path out into its own ingress if you need to isolate a certain path.
 
 
 * `nginx.ingress.kubernetes.io/global-rate-limit`: Configures maximum allowed number of requests per window. Required.
diff --git a/rootfs/etc/nginx/lua/plugins/README.md b/rootfs/etc/nginx/lua/plugins/README.md
index 5178f01f0..0626a48ff 100644
--- a/rootfs/etc/nginx/lua/plugins/README.md
+++ b/rootfs/etc/nginx/lua/plugins/README.md
@@ -33,4 +33,4 @@ Mounting is the quickest option.
 
 ### Enabling plugins
 
-Once your plugin is ready you need to use [`plugins` configuration setting](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#plugins) to activate it. Let's say you want to active `hello_world` and `open_idc` plugins, then you set `plugins` setting to `"hello_world, open_idc"`. _Note_ that the plugins will be executed in the given order.
+Once your plugin is ready you need to use [`plugins` configuration setting](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#plugins) to activate it. Let's say you want to activate `hello_world` and `open_idc` plugins, then you set `plugins` setting to `"hello_world, open_idc"`. _Note_ that the plugins will be executed in the given order.

From 19df0a3c4ba1ada4dc421976bea606061a960ef6 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Wed, 15 Sep 2021 16:24:12 -0300
Subject: [PATCH 115/376] Add security contacts (#7642)

---
 SECURITY_CONTACTS | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/SECURITY_CONTACTS b/SECURITY_CONTACTS
index fd437b717..b04c993fc 100644
--- a/SECURITY_CONTACTS
+++ b/SECURITY_CONTACTS
@@ -9,4 +9,6 @@
 #
 # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
 # INSTRUCTIONS AT https://kubernetes.io/security/
-
+bowei
+rikatz
+strongjz

From d9f96bbbba78eb263532cb4903eb3ec6b6ed857b Mon Sep 17 00:00:00 2001
From: Jintao Zhang <zhangjintao9020@gmail.com>
Date: Thu, 16 Sep 2021 20:07:46 +0800
Subject: [PATCH 116/376] Update NGINX base image to v1.19 (#7643)

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
---
 Makefile                         | 2 +-
 images/echo/Makefile             | 2 +-
 images/nginx/README.md           | 2 +-
 images/nginx/rc.yaml             | 2 +-
 images/test-runner/Makefile      | 2 +-
 test/e2e/framework/deployment.go | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/Makefile b/Makefile
index 6bc6f8cdc..59bd3c7fe 100644
--- a/Makefile
+++ b/Makefile
@@ -51,7 +51,7 @@ endif
 
 REGISTRY ?= gcr.io/k8s-staging-ingress-nginx
 
-BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210904-gb7c973dce@sha256:fac972a7e43b18408ecb9e87da868df519428294e2e988c16be72479ee873c0e
+BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210915-g498892514@sha256:8c1e48123e64e3f2b90ed32a53babd9b5f5431dad26beecdcb8fc185ded3b6dd
 
 GOARCH=$(ARCH)
 
diff --git a/images/echo/Makefile b/images/echo/Makefile
index ccfa711b0..f87aa1c76 100644
--- a/images/echo/Makefile
+++ b/images/echo/Makefile
@@ -36,7 +36,7 @@ build: ensure-buildx
 		--platform=${PLATFORMS} $(OUTPUT) \
 		--progress=$(PROGRESS) \
 		--pull \
-		--build-arg BASE_IMAGE=k8s.gcr.io/ingress-nginx/nginx:v20210904-gb7c973dce@sha256:fac972a7e43b18408ecb9e87da868df519428294e2e988c16be72479ee873c0e \
+		--build-arg BASE_IMAGE=k8s.gcr.io/ingress-nginx/nginx:v20210915-g498892514@sha256:8c1e48123e64e3f2b90ed32a53babd9b5f5431dad26beecdcb8fc185ded3b6dd \
 		--build-arg LUAROCKS_VERSION=3.3.1 \
 		--build-arg LUAROCKS_SHA=837481e408f7c06b59befe7ec194537c657687d624894bca7f79034302141a34 \
 		-t $(IMAGE):$(TAG) rootfs
diff --git a/images/nginx/README.md b/images/nginx/README.md
index fc247699e..947e97db9 100644
--- a/images/nginx/README.md
+++ b/images/nginx/README.md
@@ -18,6 +18,6 @@ This image provides a default configuration file with no backend servers.
 _Using docker_
 
 ```console
-docker run -v /some/nginx.con:/etc/nginx/nginx.conf:ro k8s.gcr.io/ingress-nginx/nginx:v20210904-gb7c973dce@sha256:fac972a7e43b18408ecb9e87da868df519428294e2e988c16be72479ee873c0e
+docker run -v /some/nginx.con:/etc/nginx/nginx.conf:ro k8s.gcr.io/ingress-nginx/nginx:v20210915-g498892514@sha256:8c1e48123e64e3f2b90ed32a53babd9b5f5431dad26beecdcb8fc185ded3b6dd
 ```
 
diff --git a/images/nginx/rc.yaml b/images/nginx/rc.yaml
index e5654260f..e8cef4e35 100644
--- a/images/nginx/rc.yaml
+++ b/images/nginx/rc.yaml
@@ -38,7 +38,7 @@ spec:
     spec:
       containers:
         - name: nginx
-          image: k8s.gcr.io/ingress-nginx/nginx:v20210904-gb7c973dce@sha256:fac972a7e43b18408ecb9e87da868df519428294e2e988c16be72479ee873c0e
+          image: k8s.gcr.io/ingress-nginx/nginx:v20210915-g498892514@sha256:8c1e48123e64e3f2b90ed32a53babd9b5f5431dad26beecdcb8fc185ded3b6dd
           ports:
             - containerPort: 80
             - containerPort: 443
diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile
index 0ba3561b0..12bb7429b 100644
--- a/images/test-runner/Makefile
+++ b/images/test-runner/Makefile
@@ -23,7 +23,7 @@ REGISTRY ?= local
 
 IMAGE = $(REGISTRY)/e2e-test-runner
 
-NGINX_BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210904-gb7c973dce@sha256:fac972a7e43b18408ecb9e87da868df519428294e2e988c16be72479ee873c0e
+NGINX_BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210915-g498892514@sha256:8c1e48123e64e3f2b90ed32a53babd9b5f5431dad26beecdcb8fc185ded3b6dd
 
 # required to enable buildx
 export DOCKER_CLI_EXPERIMENTAL=enabled
diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go
index 95bf37d75..4f01fab9e 100644
--- a/test/e2e/framework/deployment.go
+++ b/test/e2e/framework/deployment.go
@@ -38,7 +38,7 @@ const SlowEchoService = "slow-echo"
 const HTTPBinService = "httpbin"
 
 // NginxBaseImage use for testing
-const NginxBaseImage = "k8s.gcr.io/ingress-nginx/nginx:v20210904-gb7c973dce@sha256:fac972a7e43b18408ecb9e87da868df519428294e2e988c16be72479ee873c0e"
+const NginxBaseImage = "k8s.gcr.io/ingress-nginx/nginx:v20210915-g498892514@sha256:8c1e48123e64e3f2b90ed32a53babd9b5f5431dad26beecdcb8fc185ded3b6dd"
 
 // NewEchoDeployment creates a new single replica deployment of the echoserver image in a particular namespace
 func (f *Framework) NewEchoDeployment() {

From 53fab99a86b0d268b67ef20c5c95d16d07e6c728 Mon Sep 17 00:00:00 2001
From: Jintao Zhang <zhangjintao9020@gmail.com>
Date: Fri, 17 Sep 2021 01:01:46 +0800
Subject: [PATCH 117/376] Update e2e-test-runner image (#7648)

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
---
 build/run-in-docker.sh    | 2 +-
 test/e2e-image/Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh
index 90382fd5c..d345a81ec 100755
--- a/build/run-in-docker.sh
+++ b/build/run-in-docker.sh
@@ -37,7 +37,7 @@ function cleanup {
 }
 trap cleanup EXIT
 
-E2E_IMAGE=${E2E_IMAGE:-k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210906-g7d577d976@sha256:cf7079b5c05b8b1b108b16752c6ff4ca312cf96700e91eef6088b9e0c4a7aff1}
+E2E_IMAGE=${E2E_IMAGE:-k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210916-gd9f96bbbb@sha256:5b434c08e582b58b96867152682c1e754ee609c82390abf3074992d4ec53ed25}
 
 DOCKER_OPTS=${DOCKER_OPTS:-}
 DOCKER_IN_DOCKER_ENABLED=${DOCKER_IN_DOCKER_ENABLED:-}
diff --git a/test/e2e-image/Dockerfile b/test/e2e-image/Dockerfile
index 083ad5792..fc5f30000 100644
--- a/test/e2e-image/Dockerfile
+++ b/test/e2e-image/Dockerfile
@@ -1,4 +1,4 @@
-FROM k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210906-g7d577d976@sha256:cf7079b5c05b8b1b108b16752c6ff4ca312cf96700e91eef6088b9e0c4a7aff1 AS BASE
+FROM k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210916-gd9f96bbbb@sha256:5b434c08e582b58b96867152682c1e754ee609c82390abf3074992d4ec53ed25 AS BASE
 
 FROM alpine:3.12
 

From b3389a1b6f3834d7641cee9f2d566fb32ac27d77 Mon Sep 17 00:00:00 2001
From: bishtsaurabh5 <bishtsaurabh5@gmail.com>
Date: Fri, 17 Sep 2021 02:23:27 +0530
Subject: [PATCH 118/376] Add github action for building images (#7636)

- Add github action test-image-build
- Filters the images folder
and checks for changes
- If the changes are done then the
make build would be performed
---
 .github/workflows/ci.yaml | 61 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 59 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 703be9cb3..030c9abe5 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -122,7 +122,7 @@ jobs:
 
       - name: Checkout
         uses: actions/checkout@v2
-    
+
       - name: cache
         uses: actions/download-artifact@v2
         with:
@@ -143,7 +143,7 @@ jobs:
         with:
           version: v0.11.1
           image: kindest/node:v1.21.1
-    
+
       - uses: geekyeggo/delete-artifact@v1
         with:
           name: docker.tar.gz
@@ -220,3 +220,60 @@ jobs:
         run: |
           kind get kubeconfig > $HOME/.kube/kind-config-kind
           make kind-e2e-test
+
+  test-image-build:
+    runs-on: ubuntu-latest
+    env:
+      PLATFORMS: linux/amd64
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - uses: dorny/paths-filter@v2
+        id: filter-images
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          filters: |
+            custom-error-pages:
+              - 'images/custom-error-pages/**'
+            cfssl:
+              - 'images/cfssl/**'
+            fastcgi-helloserver:
+              - 'images/fastcgi-helloserver/**'
+            echo:
+              - 'images/echo/**'
+            go-grpc-greeter-server:
+              - 'images/go-grpc-greeter-server/**'
+            httpbin:
+              - 'images/httpbin/**'
+            kube-webhook-certgen:
+              - 'images/kube-webhook-certgen/**'
+
+      - name: custom-error-pages image build
+        if: ${{ steps.filter-images.outputs.custom-error-pages == 'true' }}
+        run: |
+          cd images/custom-error-pages && make build
+      - name: cfssl image build
+        if: ${{ steps.filter-images.outputs.cfssl == 'true' }}
+        run: |
+          cd images/cfssl && make build
+      - name: fastcgi-helloserver
+        if: ${{ steps.filter-images.outputs.fastcgi-helloserver == 'true' }}
+        run: |
+          cd images/fastcgi-helloserver && make build
+      - name: echo image build
+        if: ${{ steps.filter-images.outputs.echo == 'true' }}
+        run: |
+          cd images/echo && make build
+      - name: go-grpc-greeter-server image build
+        if: ${{ steps.filter-images.outputs.go-grpc-greeter-server == 'true' }}
+        run: |
+          cd images/go-grpc-greeter-server && make build
+      - name: httpbin image build
+        if: ${{ steps.filter-images.outputs.httpbin == 'true' }}
+        run: |
+          cd images/httpbin && make build
+      - name: kube-webhook-certgen image build
+        if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
+        run: |
+          cd images/kube-webhook-certgen && make build
\ No newline at end of file

From 260910c0a0ad74639174044aaa10108af1911135 Mon Sep 17 00:00:00 2001
From: Mateusz Gozdek <mateusz@kinvolk.io>
Date: Thu, 16 Sep 2021 22:59:26 +0200
Subject: [PATCH 119/376] images/kube-webhook-certgen/rootfs: improvements
 (#7630)

* images/kube-webhook-certgen/rootfs/README.md: remove trailing whitespace

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs: improve code formatting

Automatically using gofumpt.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs: remove executable bits from files

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/cmd: remove unreachable code

log.Fatal(|f) will alread call os.Exit(1), so this code is never
reached.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/pkg/k8s: fix unit tests

Right now they fail as everything else migrated from using v1beta1 to
v1.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs: create clientset in cmd package

So one can easily mock the client, without touching unexported parts of
the code and to soften the dependency between CLI code (kubeconfig
path).

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/cmd: simplify bool logic

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/pkg/k8s: improve formatting

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/pkg/k8s: improve variable names

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/pkg/k8s: refactor a bit

Move patching logic to separate functions.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/pkg/k8s: fix error log messages

In patchMutating() function, log messages were waying still patching
validating webhook.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
---
 images/kube-webhook-certgen/rootfs/README.md  |   4 +-
 .../kube-webhook-certgen/rootfs/cmd/create.go |  17 ++-
 .../kube-webhook-certgen/rootfs/cmd/patch.go  |  23 ++--
 .../kube-webhook-certgen/rootfs/cmd/root.go   |  16 +++
 .../rootfs/pkg/certs/certs.go                 |   3 +-
 .../rootfs/pkg/certs/certs_test.go            |   5 +-
 .../rootfs/pkg/k8s/k8s.go                     | 123 +++++++++---------
 .../rootfs/pkg/k8s/k8s_test.go                |  11 +-
 8 files changed, 108 insertions(+), 94 deletions(-)
 mode change 100755 => 100644 images/kube-webhook-certgen/rootfs/README.md
 mode change 100755 => 100644 images/kube-webhook-certgen/rootfs/cmd/create.go
 mode change 100755 => 100644 images/kube-webhook-certgen/rootfs/cmd/patch.go
 mode change 100755 => 100644 images/kube-webhook-certgen/rootfs/cmd/root.go
 mode change 100755 => 100644 images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go

diff --git a/images/kube-webhook-certgen/rootfs/README.md b/images/kube-webhook-certgen/rootfs/README.md
old mode 100755
new mode 100644
index 47a8c74c7..9f5781660
--- a/images/kube-webhook-certgen/rootfs/README.md
+++ b/images/kube-webhook-certgen/rootfs/README.md
@@ -7,14 +7,14 @@ creators.
 
 ## Overview
 Generates a CA and leaf certificate with a long (100y) expiration, then patches [Kubernetes Admission Webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/)
-by setting the `caBundle` field with the generated CA. 
+by setting the `caBundle` field with the generated CA.
 Can optionally patch the hooks `failurePolicy` setting - useful in cases where a single Helm chart needs to provision resources
 and hooks at the same time as patching.
 
 The utility works in two parts, optimized to work better with the Helm provisioning process that leverages pre-install and post-install hooks to execute this as a Kubernetes job.
 
 ## Security Considerations
-This tool may not be adequate in all security environments. If a more complete solution is required, you may want to 
+This tool may not be adequate in all security environments. If a more complete solution is required, you may want to
 seek alternatives such as [jetstack/cert-manager](https://github.com/jetstack/cert-manager)
 
 ## Command line options
diff --git a/images/kube-webhook-certgen/rootfs/cmd/create.go b/images/kube-webhook-certgen/rootfs/cmd/create.go
old mode 100755
new mode 100644
index 799d300ca..576a59bc0
--- a/images/kube-webhook-certgen/rootfs/cmd/create.go
+++ b/images/kube-webhook-certgen/rootfs/cmd/create.go
@@ -7,17 +7,16 @@ import (
 	"github.com/spf13/cobra"
 )
 
-var (
-	create = &cobra.Command{
-		Use:    "create",
-		Short:  "Generate a ca and server cert+key and store the results in a secret 'secret-name' in 'namespace'",
-		Long:   "Generate a ca and server cert+key and store the results in a secret 'secret-name' in 'namespace'",
-		PreRun: configureLogging,
-		Run:    createCommand}
-)
+var create = &cobra.Command{
+	Use:    "create",
+	Short:  "Generate a ca and server cert+key and store the results in a secret 'secret-name' in 'namespace'",
+	Long:   "Generate a ca and server cert+key and store the results in a secret 'secret-name' in 'namespace'",
+	PreRun: configureLogging,
+	Run:    createCommand,
+}
 
 func createCommand(cmd *cobra.Command, args []string) {
-	k := k8s.New(cfg.kubeconfig)
+	k := k8s.New(newKubernetesClient(cfg.kubeconfig))
 	ca := k.GetCaFromSecret(cfg.secretName, cfg.namespace)
 	if ca == nil {
 		log.Info("creating new secret")
diff --git a/images/kube-webhook-certgen/rootfs/cmd/patch.go b/images/kube-webhook-certgen/rootfs/cmd/patch.go
old mode 100755
new mode 100644
index b74eb1f3a..d139b37c0
--- a/images/kube-webhook-certgen/rootfs/cmd/patch.go
+++ b/images/kube-webhook-certgen/rootfs/cmd/patch.go
@@ -1,28 +1,24 @@
 package cmd
 
 import (
-	"os"
-
 	"github.com/jet/kube-webhook-certgen/pkg/k8s"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	admissionv1 "k8s.io/api/admissionregistration/v1"
 )
 
-var (
-	patch = &cobra.Command{
-		Use:    "patch",
-		Short:  "Patch a validatingwebhookconfiguration and mutatingwebhookconfiguration 'webhook-name' by using the ca from 'secret-name' in 'namespace'",
-		Long:   "Patch a validatingwebhookconfiguration and mutatingwebhookconfiguration 'webhook-name' by using the ca from 'secret-name' in 'namespace'",
-		PreRun: prePatchCommand,
-		Run:    patchCommand}
-)
+var patch = &cobra.Command{
+	Use:    "patch",
+	Short:  "Patch a validatingwebhookconfiguration and mutatingwebhookconfiguration 'webhook-name' by using the ca from 'secret-name' in 'namespace'",
+	Long:   "Patch a validatingwebhookconfiguration and mutatingwebhookconfiguration 'webhook-name' by using the ca from 'secret-name' in 'namespace'",
+	PreRun: prePatchCommand,
+	Run:    patchCommand,
+}
 
 func prePatchCommand(cmd *cobra.Command, args []string) {
 	configureLogging(cmd, args)
-	if cfg.patchMutating == false && cfg.patchValidating == false {
+	if !cfg.patchMutating && !cfg.patchValidating {
 		log.Fatal("patch-validating=false, patch-mutating=false. You must patch at least one kind of webhook, otherwise this command is a no-op")
-		os.Exit(1)
 	}
 	switch cfg.patchFailurePolicy {
 	case "":
@@ -33,12 +29,11 @@ func prePatchCommand(cmd *cobra.Command, args []string) {
 		break
 	default:
 		log.Fatalf("patch-failure-policy %s is not valid", cfg.patchFailurePolicy)
-		os.Exit(1)
 	}
 }
 
 func patchCommand(_ *cobra.Command, _ []string) {
-	k := k8s.New(cfg.kubeconfig)
+	k := k8s.New(newKubernetesClient(cfg.kubeconfig))
 	ca := k.GetCaFromSecret(cfg.secretName, cfg.namespace)
 
 	if ca == nil {
diff --git a/images/kube-webhook-certgen/rootfs/cmd/root.go b/images/kube-webhook-certgen/rootfs/cmd/root.go
old mode 100755
new mode 100644
index bee41c26c..03f87ac06
--- a/images/kube-webhook-certgen/rootfs/cmd/root.go
+++ b/images/kube-webhook-certgen/rootfs/cmd/root.go
@@ -7,6 +7,8 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	admissionv1 "k8s.io/api/admissionregistration/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
 )
 
 var (
@@ -81,3 +83,17 @@ func getFormatter(logfmt string) log.Formatter {
 	log.Fatalf("invalid log format '%s'", logfmt)
 	return nil
 }
+
+func newKubernetesClient(kubeconfig string) kubernetes.Interface {
+	config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
+	if err != nil {
+		log.WithError(err).Fatal("error building kubernetes config")
+	}
+
+	c, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		log.WithError(err).Fatal("error creating kubernetes client")
+	}
+
+	return c
+}
diff --git a/images/kube-webhook-certgen/rootfs/pkg/certs/certs.go b/images/kube-webhook-certgen/rootfs/pkg/certs/certs.go
index 3e60f3311..ea6f4b27c 100644
--- a/images/kube-webhook-certgen/rootfs/pkg/certs/certs.go
+++ b/images/kube-webhook-certgen/rootfs/pkg/certs/certs.go
@@ -7,11 +7,12 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
-	log "github.com/sirupsen/logrus"
 	"math/big"
 	"net"
 	"strings"
 	"time"
+
+	log "github.com/sirupsen/logrus"
 )
 
 // GenerateCerts venerates a ca with a leaf certificate and key and returns the ca, cert and key as PEM encoded slices
diff --git a/images/kube-webhook-certgen/rootfs/pkg/certs/certs_test.go b/images/kube-webhook-certgen/rootfs/pkg/certs/certs_test.go
index e8fa0bb18..b4d95b9b2 100644
--- a/images/kube-webhook-certgen/rootfs/pkg/certs/certs_test.go
+++ b/images/kube-webhook-certgen/rootfs/pkg/certs/certs_test.go
@@ -16,7 +16,6 @@ func handler(w http.ResponseWriter, r *http.Request) {
 }
 
 func TestCertificateCreation(t *testing.T) {
-
 	ca, cert, key := GenerateCerts("localhost")
 
 	c, err := tls.X509KeyPair(cert, key)
@@ -30,7 +29,9 @@ func TestCertificateCreation(t *testing.T) {
 	tr := &http.Transport{
 		TLSClientConfig: &tls.Config{
 			RootCAs:    caCertPool,
-			ServerName: "localhost"}}
+			ServerName: "localhost",
+		},
+	}
 
 	ts := httptest.NewUnstartedServer(http.HandlerFunc(handler))
 	ts.TLS = &tls.Config{Certificates: []tls.Certificate{c}}
diff --git a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go
old mode 100755
new mode 100644
index f0f21abd8..2d2000a8a
--- a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go
+++ b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go
@@ -9,87 +9,41 @@ import (
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/tools/clientcmd"
 )
 
 type k8s struct {
 	clientset kubernetes.Interface
 }
 
-func New(kubeconfig string) *k8s {
-	config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
-	if err != nil {
-		log.WithError(err).Fatal("error building kubernetes config")
+func New(clientset kubernetes.Interface) *k8s {
+	if clientset == nil {
+		log.Fatal("no kubernetes client given")
 	}
 
-	c, err := kubernetes.NewForConfig(config)
-	if err != nil {
-		log.WithError(err).Fatal("error creating kubernetes client")
+	return &k8s{
+		clientset: clientset,
 	}
-
-	return &k8s{clientset: c}
 }
 
 // PatchWebhookConfigurations will patch validatingWebhook and mutatingWebhook clientConfig configurations with
 // the provided ca data. If failurePolicy is provided, patch all webhooks with this value
 func (k8s *k8s) PatchWebhookConfigurations(
-	configurationNames string, ca []byte,
+	configurationName string,
+	ca []byte,
 	failurePolicy *admissionv1.FailurePolicyType,
-	patchMutating bool, patchValidating bool) {
-
-	log.Infof("patching webhook configurations '%s' mutating=%t, validating=%t, failurePolicy=%s", configurationNames, patchMutating, patchValidating, *failurePolicy)
+	patchMutating bool,
+	patchValidating bool,
+) {
+	log.Infof("patching webhook configurations '%s' mutating=%t, validating=%t, failurePolicy=%s", configurationName, patchMutating, patchValidating, *failurePolicy)
 
 	if patchValidating {
-		valHook, err := k8s.clientset.
-			AdmissionregistrationV1().
-			ValidatingWebhookConfigurations().
-			Get(context.TODO(), configurationNames, metav1.GetOptions{})
-
-		if err != nil {
-			log.WithField("err", err).Fatal("failed getting validating webhook")
-		}
-
-		for i := range valHook.Webhooks {
-			h := &valHook.Webhooks[i]
-			h.ClientConfig.CABundle = ca
-			if *failurePolicy != "" {
-				h.FailurePolicy = failurePolicy
-			}
-		}
-
-		if _, err = k8s.clientset.AdmissionregistrationV1().
-			ValidatingWebhookConfigurations().
-			Update(context.TODO(), valHook, metav1.UpdateOptions{}); err != nil {
-			log.WithField("err", err).Fatal("failed patching validating webhook")
-		}
-		log.Debug("patched validating hook")
+		k8s.patchValidating(configurationName, ca, failurePolicy)
 	} else {
 		log.Debug("validating hook patching not required")
 	}
 
 	if patchMutating {
-		mutHook, err := k8s.clientset.
-			AdmissionregistrationV1().
-			MutatingWebhookConfigurations().
-			Get(context.TODO(), configurationNames, metav1.GetOptions{})
-		if err != nil {
-			log.WithField("err", err).Fatal("failed getting validating webhook")
-		}
-
-		for i := range mutHook.Webhooks {
-			h := &mutHook.Webhooks[i]
-			h.ClientConfig.CABundle = ca
-			if *failurePolicy != "" {
-				h.FailurePolicy = failurePolicy
-			}
-		}
-
-		if _, err = k8s.clientset.AdmissionregistrationV1().
-			MutatingWebhookConfigurations().
-			Update(context.TODO(), mutHook, metav1.UpdateOptions{}); err != nil {
-			log.WithField("err", err).Fatal("failed patching validating webhook")
-		}
-		log.Debug("patched mutating hook")
+		k8s.patchMutating(configurationName, ca, failurePolicy)
 	} else {
 		log.Debug("mutating hook patching not required")
 	}
@@ -97,6 +51,56 @@ func (k8s *k8s) PatchWebhookConfigurations(
 	log.Info("Patched hook(s)")
 }
 
+func (k8s *k8s) patchValidating(configurationName string, ca []byte, failurePolicy *admissionv1.FailurePolicyType) {
+	valHook, err := k8s.clientset.
+		AdmissionregistrationV1().
+		ValidatingWebhookConfigurations().
+		Get(context.TODO(), configurationName, metav1.GetOptions{})
+	if err != nil {
+		log.WithField("err", err).Fatal("failed getting validating webhook")
+	}
+
+	for i := range valHook.Webhooks {
+		h := &valHook.Webhooks[i]
+		h.ClientConfig.CABundle = ca
+		if *failurePolicy != "" {
+			h.FailurePolicy = failurePolicy
+		}
+	}
+
+	if _, err = k8s.clientset.AdmissionregistrationV1().
+		ValidatingWebhookConfigurations().
+		Update(context.TODO(), valHook, metav1.UpdateOptions{}); err != nil {
+		log.WithField("err", err).Fatal("failed patching validating webhook")
+	}
+	log.Debug("patched validating hook")
+}
+
+func (k8s *k8s) patchMutating(configurationName string, ca []byte, failurePolicy *admissionv1.FailurePolicyType) {
+	mutHook, err := k8s.clientset.
+		AdmissionregistrationV1().
+		MutatingWebhookConfigurations().
+		Get(context.TODO(), configurationName, metav1.GetOptions{})
+	if err != nil {
+		log.WithField("err", err).Fatal("failed getting mutating webhook")
+	}
+
+	for i := range mutHook.Webhooks {
+		h := &mutHook.Webhooks[i]
+		h.ClientConfig.CABundle = ca
+		if *failurePolicy != "" {
+			h.FailurePolicy = failurePolicy
+		}
+	}
+
+	if _, err = k8s.clientset.AdmissionregistrationV1().
+		MutatingWebhookConfigurations().
+		Update(context.TODO(), mutHook, metav1.UpdateOptions{}); err != nil {
+		log.WithField("err", err).Fatal("failed patching mutating webhook")
+	}
+	log.Debug("patched mutating hook")
+}
+
 // GetCaFromSecret will check for the presence of a secret. If it exists, will return the content of the
 // "ca" from the secret, otherwise will return nil
 func (k8s *k8s) GetCaFromSecret(secretName string, namespace string) []byte {
@@ -120,7 +124,6 @@ func (k8s *k8s) GetCaFromSecret(secretName string, namespace string) []byte {
 
 // SaveCertsToSecret saves the provided ca, cert and key into a secret in the specified namespace.
 func (k8s *k8s) SaveCertsToSecret(secretName, namespace, certName, keyName string, ca, cert, key []byte) {
-
 	log.Debugf("saving to secret '%s' in namespace '%s'", secretName, namespace)
 	secret := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
diff --git a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go
index d2a82682f..1a7444613 100644
--- a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go
+++ b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go
@@ -99,7 +99,8 @@ func TestPatchWebhookConfigurations(t *testing.T) {
 			ObjectMeta: metav1.ObjectMeta{
 				Name: testWebhookName,
 			},
-			Webhooks: []admissionv1.MutatingWebhook{{Name: "m1"}, {Name: "m2"}}}, metav1.CreateOptions{})
+			Webhooks: []admissionv1.MutatingWebhook{{Name: "m1"}, {Name: "m2"}},
+		}, metav1.CreateOptions{})
 
 	k.clientset.
 		AdmissionregistrationV1().
@@ -109,7 +110,8 @@ func TestPatchWebhookConfigurations(t *testing.T) {
 			ObjectMeta: metav1.ObjectMeta{
 				Name: testWebhookName,
 			},
-			Webhooks: []admissionv1.ValidatingWebhook{{Name: "v1"}, {Name: "v2"}}}, metav1.CreateOptions{})
+			Webhooks: []admissionv1.ValidatingWebhook{{Name: "v1"}, {Name: "v2"}},
+		}, metav1.CreateOptions{})
 
 	k.PatchWebhookConfigurations(testWebhookName, ca, &fail, true, true)
 
@@ -117,16 +119,14 @@ func TestPatchWebhookConfigurations(t *testing.T) {
 		AdmissionregistrationV1().
 		MutatingWebhookConfigurations().
 		Get(context.Background(), testWebhookName, metav1.GetOptions{})
-
 	if err != nil {
 		t.Error(err)
 	}
 
 	whval, err := k.clientset.
-		AdmissionregistrationV1beta1().
+		AdmissionregistrationV1().
 		MutatingWebhookConfigurations().
 		Get(context.Background(), testWebhookName, metav1.GetOptions{})
-
 	if err != nil {
 		t.Error(err)
 	}
@@ -155,5 +155,4 @@ func TestPatchWebhookConfigurations(t *testing.T) {
 	if whval.Webhooks[1].FailurePolicy == nil {
 		t.Errorf("Expected second validating webhook failure policy to be set to %s", fail)
 	}
-
 }

From 5c6a28464bad138ff84f1d9a3414963d4b7c236f Mon Sep 17 00:00:00 2001
From: iugastefan922 <30867395+iugastefan922@users.noreply.github.com>
Date: Fri, 17 Sep 2021 00:23:27 +0300
Subject: [PATCH 120/376] additional info for the custom-headers documentation
 page (#7603)

* added another documentation example

* added end of file newline

* Revert "added end of file newline"

This reverts commit 2d196ffba343f0f906c6a39d5cb27a7d06e51602.

* added another documentation example
---
 docs/examples/customization/custom-headers/README.md   | 10 +++++++++-
 .../custom-headers/configmap-client-response.yaml      | 10 ++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 docs/examples/customization/custom-headers/configmap-client-response.yaml

diff --git a/docs/examples/customization/custom-headers/README.md b/docs/examples/customization/custom-headers/README.md
index ac43499e9..378f2aa87 100644
--- a/docs/examples/customization/custom-headers/README.md
+++ b/docs/examples/customization/custom-headers/README.md
@@ -18,7 +18,15 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main
 
 The nginx ingress controller will read the `ingress-nginx/ingress-nginx-controller` ConfigMap, find the `proxy-set-headers` key, read HTTP headers from the `ingress-nginx/custom-headers` ConfigMap, and include those HTTP headers in all requests flowing from nginx to the backends.
 
+
+The above example was for passing a custom list of headers to the upstream server.
+To pass the custom headers before sending response traffic to the client, use the add-headers key:
+
+```console
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/customization/custom-headers/configmap-client-response.yaml
+```
+
 ## Test
 
 Check the contents of the ConfigMaps are present in the nginx.conf file using:
-`kubectl exec ingress-nginx-controller-873061567-4n3k2 -n ingress-nginx -- cat /etc/nginx/nginx.conf`
+`kubectl exec ingress-nginx-controller-873061567-4n3k2 -n ingress-nginx -- cat /etc/nginx/nginx.conf`
\ No newline at end of file
diff --git a/docs/examples/customization/custom-headers/configmap-client-response.yaml b/docs/examples/customization/custom-headers/configmap-client-response.yaml
new file mode 100644
index 000000000..3213de3f2
--- /dev/null
+++ b/docs/examples/customization/custom-headers/configmap-client-response.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+  add-headers: "ingress-nginx/custom-headers"
+kind: ConfigMap
+metadata:
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+  labels:
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx 
\ No newline at end of file

From c2fe736d48a9733ba766615dbd8e64f19dcf1223 Mon Sep 17 00:00:00 2001
From: Stephen Augustus <justaugustus@users.noreply.github.com>
Date: Sat, 18 Sep 2021 07:10:08 -0400
Subject: [PATCH 121/376] Changelog.md: Update references to
 sigs.k8s.io/promo-tools (#7656)

Signed-off-by: Stephen Augustus <foo@auggie.dev>
---
 Changelog.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Changelog.md b/Changelog.md
index 59cff2a55..c9327db71 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -760,7 +760,7 @@ _New Features:_
 - Configure User-Agent for [client-go](https://github.com/kubernetes/ingress-nginx/pull/5700)
 - Switch to [gcr.io](https://cloud.google.com/container-registry/) as container registry
 - Use cloud-build to build [container images](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/US/ingress-nginx)
-- Publish images using [Container Image Promoter](https://github.com/kubernetes-sigs/k8s-container-image-promoter)
+- Publish images using [artifact promotion tooling](https://sigs.k8s.io/promo-tools)
 - Go 1.14.4
 - client-go v0.18.5
 

From 314cc6c2dcb466e43bd4ebaecbdb60824c164bcc Mon Sep 17 00:00:00 2001
From: Jennifer Kirsch <7807969+DysphoricUnicorn@users.noreply.github.com>
Date: Sun, 19 Sep 2021 20:06:08 +0200
Subject: [PATCH 122/376] Replace kube-lego docs with cert-manager (#7659)

Since kube-lego has not been maintained in quite a while,
I thought it would be best to remove the documentation about it
and replace it with information about cert-manager.
---
 docs/user-guide/tls.md | 38 ++++++++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 14 deletions(-)

diff --git a/docs/user-guide/tls.md b/docs/user-guide/tls.md
index 237543b3a..264a1c617 100644
--- a/docs/user-guide/tls.md
+++ b/docs/user-guide/tls.md
@@ -87,24 +87,33 @@ annotation in the particular resource.
     This can be achieved by using the `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"`
     annotation in the particular resource.
 
-## Automated Certificate Management with Kube-Lego
+## Automated Certificate Management with cert-manager
 
-!!! tip
-    Kube-Lego has reached end-of-life and is being
-    replaced by [cert-manager](https://github.com/jetstack/cert-manager/).
+[cert-manager] automatically requests missing or expired certificates from a range of 
+[supported issuers][cert-manager-issuer-config] (including [Let's Encrypt]) by monitoring 
+ingress resources.
 
-[Kube-Lego] automatically requests missing or expired certificates from [Let's Encrypt]
-by monitoring ingress resources and their referenced secrets.
+To set up cert-manager you should take a look at this [full example][full-cert-manager-example].
 
-To enable this for an ingress resource you have to add an annotation:
+To enable it for an ingress resource you have to deploy cert-manager, configure a certificate 
+issuer update the manifest:
 
-```console
-kubectl annotate ing ingress-demo kubernetes.io/tls-acme="true"
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-demo
+  annotations:
+    cert-manager.io/issuer: "letsencrypt-staging" # Replace this with a production issuer once you've tested it
+    [..]
+spec:
+  tls:
+    - hosts:
+        - ingress-demo.example.com
+        secretName: ingress-demo-tls
+    [...]
 ```
 
-To setup Kube-Lego you can take a look at this [full example][full-kube-lego-example].
-The first version to fully support Kube-Lego is Nginx Ingress controller 0.8.
-
 ## Default TLS Version and Ciphers
 
 To provide the most secure baseline configuration possible,
@@ -136,10 +145,11 @@ data:
 
 
 
-[full-kube-lego-example]:https://github.com/jetstack/kube-lego/tree/master/examples
-[Kube-Lego]:https://github.com/jetstack/kube-lego
 [Let's Encrypt]:https://letsencrypt.org
 [ConfigMap]: ./nginx-configuration/configmap.md
 [ssl-ciphers]: ./nginx-configuration/configmap.md#ssl-ciphers
 [SNI]: https://en.wikipedia.org/wiki/Server_Name_Indication
 [mozilla-ssl-config-old]: https://ssl-config.mozilla.org/#server=nginx&config=old
+[cert-manager]: https://github.com/jetstack/cert-manager/
+[full-cert-manager-example]:https://cert-manager.io/docs/tutorials/acme/ingress/
+[cert-manager-issuer-config]:https://cert-manager.io/docs/configuration/

From 5e6ab651ecfc26844d16733e5dc0b2aac96acc93 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Sun, 19 Sep 2021 16:40:08 -0300
Subject: [PATCH 123/376] Add option to force enabling snippet directives
 (#7665)

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
---
 .../ci/daemonset-customconfig-values.yaml     |   1 +
 .../ci/deployment-customconfig-values.yaml    |   1 +
 .../templates/controller-configmap.yaml       |   1 +
 charts/ingress-nginx/values.yaml              |   6 +
 .../nginx-configuration/configmap.md          |   7 +
 internal/ingress/controller/config/config.go  |   5 +
 internal/ingress/controller/controller.go     |  67 ++++++--
 .../ingress/controller/controller_test.go     | 109 ++++++++++++-
 .../annotations/modsecurity/modsecurity.go    |  42 ++++-
 test/e2e/annotations/serversnippet.go         |  51 +++++-
 test/e2e/annotations/snippet.go               |  44 +++++-
 test/e2e/settings/server_snippet.go           | 149 ++++++++++++++++++
 12 files changed, 459 insertions(+), 24 deletions(-)
 create mode 100644 test/e2e/settings/server_snippet.go

diff --git a/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml b/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml
index 43dd2b2ac..fdaf6e5c3 100644
--- a/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml
+++ b/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml
@@ -4,6 +4,7 @@ controller:
     tag: 1.0.0-dev
     digest: null
   kind: DaemonSet
+  enableSnippetDirectives: false
   admissionWebhooks:
     enabled: false
   service:
diff --git a/charts/ingress-nginx/ci/deployment-customconfig-values.yaml b/charts/ingress-nginx/ci/deployment-customconfig-values.yaml
index 85715ddb7..f0d827dbc 100644
--- a/charts/ingress-nginx/ci/deployment-customconfig-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-customconfig-values.yaml
@@ -5,6 +5,7 @@ controller:
     digest: null
   config:
     use-proxy-protocol: "true"
+  enableSnippetDirectives: false
   admissionWebhooks:
     enabled: false
   service:
diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml
index 630545140..0099bd0a2 100644
--- a/charts/ingress-nginx/templates/controller-configmap.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap.yaml
@@ -10,6 +10,7 @@ metadata:
   name: {{ include "ingress-nginx.controller.fullname" . }}
   namespace: {{ .Release.Namespace }}
 data:
+  enable-snippet-directives: "{{ .Values.controller.enableSnippetDirectives }}"
 {{- if .Values.controller.addHeaders }}
   add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
 {{- end }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index dff440313..a41d30c04 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -69,6 +69,12 @@ controller:
   # Process IngressClass per name (additionally as per spec.controller)
   ingressClassByName: false
 
+  # This configuration defines if Ingress Controller should allow users to set
+  # their own *-snippet directives/annotations, otherwise this is forbidden / dropped
+  # when users add those annotations.
+  # Global snippets in ConfigMap are still respected
+  enableSnippetDirectives: true
+
   # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
   # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
   # is merged
diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index c8aa27373..dd1828ed8 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -46,6 +46,7 @@ The following table shows a configuration option's name, type, and the default v
 |[disable-access-log](#disable-access-log)|bool|false|
 |[disable-ipv6](#disable-ipv6)|bool|false|
 |[disable-ipv6-dns](#disable-ipv6-dns)|bool|false|
+|[enable-snippet-directives](#enable-snippet-directives)|bool|true|
 |[enable-underscores-in-headers](#enable-underscores-in-headers)|bool|false|
 |[enable-ocsp](#enable-ocsp)|bool|false|
 |[ignore-invalid-headers](#ignore-invalid-headers)|bool|true|
@@ -316,6 +317,12 @@ Disable listening on IPV6. _**default:**_ `false`; IPv6 listening is enabled
 
 Disable IPV6 for nginx DNS resolver. _**default:**_ `false`; IPv6 resolving enabled.
 
+## enable-snippet-directives
+
+Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `true`;
+Obs.: We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this 
+may allow a user to add restricted configurations to the final nginx.conf file
+
 ## enable-underscores-in-headers
 
 Enables underscores in header names. _**default:**_ is disabled
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
index 0546e9618..89bbb33cf 100644
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@@ -93,6 +93,10 @@ const (
 type Configuration struct {
 	defaults.Backend `json:",squash"`
 
+	// EnableSnippetDirectives enable users to add their own snippets via ingress annotation.
+	// If disabled, only snippets added via ConfigMap are added to ingress.
+	EnableSnippetDirectives bool `json:"enable-snippet-directives"`
+
 	// Sets the name of the configmap that contains the headers to pass to the client
 	AddHeaders string `json:"add-headers,omitempty"`
 
@@ -757,6 +761,7 @@ func NewDefault() Configuration {
 	defGlobalExternalAuth := GlobalExternalAuth{"", "", "", "", "", append(defResponseHeaders, ""), "", "", "", []string{}, map[string]string{}}
 
 	cfg := Configuration{
+		EnableSnippetDirectives:          true,
 		AllowBackendServerHeader:         false,
 		AccessLogPath:                    "/var/log/nginx/access.log",
 		AccessLogParams:                  "",
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 38357d491..2c42041a5 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -234,27 +234,28 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 		return fmt.Errorf("This deployment is trying to create a catch-all ingress while DisableCatchAll flag is set to true. Remove '.spec.backend' or set DisableCatchAll flag to false.")
 	}
 
-	if parser.AnnotationsPrefix != parser.DefaultAnnotationsPrefix {
-		for key := range ing.ObjectMeta.GetAnnotations() {
+	cfg := n.store.GetBackendConfiguration()
+	cfg.Resolver = n.resolver
+
+	for key := range ing.ObjectMeta.GetAnnotations() {
+		if parser.AnnotationsPrefix != parser.DefaultAnnotationsPrefix {
 			if strings.HasPrefix(key, fmt.Sprintf("%s/", parser.DefaultAnnotationsPrefix)) {
 				return fmt.Errorf("This deployment has a custom annotation prefix defined. Use '%s' instead of '%s'", parser.AnnotationsPrefix, parser.DefaultAnnotationsPrefix)
 			}
 		}
+
+		if !cfg.EnableSnippetDirectives && strings.HasSuffix(key, "-snippet") {
+			return fmt.Errorf("%s annotation cannot be used. Snippet directives are disabled by the Ingress administrator", key)
+		}
+
+		if len(cfg.GlobalRateLimitMemcachedHost) == 0 && strings.HasPrefix(key, fmt.Sprintf("%s/%s", parser.AnnotationsPrefix, "global-rate-limit")) {
+			return fmt.Errorf("'global-rate-limit*' annotations require 'global-rate-limit-memcached-host' settings configured in the global configmap")
+		}
+
 	}
 
 	k8s.SetDefaultNGINXPathType(ing)
 
-	cfg := n.store.GetBackendConfiguration()
-	cfg.Resolver = n.resolver
-
-	if len(cfg.GlobalRateLimitMemcachedHost) == 0 {
-		for key := range ing.ObjectMeta.GetAnnotations() {
-			if strings.HasPrefix(key, fmt.Sprintf("%s/%s", parser.AnnotationsPrefix, "global-rate-limit")) {
-				return fmt.Errorf("'global-rate-limit*' annotations require 'global-rate-limit-memcached-host' settings configured in the global configmap")
-			}
-		}
-	}
-
 	allIngresses := n.store.ListIngresses()
 
 	filter := func(toCheck *ingress.Ingress) bool {
@@ -511,6 +512,30 @@ func (n *NGINXController) getConfiguration(ingresses []*ingress.Ingress) (sets.S
 	}
 }
 
+func dropSnippetDirectives(anns *annotations.Ingress, ingKey string) {
+	if anns != nil {
+		if anns.ConfigurationSnippet != "" {
+			klog.V(3).Infof("Ingress %q tried to use configuration-snippet and the annotation is disabled by the admin. Removing the annotation", ingKey)
+			anns.ConfigurationSnippet = ""
+		}
+		if anns.ServerSnippet != "" {
+			klog.V(3).Infof("Ingress %q tried to use server-snippet and the annotation is disabled by the admin. Removing the annotation", ingKey)
+			anns.ServerSnippet = ""
+		}
+
+		if anns.ModSecurity.Snippet != "" {
+			klog.V(3).Infof("Ingress %q tried to use modsecurity-snippet and the annotation is disabled by the admin. Removing the annotation", ingKey)
+			anns.ModSecurity.Snippet = ""
+		}
+
+		if anns.ExternalAuth.AuthSnippet != "" {
+			klog.V(3).Infof("Ingress %q tried to use auth-snippet and the annotation is disabled by the admin. Removing the annotation", ingKey)
+			anns.ExternalAuth.AuthSnippet = ""
+		}
+
+	}
+}
+
 // getBackendServers returns a list of Upstream and Server to be used by the
 // backend.  An upstream can be used in multiple servers if the namespace,
 // service name and port are the same.
@@ -525,6 +550,10 @@ func (n *NGINXController) getBackendServers(ingresses []*ingress.Ingress) ([]*in
 		ingKey := k8s.MetaNamespaceKey(ing)
 		anns := ing.ParsedAnnotations
 
+		if !n.store.GetBackendConfiguration().EnableSnippetDirectives {
+			dropSnippetDirectives(anns, ingKey)
+		}
+
 		for _, rule := range ing.Spec.Rules {
 			host := rule.Host
 			if host == "" {
@@ -801,6 +830,10 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B
 		ingKey := k8s.MetaNamespaceKey(ing)
 		anns := ing.ParsedAnnotations
 
+		if !n.store.GetBackendConfiguration().EnableSnippetDirectives {
+			dropSnippetDirectives(anns, ingKey)
+		}
+
 		var defBackend string
 		if ing.Spec.DefaultBackend != nil && ing.Spec.DefaultBackend.Service != nil {
 			defBackend = upstreamName(ing.Namespace, ing.Spec.DefaultBackend.Service)
@@ -1091,6 +1124,10 @@ func (n *NGINXController) createServers(data []*ingress.Ingress,
 		ingKey := k8s.MetaNamespaceKey(ing)
 		anns := ing.ParsedAnnotations
 
+		if !n.store.GetBackendConfiguration().EnableSnippetDirectives {
+			dropSnippetDirectives(anns, ingKey)
+		}
+
 		// default upstream name
 		un := du.Name
 
@@ -1167,6 +1204,10 @@ func (n *NGINXController) createServers(data []*ingress.Ingress,
 		ingKey := k8s.MetaNamespaceKey(ing)
 		anns := ing.ParsedAnnotations
 
+		if !n.store.GetBackendConfiguration().EnableSnippetDirectives {
+			dropSnippetDirectives(anns, ingKey)
+		}
+
 		if anns.Canary.Enabled {
 			klog.V(2).Infof("Ingress %v is marked as Canary, ignoring", ingKey)
 			continue
diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go
index 139e7b254..1ed876600 100644
--- a/internal/ingress/controller/controller_test.go
+++ b/internal/ingress/controller/controller_test.go
@@ -42,6 +42,7 @@ import (
 	"k8s.io/ingress-nginx/internal/ingress"
 	"k8s.io/ingress-nginx/internal/ingress/annotations"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/canary"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/ipwhitelist"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/proxyssl"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/sessionaffinity"
@@ -57,11 +58,12 @@ import (
 )
 
 type fakeIngressStore struct {
-	ingresses []*ingress.Ingress
+	ingresses     []*ingress.Ingress
+	configuration ngx_config.Configuration
 }
 
-func (fakeIngressStore) GetBackendConfiguration() ngx_config.Configuration {
-	return ngx_config.Configuration{}
+func (fis fakeIngressStore) GetBackendConfiguration() ngx_config.Configuration {
+	return fis.configuration
 }
 
 func (fakeIngressStore) GetConfigMap(key string) (*corev1.ConfigMap, error) {
@@ -235,6 +237,9 @@ func TestCheckIngress(t *testing.T) {
 		})
 
 		t.Run("When the default annotation prefix is used despite an override", func(t *testing.T) {
+			defer func() {
+				parser.AnnotationsPrefix = "nginx.ingress.kubernetes.io"
+			}()
 			parser.AnnotationsPrefix = "ingress.kubernetes.io"
 			ing.ObjectMeta.Annotations["nginx.ingress.kubernetes.io/backend-protocol"] = "GRPC"
 			nginx.command = testNginxTestCommand{
@@ -246,6 +251,23 @@ func TestCheckIngress(t *testing.T) {
 			}
 		})
 
+		t.Run("When snippets are disabled and user tries to use snippet annotation", func(t *testing.T) {
+			nginx.store = fakeIngressStore{
+				ingresses: []*ingress.Ingress{},
+				configuration: ngx_config.Configuration{
+					EnableSnippetDirectives: false,
+				},
+			}
+			nginx.command = testNginxTestCommand{
+				t:   t,
+				err: nil,
+			}
+			ing.ObjectMeta.Annotations["nginx.ingress.kubernetes.io/server-snippet"] = "bla"
+			if err := nginx.CheckIngress(ing); err == nil {
+				t.Errorf("with a snippet annotation, ingresses using the default should be rejected")
+			}
+		})
+
 		t.Run("When a new catch-all ingress is being created despite catch-alls being disabled ", func(t *testing.T) {
 			backendBefore := ing.Spec.DefaultBackend
 			disableCatchAllBefore := nginx.cfg.DisableCatchAll
@@ -275,6 +297,9 @@ func TestCheckIngress(t *testing.T) {
 		})
 
 		t.Run("When the ingress is in a different namespace than the watched one", func(t *testing.T) {
+			defer func() {
+				nginx.cfg.Namespace = "test-namespace"
+			}()
 			nginx.command = testNginxTestCommand{
 				t:   t,
 				err: fmt.Errorf("test error"),
@@ -2211,6 +2236,84 @@ func TestGetBackendServers(t *testing.T) {
 				}
 			},
 		},
+		{
+			Ingresses: []*ingress.Ingress{
+				{
+					Ingress: networking.Ingress{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "not-allowed-snippet",
+							Namespace: "default",
+							Annotations: map[string]string{
+								"nginx.ingress.kubernetes.io/server-snippet":         "bla",
+								"nginx.ingress.kubernetes.io/configuration-snippet":  "blo",
+								"nginx.ingress.kubernetes.io/whitelist-source-range": "10.0.0.0/24",
+							},
+						},
+						Spec: networking.IngressSpec{
+							Rules: []networking.IngressRule{
+								{
+									Host: "example.com",
+									IngressRuleValue: networking.IngressRuleValue{
+										HTTP: &networking.HTTPIngressRuleValue{
+											Paths: []networking.HTTPIngressPath{
+												{
+													Path:     "/path1",
+													PathType: &pathTypePrefix,
+													Backend: networking.IngressBackend{
+														Service: &networking.IngressServiceBackend{
+															Name: "path1-svc",
+															Port: networking.ServiceBackendPort{
+																Number: 80,
+															},
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+					ParsedAnnotations: &annotations.Ingress{
+						Whitelist:            ipwhitelist.SourceRange{CIDR: []string{"10.0.0.0/24"}},
+						ServerSnippet:        "bla",
+						ConfigurationSnippet: "blo",
+					},
+				},
+			},
+			Validate: func(ingresses []*ingress.Ingress, upstreams []*ingress.Backend, servers []*ingress.Server) {
+				if len(servers) != 2 {
+					t.Errorf("servers count should be 2, got %d", len(servers))
+					return
+				}
+				s := servers[1]
+
+				if s.ServerSnippet != "" {
+					t.Errorf("server snippet should be empty, got '%s'", s.ServerSnippet)
+				}
+
+				if s.Locations[0].ConfigurationSnippet != "" {
+					t.Errorf("config snippet should be empty, got '%s'", s.Locations[0].ConfigurationSnippet)
+				}
+
+				if len(s.Locations[0].Whitelist.CIDR) != 1 || s.Locations[0].Whitelist.CIDR[0] != "10.0.0.0/24" {
+					t.Errorf("allow list was incorrectly dropped, len should be 1 and contain 10.0.0.0/24")
+				}
+
+			},
+			SetConfigMap: func(ns string) *v1.ConfigMap {
+				return &v1.ConfigMap{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:     "config",
+						SelfLink: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/config", ns),
+					},
+					Data: map[string]string{
+						"enable-snippet-directives": "false",
+					},
+				}
+			},
+		},
 	}
 
 	for _, testCase := range testCases {
diff --git a/test/e2e/annotations/modsecurity/modsecurity.go b/test/e2e/annotations/modsecurity/modsecurity.go
index fad3a2dee..c4babf21a 100644
--- a/test/e2e/annotations/modsecurity/modsecurity.go
+++ b/test/e2e/annotations/modsecurity/modsecurity.go
@@ -282,7 +282,7 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
 
 		f.WaitForNginxServer(host,
 			func(server string) bool {
-				return true
+				return strings.Contains(server, "SecRequestBodyAccess On")
 			})
 
 		f.HTTPTestClient().
@@ -292,4 +292,44 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
 			Expect().
 			Status(http.StatusForbidden)
 	})
+
+	ginkgo.It("should enable modsecurity through the config map but ignore snippet as disabled by admin", func() {
+		host := "modsecurity.foo.com"
+		nameSpace := f.Namespace
+
+		snippet := `SecRequestBodyAccess On
+		SecAuditEngine RelevantOnly
+		SecAuditLogParts ABIJDEFHZ
+		SecAuditLog /dev/stdout
+		SecAuditLogType Serial
+		SecRule REQUEST_HEADERS:User-Agent \"block-ua\" \"log,deny,id:107,status:403,msg:\'UA blocked\'\"`
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/modsecurity-snippet": snippet,
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		expectedComment := "SecRuleEngine On"
+
+		f.SetNginxConfigMapData(map[string]string{
+			"enable-modsecurity":           "true",
+			"enable-owasp-modsecurity-crs": "true",
+			"enable-snippet-directives":    "false",
+			"modsecurity-snippet":          expectedComment,
+		})
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return !strings.Contains(server, "block-ua")
+			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("User-Agent", "block-ua").
+			Expect().
+			Status(http.StatusOK)
+	})
 })
diff --git a/test/e2e/annotations/serversnippet.go b/test/e2e/annotations/serversnippet.go
index 8a4f25ea4..ccd235e13 100644
--- a/test/e2e/annotations/serversnippet.go
+++ b/test/e2e/annotations/serversnippet.go
@@ -17,6 +17,7 @@ limitations under the License.
 package annotations
 
 import (
+	"net/http"
 	"strings"
 
 	"github.com/onsi/ginkgo"
@@ -35,8 +36,8 @@ var _ = framework.DescribeAnnotation("server-snippet", func() {
 		host := "serversnippet.foo.com"
 		annotations := map[string]string{
 			"nginx.ingress.kubernetes.io/server-snippet": `
-				more_set_headers "Content-Length: $content_length";
-				more_set_headers "Content-Type: $content_type";`,
+				more_set_headers "Foo: Bar";
+				more_set_headers "Xpto: Lalala";`,
 		}
 
 		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
@@ -44,8 +45,50 @@ var _ = framework.DescribeAnnotation("server-snippet", func() {
 
 		f.WaitForNginxServer(host,
 			func(server string) bool {
-				return strings.Contains(server, `more_set_headers "Content-Length: $content_length`) &&
-					strings.Contains(server, `more_set_headers "Content-Type: $content_type";`)
+				return strings.Contains(server, `more_set_headers "Foo: Bar`) &&
+					strings.Contains(server, `more_set_headers "Xpto: Lalala";`)
 			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Foo", []string{"Bar"}).
+			ValueEqual("Xpto", []string{"Lalala"})
+	})
+
+	ginkgo.It(`drops server snippet if disabled by the administrator`, func() {
+		host := "noserversnippet.foo.com"
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/server-snippet": `
+				more_set_headers "Foo: Bar";
+				more_set_headers "Xpto: Lalala";`,
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.UpdateNginxConfigMapData("enable-snippet-directives", "false")
+		defer func() {
+			// Return to the original value
+			f.UpdateNginxConfigMapData("enable-snippet-directives", "true")
+		}()
+		// Sleep a while just to guarantee that the configmap is applied
+		framework.Sleep()
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return !strings.Contains(server, `more_set_headers "Foo: Bar`) &&
+					!strings.Contains(server, `more_set_headers "Xpto: Lalala";`)
+			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK).Headers().
+			NotContainsKey("Foo").
+			NotContainsKey("Xpto")
+
 	})
 })
diff --git a/test/e2e/annotations/snippet.go b/test/e2e/annotations/snippet.go
index 61c39fa65..82f062220 100644
--- a/test/e2e/annotations/snippet.go
+++ b/test/e2e/annotations/snippet.go
@@ -17,6 +17,7 @@ limitations under the License.
 package annotations
 
 import (
+	"net/http"
 	"strings"
 
 	"github.com/onsi/ginkgo"
@@ -31,11 +32,11 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() {
 		f.NewEchoDeployment()
 	})
 
-	ginkgo.It(`set snippet "more_set_headers "Request-Id: $req_id";" in all locations"`, func() {
+	ginkgo.It(`set snippet "more_set_headers "Foo1: Bar1";" in all locations"`, func() {
 		host := "configurationsnippet.foo.com"
 		annotations := map[string]string{
 			"nginx.ingress.kubernetes.io/configuration-snippet": `
-				more_set_headers "Request-Id: $req_id";`,
+				more_set_headers "Foo1: Bar1";`,
 		}
 
 		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
@@ -43,7 +44,44 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() {
 
 		f.WaitForNginxServer(host,
 			func(server string) bool {
-				return strings.Contains(server, `more_set_headers "Request-Id: $req_id";`)
+				return strings.Contains(server, `more_set_headers "Foo1: Bar1";`)
 			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Foo1", []string{"Bar1"})
+	})
+
+	ginkgo.It(`drops snippet "more_set_headers "Foo1: Bar1";" in all locations if disabled by admin"`, func() {
+		host := "noconfigurationsnippet.foo.com"
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/configuration-snippet": `
+				more_set_headers "Foo1: Bar1";`,
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.UpdateNginxConfigMapData("enable-snippet-directives", "false")
+		defer func() {
+			// Return to the original value
+			f.UpdateNginxConfigMapData("enable-snippet-directives", "true")
+		}()
+		// Sleep a while just to guarantee that the configmap is applied
+		framework.Sleep()
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return !strings.Contains(server, `more_set_headers "Foo1: Bar1";`)
+			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK).Headers().
+			NotContainsKey("Foo1")
 	})
 })
diff --git a/test/e2e/settings/server_snippet.go b/test/e2e/settings/server_snippet.go
new file mode 100644
index 000000000..c3ff5aa46
--- /dev/null
+++ b/test/e2e/settings/server_snippet.go
@@ -0,0 +1,149 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package settings
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/onsi/ginkgo"
+
+	"k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+var _ = framework.DescribeSetting("configmap server-snippet", func() {
+	f := framework.NewDefaultFramework("cm-server-snippet")
+
+	ginkgo.BeforeEach(func() {
+		f.NewEchoDeployment()
+	})
+
+	ginkgo.It("should add value of server-snippet setting to all ingress config", func() {
+		host := "serverglobalsnippet1.foo.com"
+		hostAnnots := "serverannotssnippet1.foo.com"
+
+		f.SetNginxConfigMapData(map[string]string{
+			"server-snippet": `
+			more_set_headers "Globalfoo: Foooo";`,
+		})
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/server-snippet": `
+				more_set_headers "Foo: Bar";
+				more_set_headers "Xpto: Lalala";`,
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)
+		f.EnsureIngress(ing)
+
+		ing1 := framework.NewSingleIngress(hostAnnots, "/", hostAnnots, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing1)
+
+		// Sleep a while just to guarantee that the configmap is applied
+		framework.Sleep()
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, `more_set_headers "Globalfoo: Foooo`) &&
+					!strings.Contains(server, `more_set_headers "Foo: Bar";`) &&
+					!strings.Contains(server, `more_set_headers "Xpto: Lalala";`)
+			})
+
+		f.WaitForNginxServer(hostAnnots,
+			func(server string) bool {
+				return strings.Contains(server, `more_set_headers "Globalfoo: Foooo`) &&
+					strings.Contains(server, `more_set_headers "Foo: Bar";`) &&
+					strings.Contains(server, `more_set_headers "Xpto: Lalala";`)
+			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Globalfoo", []string{"Foooo"}).
+			NotContainsKey("Foo").
+			NotContainsKey("Xpto")
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", hostAnnots).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Foo", []string{"Bar"}).
+			ValueEqual("Xpto", []string{"Lalala"}).
+			ValueEqual("Globalfoo", []string{"Foooo"})
+	})
+
+	ginkgo.It("should add global server-snippet and drop annotations per admin config", func() {
+		host := "serverglobalsnippet2.foo.com"
+		hostAnnots := "serverannotssnippet2.foo.com"
+
+		f.SetNginxConfigMapData(map[string]string{
+			"enable-snippet-directives": "false",
+			"server-snippet": `
+			more_set_headers "Globalfoo: Foooo";`,
+		})
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/server-snippet": `
+				more_set_headers "Foo: Bar";
+				more_set_headers "Xpto: Lalala";`,
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)
+		f.EnsureIngress(ing)
+
+		ing1 := framework.NewSingleIngress(hostAnnots, "/", hostAnnots, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing1)
+
+		// Sleep a while just to guarantee that the configmap is applied
+		framework.Sleep()
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, `more_set_headers "Globalfoo: Foooo`) &&
+					!strings.Contains(server, `more_set_headers "Foo: Bar";`) &&
+					!strings.Contains(server, `more_set_headers "Xpto: Lalala";`)
+			})
+
+		f.WaitForNginxServer(hostAnnots,
+			func(server string) bool {
+				return strings.Contains(server, `more_set_headers "Globalfoo: Foooo`) &&
+					!strings.Contains(server, `more_set_headers "Foo: Bar";`) &&
+					!strings.Contains(server, `more_set_headers "Xpto: Lalala";`)
+			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Globalfoo", []string{"Foooo"}).
+			NotContainsKey("Foo").
+			NotContainsKey("Xpto")
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", hostAnnots).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Globalfoo", []string{"Foooo"}).
+			NotContainsKey("Foo").
+			NotContainsKey("Xpto")
+	})
+})

From c6bf056327284d19bf409eca1f6424dfbf169a71 Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Mon, 20 Sep 2021 15:58:10 +0530
Subject: [PATCH 124/376] added example multiple controller install to faq
 (#7668)

---
 docs/index.md | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/docs/index.md b/docs/index.md
index 8eb626101..9e88b2dca 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -167,3 +167,27 @@ Bear in mind that, if your `Ingress-Nginx-Controller-nginx2` is started with the
 
 ## I am seeing this error message in the logs of the Ingress-NGINX controller "ingress class annotation is not equal to the expected by Ingress Controller". Why ?
 - It is highly likely that you will also see the name of the ingress resource in the same error message. This error messsage has been observed on use the deprecated annotation, to spec the ingressClass, in a ingress resource manifest. It is recommended to use the ingress.spec.ingressClassName field, of the ingress resource, to spec the name of the ingressClass of the ingress resource being configured.
+
+## How to easily install multiple instances of the ingress-NGINX controller in the same cluster ?
+- Create a new namespace
+  ```
+  kubectl create namespace ingress-controller-2
+  ```
+- Use helm to install the additional instance of the ingress controller
+- Ensure you have helm working (refer to helm documentation)
+- We have to assume that you have the helm repo for the ingress-NGINX controller already added to your helm config. But, if you have not added the helm repo then you can do this to add the repo to your helm config;
+  ```
+  helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx`
+  ```
+- Make sure you have updated the helm repo data;
+  ```
+  helm repo update
+  ```
+- Now you install the additional instance of the ingress-NGINX controller like this ;
+  ```
+  helm --namespace ingress-controller-2 install ingcontroller-2 ingress-nginx/ingress-nginx  \
+  --set controller.ingressClass=ingress-class-2 \
+  --set controller.ingressClassResource.name=ingress-class-2 \
+  --set controller.ingressClassResource.controllerValue= "k8s.io/ingress-controller-2" 
+  ```
+- If you need to install yet another instance, then repeat the procedure to create a new namespace, change the values like names & namespaces (for example from "-2" to "-3"), or anything else that meets your needs.

From 8e7727eb654e94bc100a35ecc4de053925f7ec27 Mon Sep 17 00:00:00 2001
From: Noah Ispas <13436814+iamNoah1@users.noreply.github.com>
Date: Mon, 20 Sep 2021 17:54:11 +0200
Subject: [PATCH 125/376] add option for documentiony only to pr template
 (#7672)

---
 .github/PULL_REQUEST_TEMPLATE.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 27d5ba4b7..9bc455303 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -10,6 +10,7 @@
 - [ ] Bug fix (non-breaking change which fixes an issue)
 - [ ] New feature (non-breaking change which adds functionality)
 - [ ] Breaking change (fix or feature that would cause existing functionality to change)
+- [ ] Documentation only
 
 ## Which issue/s this PR fixes
 <!--

From 4fc57dcc4969cd907c6eeadffbba2d14949db39e Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Mon, 20 Sep 2021 20:52:23 -0300
Subject: [PATCH 126/376] Change enable-snippet to allow-snippet-annotation
 (#7670)

Signed-off-by: Ricardo Pchevuzinske Katz <rkatz@vmware.com>
---
 .../ci/daemonset-customconfig-values.yaml         |  2 +-
 .../ci/deployment-customconfig-values.yaml        |  2 +-
 .../templates/controller-configmap.yaml           |  2 +-
 charts/ingress-nginx/values.yaml                  |  4 ++--
 docs/user-guide/nginx-configuration/configmap.md  | 15 ++++++++-------
 internal/ingress/controller/config/config.go      |  7 ++++---
 internal/ingress/controller/controller.go         | 10 +++++-----
 internal/ingress/controller/controller_test.go    |  4 ++--
 test/e2e/annotations/modsecurity/modsecurity.go   |  2 +-
 test/e2e/annotations/serversnippet.go             |  4 ++--
 test/e2e/annotations/snippet.go                   |  4 ++--
 test/e2e/settings/server_snippet.go               |  2 +-
 12 files changed, 30 insertions(+), 28 deletions(-)

diff --git a/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml b/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml
index fdaf6e5c3..4393a5bc0 100644
--- a/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml
+++ b/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml
@@ -4,7 +4,7 @@ controller:
     tag: 1.0.0-dev
     digest: null
   kind: DaemonSet
-  enableSnippetDirectives: false
+  allowSnippetAnnotations: false
   admissionWebhooks:
     enabled: false
   service:
diff --git a/charts/ingress-nginx/ci/deployment-customconfig-values.yaml b/charts/ingress-nginx/ci/deployment-customconfig-values.yaml
index f0d827dbc..174941848 100644
--- a/charts/ingress-nginx/ci/deployment-customconfig-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-customconfig-values.yaml
@@ -5,7 +5,7 @@ controller:
     digest: null
   config:
     use-proxy-protocol: "true"
-  enableSnippetDirectives: false
+  allowSnippetAnnotations: false
   admissionWebhooks:
     enabled: false
   service:
diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml
index 0099bd0a2..697389207 100644
--- a/charts/ingress-nginx/templates/controller-configmap.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap.yaml
@@ -10,7 +10,7 @@ metadata:
   name: {{ include "ingress-nginx.controller.fullname" . }}
   namespace: {{ .Release.Namespace }}
 data:
-  enable-snippet-directives: "{{ .Values.controller.enableSnippetDirectives }}"
+  allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}"
 {{- if .Values.controller.addHeaders }}
   add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
 {{- end }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index a41d30c04..b58e79975 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -70,10 +70,10 @@ controller:
   ingressClassByName: false
 
   # This configuration defines if Ingress Controller should allow users to set
-  # their own *-snippet directives/annotations, otherwise this is forbidden / dropped
+  # their own *-snippet annotations, otherwise this is forbidden / dropped
   # when users add those annotations.
   # Global snippets in ConfigMap are still respected
-  enableSnippetDirectives: true
+  allowSnippetAnnotations: true
 
   # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
   # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index dd1828ed8..4fdda21ba 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -29,6 +29,7 @@ The following table shows a configuration option's name, type, and the default v
 |:---|:---|:------|
 |[add-headers](#add-headers)|string|""|
 |[allow-backend-server-header](#allow-backend-server-header)|bool|"false"|
+|[allow-snippet-annotations](#allow-snippet-annotations)|bool|true|
 |[hide-headers](#hide-headers)|string array|empty|
 |[access-log-params](#access-log-params)|string|""|
 |[access-log-path](#access-log-path)|string|"/var/log/nginx/access.log"|
@@ -46,7 +47,6 @@ The following table shows a configuration option's name, type, and the default v
 |[disable-access-log](#disable-access-log)|bool|false|
 |[disable-ipv6](#disable-ipv6)|bool|false|
 |[disable-ipv6-dns](#disable-ipv6-dns)|bool|false|
-|[enable-snippet-directives](#enable-snippet-directives)|bool|true|
 |[enable-underscores-in-headers](#enable-underscores-in-headers)|bool|false|
 |[enable-ocsp](#enable-ocsp)|bool|false|
 |[ignore-invalid-headers](#ignore-invalid-headers)|bool|true|
@@ -214,6 +214,13 @@ Sets custom headers from named configmap before sending traffic to the client. S
 
 Enables the return of the header Server from the backend instead of the generic nginx string. _**default:**_ is disabled
 
+## allow-snippet-annotations
+
+Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `true`;
+
+Warning: We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this 
+may allow a user to add restricted configurations to the final nginx.conf file
+
 ## hide-headers
 
 Sets additional header that will not be passed from the upstream server to the client response.
@@ -317,12 +324,6 @@ Disable listening on IPV6. _**default:**_ `false`; IPv6 listening is enabled
 
 Disable IPV6 for nginx DNS resolver. _**default:**_ `false`; IPv6 resolving enabled.
 
-## enable-snippet-directives
-
-Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `true`;
-Obs.: We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this 
-may allow a user to add restricted configurations to the final nginx.conf file
-
 ## enable-underscores-in-headers
 
 Enables underscores in header names. _**default:**_ is disabled
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
index 89bbb33cf..a29c1b094 100644
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@@ -93,9 +93,9 @@ const (
 type Configuration struct {
 	defaults.Backend `json:",squash"`
 
-	// EnableSnippetDirectives enable users to add their own snippets via ingress annotation.
+	// AllowSnippetAnnotations enable users to add their own snippets via ingress annotation.
 	// If disabled, only snippets added via ConfigMap are added to ingress.
-	EnableSnippetDirectives bool `json:"enable-snippet-directives"`
+	AllowSnippetAnnotations bool `json:"allow-snippet-annotations"`
 
 	// Sets the name of the configmap that contains the headers to pass to the client
 	AddHeaders string `json:"add-headers,omitempty"`
@@ -761,7 +761,8 @@ func NewDefault() Configuration {
 	defGlobalExternalAuth := GlobalExternalAuth{"", "", "", "", "", append(defResponseHeaders, ""), "", "", "", []string{}, map[string]string{}}
 
 	cfg := Configuration{
-		EnableSnippetDirectives:          true,
+
+		AllowSnippetAnnotations:          true,
 		AllowBackendServerHeader:         false,
 		AccessLogPath:                    "/var/log/nginx/access.log",
 		AccessLogParams:                  "",
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 2c42041a5..aeed32278 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -244,7 +244,7 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 			}
 		}
 
-		if !cfg.EnableSnippetDirectives && strings.HasSuffix(key, "-snippet") {
+		if !cfg.AllowSnippetAnnotations && strings.HasSuffix(key, "-snippet") {
 			return fmt.Errorf("%s annotation cannot be used. Snippet directives are disabled by the Ingress administrator", key)
 		}
 
@@ -550,7 +550,7 @@ func (n *NGINXController) getBackendServers(ingresses []*ingress.Ingress) ([]*in
 		ingKey := k8s.MetaNamespaceKey(ing)
 		anns := ing.ParsedAnnotations
 
-		if !n.store.GetBackendConfiguration().EnableSnippetDirectives {
+		if !n.store.GetBackendConfiguration().AllowSnippetAnnotations {
 			dropSnippetDirectives(anns, ingKey)
 		}
 
@@ -830,7 +830,7 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B
 		ingKey := k8s.MetaNamespaceKey(ing)
 		anns := ing.ParsedAnnotations
 
-		if !n.store.GetBackendConfiguration().EnableSnippetDirectives {
+		if !n.store.GetBackendConfiguration().AllowSnippetAnnotations {
 			dropSnippetDirectives(anns, ingKey)
 		}
 
@@ -1124,7 +1124,7 @@ func (n *NGINXController) createServers(data []*ingress.Ingress,
 		ingKey := k8s.MetaNamespaceKey(ing)
 		anns := ing.ParsedAnnotations
 
-		if !n.store.GetBackendConfiguration().EnableSnippetDirectives {
+		if !n.store.GetBackendConfiguration().AllowSnippetAnnotations {
 			dropSnippetDirectives(anns, ingKey)
 		}
 
@@ -1204,7 +1204,7 @@ func (n *NGINXController) createServers(data []*ingress.Ingress,
 		ingKey := k8s.MetaNamespaceKey(ing)
 		anns := ing.ParsedAnnotations
 
-		if !n.store.GetBackendConfiguration().EnableSnippetDirectives {
+		if !n.store.GetBackendConfiguration().AllowSnippetAnnotations {
 			dropSnippetDirectives(anns, ingKey)
 		}
 
diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go
index 1ed876600..d7020bb48 100644
--- a/internal/ingress/controller/controller_test.go
+++ b/internal/ingress/controller/controller_test.go
@@ -255,7 +255,7 @@ func TestCheckIngress(t *testing.T) {
 			nginx.store = fakeIngressStore{
 				ingresses: []*ingress.Ingress{},
 				configuration: ngx_config.Configuration{
-					EnableSnippetDirectives: false,
+					AllowSnippetAnnotations: false,
 				},
 			}
 			nginx.command = testNginxTestCommand{
@@ -2309,7 +2309,7 @@ func TestGetBackendServers(t *testing.T) {
 						SelfLink: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/config", ns),
 					},
 					Data: map[string]string{
-						"enable-snippet-directives": "false",
+						"allow-snippet-annotations": "false",
 					},
 				}
 			},
diff --git a/test/e2e/annotations/modsecurity/modsecurity.go b/test/e2e/annotations/modsecurity/modsecurity.go
index c4babf21a..cfd6286e4 100644
--- a/test/e2e/annotations/modsecurity/modsecurity.go
+++ b/test/e2e/annotations/modsecurity/modsecurity.go
@@ -316,7 +316,7 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
 		f.SetNginxConfigMapData(map[string]string{
 			"enable-modsecurity":           "true",
 			"enable-owasp-modsecurity-crs": "true",
-			"enable-snippet-directives":    "false",
+			"allow-snippet-annotations":    "false",
 			"modsecurity-snippet":          expectedComment,
 		})
 
diff --git a/test/e2e/annotations/serversnippet.go b/test/e2e/annotations/serversnippet.go
index ccd235e13..adba23fee 100644
--- a/test/e2e/annotations/serversnippet.go
+++ b/test/e2e/annotations/serversnippet.go
@@ -67,10 +67,10 @@ var _ = framework.DescribeAnnotation("server-snippet", func() {
 		}
 
 		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
-		f.UpdateNginxConfigMapData("enable-snippet-directives", "false")
+		f.UpdateNginxConfigMapData("allow-snippet-annotations", "false")
 		defer func() {
 			// Return to the original value
-			f.UpdateNginxConfigMapData("enable-snippet-directives", "true")
+			f.UpdateNginxConfigMapData("allow-snippet-annotations", "true")
 		}()
 		// Sleep a while just to guarantee that the configmap is applied
 		framework.Sleep()
diff --git a/test/e2e/annotations/snippet.go b/test/e2e/annotations/snippet.go
index 82f062220..be0e9ccf9 100644
--- a/test/e2e/annotations/snippet.go
+++ b/test/e2e/annotations/snippet.go
@@ -63,10 +63,10 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() {
 		}
 
 		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
-		f.UpdateNginxConfigMapData("enable-snippet-directives", "false")
+		f.UpdateNginxConfigMapData("allow-snippet-annotations", "false")
 		defer func() {
 			// Return to the original value
-			f.UpdateNginxConfigMapData("enable-snippet-directives", "true")
+			f.UpdateNginxConfigMapData("allow-snippet-annotations", "true")
 		}()
 		// Sleep a while just to guarantee that the configmap is applied
 		framework.Sleep()
diff --git a/test/e2e/settings/server_snippet.go b/test/e2e/settings/server_snippet.go
index c3ff5aa46..b9e172717 100644
--- a/test/e2e/settings/server_snippet.go
+++ b/test/e2e/settings/server_snippet.go
@@ -94,7 +94,7 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() {
 		hostAnnots := "serverannotssnippet2.foo.com"
 
 		f.SetNginxConfigMapData(map[string]string{
-			"enable-snippet-directives": "false",
+			"allow-snippet-annotations": "false",
 			"server-snippet": `
 			more_set_headers "Globalfoo: Foooo";`,
 		})

From abab0396757dcd6f72018ee66611db18df838b17 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Tue, 21 Sep 2021 08:58:23 -0300
Subject: [PATCH 127/376] Trigger v1.0.1 release (#7679)

---
 TAG | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/TAG b/TAG
index 0ec25f750..b18d46540 100644
--- a/TAG
+++ b/TAG
@@ -1 +1 @@
-v1.0.0
+v1.0.1

From f66f87fc2190273cf09c102ae9577368a27d202e Mon Sep 17 00:00:00 2001
From: Noah Ispas <13436814+iamNoah1@users.noreply.github.com>
Date: Wed, 22 Sep 2021 14:12:02 +0200
Subject: [PATCH 128/376] preparing release v1.0.1 (#7681)

* preparing release v1.0.1

* update shas to newest promoted image

* update changelog of helm chart

* change requests from PR
---
 Changelog.md                                  | 66 +++++++++++++++
 README.md                                     |  2 +
 charts/ingress-nginx/CHANGELOG.md             |  8 ++
 charts/ingress-nginx/Chart.yaml               |  9 +-
 charts/ingress-nginx/values.yaml              |  4 +-
 .../provider/aws/deploy-tls-termination.yaml  | 82 +++++++++----------
 deploy/static/provider/aws/deploy.yaml        | 82 +++++++++----------
 deploy/static/provider/baremetal/deploy.yaml  | 82 +++++++++----------
 deploy/static/provider/cloud/deploy.yaml      | 82 +++++++++----------
 deploy/static/provider/do/deploy.yaml         | 82 +++++++++----------
 deploy/static/provider/exoscale/deploy.yaml   | 82 +++++++++----------
 deploy/static/provider/kind/deploy.yaml       | 82 +++++++++----------
 deploy/static/provider/scw/deploy.yaml        | 82 +++++++++----------
 docs/deploy/index.md                          | 20 ++---
 stable.txt                                    |  2 +-
 15 files changed, 421 insertions(+), 346 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index c9327db71..af44a04b0 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,71 @@
 # Changelog
 
+### 1.0.1
+
+**Image:**
+- k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e
+
+**Known Issues**
+* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.2, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578). 
+
+_New Features:_
+
+_Changes:_
+
+- [X] [#7670](https://github.com/kubernetes/ingress-nginx/pull/7670) Change enable-snippet to allow-snippet-annotation (#7670)
+- [X] [#7672](https://github.com/kubernetes/ingress-nginx/pull/7672) add option for documentiony only to pr template (#7672)
+- [X] [#7668](https://github.com/kubernetes/ingress-nginx/pull/7668) added example multiple controller install to faq (#7668)
+- [X] [#7665](https://github.com/kubernetes/ingress-nginx/pull/7665) Add option to force enabling snippet directives (#7665)
+- [X] [#7659](https://github.com/kubernetes/ingress-nginx/pull/7659) Replace kube-lego docs with cert-manager (#7659)
+- [X] [#7656](https://github.com/kubernetes/ingress-nginx/pull/7656) Changelog.md: Update references to sigs.k8s.io/promo-tools (#7656)
+- [X] [#7603](https://github.com/kubernetes/ingress-nginx/pull/7603) additional info for the custom-headers documentation page (#7603)
+- [X] [#7630](https://github.com/kubernetes/ingress-nginx/pull/7630) images/kube-webhook-certgen/rootfs: improvements (#7630)
+- [X] [#7636](https://github.com/kubernetes/ingress-nginx/pull/7636) Add github action for building images (#7636)
+- [X] [#7648](https://github.com/kubernetes/ingress-nginx/pull/7648) Update e2e-test-runner image (#7648)
+- [X] [#7643](https://github.com/kubernetes/ingress-nginx/pull/7643) Update NGINX base image to v1.19 (#7643)
+- [X] [#7642](https://github.com/kubernetes/ingress-nginx/pull/7642) Add security contacts (#7642)
+- [X] [#7640](https://github.com/kubernetes/ingress-nginx/pull/7640) fix typos. (#7640)
+- [X] [#7639](https://github.com/kubernetes/ingress-nginx/pull/7536) Downgrade nginx to v1.19 (#7639)
+- [X] [#7575](https://github.com/kubernetes/ingress-nginx/pull/7575) Add e2e tests for secure cookie annotations (#7575) (#7619)
+- [X] [#7625](https://github.com/kubernetes/ingress-nginx/pull/7625) Only build nginx-errors for linux/amd64 (#7625)
+- [X] [#7609](https://github.com/kubernetes/ingress-nginx/pull/7609) Add new flag to watch ingressclass by name instead of spec (#7609)
+- [X] [#7604](https://github.com/kubernetes/ingress-nginx/pull/7604) Change the cloudbuild timeout (#7604)
+- [X] [#7460](https://github.com/kubernetes/ingress-nginx/pull/7460) Fix old tag of custom error pages used in example (#7460)
+- [X] [#7577](https://github.com/kubernetes/ingress-nginx/pull/7577) Added command to get Nginx versionq! (#7577)
+- [X] [#7611](https://github.com/kubernetes/ingress-nginx/pull/7611) Helm notes outputs non nil value for ingress.class annotation (#7611)
+- [X] [#7469](https://github.com/kubernetes/ingress-nginx/pull/7469) Allow the usage of Services as Upstream on a global level (#7469)
+- [X] [#7393](https://github.com/kubernetes/ingress-nginx/pull/7393) getEndpoints uses service target port directly if it's a number and mismatch with port name in endpoint (#7393)
+- [X] [#7514](https://github.com/kubernetes/ingress-nginx/pull/7514) nginx flag: --disable-full-test flag to allow testing configfile of the current single ingress (#7514)
+- [X] [#7374](https://github.com/kubernetes/ingress-nginx/pull/7374) Trigger syncIngress on Service addition/deletion #7346 (#7374)
+- [X] [#7464](https://github.com/kubernetes/ingress-nginx/pull/7464) Sync Hostname and IP address from service to ingress status (#7464)
+- [X] [#7560](https://github.com/kubernetes/ingress-nginx/pull/7560) put modsecurity e2e tests into their own packages (#7560)
+- [X] [#7202](https://github.com/kubernetes/ingress-nginx/pull/7202) Additional AuthTLS assertions and doc change to demonstrate auth-tls-secret enables the other AuthTLS annotations (#7202)
+- [X] [#7606](https://github.com/kubernetes/ingress-nginx/pull/7606) fix cli flag typo in faq (#7606)
+- [X] [#7601](https://github.com/kubernetes/ingress-nginx/pull/7601) fix charts README.md to give additional detail on prometheus metrics … (#7601)
+- [X] [#7596](https://github.com/kubernetes/ingress-nginx/pull/7596) Update e2e test runner image (#7596)
+- [X] [#7604](https://github.com/kubernetes/ingress-nginx/pull/7604) Update cloudbuild timeout (#7604)
+- [X] [#7440](https://github.com/kubernetes/ingress-nginx/pull/7440) remove timestamp when requeuing Element (#7440)
+- [X] [#7598](https://github.com/kubernetes/ingress-nginx/pull/7598) fix 7591 (#7598)
+- [X] [#7597](https://github.com/kubernetes/ingress-nginx/pull/7597) Update to the base nginx image (#7597)
+- [X] [#7540](https://github.com/kubernetes/ingress-nginx/pull/7540) improve faq for migration to ingress api v1 (#7540)
+- [X] [#7594](https://github.com/kubernetes/ingress-nginx/pull/7594) Remove addgroup directive from alpine building (#7594)
+- [X] [#7592](https://github.com/kubernetes/ingress-nginx/pull/7592) Change builder in a new attempt to make it run (#7592)
+- [X] [#7584](https://github.com/kubernetes/ingress-nginx/pull/7584) Changing gcb builder (#7584)
+- [X] [#7583](https://github.com/kubernetes/ingress-nginx/pull/7583) update alpine and remove buildx restriction (#7583)
+- [X] [#7561](https://github.com/kubernetes/ingress-nginx/pull/7561) Add doc ref for preserve-trailing-slash annotation (#7561)
+- [X] [#7581](https://github.com/kubernetes/ingress-nginx/pull/7581) Default KinD manifest to watch ingresses without class (#7581)
+- [X] [#7511](https://github.com/kubernetes/ingress-nginx/pull/7511) add same tcp and udp ports to internal load balancer (#7511)
+- [X] [#7399](https://github.com/kubernetes/ingress-nginx/pull/7399) feat: add session-cookie-secure annotation (#7399)
+- [X] [#7556](https://github.com/kubernetes/ingress-nginx/pull/7556) Fix YAML indentation issue (#7556)
+- [X] [#7558](https://github.com/kubernetes/ingress-nginx/pull/7558) Revert "Update base nginx" (#7558)
+- [X] [#7552](https://github.com/kubernetes/ingress-nginx/pull/7552) Update base nginx (#7552)
+- [X] [#7541](https://github.com/kubernetes/ingress-nginx/pull/7541) Add a flag to specify address to bind the healthz server (#7541)
+- [X] [#7503](https://github.com/kubernetes/ingress-nginx/pull/7503) Document the keep-alive 0 effect on http/2 requests (#7503)
+- [X] [#7264](https://github.com/kubernetes/ingress-nginx/pull/7264) Update docs for new ingress api in cluster version >=1.19 (#7264)
+- [X] [#7545](https://github.com/kubernetes/ingress-nginx/pull/7545) Improving e2e tests for non-service backends #7544 (#7545)
+- [X] [#7537](https://github.com/kubernetes/ingress-nginx/pull/7537) improve docs for release - added step to edit README for support matrix (#7537)
+- [X] [#7536](https://github.com/kubernetes/ingress-nginx/pull/7536) add known issues in changelog.md for release v1.0.0 (#7536)
+
 ### 1.0.0
 **This is a breaking change**
 
diff --git a/README.md b/README.md
index 3a7755ab5..def1895e7 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,9 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 
 | Ingress-nginx version | k8s supported version  | Alpine Version | Nginx Version |
 |-----------------------|-------------           |----------------|---------------|
+| v1.0.1                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9       |
 | v1.0.0                | 1.22, 1.21, 1.20, 1.19 | 3.13.5         |  1.20.1       |
+| v0.49.1               | 1.21, 1.20, 1.19       | 3.13.5         |  1.19.9       |
 | v0.49.0               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
 | v0.48.1               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
 | v0.47.0               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md
index 36526e082..431a56225 100644
--- a/charts/ingress-nginx/CHANGELOG.md
+++ b/charts/ingress-nginx/CHANGELOG.md
@@ -2,6 +2,14 @@
 
 This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
 
+### 4.0.2 
+
+- [7681] https://github.com/kubernetes/ingress-nginx/pull/7681 Release v1.0.1 of ingress-nginx
+
+### 4.0.1 
+
+- [7535] https://github.com/kubernetes/ingress-nginx/pull/7535 Release v1.0.0 ingress-nginx
+
 ### 3.34.0
 
 - [7256] https://github.com/kubernetes/ingress-nginx/pull/7256 Add namespace field in the namespace scoped resource templates
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 02621b9bb..b9f795878 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.0.1
-appVersion: 1.0.0
+version: 4.0.2
+appVersion: 1.0.1
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
@@ -24,6 +24,5 @@ annotations:
   # List of changes for the release in artifacthub.io
   # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog
   artifacthub.io/changes: |
-    - Support for Ingress object v1 and drop support for v1beta1
-    - Update to go 1.17
-    - Fix some bugs
+    - Downgrade NGINX to v1.19.9
+    - Update Base Image to alpine 3.14.2
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index b58e79975..8cf1ee8b4 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -15,8 +15,8 @@ controller:
     # for backwards compatibility consider setting the full image url via the repository value below
     # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     # repository:
-    tag: "v1.0.0"
-    digest: sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6
+    tag: "v1.0.1"
+    digest: sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e
     pullPolicy: IfNotPresent
     # www-data -> uid 101
     runAsUser: 101
diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml
index 3085270d8..33f1f9d76 100644
--- a/deploy/static/provider/aws/deploy-tls-termination.yaml
+++ b/deploy/static/provider/aws/deploy-tls-termination.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -50,10 +50,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -117,10 +117,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -137,10 +137,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -221,10 +221,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -243,10 +243,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -275,10 +275,10 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
     service.beta.kubernetes.io/aws-load-balancer-type: elb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -307,10 +307,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -333,7 +333,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -425,10 +425,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -443,10 +443,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -483,10 +483,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -499,10 +499,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -523,10 +523,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -548,10 +548,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -573,10 +573,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -598,10 +598,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -609,10 +609,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.1
+        helm.sh/chart: ingress-nginx-4.0.2
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0
+        app.kubernetes.io/version: 1.0.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -648,10 +648,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -659,10 +659,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.1
+        helm.sh/chart: ingress-nginx-4.0.2
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0
+        app.kubernetes.io/version: 1.0.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml
index 6c3947d0e..3f388e58e 100644
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -43,10 +43,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -110,10 +110,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -130,10 +130,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -214,10 +214,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -236,10 +236,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -265,10 +265,10 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -297,10 +297,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -323,7 +323,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -412,10 +412,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -430,10 +430,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -470,10 +470,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -486,10 +486,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -510,10 +510,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -535,10 +535,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -560,10 +560,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -585,10 +585,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -596,10 +596,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.1
+        helm.sh/chart: ingress-nginx-4.0.2
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0
+        app.kubernetes.io/version: 1.0.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -635,10 +635,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -646,10 +646,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.1
+        helm.sh/chart: ingress-nginx-4.0.2
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0
+        app.kubernetes.io/version: 1.0.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml
index 1ecedee18..6f197e8aa 100644
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -43,10 +43,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -110,10 +110,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -130,10 +130,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -214,10 +214,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -236,10 +236,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -262,10 +262,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -293,10 +293,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -319,7 +319,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -407,10 +407,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -425,10 +425,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -465,10 +465,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -481,10 +481,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -505,10 +505,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -530,10 +530,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -555,10 +555,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -580,10 +580,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -591,10 +591,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.1
+        helm.sh/chart: ingress-nginx-4.0.2
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0
+        app.kubernetes.io/version: 1.0.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -630,10 +630,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -641,10 +641,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.1
+        helm.sh/chart: ingress-nginx-4.0.2
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0
+        app.kubernetes.io/version: 1.0.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml
index 3cc902135..a7f0ab730 100644
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -43,10 +43,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -110,10 +110,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -130,10 +130,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -214,10 +214,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -236,10 +236,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -262,10 +262,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -294,10 +294,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -320,7 +320,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -409,10 +409,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -427,10 +427,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -467,10 +467,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -483,10 +483,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -507,10 +507,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -532,10 +532,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -557,10 +557,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -582,10 +582,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -593,10 +593,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.1
+        helm.sh/chart: ingress-nginx-4.0.2
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0
+        app.kubernetes.io/version: 1.0.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -632,10 +632,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -643,10 +643,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.1
+        helm.sh/chart: ingress-nginx-4.0.2
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0
+        app.kubernetes.io/version: 1.0.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml
index 3e808aaac..6e6701f22 100644
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -111,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -131,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -215,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -237,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -264,10 +264,10 @@ metadata:
   annotations:
     service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -296,10 +296,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -322,7 +322,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -411,10 +411,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -429,10 +429,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -470,10 +470,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -486,10 +486,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -510,10 +510,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -535,10 +535,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -560,10 +560,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -585,10 +585,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -596,10 +596,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.1
+        helm.sh/chart: ingress-nginx-4.0.2
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0
+        app.kubernetes.io/version: 1.0.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -635,10 +635,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -646,10 +646,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.1
+        helm.sh/chart: ingress-nginx-4.0.2
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0
+        app.kubernetes.io/version: 1.0.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml
index 66491a116..fe5bb54b5 100644
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -43,10 +43,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -110,10 +110,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -130,10 +130,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -214,10 +214,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -236,10 +236,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -270,10 +270,10 @@ metadata:
     service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: 3s
     service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -302,10 +302,10 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -328,7 +328,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -417,10 +417,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -435,10 +435,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -475,10 +475,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -491,10 +491,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -515,10 +515,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -540,10 +540,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -565,10 +565,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -590,10 +590,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -601,10 +601,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.1
+        helm.sh/chart: ingress-nginx-4.0.2
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0
+        app.kubernetes.io/version: 1.0.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -640,10 +640,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -651,10 +651,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.1
+        helm.sh/chart: ingress-nginx-4.0.2
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0
+        app.kubernetes.io/version: 1.0.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index 4bd7e42c3..564946582 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -43,10 +43,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -110,10 +110,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -130,10 +130,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -214,10 +214,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -236,10 +236,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -262,10 +262,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -293,10 +293,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -323,7 +323,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -420,10 +420,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -438,10 +438,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -478,10 +478,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -494,10 +494,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -518,10 +518,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -543,10 +543,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -568,10 +568,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -593,10 +593,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -604,10 +604,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.1
+        helm.sh/chart: ingress-nginx-4.0.2
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0
+        app.kubernetes.io/version: 1.0.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -643,10 +643,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -654,10 +654,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.1
+        helm.sh/chart: ingress-nginx-4.0.2
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0
+        app.kubernetes.io/version: 1.0.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml
index 006485a44..70d2ddbe1 100644
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -111,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -131,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -215,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -237,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -264,10 +264,10 @@ metadata:
   annotations:
     service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -296,10 +296,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -322,7 +322,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -411,10 +411,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -429,10 +429,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -469,10 +469,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -485,10 +485,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -509,10 +509,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -534,10 +534,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -559,10 +559,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -584,10 +584,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -595,10 +595,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.1
+        helm.sh/chart: ingress-nginx-4.0.2
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0
+        app.kubernetes.io/version: 1.0.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -634,10 +634,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.1
+    helm.sh/chart: ingress-nginx-4.0.2
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.0
+    app.kubernetes.io/version: 1.0.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -645,10 +645,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.1
+        helm.sh/chart: ingress-nginx-4.0.2
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.0
+        app.kubernetes.io/version: 1.0.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index db1f83655..059bdb862 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -54,7 +54,7 @@ Kubernetes is available in Docker Desktop
 - Windows, from [version 18.06.0-ce](https://docs.docker.com/docker-for-windows/release-notes/#docker-community-edition-18060-ce-win70-2018-07-25)
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.1/deploy/static/provider/cloud/deploy.yaml
 ```
 
 #### minikube
@@ -82,7 +82,7 @@ In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controll
 ##### Network Load Balancer (NLB)
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/aws/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.1/deploy/static/provider/aws/deploy.yaml
 ```
 
 ##### TLS termination in AWS Load Balancer (ELB)
@@ -91,10 +91,10 @@ In some scenarios is required to terminate TLS in the Load Balancer and not in t
 
 For this purpose we provide a template:
 
-- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/aws/deploy-tls-termination.yaml)
+- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.1/deploy/static/provider/aws/deploy-tls-termination.yaml)
 
 ```console
-wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/aws/deploy-tls-termination.yaml
+wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.1/deploy/static/provider/aws/deploy-tls-termination.yaml
 ```
 
 - Edit the file and change:
@@ -140,7 +140,7 @@ More information with regards to timeouts can be found in the [official AWS docu
 
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.1/deploy/static/provider/cloud/deploy.yaml
 ```
 
 !!! failure Important
@@ -149,7 +149,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 #### Azure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.1/deploy/static/provider/cloud/deploy.yaml
 ```
 
 More information with regards to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller).
@@ -157,13 +157,13 @@ More information with regards to Azure annotations for ingress controller can be
 #### Digital Ocean
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/do/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.1/deploy/static/provider/do/deploy.yaml
 ```
 
 #### Scaleway
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/scw/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.1/deploy/static/provider/scw/deploy.yaml
 ```
 
 #### Exoscale
@@ -177,7 +177,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale
 #### Oracle Cloud Infrastructure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.1/deploy/static/provider/cloud/deploy.yaml
 ```
 
 A [complete list of available annotations for Oracle Cloud Infrastructure](https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md) can be found in the [OCI Cloud Controller Manager](https://github.com/oracle/oci-cloud-controller-manager) documentation.
@@ -187,7 +187,7 @@ A [complete list of available annotations for Oracle Cloud Infrastructure](https
 Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport):
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/baremetal/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.1/deploy/static/provider/baremetal/deploy.yaml
 ```
 
 !!! tip
diff --git a/stable.txt b/stable.txt
index ae67461b9..eb4cb9717 100644
--- a/stable.txt
+++ b/stable.txt
@@ -1 +1 @@
-controller-v1.0.0
\ No newline at end of file
+controller-v1.0.1
\ No newline at end of file

From dedb495c5570571ca484201e8312dc96a85e3b63 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Wed, 22 Sep 2021 09:30:44 -0300
Subject: [PATCH 129/376] Change legacy branch in GH action

---
 .github/workflows/helm.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml
index 7c54282de..b4aa5a5ff 100644
--- a/.github/workflows/helm.yaml
+++ b/.github/workflows/helm.yaml
@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - main
-      - dev-v1
+      - legacy
 
 jobs:
 

From 1a5c0b7ed2f4a9f21e4a79012cab101151bb9caa Mon Sep 17 00:00:00 2001
From: pierre villard <pvillard@ilki.fr>
Date: Fri, 24 Sep 2021 13:01:24 +0200
Subject: [PATCH 130/376] Correct a mistake (#7690)

---
 docs/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/index.md b/docs/index.md
index 9e88b2dca..2ad14162d 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -63,7 +63,7 @@ FIELDS:
 
 There are 2 reasons primarily.
 
-(Reason #1) Until K8s version 1.21, it was was possible to create a ingress resource, with the "apiVersion:" field set to a value like ;
+(Reason #1) Until K8s version 1.21, it was possible to create a ingress resource, with the "apiVersion:" field set to a value like ;
   - extensions/v1beta1
   - networking.k8s.io/v1beta1
 

From 3ae09fd1fac381fce9f5066febf172a4a70c10a9 Mon Sep 17 00:00:00 2001
From: Noah Ispas <13436814+iamNoah1@users.noreply.github.com>
Date: Fri, 24 Sep 2021 13:03:23 +0200
Subject: [PATCH 131/376] add 0.49.1 to changelog (#7692)

---
 Changelog.md | 19 ++++++++++++++++++-
 README.md    |  2 +-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index af44a04b0..71cdb42cd 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -45,7 +45,7 @@ _Changes:_
 - [X] [#7596](https://github.com/kubernetes/ingress-nginx/pull/7596) Update e2e test runner image (#7596)
 - [X] [#7604](https://github.com/kubernetes/ingress-nginx/pull/7604) Update cloudbuild timeout (#7604)
 - [X] [#7440](https://github.com/kubernetes/ingress-nginx/pull/7440) remove timestamp when requeuing Element (#7440)
-- [X] [#7598](https://github.com/kubernetes/ingress-nginx/pull/7598) fix 7591 (#7598)
+- [X] [#7598](https://github.com/kubernetes/ingress-nginx/pull/7598) correct docs on ingressClass resource being disabled (#7598)
 - [X] [#7597](https://github.com/kubernetes/ingress-nginx/pull/7597) Update to the base nginx image (#7597)
 - [X] [#7540](https://github.com/kubernetes/ingress-nginx/pull/7540) improve faq for migration to ingress api v1 (#7540)
 - [X] [#7594](https://github.com/kubernetes/ingress-nginx/pull/7594) Remove addgroup directive from alpine building (#7594)
@@ -115,6 +115,23 @@ Changes:
 - [X] [#6940](https://github.com/kubernetes/ingress-nginx/pull/6940) Fix definition order of modsecurity directives 
 - [X] [#7156] Drops support for Ingress Object v1beta1
 
+### 0.49.1
+
+**Image:**
+
+- `k8s.gcr.io/ingress-nginx/controller:v0.49.1@sha256:4080849490fd4f61416ad7bdba6fdd0ee58164f2e13df1128b407ce82d5f3986`
+
+_New Features:_
+
+
+_Changes:_
+
+- [x] [#7670](https://github.com/kubernetes/ingress-nginx/pull/7670) Change enable-snippet to allow-snippet-annotation (#7670) (#7677)
+- [x] [#7676](https://github.com/kubernetes/ingress-nginx/pull/7676) Fix opentracing in v0.X (#7676)
+- [x] [#7643](https://github.com/kubernetes/ingress-nginx/pull/7643) Update NGINX base image to v1.19 (#7643)
+- [x] [#7665](https://github.com/kubernetes/ingress-nginx/pull/7665) Add option to force enabling snippet directives (7665)
+- [x] [#7521](https://github.com/kubernetes/ingress-nginx/pull/7521) Update ingress to go 1.17 (#7521)
+
 ### 0.49.0
 
 **Image:**
diff --git a/README.md b/README.md
index def1895e7..969bfd6b0 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,7 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 |-----------------------|-------------           |----------------|---------------|
 | v1.0.1                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9       |
 | v1.0.0                | 1.22, 1.21, 1.20, 1.19 | 3.13.5         |  1.20.1       |
-| v0.49.1               | 1.21, 1.20, 1.19       | 3.13.5         |  1.19.9       |
+| v0.49.1               | 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9       |
 | v0.49.0               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
 | v0.48.1               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
 | v0.47.0               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |

From 0606ef8282bdb46d9163dbee5be416f8f8c26217 Mon Sep 17 00:00:00 2001
From: Jintao Zhang <zhangjintao9020@gmail.com>
Date: Sun, 26 Sep 2021 23:50:23 +0800
Subject: [PATCH 132/376] fix: upgrade lua-resty-balancer to v0.04 (#7702)

it has two important bugfix:

1. should force convert weight to a number since it may cause dead loop
   when weight is a string type "0".
2. out-of-bounds memory writing may happen in chash_point_sort.

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
---
 images/nginx/rootfs/build.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
index 46daf5d5f..eb73f3d81 100755
--- a/images/nginx/rootfs/build.sh
+++ b/images/nginx/rootfs/build.sh
@@ -88,8 +88,8 @@ export NGINX_AJP_VERSION=a964a0bcc6a9f2bfb82a13752d7794a36319ffac
 # Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20210510...v2.1-agentzh
 export LUAJIT_VERSION=2.1-20210510
 
-# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/v0.03...master
-export LUA_RESTY_BALANCER=56fd8ad03d5718f507a5129edc43a25948364b9f
+# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/v0.04...master
+export LUA_RESTY_BALANCER=d97f37ddcbd5c329e0b0447fca4b2469e4f7d63e
 
 # Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/v0.11...master
 export LUA_RESTY_CACHE=0.11
@@ -279,7 +279,7 @@ get_src 5d16e623d17d4f42cc64ea9cfb69ca960d313e12f5d828f785dd227cc483fcbd \
 get_src 462c6b38792bab4ca8212bdfd3f2e38f6883bb45c8fb8a03474ea813e0fab853 \
         "https://github.com/openresty/lua-resty-string/archive/$LUA_RESTY_STRING_VERSION.tar.gz"
 
-get_src b3d28adac2acee1e5904e9f65d6e80e0553b01647fa0701b812bc7e464de74ad \
+get_src 16d72ed133f0c6df376a327386c3ef4e9406cf51003a700737c3805770ade7c5 \
         "https://github.com/openresty/lua-resty-balancer/archive/$LUA_RESTY_BALANCER.tar.gz"
 
 if [[ ${ARCH} == "s390x" ]]; then

From 5662db4509300e44db47f45f24e76084375e6bc4 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Sun, 26 Sep 2021 14:28:21 -0300
Subject: [PATCH 133/376] Fix resty balancer checksum and location (#7703)

---
 images/nginx/rootfs/build.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
index eb73f3d81..4a8fa1a4c 100755
--- a/images/nginx/rootfs/build.sh
+++ b/images/nginx/rootfs/build.sh
@@ -89,7 +89,7 @@ export NGINX_AJP_VERSION=a964a0bcc6a9f2bfb82a13752d7794a36319ffac
 export LUAJIT_VERSION=2.1-20210510
 
 # Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/v0.04...master
-export LUA_RESTY_BALANCER=d97f37ddcbd5c329e0b0447fca4b2469e4f7d63e
+export LUA_RESTY_BALANCER=0.04
 
 # Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/v0.11...master
 export LUA_RESTY_CACHE=0.11
@@ -280,7 +280,7 @@ get_src 462c6b38792bab4ca8212bdfd3f2e38f6883bb45c8fb8a03474ea813e0fab853 \
         "https://github.com/openresty/lua-resty-string/archive/$LUA_RESTY_STRING_VERSION.tar.gz"
 
 get_src 16d72ed133f0c6df376a327386c3ef4e9406cf51003a700737c3805770ade7c5 \
-        "https://github.com/openresty/lua-resty-balancer/archive/$LUA_RESTY_BALANCER.tar.gz"
+        "https://github.com/openresty/lua-resty-balancer/archive/v$LUA_RESTY_BALANCER.tar.gz"
 
 if [[ ${ARCH} == "s390x" ]]; then
 get_src 8f5f76d2689a3f6b0782f0a009c56a65e4c7a4382be86422c9b3549fe95b0dc4 \

From 9acf62d867145a071ad715020292bbb887289ba0 Mon Sep 17 00:00:00 2001
From: Mateusz Gozdek <mgozdek@microsoft.com>
Date: Sun, 26 Sep 2021 19:44:22 +0200
Subject: [PATCH 134/376] images/kube-webhook-certgen/rootfs: add support for
 patching APIService objects (#7641)

* images/kube-webhook-certgen/rootfs/pkg/k8s: return err from functions

Initially only from some to preserve existing behavior.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs: make patching return error

So we don't call log.Fatal in so many places, which makes code testable.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/pkg/k8s: require context

So initialize top-level contexts in tests and CLI, then pass them around
all the way down, so there is an ability e.g. to add timeouts to patch
operations, if needed and to follow general conventions.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/pkg/k8s: support patching APIService

APIService object is very similar to MutatingWebhookConfiguration and
ValidatingWebhookConfiguration objects, so support for patching it
shouldn't be too much of a burden.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/cmd: use new patch API

So old function PatchWebhookConfigurations can be unexported and CLI can
be extended to also support patching APIService.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/pkg/k8s: unexport old patch function

PatchObjects should be now used instead.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs: add .gitignore

To ignore manually built binaries during development process.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/cmd: test patching

By adding a PatchConfig and Patch function, it is now possible to test
logic of flag validation, which was previously tied to CLI options.

This commit adds nice set of tests covering existing logic.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/cmd: improve formatting

Those strings will be changed anyway in future commits, so at first we
can properly capitalize used names.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/cmd: support patching APIService

As logic for creating a CA certificate and patching an object is almost
the same for both webhook configuration and API services, this commit
adds support to kube-webhook-certgen CLI to also patch APIService
objects, so they can be served over TLS as well.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs: pass failure policy by value

k8s.k8s.patchWebhookConfigurations() always dereferences it and we do
not do a nil check, so the code may panic in some conditions, so it's
safer to just pass it by value, as it's just a wrapped string.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
---
 images/kube-webhook-certgen/rootfs/.gitignore |   1 +
 .../kube-webhook-certgen/rootfs/cmd/create.go |  12 +-
 .../kube-webhook-certgen/rootfs/cmd/patch.go  | 102 +++++--
 .../rootfs/cmd/patch_test.go                  | 254 ++++++++++++++++++
 .../kube-webhook-certgen/rootfs/cmd/root.go   |  14 +-
 images/kube-webhook-certgen/rootfs/go.mod     |   1 +
 images/kube-webhook-certgen/rootfs/go.sum     | 179 ++++++++++++
 .../rootfs/pkg/k8s/k8s.go                     | 168 ++++++++++--
 .../rootfs/pkg/k8s/k8s_test.go                |  52 +++-
 9 files changed, 723 insertions(+), 60 deletions(-)
 create mode 100644 images/kube-webhook-certgen/rootfs/.gitignore
 create mode 100644 images/kube-webhook-certgen/rootfs/cmd/patch_test.go

diff --git a/images/kube-webhook-certgen/rootfs/.gitignore b/images/kube-webhook-certgen/rootfs/.gitignore
new file mode 100644
index 000000000..f82bfe10c
--- /dev/null
+++ b/images/kube-webhook-certgen/rootfs/.gitignore
@@ -0,0 +1 @@
+/kube-webhook-certgen
diff --git a/images/kube-webhook-certgen/rootfs/cmd/create.go b/images/kube-webhook-certgen/rootfs/cmd/create.go
index 576a59bc0..e61d2c4a1 100644
--- a/images/kube-webhook-certgen/rootfs/cmd/create.go
+++ b/images/kube-webhook-certgen/rootfs/cmd/create.go
@@ -1,6 +1,8 @@
 package cmd
 
 import (
+	"context"
+
 	"github.com/jet/kube-webhook-certgen/pkg/certs"
 	"github.com/jet/kube-webhook-certgen/pkg/k8s"
 	log "github.com/sirupsen/logrus"
@@ -16,13 +18,17 @@ var create = &cobra.Command{
 }
 
 func createCommand(cmd *cobra.Command, args []string) {
-	k := k8s.New(newKubernetesClient(cfg.kubeconfig))
-	ca := k.GetCaFromSecret(cfg.secretName, cfg.namespace)
+	clientset, aggregatorClientset := newKubernetesClients(cfg.kubeconfig)
+	k := k8s.New(clientset, aggregatorClientset)
+
+	ctx := context.TODO()
+
+	ca := k.GetCaFromSecret(ctx, cfg.secretName, cfg.namespace)
 	if ca == nil {
 		log.Info("creating new secret")
 		newCa, newCert, newKey := certs.GenerateCerts(cfg.host)
 		ca = newCa
-		k.SaveCertsToSecret(cfg.secretName, cfg.namespace, cfg.certName, cfg.keyName, ca, newCert, newKey)
+		k.SaveCertsToSecret(ctx, cfg.secretName, cfg.namespace, cfg.certName, cfg.keyName, ca, newCert, newKey)
 	} else {
 		log.Info("secret already exists")
 	}
diff --git a/images/kube-webhook-certgen/rootfs/cmd/patch.go b/images/kube-webhook-certgen/rootfs/cmd/patch.go
index d139b37c0..dd41103ca 100644
--- a/images/kube-webhook-certgen/rootfs/cmd/patch.go
+++ b/images/kube-webhook-certgen/rootfs/cmd/patch.go
@@ -1,6 +1,10 @@
 package cmd
 
 import (
+	"context"
+	"errors"
+	"fmt"
+
 	"github.com/jet/kube-webhook-certgen/pkg/k8s"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -9,49 +13,109 @@ import (
 
 var patch = &cobra.Command{
 	Use:    "patch",
-	Short:  "Patch a validatingwebhookconfiguration and mutatingwebhookconfiguration 'webhook-name' by using the ca from 'secret-name' in 'namespace'",
-	Long:   "Patch a validatingwebhookconfiguration and mutatingwebhookconfiguration 'webhook-name' by using the ca from 'secret-name' in 'namespace'",
-	PreRun: prePatchCommand,
+	Short:  "Patch a ValidatingWebhookConfiguration, MutatingWebhookConfiguration or APIService 'object-name' by using the ca from 'secret-name' in 'namespace'",
+	Long:   "Patch a ValidatingWebhookConfiguration, MutatingWebhookConfiguration or APIService 'object-name' by using the ca from 'secret-name' in 'namespace'",
+	PreRun: configureLogging,
 	Run:    patchCommand,
 }
 
-func prePatchCommand(cmd *cobra.Command, args []string) {
-	configureLogging(cmd, args)
-	if !cfg.patchMutating && !cfg.patchValidating {
-		log.Fatal("patch-validating=false, patch-mutating=false. You must patch at least one kind of webhook, otherwise this command is a no-op")
+type PatchConfig struct {
+	PatchMutating      bool
+	PatchValidating    bool
+	PatchFailurePolicy string
+	APIServiceName     string
+	WebhookName        string
+
+	SecretName string
+	Namespace  string
+
+	Patcher Patcher
+}
+
+type Patcher interface {
+	PatchObjects(ctx context.Context, options k8s.PatchOptions) error
+	GetCaFromSecret(ctx context.Context, secretName, namespace string) []byte
+}
+
+func Patch(ctx context.Context, cfg *PatchConfig) error {
+	if cfg.Patcher == nil {
+		return fmt.Errorf("no patcher defined")
 	}
-	switch cfg.patchFailurePolicy {
+
+	if !cfg.PatchMutating && !cfg.PatchValidating && cfg.APIServiceName == "" {
+		return fmt.Errorf("patch-validating=false, patch-mutating=false. You must patch at least one kind of webhook, otherwise this command is a no-op")
+	}
+
+	var failurePolicy admissionv1.FailurePolicyType
+
+	switch cfg.PatchFailurePolicy {
 	case "":
 		break
 	case "Ignore":
 	case "Fail":
-		failurePolicy = admissionv1.FailurePolicyType(cfg.patchFailurePolicy)
+		failurePolicy = admissionv1.FailurePolicyType(cfg.PatchFailurePolicy)
 		break
 	default:
-		log.Fatalf("patch-failure-policy %s is not valid", cfg.patchFailurePolicy)
+		return fmt.Errorf("patch-failure-policy %s is not valid", cfg.PatchFailurePolicy)
 	}
+
+	ca := cfg.Patcher.GetCaFromSecret(ctx, cfg.SecretName, cfg.Namespace)
+
+	if ca == nil {
+		return fmt.Errorf("no secret with '%s' in '%s'", cfg.SecretName, cfg.Namespace)
+	}
+
+	options := k8s.PatchOptions{
+		CABundle:          ca,
+		FailurePolicyType: failurePolicy,
+		APIServiceName:    cfg.APIServiceName,
+	}
+
+	if cfg.PatchMutating {
+		options.MutatingWebhookConfigurationName = cfg.WebhookName
+	}
+
+	if cfg.PatchValidating {
+		options.ValidatingWebhookConfigurationName = cfg.WebhookName
+	}
+
+	return cfg.Patcher.PatchObjects(ctx, options)
 }
 
 func patchCommand(_ *cobra.Command, _ []string) {
-	k := k8s.New(newKubernetesClient(cfg.kubeconfig))
-	ca := k.GetCaFromSecret(cfg.secretName, cfg.namespace)
+	client, aggregationClient := newKubernetesClients(cfg.kubeconfig)
 
-	if ca == nil {
-		log.Fatalf("no secret with '%s' in '%s'", cfg.secretName, cfg.namespace)
+	config := &PatchConfig{
+		SecretName:         cfg.secretName,
+		Namespace:          cfg.namespace,
+		PatchMutating:      cfg.patchMutating,
+		PatchValidating:    cfg.patchValidating,
+		PatchFailurePolicy: cfg.patchFailurePolicy,
+		APIServiceName:     cfg.apiServiceName,
+		WebhookName:        cfg.webhookName,
+		Patcher:            k8s.New(client, aggregationClient),
 	}
 
-	k.PatchWebhookConfigurations(cfg.webhookName, ca, &failurePolicy, cfg.patchMutating, cfg.patchValidating)
+	ctx := context.TODO()
+
+	if err := Patch(ctx, config); err != nil {
+		if wrappedErr := errors.Unwrap(err); wrappedErr != nil {
+			log.WithField("err", wrappedErr).Fatal(err.Error())
+		}
+
+		log.Fatal(err.Error())
+	}
 }
 
 func init() {
 	rootCmd.AddCommand(patch)
 	patch.Flags().StringVar(&cfg.secretName, "secret-name", "", "Name of the secret where certificate information will be read from")
 	patch.Flags().StringVar(&cfg.namespace, "namespace", "", "Namespace of the secret where certificate information will be read from")
-	patch.Flags().StringVar(&cfg.webhookName, "webhook-name", "", "Name of validatingwebhookconfiguration and mutatingwebhookconfiguration that will be updated")
-	patch.Flags().BoolVar(&cfg.patchValidating, "patch-validating", true, "If true, patch validatingwebhookconfiguration")
-	patch.Flags().BoolVar(&cfg.patchMutating, "patch-mutating", true, "If true, patch mutatingwebhookconfiguration")
+	patch.Flags().StringVar(&cfg.webhookName, "webhook-name", "", "Name of ValidatingWebhookConfiguration and MutatingWebhookConfiguration that will be updated")
+	patch.Flags().StringVar(&cfg.apiServiceName, "apiservice-name", "", "Name of APIService that will be patched")
+	patch.Flags().BoolVar(&cfg.patchValidating, "patch-validating", true, "If true, patch ValidatingWebhookConfiguration")
+	patch.Flags().BoolVar(&cfg.patchMutating, "patch-mutating", true, "If true, patch MutatingWebhookConfiguration")
 	patch.Flags().StringVar(&cfg.patchFailurePolicy, "patch-failure-policy", "", "If set, patch the webhooks with this failure policy. Valid options are Ignore or Fail")
 	patch.MarkFlagRequired("secret-name")
 	patch.MarkFlagRequired("namespace")
-	patch.MarkFlagRequired("webhook-name")
 }
diff --git a/images/kube-webhook-certgen/rootfs/cmd/patch_test.go b/images/kube-webhook-certgen/rootfs/cmd/patch_test.go
new file mode 100644
index 000000000..2bec3b871
--- /dev/null
+++ b/images/kube-webhook-certgen/rootfs/cmd/patch_test.go
@@ -0,0 +1,254 @@
+package cmd_test
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+	"testing"
+
+	"github.com/jet/kube-webhook-certgen/cmd"
+	"github.com/jet/kube-webhook-certgen/pkg/k8s"
+)
+
+func Test_Patch(t *testing.T) {
+	t.Parallel()
+
+	ctx := context.TODO()
+
+	t.Run("patches_APIService_object_when_requested", func(t *testing.T) {
+		t.Parallel()
+
+		config := testPatchConfig()
+		config.APIServiceName = "bar"
+
+		patcher := testPatcher()
+		patcher.patchObjects = func(_ context.Context, options k8s.PatchOptions) error {
+			if options.APIServiceName != config.APIServiceName {
+				return fmt.Errorf("unexpected APIService name %q, expected %q", options.APIServiceName, config.APIServiceName)
+			}
+
+			return nil
+		}
+		config.Patcher = patcher
+
+		if err := cmd.Patch(ctx, config); err != nil {
+			t.Fatalf("Unexpected patching error: %v", err)
+		}
+	})
+
+	t.Run("use_configured_webhook_name_for_patching", func(t *testing.T) {
+		t.Parallel()
+
+		config := testPatchConfig()
+		config.WebhookName = "foo"
+
+		patcher := testPatcher()
+		patcher.patchObjects = func(_ context.Context, options k8s.PatchOptions) error {
+			if options.ValidatingWebhookConfigurationName != config.WebhookName {
+				return fmt.Errorf("unexpected object name %q, expected %q", options.ValidatingWebhookConfigurationName, config.WebhookName)
+			}
+
+			return nil
+		}
+		config.Patcher = patcher
+
+		if err := cmd.Patch(ctx, config); err != nil {
+			t.Fatalf("Unexpected patching error: %v", err)
+		}
+	})
+
+	t.Run("patches_only_validating_webhook_when_requested", func(t *testing.T) {
+		t.Parallel()
+
+		config := testPatchConfig()
+		config.PatchValidating = true
+		config.PatchMutating = false
+
+		patcher := testPatcher()
+		patcher.patchObjects = func(_ context.Context, options k8s.PatchOptions) error {
+			if options.ValidatingWebhookConfigurationName == "" {
+				t.Error("expected validating webhook to be patched")
+			}
+
+			if options.MutatingWebhookConfigurationName != "" {
+				t.Error("expected mutating webhook to not be patched")
+			}
+
+			if options.APIServiceName != "" {
+				t.Error("expected APIService to not be patched")
+			}
+
+			return nil
+		}
+		config.Patcher = patcher
+
+		if err := cmd.Patch(ctx, config); err != nil {
+			t.Fatalf("Unexpected patching error: %v", err)
+		}
+	})
+
+	t.Run("patches_both_webhooks_when_requested", func(t *testing.T) {
+		t.Parallel()
+
+		config := testPatchConfig()
+		config.PatchValidating = true
+		config.PatchMutating = true
+
+		patcher := testPatcher()
+		patcher.patchObjects = func(_ context.Context, options k8s.PatchOptions) error {
+			if options.ValidatingWebhookConfigurationName == "" {
+				t.Error("expected validating webhook to be patched")
+			}
+
+			if options.MutatingWebhookConfigurationName == "" {
+				t.Error("expected mutating webhook to be patched")
+			}
+
+			if options.APIServiceName != "" {
+				t.Error("expected APIService to not be patched")
+			}
+
+			return nil
+		}
+		config.Patcher = patcher
+
+		if err := cmd.Patch(ctx, config); err != nil {
+			t.Fatalf("Unexpected patching error: %v", err)
+		}
+	})
+
+	t.Run("use_empty_policy_when_ignore_is_requested", func(t *testing.T) {
+		t.Parallel()
+
+		config := testPatchConfig()
+		config.PatchFailurePolicy = "Ignore"
+
+		patcher := testPatcher()
+		patcher.patchObjects = func(_ context.Context, options k8s.PatchOptions) error {
+			if options.FailurePolicyType != "" {
+				return fmt.Errorf("expected policy to be nil. got: %q", options.FailurePolicyType)
+			}
+
+			return nil
+		}
+		config.Patcher = patcher
+
+		if err := cmd.Patch(ctx, config); err != nil {
+			t.Fatalf("Unexpected patching error: %v", err)
+		}
+	})
+
+	t.Run("use_fail_policy_when_fail_is_requested", func(t *testing.T) {
+		t.Parallel()
+
+		config := testPatchConfig()
+		config.PatchFailurePolicy = "Fail"
+
+		patcher := testPatcher()
+		patcher.patchObjects = func(_ context.Context, options k8s.PatchOptions) error {
+			if options.FailurePolicyType == "" || options.FailurePolicyType != "Fail" {
+				return fmt.Errorf("unexpected policy: %q", options.FailurePolicyType)
+			}
+
+			return nil
+		}
+		config.Patcher = patcher
+
+		if err := cmd.Patch(ctx, config); err != nil {
+			t.Fatalf("Unexpected patching error: %v", err)
+		}
+	})
+
+	t.Run("use_obtained_ca_certificate_for_patching", func(t *testing.T) {
+		t.Parallel()
+
+		expectedCA := []byte("foo")
+
+		config := testPatchConfig()
+
+		patcher := testPatcher()
+		patcher.patchObjects = func(_ context.Context, options k8s.PatchOptions) error {
+			if !reflect.DeepEqual(options.CABundle, expectedCA) {
+				return fmt.Errorf("unexpected CA, expected %q, got %q", string(expectedCA), string(options.CABundle))
+			}
+
+			return nil
+		}
+		patcher.getCaFromSecret = func(context.Context, string, string) []byte {
+			return expectedCA
+		}
+		config.Patcher = patcher
+
+		if err := cmd.Patch(ctx, config); err != nil {
+			t.Fatalf("Unexpected patching error: %v", err)
+		}
+	})
+
+	t.Run("returns_error_when", func(t *testing.T) {
+		t.Parallel()
+
+		for name, mutateF := range map[string]func(*cmd.PatchConfig){
+			"no_patcher_is_defined": func(c *cmd.PatchConfig) {
+				c.Patcher = nil
+			},
+			"no_webhooks_are_requested_for_patching": func(c *cmd.PatchConfig) {
+				c.PatchValidating = false
+				c.PatchMutating = false
+				c.APIServiceName = ""
+			},
+			"unsupported_patch_failure_policy_is_defined": func(c *cmd.PatchConfig) {
+				c.PatchFailurePolicy = "foo"
+			},
+			"ca_certificate_from_secret_is_empty": func(c *cmd.PatchConfig) {
+				patcher := testPatcher()
+				patcher.getCaFromSecret = func(_ context.Context, _, _ string) []byte {
+					return nil
+				}
+				c.Patcher = patcher
+			},
+		} {
+			mutateF := mutateF
+
+			t.Run(name, func(t *testing.T) {
+				t.Parallel()
+
+				config := testPatchConfig()
+				mutateF(config)
+
+				if err := cmd.Patch(ctx, config); err == nil {
+					t.Fatalf("Expected error while patching")
+				}
+			})
+		}
+	})
+}
+
+type patcher struct {
+	patchObjects    func(context.Context, k8s.PatchOptions) error
+	getCaFromSecret func(context.Context, string, string) []byte
+}
+
+func (p *patcher) PatchObjects(ctx context.Context, options k8s.PatchOptions) error {
+	return p.patchObjects(ctx, options)
+}
+
+func (p *patcher) GetCaFromSecret(ctx context.Context, secretName, namespace string) []byte {
+	return p.getCaFromSecret(ctx, secretName, namespace)
+}
+
+func testPatcher() *patcher {
+	return &patcher{
+		patchObjects: func(context.Context, k8s.PatchOptions) error {
+			return nil
+		},
+		getCaFromSecret: func(context.Context, string, string) []byte { return []byte{} },
+	}
+}
+
+func testPatchConfig() *cmd.PatchConfig {
+	return &cmd.PatchConfig{
+		PatchValidating: true,
+		WebhookName:     "foo",
+		Patcher:         testPatcher(),
+	}
+}
diff --git a/images/kube-webhook-certgen/rootfs/cmd/root.go b/images/kube-webhook-certgen/rootfs/cmd/root.go
index 03f87ac06..7db870d15 100644
--- a/images/kube-webhook-certgen/rootfs/cmd/root.go
+++ b/images/kube-webhook-certgen/rootfs/cmd/root.go
@@ -6,9 +6,9 @@ import (
 	"github.com/onrik/logrus/filename"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	admissionv1 "k8s.io/api/admissionregistration/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
 )
 
 var (
@@ -29,14 +29,13 @@ var (
 		certName           string
 		keyName            string
 		host               string
+		apiServiceName     string
 		webhookName        string
 		patchValidating    bool
 		patchMutating      bool
 		patchFailurePolicy string
 		kubeconfig         string
 	}{}
-
-	failurePolicy admissionv1.FailurePolicyType
 )
 
 // Execute is the main entry point for the program
@@ -84,7 +83,7 @@ func getFormatter(logfmt string) log.Formatter {
 	return nil
 }
 
-func newKubernetesClient(kubeconfig string) kubernetes.Interface {
+func newKubernetesClients(kubeconfig string) (kubernetes.Interface, clientset.Interface) {
 	config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
 	if err != nil {
 		log.WithError(err).Fatal("error building kubernetes config")
@@ -95,5 +94,10 @@ func newKubernetesClient(kubeconfig string) kubernetes.Interface {
 		log.WithError(err).Fatal("error creating kubernetes client")
 	}
 
-	return c
+	aggregatorClientset, err := clientset.NewForConfig(config)
+	if err != nil {
+		log.WithError(err).Fatal("error creating kubernetes aggregator client")
+	}
+
+	return c, aggregatorClientset
 }
diff --git a/images/kube-webhook-certgen/rootfs/go.mod b/images/kube-webhook-certgen/rootfs/go.mod
index 092a1aa82..edd26c0df 100644
--- a/images/kube-webhook-certgen/rootfs/go.mod
+++ b/images/kube-webhook-certgen/rootfs/go.mod
@@ -10,4 +10,5 @@ require (
 	k8s.io/api v0.22.0
 	k8s.io/apimachinery v0.22.0
 	k8s.io/client-go v0.22.0
+	k8s.io/kube-aggregator v0.22.0
 )
diff --git a/images/kube-webhook-certgen/rootfs/go.sum b/images/kube-webhook-certgen/rootfs/go.sum
index c7667b99a..c1592f68d 100644
--- a/images/kube-webhook-certgen/rootfs/go.sum
+++ b/images/kube-webhook-certgen/rootfs/go.sum
@@ -37,6 +37,8 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
+github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
+github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
 github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA=
 github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M=
@@ -47,16 +49,33 @@ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBp
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
+github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
+github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
+github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=
+github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
+github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
 github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
+github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
+github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
+github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
+github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
@@ -64,16 +83,29 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo=
+github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA=
+github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI=
+github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
+github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
+github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
+github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
+github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
@@ -84,25 +116,42 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7
 github.com/evanphx/json-patch v4.11.0+incompatible h1:glyUF9yIYtMHzn8xaKw5rMhdWcwsYV8dZHIq5567/xs=
 github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
+github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
+github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
+github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
 github.com/go-logr/logr v0.4.0 h1:K7/B1jt6fIBQVd4Owv2MqGQClcgf0R266+7C/QjRcLc=
 github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
 github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
+github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
+github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
+github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -176,6 +225,10 @@ github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97Dwqy
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
+github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
+github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y=
+github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
+github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
@@ -204,29 +257,46 @@ github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q=
 github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
+github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.11 h1:uVUAXhF2To8cbw/3xN3pxj6kk7TYKs98NIrTqPlMWAQ=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
+github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
+github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
+github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
+github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
 github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg=
 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
@@ -234,6 +304,7 @@ github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:F
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
+github.com/moby/term v0.0.0-20210610120745-9d4ed1856297/go.mod h1:vgPCkQMyxTZ7IDy8SXRufE172gr8+K/JE/7hHFxHW3A=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -241,11 +312,15 @@ github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lN
 github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
+github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/onrik/logrus v0.9.0 h1:oT7VstCUxWBoX7fswYK61fi9bzRBSpROq5CR2b7wxQo=
 github.com/onrik/logrus v0.9.0/go.mod h1:qfe9NeZVAJfIxviw3cYkZo3kvBtLoPRJriAO8zl7qTk=
 github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
@@ -257,9 +332,12 @@ github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGV
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1 h1:o0+MgICZLuZ7xjH7Vx6zS/zcu93/BEp1VwkIW1mEXCE=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
+github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
+github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
+github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -267,29 +345,64 @@ github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZ
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
+github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
+github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
+github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
+github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
+github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
+github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
+github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
+github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
+github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
+github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
+github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
+github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
+github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
+github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
+github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
+github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
+github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
+github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
+github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
+github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo=
 github.com/spf13/cobra v1.2.1 h1:+KmjbUw1hriSNMF55oPrkZcb27aECyrj8V2ytv7kWDw=
 github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk=
+github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
 github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
@@ -304,14 +417,23 @@ github.com/tidwall/match v1.0.3 h1:FQUVvBImDutD8wJLN6c5eMzWtjgONK9MwIBCOrUJKeE=
 github.com/tidwall/match v1.0.3/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
 github.com/tidwall/pretty v1.1.0 h1:K3hMW5epkdAVwibsQEfR/7Zj0Qgt4DxtNumTq/VloO8=
 github.com/tidwall/pretty v1.1.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
+github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
+go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
 go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
 go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
 go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ=
+go.etcd.io/etcd/client/v3 v3.5.0/go.mod h1:AIKXXVX/DQXtfTEqBryiLTUXwON+GuvO6Z7lLS/oTh0=
+go.etcd.io/etcd/pkg/v3 v3.5.0/go.mod h1:UzJGatBQ1lXChBkQF0AuAtkRQMYnHubxAEYIrC3MSsE=
+go.etcd.io/etcd/raft/v3 v3.5.0/go.mod h1:UFOHSIvO/nKwd4lhkwabrTD3cqW5yVyYYf/KlD00Szc=
+go.etcd.io/etcd/server/v3 v3.5.0/go.mod h1:3Ah5ruV+M+7RZr0+Y/5mNLwC+eQlni+mQmOVdCRJoS4=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
@@ -319,9 +441,26 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
+go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:2AboqHi0CiIZU0qwhtUfCYD1GeUzvvIXWNkhDt7ZMG4=
+go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo=
+go.opentelemetry.io/otel/exporters/otlp v0.20.0/go.mod h1:YIieizyaN77rtLJra0buKiNBOm9XQfkPEKBeuhoMwAM=
+go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU=
+go.opentelemetry.io/otel/oteltest v0.20.0/go.mod h1:L7bgKf9ZB7qCwT9Up7i9/pn0PWIa9FqQ2IQ8LoxiGnw=
+go.opentelemetry.io/otel/sdk v0.20.0/go.mod h1:g/IcepuwNsoiX5Byy2nNV0ySUF1em498m7hBWC279Yc=
+go.opentelemetry.io/otel/sdk/export/metric v0.20.0/go.mod h1:h7RBNMsDJ5pmI1zExLi+bJK+Dr8NQCh0qGhm1KDnNlE=
+go.opentelemetry.io/otel/sdk/metric v0.20.0/go.mod h1:knxiS8Xd4E/N+ZqKmUPf3gTTZ4/0TjTXukfxjzSTpHE=
+go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw=
+go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
+go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
+go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
+go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
+golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -370,7 +509,9 @@ golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -378,6 +519,7 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -400,6 +542,7 @@ golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81R
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -433,11 +576,15 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -450,6 +597,7 @@ golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -463,13 +611,18 @@ golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -478,6 +631,7 @@ golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22 h1:RqytpXGR1iVNX7psjB3ff8y7sNFinVFvkx1c8SjBkio=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
@@ -496,9 +650,12 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac h1:7zkz7BUtwNFFqcowJ+RIgu2MaV/MapERkDIy+mwPyjs=
 golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
@@ -510,10 +667,12 @@ golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBn
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -534,6 +693,7 @@ golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjs
 golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
 golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
 golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
@@ -605,6 +765,7 @@ google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfG
 google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
@@ -645,6 +806,7 @@ google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA5
 google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
+google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
 google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
@@ -659,6 +821,7 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -668,13 +831,19 @@ gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
+gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
+gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
@@ -683,6 +852,8 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
+gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -694,12 +865,19 @@ k8s.io/api v0.22.0 h1:elCpMZ9UE8dLdYxr55E06TmSeji9I3KH494qH70/y+c=
 k8s.io/api v0.22.0/go.mod h1:0AoXXqst47OI/L0oGKq9DG61dvGRPXs7X4/B7KyjBCU=
 k8s.io/apimachinery v0.22.0 h1:CqH/BdNAzZl+sr3tc0D3VsK3u6ARVSo3GWyLmfIjbP0=
 k8s.io/apimachinery v0.22.0/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0=
+k8s.io/apiserver v0.22.0/go.mod h1:04kaIEzIQrTGJ5syLppQWvpkLJXQtJECHmae+ZGc/nc=
 k8s.io/client-go v0.22.0 h1:sD6o9O6tCwUKCENw8v+HFsuAbq2jCu8cWC61/ydwA50=
 k8s.io/client-go v0.22.0/go.mod h1:GUjIuXR5PiEv/RVK5OODUsm6eZk7wtSWZSaSJbpFdGg=
+k8s.io/code-generator v0.22.0/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o=
+k8s.io/component-base v0.22.0/go.mod h1:SXj6Z+V6P6GsBhHZVbWCw9hFjUdUYnJerlhhPnYCBCg=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
+k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
+k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.9.0 h1:D7HV+n1V57XeZ0m6tdRkfknthUaM06VFbWldOFh8kzM=
 k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
+k8s.io/kube-aggregator v0.22.0 h1:he3plI8vlaPJxR9vsy/lL5ga1V8CoA8M8x1Bn8eTCeM=
+k8s.io/kube-aggregator v0.22.0/go.mod h1:zHTepg0Q4tKzru7Pwg1QYHWrU/wrvIXM8hUdDAH66qg=
 k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e h1:KLHHjkdQFomZy8+06csTWZ0m1343QqxZhR2LJ1OxCYM=
 k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw=
 k8s.io/utils v0.0.0-20210707171843-4b05e18ac7d9 h1:imL9YgXQ9p7xmPzHFm/vVd/cF78jad+n4wK1ABwYtMM=
@@ -707,6 +885,7 @@ k8s.io/utils v0.0.0-20210707171843-4b05e18ac7d9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/structured-merge-diff/v4 v4.1.2 h1:Hr/htKFmJEbtMgS/UD0N+gtgctAqz81t3nu+sPzynno=
 sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=
diff --git a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go
index 2d2000a8a..ccd8970c5 100644
--- a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go
+++ b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go
@@ -2,6 +2,7 @@ package k8s
 
 import (
 	"context"
+	"fmt"
 
 	log "github.com/sirupsen/logrus"
 	admissionv1 "k8s.io/api/admissionregistration/v1"
@@ -9,103 +10,214 @@ import (
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
 )
 
 type k8s struct {
-	clientset kubernetes.Interface
+	clientset           kubernetes.Interface
+	aggregatorClientset clientset.Interface
 }
 
-func New(clientset kubernetes.Interface) *k8s {
+func New(clientset kubernetes.Interface, aggregatorClientset clientset.Interface) *k8s {
 	if clientset == nil {
 		log.Fatal("no kubernetes client given")
 	}
 
-	return &k8s{
-		clientset: clientset,
+	if aggregatorClientset == nil {
+		log.Fatal("no kubernetes aggregator client given")
 	}
+
+	return &k8s{
+		clientset:           clientset,
+		aggregatorClientset: aggregatorClientset,
+	}
+}
+
+type PatchOptions struct {
+	ValidatingWebhookConfigurationName string
+	MutatingWebhookConfigurationName   string
+	APIServiceName                     string
+	CABundle                           []byte
+	FailurePolicyType                  admissionv1.FailurePolicyType
+}
+
+func (k8s *k8s) PatchObjects(ctx context.Context, options PatchOptions) error {
+	patchMutating := options.MutatingWebhookConfigurationName != ""
+	patchValidating := options.ValidatingWebhookConfigurationName != ""
+	patchAPIService := options.APIServiceName != ""
+
+	if !patchMutating && !patchValidating && options.FailurePolicyType != "" {
+		return fmt.Errorf("failurePolicy specified, but no webhook will be patched")
+	}
+
+	if options.MutatingWebhookConfigurationName != options.ValidatingWebhookConfigurationName {
+		return fmt.Errorf("webhook names must be the same")
+	}
+
+	if patchAPIService {
+		log.Infof("patching APIService %q", options.APIServiceName)
+
+		if err := k8s.patchAPIService(ctx, options.APIServiceName, options.CABundle); err != nil {
+			// Intentionally don't wrap error here to preserve old behavior and be able to log both
+			// original error and a message.
+			return err
+		}
+	}
+
+	if patchMutating || patchValidating {
+		return k8s.patchWebhookConfigurations(ctx, options.ValidatingWebhookConfigurationName, options.CABundle, options.FailurePolicyType, patchMutating, patchValidating)
+	}
+
+	return nil
+}
+
+func (k8s *k8s) patchAPIService(ctx context.Context, objectName string, ca []byte) error {
+	log.Infof("patching APIService %q", objectName)
+
+	c := k8s.aggregatorClientset.ApiregistrationV1().APIServices()
+
+	apiService, err := c.Get(ctx, objectName, metav1.GetOptions{})
+	if err != nil {
+		return &wrappedError{
+			err:     err,
+			message: fmt.Sprintf("failed getting APIService %q", objectName),
+		}
+	}
+
+	apiService.Spec.CABundle = ca
+	apiService.Spec.InsecureSkipTLSVerify = false
+
+	if _, err := c.Update(ctx, apiService, metav1.UpdateOptions{}); err != nil {
+		return &wrappedError{
+			err:     err,
+			message: fmt.Sprintf("failed patching APIService %q", objectName),
+		}
+	}
+
+	log.Debug("patched APIService")
+
+	return nil
 }
 
 // PatchWebhookConfigurations will patch validatingWebhook and mutatingWebhook clientConfig configurations with
 // the provided ca data. If failurePolicy is provided, patch all webhooks with this value
-func (k8s *k8s) PatchWebhookConfigurations(
+func (k8s *k8s) patchWebhookConfigurations(
+	ctx context.Context,
 	configurationName string,
 	ca []byte,
-	failurePolicy *admissionv1.FailurePolicyType,
+	failurePolicy admissionv1.FailurePolicyType,
 	patchMutating bool,
 	patchValidating bool,
-) {
-	log.Infof("patching webhook configurations '%s' mutating=%t, validating=%t, failurePolicy=%s", configurationName, patchMutating, patchValidating, *failurePolicy)
+) error {
+	log.Infof("patching webhook configurations '%s' mutating=%t, validating=%t, failurePolicy=%s", configurationName, patchMutating, patchValidating, failurePolicy)
 
 	if patchValidating {
-		k8s.patchValidating(configurationName, ca, failurePolicy)
+		if err := k8s.patchValidating(ctx, configurationName, ca, failurePolicy); err != nil {
+			// Intentionally don't wrap error here to preserve old behavior and be able to log both original error and a message.
+			return err
+		}
 	} else {
 		log.Debug("validating hook patching not required")
 	}
 
 	if patchMutating {
-		k8s.patchMutating(configurationName, ca, failurePolicy)
+		if err := k8s.patchMutating(ctx, configurationName, ca, failurePolicy); err != nil {
+			// Intentionally don't wrap error here to preserve old behavior and be able to log both original error and a message.
+			return err
+		}
 	} else {
 		log.Debug("mutating hook patching not required")
 	}
 
 	log.Info("Patched hook(s)")
+
+	return nil
 }
 
-func (k8s *k8s) patchValidating(configurationName string, ca []byte, failurePolicy *admissionv1.FailurePolicyType) {
+type wrappedError struct {
+	err     error
+	message string
+}
+
+func (err wrappedError) Error() string {
+	return err.message
+}
+
+func (err wrappedError) Unwrap() error {
+	return err.err
+}
+
+func (k8s *k8s) patchValidating(ctx context.Context, configurationName string, ca []byte, failurePolicy admissionv1.FailurePolicyType) error {
 	valHook, err := k8s.clientset.
 		AdmissionregistrationV1().
 		ValidatingWebhookConfigurations().
-		Get(context.TODO(), configurationName, metav1.GetOptions{})
+		Get(ctx, configurationName, metav1.GetOptions{})
 	if err != nil {
-		log.WithField("err", err).Fatal("failed getting validating webhook")
+		return &wrappedError{
+			err:     err,
+			message: "failed getting validating webhook",
+		}
 	}
 
 	for i := range valHook.Webhooks {
 		h := &valHook.Webhooks[i]
 		h.ClientConfig.CABundle = ca
-		if *failurePolicy != "" {
-			h.FailurePolicy = failurePolicy
+		if failurePolicy != "" {
+			h.FailurePolicy = &failurePolicy
 		}
 	}
 
 	if _, err = k8s.clientset.AdmissionregistrationV1().
 		ValidatingWebhookConfigurations().
-		Update(context.TODO(), valHook, metav1.UpdateOptions{}); err != nil {
-		log.WithField("err", err).Fatal("failed patching validating webhook")
+		Update(ctx, valHook, metav1.UpdateOptions{}); err != nil {
+		return &wrappedError{
+			err:     err,
+			message: "failed patching validating webhook",
+		}
 	}
 	log.Debug("patched validating hook")
+
+	return nil
 }
 
-func (k8s *k8s) patchMutating(configurationName string, ca []byte, failurePolicy *admissionv1.FailurePolicyType) {
+func (k8s *k8s) patchMutating(ctx context.Context, configurationName string, ca []byte, failurePolicy admissionv1.FailurePolicyType) error {
 	mutHook, err := k8s.clientset.
 		AdmissionregistrationV1().
 		MutatingWebhookConfigurations().
-		Get(context.TODO(), configurationName, metav1.GetOptions{})
+		Get(ctx, configurationName, metav1.GetOptions{})
 	if err != nil {
-		log.WithField("err", err).Fatal("failed getting mutating webhook")
+		return &wrappedError{
+			err:     err,
+			message: "failed getting mutating webhook",
+		}
 	}
 
 	for i := range mutHook.Webhooks {
 		h := &mutHook.Webhooks[i]
 		h.ClientConfig.CABundle = ca
-		if *failurePolicy != "" {
-			h.FailurePolicy = failurePolicy
+		if failurePolicy != "" {
+			h.FailurePolicy = &failurePolicy
 		}
 	}
 
 	if _, err = k8s.clientset.AdmissionregistrationV1().
 		MutatingWebhookConfigurations().
-		Update(context.TODO(), mutHook, metav1.UpdateOptions{}); err != nil {
-		log.WithField("err", err).Fatal("failed patching mutating webhook")
+		Update(ctx, mutHook, metav1.UpdateOptions{}); err != nil {
+		return &wrappedError{
+			err:     err,
+			message: "failed patching mutating webhook",
+		}
 	}
 	log.Debug("patched mutating hook")
+
+	return nil
 }
 
 // GetCaFromSecret will check for the presence of a secret. If it exists, will return the content of the
 // "ca" from the secret, otherwise will return nil
-func (k8s *k8s) GetCaFromSecret(secretName string, namespace string) []byte {
+func (k8s *k8s) GetCaFromSecret(ctx context.Context, secretName string, namespace string) []byte {
 	log.Debugf("getting secret '%s' in namespace '%s'", secretName, namespace)
-	secret, err := k8s.clientset.CoreV1().Secrets(namespace).Get(context.TODO(), secretName, metav1.GetOptions{})
+	secret, err := k8s.clientset.CoreV1().Secrets(namespace).Get(ctx, secretName, metav1.GetOptions{})
 	if err != nil {
 		if k8serrors.IsNotFound(err) {
 			log.WithField("err", err).Info("no secret found")
@@ -123,7 +235,7 @@ func (k8s *k8s) GetCaFromSecret(secretName string, namespace string) []byte {
 }
 
 // SaveCertsToSecret saves the provided ca, cert and key into a secret in the specified namespace.
-func (k8s *k8s) SaveCertsToSecret(secretName, namespace, certName, keyName string, ca, cert, key []byte) {
+func (k8s *k8s) SaveCertsToSecret(ctx context.Context, secretName, namespace, certName, keyName string, ca, cert, key []byte) {
 	log.Debugf("saving to secret '%s' in namespace '%s'", secretName, namespace)
 	secret := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
@@ -133,7 +245,7 @@ func (k8s *k8s) SaveCertsToSecret(secretName, namespace, certName, keyName strin
 	}
 
 	log.Debug("saving secret")
-	_, err := k8s.clientset.CoreV1().Secrets(namespace).Create(context.TODO(), secret, metav1.CreateOptions{})
+	_, err := k8s.clientset.CoreV1().Secrets(namespace).Create(ctx, secret, metav1.CreateOptions{})
 	if err != nil {
 		log.WithField("err", err).Fatal("failed creating secret")
 	}
diff --git a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go
index 1a7444613..0cddcb99e 100644
--- a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go
+++ b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go
@@ -3,6 +3,7 @@ package k8s
 import (
 	"bytes"
 	"context"
+	"errors"
 	"math/rand"
 	"testing"
 
@@ -52,7 +53,7 @@ func TestGetCaFromCertificate(t *testing.T) {
 
 	k.clientset.CoreV1().Secrets(testNamespace).Create(context.Background(), secret, metav1.CreateOptions{})
 
-	retrievedCa := k.GetCaFromSecret(testSecretName, testNamespace)
+	retrievedCa := k.GetCaFromSecret(context.TODO(), testSecretName, testNamespace)
 	if !bytes.Equal(retrievedCa, ca) {
 		t.Error("Was not able to retrieve CA information that was saved")
 	}
@@ -63,7 +64,7 @@ func TestSaveCertsToSecret(t *testing.T) {
 
 	ca, cert, key := genSecretData()
 
-	k.SaveCertsToSecret(testSecretName, testNamespace, "cert", "key", ca, cert, key)
+	k.SaveCertsToSecret(context.TODO(), testSecretName, testNamespace, "cert", "key", ca, cert, key)
 
 	secret, _ := k.clientset.CoreV1().Secrets(testNamespace).Get(context.Background(), testSecretName, metav1.GetOptions{})
 
@@ -79,8 +80,9 @@ func TestSaveCertsToSecret(t *testing.T) {
 func TestSaveThenLoadSecret(t *testing.T) {
 	k := newTestSimpleK8s()
 	ca, cert, key := genSecretData()
-	k.SaveCertsToSecret(testSecretName, testNamespace, "cert", "key", ca, cert, key)
-	retrievedCert := k.GetCaFromSecret(testSecretName, testNamespace)
+	ctx := context.TODO()
+	k.SaveCertsToSecret(ctx, testSecretName, testNamespace, "cert", "key", ca, cert, key)
+	retrievedCert := k.GetCaFromSecret(ctx, testSecretName, testNamespace)
 	if !bytes.Equal(retrievedCert, ca) {
 		t.Error("Was not able to retrieve CA information that was saved")
 	}
@@ -113,7 +115,9 @@ func TestPatchWebhookConfigurations(t *testing.T) {
 			Webhooks: []admissionv1.ValidatingWebhook{{Name: "v1"}, {Name: "v2"}},
 		}, metav1.CreateOptions{})
 
-	k.PatchWebhookConfigurations(testWebhookName, ca, &fail, true, true)
+	if err := k.patchWebhookConfigurations(context.TODO(), testWebhookName, ca, fail, true, true); err != nil {
+		t.Fatalf("Unexpected error patching webhooks: %s: %v", err.Error(), errors.Unwrap(err))
+	}
 
 	whmut, err := k.clientset.
 		AdmissionregistrationV1().
@@ -156,3 +160,41 @@ func TestPatchWebhookConfigurations(t *testing.T) {
 		t.Errorf("Expected second validating webhook failure policy to be set to %s", fail)
 	}
 }
+
+func Test_Patching_objects(t *testing.T) {
+	t.Parallel()
+
+	t.Run("returns_error_when", func(t *testing.T) {
+		t.Parallel()
+
+		t.Run("failure_policy_is_defined_but_no_webhooks_will_be_patched", func(t *testing.T) {
+			t.Parallel()
+		})
+
+		// This is to preserve old behavior and log format, it could be improved.
+		t.Run("diffent_names_are_specified_for_validating_and_mutating_webhook", func(t *testing.T) {
+			t.Parallel()
+		})
+
+		t.Run("patching_APIService_is_requested_and_it_does_not_exist", func(t *testing.T) {
+			t.Parallel()
+		})
+
+		t.Run("patching_webhook_is_requested_and_it_does_not_exist", func(t *testing.T) {
+			t.Parallel()
+		})
+	})
+
+	t.Run("when_patching_APIService_object", func(t *testing.T) {
+		t.Parallel()
+
+		// This is required when CABundle field is populated.
+		t.Run("sets_insecure_skip_tls_verity_to_false", func(t *testing.T) {
+			t.Parallel()
+		})
+
+		t.Run("sets_ca_bundle_with_ca_certificate_from_created_secret", func(t *testing.T) {
+			t.Parallel()
+		})
+	})
+}

From 15385c6d566161c2380b555a58211d207087cdec Mon Sep 17 00:00:00 2001
From: Austin Wise <AustinWise@gmail.com>
Date: Sun, 26 Sep 2021 10:48:22 -0700
Subject: [PATCH 135/376] Tweak documentation formating about deprecated
 `apiVersion` values. (#7663)

* Tweak documentation formating about deprecated `apiVersion` values.

* retweak after rebase
---
 docs/index.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/docs/index.md b/docs/index.md
index 2ad14162d..fe9f4c9d8 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -63,11 +63,12 @@ FIELDS:
 
 There are 2 reasons primarily.
 
-(Reason #1) Until K8s version 1.21, it was possible to create a ingress resource, with the "apiVersion:" field set to a value like ;
+(Reason #1) Until K8s version 1.21, it was possible to create a ingress resource, with the "apiVersion:" field set to a value like:
+
   - extensions/v1beta1
   - networking.k8s.io/v1beta1
 
-    (You would get a message about deprecation but the ingress resource would get created.)
+You would get a message about deprecation but the ingress resource would get created.
 
 From K8s version 1.22 onwards, you can ONLY set the "apiVersion:" field of a ingress resource, to the value "networking.k8s.io/v1". The reason is [official blog on deprecated ingress api versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/).
 

From ddbb0be0a06e09d45735a2f3e1e8ee2e8946d0cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9opold=20Jacquot?= <leopold.jacquot@gmail.com>
Date: Sun, 26 Sep 2021 19:54:22 +0200
Subject: [PATCH 136/376] add canary backend name for requests metrics (#7696)

---
 internal/ingress/metric/collectors/socket.go  |   9 +-
 .../ingress/metric/collectors/socket_test.go  | 176 +++++++++++-------
 rootfs/etc/nginx/lua/monitor.lua              |   1 +
 rootfs/etc/nginx/lua/test/monitor_test.lua    |   3 +
 4 files changed, 124 insertions(+), 65 deletions(-)

diff --git a/internal/ingress/metric/collectors/socket.go b/internal/ingress/metric/collectors/socket.go
index 0f23e2cfb..8fec7dded 100644
--- a/internal/ingress/metric/collectors/socket.go
+++ b/internal/ingress/metric/collectors/socket.go
@@ -52,6 +52,7 @@ type socketData struct {
 	Namespace string `json:"namespace"`
 	Ingress   string `json:"ingress"`
 	Service   string `json:"service"`
+	Canary    string `json:"canary"`
 	Path      string `json:"path"`
 }
 
@@ -90,6 +91,7 @@ var (
 		"namespace",
 		"ingress",
 		"service",
+		"canary",
 	}
 )
 
@@ -176,7 +178,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost bool) (*Soc
 				Namespace:   PrometheusNamespace,
 				ConstLabels: constLabels,
 			},
-			[]string{"ingress", "namespace", "status", "service"},
+			[]string{"ingress", "namespace", "status", "service", "canary"},
 		),
 
 		bytesSent: prometheus.NewHistogramVec(
@@ -198,7 +200,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost bool) (*Soc
 				ConstLabels: constLabels,
 				Objectives:  defObjectives,
 			},
-			[]string{"ingress", "namespace", "service"},
+			[]string{"ingress", "namespace", "service", "canary"},
 		),
 	}
 
@@ -242,6 +244,7 @@ func (sc *SocketCollector) handleMessage(msg []byte) {
 			"namespace": stats.Namespace,
 			"ingress":   stats.Ingress,
 			"service":   stats.Service,
+			"canary":    stats.Canary,
 		}
 		if sc.metricsPerHost {
 			requestLabels["host"] = stats.Host
@@ -252,12 +255,14 @@ func (sc *SocketCollector) handleMessage(msg []byte) {
 			"ingress":   stats.Ingress,
 			"status":    stats.Status,
 			"service":   stats.Service,
+			"canary":    stats.Canary,
 		}
 
 		latencyLabels := prometheus.Labels{
 			"namespace": stats.Namespace,
 			"ingress":   stats.Ingress,
 			"service":   stats.Service,
+			"canary":    stats.Canary,
 		}
 
 		requestsMetric, err := sc.requests.GetMetricWith(collectorLabels)
diff --git a/internal/ingress/metric/collectors/socket_test.go b/internal/ingress/metric/collectors/socket_test.go
index b9b3c6848..6ab972f58 100644
--- a/internal/ingress/metric/collectors/socket_test.go
+++ b/internal/ingress/metric/collectors/socket_test.go
@@ -92,7 +92,8 @@ func TestCollector(t *testing.T) {
 				"upstreamStatus":"220",
 				"namespace":"test-app-production",
 				"ingress":"web-yml",
-				"service":"test-app"
+				"service":"test-app",
+				"canary":""
 			}`},
 			metrics: []string{"nginx_ingress_controller_response_duration_seconds"},
 			wantBefore: `
@@ -115,26 +116,70 @@ func TestCollector(t *testing.T) {
 				"upstreamStatus":"220",
 				"namespace":"test-app-production",
 				"ingress":"web-yml",
-				"service":"test-app"
+				"service":"test-app",
+				"canary":""
 			}]`},
 			metrics: []string{"nginx_ingress_controller_response_duration_seconds"},
 			wantBefore: `
 				# HELP nginx_ingress_controller_response_duration_seconds The time spent on receiving the response from the upstream server
 				# TYPE nginx_ingress_controller_response_duration_seconds histogram
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.005"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.01"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.025"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.05"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.1"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.25"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.5"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="1"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="2.5"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="5"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="10"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="+Inf"} 1
-				nginx_ingress_controller_response_duration_seconds_sum{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200"} 200
-				nginx_ingress_controller_response_duration_seconds_count{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200"} 1
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.005"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.01"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.025"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.05"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.1"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.25"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.5"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="1"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="2.5"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="5"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="10"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="+Inf"} 1
+				nginx_ingress_controller_response_duration_seconds_sum{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200"} 200
+				nginx_ingress_controller_response_duration_seconds_count{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200"} 1
+			`,
+			removeIngresses: []string{"test-app-production/web-yml"},
+			wantAfter: `
+			`,
+		},
+
+		{
+			name: "valid metric object with canary information should update prometheus metrics",
+			data: []string{`[{
+				"host":"testshop.com",
+				"status":"200",
+				"bytesSent":150.0,
+				"method":"GET",
+				"path":"/admin",
+				"requestLength":300.0,
+				"requestTime":60.0,
+				"upstreamName":"test-upstream",
+				"upstreamIP":"1.1.1.1:8080",
+				"upstreamResponseTime":200,
+				"upstreamStatus":"220",
+				"namespace":"test-app-production",
+				"ingress":"web-yml",
+				"service":"test-app",
+				"canary":"test-app-production-test-app-canary-80"
+			}]`},
+			metrics: []string{"nginx_ingress_controller_response_duration_seconds"},
+			wantBefore: `
+				# HELP nginx_ingress_controller_response_duration_seconds The time spent on receiving the response from the upstream server
+				# TYPE nginx_ingress_controller_response_duration_seconds histogram
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="test-app-production-test-app-canary-80",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.005"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="test-app-production-test-app-canary-80",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.01"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="test-app-production-test-app-canary-80",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.025"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="test-app-production-test-app-canary-80",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.05"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="test-app-production-test-app-canary-80",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.1"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="test-app-production-test-app-canary-80",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.25"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="test-app-production-test-app-canary-80",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.5"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="test-app-production-test-app-canary-80",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="1"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="test-app-production-test-app-canary-80",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="2.5"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="test-app-production-test-app-canary-80",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="5"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="test-app-production-test-app-canary-80",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="10"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="test-app-production-test-app-canary-80",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="+Inf"} 1
+				nginx_ingress_controller_response_duration_seconds_sum{canary="test-app-production-test-app-canary-80",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200"} 200
+				nginx_ingress_controller_response_duration_seconds_count{canary="test-app-production-test-app-canary-80",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200"} 1
 			`,
 			removeIngresses: []string{"test-app-production/web-yml"},
 			wantAfter: `
@@ -157,7 +202,8 @@ func TestCollector(t *testing.T) {
 				"upstreamStatus":"220",
 				"namespace":"test-app-production",
 				"ingress":"web-yml",
-				"service":"test-app"
+				"service":"test-app",
+				"canary":""
 			}]`, `[{
 				"host":"testshop.com",
 				"status":"200",
@@ -172,7 +218,8 @@ func TestCollector(t *testing.T) {
 				"upstreamStatus":"220",
 				"namespace":"test-app-qa",
 				"ingress":"web-yml-qa",
-				"service":"test-app-qa"
+				"service":"test-app-qa",
+				"canary":""
 			}]`, `[{
 				"host":"testshop.com",
 				"status":"200",
@@ -187,40 +234,41 @@ func TestCollector(t *testing.T) {
 				"upstreamStatus":"220",
 				"namespace":"test-app-qa",
 				"ingress":"web-yml-qa",
-				"service":"test-app-qa"
+				"service":"test-app-qa",
+				"canary":""
 			}]`},
 			metrics: []string{"nginx_ingress_controller_response_duration_seconds"},
 			wantBefore: `
 				# HELP nginx_ingress_controller_response_duration_seconds The time spent on receiving the response from the upstream server
 				# TYPE nginx_ingress_controller_response_duration_seconds histogram
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.005"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.01"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.025"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.05"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.1"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.25"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.5"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="1"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="2.5"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="5"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="10"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="+Inf"} 1
-				nginx_ingress_controller_response_duration_seconds_sum{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200"} 200
-				nginx_ingress_controller_response_duration_seconds_count{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200"} 1
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="0.005"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="0.01"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="0.025"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="0.05"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="0.1"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="0.25"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="0.5"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="1"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="2.5"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="5"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="10"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="+Inf"} 2
-				nginx_ingress_controller_response_duration_seconds_sum{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200"} 400
-				nginx_ingress_controller_response_duration_seconds_count{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200"} 2			
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.005"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.01"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.025"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.05"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.1"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.25"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.5"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="1"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="2.5"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="5"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="10"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="+Inf"} 1
+				nginx_ingress_controller_response_duration_seconds_sum{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200"} 200
+				nginx_ingress_controller_response_duration_seconds_count{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200"} 1
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="0.005"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="0.01"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="0.025"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="0.05"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="0.1"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="0.25"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="0.5"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="1"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="2.5"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="5"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="10"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200",le="+Inf"} 2
+				nginx_ingress_controller_response_duration_seconds_sum{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200"} 400
+				nginx_ingress_controller_response_duration_seconds_count{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml-qa",method="GET",namespace="test-app-qa",path="/admin",service="test-app-qa",status="200"} 2			
 			`,
 		},
 
@@ -241,7 +289,8 @@ func TestCollector(t *testing.T) {
 				"upstreamStatus":"220",
 				"namespace":"test-app-production",
 				"ingress":"web-yml",
-				"service":"test-app"
+				"service":"test-app",
+				"canary":""
 			},
 			{
 				"host":"testshop.com",
@@ -257,26 +306,27 @@ func TestCollector(t *testing.T) {
 				"upstreamStatus":"220",
 				"namespace":"test-app-production",
 				"ingress":"web-yml",
-				"service":"test-app"
+				"service":"test-app",
+				"canary":""
 			}]`},
 			metrics: []string{"nginx_ingress_controller_response_duration_seconds"},
 			wantBefore: `
 				# HELP nginx_ingress_controller_response_duration_seconds The time spent on receiving the response from the upstream server
 				# TYPE nginx_ingress_controller_response_duration_seconds histogram
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.005"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.01"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.025"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.05"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.1"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.25"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.5"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="1"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="2.5"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="5"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="10"} 0
-				nginx_ingress_controller_response_duration_seconds_bucket{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="+Inf"} 2
-				nginx_ingress_controller_response_duration_seconds_sum{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200"} 300
-				nginx_ingress_controller_response_duration_seconds_count{controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200"} 2
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.005"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.01"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.025"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.05"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.1"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.25"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="0.5"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="1"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="2.5"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="5"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="10"} 0
+				nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200",le="+Inf"} 2
+				nginx_ingress_controller_response_duration_seconds_sum{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200"} 300
+				nginx_ingress_controller_response_duration_seconds_count{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200"} 2
 			`,
 			removeIngresses: []string{"test-app-production/web-yml"},
 			wantAfter: `
diff --git a/rootfs/etc/nginx/lua/monitor.lua b/rootfs/etc/nginx/lua/monitor.lua
index 3e7d6b34c..be7a173ee 100644
--- a/rootfs/etc/nginx/lua/monitor.lua
+++ b/rootfs/etc/nginx/lua/monitor.lua
@@ -37,6 +37,7 @@ local function metrics()
     namespace = ngx.var.namespace or "-",
     ingress = ngx.var.ingress_name or "-",
     service = ngx.var.service_name or "-",
+    canary = ngx.var.proxy_alternative_upstream_name or "-",
     path = ngx.var.location_path or "-",
 
     method = ngx.var.request_method or "-",
diff --git a/rootfs/etc/nginx/lua/test/monitor_test.lua b/rootfs/etc/nginx/lua/test/monitor_test.lua
index 78efed939..2762a980d 100644
--- a/rootfs/etc/nginx/lua/test/monitor_test.lua
+++ b/rootfs/etc/nginx/lua/test/monitor_test.lua
@@ -82,6 +82,7 @@ describe("Monitor", function()
         namespace = "default",
         ingress_name = "example",
         service_name = "http-svc",
+        proxy_alternative_upstream_name = "default-http-svc-canary-80",
         location_path = "/",
 
         request_method = "GET",
@@ -114,6 +115,7 @@ describe("Monitor", function()
           namespace = "default",
           ingress = "example",
           service = "http-svc",
+          canary = "default-http-svc-canary-80",
           path = "/",
 
           method = "GET",
@@ -131,6 +133,7 @@ describe("Monitor", function()
           namespace = "default",
           ingress = "example",
           service = "http-svc",
+          canary = "default-http-svc-canary-80",
           path = "/",
 
           method = "POST",

From c6566a558c4bcfa6c35d0a2ac4975921b44e195b Mon Sep 17 00:00:00 2001
From: Fredrik Enestad <fredrik@enestad.com>
Date: Sun, 26 Sep 2021 20:02:22 +0200
Subject: [PATCH 137/376] add a metric with build info (#7660)

---
 .../ingress/metric/collectors/controller.go   | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/internal/ingress/metric/collectors/controller.go b/internal/ingress/metric/collectors/controller.go
index af746b4ba..135e74b9b 100644
--- a/internal/ingress/metric/collectors/controller.go
+++ b/internal/ingress/metric/collectors/controller.go
@@ -23,6 +23,7 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/ingress-nginx/internal/ingress"
+	"k8s.io/ingress-nginx/version"
 	"k8s.io/klog/v2"
 )
 
@@ -50,6 +51,8 @@ type Controller struct {
 	labels      prometheus.Labels
 
 	leaderElection *prometheus.GaugeVec
+
+	buildInfo prometheus.Collector
 }
 
 // NewController creates a new prometheus collector for the
@@ -69,6 +72,23 @@ func NewController(pod, namespace, class string) *Controller {
 			"class":     class,
 		},
 
+		buildInfo: prometheus.NewGaugeFunc(
+			prometheus.GaugeOpts{
+				Namespace: PrometheusNamespace,
+				Name:      "build_info",
+				Help:      "A metric with a constant '1' labeled with information about the build.",
+				ConstLabels: prometheus.Labels{
+					"controller_namespace": namespace,
+					"controller_class":     class,
+					"controller_pod":       pod,
+					"release":              version.RELEASE,
+					"build":                version.COMMIT,
+					"repository":           version.REPO,
+				},
+			},
+			func() float64 { return 1 },
+		),
+
 		configHash: prometheus.NewGauge(
 			prometheus.GaugeOpts{
 				Namespace:   PrometheusNamespace,
@@ -210,6 +230,7 @@ func (cm Controller) Describe(ch chan<- *prometheus.Desc) {
 	cm.checkIngressOperationErrors.Describe(ch)
 	cm.sslExpireTime.Describe(ch)
 	cm.leaderElection.Describe(ch)
+	cm.buildInfo.Describe(ch)
 }
 
 // Collect implements the prometheus.Collector interface.
@@ -223,6 +244,7 @@ func (cm Controller) Collect(ch chan<- prometheus.Metric) {
 	cm.checkIngressOperationErrors.Collect(ch)
 	cm.sslExpireTime.Collect(ch)
 	cm.leaderElection.Collect(ch)
+	cm.buildInfo.Collect(ch)
 }
 
 // SetSSLExpireTime sets the expiration time of SSL Certificates

From 6885ab228193cb7d0de0f9fde36291927afe4ba6 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Sun, 26 Sep 2021 20:24:23 -0300
Subject: [PATCH 138/376] Update base nginx image to the corrected version
 (#7705)

---
 Makefile                         | 2 +-
 images/echo/Makefile             | 2 +-
 images/nginx/README.md           | 2 +-
 images/nginx/rc.yaml             | 2 +-
 images/test-runner/Makefile      | 2 +-
 test/e2e/framework/deployment.go | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/Makefile b/Makefile
index 59bd3c7fe..ad2c8340d 100644
--- a/Makefile
+++ b/Makefile
@@ -51,7 +51,7 @@ endif
 
 REGISTRY ?= gcr.io/k8s-staging-ingress-nginx
 
-BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210915-g498892514@sha256:8c1e48123e64e3f2b90ed32a53babd9b5f5431dad26beecdcb8fc185ded3b6dd
+BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210926-g5662db450@sha256:1ef404b5e8741fe49605a1f40c3fdd8ef657aecdb9526ea979d1672eeabd0cd9
 
 GOARCH=$(ARCH)
 
diff --git a/images/echo/Makefile b/images/echo/Makefile
index f87aa1c76..7a93aec25 100644
--- a/images/echo/Makefile
+++ b/images/echo/Makefile
@@ -36,7 +36,7 @@ build: ensure-buildx
 		--platform=${PLATFORMS} $(OUTPUT) \
 		--progress=$(PROGRESS) \
 		--pull \
-		--build-arg BASE_IMAGE=k8s.gcr.io/ingress-nginx/nginx:v20210915-g498892514@sha256:8c1e48123e64e3f2b90ed32a53babd9b5f5431dad26beecdcb8fc185ded3b6dd \
+		--build-arg BASE_IMAGE=k8s.gcr.io/ingress-nginx/nginx:v20210926-g5662db450@sha256:1ef404b5e8741fe49605a1f40c3fdd8ef657aecdb9526ea979d1672eeabd0cd9 \
 		--build-arg LUAROCKS_VERSION=3.3.1 \
 		--build-arg LUAROCKS_SHA=837481e408f7c06b59befe7ec194537c657687d624894bca7f79034302141a34 \
 		-t $(IMAGE):$(TAG) rootfs
diff --git a/images/nginx/README.md b/images/nginx/README.md
index 947e97db9..9e6321938 100644
--- a/images/nginx/README.md
+++ b/images/nginx/README.md
@@ -18,6 +18,6 @@ This image provides a default configuration file with no backend servers.
 _Using docker_
 
 ```console
-docker run -v /some/nginx.con:/etc/nginx/nginx.conf:ro k8s.gcr.io/ingress-nginx/nginx:v20210915-g498892514@sha256:8c1e48123e64e3f2b90ed32a53babd9b5f5431dad26beecdcb8fc185ded3b6dd
+docker run -v /some/nginx.conf:/etc/nginx/nginx.conf:ro k8s.gcr.io/ingress-nginx/nginx:v20210926-g5662db450@sha256:1ef404b5e8741fe49605a1f40c3fdd8ef657aecdb9526ea979d1672eeabd0cd9
 ```
 
diff --git a/images/nginx/rc.yaml b/images/nginx/rc.yaml
index e8cef4e35..043d7bfe4 100644
--- a/images/nginx/rc.yaml
+++ b/images/nginx/rc.yaml
@@ -38,7 +38,7 @@ spec:
     spec:
       containers:
         - name: nginx
-          image: k8s.gcr.io/ingress-nginx/nginx:v20210915-g498892514@sha256:8c1e48123e64e3f2b90ed32a53babd9b5f5431dad26beecdcb8fc185ded3b6dd
+          image: k8s.gcr.io/ingress-nginx/nginx:v20210926-g5662db450@sha256:1ef404b5e8741fe49605a1f40c3fdd8ef657aecdb9526ea979d1672eeabd0cd9
           ports:
             - containerPort: 80
             - containerPort: 443
diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile
index 12bb7429b..664782a09 100644
--- a/images/test-runner/Makefile
+++ b/images/test-runner/Makefile
@@ -23,7 +23,7 @@ REGISTRY ?= local
 
 IMAGE = $(REGISTRY)/e2e-test-runner
 
-NGINX_BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210915-g498892514@sha256:8c1e48123e64e3f2b90ed32a53babd9b5f5431dad26beecdcb8fc185ded3b6dd
+NGINX_BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210926-g5662db450@sha256:1ef404b5e8741fe49605a1f40c3fdd8ef657aecdb9526ea979d1672eeabd0cd9
 
 # required to enable buildx
 export DOCKER_CLI_EXPERIMENTAL=enabled
diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go
index 4f01fab9e..444045036 100644
--- a/test/e2e/framework/deployment.go
+++ b/test/e2e/framework/deployment.go
@@ -38,7 +38,7 @@ const SlowEchoService = "slow-echo"
 const HTTPBinService = "httpbin"
 
 // NginxBaseImage use for testing
-const NginxBaseImage = "k8s.gcr.io/ingress-nginx/nginx:v20210915-g498892514@sha256:8c1e48123e64e3f2b90ed32a53babd9b5f5431dad26beecdcb8fc185ded3b6dd"
+const NginxBaseImage = "k8s.gcr.io/ingress-nginx/nginx:v20210926-g5662db450@sha256:1ef404b5e8741fe49605a1f40c3fdd8ef657aecdb9526ea979d1672eeabd0cd9"
 
 // NewEchoDeployment creates a new single replica deployment of the echoserver image in a particular namespace
 func (f *Framework) NewEchoDeployment() {

From 2b8ed4511af75a7c41e52726b0644d600fc7961b Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Sun, 26 Sep 2021 21:50:23 -0300
Subject: [PATCH 139/376] Tag release v1.0.2 (#7707)

---
 TAG | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/TAG b/TAG
index b18d46540..570c79651 100644
--- a/TAG
+++ b/TAG
@@ -1 +1 @@
-v1.0.1
+v1.0.2

From 3eb5ec28fe64017761c56c60dde937ae6a699995 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Mon, 27 Sep 2021 00:25:27 -0300
Subject: [PATCH 140/376] Release v1.0.2 (#7709)

* Release v1.0.2

* Apply suggestions from code review

Co-authored-by: Jintao Zhang <tao12345666333@163.com>

* Fix changelog

Co-authored-by: Jintao Zhang <tao12345666333@163.com>
---
 Changelog.md                                  | 26 ++++++
 README.md                                     |  2 +
 charts/ingress-nginx/CHANGELOG.md             |  5 ++
 charts/ingress-nginx/Chart.yaml               |  9 +-
 charts/ingress-nginx/values.yaml              |  4 +-
 .../provider/aws/deploy-tls-termination.yaml  | 82 +++++++++---------
 deploy/static/provider/aws/deploy.yaml        | 83 +++++++++---------
 deploy/static/provider/baremetal/deploy.yaml  | 83 +++++++++---------
 deploy/static/provider/cloud/deploy.yaml      | 83 +++++++++---------
 deploy/static/provider/do/deploy.yaml         | 83 +++++++++---------
 deploy/static/provider/exoscale/deploy.yaml   | 83 +++++++++---------
 deploy/static/provider/kind/deploy.yaml       | 84 +++++++++----------
 deploy/static/provider/scw/deploy.yaml        | 83 +++++++++---------
 docs/deploy/index.md                          | 20 ++---
 stable.txt                                    |  2 +-
 15 files changed, 386 insertions(+), 346 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index 71cdb42cd..be586a65b 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,21 @@
 # Changelog
 
+### 1.0.2
+
+**Image:**
+- k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
+
+**Known Issues**
+* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.3, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578). 
+
+_New Features:_
+
+_Changes:_
+
+- [X] [#7706](https://github.com/kubernetes/ingress-nginx/pull/7706) Add build info on prometheus metrics
+- [X] [#7702](https://github.com/kubernetes/ingress-nginx/pull/7702) Upgrade lua-resty-balancer to v0.04
+- [X] [#7696](https://github.com/kubernetes/ingress-nginx/pull/7696) Add canary backend name for requests metrics
+
 ### 1.0.1
 
 **Image:**
@@ -115,6 +131,16 @@ Changes:
 - [X] [#6940](https://github.com/kubernetes/ingress-nginx/pull/6940) Fix definition order of modsecurity directives 
 - [X] [#7156] Drops support for Ingress Object v1beta1
 
+### 0.49.2
+
+**Image:**
+
+- `k8s.gcr.io/ingress-nginx/controller:v0.49.2@sha256:84e351228337bb7b09f0e90e6b6f5e2f8f4cf7d618c1ddc1e966f23902d273db`
+
+_Changes:_
+
+- [x] [#7702](https://github.com/kubernetes/ingress-nginx/pull/#7702) upgrade lua-resty-balancer to v0.04
+
 ### 0.49.1
 
 **Image:**
diff --git a/README.md b/README.md
index 969bfd6b0..2567e7d54 100644
--- a/README.md
+++ b/README.md
@@ -30,8 +30,10 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 
 | Ingress-nginx version | k8s supported version  | Alpine Version | Nginx Version |
 |-----------------------|-------------           |----------------|---------------|
+| v1.0.2                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9       |
 | v1.0.1                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9       |
 | v1.0.0                | 1.22, 1.21, 1.20, 1.19 | 3.13.5         |  1.20.1       |
+| v0.49.2               | 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9       |
 | v0.49.1               | 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9       |
 | v0.49.0               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
 | v0.48.1               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md
index 431a56225..fd649cc32 100644
--- a/charts/ingress-nginx/CHANGELOG.md
+++ b/charts/ingress-nginx/CHANGELOG.md
@@ -2,6 +2,11 @@
 
 This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
 
+### 4.0.3
+
+- [7707] https://github.com/kubernetes/ingress-nginx/pull/7707 Release v1.0.2 of ingress-nginx
+
+
 ### 4.0.2 
 
 - [7681] https://github.com/kubernetes/ingress-nginx/pull/7681 Release v1.0.1 of ingress-nginx
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index b9f795878..95e64f6cb 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.0.2
-appVersion: 1.0.1
+version: 4.0.3
+appVersion: 1.0.2
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
@@ -24,5 +24,6 @@ annotations:
   # List of changes for the release in artifacthub.io
   # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog
   artifacthub.io/changes: |
-    - Downgrade NGINX to v1.19.9
-    - Update Base Image to alpine 3.14.2
+    - Upgrade lua-resty-balancer to v0.0.4 to stop coredumps
+    - Add canary backend name in metrics
+    - Add build info in metrics
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 8cf1ee8b4..602b7f563 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -15,8 +15,8 @@ controller:
     # for backwards compatibility consider setting the full image url via the repository value below
     # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     # repository:
-    tag: "v1.0.1"
-    digest: sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e
+    tag: "v1.0.2"
+    digest: sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
     pullPolicy: IfNotPresent
     # www-data -> uid 101
     runAsUser: 101
diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml
index 33f1f9d76..ca4cf535e 100644
--- a/deploy/static/provider/aws/deploy-tls-termination.yaml
+++ b/deploy/static/provider/aws/deploy-tls-termination.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -50,10 +50,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -117,10 +117,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -137,10 +137,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -221,10 +221,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -243,10 +243,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -275,10 +275,10 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
     service.beta.kubernetes.io/aws-load-balancer-type: elb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -307,10 +307,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -333,7 +333,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -425,10 +425,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -443,10 +443,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -483,10 +483,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -499,10 +499,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -523,10 +523,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -548,10 +548,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -573,10 +573,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -598,10 +598,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -609,10 +609,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.2
+        helm.sh/chart: ingress-nginx-4.0.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.1
+        app.kubernetes.io/version: 1.0.2
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -648,10 +648,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -659,10 +659,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.2
+        helm.sh/chart: ingress-nginx-4.0.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.1
+        app.kubernetes.io/version: 1.0.2
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml
index 3f388e58e..2f105e5e3 100644
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,25 +28,26 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
   namespace: ingress-nginx
 data:
+  allow-snippet-annotations: 'true'
 ---
 # Source: ingress-nginx/templates/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -110,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -130,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -214,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -236,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -265,10 +266,10 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -297,10 +298,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -323,7 +324,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -412,10 +413,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -430,10 +431,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -470,10 +471,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -486,10 +487,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -510,10 +511,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -535,10 +536,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -560,10 +561,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -585,10 +586,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -596,10 +597,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.2
+        helm.sh/chart: ingress-nginx-4.0.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.1
+        app.kubernetes.io/version: 1.0.2
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -635,10 +636,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -646,10 +647,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.2
+        helm.sh/chart: ingress-nginx-4.0.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.1
+        app.kubernetes.io/version: 1.0.2
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml
index 6f197e8aa..413f4486c 100644
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,25 +28,26 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
   namespace: ingress-nginx
 data:
+  allow-snippet-annotations: 'true'
 ---
 # Source: ingress-nginx/templates/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -110,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -130,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -214,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -236,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -262,10 +263,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -293,10 +294,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -319,7 +320,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -407,10 +408,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -425,10 +426,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -465,10 +466,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -481,10 +482,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -505,10 +506,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -530,10 +531,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -555,10 +556,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -580,10 +581,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -591,10 +592,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.2
+        helm.sh/chart: ingress-nginx-4.0.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.1
+        app.kubernetes.io/version: 1.0.2
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -630,10 +631,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -641,10 +642,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.2
+        helm.sh/chart: ingress-nginx-4.0.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.1
+        app.kubernetes.io/version: 1.0.2
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml
index a7f0ab730..ad1d2d152 100644
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,25 +28,26 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
   namespace: ingress-nginx
 data:
+  allow-snippet-annotations: 'true'
 ---
 # Source: ingress-nginx/templates/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -110,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -130,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -214,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -236,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -262,10 +263,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -294,10 +295,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -320,7 +321,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -409,10 +410,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -427,10 +428,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -467,10 +468,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -483,10 +484,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -507,10 +508,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -532,10 +533,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -557,10 +558,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -582,10 +583,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -593,10 +594,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.2
+        helm.sh/chart: ingress-nginx-4.0.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.1
+        app.kubernetes.io/version: 1.0.2
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -632,10 +633,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -643,10 +644,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.2
+        helm.sh/chart: ingress-nginx-4.0.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.1
+        app.kubernetes.io/version: 1.0.2
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml
index 6e6701f22..0faacb212 100644
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,15 +28,16 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
   namespace: ingress-nginx
 data:
+  allow-snippet-annotations: 'true'
   use-proxy-protocol: 'true'
 ---
 # Source: ingress-nginx/templates/clusterrole.yaml
@@ -44,10 +45,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -111,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -131,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -215,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -237,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -264,10 +265,10 @@ metadata:
   annotations:
     service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -296,10 +297,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -322,7 +323,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -411,10 +412,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -429,10 +430,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -470,10 +471,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -486,10 +487,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -510,10 +511,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -535,10 +536,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -560,10 +561,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -585,10 +586,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -596,10 +597,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.2
+        helm.sh/chart: ingress-nginx-4.0.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.1
+        app.kubernetes.io/version: 1.0.2
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -635,10 +636,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -646,10 +647,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.2
+        helm.sh/chart: ingress-nginx-4.0.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.1
+        app.kubernetes.io/version: 1.0.2
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml
index fe5bb54b5..6000b489f 100644
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,25 +28,26 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
   namespace: ingress-nginx
 data:
+  allow-snippet-annotations: 'true'
 ---
 # Source: ingress-nginx/templates/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -110,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -130,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -214,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -236,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -270,10 +271,10 @@ metadata:
     service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: 3s
     service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -302,10 +303,10 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -328,7 +329,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -417,10 +418,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -435,10 +436,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -475,10 +476,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -491,10 +492,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -515,10 +516,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -540,10 +541,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -565,10 +566,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -590,10 +591,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -601,10 +602,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.2
+        helm.sh/chart: ingress-nginx-4.0.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.1
+        app.kubernetes.io/version: 1.0.2
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -640,10 +641,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -651,10 +652,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.2
+        helm.sh/chart: ingress-nginx-4.0.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.1
+        app.kubernetes.io/version: 1.0.2
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index 564946582..49efcda1d 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,25 +28,26 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
   namespace: ingress-nginx
 data:
+  allow-snippet-annotations: 'true'
 ---
 # Source: ingress-nginx/templates/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -110,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -130,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -214,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -236,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -262,10 +263,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -293,10 +294,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -323,7 +324,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -339,7 +340,6 @@ spec:
             - --validating-webhook-certificate=/usr/local/certificates/cert
             - --validating-webhook-key=/usr/local/certificates/key
             - --publish-status-address=localhost
-            - --watch-ingress-without-class
           securityContext:
             capabilities:
               drop:
@@ -420,10 +420,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -438,10 +438,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -478,10 +478,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -494,10 +494,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -518,10 +518,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -543,10 +543,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -568,10 +568,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -593,10 +593,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -604,10 +604,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.2
+        helm.sh/chart: ingress-nginx-4.0.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.1
+        app.kubernetes.io/version: 1.0.2
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -643,10 +643,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -654,10 +654,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.2
+        helm.sh/chart: ingress-nginx-4.0.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.1
+        app.kubernetes.io/version: 1.0.2
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml
index 70d2ddbe1..1fd2ae4a8 100644
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,15 +28,16 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
   namespace: ingress-nginx
 data:
+  allow-snippet-annotations: 'true'
   use-proxy-protocol: 'true'
 ---
 # Source: ingress-nginx/templates/clusterrole.yaml
@@ -44,10 +45,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -111,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -131,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -215,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -237,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -264,10 +265,10 @@ metadata:
   annotations:
     service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -296,10 +297,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -322,7 +323,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -411,10 +412,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -429,10 +430,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -469,10 +470,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -485,10 +486,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -509,10 +510,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -534,10 +535,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -559,10 +560,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -584,10 +585,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -595,10 +596,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.2
+        helm.sh/chart: ingress-nginx-4.0.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.1
+        app.kubernetes.io/version: 1.0.2
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -634,10 +635,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.2
+    helm.sh/chart: ingress-nginx-4.0.3
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.1
+    app.kubernetes.io/version: 1.0.2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -645,10 +646,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.2
+        helm.sh/chart: ingress-nginx-4.0.3
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.1
+        app.kubernetes.io/version: 1.0.2
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index 059bdb862..1f5e5fbd6 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -54,7 +54,7 @@ Kubernetes is available in Docker Desktop
 - Windows, from [version 18.06.0-ce](https://docs.docker.com/docker-for-windows/release-notes/#docker-community-edition-18060-ce-win70-2018-07-25)
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.1/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.2/deploy/static/provider/cloud/deploy.yaml
 ```
 
 #### minikube
@@ -82,7 +82,7 @@ In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controll
 ##### Network Load Balancer (NLB)
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.1/deploy/static/provider/aws/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.2/deploy/static/provider/aws/deploy.yaml
 ```
 
 ##### TLS termination in AWS Load Balancer (ELB)
@@ -91,10 +91,10 @@ In some scenarios is required to terminate TLS in the Load Balancer and not in t
 
 For this purpose we provide a template:
 
-- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.1/deploy/static/provider/aws/deploy-tls-termination.yaml)
+- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.2/deploy/static/provider/aws/deploy-tls-termination.yaml)
 
 ```console
-wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.1/deploy/static/provider/aws/deploy-tls-termination.yaml
+wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.2/deploy/static/provider/aws/deploy-tls-termination.yaml
 ```
 
 - Edit the file and change:
@@ -140,7 +140,7 @@ More information with regards to timeouts can be found in the [official AWS docu
 
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.1/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.2/deploy/static/provider/cloud/deploy.yaml
 ```
 
 !!! failure Important
@@ -149,7 +149,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 #### Azure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.1/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.2/deploy/static/provider/cloud/deploy.yaml
 ```
 
 More information with regards to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller).
@@ -157,13 +157,13 @@ More information with regards to Azure annotations for ingress controller can be
 #### Digital Ocean
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.1/deploy/static/provider/do/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.2/deploy/static/provider/do/deploy.yaml
 ```
 
 #### Scaleway
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.1/deploy/static/provider/scw/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.2/deploy/static/provider/scw/deploy.yaml
 ```
 
 #### Exoscale
@@ -177,7 +177,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale
 #### Oracle Cloud Infrastructure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.1/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.2/deploy/static/provider/cloud/deploy.yaml
 ```
 
 A [complete list of available annotations for Oracle Cloud Infrastructure](https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md) can be found in the [OCI Cloud Controller Manager](https://github.com/oracle/oci-cloud-controller-manager) documentation.
@@ -187,7 +187,7 @@ A [complete list of available annotations for Oracle Cloud Infrastructure](https
 Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport):
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.1/deploy/static/provider/baremetal/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.2/deploy/static/provider/baremetal/deploy.yaml
 ```
 
 !!! tip
diff --git a/stable.txt b/stable.txt
index eb4cb9717..7c5ca8084 100644
--- a/stable.txt
+++ b/stable.txt
@@ -1 +1 @@
-controller-v1.0.1
\ No newline at end of file
+controller-v1.0.2

From 7a1d06f3d2fcaf3cd9df53b602087f0bf486f4bf Mon Sep 17 00:00:00 2001
From: John Losito <lositojohnj@gmail.com>
Date: Mon, 27 Sep 2021 08:19:36 -0400
Subject: [PATCH 141/376] Allow dependabot to check go modules (#6873)

---
 .github/dependabot.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..61634d5a4
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+---
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"

From c0f61039e47ca021c8c5432d7a7686fca4807a7f Mon Sep 17 00:00:00 2001
From: Claudiu Belu <1552519+claudiubelu@users.noreply.github.com>
Date: Mon, 27 Sep 2021 15:42:18 +0300
Subject: [PATCH 142/376] Updates E2E test images registry (#7704)

We're moving away from google.com gcp projects. These images are now on community-owned infra.
---
 docs/examples/chashsubset/deployment.yaml | 2 +-
 docs/examples/http-svc.yaml               | 2 +-
 docs/examples/multi-tls/multi-tls.yaml    | 2 +-
 test/e2e/annotations/canary.go            | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/examples/chashsubset/deployment.yaml b/docs/examples/chashsubset/deployment.yaml
index 82fdc7ac0..24a41dcc2 100644
--- a/docs/examples/chashsubset/deployment.yaml
+++ b/docs/examples/chashsubset/deployment.yaml
@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: nginxhello
-          image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
+          image: k8s.gcr.io/e2e-test-images/echoserver:2.3
           ports:
             - containerPort: 8080
           env:
diff --git a/docs/examples/http-svc.yaml b/docs/examples/http-svc.yaml
index bd2b34ce9..4e8426897 100644
--- a/docs/examples/http-svc.yaml
+++ b/docs/examples/http-svc.yaml
@@ -14,7 +14,7 @@ spec:
     spec:
       containers:
       - name: http-svc
-        image: gcr.io/kubernetes-e2e-test-images/echoserver:2.1
+        image: k8s.gcr.io/e2e-test-images/echoserver:2.3
         ports:
         - containerPort: 8080
         env:
diff --git a/docs/examples/multi-tls/multi-tls.yaml b/docs/examples/multi-tls/multi-tls.yaml
index 32f5932c1..b3985439e 100644
--- a/docs/examples/multi-tls/multi-tls.yaml
+++ b/docs/examples/multi-tls/multi-tls.yaml
@@ -70,7 +70,7 @@ spec:
     spec:
       containers:
       - name: http-svc
-        image: gcr.io/kubernetes-e2e-test-images/echoserver:2.1
+        image: k8s.gcr.io/e2e-test-images/echoserver:2.3
         ports:
         - containerPort: 8080
         env:
diff --git a/test/e2e/annotations/canary.go b/test/e2e/annotations/canary.go
index 07b307abb..d189c972d 100644
--- a/test/e2e/annotations/canary.go
+++ b/test/e2e/annotations/canary.go
@@ -146,7 +146,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() {
 				ginkgo.By("returning a 200 status when the canary deployment has 0 replicas and a request is sent to the mainline ingress")
 
 				f.NewEchoDeploymentWithReplicas(1)
-				f.NewDeployment(canaryService, "gcr.io/kubernetes-e2e-test-images/echoserver:2.2", 8080, 0)
+				f.NewDeployment(canaryService, "k8s.gcr.io/e2e-test-images/echoserver:2.3", 8080, 0)
 
 				resp, _, errs = gorequest.New().
 					Get(f.GetURL(framework.HTTP)).

From 9daa72b64784968a545d458ef3ffd809d4334c86 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 28 Sep 2021 09:02:43 -0700
Subject: [PATCH 143/376] Bump github.com/fsnotify/fsnotify from 1.4.9 to 1.5.1
 (#7713)

Bumps [github.com/fsnotify/fsnotify](https://github.com/fsnotify/fsnotify) from 1.4.9 to 1.5.1.
- [Release notes](https://github.com/fsnotify/fsnotify/releases)
- [Changelog](https://github.com/fsnotify/fsnotify/blob/master/CHANGELOG.md)
- [Commits](https://github.com/fsnotify/fsnotify/compare/v1.4.9...v1.5.1)

---
updated-dependencies:
- dependency-name: github.com/fsnotify/fsnotify
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/go.mod b/go.mod
index 4c8d4596f..a5afe73b7 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.17
 require (
 	github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a
 	github.com/eapache/channels v1.1.0
-	github.com/fsnotify/fsnotify v1.4.9
+	github.com/fsnotify/fsnotify v1.5.1
 	github.com/gavv/httpexpect/v2 v2.3.1
 	github.com/imdario/mergo v0.3.12
 	github.com/json-iterator/go v1.1.11
diff --git a/go.sum b/go.sum
index 2a19bfd54..a943dc294 100644
--- a/go.sum
+++ b/go.sum
@@ -192,8 +192,9 @@ github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVB
 github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/fsnotify/fsnotify v1.5.1 h1:mZcQUHVQUQWoPXXtuf9yuEXKudkV2sx1E06UadKWpgI=
+github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU=
 github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b h1:074/xhloHUBOpTZwlIzQ28rbPY8pNJvzY7Gcx5KnNOk=
 github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
 github.com/gavv/httpexpect/v2 v2.3.1 h1:sGLlKMn8AuHS9ztK9Sb7AJ7OxIL8v2PcLdyxfKt1Fo4=

From 0b40037675265220d755f345f66a57c4175a3ccb Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 28 Sep 2021 09:06:44 -0700
Subject: [PATCH 144/376] Bump github.com/opencontainers/runc from 1.0.1 to
 1.0.2 (#7715)

Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.0.1 to 1.0.2.
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Commits](https://github.com/opencontainers/runc/compare/v1.0.1...v1.0.2)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/runc
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index a5afe73b7..fafe8d3eb 100644
--- a/go.mod
+++ b/go.mod
@@ -17,7 +17,7 @@ require (
 	github.com/moul/pb v0.0.0-20180404114147-54bdd96e6a52
 	github.com/ncabatoff/process-exporter v0.7.5
 	github.com/onsi/ginkgo v1.16.4
-	github.com/opencontainers/runc v1.0.1
+	github.com/opencontainers/runc v1.0.2
 	github.com/pkg/errors v0.9.1
 	github.com/pmezard/go-difflib v1.0.0
 	github.com/prometheus/client_golang v1.11.0
diff --git a/go.sum b/go.sum
index a943dc294..0517f1627 100644
--- a/go.sum
+++ b/go.sum
@@ -550,8 +550,8 @@ github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1y
 github.com/onsi/gomega v1.14.0 h1:ep6kpPVwmr/nTbklSx2nrLNSIO62DoYAhnPNIMhK8gI=
 github.com/onsi/gomega v1.14.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
-github.com/opencontainers/runc v1.0.1 h1:G18PGckGdAm3yVQRWDVQ1rLSLntiniKJ0cNRT2Tm5gs=
-github.com/opencontainers/runc v1.0.1/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
+github.com/opencontainers/runc v1.0.2 h1:opHZMaswlyxz1OuGpBE53Dwe4/xF7EZTY0A2L/FpCOg=
+github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8=

From be9a7bea4a3b2f89ec7620dd0056f8fc3bbd6063 Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Tue, 28 Sep 2021 21:38:43 +0530
Subject: [PATCH 145/376] added example to install multiple instances of
 controller (#7718)

---
 docs/index.md | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/docs/index.md b/docs/index.md
index fe9f4c9d8..ea5bb2a08 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -172,7 +172,7 @@ Bear in mind that, if your `Ingress-Nginx-Controller-nginx2` is started with the
 ## How to easily install multiple instances of the ingress-NGINX controller in the same cluster ?
 - Create a new namespace
   ```
-  kubectl create namespace ingress-controller-2
+  kubectl create namespace ingress-nginx-2
   ```
 - Use helm to install the additional instance of the ingress controller
 - Ensure you have helm working (refer to helm documentation)
@@ -186,9 +186,11 @@ Bear in mind that, if your `Ingress-Nginx-Controller-nginx2` is started with the
   ```
 - Now you install the additional instance of the ingress-NGINX controller like this ;
   ```
-  helm --namespace ingress-controller-2 install ingcontroller-2 ingress-nginx/ingress-nginx  \
-  --set controller.ingressClass=ingress-class-2 \
-  --set controller.ingressClassResource.name=ingress-class-2 \
-  --set controller.ingressClassResource.controllerValue= "k8s.io/ingress-controller-2" 
+  helm install ingress-nginx-2 ingress-nginx/ingress-nginx  \
+  --namespace ingress-nginx-2 \
+  --set controller.ingressClassResource.name=nginx-2 \
+  --set controller.ingressClassResource.controllerValue= "k8s.io/ingress-nginx-2" \
+  --set controller.ingressClassResource.enabled=true \
+  --set controller.IngressClassByName=true
   ```
 - If you need to install yet another instance, then repeat the procedure to create a new namespace, change the values like names & namespaces (for example from "-2" to "-3"), or anything else that meets your needs.

From 3224e7192fe1dc20ee0fd1f9b9e7a2700a44bf68 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Wed, 29 Sep 2021 19:10:45 -0300
Subject: [PATCH 146/376] Fix ingress without class in kind deployment (#7726)

---
 deploy/static/provider/kind/deploy.yaml | 1 +
 hack/generate-deploy-scripts.sh         | 1 +
 2 files changed, 2 insertions(+)

diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index 49efcda1d..ba54920c6 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -339,6 +339,7 @@ spec:
             - --validating-webhook=:8443
             - --validating-webhook-certificate=/usr/local/certificates/cert
             - --validating-webhook-key=/usr/local/certificates/key
+            - --watch-ingress-without-class=true
             - --publish-status-address=localhost
           securityContext:
             capabilities:
diff --git a/hack/generate-deploy-scripts.sh b/hack/generate-deploy-scripts.sh
index a4872c6d8..221c34697 100755
--- a/hack/generate-deploy-scripts.sh
+++ b/hack/generate-deploy-scripts.sh
@@ -135,6 +135,7 @@ controller:
   terminationGracePeriodSeconds: 0
   service:
     type: NodePort
+  watchIngressWithoutClass: true
 
   nodeSelector:
     ingress-ready: "true"

From 37ab9991e83e550d681cd967a12e64ce3ab3315a Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Thu, 30 Sep 2021 01:10:09 -0300
Subject: [PATCH 147/376] Fix selector for shutting down Pods (#7727)

* Fix selector for shutting down Pods

* Add autogenerated labels for daemonset in exception

Co-authored-by: Jintao Zhang <tao12345666333@163.com>

Co-authored-by: Jintao Zhang <tao12345666333@163.com>
---
 internal/ingress/status/status.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/internal/ingress/status/status.go b/internal/ingress/status/status.go
index 7e2db9189..791e88818 100644
--- a/internal/ingress/status/status.go
+++ b/internal/ingress/status/status.go
@@ -226,8 +226,21 @@ func (s *statusSync) runningAddresses() ([]apiv1.LoadBalancerIngress, error) {
 }
 
 func (s *statusSync) isRunningMultiplePods() bool {
+
+	// As a standard, app.kubernetes.io are "reserved well-known" labels.
+	// In our case, we add those labels as identifiers of the Ingress
+	// deployment in this namespace, so we can select it as a set of Ingress instances.
+	// As those labels are also generated as part of a HELM deployment, we can be "safe" they
+	// cover 95% of the cases
+	podLabel := make(map[string]string)
+	for k, v := range k8s.IngressPodDetails.Labels {
+		if k != "pod-template-hash" && k != "controller-revision-hash" && k != "pod-template-generation" {
+			podLabel[k] = v
+		}
+	}
+
 	pods, err := s.Client.CoreV1().Pods(k8s.IngressPodDetails.Namespace).List(context.TODO(), metav1.ListOptions{
-		LabelSelector: labels.SelectorFromSet(k8s.IngressPodDetails.Labels).String(),
+		LabelSelector: labels.SelectorFromSet(podLabel).String(),
 	})
 	if err != nil {
 		return false

From 191ef6453b9b8fad9cbde205d09b33e8b477c7d2 Mon Sep 17 00:00:00 2001
From: Noah Ispas <13436814+iamNoah1@users.noreply.github.com>
Date: Thu, 30 Sep 2021 16:04:09 +0200
Subject: [PATCH 148/376] add issue triage information (#7658)

* add issue triage information

* change requests

* change requests from PR
---
 CONTRIBUTING.md |  8 ++++--
 ISSUE_TRIAGE.md | 66 +++++++++++++++++++++++++++++++++++++++++++++++++
 README.md       |  5 ++--
 3 files changed, 75 insertions(+), 4 deletions(-)
 create mode 100644 ISSUE_TRIAGE.md

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index afaf04291..5266e6131 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -2,6 +2,8 @@
 
 Read the following guide if you're interested in contributing to Ingress. [Make Ingress-Nginx Work for you, and the Community](https://youtu.be/GDm-7BlmPPg) from KubeCon Europe 2018 is a great video to get you started!!
 
+Note that this guide refers to contributing to actual sources of the repository. If you interested in contributing through issue triaging, have a look at [this guide](./ISSUE_TRIAGE.md). 
+
 ## Contributor License Agreements
 
 We'd love to accept your patches! Before we can take them, we have to jump a couple of legal hurdles.
@@ -15,9 +17,11 @@ Follow either of the two links above to access the appropriate CLA and instructi
 
 ***NOTE***: Only original source code from you and other people that have signed the CLA can be accepted into the main repository.
 
-## Finding Things That Need Help
+## Finding Issues That Need Help
 
-If you're new to the project and want to help, but don't know where to start, we have a semi-curated list of issues that should not need deep knowledge of the system. [Have a look and see if anything sounds interesting](https://github.com/kubernetes/ingress-nginx/issues?utf8=%E2%9C%93&q=is%3Aopen%20is%3Aissue%20label%3A%22help+wanted%22). Alternatively, read some of the docs on other controllers and try to write your own, file and fix any/all issues that come up, including gaps in documentation!
+If you're new to the project and want to help, but don't know where to start, we have a semi-curated list of issues that should not need deep knowledge of the system. [Have a look and see if anything sounds interesting](https://github.com/kubernetes/ingress-nginx/issues?utf8=%E2%9C%93&q=is%3Aopen%20is%3Aissue%20label%3A%22help+wanted%22). 
+
+Alternatively, search for the label [`triage-accepted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3Atriage%2Faccepted+) if you have some experience with ingress-nginx. Note, that it could make sense to grab issues with higher priority first.
 
 ## Contributing a Patch
 
diff --git a/ISSUE_TRIAGE.md b/ISSUE_TRIAGE.md
new file mode 100644
index 000000000..8b73d6d3e
--- /dev/null
+++ b/ISSUE_TRIAGE.md
@@ -0,0 +1,66 @@
+# Triage Process
+
+As any kind of contributor (triage, reviewer ...), always have in mind that if a user came to us and raised an issue, the user may have a real problem. We must assume that, and not the opposite (the user needs to prove to us that this is a bug). Keeping that in mind, **be nice with users, even if you don’t agree with them**
+
+Note that this guide refers to contributing through issue triaging. If you are interested in contributing to actual sources of the repository, see [this guide](./CONTRIBUTING.MD). 
+
+## General Information 
+
+The triage process of the ingress-nginx maintainers is based on the [triage process guidelines](https://github.com/kubernetes/community/blob/master/contributors/guide/issue-triage.md) of the Kubernetes community  
+
+However the exact process of the ingress-nginx maintainers may differ in certain aspects. This doc gives a more precise overview on how the ingress-nginx maintainers approach the issue triage process and other processes that are related. 
+
+## Triage Flow 
+
+This section describes the different stages of the triage flow.
+
+### Prepare Issues
+New issues come in with the labels `needs-triage` and `needs-priority` and one of: `kind/bug`, `kind/feature` or `kind/support`. Unfortunately there are also some legacy issues that only have a `kind/*` label but neither `needs-triage` nor `needs-priority` . However for every issue that does not have the `triage-accepted` label the following steps have to be done to prepare them for further processing:  
+
+
+* Filter for issues [without the `triage-accepted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+-label%3Atriage%2Faccepted+is%3Aissue) label.
+* Check if all neccessary information are available. This is basically true, if people filled out the issue template correctly. If neccessary information is missing, ask the author to add the missing information and add the label `triage/needs-information` if not already present. If already present, send the author a friendly reminder to add those. 
+* Check if the used versions of ingress-nginx and Kubernetes is supported. Note that [we only support n-3 versions](https://github.com/kubernetes/ingress-nginx#support-versions-table). If the version is not supported, ask the author to upgrade to newer versions and see if the error still persists. 
+* Read through the issue description and comments briefly to understand what the issue is about. Also check if the kind and area is correct, and adjust it if neccessary. If the issue is understandable add the label `triage-accepted`.
+* If at any point you don't know how to proceed with an issue during the triage process, tag one of the [core maintainers](OWNERS_ALIASES) in the issue to raise attention or alternatively come to [this slack channel](https://kubernetes.slack.com/archives/C021E147ZA4) which may be the quicker way as people tend to miss github notifications. 
+
+Note: Issues that are stale for 90 days are being closed automatically. However we could be missing a bug here, so from time to time it makes sense to go over the closed ones and see if there is something important. Use [this filter](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aclosed+is%3Aissue+label%3Alifecycle%2Frotten+) to find those. 
+
+Who and When?
+* Basically everyone who wants to contribute can do the mentioned steps at any time.
+
+### Issue Priorization
+For all issues, where all neccessary information is available thus triage is accepted, we need to do some priorization: 
+
+* Go through all issues with label [`triage-accepted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3Atriage%2Faccepted+).  
+* Add appropriate priority label: `priority/backlog`, `priority/critical-urgent`, `priority/awaiting-more-evidence`, `priority/important-longterm`, `priority/important-soon` or `good first issue`
+
+Who and When? 
+* Basically every contributor should be able to do that.
+* Tricky/important ones could be brought up during community meetings
+
+## Labels 
+Labels are helpful for issues to indicate in which lifecycle state they are currently and to categorize them. This section describes the most important ones with the additional info about how to add those. A complete label list of the Kubernetes community can be found [here](https://github.com/kubernetes/kubernetes/labels) while a complete label list for this project can be found [here](https://github.com/kubernetes/ingress-nginx/labels). However, here the most important ones: 
+
+* Triage:
+  * [`needs-triage`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3Aneeds-triage): Indicates that the issue needs triage. Automatically added. 
+  * [`triage/accepted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Atriage%2Faccepted+is%3Aissue+): Indicates that the issue is ready for further processing. Add with `/triage accepted`.
+  * [`triage/needs-information`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Atriage%2Fneeds-information+is%3Aissue+): Indicates that the issue lacks information. Add with `/triage needs-information`.
+* Kind: 
+  * [`kind/bug`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Akind%2Fbug+is%3Aissue): Indicates that the issue is assumed to be a bug. Add with `/kind bug`. Remove with `/remove-kind bug`.
+  * [`kind/feature`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Akind%2Ffeature+is%3Aissue+): Indicates that the issue is a feature request. Add with `/kind feature`. Remove with `/remove-kind feature`.
+  * [`kind/documentation`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Akind%2Fdocumentation+is%3Aissue+): Indicates that the issue is documentation related. Add with `/kind documentation`. Remove with `/remove-kind documentation`.
+  * [`kind/support`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Akind%2Fsupport+is%3Aissue+): Indicates the the issue is a support request. Add with `/kind support`. Remove with `/remove-kind support`.
+* Area: 
+  * [`area/helm`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Aarea%2Fhelm+is%3Aissue+): Indicates that the issue is related to helm charts. Add with `/area helm`.
+  * [`area/lua`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Aarea%2Flua+is%3Aissue+): Indicates that the issue is related to lua. Add with `/area lua`.
+  * [`area/docs`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Aarea%2Fdocs+is%3Aissue): Indicates that the issue is related to documentation. Add with `/area docs` .
+* Priority: 
+  * [`needs-priority`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3Aneeds-priority): Indicates that the issue has no priorization yet. Automatically added.
+  * [`priority/critical-urgent`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Apriority%2Fcritical-urgent+is%3Aissue+): indicates that the issue has highest priority. Add with `/priority critical-urgent`.
+  * [`priority/important-soon`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Apriority%2Fimportant-soon+is%3Aissue+): indicates that the issue should be worked on either currently soon, ideally in time for the next release. Add with `/priority important-soon`.
+  * [`priority/important-longterm`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Apriority%2Fimportant-longterm+is%3Aissue+): indicates that the issue is not important for now, but should be worked on in one of the upcomming releases. Add with `/priority important-longterm`.
+  * [`priority/backlog`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Apriority%2Fbacklog+is%3Aissue+): Indicates that the issue has the lowest priority. Add with `/priority backlog`.
+* Other: 
+  * [`help wanted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22): indicates that the issue needs help from a contributor. Add with `/help`.
+  * [`good first issue`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22): indicates that the issue needs help from a contributor and is a good first issue for new contributors. Add with `/good-first-issue`.
\ No newline at end of file
diff --git a/README.md b/README.md
index 2567e7d54..5c58ca402 100644
--- a/README.md
+++ b/README.md
@@ -40,6 +40,9 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 | v0.47.0               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
 | v0.46.0               | 1.21, 1.20, 1.19       | 3.13.2         |  1.19.6       |
 
+
+See [this article](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) if you want upgrade to the stable Ingress API. 
+
 ## Get Involved
 
 Thanks for taking the time to join our community and start contributing!
@@ -50,8 +53,6 @@ Thanks for taking the time to join our community and start contributing!
   
   - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information about setting up your environment, the workflow that we expect, and instructions on the developer certificate of origin that we require.
 
-  - Check out the [open issues](https://github.com/kubernetes/ingress-nginx), especially [help-wanted](https://github.com/kubernetes/ingress-nginx/labels/help%20wanted) ones.
-
   - Join our Kubernetes Slack channel for developer discussion : [#ingress-nginx-dev](https://kubernetes.slack.com/archives/C021E147ZA4).
   
   - Submit github issues for any feature enhancements, bugs or documentation problems. Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**.

From ee16726790a50397136ee63c8203422fd413587a Mon Sep 17 00:00:00 2001
From: Konstantin Chukhlomin <mail@chuhlomin.com>
Date: Fri, 1 Oct 2021 09:11:23 -0400
Subject: [PATCH 149/376] Update docs/example/rewrite (sudden stickyingress)
 (#7733)

---
 docs/examples/rewrite/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/examples/rewrite/README.md b/docs/examples/rewrite/README.md
index 824b0966f..6ae71a5d8 100644
--- a/docs/examples/rewrite/README.md
+++ b/docs/examples/rewrite/README.md
@@ -94,6 +94,6 @@ Server: nginx/1.11.10
 Date: Mon, 13 Mar 2017 14:57:15 GMT
 Content-Type: text/html
 Content-Length: 162
-Location: http://stickyingress.example.com/app1
+Location: http://approot.bar.com/app1
 Connection: keep-alive
 ```

From 35fe26faaf902d9e36ecc4758d4131efe38235f3 Mon Sep 17 00:00:00 2001
From: Erick <erick@fiddler.ai>
Date: Sun, 3 Oct 2021 10:19:06 -0400
Subject: [PATCH 150/376] Add a note to README.md with context on
 CVE-2021-23017 patch (#7735)

---
 README.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 5c58ca402..a54273cb2 100644
--- a/README.md
+++ b/README.md
@@ -30,8 +30,8 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 
 | Ingress-nginx version | k8s supported version  | Alpine Version | Nginx Version |
 |-----------------------|-------------           |----------------|---------------|
-| v1.0.2                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9       |
-| v1.0.1                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9       |
+| v1.0.2                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
+| v1.0.1                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
 | v1.0.0                | 1.22, 1.21, 1.20, 1.19 | 3.13.5         |  1.20.1       |
 | v0.49.2               | 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9       |
 | v0.49.1               | 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9       |
@@ -40,6 +40,7 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 | v0.47.0               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
 | v0.46.0               | 1.21, 1.20, 1.19       | 3.13.2         |  1.19.6       |
 
+† _This build is [patched against CVE-2021-23017](https://github.com/openresty/openresty/commit/4b5ec7edd78616f544abc194308e0cf4b788725b#diff-42ef841dc27fe0b5aa2d06bd31308bb63a59cdcddcbcddd917248349d22020a3)._
 
 See [this article](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) if you want upgrade to the stable Ingress API. 
 

From b219555e75684d6df91a03415507d3b310b831a5 Mon Sep 17 00:00:00 2001
From: Zackky Muhammad <m.zackky@gmail.com>
Date: Mon, 4 Oct 2021 04:59:07 +0800
Subject: [PATCH 151/376] docs(index): fix typo helm value example (#7734)

---
 docs/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/index.md b/docs/index.md
index ea5bb2a08..1d27546ee 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -191,6 +191,6 @@ Bear in mind that, if your `Ingress-Nginx-Controller-nginx2` is started with the
   --set controller.ingressClassResource.name=nginx-2 \
   --set controller.ingressClassResource.controllerValue= "k8s.io/ingress-nginx-2" \
   --set controller.ingressClassResource.enabled=true \
-  --set controller.IngressClassByName=true
+  --set controller.ingressClassByName=true
   ```
 - If you need to install yet another instance, then repeat the procedure to create a new namespace, change the values like names & namespaces (for example from "-2" to "-3"), or anything else that meets your needs.

From e8d914475910e6de6e2dc1977d22db0161eb96f4 Mon Sep 17 00:00:00 2001
From: Alan <zg.zhu@daocloud.io>
Date: Mon, 4 Oct 2021 05:05:07 +0800
Subject: [PATCH 152/376] fix overlap check when ingress is configured as
 canary (#7719)

---
 internal/ingress/controller/controller.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index aeed32278..f935f5fff 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -1713,7 +1713,7 @@ func checkOverlap(ing *networking.Ingress, ingresses []*ingress.Ingress, servers
 					return fmt.Errorf(`host "%s" and path "%s" is already defined in ingress %s/%s`, rule.Host, path.Path, existing.Namespace, existing.Name)
 				}
 
-				if annotationErr == errors.ErrMissingAnnotations && existingAnnotationErr == existingAnnotationErr {
+				if annotationErr == errors.ErrMissingAnnotations && existingAnnotationErr == errors.ErrMissingAnnotations {
 					return fmt.Errorf(`host "%s" and path "%s" is already defined in ingress %s/%s`, rule.Host, path.Path, existing.Namespace, existing.Name)
 				}
 			}

From 6e125826ad3968709392f2056023d4d7474ed4f5 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Sun, 3 Oct 2021 19:15:07 -0300
Subject: [PATCH 153/376] Prepare for v1.0.3 release (#7740)

---
 TAG | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/TAG b/TAG
index 570c79651..e946d6bb7 100644
--- a/TAG
+++ b/TAG
@@ -1 +1 @@
-v1.0.2
+v1.0.3

From bdea0c8e462ce94031df622e1eda3196ac41933e Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Mon, 4 Oct 2021 11:17:09 -0300
Subject: [PATCH 154/376] Release v1.0.3 (#7743)

Signed-off-by: Ricardo Pchevuzinske Katz <rkatz@vmware.com>
---
 Changelog.md                                  | 27 ++++++
 README.md                                     |  2 +
 charts/ingress-nginx/CHANGELOG.md             |  5 ++
 charts/ingress-nginx/Chart.yaml               | 10 +--
 charts/ingress-nginx/values.yaml              |  4 +-
 .../provider/aws/deploy-tls-termination.yaml  | 82 +++++++++----------
 deploy/static/provider/aws/deploy.yaml        | 82 +++++++++----------
 deploy/static/provider/baremetal/deploy.yaml  | 82 +++++++++----------
 deploy/static/provider/cloud/deploy.yaml      | 82 +++++++++----------
 deploy/static/provider/do/deploy.yaml         | 82 +++++++++----------
 deploy/static/provider/exoscale/deploy.yaml   | 82 +++++++++----------
 deploy/static/provider/kind/deploy.yaml       | 82 +++++++++----------
 deploy/static/provider/scw/deploy.yaml        | 82 +++++++++----------
 docs/deploy/index.md                          | 20 ++---
 stable.txt                                    |  2 +-
 15 files changed, 380 insertions(+), 346 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index be586a65b..e41239540 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,21 @@
 # Changelog
 
+### 1.0.3
+
+**Image:**
+- k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
+
+**Known Issues**
+* Ingress controller now (starting from v1.0.0) mandates cluster scoped access to IngressClass. This leads to problems when updating old Ingress controller to newest version, as described [here](https://github.com/kubernetes/ingress-nginx/issues/7510). We plan to fix it in v1.0.4, see [this](https://github.com/kubernetes/ingress-nginx/pull/7578). 
+
+_New Features:_
+
+_Changes:_
+
+- [X] [#7727](https://github.com/kubernetes/ingress-nginx/pull/7727) Fix selector for shutting down Pods status
+- [X] [#7719](https://github.com/kubernetes/ingress-nginx/pull/7719) Fix overlap check when ingress is configured as canary
+- Diverse docs fixes and libraries bumping
+
 ### 1.0.2
 
 **Image:**
@@ -131,6 +147,17 @@ Changes:
 - [X] [#6940](https://github.com/kubernetes/ingress-nginx/pull/6940) Fix definition order of modsecurity directives 
 - [X] [#7156] Drops support for Ingress Object v1beta1
 
+### 0.49.3
+
+**Image:**
+
+- `k8s.gcr.io/ingress-nginx/controller:v0.49.3@sha256:35fe394c82164efa8f47f3ed0be981b3f23da77175bbb8268a9ae438851c8324`
+
+_Changes:_
+
+- [X] [#7731](https://github.com/kubernetes/ingress-nginx/pull/7727) Fix selector for shutting down Pods status
+- [X] [#7741](https://github.com/kubernetes/ingress-nginx/pull/7719) Fix overlap check when ingress is configured as canary
+
 ### 0.49.2
 
 **Image:**
diff --git a/README.md b/README.md
index a54273cb2..1e24d8201 100644
--- a/README.md
+++ b/README.md
@@ -30,9 +30,11 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 
 | Ingress-nginx version | k8s supported version  | Alpine Version | Nginx Version |
 |-----------------------|-------------           |----------------|---------------|
+| v1.0.3                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
 | v1.0.2                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
 | v1.0.1                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
 | v1.0.0                | 1.22, 1.21, 1.20, 1.19 | 3.13.5         |  1.20.1       |
+| v0.49.3               | 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9       |
 | v0.49.2               | 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9       |
 | v0.49.1               | 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9       |
 | v0.49.0               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md
index fd649cc32..d680c2c68 100644
--- a/charts/ingress-nginx/CHANGELOG.md
+++ b/charts/ingress-nginx/CHANGELOG.md
@@ -2,6 +2,11 @@
 
 This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
 
+### 4.0.4
+
+- [7740] https://github.com/kubernetes/ingress-nginx/pull/7740 Release v1.0.3 of ingress-nginx
+
+
 ### 4.0.3
 
 - [7707] https://github.com/kubernetes/ingress-nginx/pull/7707 Release v1.0.2 of ingress-nginx
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 95e64f6cb..4c76d3ff9 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.0.3
-appVersion: 1.0.2
+version: 4.0.4
+appVersion: 1.0.3
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
@@ -24,6 +24,6 @@ annotations:
   # List of changes for the release in artifacthub.io
   # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog
   artifacthub.io/changes: |
-    - Upgrade lua-resty-balancer to v0.0.4 to stop coredumps
-    - Add canary backend name in metrics
-    - Add build info in metrics
+    - Bump various libraries
+    - Fix selector for shutting down Pods
+    - Fix overlap check when ingress is configured as canary
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 602b7f563..c4d3ef389 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -15,8 +15,8 @@ controller:
     # for backwards compatibility consider setting the full image url via the repository value below
     # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     # repository:
-    tag: "v1.0.2"
-    digest: sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
+    tag: "v1.0.3"
+    digest: sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
     pullPolicy: IfNotPresent
     # www-data -> uid 101
     runAsUser: 101
diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml
index ca4cf535e..b97e5a6e9 100644
--- a/deploy/static/provider/aws/deploy-tls-termination.yaml
+++ b/deploy/static/provider/aws/deploy-tls-termination.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -50,10 +50,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -117,10 +117,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -137,10 +137,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -221,10 +221,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -243,10 +243,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -275,10 +275,10 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
     service.beta.kubernetes.io/aws-load-balancer-type: elb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -307,10 +307,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -333,7 +333,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -425,10 +425,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -443,10 +443,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -483,10 +483,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -499,10 +499,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -523,10 +523,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -548,10 +548,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -573,10 +573,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -598,10 +598,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -609,10 +609,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.3
+        helm.sh/chart: ingress-nginx-4.0.4
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.2
+        app.kubernetes.io/version: 1.0.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -648,10 +648,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -659,10 +659,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.3
+        helm.sh/chart: ingress-nginx-4.0.4
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.2
+        app.kubernetes.io/version: 1.0.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml
index 2f105e5e3..312f9d84e 100644
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -111,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -131,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -215,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -237,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -266,10 +266,10 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -298,10 +298,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -324,7 +324,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -413,10 +413,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -431,10 +431,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -471,10 +471,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -487,10 +487,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -511,10 +511,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -536,10 +536,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -561,10 +561,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -586,10 +586,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -597,10 +597,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.3
+        helm.sh/chart: ingress-nginx-4.0.4
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.2
+        app.kubernetes.io/version: 1.0.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -636,10 +636,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -647,10 +647,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.3
+        helm.sh/chart: ingress-nginx-4.0.4
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.2
+        app.kubernetes.io/version: 1.0.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml
index 413f4486c..d40a7001f 100644
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -111,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -131,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -215,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -237,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -263,10 +263,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -294,10 +294,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -320,7 +320,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -408,10 +408,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -426,10 +426,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -466,10 +466,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -482,10 +482,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -506,10 +506,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -531,10 +531,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -556,10 +556,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -581,10 +581,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -592,10 +592,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.3
+        helm.sh/chart: ingress-nginx-4.0.4
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.2
+        app.kubernetes.io/version: 1.0.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -631,10 +631,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -642,10 +642,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.3
+        helm.sh/chart: ingress-nginx-4.0.4
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.2
+        app.kubernetes.io/version: 1.0.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml
index ad1d2d152..9f34732c9 100644
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -111,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -131,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -215,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -237,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -263,10 +263,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -295,10 +295,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -321,7 +321,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -410,10 +410,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -428,10 +428,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -468,10 +468,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -484,10 +484,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -508,10 +508,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -533,10 +533,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -558,10 +558,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -583,10 +583,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -594,10 +594,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.3
+        helm.sh/chart: ingress-nginx-4.0.4
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.2
+        app.kubernetes.io/version: 1.0.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -633,10 +633,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -644,10 +644,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.3
+        helm.sh/chart: ingress-nginx-4.0.4
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.2
+        app.kubernetes.io/version: 1.0.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml
index 0faacb212..702965e03 100644
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -45,10 +45,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -216,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -238,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -265,10 +265,10 @@ metadata:
   annotations:
     service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -297,10 +297,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -323,7 +323,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -412,10 +412,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -430,10 +430,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -471,10 +471,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -487,10 +487,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -511,10 +511,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -536,10 +536,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -561,10 +561,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -586,10 +586,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -597,10 +597,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.3
+        helm.sh/chart: ingress-nginx-4.0.4
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.2
+        app.kubernetes.io/version: 1.0.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -636,10 +636,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -647,10 +647,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.3
+        helm.sh/chart: ingress-nginx-4.0.4
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.2
+        app.kubernetes.io/version: 1.0.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml
index 6000b489f..bccc7e95c 100644
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -111,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -131,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -215,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -237,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -271,10 +271,10 @@ metadata:
     service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: 3s
     service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -303,10 +303,10 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -329,7 +329,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -418,10 +418,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -436,10 +436,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -476,10 +476,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -492,10 +492,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -516,10 +516,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -541,10 +541,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -566,10 +566,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -591,10 +591,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -602,10 +602,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.3
+        helm.sh/chart: ingress-nginx-4.0.4
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.2
+        app.kubernetes.io/version: 1.0.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -641,10 +641,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -652,10 +652,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.3
+        helm.sh/chart: ingress-nginx-4.0.4
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.2
+        app.kubernetes.io/version: 1.0.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index ba54920c6..9f464063d 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -111,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -131,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -215,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -237,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -263,10 +263,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -294,10 +294,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -324,7 +324,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -421,10 +421,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -439,10 +439,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -479,10 +479,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -495,10 +495,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -519,10 +519,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -544,10 +544,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -569,10 +569,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -594,10 +594,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -605,10 +605,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.3
+        helm.sh/chart: ingress-nginx-4.0.4
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.2
+        app.kubernetes.io/version: 1.0.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -644,10 +644,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -655,10 +655,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.3
+        helm.sh/chart: ingress-nginx-4.0.4
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.2
+        app.kubernetes.io/version: 1.0.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml
index 1fd2ae4a8..e62154cd9 100644
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -45,10 +45,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -216,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -238,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -265,10 +265,10 @@ metadata:
   annotations:
     service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -297,10 +297,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -323,7 +323,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -412,10 +412,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -430,10 +430,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -470,10 +470,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -486,10 +486,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -510,10 +510,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -535,10 +535,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -560,10 +560,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -585,10 +585,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -596,10 +596,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.3
+        helm.sh/chart: ingress-nginx-4.0.4
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.2
+        app.kubernetes.io/version: 1.0.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -635,10 +635,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.3
+    helm.sh/chart: ingress-nginx-4.0.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.2
+    app.kubernetes.io/version: 1.0.3
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -646,10 +646,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.3
+        helm.sh/chart: ingress-nginx-4.0.4
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.2
+        app.kubernetes.io/version: 1.0.3
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index 1f5e5fbd6..f0a90e63d 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -54,7 +54,7 @@ Kubernetes is available in Docker Desktop
 - Windows, from [version 18.06.0-ce](https://docs.docker.com/docker-for-windows/release-notes/#docker-community-edition-18060-ce-win70-2018-07-25)
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.2/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/cloud/deploy.yaml
 ```
 
 #### minikube
@@ -82,7 +82,7 @@ In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controll
 ##### Network Load Balancer (NLB)
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.2/deploy/static/provider/aws/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/aws/deploy.yaml
 ```
 
 ##### TLS termination in AWS Load Balancer (ELB)
@@ -91,10 +91,10 @@ In some scenarios is required to terminate TLS in the Load Balancer and not in t
 
 For this purpose we provide a template:
 
-- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.2/deploy/static/provider/aws/deploy-tls-termination.yaml)
+- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/aws/deploy-tls-termination.yaml)
 
 ```console
-wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.2/deploy/static/provider/aws/deploy-tls-termination.yaml
+wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/aws/deploy-tls-termination.yaml
 ```
 
 - Edit the file and change:
@@ -140,7 +140,7 @@ More information with regards to timeouts can be found in the [official AWS docu
 
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.2/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/cloud/deploy.yaml
 ```
 
 !!! failure Important
@@ -149,7 +149,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 #### Azure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.2/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/cloud/deploy.yaml
 ```
 
 More information with regards to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller).
@@ -157,13 +157,13 @@ More information with regards to Azure annotations for ingress controller can be
 #### Digital Ocean
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.2/deploy/static/provider/do/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/do/deploy.yaml
 ```
 
 #### Scaleway
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.2/deploy/static/provider/scw/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/scw/deploy.yaml
 ```
 
 #### Exoscale
@@ -177,7 +177,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale
 #### Oracle Cloud Infrastructure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.2/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/cloud/deploy.yaml
 ```
 
 A [complete list of available annotations for Oracle Cloud Infrastructure](https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md) can be found in the [OCI Cloud Controller Manager](https://github.com/oracle/oci-cloud-controller-manager) documentation.
@@ -187,7 +187,7 @@ A [complete list of available annotations for Oracle Cloud Infrastructure](https
 Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport):
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.2/deploy/static/provider/baremetal/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/baremetal/deploy.yaml
 ```
 
 !!! tip
diff --git a/stable.txt b/stable.txt
index 7c5ca8084..80a2c1385 100644
--- a/stable.txt
+++ b/stable.txt
@@ -1 +1 @@
-controller-v1.0.2
+controller-v1.0.3

From 07e54431ff069a5452a1f68ca3dbb98da0e0f35b Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Mon, 4 Oct 2021 19:21:50 -0400
Subject: [PATCH 155/376] bump the version to fix the build issues (#7751)

---
 charts/ingress-nginx/CHANGELOG.md             |  2 +-
 charts/ingress-nginx/Chart.yaml               |  2 +-
 .../provider/aws/deploy-tls-termination.yaml  | 41 ++++++++++---------
 deploy/static/provider/aws/deploy.yaml        | 40 +++++++++---------
 deploy/static/provider/baremetal/deploy.yaml  | 40 +++++++++---------
 deploy/static/provider/cloud/deploy.yaml      | 40 +++++++++---------
 deploy/static/provider/do/deploy.yaml         | 40 +++++++++---------
 deploy/static/provider/exoscale/deploy.yaml   | 40 +++++++++---------
 deploy/static/provider/kind/deploy.yaml       | 40 +++++++++---------
 deploy/static/provider/scw/deploy.yaml        | 40 +++++++++---------
 10 files changed, 163 insertions(+), 162 deletions(-)

diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md
index d680c2c68..e569bf6ae 100644
--- a/charts/ingress-nginx/CHANGELOG.md
+++ b/charts/ingress-nginx/CHANGELOG.md
@@ -2,7 +2,7 @@
 
 This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
 
-### 4.0.4
+### 4.0.5
 
 - [7740] https://github.com/kubernetes/ingress-nginx/pull/7740 Release v1.0.3 of ingress-nginx
 
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 4c76d3ff9..28e8db3bd 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.0.4
+version: 4.0.5
 appVersion: 1.0.3
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml
index b97e5a6e9..f6c67e074 100644
--- a/deploy/static/provider/aws/deploy-tls-termination.yaml
+++ b/deploy/static/provider/aws/deploy-tls-termination.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -37,6 +37,7 @@ metadata:
   name: ingress-nginx-controller
   namespace: ingress-nginx
 data:
+  allow-snippet-annotations: 'true'
   http-snippet: |
     server{
       listen 2443;
@@ -50,7 +51,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -117,7 +118,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -137,7 +138,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -221,7 +222,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -243,7 +244,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -275,7 +276,7 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
     service.beta.kubernetes.io/aws-load-balancer-type: elb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -307,7 +308,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -425,7 +426,7 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -443,7 +444,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -483,7 +484,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -499,7 +500,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -523,7 +524,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -548,7 +549,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -573,7 +574,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -598,7 +599,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -609,7 +610,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.4
+        helm.sh/chart: ingress-nginx-4.0.5
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.3
@@ -648,7 +649,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -659,7 +660,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.4
+        helm.sh/chart: ingress-nginx-4.0.5
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.3
diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml
index 312f9d84e..058a47090 100644
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -44,7 +44,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -111,7 +111,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -131,7 +131,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -215,7 +215,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -237,7 +237,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -266,7 +266,7 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -298,7 +298,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -413,7 +413,7 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -431,7 +431,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -471,7 +471,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -487,7 +487,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -511,7 +511,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -536,7 +536,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -561,7 +561,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -586,7 +586,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -597,7 +597,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.4
+        helm.sh/chart: ingress-nginx-4.0.5
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.3
@@ -636,7 +636,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -647,7 +647,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.4
+        helm.sh/chart: ingress-nginx-4.0.5
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.3
diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml
index d40a7001f..7e0a5a9e7 100644
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -44,7 +44,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -111,7 +111,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -131,7 +131,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -215,7 +215,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -237,7 +237,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -263,7 +263,7 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -294,7 +294,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -408,7 +408,7 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -426,7 +426,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -466,7 +466,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -482,7 +482,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -506,7 +506,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -531,7 +531,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -556,7 +556,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -581,7 +581,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -592,7 +592,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.4
+        helm.sh/chart: ingress-nginx-4.0.5
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.3
@@ -631,7 +631,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -642,7 +642,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.4
+        helm.sh/chart: ingress-nginx-4.0.5
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.3
diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml
index 9f34732c9..e2df8e210 100644
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -44,7 +44,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -111,7 +111,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -131,7 +131,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -215,7 +215,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -237,7 +237,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -263,7 +263,7 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -295,7 +295,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -410,7 +410,7 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -428,7 +428,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -468,7 +468,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -484,7 +484,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -508,7 +508,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -533,7 +533,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -558,7 +558,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -583,7 +583,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -594,7 +594,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.4
+        helm.sh/chart: ingress-nginx-4.0.5
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.3
@@ -633,7 +633,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -644,7 +644,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.4
+        helm.sh/chart: ingress-nginx-4.0.5
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.3
diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml
index 702965e03..e4b46caeb 100644
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -45,7 +45,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -112,7 +112,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -132,7 +132,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -216,7 +216,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -238,7 +238,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -265,7 +265,7 @@ metadata:
   annotations:
     service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -297,7 +297,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -412,7 +412,7 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -430,7 +430,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -471,7 +471,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -487,7 +487,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -511,7 +511,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -536,7 +536,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -561,7 +561,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -586,7 +586,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -597,7 +597,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.4
+        helm.sh/chart: ingress-nginx-4.0.5
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.3
@@ -636,7 +636,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -647,7 +647,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.4
+        helm.sh/chart: ingress-nginx-4.0.5
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.3
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml
index bccc7e95c..cc7509a56 100644
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -44,7 +44,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -111,7 +111,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -131,7 +131,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -215,7 +215,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -237,7 +237,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -271,7 +271,7 @@ metadata:
     service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: 3s
     service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -303,7 +303,7 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -418,7 +418,7 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -436,7 +436,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -476,7 +476,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -492,7 +492,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -516,7 +516,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -541,7 +541,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -566,7 +566,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -591,7 +591,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -602,7 +602,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.4
+        helm.sh/chart: ingress-nginx-4.0.5
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.3
@@ -641,7 +641,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -652,7 +652,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.4
+        helm.sh/chart: ingress-nginx-4.0.5
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.3
diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index 9f464063d..5d57cd699 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -44,7 +44,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -111,7 +111,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -131,7 +131,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -215,7 +215,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -237,7 +237,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -263,7 +263,7 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -294,7 +294,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -421,7 +421,7 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -439,7 +439,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -479,7 +479,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -495,7 +495,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -519,7 +519,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -544,7 +544,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -569,7 +569,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -594,7 +594,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -605,7 +605,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.4
+        helm.sh/chart: ingress-nginx-4.0.5
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.3
@@ -644,7 +644,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -655,7 +655,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.4
+        helm.sh/chart: ingress-nginx-4.0.5
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.3
diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml
index e62154cd9..6f20554d2 100644
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -45,7 +45,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -112,7 +112,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -132,7 +132,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -216,7 +216,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -238,7 +238,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -265,7 +265,7 @@ metadata:
   annotations:
     service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -297,7 +297,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -412,7 +412,7 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -430,7 +430,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -470,7 +470,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -486,7 +486,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -510,7 +510,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -535,7 +535,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -560,7 +560,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -585,7 +585,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -596,7 +596,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.4
+        helm.sh/chart: ingress-nginx-4.0.5
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.3
@@ -635,7 +635,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.4
+    helm.sh/chart: ingress-nginx-4.0.5
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.3
@@ -646,7 +646,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.4
+        helm.sh/chart: ingress-nginx-4.0.5
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.3

From 5fec4e885def71393ae02f68eee23981c6e385f3 Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Fri, 8 Oct 2021 07:25:51 +0530
Subject: [PATCH 156/376] removed space in example helm install command from
 docs (#7775)

---
 docs/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/index.md b/docs/index.md
index 1d27546ee..ddd7f8884 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -189,7 +189,7 @@ Bear in mind that, if your `Ingress-Nginx-Controller-nginx2` is started with the
   helm install ingress-nginx-2 ingress-nginx/ingress-nginx  \
   --namespace ingress-nginx-2 \
   --set controller.ingressClassResource.name=nginx-2 \
-  --set controller.ingressClassResource.controllerValue= "k8s.io/ingress-nginx-2" \
+  --set controller.ingressClassResource.controllerValue="k8s.io/ingress-nginx-2" \
   --set controller.ingressClassResource.enabled=true \
   --set controller.ingressClassByName=true
   ```

From 0963a459220e08be1d0ec956d4ef908441958649 Mon Sep 17 00:00:00 2001
From: Jun Gu <32951570+gujun4990@users.noreply.github.com>
Date: Fri, 8 Oct 2021 20:44:59 +0800
Subject: [PATCH 157/376] docs: Remove extra symbol (#7765)

Signed-off-by: jun.gu <gujun4990@outlook.com>
---
 docs/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/index.md b/docs/index.md
index ddd7f8884..cc3d2cb58 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -178,7 +178,7 @@ Bear in mind that, if your `Ingress-Nginx-Controller-nginx2` is started with the
 - Ensure you have helm working (refer to helm documentation)
 - We have to assume that you have the helm repo for the ingress-NGINX controller already added to your helm config. But, if you have not added the helm repo then you can do this to add the repo to your helm config;
   ```
-  helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx`
+  helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
   ```
 - Make sure you have updated the helm repo data;
   ```

From 9e3c5286400e8ccdf64002ce23876f8d6422df52 Mon Sep 17 00:00:00 2001
From: Alex R <i@sepa.spb.ru>
Date: Fri, 8 Oct 2021 21:47:23 +0300
Subject: [PATCH 158/376] Disable builtin ssl_session_cache (#7777)

Signed-off-by: Alex R <i@sepa.spb.ru>
---
 rootfs/etc/nginx/template/nginx.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index b4c91ef54..32b02f72a 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -429,7 +429,7 @@ http {
 
     # turn on session caching to drastically improve performance
     {{ if $cfg.SSLSessionCache }}
-    ssl_session_cache builtin:1000 shared:SSL:{{ $cfg.SSLSessionCacheSize }};
+    ssl_session_cache shared:SSL:{{ $cfg.SSLSessionCacheSize }};
     ssl_session_timeout {{ $cfg.SSLSessionTimeout }};
     {{ end }}
 

From 4ad67e125ea46645b84f0e51ac903f37cad4282d Mon Sep 17 00:00:00 2001
From: mitchldtn <65378283+mitchldtn@users.noreply.github.com>
Date: Sun, 10 Oct 2021 13:36:38 -0500
Subject: [PATCH 159/376] Update index.md (#7766)

Proposal to add information to Helm Installation

I can into an issue recently which cost me the better part of an afternoon and evening. The only information about some changes, I was not aware of, was in this blog post about improvements in 1.18.

The information about the errors I was receiving lead me to dead ends prior to finding that blog post. `IngressClass` and `ingressClassName` are thrown around a lot and it can be confusing but it helped me to eventually find a solution.

I kept getting `Error: rendered manifests contain a resource that already exists. Unable to continue with install: IngressClass "nginx" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata ...` and could not figure out how to fix it.

I believe adding the proposed changes, or a version of them, would help eliminate that frustration I experienced for other users that may run into these issues.
---
 docs/deploy/index.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index f0a90e63d..559d74c58 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -235,6 +235,8 @@ helm repo update
 helm install ingress-nginx ingress-nginx/ingress-nginx
 ```
 
+[For multiple NGINX Ingress controllers](https://kubernetes.github.io/ingress-nginx/#how-to-easily-install-multiple-instances-of-the-ingress-nginx-controller-in-the-same-cluster)
+
 ## Detect installed version:
 
 ```console

From 757aa53686f835becd7d9444b289531352c630b1 Mon Sep 17 00:00:00 2001
From: Mateusz Gozdek <mgozdek@microsoft.com>
Date: Sun, 10 Oct 2021 20:40:37 +0200
Subject: [PATCH 160/376] Add CI for images/kube-webhook-certgen (#7717)

As a follow up to PR #7641, this commit adds some basic e2e tests for
kube-webhook-certgen image.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
---
 .github/workflows/ci.yaml                 | 38 +++++++++++++-
 images/kube-webhook-certgen/Makefile      |  8 ++-
 images/kube-webhook-certgen/hack/e2e.sh   | 62 +++++++++++++++++++++++
 images/kube-webhook-certgen/hack/e2e.yaml | 57 +++++++++++++++++++++
 4 files changed, 163 insertions(+), 2 deletions(-)
 create mode 100755 images/kube-webhook-certgen/hack/e2e.sh
 create mode 100644 images/kube-webhook-certgen/hack/e2e.yaml

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 030c9abe5..67a9ac74d 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -276,4 +276,40 @@ jobs:
       - name: kube-webhook-certgen image build
         if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
         run: |
-          cd images/kube-webhook-certgen && make build
\ No newline at end of file
+          cd images/kube-webhook-certgen && make build
+
+  test-image:
+    runs-on: ubuntu-latest
+    env:
+      PLATFORMS: linux/amd64
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - uses: dorny/paths-filter@v2
+        id: filter-images
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          filters: |
+            kube-webhook-certgen:
+              - 'images/kube-webhook-certgen/**'
+
+      - name: Create Kubernetes cluster
+        id: kind
+        if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
+        uses: engineerd/setup-kind@v0.5.0
+        with:
+          version: v0.11.1
+          image: kindest/node:v1.21.1
+
+      - name: Set up Go 1.17
+        id: go
+        if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17
+
+      - name: kube-webhook-certgen image build
+        if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
+        run: |
+          cd images/kube-webhook-certgen && make test test-e2e
diff --git a/images/kube-webhook-certgen/Makefile b/images/kube-webhook-certgen/Makefile
index 8457e0c57..f1d3edc5b 100644
--- a/images/kube-webhook-certgen/Makefile
+++ b/images/kube-webhook-certgen/Makefile
@@ -53,4 +53,10 @@ else
 endif
 	@echo "done"
 
-.PHONY: build push ensure-buildx
+test:
+	cd rootfs && go test ./...
+
+test-e2e:
+	./hack/e2e.sh
+
+.PHONY: build push ensure-buildx test test-e2e
diff --git a/images/kube-webhook-certgen/hack/e2e.sh b/images/kube-webhook-certgen/hack/e2e.sh
new file mode 100755
index 000000000..7ebf1fb1e
--- /dev/null
+++ b/images/kube-webhook-certgen/hack/e2e.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ -n "$DEBUG" ]; then
+  set -x
+fi
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+pushd rootfs
+go build
+popd
+
+export KUBECONFIG=${KUBECONFIG:-~/.kube/config}
+
+function error {
+  trap - EXIT
+  echo $@
+  exit 1
+}
+
+function cleanup {
+  kubectl delete --recursive -f hack/e2e.yaml --ignore-not-found
+}
+
+trap cleanup EXIT
+
+cleanup
+
+kubectl apply --recursive -f hack/e2e.yaml
+
+./rootfs/kube-webhook-certgen create --kubeconfig ${KUBECONFIG} --namespace test --secret-name test --host test --cert-name test
+./rootfs/kube-webhook-certgen patch --kubeconfig ${KUBECONFIG} --namespace test --secret-name test --webhook-name pod-policy.example.com
+./rootfs/kube-webhook-certgen patch --kubeconfig ${KUBECONFIG} --namespace test --secret-name test --apiservice-name v1alpha1.pod-policy.example.com
+./rootfs/kube-webhook-certgen patch --kubeconfig ${KUBECONFIG} --namespace test --secret-name test --webhook-name pod-policy.example.com --apiservice-name v1alpha1.pod-policy.example.com
+
+if [[ -z "$(kubectl get validatingwebhookconfiguration pod-policy.example.com -o jsonpath='{.webhooks[0].clientConfig.caBundle}')" ]]; then
+  error "ValidatingWebhookConfiguration pod-policy.example.com did not get CA injected"
+fi
+
+if [[ -z "$(kubectl get mutatingwebhookconfiguration pod-policy.example.com -o jsonpath='{.webhooks[0].clientConfig.caBundle}')" ]]; then
+  error "MutatingWebhookConfiguration pod-policy.example.com did not get CA injected"
+fi
+
+if [[ -z "$(kubectl get apiservice v1alpha1.pod-policy.example.com -o jsonpath='{.spec.caBundle}')" ]];then
+  error "APIService v1alpha1.pod-policy.example.com did not get CA injected"
+fi
diff --git a/images/kube-webhook-certgen/hack/e2e.yaml b/images/kube-webhook-certgen/hack/e2e.yaml
new file mode 100644
index 000000000..f6f116f5e
--- /dev/null
+++ b/images/kube-webhook-certgen/hack/e2e.yaml
@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: "pod-policy.example.com"
+webhooks:
+- name: "pod-policy.example.com"
+  rules:
+  - apiGroups:   [""]
+    apiVersions: ["v1"]
+    operations:  ["CREATE"]
+    resources:   ["pods"]
+    scope:       "Namespaced"
+  clientConfig:
+    service:
+      namespace: "example-namespace"
+      name: "example-service"
+  admissionReviewVersions: ["v1", "v1beta1"]
+  sideEffects: None
+  timeoutSeconds: 5
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: "pod-policy.example.com"
+webhooks:
+- name: "pod-policy.example.com"
+  rules:
+  - apiGroups:   [""]
+    apiVersions: ["v1"]
+    operations:  ["CREATE"]
+    resources:   ["pods"]
+    scope:       "Namespaced"
+  clientConfig:
+    service:
+      namespace: "example-namespace"
+      name: "example-service"
+  admissionReviewVersions: ["v1", "v1beta1"]
+  sideEffects: None
+  timeoutSeconds: 5
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1alpha1.pod-policy.example.com
+spec:
+  service:
+    name: "example-namespace"
+    namespace: "example-service"
+  group: pod-policy.example.com
+  version: v1alpha1
+  groupPriorityMinimum: 100
+  versionPriority: 100

From 710d0db9a56401ed0eb07559b67180f1752839c6 Mon Sep 17 00:00:00 2001
From: Enes Kirimi <enesmil@gmail.com>
Date: Sun, 10 Oct 2021 20:50:37 +0200
Subject: [PATCH 161/376] Expand docker desktop installation with an attention
 block (#7730)

---
 docs/deploy/index.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index 559d74c58..ccd782a5e 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -53,6 +53,9 @@ Kubernetes is available in Docker Desktop
 - Mac, from [version 18.06.0-ce](https://docs.docker.com/docker-for-mac/release-notes/#stable-releases-of-2018)
 - Windows, from [version 18.06.0-ce](https://docs.docker.com/docker-for-windows/release-notes/#docker-community-edition-18060-ce-win70-2018-07-25)
 
+!!! attention
+    Before running the command at your terminal, make sure Kubernetes is enabled at Docker settings
+
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/cloud/deploy.yaml
 ```

From 6499393772ee786179b006b423e11950912e8295 Mon Sep 17 00:00:00 2001
From: emerson <emerson_gong@hotmail.com>
Date: Mon, 11 Oct 2021 03:48:37 +0800
Subject: [PATCH 162/376] Print warning only instead of error if no permission
 on ingressclass (#7578)

* skip ingressclass check if ingressclass is not enabled

* reformat with gofmt
---
 cmd/nginx/main.go                             |  5 +++-
 .../controller/ingressclass/ingressclass.go   |  4 ++-
 internal/ingress/controller/store/store.go    | 28 +++++++++++++------
 3 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go
index cd98effb0..aa5a0372b 100644
--- a/cmd/nginx/main.go
+++ b/cmd/nginx/main.go
@@ -110,8 +110,11 @@ func main() {
 	_, err = kubeClient.NetworkingV1().IngressClasses().List(context.TODO(), metav1.ListOptions{})
 	if err != nil {
 		if !errors.IsNotFound(err) {
-			if errors.IsUnauthorized(err) || !errors.IsForbidden(err) {
+			if errors.IsUnauthorized(err) {
 				klog.Fatalf("Error searching IngressClass: Please verify your RBAC and allow Ingress Controller to list and get Ingress Classes: %v", err)
+			} else if errors.IsForbidden(err) {
+				klog.Warningf("No permissions to list and get Ingress Classes: %v, IngressClass feature will be disabled", err)
+				conf.IngressClassConfiguration.IgnoreIngressClass = true
 			}
 		}
 	}
diff --git a/internal/ingress/controller/ingressclass/ingressclass.go b/internal/ingress/controller/ingressclass/ingressclass.go
index f13a2a05c..95bd98d0f 100644
--- a/internal/ingress/controller/ingressclass/ingressclass.go
+++ b/internal/ingress/controller/ingressclass/ingressclass.go
@@ -42,7 +42,9 @@ type IngressClassConfiguration struct {
 	// WatchWithoutClass defines if Controller should watch to Ingress Objects that does
 	// not contain an IngressClass configuration
 	WatchWithoutClass bool
-
+	// IgnoreIngressClass defines if Controller should ignore the IngressClass Object if no permissions are
+	// granted on IngressClass
+	IgnoreIngressClass bool
 	//IngressClassByName defines if the Controller should watch for Ingress Classes by
 	// .metadata.name together with .spec.Controller
 	IngressClassByName bool
diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go
index d5f7ce63c..6852f63b2 100644
--- a/internal/ingress/controller/store/store.go
+++ b/internal/ingress/controller/store/store.go
@@ -151,7 +151,9 @@ func (e NotExistsError) Error() string {
 func (i *Informer) Run(stopCh chan struct{}) {
 	go i.Secret.Run(stopCh)
 	go i.Endpoint.Run(stopCh)
-	go i.IngressClass.Run(stopCh)
+	if i.IngressClass != nil {
+		go i.IngressClass.Run(stopCh)
+	}
 	go i.Service.Run(stopCh)
 	go i.ConfigMap.Run(stopCh)
 
@@ -159,13 +161,15 @@ func (i *Informer) Run(stopCh chan struct{}) {
 	// from the queue
 	if !cache.WaitForCacheSync(stopCh,
 		i.Endpoint.HasSynced,
-		i.IngressClass.HasSynced,
 		i.Service.HasSynced,
 		i.Secret.HasSynced,
 		i.ConfigMap.HasSynced,
 	) {
 		runtime.HandleError(fmt.Errorf("timed out waiting for caches to sync"))
 	}
+	if i.IngressClass != nil && !cache.WaitForCacheSync(stopCh, i.IngressClass.HasSynced) {
+		runtime.HandleError(fmt.Errorf("timed out waiting for ingress classcaches to sync"))
+	}
 
 	// in big clusters, deltas can keep arriving even after HasSynced
 	// functions have returned 'true'
@@ -300,8 +304,10 @@ func New(
 	store.informers.Ingress = infFactory.Networking().V1().Ingresses().Informer()
 	store.listers.Ingress.Store = store.informers.Ingress.GetStore()
 
-	store.informers.IngressClass = infFactory.Networking().V1().IngressClasses().Informer()
-	store.listers.IngressClass.Store = cache.NewStore(cache.MetaNamespaceKeyFunc)
+	if !icConfig.IgnoreIngressClass {
+		store.informers.IngressClass = infFactory.Networking().V1().IngressClasses().Informer()
+		store.listers.IngressClass.Store = cache.NewStore(cache.MetaNamespaceKeyFunc)
+	}
 
 	store.informers.Endpoint = infFactory.Core().V1().Endpoints().Informer()
 	store.listers.Endpoint.Store = store.informers.Endpoint.GetStore()
@@ -385,8 +391,12 @@ func New(
 			oldIng, _ := toIngress(old)
 			curIng, _ := toIngress(cur)
 
-			_, errOld := store.GetIngressClass(oldIng, icConfig)
-			classCur, errCur := store.GetIngressClass(curIng, icConfig)
+			var errOld, errCur error
+			var classCur string
+			if !icConfig.IgnoreIngressClass {
+				_, errOld = store.GetIngressClass(oldIng, icConfig)
+				classCur, errCur = store.GetIngressClass(curIng, icConfig)
+			}
 			if errOld != nil && errCur == nil {
 				if hasCatchAllIngressRule(curIng.Spec) && disableCatchAll {
 					klog.InfoS("ignoring update for catch-all ingress because of --disable-catch-all", "ingress", klog.KObj(curIng))
@@ -699,7 +709,9 @@ func New(
 	}
 
 	store.informers.Ingress.AddEventHandler(ingEventHandler)
-	store.informers.IngressClass.AddEventHandler(ingressClassEventHandler)
+	if !icConfig.IgnoreIngressClass {
+		store.informers.IngressClass.AddEventHandler(ingressClassEventHandler)
+	}
 	store.informers.Endpoint.AddEventHandler(epEventHandler)
 	store.informers.Secret.AddEventHandler(secrEventHandler)
 	store.informers.ConfigMap.AddEventHandler(cmEventHandler)
@@ -852,7 +864,7 @@ func (s *k8sStore) GetService(key string) (*corev1.Service, error) {
 
 func (s *k8sStore) GetIngressClass(ing *networkingv1.Ingress, icConfig *ingressclass.IngressClassConfiguration) (string, error) {
 	// First we try ingressClassName
-	if ing.Spec.IngressClassName != nil {
+	if !icConfig.IgnoreIngressClass && ing.Spec.IngressClassName != nil {
 		iclass, err := s.listers.IngressClass.ByKey(*ing.Spec.IngressClassName)
 		if err != nil {
 			return "", err

From a6ef52da9dc67597352d124fe60f0daa5b2b8984 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9opold=20Jacquot?= <leopold.jacquot@infomaniak.com>
Date: Sun, 10 Oct 2021 22:34:37 +0200
Subject: [PATCH 163/376] Add service-metrics port protocol (#7782)

---
 charts/ingress-nginx/templates/controller-service-metrics.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/charts/ingress-nginx/templates/controller-service-metrics.yaml b/charts/ingress-nginx/templates/controller-service-metrics.yaml
index 1b690192c..0aaf41473 100644
--- a/charts/ingress-nginx/templates/controller-service-metrics.yaml
+++ b/charts/ingress-nginx/templates/controller-service-metrics.yaml
@@ -33,6 +33,7 @@ spec:
   ports:
     - name: metrics
       port: {{ .Values.controller.metrics.service.servicePort }}
+      protocol: TCP
       targetPort: metrics
     {{- $setNodePorts := (or (eq .Values.controller.metrics.service.type "NodePort") (eq .Values.controller.metrics.service.type "LoadBalancer")) }}
     {{- if (and $setNodePorts (not (empty .Values.controller.metrics.service.nodePort))) }}

From 97e39e79e2d69a9eba45ad83ae2d19e70330e2f2 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Sun, 10 Oct 2021 20:18:37 -0300
Subject: [PATCH 164/376] Add e2e test for non ingressclass enabled ingress
 (#7785)

---
 cmd/nginx/main.go                  |  5 +-
 go.mod                             |  1 +
 go.sum                             |  1 +
 test/e2e/settings/ingress_class.go | 90 ++++++++++++++++++++++++++++++
 4 files changed, 93 insertions(+), 4 deletions(-)

diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go
index aa5a0372b..69d12d05e 100644
--- a/cmd/nginx/main.go
+++ b/cmd/nginx/main.go
@@ -110,15 +110,12 @@ func main() {
 	_, err = kubeClient.NetworkingV1().IngressClasses().List(context.TODO(), metav1.ListOptions{})
 	if err != nil {
 		if !errors.IsNotFound(err) {
-			if errors.IsUnauthorized(err) {
-				klog.Fatalf("Error searching IngressClass: Please verify your RBAC and allow Ingress Controller to list and get Ingress Classes: %v", err)
-			} else if errors.IsForbidden(err) {
+			if errors.IsForbidden(err) {
 				klog.Warningf("No permissions to list and get Ingress Classes: %v, IngressClass feature will be disabled", err)
 				conf.IngressClassConfiguration.IgnoreIngressClass = true
 			}
 		}
 	}
-
 	conf.Client = kubeClient
 
 	err = k8s.GetIngressPod(kubeClient)
diff --git a/go.mod b/go.mod
index fafe8d3eb..8925d1296 100644
--- a/go.mod
+++ b/go.mod
@@ -78,6 +78,7 @@ require (
 	github.com/go-openapi/jsonreference v0.19.3 // indirect
 	github.com/go-openapi/spec v0.19.5 // indirect
 	github.com/go-openapi/swag v0.19.5 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
 	github.com/godbus/dbus/v5 v5.0.4 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
diff --git a/go.sum b/go.sum
index 0517f1627..d2755d925 100644
--- a/go.sum
+++ b/go.sum
@@ -267,6 +267,7 @@ github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2K
 github.com/go-openapi/validate v0.19.8/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4=
 github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/gobuffalo/here v0.6.0/go.mod h1:wAG085dHOYqUpf+Ap+WOdrPTp5IYcDAs/x7PLa8Y5fM=
 github.com/godbus/dbus/v5 v5.0.4 h1:9349emZab16e7zQvpmsbtjc18ykshndd8y2PG3sgJbA=
diff --git a/test/e2e/settings/ingress_class.go b/test/e2e/settings/ingress_class.go
index 9740eef38..09134ccba 100644
--- a/test/e2e/settings/ingress_class.go
+++ b/test/e2e/settings/ingress_class.go
@@ -18,6 +18,7 @@ package settings
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 	"strings"
 	"sync"
@@ -26,6 +27,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	appsv1 "k8s.io/api/apps/v1"
 	networkingv1 "k8s.io/api/networking/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -578,4 +581,91 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() {
 		})
 
 	})
+
+	ginkgo.Context("Without IngressClass Cluster scoped Permission", func() {
+
+		ginkgo.BeforeEach(func() {
+			icname := fmt.Sprintf("ic-%s", f.Namespace)
+
+			newRole := &rbacv1.ClusterRoleBinding{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: icname,
+				},
+				RoleRef: rbacv1.RoleRef{
+					APIGroup: "rbac.authorization.k8s.io",
+					Kind:     "ClusterRole",
+					Name:     icname,
+				},
+				Subjects: []rbacv1.Subject{
+					{
+						APIGroup:  "",
+						Kind:      "ServiceAccount",
+						Namespace: f.Namespace,
+						Name:      "blablabla",
+					},
+				},
+			}
+			_, err := f.KubeClientSet.RbacV1().ClusterRoleBindings().Update(context.TODO(), newRole, metav1.UpdateOptions{})
+
+			assert.Nil(ginkgo.GinkgoT(), err, "Updating IngressClass ClusterRoleBinding")
+
+			// Force the correct annotation value just for the re-deployment
+			err = f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error {
+				args := []string{}
+				for _, v := range deployment.Spec.Template.Spec.Containers[0].Args {
+					if strings.Contains(v, "--ingress-class=testclass") {
+						continue
+					}
+
+					args = append(args, v)
+				}
+				args = append(args, "--ingress-class=testclass")
+				deployment.Spec.Template.Spec.Containers[0].Args = args
+				_, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{})
+
+				return err
+			})
+			assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller deployment flags")
+		})
+
+		ginkgo.It("should watch Ingress with correct annotation", func() {
+
+			validHost := "foo"
+			annotations := map[string]string{
+				ingressclass.IngressKey: "testclass",
+			}
+			ing := framework.NewSingleIngress(validHost, "/", validHost, f.Namespace, framework.EchoService, 80, annotations)
+			ing.Spec.IngressClassName = nil
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxConfiguration(func(cfg string) bool {
+				return strings.Contains(cfg, "server_name foo")
+			})
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", validHost).
+				Expect().
+				Status(http.StatusOK)
+		})
+
+		ginkgo.It("should ignore Ingress with only IngressClassName", func() {
+
+			invalidHost := "noclassforyou"
+
+			ing := framework.NewSingleIngress(invalidHost, "/", invalidHost, f.Namespace, framework.EchoService, 80, nil)
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxConfiguration(func(cfg string) bool {
+				return !strings.Contains(cfg, "server_name noclassforyou")
+			})
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", invalidHost).
+				Expect().
+				Status(http.StatusNotFound)
+		})
+
+	})
 })

From 54a58708035c69047fd2692dca0e86c14ad2b127 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Sun, 10 Oct 2021 21:40:37 -0300
Subject: [PATCH 165/376] Update dependencies (#7783)

---
 go.mod | 20 ++++++++++----------
 go.sum | 36 ++++++++++++++++++++++++------------
 2 files changed, 34 insertions(+), 22 deletions(-)

diff --git a/go.mod b/go.mod
index 8925d1296..62daa9a6c 100644
--- a/go.mod
+++ b/go.mod
@@ -22,24 +22,24 @@ require (
 	github.com/pmezard/go-difflib v1.0.0
 	github.com/prometheus/client_golang v1.11.0
 	github.com/prometheus/client_model v0.2.0
-	github.com/prometheus/common v0.30.0
+	github.com/prometheus/common v0.31.1
 	github.com/spf13/cobra v1.2.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.7.0
 	github.com/zakjan/cert-chain-resolver v0.0.0-20210427055340-87e10242a981
 	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97
 	golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d
-	google.golang.org/grpc v1.38.0
+	google.golang.org/grpc v1.41.0
 	gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
 	gopkg.in/go-playground/pool.v3 v3.1.1
-	k8s.io/api v0.21.3
-	k8s.io/apiextensions-apiserver v0.21.3
-	k8s.io/apimachinery v0.21.3
-	k8s.io/apiserver v0.21.3
-	k8s.io/cli-runtime v0.21.3
-	k8s.io/client-go v0.21.3
-	k8s.io/code-generator v0.21.3
-	k8s.io/component-base v0.21.3
+	k8s.io/api v0.21.5
+	k8s.io/apiextensions-apiserver v0.21.5
+	k8s.io/apimachinery v0.21.5
+	k8s.io/apiserver v0.21.5
+	k8s.io/cli-runtime v0.21.5
+	k8s.io/client-go v0.21.5
+	k8s.io/code-generator v0.21.5
+	k8s.io/component-base v0.21.5
 	k8s.io/klog/v2 v2.10.0
 	k8s.io/utils v0.0.0-20210802155522-efc7438f0176 // indirect
 	pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732
diff --git a/go.sum b/go.sum
index d2755d925..69bca847a 100644
--- a/go.sum
+++ b/go.sum
@@ -124,6 +124,7 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
 github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI=
 github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ=
@@ -175,6 +176,7 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
 github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
@@ -608,8 +610,8 @@ github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt2
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
 github.com/prometheus/common v0.14.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s=
 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
-github.com/prometheus/common v0.30.0 h1:JEkYlQnpzrzQFxi6gnukFPdQ+ac82oRhzMcIduJu/Ug=
-github.com/prometheus/common v0.30.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
+github.com/prometheus/common v0.31.1 h1:d18hG4PkHnNAKNMOmFuXFaiY8Us0nird/2m60uS1AMs=
+github.com/prometheus/common v0.31.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
@@ -744,6 +746,7 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
+go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee331t6JAXeK2bcyhLOOc=
 go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
@@ -1164,8 +1167,9 @@ google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA5
 google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.38.0 h1:/9BgsAsa5nWe26HqOlvlgJnqBuktYOLCgjCPqsa56W0=
 google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
+google.golang.org/grpc v1.41.0 h1:f+PlOh7QV4iIJkPrx5NQ7qaNGFQ3OTse67yaDHfju4E=
+google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -1229,22 +1233,29 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.21.3 h1:cblWILbLO8ar+Fj6xdDGr603HRsf8Wu9E9rngJeprZQ=
 k8s.io/api v0.21.3/go.mod h1:hUgeYHUbBp23Ue4qdX9tR8/ANi/g3ehylAqDn9NWVOg=
-k8s.io/apiextensions-apiserver v0.21.3 h1:+B6biyUWpqt41kz5x6peIsljlsuwvNAp/oFax/j2/aY=
+k8s.io/api v0.21.5 h1:9zp3SslPRB+rqxhGKqqTo6VsN3HX0Ype1nWV6UQQ+Sk=
+k8s.io/api v0.21.5/go.mod h1:Un8C5Hemo2r3MfPOjZvwQQ9KkBbiTBUCGrjlivo9uJ0=
 k8s.io/apiextensions-apiserver v0.21.3/go.mod h1:kl6dap3Gd45+21Jnh6utCx8Z2xxLm8LGDkprcd+KbsE=
-k8s.io/apimachinery v0.21.3 h1:3Ju4nvjCngxxMYby0BimUk+pQHPOQp3eCGChk5kfVII=
+k8s.io/apiextensions-apiserver v0.21.5 h1:sCUpiB47ba59J57ZsqOvoxD3voc2nnR+sylAzHIwI8w=
+k8s.io/apiextensions-apiserver v0.21.5/go.mod h1:iiakfVazpXLW8OkF2sH/p9XGgfE7XFSQuZFJ10QlXB4=
 k8s.io/apimachinery v0.21.3/go.mod h1:H/IM+5vH9kZRNJ4l3x/fXP/5bOPJaVP/guptnZPeCFI=
-k8s.io/apiserver v0.21.3 h1:QxAgE1ZPQG5cPlHScHTnLxP9H/kU3zjH1Vnd8G+n5OI=
+k8s.io/apimachinery v0.21.5 h1:56bnsHcUNboSCbD779GGi4Lh5kHTDFUoDrnHbhLTiaw=
+k8s.io/apimachinery v0.21.5/go.mod h1:3PfBV+4PPXNs0aueD+7fHcGyhdkFFYqXeshQtsKCi+4=
 k8s.io/apiserver v0.21.3/go.mod h1:eDPWlZG6/cCCMj/JBcEpDoK+I+6i3r9GsChYBHSbAzU=
-k8s.io/cli-runtime v0.21.3 h1:eXevRomULAAGjQ7m6qo+AWHvtVRqaLG8WQICEBwjtmo=
-k8s.io/cli-runtime v0.21.3/go.mod h1:h65y0uXIXDnNjd5J+F3CvQU3ZNplH4+rjqbII7JkD4A=
-k8s.io/client-go v0.21.3 h1:J9nxZTOmvkInRDCzcSNQmPJbDYN/PjlxXT9Mos3HcLg=
+k8s.io/apiserver v0.21.5 h1:iEPvJ2uwmyb7C4eScOj1fgPKCyCUGgMQU5+UREE87vE=
+k8s.io/apiserver v0.21.5/go.mod h1:0bWmrAx3dxUUFSEw71U91Si5obhIvBcAmf8oVZUO58E=
+k8s.io/cli-runtime v0.21.5 h1:ZpPmrRsHvzdMzXrcr1/ZSBHLKrhS1aHyMr2hGJNlNpI=
+k8s.io/cli-runtime v0.21.5/go.mod h1:TKlcXsRVImtcPDGEe72pyZtD9UgBJNupIf3hmsIeekE=
 k8s.io/client-go v0.21.3/go.mod h1:+VPhCgTsaFmGILxR/7E1N0S+ryO010QBeNCv5JwRGYU=
-k8s.io/code-generator v0.21.3 h1:K2Onrjuve/31D4Y5DpR9ngWM2BiiKUxrGaCxSEJS/Y8=
+k8s.io/client-go v0.21.5 h1:zkVidiWVgciPKYqWpMFMjCUF+4rRXcfkKoyQS1Ue21k=
+k8s.io/client-go v0.21.5/go.mod h1:EUornVlr3rBrPKXUoMPNggJdEQmvFNMpYO3Kb6432kw=
 k8s.io/code-generator v0.21.3/go.mod h1:K3y0Bv9Cz2cOW2vXUrNZlFbflhuPvuadW6JdnN6gGKo=
-k8s.io/component-base v0.21.3 h1:4WuuXY3Npa+iFfi2aDRiOz+anhNvRfye0859ZgfC5Og=
+k8s.io/code-generator v0.21.5 h1:7X6dJG4hzKFHChYpP02iF0XrXhenqQHc76QoKYzDZfI=
+k8s.io/code-generator v0.21.5/go.mod h1:0K1k6o2ef8JD/j8LF3ZuqWLGFMHvO5psNzLLmxf7ZVE=
 k8s.io/component-base v0.21.3/go.mod h1:kkuhtfEHeZM6LkX0saqSK8PbdO7A0HigUngmhhrwfGQ=
+k8s.io/component-base v0.21.5 h1:icFqcFDrO9S+FQpGohzVm6qce9vlo131K0r3NhElxiQ=
+k8s.io/component-base v0.21.5/go.mod h1:UyRaqQfPkBL/haEFaMWgVQvtom5TqAT+jqlFGlh6LuU=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027 h1:Uusb3oh8XcdzDF/ndlI4ToKTYVlkCSJP39SRY2mfRAw=
 k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
@@ -1267,6 +1278,7 @@ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.19/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
 sigs.k8s.io/controller-runtime v0.9.5 h1:WThcFE6cqctTn2jCZprLICO6BaKZfhsT37uAapTNfxc=
 sigs.k8s.io/controller-runtime v0.9.5/go.mod h1:q6PpkM5vqQubEKUKOM6qr06oXGzOBcCby1DA9FbyZeA=
 sigs.k8s.io/kustomize/api v0.8.8 h1:G2z6JPSSjtWWgMeWSoHdXqyftJNmMmyxXpwENGoOtGE=

From 69577e58f5798263b6892275abe71bd62e53d171 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 11 Oct 2021 05:08:40 -0700
Subject: [PATCH 166/376] Bump github.com/mitchellh/mapstructure from 1.4.1 to
 1.4.2 (#7786)

Bumps [github.com/mitchellh/mapstructure](https://github.com/mitchellh/mapstructure) from 1.4.1 to 1.4.2.
- [Release notes](https://github.com/mitchellh/mapstructure/releases)
- [Changelog](https://github.com/mitchellh/mapstructure/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mitchellh/mapstructure/compare/v1.4.1...v1.4.2)

---
updated-dependencies:
- dependency-name: github.com/mitchellh/mapstructure
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/go.mod b/go.mod
index 62daa9a6c..7989becbd 100644
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/mattn/go-isatty v0.0.12 // indirect
 	github.com/mitchellh/go-ps v1.0.0
 	github.com/mitchellh/hashstructure v1.1.0
-	github.com/mitchellh/mapstructure v1.4.1
+	github.com/mitchellh/mapstructure v1.4.2
 	github.com/moul/pb v0.0.0-20180404114147-54bdd96e6a52
 	github.com/ncabatoff/process-exporter v0.7.5
 	github.com/onsi/ginkgo v1.16.4
diff --git a/go.sum b/go.sum
index 69bca847a..924b6e98c 100644
--- a/go.sum
+++ b/go.sum
@@ -492,8 +492,9 @@ github.com/mitchellh/hashstructure v1.1.0/go.mod h1:xUDAozZz0Wmdiufv0uyhnHkUTN6/
 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/mitchellh/mapstructure v1.4.1 h1:CpVNEelQCZBooIPDn+AR3NpivK/TIKU8bDxdASFVQag=
 github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/mapstructure v1.4.2 h1:6h7AQ0yhTcIsmFmnAwQls75jp2Gzs4iB8W7pjMO+rqo=
+github.com/mitchellh/mapstructure v1.4.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mmarkdown/mmark v2.0.40+incompatible h1:vMeUeDzBK3H+/mU0oMVfMuhSXJlIA+DE/DMPQNAj5C4=
 github.com/mmarkdown/mmark v2.0.40+incompatible/go.mod h1:Uvmoz7tvsWpr7bMVxIpqZPyN3FbOtzDmnsJDFp7ltJs=
 github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=

From 0c1698001855f3599ff6429cb04f18c983657955 Mon Sep 17 00:00:00 2001
From: Damien Mathieu <42@dmathieu.com>
Date: Mon, 11 Oct 2021 15:16:40 +0200
Subject: [PATCH 167/376] add OpenTelemetry to nginx base image (#7669)

---
 images/nginx/README.md       |  2 ++
 images/nginx/rootfs/build.sh | 42 ++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+)

diff --git a/images/nginx/README.md b/images/nginx/README.md
index 9e6321938..376948743 100644
--- a/images/nginx/README.md
+++ b/images/nginx/README.md
@@ -4,6 +4,8 @@ This custom image contains:
 
 - [nginx-http-auth-digest](https://github.com/atomx/nginx-http-auth-digest)
 - [ngx_http_substitutions_filter_module](https://github.com/yaoweibin/ngx_http_substitutions_filter_module)
+- [OpenTelemetry-CPP](https://github.com/open-telemetry/opentelemetry-cpp)
+- [OpenTelemetry-CPP-Nginx](https://github.com/open-telemetry/opentelemetry-cpp-contrib/tree/main/instrumentation/nginx)
 - [nginx-opentracing](https://github.com/opentracing-contrib/nginx-opentracing)
 - [opentracing-cpp](https://github.com/opentracing/opentracing-cpp)
 - [zipkin-cpp-opentracing](https://github.com/rnburn/zipkin-cpp-opentracing)
diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
index 4a8fa1a4c..2aa84e874 100755
--- a/images/nginx/rootfs/build.sh
+++ b/images/nginx/rootfs/build.sh
@@ -35,6 +35,12 @@ export NGINX_DIGEST_AUTH=1.0.0
 # Check for recent changes: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/compare/v0.6.4...master
 export NGINX_SUBSTITUTIONS=b8a71eacc7f986ba091282ab8b1bbbc6ae1807e0
 
+# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.0.0...main
+export OPENTELEMETRY_CPP_VERSION=1.0.0
+
+# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp-contrib/compare/4c4933...main
+export OPENTELEMETRY_CONTRIB_COMMIT=4c4933dc207c04e3528a9b20c28b639bc99773ad
+
 # Check for recent changes: https://github.com/opentracing-contrib/nginx-opentracing/compare/v0.19.0...master
 export NGINX_OPENTRACING_VERSION=0.19.0
 
@@ -131,11 +137,13 @@ export BUILD_PATH=/tmp/build
 
 ARCH=$(uname -m)
 
+export USE_OPENTELEMETRY=true
 if [[ ${ARCH} == "s390x" ]]; then
   export LUAJIT_VERSION=9d5750d28478abfdcaefdfdc408f87752a21e431
   export LUA_RESTY_CORE=0.1.17
   export LUA_NGX_VERSION=0.10.15
   export LUA_STREAM_NGX_VERSION=0.0.7
+  export USE_OPENTELEMETRY=false
 fi
 
 get_src()
@@ -215,6 +223,9 @@ get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \
 get_src a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f \
         "https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/$NGINX_SUBSTITUTIONS.tar.gz"
 
+get_src 49519dcf5a2324f9122819141045744fdcbcf411c730f173c4f3d993f02c92b5 \
+        "https://github.com/dmathieu/opentelemetry-cpp-contrib/archive/$OPENTELEMETRY_CONTRIB_COMMIT.tar.gz"
+
 get_src 6f97776ebdf019b105a755c7736b70bdbd7e575c7f0d39db5fe127873c7abf17 \
         "https://github.com/opentracing-contrib/nginx-opentracing/archive/v$NGINX_OPENTRACING_VERSION.tar.gz"
 
@@ -468,6 +479,32 @@ cmake -DCMAKE_BUILD_TYPE=Release \
 make
 make install
 
+if [ $USE_OPENTELEMETRY ]; then
+  # build opentelemetry lib
+  apk add protobuf-dev \
+    grpc \
+    grpc-dev \
+    gtest-dev \
+    c-ares-dev
+
+  cd $BUILD_PATH
+  git clone --recursive https://github.com/open-telemetry/opentelemetry-cpp opentelemetry-cpp-$OPENTELEMETRY_CPP_VERSION
+  cd "opentelemetry-cpp-$OPENTELEMETRY_CPP_VERSION"
+  git checkout v$OPENTELEMETRY_CPP_VERSION
+  mkdir .build
+  cd .build
+
+  cmake -DCMAKE_BUILD_TYPE=Release \
+        -DBUILD_TESTING=OFF \
+        -DWITH_EXAMPLES=OFF \
+        -DCMAKE_POSITION_INDEPENDENT_CODE=ON \
+        -DWITH_OTLP=ON \
+        -DWITH_OTLP_HTTP=OFF \
+        ..
+  make
+  make install
+fi
+
 # Get Brotli source and deps
 cd "$BUILD_PATH"
 git clone --depth=1 https://github.com/google/ngx_brotli.git
@@ -635,6 +672,11 @@ WITH_MODULES=" \
   --add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module-${GEOIP2_VERSION} \
   --add-dynamic-module=$BUILD_PATH/ngx_brotli"
 
+if [ $USE_OPENTELEMETRY ]; then
+  WITH_MODULES+=" \
+    --add-dynamic-module=$BUILD_PATH/opentelemetry-cpp-contrib-$OPENTELEMETRY_CONTRIB_COMMIT/instrumentation/nginx"
+fi
+
 ./configure \
   --prefix=/usr/local/nginx \
   --conf-path=/etc/nginx/nginx.conf \

From 6ba7aa037f425a31619cc25bd4a98bd82fc75f95 Mon Sep 17 00:00:00 2001
From: Noah Ispas <13436814+iamNoah1@users.noreply.github.com>
Date: Mon, 11 Oct 2021 17:10:40 +0200
Subject: [PATCH 168/376] Refine release docs (#7729)

* refine, add some more precise information

* refine, add some more precise information
---
 RELEASE.md | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/RELEASE.md b/RELEASE.md
index 2765ff7de..cf3dfc1c7 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -10,25 +10,23 @@
 
 - Make changes in /images 
 
-### c. Create PR
+### c. Create Pull Request
 
-- Open a PR to fire cloudbuild of a new image for the Ingress-Nginx-Controller
+- Open a Pull Request for your changes considering the following steps to fire cloudbuild of a new image for the Ingress-Nginx-Controller:
 
-  - In case of rare CVE fix or other reason to rebuild the nginx-base-image itself, look at the /images directory  [NGINX Base Image](https://github.com/kubernetes/ingress-nginx/tree/main/images/nginx)
+  - In case of rare CVE fix or other reason to rebuild the nginx-base-image itself, look at the /images directory  [NGINX Base Image](https://github.com/kubernetes/ingress-nginx/tree/main/images/nginx).
 
-  - Example [NGINX_VERSION](images/nginx/rootfs/build.sh#L21),
-
-  - [SHA256](images/nginx/rootfs/build.sh#L124) 
+  - Example [NGINX_VERSION](images/nginx/rootfs/build.sh#L21), [SHA256](images/nginx/rootfs/build.sh#L124).
 
   - If you are updating any component in [build.sh](images/nginx/rootfs/build.sh) please also update the SHA256 checksum of that component as well, the cloud build will fail with an exit 10 if not.  
 
 ### d. Merge
 
-- Merging success should fire cloudbuild
+- Merging will fire cloudbuild, which will result in images beeing promoted to the [staging container registry](https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx).
 
 ### e. Make sure cloudbuild is a success
 
-- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx)
+- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx). If you don't have access to cloudbuild, you can also have a look at [this](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), to see the progress of the build. 
 
 - Proceed only after cloud-build is successful in building a new Ingress-Nginx-Controller image.
 
@@ -70,17 +68,19 @@
 
 ### d. Merge
 
-- Merging success should fire cloudbuild
+- Merging will fire cloudbuild, which will result in images beeing promoted to the [staging container registry](https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx).
 
 ### e. Make sure cloudbuild is a success
 
-- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx)
+- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx). If you don't have access to cloudbuild, you can also have a look at [this](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), to see the progress of the build. 
 
 - Proceed only after cloud-build is successful in building a new Ingress-Nginx-Controller image.
 
 
 ## 3. PROMOTE the Image(s):
 
+Promoting the images basically means that images, that were pushed to staging container registry in the steps above, now are also pushed to the public container registry. Thus are publicly available. Follow these steps to promote images: 
+
 ### a. Get the sha
 
 - Get the sha of the new image(s) of the controller, (and any other component image IF APPLICABLE to release), from the cloudbuild, from steps above 
@@ -89,9 +89,17 @@
 
   - The sha is also visible here https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx/global/controller
 
-### b. Insert the sha(s) in another project
+  - The sha is also visible [here]((https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*)), after cloud build is finished. Click on the respective job, go to `Artifacts` section in the UI, then again `artifacts` in the directory browser. In the `build.log` at the very bottom you see something like this: 
 
-- This sha(s) (and the tag(s) for the new image(s) has to be inserted, as a new line, in a file, in another project of Kubernetes. 
+  ```
+  ...
+  pushing manifest for gcr.io/k8s-staging-ingress-nginx/controller:v1.0.2@sha256:e15fac6e8474d77e1f017edc33d804ce72a184e3c0a30963b2a0d7f0b89f6b16
+  ...
+  ```
+
+### b. Add the new image to [k8s.io](http://github.com/kubernetes/k8s.io)
+
+- The sha(s) from the step before (and the tag(s) for the new image(s) have to be added, as a new line, in a file, of the [k8s.io](http://github.com/kubernetes/k8s.io) project of Kubernetes organization. 
 
 - Fork that other project (if you don't have a fork already).
 
@@ -122,6 +130,8 @@
 
 ## 4. PREPARE for a new Release
 
+- Make sure to get the tag and sha of the promoted image from the step before, either from cloudbuild or from [here](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/ingress-nginx/controller). 
+
 - This involves editing of several different files. So carefully follow the steps below and double check all changes with diff/grep etc., repeatedly. Mistakes here impact endusers.
 
 ### a. Make sure your git workspace is ready

From 766345e2bb2ee54600a9715a93ded23bbc4e046a Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Tue, 12 Oct 2021 08:09:47 +0530
Subject: [PATCH 169/376] added ingressClassName field in example ingress
 (#7797)

---
 charts/ingress-nginx/templates/NOTES.txt | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/charts/ingress-nginx/templates/NOTES.txt b/charts/ingress-nginx/templates/NOTES.txt
index 03ece9c59..29aeb113a 100644
--- a/charts/ingress-nginx/templates/NOTES.txt
+++ b/charts/ingress-nginx/templates/NOTES.txt
@@ -37,19 +37,22 @@ An example Ingress that makes use of the controller:
     name: example
     namespace: foo
   spec:
+    ingressClassName: example-class
     rules:
       - host: www.example.com
         http:
           paths:
-            - backend:
-                serviceName: exampleService
-                servicePort: 80
-              path: /
+            - path: /
+              pathType: Prefix
+              backend:
+                service:
+                  name: exampleService
+                  port: 80
     # This section is only required if TLS is to be enabled for the Ingress
     tls:
-        - hosts:
-            - www.example.com
-          secretName: example-tls
+      - hosts:
+        - www.example.com
+        secretName: example-tls
 
 If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:
 

From 068eccb6073ebbb8c8113dc1be5665adac17bcfc Mon Sep 17 00:00:00 2001
From: Noah Ispas <13436814+iamNoah1@users.noreply.github.com>
Date: Tue, 12 Oct 2021 16:45:48 +0200
Subject: [PATCH 170/376] fix reference to contributing.md in issue-triage.md
 (#7802)

---
 ISSUE_TRIAGE.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ISSUE_TRIAGE.md b/ISSUE_TRIAGE.md
index 8b73d6d3e..943a03e89 100644
--- a/ISSUE_TRIAGE.md
+++ b/ISSUE_TRIAGE.md
@@ -2,7 +2,7 @@
 
 As any kind of contributor (triage, reviewer ...), always have in mind that if a user came to us and raised an issue, the user may have a real problem. We must assume that, and not the opposite (the user needs to prove to us that this is a bug). Keeping that in mind, **be nice with users, even if you don’t agree with them**
 
-Note that this guide refers to contributing through issue triaging. If you are interested in contributing to actual sources of the repository, see [this guide](./CONTRIBUTING.MD). 
+Note that this guide refers to contributing through issue triaging. If you are interested in contributing to actual sources of the repository, see [this guide](./CONTRIBUTING.md). 
 
 ## General Information 
 

From 54523641a89a2b026180eb1e779152b8e939b11a Mon Sep 17 00:00:00 2001
From: Mateusz Gozdek <mgozdek@microsoft.com>
Date: Tue, 12 Oct 2021 19:07:47 +0200
Subject: [PATCH 171/376] images/kube-webhook-certgen/rootfs: add missing tests
 and fix regression (#7801)

* images/kube-webhook-certgen/rootfs: improve tests objects creation

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs: use context with deadline for tests

So in case some operations are taking more time, we respect -timeout
flag.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs: add missing tests implementation

It should've been added in 9acf62d867145a071ad715020292bbb887289ba0.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs: fix patching only mutating webhook

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
---
 .../rootfs/pkg/k8s/k8s.go                     |  10 +-
 .../rootfs/pkg/k8s/k8s_test.go                | 225 +++++++++++++++---
 2 files changed, 200 insertions(+), 35 deletions(-)

diff --git a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go
index ccd8970c5..0034235fb 100644
--- a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go
+++ b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go
@@ -50,7 +50,8 @@ func (k8s *k8s) PatchObjects(ctx context.Context, options PatchOptions) error {
 		return fmt.Errorf("failurePolicy specified, but no webhook will be patched")
 	}
 
-	if options.MutatingWebhookConfigurationName != options.ValidatingWebhookConfigurationName {
+	if patchMutating && patchValidating &&
+		options.MutatingWebhookConfigurationName != options.ValidatingWebhookConfigurationName {
 		return fmt.Errorf("webhook names must be the same")
 	}
 
@@ -64,8 +65,13 @@ func (k8s *k8s) PatchObjects(ctx context.Context, options PatchOptions) error {
 		}
 	}
 
+	webhookName := options.ValidatingWebhookConfigurationName
+	if webhookName == "" {
+		webhookName = options.MutatingWebhookConfigurationName
+	}
+
 	if patchMutating || patchValidating {
-		return k8s.patchWebhookConfigurations(ctx, options.ValidatingWebhookConfigurationName, options.CABundle, options.FailurePolicyType, patchMutating, patchValidating)
+		return k8s.patchWebhookConfigurations(ctx, webhookName, options.CABundle, options.FailurePolicyType, patchMutating, patchValidating)
 	}
 
 	return nil
diff --git a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go
index 0cddcb99e..deaeb3540 100644
--- a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go
+++ b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go
@@ -6,17 +6,22 @@ import (
 	"errors"
 	"math/rand"
 	"testing"
+	"time"
 
 	admissionv1 "k8s.io/api/admissionregistration/v1"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/kubernetes/fake"
+	apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
+	aggregatorfake "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/fake"
 )
 
 const (
-	testWebhookName = "c7c95710-d8c3-4cc3-a2a8-8d2b46909c76"
-	testSecretName  = "15906410-af2a-4f9b-8a2d-c08ffdd5e129"
-	testNamespace   = "7cad5f92-c0d5-4bc9-87a3-6f44d5a5619d"
+	testWebhookName    = "c7c95710-d8c3-4cc3-a2a8-8d2b46909c76"
+	testSecretName     = "15906410-af2a-4f9b-8a2d-c08ffdd5e129"
+	testAPIServiceName = "37f6a2d1-b401-4275-833b-9ff5004f0301"
+	testNamespace      = "7cad5f92-c0d5-4bc9-87a3-6f44d5a5619d"
 )
 
 var (
@@ -33,27 +38,27 @@ func genSecretData() (ca, cert, key []byte) {
 	return
 }
 
-func newTestSimpleK8s() *k8s {
+func newTestSimpleK8s(objects ...runtime.Object) *k8s {
 	return &k8s{
-		clientset: fake.NewSimpleClientset(),
+		clientset:           fake.NewSimpleClientset(objects...),
+		aggregatorClientset: aggregatorfake.NewSimpleClientset(),
 	}
 }
 
 func TestGetCaFromCertificate(t *testing.T) {
-	k := newTestSimpleK8s()
-
 	ca, cert, key := genSecretData()
 
 	secret := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: testSecretName,
+			Name:      testSecretName,
+			Namespace: testNamespace,
 		},
 		Data: map[string][]byte{"ca": ca, "cert": cert, "key": key},
 	}
 
-	k.clientset.CoreV1().Secrets(testNamespace).Create(context.Background(), secret, metav1.CreateOptions{})
+	k := newTestSimpleK8s(secret)
 
-	retrievedCa := k.GetCaFromSecret(context.TODO(), testSecretName, testNamespace)
+	retrievedCa := k.GetCaFromSecret(contextWithDeadline(t), testSecretName, testNamespace)
 	if !bytes.Equal(retrievedCa, ca) {
 		t.Error("Was not able to retrieve CA information that was saved")
 	}
@@ -64,9 +69,11 @@ func TestSaveCertsToSecret(t *testing.T) {
 
 	ca, cert, key := genSecretData()
 
-	k.SaveCertsToSecret(context.TODO(), testSecretName, testNamespace, "cert", "key", ca, cert, key)
+	ctx := contextWithDeadline(t)
 
-	secret, _ := k.clientset.CoreV1().Secrets(testNamespace).Get(context.Background(), testSecretName, metav1.GetOptions{})
+	k.SaveCertsToSecret(ctx, testSecretName, testNamespace, "cert", "key", ca, cert, key)
+
+	secret, _ := k.clientset.CoreV1().Secrets(testNamespace).Get(ctx, testSecretName, metav1.GetOptions{})
 
 	if !bytes.Equal(secret.Data["cert"], cert) {
 		t.Error("'cert' saved data does not match retrieved")
@@ -80,7 +87,7 @@ func TestSaveCertsToSecret(t *testing.T) {
 func TestSaveThenLoadSecret(t *testing.T) {
 	k := newTestSimpleK8s()
 	ca, cert, key := genSecretData()
-	ctx := context.TODO()
+	ctx := contextWithDeadline(t)
 	k.SaveCertsToSecret(ctx, testSecretName, testNamespace, "cert", "key", ca, cert, key)
 	retrievedCert := k.GetCaFromSecret(ctx, testSecretName, testNamespace)
 	if !bytes.Equal(retrievedCert, ca) {
@@ -89,40 +96,35 @@ func TestSaveThenLoadSecret(t *testing.T) {
 }
 
 func TestPatchWebhookConfigurations(t *testing.T) {
-	k := newTestSimpleK8s()
-
 	ca, _, _ := genSecretData()
 
-	k.clientset.
-		AdmissionregistrationV1().
-		MutatingWebhookConfigurations().
-		Create(context.Background(), &admissionv1.MutatingWebhookConfiguration{
+	k := newTestSimpleK8s(
+		&admissionv1.MutatingWebhookConfiguration{
 			TypeMeta: metav1.TypeMeta{},
 			ObjectMeta: metav1.ObjectMeta{
 				Name: testWebhookName,
 			},
 			Webhooks: []admissionv1.MutatingWebhook{{Name: "m1"}, {Name: "m2"}},
-		}, metav1.CreateOptions{})
-
-	k.clientset.
-		AdmissionregistrationV1().
-		ValidatingWebhookConfigurations().
-		Create(context.Background(), &admissionv1.ValidatingWebhookConfiguration{
+		},
+		&admissionv1.ValidatingWebhookConfiguration{
 			TypeMeta: metav1.TypeMeta{},
 			ObjectMeta: metav1.ObjectMeta{
 				Name: testWebhookName,
 			},
 			Webhooks: []admissionv1.ValidatingWebhook{{Name: "v1"}, {Name: "v2"}},
-		}, metav1.CreateOptions{})
+		},
+	)
 
-	if err := k.patchWebhookConfigurations(context.TODO(), testWebhookName, ca, fail, true, true); err != nil {
+	ctx := contextWithDeadline(t)
+
+	if err := k.patchWebhookConfigurations(ctx, testWebhookName, ca, fail, true, true); err != nil {
 		t.Fatalf("Unexpected error patching webhooks: %s: %v", err.Error(), errors.Unwrap(err))
 	}
 
 	whmut, err := k.clientset.
 		AdmissionregistrationV1().
 		MutatingWebhookConfigurations().
-		Get(context.Background(), testWebhookName, metav1.GetOptions{})
+		Get(ctx, testWebhookName, metav1.GetOptions{})
 	if err != nil {
 		t.Error(err)
 	}
@@ -130,7 +132,7 @@ func TestPatchWebhookConfigurations(t *testing.T) {
 	whval, err := k.clientset.
 		AdmissionregistrationV1().
 		MutatingWebhookConfigurations().
-		Get(context.Background(), testWebhookName, metav1.GetOptions{})
+		Get(ctx, testWebhookName, metav1.GetOptions{})
 	if err != nil {
 		t.Error(err)
 	}
@@ -164,37 +166,194 @@ func TestPatchWebhookConfigurations(t *testing.T) {
 func Test_Patching_objects(t *testing.T) {
 	t.Parallel()
 
+	ctx := contextWithDeadline(t)
+
 	t.Run("returns_error_when", func(t *testing.T) {
 		t.Parallel()
 
 		t.Run("failure_policy_is_defined_but_no_webhooks_will_be_patched", func(t *testing.T) {
 			t.Parallel()
+
+			k := testK8sWithUnpatchedObjects()
+
+			o := PatchOptions{
+				FailurePolicyType: admissionv1.Fail,
+			}
+
+			if err := k.PatchObjects(ctx, o); err == nil {
+				t.Fatalf("Expected error while patching")
+			}
 		})
 
 		// This is to preserve old behavior and log format, it could be improved.
-		t.Run("diffent_names_are_specified_for_validating_and_mutating_webhook", func(t *testing.T) {
+		t.Run("diffent_non_empty_names_are_specified_for_validating_and_mutating_webhook", func(t *testing.T) {
 			t.Parallel()
-		})
 
-		t.Run("patching_APIService_is_requested_and_it_does_not_exist", func(t *testing.T) {
-			t.Parallel()
+			k := testK8sWithUnpatchedObjects()
+
+			o := PatchOptions{
+				ValidatingWebhookConfigurationName: "foo",
+				MutatingWebhookConfigurationName:   "bar",
+			}
+
+			if err := k.PatchObjects(ctx, o); err == nil {
+				t.Fatalf("Expected error while patching")
+			}
 		})
 
 		t.Run("patching_webhook_is_requested_and_it_does_not_exist", func(t *testing.T) {
 			t.Parallel()
+
+			k := newTestSimpleK8s()
+
+			o := PatchOptions{
+				ValidatingWebhookConfigurationName: "foo",
+			}
+
+			if err := k.PatchObjects(ctx, o); err == nil {
+				t.Fatalf("Expected error while patching")
+			}
+		})
+
+		t.Run("patching_APIService_is_requested_and_it_does_not_exist", func(t *testing.T) {
+			t.Parallel()
+
+			k := newTestSimpleK8s()
+
+			o := PatchOptions{
+				APIServiceName: "foo",
+			}
+
+			if err := k.PatchObjects(ctx, o); err == nil {
+				t.Fatalf("Expected error while patching")
+			}
 		})
 	})
 
 	t.Run("when_patching_APIService_object", func(t *testing.T) {
 		t.Parallel()
 
+		k := testK8sWithUnpatchedObjects()
+
+		o := PatchOptions{
+			APIServiceName: testAPIServiceName,
+			CABundle:       []byte("foo"),
+		}
+
+		if err := k.PatchObjects(ctx, o); err != nil {
+			t.Fatalf("Unexpected error while patching objects: %v", err)
+		}
+
+		c := k.aggregatorClientset.ApiregistrationV1().APIServices()
+		apiService, err := c.Get(ctx, testAPIServiceName, metav1.GetOptions{})
+		if err != nil {
+			t.Fatalf("Unexpected error while getting APIService object %q: %v", testAPIServiceName, err)
+		}
+
 		// This is required when CABundle field is populated.
 		t.Run("sets_insecure_skip_tls_verity_to_false", func(t *testing.T) {
 			t.Parallel()
+
+			if apiService.Spec.InsecureSkipTLSVerify {
+				t.Fatalf("Expected insecureSkipTLSVerify of APIService to be false")
+			}
 		})
 
 		t.Run("sets_ca_bundle_with_ca_certificate_from_created_secret", func(t *testing.T) {
 			t.Parallel()
+
+			if len(apiService.Spec.CABundle) == 0 {
+				t.Fatalf("Expected CABundle of APIService to be not empty")
+			}
+
+			if !bytes.Equal(o.CABundle, apiService.Spec.CABundle) {
+				t.Fatalf("CABundle content of APIService does not match requested bundle")
+			}
 		})
 	})
+
+	t.Run("allows_patching_only_validating_webhook", func(t *testing.T) {
+		t.Parallel()
+
+		k := testK8sWithUnpatchedObjects()
+
+		o := PatchOptions{
+			ValidatingWebhookConfigurationName: testWebhookName,
+		}
+
+		if err := k.PatchObjects(ctx, o); err != nil {
+			t.Fatalf("Unexpected error patching objects: %v", err)
+		}
+	})
+
+	t.Run("allows_patching_only_mutating_webhook", func(t *testing.T) {
+		t.Parallel()
+
+		k := testK8sWithUnpatchedObjects()
+
+		o := PatchOptions{
+			MutatingWebhookConfigurationName: testWebhookName,
+		}
+
+		if err := k.PatchObjects(ctx, o); err != nil {
+			t.Fatalf("Unexpected error patching objects: %v", err)
+		}
+	})
+}
+
+const (
+	// Arbitrary amount of time to let tests exit cleanly before main process terminates.
+	timeoutGracePeriod = 10 * time.Second
+)
+
+// contextWithDeadline returns context with will timeout before t.Deadline().
+func contextWithDeadline(t *testing.T) context.Context {
+	t.Helper()
+
+	deadline, ok := t.Deadline()
+	if !ok {
+		return context.Background()
+	}
+
+	ctx, cancel := context.WithDeadline(context.Background(), deadline.Truncate(timeoutGracePeriod))
+
+	t.Cleanup(cancel)
+
+	return ctx
+}
+
+func testK8sWithUnpatchedObjects() *k8s {
+	ca, cert, key := genSecretData()
+
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      testSecretName,
+			Namespace: testNamespace,
+		},
+		Data: map[string][]byte{"ca": ca, "cert": cert, "key": key},
+	}
+
+	validatingWebhook := &admissionv1.ValidatingWebhookConfiguration{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: testWebhookName,
+		},
+		Webhooks: []admissionv1.ValidatingWebhook{{Name: "v1"}, {Name: "v2"}},
+	}
+	mutatingWebhook := &admissionv1.MutatingWebhookConfiguration{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: testWebhookName,
+		},
+		Webhooks: []admissionv1.MutatingWebhook{{Name: "m1"}, {Name: "m2"}},
+	}
+
+	apiService := &apiregistrationv1.APIService{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: testAPIServiceName,
+		},
+	}
+
+	return &k8s{
+		clientset:           fake.NewSimpleClientset(secret, validatingWebhook, mutatingWebhook),
+		aggregatorClientset: aggregatorfake.NewSimpleClientset(apiService),
+	}
 }

From 9da4d87d0c16b84d8bc9ba12a1dbdc64e0dd7e0f Mon Sep 17 00:00:00 2001
From: Damien Mathieu <42@dmathieu.com>
Date: Tue, 12 Oct 2021 21:16:34 +0200
Subject: [PATCH 172/376] Properly check whether we can install opentelemetry,
 and switch it back to main repo (#7803)

* check for the exact value of USE_OPENTELEMETRY

* use latest commit from the main opentelemetry-cpp-contrib repo
---
 images/nginx/rootfs/build.sh | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
index 2aa84e874..919e4fcbb 100755
--- a/images/nginx/rootfs/build.sh
+++ b/images/nginx/rootfs/build.sh
@@ -38,8 +38,8 @@ export NGINX_SUBSTITUTIONS=b8a71eacc7f986ba091282ab8b1bbbc6ae1807e0
 # Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.0.0...main
 export OPENTELEMETRY_CPP_VERSION=1.0.0
 
-# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp-contrib/compare/4c4933...main
-export OPENTELEMETRY_CONTRIB_COMMIT=4c4933dc207c04e3528a9b20c28b639bc99773ad
+# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp-contrib/compare/c655b8...main
+export OPENTELEMETRY_CONTRIB_COMMIT=c655b849f017a5363085a4b4e6fcae8a4b7621ad
 
 # Check for recent changes: https://github.com/opentracing-contrib/nginx-opentracing/compare/v0.19.0...master
 export NGINX_OPENTRACING_VERSION=0.19.0
@@ -223,8 +223,8 @@ get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \
 get_src a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f \
         "https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/$NGINX_SUBSTITUTIONS.tar.gz"
 
-get_src 49519dcf5a2324f9122819141045744fdcbcf411c730f173c4f3d993f02c92b5 \
-        "https://github.com/dmathieu/opentelemetry-cpp-contrib/archive/$OPENTELEMETRY_CONTRIB_COMMIT.tar.gz"
+get_src 37b2a2abf75e865449ff1425cee96dbd74659ac0c612c84ee5f381244360cab2 \
+        "https://github.com/open-telemetry/opentelemetry-cpp-contrib/archive/$OPENTELEMETRY_CONTRIB_COMMIT.tar.gz"
 
 get_src 6f97776ebdf019b105a755c7736b70bdbd7e575c7f0d39db5fe127873c7abf17 \
         "https://github.com/opentracing-contrib/nginx-opentracing/archive/v$NGINX_OPENTRACING_VERSION.tar.gz"
@@ -479,7 +479,7 @@ cmake -DCMAKE_BUILD_TYPE=Release \
 make
 make install
 
-if [ $USE_OPENTELEMETRY ]; then
+if [ $USE_OPENTELEMETRY = true ]; then
   # build opentelemetry lib
   apk add protobuf-dev \
     grpc \
@@ -672,7 +672,7 @@ WITH_MODULES=" \
   --add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module-${GEOIP2_VERSION} \
   --add-dynamic-module=$BUILD_PATH/ngx_brotli"
 
-if [ $USE_OPENTELEMETRY ]; then
+if [ $USE_OPENTELEMETRY = true ]; then
   WITH_MODULES+=" \
     --add-dynamic-module=$BUILD_PATH/opentelemetry-cpp-contrib-$OPENTELEMETRY_CONTRIB_COMMIT/instrumentation/nginx"
 fi

From 001ce778b79246a367194a7f0e4fba29dacdf3f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Henri?= <joao.henri.cr@gmail.com>
Date: Tue, 12 Oct 2021 17:38:00 -0300
Subject: [PATCH 173/376] Support ipFamilyPolicy and ipFamilies fields in Helm
 Chart (#7651)

* Add support to ipFamilyPolicy and ipFamilies fields in Helm chart

As stated in the prerequisites' session of https://kubernetes.io/docs/concepts/services-networking/dual-stack/, in order to use Kubernetes IPv4/IPv6 dual stack, v1.20 is needed. This commit aims in supporting these dual-stack-ness in ingress-nginx's chart.

Signed-off-by: jaehnri <joao.henri.cr@gmail.com>

* Standardize documentation with two '#'s

Signed-off-by: jaehnri <joao.henri.cr@gmail.com>

* Bump Helm chart version to 4.1.0

Signed-off-by: jaehnri <joao.henri.cr@gmail.com>

* Update Helm Chart changelog with 4.1.0 description

Signed-off-by: jaehnri <joao.henri.cr@gmail.com>

* Revert Helm Chart bump and remove CHANGELOG

As there will be more things in the release, in the review of this PR, it was asked to revert the bumps:
https://github.com/kubernetes/ingress-nginx/pull/7651#pullrequestreview-757311449

Signed-off-by: jaehnri <joao.henri.cr@gmail.com>
---
 .../templates/controller-service.yaml         | 10 ++++++++
 charts/ingress-nginx/values.yaml              | 25 +++++++++++++------
 2 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/charts/ingress-nginx/templates/controller-service.yaml b/charts/ingress-nginx/templates/controller-service.yaml
index 924881845..f0245249f 100644
--- a/charts/ingress-nginx/templates/controller-service.yaml
+++ b/charts/ingress-nginx/templates/controller-service.yaml
@@ -36,6 +36,16 @@ spec:
 {{- end }}
 {{- if .Values.controller.service.healthCheckNodePort }}
   healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }}
+{{- end }}
+{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version -}}
+{{- if .Values.controller.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }}
+{{- end }}
+{{- end }}
+{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version -}}
+{{- if .Values.controller.service.ipFamilies }}
+  ipFamilies: {{ toYaml .Values.controller.service.ipFamilies | nindent 4 }}
+{{- end }}
 {{- end }}
   ports:
   {{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index c4d3ef389..4e21f2a38 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -444,20 +444,31 @@ controller:
     enableHttp: true
     enableHttps: true
 
-    ## Set external traffic policy to: "Local" to preserve source IP on
-    ## providers supporting it
+    ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it.
     ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
     # externalTrafficPolicy: ""
 
-    # Must be either "None" or "ClientIP" if set. Kubernetes will default to "None".
-    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+    ## Must be either "None" or "ClientIP" if set. Kubernetes will default to "None".
+    ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
     # sessionAffinity: ""
 
-    # specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified,
-    # the service controller allocates a port from your cluster’s NodePort range.
-    # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+    ## Specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified,
+    ## the service controller allocates a port from your cluster’s NodePort range.
+    ## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
     # healthCheckNodePort: 0
 
+    ## Represents the dual-stack-ness requested or required by this Service. Possible values are
+    ## SingleStack, PreferDualStack or RequireDualStack.
+    ## The ipFamilies and clusterIPs fields depend on the value of this field.
+    ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
+    ipFamilyPolicy: "SingleStack"
+
+    ## List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically
+    ## based on cluster configuration and the ipFamilyPolicy field.
+    ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
+    ipFamilies:
+      - IPv4
+
     ports:
       http: 80
       https: 443

From 96acb8580f42114f9f69f1abc7b9b2a394fdd1c0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 12 Oct 2021 13:49:59 -0700
Subject: [PATCH 174/376] Bump github.com/json-iterator/go from 1.1.11 to
 1.1.12 (#7792)

Bumps [github.com/json-iterator/go](https://github.com/json-iterator/go) from 1.1.11 to 1.1.12.
- [Release notes](https://github.com/json-iterator/go/releases)
- [Commits](https://github.com/json-iterator/go/compare/v1.1.11...v1.1.12)

---
updated-dependencies:
- dependency-name: github.com/json-iterator/go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 5 ++---
 go.sum | 7 ++++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index 7989becbd..2f64cfd89 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/fsnotify/fsnotify v1.5.1
 	github.com/gavv/httpexpect/v2 v2.3.1
 	github.com/imdario/mergo v0.3.12
-	github.com/json-iterator/go v1.1.11
+	github.com/json-iterator/go v1.1.12
 	github.com/kylelemons/godebug v1.1.0
 	github.com/mattn/go-isatty v0.0.12 // indirect
 	github.com/mitchellh/go-ps v1.0.0
@@ -78,7 +78,6 @@ require (
 	github.com/go-openapi/jsonreference v0.19.3 // indirect
 	github.com/go-openapi/spec v0.19.5 // indirect
 	github.com/go-openapi/swag v0.19.5 // indirect
-	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
 	github.com/godbus/dbus/v5 v5.0.4 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
@@ -103,7 +102,7 @@ require (
 	github.com/mmarkdown/mmark v2.0.40+incompatible // indirect
 	github.com/moby/sys/mountinfo v0.4.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.1 // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
diff --git a/go.sum b/go.sum
index 924b6e98c..718fba62f 100644
--- a/go.sum
+++ b/go.sum
@@ -269,7 +269,6 @@ github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2K
 github.com/go-openapi/validate v0.19.8/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4=
 github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/gobuffalo/here v0.6.0/go.mod h1:wAG085dHOYqUpf+Ap+WOdrPTp5IYcDAs/x7PLa8Y5fM=
 github.com/godbus/dbus/v5 v5.0.4 h1:9349emZab16e7zQvpmsbtjc18ykshndd8y2PG3sgJbA=
@@ -425,8 +424,9 @@ github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCV
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.11 h1:uVUAXhF2To8cbw/3xN3pxj6kk7TYKs98NIrTqPlMWAQ=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
@@ -505,8 +505,9 @@ github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJ
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0=
 github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4=
 github.com/moul/pb v0.0.0-20180404114147-54bdd96e6a52 h1:8zDEa5yAIWYBHSDpPbSgGIBL/SvPSE9/FlB3aQ54d/A=

From f5b9d9c51267ec1672e717628371512d05e00ef4 Mon Sep 17 00:00:00 2001
From: Mathieu Corbin <corbin.math@gmail.com>
Date: Tue, 12 Oct 2021 22:54:00 +0200
Subject: [PATCH 175/376] Exoscale: use HTTP healthcheck mode (#7798)

The Exoscale LoadBalancer service uses "externalTrafficPolicy:
Local".
It's better to use the HTTP healthcheck in this mode instead of the
TCP one.
---
 hack/generate-deploy-scripts.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hack/generate-deploy-scripts.sh b/hack/generate-deploy-scripts.sh
index 221c34697..b8aec4104 100755
--- a/hack/generate-deploy-scripts.sh
+++ b/hack/generate-deploy-scripts.sh
@@ -201,7 +201,8 @@ controller:
       service.beta.kubernetes.io/exoscale-loadbalancer-name: "nginx-ingress-controller"
       service.beta.kubernetes.io/exoscale-loadbalancer-description: "NGINX Ingress Controller load balancer"
       service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: "source-hash"
-      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-mode: "tcp"
+      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-mode: "http"
+      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-uri: "/"
       service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-interval: "10s"
       service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: "3s"
       service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-retries: "1"

From d74fa2f538a00d16db6cc75446748f48155752e4 Mon Sep 17 00:00:00 2001
From: Mateusz Gozdek <mgozdek@microsoft.com>
Date: Tue, 12 Oct 2021 23:17:59 +0200
Subject: [PATCH 176/376] Update ingress-nginx/kube-webhook-certgen image to
 latest v1.1.1 (#7793)

We skip version v1.1 as it had a regression.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
---
 charts/ingress-nginx/values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 4e21f2a38..e8376fb88 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -590,8 +590,8 @@ controller:
         # for backwards compatibility consider setting the full image url via the repository value below
         # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
         # repository:
-        tag: v1.0
-        digest: sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
+        tag: v1.1.1
+        digest: sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
         pullPolicy: IfNotPresent
       ## Provide a priority class name to the webhook patching job
       ##

From 9b78b6c197b48116243922170875af4aa752ee59 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Tue, 12 Oct 2021 19:35:49 -0300
Subject: [PATCH 177/376] Prepare for v1.0.4 release (#7804)

Signed-off-by: Ricardo Pchevuzinske Katz <rkatz@vmware.com>
---
 TAG | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/TAG b/TAG
index e946d6bb7..3e7bcf08c 100644
--- a/TAG
+++ b/TAG
@@ -1 +1 @@
-v1.0.3
+v1.0.4

From 14f6b32032b709d3e0f614ca85954c3583c5fe3d Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Wed, 13 Oct 2021 00:25:48 -0300
Subject: [PATCH 178/376] Release v1.0.4 (#7805)

Signed-off-by: Ricardo Pchevuzinske Katz <rkatz@vmware.com>
---
 Changelog.md                                  | 16 ++++
 README.md                                     |  1 +
 charts/ingress-nginx/CHANGELOG.md             |  9 +-
 charts/ingress-nginx/Chart.yaml               | 11 ++-
 charts/ingress-nginx/values.yaml              |  4 +-
 .../provider/aws/deploy-tls-termination.yaml  | 89 +++++++++---------
 deploy/static/provider/aws/deploy.yaml        | 89 +++++++++---------
 deploy/static/provider/baremetal/deploy.yaml  | 89 +++++++++---------
 deploy/static/provider/cloud/deploy.yaml      | 89 +++++++++---------
 deploy/static/provider/do/deploy.yaml         | 89 +++++++++---------
 deploy/static/provider/exoscale/deploy.yaml   | 92 ++++++++++---------
 deploy/static/provider/kind/deploy.yaml       | 89 +++++++++---------
 deploy/static/provider/scw/deploy.yaml        | 89 +++++++++---------
 docs/deploy/index.md                          | 20 ++--
 stable.txt                                    |  2 +-
 15 files changed, 413 insertions(+), 365 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index e41239540..3af07fcd4 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,21 @@
 # Changelog
 
+### 1.0.4
+
+**Image:**
+- k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
+
+_Possible Breaking Change_
+We have disabled the builtin ssl_session_cache due to possible memory fragmentation. This should not impact the majority of users, but please let us know 
+if you face any problem
+
+_Changes:_
+
+- [7777](https://github.com/kubernetes/ingress-nginx/pull/7777) Disable builtin ssl_session_cache
+- [7727](https://github.com/kubernetes/ingress-nginx/pull/7727) Print warning only instead of error if no IngressClass permission is available
+- Bump internal libraries versions
+- Fix diverse documentation
+
 ### 1.0.3
 
 **Image:**
diff --git a/README.md b/README.md
index 1e24d8201..0849d0f0b 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 
 | Ingress-nginx version | k8s supported version  | Alpine Version | Nginx Version |
 |-----------------------|-------------           |----------------|---------------|
+| v1.0.4                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
 | v1.0.3                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
 | v1.0.2                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
 | v1.0.1                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md
index e569bf6ae..d61bd5db8 100644
--- a/charts/ingress-nginx/CHANGELOG.md
+++ b/charts/ingress-nginx/CHANGELOG.md
@@ -2,16 +2,21 @@
 
 This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
 
+### 4.0.6
+
+- [7804] https://github.com/kubernetes/ingress-nginx/pull/7804 Release v1.0.4 of ingress-nginx
+- [7651] https://github.com/kubernetes/ingress-nginx/pull/7651 Support ipFamilyPolicy and ipFamilies fields in Helm Chart
+- [7798] https://github.com/kubernetes/ingress-nginx/pull/7798 Exoscale: use HTTP Healthcheck mode
+- [7793] https://github.com/kubernetes/ingress-nginx/pull/7793 Update kube-webhook-certgen to v1.1.1
+
 ### 4.0.5
 
 - [7740] https://github.com/kubernetes/ingress-nginx/pull/7740 Release v1.0.3 of ingress-nginx
 
-
 ### 4.0.3
 
 - [7707] https://github.com/kubernetes/ingress-nginx/pull/7707 Release v1.0.2 of ingress-nginx
 
-
 ### 4.0.2 
 
 - [7681] https://github.com/kubernetes/ingress-nginx/pull/7681 Release v1.0.1 of ingress-nginx
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 28e8db3bd..3e0c0de7a 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.0.5
-appVersion: 1.0.3
+version: 4.0.6
+appVersion: 1.0.4
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
@@ -24,6 +24,7 @@ annotations:
   # List of changes for the release in artifacthub.io
   # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog
   artifacthub.io/changes: |
-    - Bump various libraries
-    - Fix selector for shutting down Pods
-    - Fix overlap check when ingress is configured as canary
+    - Disable builtin ssl_session_cache
+    - Print warning only instead of error if no IngressClass permission is available
+    - Bump internal libraries versions
+    - Fix documentations
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index e8376fb88..86028fdd2 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -15,8 +15,8 @@ controller:
     # for backwards compatibility consider setting the full image url via the repository value below
     # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     # repository:
-    tag: "v1.0.3"
-    digest: sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
+    tag: "v1.0.4"
+    digest: sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
     pullPolicy: IfNotPresent
     # www-data -> uid 101
     runAsUser: 101
diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml
index f6c67e074..99e6397c3 100644
--- a/deploy/static/provider/aws/deploy-tls-termination.yaml
+++ b/deploy/static/provider/aws/deploy-tls-termination.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -51,10 +51,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -118,10 +118,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -138,10 +138,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -222,10 +222,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -244,10 +244,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -276,10 +276,10 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
     service.beta.kubernetes.io/aws-load-balancer-type: elb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -287,6 +287,9 @@ metadata:
 spec:
   type: LoadBalancer
   externalTrafficPolicy: Local
+  ipFamilyPolicy: SingleStack
+  ipFamilies:
+    - IPv4
   ports:
     - name: http
       port: 80
@@ -308,10 +311,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -334,7 +337,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -426,10 +429,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -444,10 +447,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -484,10 +487,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -500,10 +503,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -524,10 +527,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -549,10 +552,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -574,10 +577,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -599,10 +602,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -610,16 +613,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.5
+        helm.sh/chart: ingress-nginx-4.0.6
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.3
+        app.kubernetes.io/version: 1.0.4
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: create
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
           imagePullPolicy: IfNotPresent
           args:
             - create
@@ -649,10 +652,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -660,16 +663,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.5
+        helm.sh/chart: ingress-nginx-4.0.6
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.3
+        app.kubernetes.io/version: 1.0.4
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: patch
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
           imagePullPolicy: IfNotPresent
           args:
             - patch
diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml
index 058a47090..273d90dfd 100644
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -111,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -131,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -215,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -237,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -266,10 +266,10 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -277,6 +277,9 @@ metadata:
 spec:
   type: LoadBalancer
   externalTrafficPolicy: Local
+  ipFamilyPolicy: SingleStack
+  ipFamilies:
+    - IPv4
   ports:
     - name: http
       port: 80
@@ -298,10 +301,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -324,7 +327,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -413,10 +416,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -431,10 +434,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -471,10 +474,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -487,10 +490,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -511,10 +514,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -536,10 +539,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -561,10 +564,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -586,10 +589,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -597,16 +600,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.5
+        helm.sh/chart: ingress-nginx-4.0.6
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.3
+        app.kubernetes.io/version: 1.0.4
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: create
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
           imagePullPolicy: IfNotPresent
           args:
             - create
@@ -636,10 +639,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -647,16 +650,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.5
+        helm.sh/chart: ingress-nginx-4.0.6
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.3
+        app.kubernetes.io/version: 1.0.4
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: patch
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
           imagePullPolicy: IfNotPresent
           args:
             - patch
diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml
index 7e0a5a9e7..10f08bb6e 100644
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -111,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -131,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -215,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -237,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -263,16 +263,19 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
   type: NodePort
+  ipFamilyPolicy: SingleStack
+  ipFamilies:
+    - IPv4
   ports:
     - name: http
       port: 80
@@ -294,10 +297,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -320,7 +323,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -408,10 +411,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -426,10 +429,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -466,10 +469,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -482,10 +485,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -506,10 +509,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -531,10 +534,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -556,10 +559,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -581,10 +584,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -592,16 +595,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.5
+        helm.sh/chart: ingress-nginx-4.0.6
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.3
+        app.kubernetes.io/version: 1.0.4
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: create
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
           imagePullPolicy: IfNotPresent
           args:
             - create
@@ -631,10 +634,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -642,16 +645,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.5
+        helm.sh/chart: ingress-nginx-4.0.6
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.3
+        app.kubernetes.io/version: 1.0.4
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: patch
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
           imagePullPolicy: IfNotPresent
           args:
             - patch
diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml
index e2df8e210..38dc08bf7 100644
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -111,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -131,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -215,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -237,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -263,10 +263,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -274,6 +274,9 @@ metadata:
 spec:
   type: LoadBalancer
   externalTrafficPolicy: Local
+  ipFamilyPolicy: SingleStack
+  ipFamilies:
+    - IPv4
   ports:
     - name: http
       port: 80
@@ -295,10 +298,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -321,7 +324,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -410,10 +413,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -428,10 +431,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -468,10 +471,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -484,10 +487,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -508,10 +511,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -533,10 +536,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -558,10 +561,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -583,10 +586,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -594,16 +597,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.5
+        helm.sh/chart: ingress-nginx-4.0.6
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.3
+        app.kubernetes.io/version: 1.0.4
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: create
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
           imagePullPolicy: IfNotPresent
           args:
             - create
@@ -633,10 +636,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -644,16 +647,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.5
+        helm.sh/chart: ingress-nginx-4.0.6
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.3
+        app.kubernetes.io/version: 1.0.4
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: patch
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
           imagePullPolicy: IfNotPresent
           args:
             - patch
diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml
index e4b46caeb..5d148249e 100644
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -45,10 +45,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -216,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -238,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -265,10 +265,10 @@ metadata:
   annotations:
     service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -276,6 +276,9 @@ metadata:
 spec:
   type: LoadBalancer
   externalTrafficPolicy: Local
+  ipFamilyPolicy: SingleStack
+  ipFamilies:
+    - IPv4
   ports:
     - name: http
       port: 80
@@ -297,10 +300,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -323,7 +326,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -412,10 +415,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -430,10 +433,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -471,10 +474,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -487,10 +490,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -511,10 +514,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -536,10 +539,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -561,10 +564,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -586,10 +589,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -597,16 +600,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.5
+        helm.sh/chart: ingress-nginx-4.0.6
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.3
+        app.kubernetes.io/version: 1.0.4
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: create
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
           imagePullPolicy: IfNotPresent
           args:
             - create
@@ -636,10 +639,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -647,16 +650,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.5
+        helm.sh/chart: ingress-nginx-4.0.6
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.3
+        app.kubernetes.io/version: 1.0.4
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: patch
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
           imagePullPolicy: IfNotPresent
           args:
             - patch
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml
index cc7509a56..f86766fbc 100644
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -111,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -131,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -215,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -237,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -266,15 +266,16 @@ metadata:
       load balancer
     service.beta.kubernetes.io/exoscale-loadbalancer-name: nginx-ingress-controller
     service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-interval: 10s
-    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-mode: tcp
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-mode: http
     service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-retries: '1'
     service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: 3s
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-uri: /
     service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -282,6 +283,9 @@ metadata:
 spec:
   type: LoadBalancer
   externalTrafficPolicy: Local
+  ipFamilyPolicy: SingleStack
+  ipFamilies:
+    - IPv4
   ports:
     - name: http
       port: 80
@@ -303,10 +307,10 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -329,7 +333,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -418,10 +422,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -436,10 +440,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -476,10 +480,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -492,10 +496,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -516,10 +520,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -541,10 +545,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -566,10 +570,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -591,10 +595,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -602,16 +606,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.5
+        helm.sh/chart: ingress-nginx-4.0.6
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.3
+        app.kubernetes.io/version: 1.0.4
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: create
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
           imagePullPolicy: IfNotPresent
           args:
             - create
@@ -641,10 +645,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -652,16 +656,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.5
+        helm.sh/chart: ingress-nginx-4.0.6
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.3
+        app.kubernetes.io/version: 1.0.4
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: patch
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
           imagePullPolicy: IfNotPresent
           args:
             - patch
diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index 5d57cd699..322d63e0e 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -111,10 +111,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -131,10 +131,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -215,10 +215,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -237,10 +237,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -263,16 +263,19 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
   type: NodePort
+  ipFamilyPolicy: SingleStack
+  ipFamilies:
+    - IPv4
   ports:
     - name: http
       port: 80
@@ -294,10 +297,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -324,7 +327,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -421,10 +424,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -439,10 +442,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -479,10 +482,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -495,10 +498,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -519,10 +522,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -544,10 +547,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -569,10 +572,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -594,10 +597,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -605,16 +608,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.5
+        helm.sh/chart: ingress-nginx-4.0.6
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.3
+        app.kubernetes.io/version: 1.0.4
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: create
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
           imagePullPolicy: IfNotPresent
           args:
             - create
@@ -644,10 +647,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -655,16 +658,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.5
+        helm.sh/chart: ingress-nginx-4.0.6
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.3
+        app.kubernetes.io/version: 1.0.4
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: patch
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
           imagePullPolicy: IfNotPresent
           args:
             - patch
diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml
index 6f20554d2..b7bdefba5 100644
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -45,10 +45,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -216,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -238,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -265,10 +265,10 @@ metadata:
   annotations:
     service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -276,6 +276,9 @@ metadata:
 spec:
   type: LoadBalancer
   externalTrafficPolicy: Local
+  ipFamilyPolicy: SingleStack
+  ipFamilies:
+    - IPv4
   ports:
     - name: http
       port: 80
@@ -297,10 +300,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -323,7 +326,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -412,10 +415,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -430,10 +433,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -470,10 +473,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -486,10 +489,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -510,10 +513,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -535,10 +538,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -560,10 +563,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -585,10 +588,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -596,16 +599,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.5
+        helm.sh/chart: ingress-nginx-4.0.6
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.3
+        app.kubernetes.io/version: 1.0.4
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: create
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
           imagePullPolicy: IfNotPresent
           args:
             - create
@@ -635,10 +638,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.5
+    helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.3
+    app.kubernetes.io/version: 1.0.4
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -646,16 +649,16 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.5
+        helm.sh/chart: ingress-nginx-4.0.6
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.3
+        app.kubernetes.io/version: 1.0.4
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
       containers:
         - name: patch
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
+          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
           imagePullPolicy: IfNotPresent
           args:
             - patch
diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index ccd782a5e..3a53aca1c 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -57,7 +57,7 @@ Kubernetes is available in Docker Desktop
     Before running the command at your terminal, make sure Kubernetes is enabled at Docker settings
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/cloud/deploy.yaml
 ```
 
 #### minikube
@@ -85,7 +85,7 @@ In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controll
 ##### Network Load Balancer (NLB)
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/aws/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/aws/deploy.yaml
 ```
 
 ##### TLS termination in AWS Load Balancer (ELB)
@@ -94,10 +94,10 @@ In some scenarios is required to terminate TLS in the Load Balancer and not in t
 
 For this purpose we provide a template:
 
-- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/aws/deploy-tls-termination.yaml)
+- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/aws/deploy-tls-termination.yaml)
 
 ```console
-wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/aws/deploy-tls-termination.yaml
+wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/aws/deploy-tls-termination.yaml
 ```
 
 - Edit the file and change:
@@ -143,7 +143,7 @@ More information with regards to timeouts can be found in the [official AWS docu
 
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/cloud/deploy.yaml
 ```
 
 !!! failure Important
@@ -152,7 +152,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 #### Azure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/cloud/deploy.yaml
 ```
 
 More information with regards to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller).
@@ -160,13 +160,13 @@ More information with regards to Azure annotations for ingress controller can be
 #### Digital Ocean
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/do/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/do/deploy.yaml
 ```
 
 #### Scaleway
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/scw/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/scw/deploy.yaml
 ```
 
 #### Exoscale
@@ -180,7 +180,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale
 #### Oracle Cloud Infrastructure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/cloud/deploy.yaml
 ```
 
 A [complete list of available annotations for Oracle Cloud Infrastructure](https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md) can be found in the [OCI Cloud Controller Manager](https://github.com/oracle/oci-cloud-controller-manager) documentation.
@@ -190,7 +190,7 @@ A [complete list of available annotations for Oracle Cloud Infrastructure](https
 Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport):
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.3/deploy/static/provider/baremetal/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/baremetal/deploy.yaml
 ```
 
 !!! tip
diff --git a/stable.txt b/stable.txt
index 80a2c1385..4288631e7 100644
--- a/stable.txt
+++ b/stable.txt
@@ -1 +1 @@
-controller-v1.0.3
+controller-v1.0.4

From 5a52d99ae85cfe5ef9535291b8326b0006e75066 Mon Sep 17 00:00:00 2001
From: Mmadu Manasseh <mmadumanasseh@gmail.com>
Date: Thu, 14 Oct 2021 09:23:19 +0100
Subject: [PATCH 179/376] Refactor: update DaemonSet and Deployment command
 params to use templates (#7689)

* Refactor: update DaemonSet and Deployment command parameters to use helm templates

* Fix whitespace issues
---
 charts/ingress-nginx/templates/_params.tpl    | 52 ++++++++++++++++++
 .../templates/controller-daemonset.yaml       | 54 +------------------
 .../templates/controller-deployment.yaml      | 51 +-----------------
 3 files changed, 54 insertions(+), 103 deletions(-)
 create mode 100644 charts/ingress-nginx/templates/_params.tpl

diff --git a/charts/ingress-nginx/templates/_params.tpl b/charts/ingress-nginx/templates/_params.tpl
new file mode 100644
index 000000000..c628ec6f7
--- /dev/null
+++ b/charts/ingress-nginx/templates/_params.tpl
@@ -0,0 +1,52 @@
+{{- define "ingress-nginx.params" -}}
+- /nginx-ingress-controller
+{{- if .Values.defaultBackend.enabled }}
+- --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }}
+{{- end }}
+{{- if .Values.controller.publishService.enabled }}
+- --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }}
+{{- end }}
+- --election-id={{ .Values.controller.electionID }}
+- --controller-class={{ .Values.controller.ingressClassResource.controllerValue }}
+- --configmap={{ default "$(POD_NAMESPACE)" .Values.controller.configMapNamespace }}/{{ include "ingress-nginx.controller.fullname" . }}
+{{- if .Values.tcp }}
+- --tcp-services-configmap={{ default "$(POD_NAMESPACE)" .Values.controller.tcp.configMapNamespace }}/{{ include "ingress-nginx.fullname" . }}-tcp
+{{- end }}
+{{- if .Values.udp }}
+- --udp-services-configmap={{ default "$(POD_NAMESPACE)" .Values.controller.udp.configMapNamespace }}/{{ include "ingress-nginx.fullname" . }}-udp
+{{- end }}
+{{- if .Values.controller.scope.enabled }}
+- --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }}
+{{- end }}
+{{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }}
+- --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }}
+{{- end }}
+{{- if .Values.controller.admissionWebhooks.enabled }}
+- --validating-webhook=:{{ .Values.controller.admissionWebhooks.port }}
+- --validating-webhook-certificate={{ .Values.controller.admissionWebhooks.certificate }}
+- --validating-webhook-key={{ .Values.controller.admissionWebhooks.key }}
+{{- end }}
+{{- if .Values.controller.maxmindLicenseKey }}
+- --maxmind-license-key={{ .Values.controller.maxmindLicenseKey }}
+{{- end }}
+{{- if .Values.controller.healthCheckHost }}
+- --healthz-host={{ .Values.controller.healthCheckHost }}
+{{- end }}
+{{- if not (eq .Values.controller.healthCheckPath "/healthz") }}
+- --health-check-path={{ .Values.controller.healthCheckPath }}
+{{- end }}
+{{- if .Values.controller.ingressClassByName }}
+- --ingress-class-by-name=true
+{{- end }}
+{{- if .Values.controller.watchIngressWithoutClass }}
+- --watch-ingress-without-class=true
+{{- end }}
+{{- range $key, $value := .Values.controller.extraArgs }}
+{{- /* Accept keys without values or with false as value */}}
+{{- if eq ($value | quote | len) 2 }}
+- --{{ $key }}
+{{- else }}
+- --{{ $key }}={{ $value }}
+{{- end }}
+{{- end }}
+{{- end -}}
diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml
index 68291edd7..5f71d4414 100644
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -75,59 +75,7 @@ spec:
           lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
         {{- end }}
           args:
-            - /nginx-ingress-controller
-          {{- if .Values.defaultBackend.enabled }}
-            - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }}
-          {{- end }}
-          {{- if .Values.controller.publishService.enabled }}
-            - --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }}
-          {{- end }}
-            - --election-id={{ .Values.controller.electionID }}
-            - --controller-class={{ .Values.controller.ingressClassResource.controllerValue }}
-            - --configmap={{ default "$(POD_NAMESPACE)" .Values.controller.configMapNamespace }}/{{ include "ingress-nginx.controller.fullname" . }}
-          {{- if .Values.tcp }}
-            - --tcp-services-configmap={{ default "$(POD_NAMESPACE)" .Values.controller.tcp.configMapNamespace }}/{{ include "ingress-nginx.fullname" . }}-tcp
-          {{- end }}
-          {{- if .Values.udp }}
-            - --udp-services-configmap={{ default "$(POD_NAMESPACE)" .Values.controller.udp.configMapNamespace }}/{{ include "ingress-nginx.fullname" . }}-udp
-          {{- end }}
-          {{- if .Values.controller.scope.enabled }}
-            - --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }}
-          {{- end }}
-          {{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }}
-            - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }}
-          {{- end }}
-          {{- if .Values.controller.admissionWebhooks.enabled }}
-            - --validating-webhook=:{{ .Values.controller.admissionWebhooks.port }}
-            - --validating-webhook-certificate={{ .Values.controller.admissionWebhooks.certificate }}
-            - --validating-webhook-key={{ .Values.controller.admissionWebhooks.key }}
-          {{- end }}
-          {{- if .Values.controller.maxmindMirror }}
-            - --maxmind-mirror={{ .Values.controller.maxmindMirror }}
-          {{- end}}
-          {{- if .Values.controller.maxmindLicenseKey }}
-            - --maxmind-license-key={{ .Values.controller.maxmindLicenseKey }}
-          {{- end }}
-          {{- if not (eq .Values.controller.healthCheckPath "/healthz") }}
-            - --health-check-path={{ .Values.controller.healthCheckPath }}
-          {{- end }}
-          {{- if .Values.controller.healthCheckHost }}
-            - --healthz-host={{ .Values.controller.healthCheckHost }}
-          {{- end }}
-          {{- if .Values.controller.ingressClassByName }}
-            - --ingress-class-by-name=true
-          {{- end }}
-          {{- if .Values.controller.watchIngressWithoutClass }}
-            - --watch-ingress-without-class=true
-          {{- end }}
-          {{- range $key, $value := .Values.controller.extraArgs }}
-            {{- /* Accept keys without values or with false as value */}}
-            {{- if eq ($value | quote | len) 2 }}
-            - --{{ $key }}
-            {{- else }}
-            - --{{ $key }}={{ $value }}
-            {{- end }}
-          {{- end }}
+            {{- include "ingress-nginx.params" . | nindent 12 }}
           securityContext:
             capabilities:
                 drop:
diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
index 24714a523..41276c6fa 100644
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -79,56 +79,7 @@ spec:
           lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
         {{- end }}
           args:
-            - /nginx-ingress-controller
-          {{- if .Values.defaultBackend.enabled }}
-            - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }}
-          {{- end }}
-          {{- if .Values.controller.publishService.enabled }}
-            - --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }}
-          {{- end }}
-            - --election-id={{ .Values.controller.electionID }}
-            - --controller-class={{ .Values.controller.ingressClassResource.controllerValue }}
-            - --configmap={{ default "$(POD_NAMESPACE)" .Values.controller.configMapNamespace }}/{{ include "ingress-nginx.controller.fullname" . }}
-          {{- if .Values.tcp }}
-            - --tcp-services-configmap={{ default "$(POD_NAMESPACE)" .Values.controller.tcp.configMapNamespace }}/{{ include "ingress-nginx.fullname" . }}-tcp
-          {{- end }}
-          {{- if .Values.udp }}
-            - --udp-services-configmap={{ default "$(POD_NAMESPACE)" .Values.controller.udp.configMapNamespace }}/{{ include "ingress-nginx.fullname" . }}-udp
-          {{- end }}
-          {{- if .Values.controller.scope.enabled }}
-            - --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }}
-          {{- end }}
-          {{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }}
-            - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }}
-          {{- end }}
-          {{- if .Values.controller.admissionWebhooks.enabled }}
-            - --validating-webhook=:{{ .Values.controller.admissionWebhooks.port }}
-            - --validating-webhook-certificate={{ .Values.controller.admissionWebhooks.certificate }}
-            - --validating-webhook-key={{ .Values.controller.admissionWebhooks.key }}
-          {{- end }}
-          {{- if .Values.controller.maxmindLicenseKey }}
-            - --maxmind-license-key={{ .Values.controller.maxmindLicenseKey }}
-          {{- end }}
-          {{- if .Values.controller.healthCheckHost }}
-            - --healthz-host={{ .Values.controller.healthCheckHost }}
-          {{- end }}
-          {{- if not (eq .Values.controller.healthCheckPath "/healthz") }}
-            - --health-check-path={{ .Values.controller.healthCheckPath }}
-          {{- end }}
-          {{- if .Values.controller.ingressClassByName }}
-            - --ingress-class-by-name=true
-          {{- end }}
-          {{- if .Values.controller.watchIngressWithoutClass }}
-            - --watch-ingress-without-class=true
-          {{- end }}
-          {{- range $key, $value := .Values.controller.extraArgs }}
-            {{- /* Accept keys without values or with false as value */}}
-            {{- if eq ($value | quote | len) 2 }}
-            - --{{ $key }}
-            {{- else }}
-            - --{{ $key }}={{ $value }}
-            {{- end }}
-          {{- end }}
+            {{- include "ingress-nginx.params" . | nindent 12 }}
           securityContext:
             capabilities:
                 drop:

From abb05135bbaf422d52c50ebe36d918d2aaef113d Mon Sep 17 00:00:00 2001
From: Noah Ispas <13436814+iamNoah1@users.noreply.github.com>
Date: Tue, 19 Oct 2021 15:52:39 +0200
Subject: [PATCH 180/376] add some information about triaging pull requests
 (#7822)

---
 CONTRIBUTING.md |  4 +++-
 ISSUE_TRIAGE.md | 33 ++++++++++++++++++++++++++++-----
 2 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 5266e6131..170396aaa 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -34,7 +34,9 @@ All changes must be code reviewed. Coding conventions and standards are explaine
 
 ### Merge Approval
 
-Ingress collaborators may add "LGTM" (Looks Good To Me) or an equivalent comment to indicate that a PR is acceptable. Any change requires at least one LGTM.  No pull requests can be merged until at least one Ingress collaborator signs off with an LGTM.
+Ingress Nginx collaborators may add "/lgtm" (Looks Good To Me) to indicate that a PR is acceptable. Any change requires at least one LGTM.  No pull requests can be merged until at least one Ingress Nginx collaborator signs off with an LGTM. Adding the "/lgtm" comment result in the prow bot adding the `lgtm` label. Note that a pull request still needs an `approve` label from one of the owners. 
+
+Reviewers or members who want to become reviewers according to the [k8s membership ladder](https://github.com/kubernetes/community/blob/master/community-membership.md), coud actively search for [pull requests that need a review](https://github.com/kubernetes/ingress-nginx/pulls?q=is%3Aopen+is%3Apr+label%3Atriage%2Faccepted). 
 
 ## Support Channels
 
diff --git a/ISSUE_TRIAGE.md b/ISSUE_TRIAGE.md
index 943a03e89..3a5ba48a9 100644
--- a/ISSUE_TRIAGE.md
+++ b/ISSUE_TRIAGE.md
@@ -10,14 +10,13 @@ The triage process of the ingress-nginx maintainers is based on the [triage proc
 
 However the exact process of the ingress-nginx maintainers may differ in certain aspects. This doc gives a more precise overview on how the ingress-nginx maintainers approach the issue triage process and other processes that are related. 
 
-## Triage Flow 
+## Triage Flow (Issues)
 
-This section describes the different stages of the triage flow.
+This section describes the different stages of the triage flow for issues.
 
 ### Prepare Issues
 New issues come in with the labels `needs-triage` and `needs-priority` and one of: `kind/bug`, `kind/feature` or `kind/support`. Unfortunately there are also some legacy issues that only have a `kind/*` label but neither `needs-triage` nor `needs-priority` . However for every issue that does not have the `triage-accepted` label the following steps have to be done to prepare them for further processing:  
 
-
 * Filter for issues [without the `triage-accepted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+-label%3Atriage%2Faccepted+is%3Aissue) label.
 * Check if all neccessary information are available. This is basically true, if people filled out the issue template correctly. If neccessary information is missing, ask the author to add the missing information and add the label `triage/needs-information` if not already present. If already present, send the author a friendly reminder to add those. 
 * Check if the used versions of ingress-nginx and Kubernetes is supported. Note that [we only support n-3 versions](https://github.com/kubernetes/ingress-nginx#support-versions-table). If the version is not supported, ask the author to upgrade to newer versions and see if the error still persists. 
@@ -39,11 +38,35 @@ Who and When?
 * Basically every contributor should be able to do that.
 * Tricky/important ones could be brought up during community meetings
 
+## Triage Flow (Pull Requests)
+
+This section describes the different stages of the triage flow for pull requests.
+
+### Prepare Pull Requests
+Pull requests come in with the labels `needs-triage`, `needs-priority` and `needs-kind` and one that indicates the size(`size/*`). Unfortunately there are also some legacy pull requests that only have a `size/*` label but neither `needs-triage` nor `needs-priority` . However for every pull request that does not have the `triage-accepted` label the following steps should be done to prepare them for further processing:   
+
+* Filter for pull requests [without the `triage-accepted`](https://github.com/kubernetes/ingress-nginx/pulls?q=is%3Aopen+-label%3Atriage%2Faccepted+is%3Apr) label.
+* Check if the cla is signed and all neccessary information are available. This is basically true, if people filled out the pull request template correctly. If everything is fine add the `triage-accepted` label.
+* If at any point you don't know how to proceed with an issue during the triage process, tag one of the [core maintainers](OWNERS_ALIASES) in the issue to raise attention or alternatively come to [this slack channel](https://kubernetes.slack.com/archives/C021E147ZA4) which may be the quicker way as people tend to miss github notifications. 
+
+Who and When?
+* Basically everyone who wants to contribute can do the mentioned steps at any time.
+
+### Pull Request Priorization
+For all pull requests, where all neccessary information is available and cla is signed thus triage is accepted, we need to do some priorization: 
+
+* Go through all pull requests with label [`triage-accepted`](https://github.com/kubernetes/ingress-nginx/pulls?q=is%3Aopen+is%3Apr+label%3Atriage%2Faccepted).  
+* Sync the `kind/*` and `priority/*` label from the linked issue for the pull request. If the pull request does not have any issue associated (which normally should not be the case), add an appropriate priority and kind label (one of: `priority/backlog`, `priority/critical-urgent`, `priority/important-longterm`, `priority/important-soon`) 
+
+Who and When? 
+* Basically every contributor should be able to do that.
+* Tricky/important ones could be brought up during community meetings
+
 ## Labels 
-Labels are helpful for issues to indicate in which lifecycle state they are currently and to categorize them. This section describes the most important ones with the additional info about how to add those. A complete label list of the Kubernetes community can be found [here](https://github.com/kubernetes/kubernetes/labels) while a complete label list for this project can be found [here](https://github.com/kubernetes/ingress-nginx/labels). However, here the most important ones: 
+Labels are helpful for issues or pull requests to indicate in which lifecycle state they are currently and to categorize them. This section describes the most important ones with the additional info about how to add those. A complete label list of the Kubernetes community can be found [here](https://github.com/kubernetes/kubernetes/labels) while a complete label list for this project can be found [here](https://github.com/kubernetes/ingress-nginx/labels). However, here the most important ones: 
 
 * Triage:
-  * [`needs-triage`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3Aneeds-triage): Indicates that the issue needs triage. Automatically added. 
+  * [`needs-triage`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3Aneeds-triage): Indicates that the issue or pull request needs triage. Automatically added. 
   * [`triage/accepted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Atriage%2Faccepted+is%3Aissue+): Indicates that the issue is ready for further processing. Add with `/triage accepted`.
   * [`triage/needs-information`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Atriage%2Fneeds-information+is%3Aissue+): Indicates that the issue lacks information. Add with `/triage needs-information`.
 * Kind: 

From 8611ecb7c97ce286e2e171a7e6e6aa50d2398b0c Mon Sep 17 00:00:00 2001
From: Maxence Boutet <52334444+mboutet@users.noreply.github.com>
Date: Tue, 19 Oct 2021 23:37:57 -0400
Subject: [PATCH 181/376] Fix not rendered markdown list (#7825)

---
 docs/index.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/index.md b/docs/index.md
index cc3d2cb58..1154ba32b 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -160,7 +160,8 @@ Ingress-Nginx-Controller-nginx1 with `k8s.io/ingress-nginx1`
 Ingress-Nginx-Controller-nginx2 with `k8s.io/ingress-nginx2`
 Then, when you create an Ingress Object with IngressClassName = `ingress-nginx2`, it will look for controllers with `controller-class=k8s.io/ingress-nginx2` and as `Ingress-Nginx-Controller-nginx2` is watching objects that points to `ingressClass="k8s.io/ingress-nginx2`, it will serve that object, while `Ingress-Nginx-Controller-nginx1` will ignore the ingress object.
 
-Bear in mind that, if your `Ingress-Nginx-Controller-nginx2` is started with the flag `--watch-ingress-without-class=true`, then it will serve ;
+Bear in mind that, if your `Ingress-Nginx-Controller-nginx2` is started with the flag `--watch-ingress-without-class=true`, then it will serve:
+
 - objects without ingress-class
 - objects with the annotation configured in flag `--ingress-class` and same class value
 - and also objects pointing to the ingressClass that have the same .spec.controller as configured in `--controller-class`

From 0b24ade145de1166d203c49ddac9229c911eb03b Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Fri, 22 Oct 2021 23:00:38 +0530
Subject: [PATCH 182/376] fixed issue 7807 (#7814)

---
 docs/examples/grpc/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/examples/grpc/README.md b/docs/examples/grpc/README.md
index 8835b5110..a20c8c7dd 100644
--- a/docs/examples/grpc/README.md
+++ b/docs/examples/grpc/README.md
@@ -6,7 +6,7 @@ This example demonstrates how to route traffic to a gRPC service through the ngi
 
 1. You have a kubernetes cluster running.
 2. You have a domain name such as `example.com` that is configured to route traffic to the ingress controller.
-3. You have the nginx-ingress controller installed as per docs, with gRPC support.
+3. You have the nginx-ingress controller installed as per docs.
 4. You have a backend application running a gRPC server and listening for TCP traffic.  If you want, you can use <https://github.com/grpc/grpc-go/blob/91e0aeb192456225adf27966d04ada4cf8599915/examples/features/reflection/server/main.go> as an example.
 5. You're also responsible for provisioning an SSL certificate for the ingress. So you need to have a valid SSL certificate, deployed as a Kubernetes secret of type tls, in the same namespace as the gRPC application.
 
@@ -20,7 +20,7 @@ This example demonstrates how to route traffic to a gRPC service through the ngi
 
 - As an example gRPC application, we can use this app <https://github.com/grpc/grpc-go/blob/91e0aeb192456225adf27966d04ada4cf8599915/examples/features/reflection/server/main.go> .
 
-- To create a container image for this app, you can use [this Dockerfile](../../../images/go-grpc-greeter-server/rootfs/Dockerfile). 
+- To create a container image for this app, you can use [this Dockerfile](https://github.com/kubernetes/ingress-nginx/blob/5a52d99ae85cfe5ef9535291b8326b0006e75066/images/go-grpc-greeter-server/rootfs/Dockerfile). 
 
 - If you use the Dockerfile mentioned above, to create a image, then given below is an example of a Kubernetes manifest, to create a deployment resource, that uses that image. If needed, then edit this manifest to suit your needs. Assuming the name of this yaml file is  `deployment.go-grpc-greeter-server.yaml` ;
 

From af7d9581f47113f4e2cfd7fac92ba02ae9cd49f0 Mon Sep 17 00:00:00 2001
From: Zhiwei Liu <zhiweiv@outlook.com>
Date: Fri, 22 Oct 2021 17:34:38 +0000
Subject: [PATCH 183/376] Remove deprecated annotation in helm chart example
 (#7813)

---
 charts/ingress-nginx/templates/NOTES.txt | 2 --
 1 file changed, 2 deletions(-)

diff --git a/charts/ingress-nginx/templates/NOTES.txt b/charts/ingress-nginx/templates/NOTES.txt
index 29aeb113a..2dbf14f21 100644
--- a/charts/ingress-nginx/templates/NOTES.txt
+++ b/charts/ingress-nginx/templates/NOTES.txt
@@ -32,8 +32,6 @@ An example Ingress that makes use of the controller:
   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
-    annotations:
-      kubernetes.io/ingress.class: {{ .Values.controller.ingressClassResource.name }}
     name: example
     namespace: foo
   spec:

From 21bab108f41f65eddd92b92e3c249b674d07c11c Mon Sep 17 00:00:00 2001
From: Mara Sophie Grosch <littlefox@lf-net.org>
Date: Sun, 24 Oct 2021 21:08:22 +0200
Subject: [PATCH 184/376] mention CVE-2021-25742 in annotations doc (#7843)

Referring to CVE-2021-25742 in the annotations doc at the description of `configuration-snippet`.
---
 docs/user-guide/nginx-configuration/annotations.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
index 38439b33f..d8e6010ab 100755
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@@ -303,6 +303,8 @@ nginx.ingress.kubernetes.io/configuration-snippet: |
   more_set_headers "Request-Id: $req_id";
 ```
 
+Be aware this can be dangerous in multi-tenant clusters, as it can lead to people with otherwise limited permissions being able to retrieve all secrets on the cluster. The recommended mitigation for this threat is to disable this feature, so it may not work for you. See CVE-2021-25742 and the [related issue on github](https://github.com/kubernetes/ingress-nginx/issues/7837) for more information.
+
 ### Custom HTTP Errors
 
 Like the [`custom-http-errors`](./configmap.md#custom-http-errors) value in the ConfigMap, this annotation will set NGINX `proxy-intercept-errors`, but only for the NGINX location associated with this ingress. If a [default backend annotation](#default-backend) is specified on the ingress, the errors will be routed to that annotation's default backend service (instead of the global default backend).

From eb482db5b3fbf07ddcaaed4aeb7b1f3344f32bbf Mon Sep 17 00:00:00 2001
From: Damien Mathieu <42@dmathieu.com>
Date: Sun, 24 Oct 2021 21:12:21 +0200
Subject: [PATCH 185/376] disable opentelemetry on arm (#7831)

---
 images/nginx/rootfs/build.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
index 919e4fcbb..ab64d5d94 100755
--- a/images/nginx/rootfs/build.sh
+++ b/images/nginx/rootfs/build.sh
@@ -137,12 +137,15 @@ export BUILD_PATH=/tmp/build
 
 ARCH=$(uname -m)
 
-export USE_OPENTELEMETRY=true
 if [[ ${ARCH} == "s390x" ]]; then
   export LUAJIT_VERSION=9d5750d28478abfdcaefdfdc408f87752a21e431
   export LUA_RESTY_CORE=0.1.17
   export LUA_NGX_VERSION=0.10.15
   export LUA_STREAM_NGX_VERSION=0.0.7
+fi
+
+export USE_OPENTELEMETRY=true
+if [[ ${ARCH} == "s390x" ]] || [[ ${ARCH} == "armv7l" ]]; then
   export USE_OPENTELEMETRY=false
 fi
 

From 57585df4d46967fbac9c699cec33d50cb8989b8f Mon Sep 17 00:00:00 2001
From: Noah Ispas <13436814+iamNoah1@users.noreply.github.com>
Date: Sun, 24 Oct 2021 21:14:21 +0200
Subject: [PATCH 186/376] add more guidance for the right labeling when
 creating doc related issue (#7842)

---
 .github/ISSUE_TEMPLATE/feature_request.md | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
index 771804b54..b4041a579 100644
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -25,6 +25,9 @@ blocks.  If they're super-long, please use the details tag like
 
 <!-- Does it require a particular kubernetes version? -->
 
-<!-- If this is actually about documentation, add `/kind documentation` below -->
+<!-- If this is actually about documentation, uncomment the following block -->
 
-/kind feature
+<!-- 
+/kind documentation
+/remove-kind feature
+-->
\ No newline at end of file

From c6adeb8f8cb606f0d78e46f14efbf17367d8ffe4 Mon Sep 17 00:00:00 2001
From: Davide Icardi <davide.icardi@gmail.com>
Date: Sun, 24 Oct 2021 21:20:21 +0200
Subject: [PATCH 187/376] improve basic usage documentation (#7661)

---
 docs/user-guide/basic-usage.md | 100 ++++++++++++++++-----------------
 1 file changed, 49 insertions(+), 51 deletions(-)

diff --git a/docs/user-guide/basic-usage.md b/docs/user-guide/basic-usage.md
index ae913b6a4..64c81148b 100644
--- a/docs/user-guide/basic-usage.md
+++ b/docs/user-guide/basic-usage.md
@@ -2,7 +2,11 @@
 
 ingress-nginx can be used for many use cases, inside various cloud provider and supports a lot of configurations. In this section you can find a common usage scenario where a single load balancer powered by ingress-nginx will route traffic to 2 different HTTP backend services based on the host name.
 
-First of all follow the instructions to install ingress-nginx. Then imagine that you need to expose 2 HTTP services already installed: `myServiceA`, `myServiceB`. Let's say that you want to expose the first at `myServiceA.foo.org` and the second at `myServiceB.foo.org`. One possible solution is to create two **ingress** resources:
+First of all follow the instructions to install ingress-nginx. Then imagine that you need to expose 2 HTTP services already installed, `myServiceA`, `myServiceB`, and configured as `type: ClusterIP`. 
+
+Let's say that you want to expose the first at `myServiceA.foo.org` and the second at `myServiceB.foo.org`.
+
+If cluster version < 1.19 you can create two **ingress** resources like this:
 
 ```
 apiVersion: networking.k8s.io/v1
@@ -46,59 +50,53 @@ spec:
               number: 80
 ```
 
-When you apply this yaml, 2 ingress resources will be created managed by the **ingress-nginx** instance. Nginx is configured to automatically discover all ingress with the `kubernetes.io/ingress.class: "nginx"` annotation.
+If cluster version >= 1.19 the Ingress resource above will not work, instead of annotations you should use the new `ingressClassName: nginx` property.
+
+```
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-myservicea
+spec:
+  rules:
+  - host: myservicea.foo.org
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: myservicea
+            port: 
+              number: 80
+  ingressClassName: nginx
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-myserviceb
+spec:
+  rules:
+  - host: myserviceb.foo.org
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: myserviceb
+            port: 
+              number: 80
+  ingressClassName: nginx
+```
+
+When you apply this yaml, 2 ingress resources will be created managed by the **ingress-nginx** instance. Nginx is configured to automatically discover all ingress with the `kubernetes.io/ingress.class: "nginx"` annotation or where `ingressClassName: nginx` is present.
 Please note that the ingress resource should be placed inside the same namespace of the backend resource.
 
-If cluster version >= 1.19 the Ingress resource above will not work.
-You need to deploy the following so that it match the new api version.
-This will require changes to the Ingress objects as shown below, and a new object from type "kind: IngressClass"
-```
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: ingress-myservicea
-spec:
-  rules:
-  - host: myservicea.foo.org
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: myservicea
-            port: 
-              number: 80
-  ingressClassName: nginx
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: ingress-myserviceb
-spec:
-  rules:
-  - host: myserviceb.foo.org
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: myserviceb
-            port: 
-              number: 80
-  ingressClassName: nginx
----
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
-  name: nginx
-spec:
-  controller: k8s.io/ingress-nginx
-```
-
-On many cloud providers ingress-nginx will also create the corresponding Load Balancer resource. All you have to do is get the external IP and add a DNS `A record` inside your DNS provider that point myServiceA.foo.org and myServiceB.foo.org to the nginx external IP. Get the external IP by running:
+On many cloud providers ingress-nginx will also create the corresponding Load Balancer resource. All you have to do is get the external IP and add a DNS `A record` inside your DNS provider that point myservicea.foo.org and myserviceb.foo.org to the nginx external IP. Get the external IP by running:
 
 ```
 kubectl get services -n ingress-nginx
 ```
+
+To test inside minikube refer to this documentation: [Set up Ingress on Minikube with the NGINX Ingress Controller](https://kubernetes.io/docs/tasks/access-application-cluster/ingress-minikube/)
\ No newline at end of file

From e4001df41eaa4119ba2dd42dc3c31750a371a39c Mon Sep 17 00:00:00 2001
From: James Callahan <35791147+james-callahan@users.noreply.github.com>
Date: Mon, 25 Oct 2021 08:28:21 +1100
Subject: [PATCH 188/376] ServiceMonitor namespaceSelector defaults to current
 namespace (#7001)

---
 charts/ingress-nginx/templates/controller-servicemonitor.yaml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/charts/ingress-nginx/templates/controller-servicemonitor.yaml
index 17894c8be..cf383f0f8 100644
--- a/charts/ingress-nginx/templates/controller-servicemonitor.yaml
+++ b/charts/ingress-nginx/templates/controller-servicemonitor.yaml
@@ -27,10 +27,6 @@ spec:
 {{- end }}
 {{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }}
   namespaceSelector: {{ toYaml .Values.controller.metrics.serviceMonitor.namespaceSelector | nindent 4 }}
-{{ else }}
-  namespaceSelector:
-    matchNames:
-      - {{ .Release.Namespace }}
 {{- end }}
 {{- if .Values.controller.metrics.serviceMonitor.targetLabels }}
   targetLabels:

From 7d5452d00b7584195c4f9239f8938447a2a1b3f5 Mon Sep 17 00:00:00 2001
From: Matthew Silverman <matthew.silverman@shopify.com>
Date: Sun, 24 Oct 2021 17:36:21 -0400
Subject: [PATCH 189/376] configmap: option to not trust incoming tracing spans
 (#7045)

* validate the sender of tracing spans

* add location-specific setting
---
 .../nginx-configuration/annotations.md        | 10 ++++++
 .../third-party-addons/opentracing.md         | 12 +++++++
 .../ingress/annotations/opentracing/main.go   | 23 +++++++++---
 .../annotations/opentracing/main_test.go      | 23 ++++++++++++
 internal/ingress/controller/config/config.go  |  6 ++++
 .../ingress/controller/template/template.go   | 28 +++++++--------
 .../controller/template/template_test.go      | 36 ++++++++++++-------
 rootfs/etc/nginx/template/nginx.tmpl          |  2 +-
 test/e2e/settings/opentracing.go              | 18 +++++++++-
 9 files changed, 124 insertions(+), 34 deletions(-)

diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
index d8e6010ab..ca515f9e2 100755
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@@ -112,6 +112,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
 |[nginx.ingress.kubernetes.io/connection-proxy-header](#connection-proxy-header)|string|
 |[nginx.ingress.kubernetes.io/enable-access-log](#enable-access-log)|"true" or "false"|
 |[nginx.ingress.kubernetes.io/enable-opentracing](#enable-opentracing)|"true" or "false"|
+|[nginx.ingress.kubernetes.io/opentracing-trust-incoming-span](#opentracing-trust-incoming-span)|"true" or "false"|
 |[nginx.ingress.kubernetes.io/enable-influxdb](#influxdb)|"true" or "false"|
 |[nginx.ingress.kubernetes.io/influxdb-measurement](#influxdb)|string|
 |[nginx.ingress.kubernetes.io/influxdb-port](#influxdb)|string|
@@ -768,6 +769,15 @@ to enable it or disable it for a specific ingress (e.g. to turn off tracing of e
 nginx.ingress.kubernetes.io/enable-opentracing: "true"
 ```
 
+### Opentracing Trust Incoming Span
+
+The option to trust incoming trace spans can be enabled or disabled globally through the ConfigMap but this will
+sometimes need to be overriden to enable it or disable it for a specific ingress (e.g. only enable on a private endpoint)
+
+```yaml
+nginx.ingress.kubernetes.io/opentracing-trust-incoming-span: "true"
+```
+
 ### X-Forwarded-Prefix Header
 To add the non-standard `X-Forwarded-Prefix` header to the upstream request with a string value, the following annotation can be used:
 
diff --git a/docs/user-guide/third-party-addons/opentracing.md b/docs/user-guide/third-party-addons/opentracing.md
index 916b29637..6c2918046 100644
--- a/docs/user-guide/third-party-addons/opentracing.md
+++ b/docs/user-guide/third-party-addons/opentracing.md
@@ -46,6 +46,9 @@ opentracing-operation-name
 # specifies specifies the name to use for the location span
 opentracing-location-operation-name
 
+# sets whether or not to trust incoming tracing spans
+opentracing-trust-incoming-span
+
 # specifies the port to use when uploading traces, Default: 9411
 zipkin-collector-port
 
@@ -114,6 +117,15 @@ datadog-sample-rate
 
 All these options (including host) allow environment variables, such as `$HOSTNAME` or `$HOST_IP`. In the case of Jaeger, if you have a Jaeger agent running on each machine in your cluster, you can use something like `$HOST_IP` (which can be 'mounted' with the `status.hostIP` fieldpath, as described [here](https://kubernetes.io/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/#capabilities-of-the-downward-api)) to make sure traces will be sent to the local agent.
 
+
+Note that you can also set whether to trust incoming spans (global default is true) per-location using annotations like the following:
+```
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/opentracing-trust-incoming-span: "true"
+```
+
 ## Examples
 
 The following examples show how to deploy and test different distributed tracing systems. These example can be performed using Minikube.
diff --git a/internal/ingress/annotations/opentracing/main.go b/internal/ingress/annotations/opentracing/main.go
index 2ed4a2182..17ba7eb9f 100644
--- a/internal/ingress/annotations/opentracing/main.go
+++ b/internal/ingress/annotations/opentracing/main.go
@@ -29,8 +29,10 @@ type opentracing struct {
 
 // Config contains the configuration to be used in the Ingress
 type Config struct {
-	Enabled bool `json:"enabled"`
-	Set     bool `json:"set"`
+	Enabled      bool `json:"enabled"`
+	Set          bool `json:"set"`
+	TrustEnabled bool `json:"trust-enabled"`
+	TrustSet     bool `json:"trust-set"`
 }
 
 // Equal tests for equality between two Config types
@@ -43,6 +45,14 @@ func (bd1 *Config) Equal(bd2 *Config) bool {
 		return false
 	}
 
+	if bd1.TrustSet != bd2.TrustSet {
+		return false
+	}
+
+	if bd1.TrustEnabled != bd2.TrustEnabled {
+		return false
+	}
+
 	return true
 }
 
@@ -54,8 +64,13 @@ func NewParser(r resolver.Resolver) parser.IngressAnnotation {
 func (s opentracing) Parse(ing *networking.Ingress) (interface{}, error) {
 	enabled, err := parser.GetBoolAnnotation("enable-opentracing", ing)
 	if err != nil {
-		return &Config{Set: false, Enabled: false}, nil
+		return &Config{}, nil
 	}
 
-	return &Config{Set: true, Enabled: enabled}, nil
+	trustSpan, err := parser.GetBoolAnnotation("opentracing-trust-incoming-span", ing)
+	if err != nil {
+		return &Config{Set: true, Enabled: enabled}, nil
+	}
+
+	return &Config{Set: true, Enabled: enabled, TrustSet: true, TrustEnabled: trustSpan}, nil
 }
diff --git a/internal/ingress/annotations/opentracing/main_test.go b/internal/ingress/annotations/opentracing/main_test.go
index 77e29cb5d..7bd9d31ff 100644
--- a/internal/ingress/annotations/opentracing/main_test.go
+++ b/internal/ingress/annotations/opentracing/main_test.go
@@ -106,6 +106,29 @@ func TestIngressAnnotationOpentracingSetFalse(t *testing.T) {
 	}
 }
 
+func TestIngressAnnotationOpentracingTrustSetTrue(t *testing.T) {
+	ing := buildIngress()
+
+	data := map[string]string{}
+	data[parser.GetAnnotationWithPrefix("enable-opentracing")] = "true"
+	data[parser.GetAnnotationWithPrefix("opentracing-trust-incoming-span")] = "true"
+	ing.SetAnnotations(data)
+
+	val, _ := NewParser(&resolver.Mock{}).Parse(ing)
+	openTracing, ok := val.(*Config)
+	if !ok {
+		t.Errorf("expected a Config type")
+	}
+
+	if !openTracing.Enabled {
+		t.Errorf("expected annotation value to be true, got false")
+	}
+
+	if !openTracing.TrustEnabled {
+		t.Errorf("expected annotation value to be true, got false")
+	}
+}
+
 func TestIngressAnnotationOpentracingUnset(t *testing.T) {
 	ing := buildIngress()
 
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
index a29c1b094..b1a5fc8c4 100644
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@@ -537,6 +537,11 @@ type Configuration struct {
 	// OpentracingOperationName specifies a custom name for the location span
 	OpentracingLocationOperationName string `json:"opentracing-location-operation-name"`
 
+	// OpentracingTrustIncomingSpan sets whether or not to trust incoming trace spans
+	// If false, incoming span headers will be rejected
+	// Default: true
+	OpentracingTrustIncomingSpan bool `json:"opentracing-trust-incoming-span"`
+
 	// ZipkinCollectorHost specifies the host to use when uploading traces
 	ZipkinCollectorHost string `json:"zipkin-collector-host"`
 
@@ -874,6 +879,7 @@ func NewDefault() Configuration {
 		LimitConnZoneVariable:                  defaultLimitConnZoneVariable,
 		BindAddressIpv4:                        defBindAddress,
 		BindAddressIpv6:                        defBindAddress,
+		OpentracingTrustIncomingSpan:           true,
 		ZipkinCollectorPort:                    9411,
 		ZipkinServiceName:                      "nginx",
 		ZipkinSampleRate:                       1.0,
diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go
index e5da5b993..7ed297fa6 100644
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@@ -1440,7 +1440,7 @@ func httpsListener(addresses []string, co string, tc config.TemplateConfig) []st
 	return out
 }
 
-func buildOpentracingForLocation(isOTEnabled bool, location *ingress.Location) string {
+func buildOpentracingForLocation(isOTEnabled bool, isOTTrustSet bool, location *ingress.Location) string {
 	isOTEnabledInLoc := location.Opentracing.Enabled
 	isOTSetInLoc := location.Opentracing.Set
 
@@ -1448,25 +1448,21 @@ func buildOpentracingForLocation(isOTEnabled bool, location *ingress.Location) s
 		if isOTSetInLoc && !isOTEnabledInLoc {
 			return "opentracing off;"
 		}
-
-		opc := opentracingPropagateContext(location)
-		if opc != "" {
-			opc = fmt.Sprintf("opentracing on;\n%v", opc)
-		}
-
-		return opc
+	} else if !isOTSetInLoc || !isOTEnabledInLoc {
+		return ""
 	}
 
-	if isOTSetInLoc && isOTEnabledInLoc {
-		opc := opentracingPropagateContext(location)
-		if opc != "" {
-			opc = fmt.Sprintf("opentracing on;\n%v", opc)
-		}
-
-		return opc
+	opc := opentracingPropagateContext(location)
+	if opc != "" {
+		opc = fmt.Sprintf("opentracing on;\n%v", opc)
 	}
 
-	return ""
+	if (!isOTTrustSet && !location.Opentracing.TrustSet) ||
+		(location.Opentracing.TrustSet && !location.Opentracing.TrustEnabled) {
+		opc = opc + "\nopentracing_trust_incoming_span off;"
+	}
+
+	return opc
 }
 
 // shouldLoadOpentracingModule determines whether or not the Opentracing module needs to be loaded.
diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go
index 96dc9acae..cfb65c08e 100644
--- a/internal/ingress/controller/template/template_test.go
+++ b/internal/ingress/controller/template/template_test.go
@@ -1637,32 +1637,44 @@ func TestShouldLoadModSecurityModule(t *testing.T) {
 
 func TestOpentracingForLocation(t *testing.T) {
 	trueVal := true
+	falseVal := false
 
 	loadOT := `opentracing on;
 opentracing_propagate_context;`
+	loadOTUntrustedSpan := `opentracing on;
+opentracing_propagate_context;
+opentracing_trust_incoming_span off;`
 	testCases := []struct {
-		description string
-		globalOT    bool
-		isSetInLoc  bool
-		isOTInLoc   *bool
-		expected    string
+		description     string
+		globalOT        bool
+		isSetInLoc      bool
+		isOTInLoc       *bool
+		globalTrust     bool
+		isTrustSetInLoc bool
+		isTrustInLoc    *bool
+		expected        string
 	}{
-		{"globally enabled, without annotation", true, false, nil, loadOT},
-		{"globally enabled and enabled in location", true, true, &trueVal, loadOT},
-		{"globally disabled and not enabled in location", false, false, nil, ""},
-		{"globally disabled but enabled in location", false, true, &trueVal, loadOT},
-		{"globally disabled, enabled in location but false", false, true, &trueVal, loadOT},
+		{"globally enabled, without annotation", true, false, nil, true, false, nil, loadOT},
+		{"globally enabled and enabled in location", true, true, &trueVal, true, false, nil, loadOT},
+		{"globally disabled and not enabled in location", false, false, nil, true, false, nil, ""},
+		{"globally disabled but enabled in location", false, true, &trueVal, true, false, nil, loadOT},
+		{"globally trusted, not trusted in location", true, false, nil, true, true, &falseVal, loadOTUntrustedSpan},
+		{"not globally trusted, trust set in location", true, false, nil, false, true, &trueVal, loadOT},
+		{"not globally trusted, trust not set in location", true, false, nil, false, false, nil, loadOTUntrustedSpan},
 	}
 
 	for _, testCase := range testCases {
 		il := &ingress.Location{
-			Opentracing: opentracing.Config{Set: testCase.isSetInLoc},
+			Opentracing: opentracing.Config{Set: testCase.isSetInLoc, TrustSet: testCase.isTrustSetInLoc},
 		}
 		if il.Opentracing.Set {
 			il.Opentracing.Enabled = *testCase.isOTInLoc
 		}
+		if il.Opentracing.TrustSet {
+			il.Opentracing.TrustEnabled = *testCase.isTrustInLoc
+		}
 
-		actual := buildOpentracingForLocation(testCase.globalOT, il)
+		actual := buildOpentracingForLocation(testCase.globalOT, testCase.globalTrust, il)
 
 		if testCase.expected != actual {
 			t.Errorf("%v: expected '%v' but returned '%v'", testCase.description, testCase.expected, actual)
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 32b02f72a..bfe0703ff 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -1096,7 +1096,7 @@ stream {
             set $location_path  {{ $ing.Path | escapeLiteralDollar | quote }};
             set $global_rate_limit_exceeding n;
 
-            {{ buildOpentracingForLocation $all.Cfg.EnableOpentracing $location }}
+            {{ buildOpentracingForLocation $all.Cfg.EnableOpentracing $all.Cfg.OpentracingTrustIncomingSpan $location }}
 
             {{ if $location.Mirror.Source }}
             mirror {{ $location.Mirror.Source }};
diff --git a/test/e2e/settings/opentracing.go b/test/e2e/settings/opentracing.go
index 0fe4e62f6..3ac16be78 100644
--- a/test/e2e/settings/opentracing.go
+++ b/test/e2e/settings/opentracing.go
@@ -29,7 +29,8 @@ import (
 )
 
 const (
-	enableOpentracing = "enable-opentracing"
+	enableOpentracing            = "enable-opentracing"
+	opentracingTrustIncomingSpan = "opentracing-trust-incoming-span"
 
 	zipkinCollectorHost = "zipkin-collector-host"
 
@@ -81,6 +82,21 @@ var _ = framework.IngressNginxDescribe("Configure OpenTracing", func() {
 			})
 	})
 
+	ginkgo.It("should include opentracing_trust_incoming_span off directive when disabled", func() {
+		config := map[string]string{}
+		config[enableOpentracing] = "true"
+		config[opentracingTrustIncomingSpan] = "false"
+		config[zipkinCollectorHost] = "127.0.0.1"
+		f.SetNginxConfigMapData(config)
+
+		f.EnsureIngress(framework.NewSingleIngress(enableOpentracing, "/", enableOpentracing, f.Namespace, "http-svc", 80, nil))
+
+		f.WaitForNginxConfiguration(
+			func(cfg string) bool {
+				return strings.Contains(cfg, "opentracing_trust_incoming_span off")
+			})
+	})
+
 	ginkgo.It("should not exists opentracing_operation_name directive when is empty", func() {
 		config := map[string]string{}
 		config[enableOpentracing] = "true"

From 6b9865c607ff77115a6d933fc94f82ee898b640d Mon Sep 17 00:00:00 2001
From: Thibault Guittet <88336850+rh-tguittet@users.noreply.github.com>
Date: Sun, 24 Oct 2021 22:38:21 +0100
Subject: [PATCH 190/376] Update Bare-metal NodePort URL anchor (#7687)

---
 docs/deploy/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index 3a53aca1c..5c98aa996 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -187,7 +187,7 @@ A [complete list of available annotations for Oracle Cloud Infrastructure](https
 
 #### Bare-metal
 
-Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport):
+Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#nodeport):
 
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/baremetal/deploy.yaml

From 880ea6dba887b7b2f88feabbdf95cff7203ee7a2 Mon Sep 17 00:00:00 2001
From: Jens Reimann <ctron@dentrassi.de>
Date: Mon, 25 Oct 2021 00:10:21 +0200
Subject: [PATCH 191/376] fix: fix thread synchronization issue #6245 (#7800)

---
 internal/ingress/controller/template/template.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go
index 7ed297fa6..dc4b78c1a 100644
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@@ -63,6 +63,9 @@ const (
 
 // Writer is the interface to render a template
 type Writer interface {
+	// Write renders the template.
+	// NOTE: Implementors must ensure that the content of the returned slice is not modified by the implementation
+	// after the return of this function.
 	Write(conf config.TemplateConfig) ([]byte, error)
 }
 
@@ -202,7 +205,12 @@ func (t *Template) Write(conf config.TemplateConfig) ([]byte, error) {
 		return nil, err
 	}
 
-	return outCmdBuf.Bytes(), nil
+	// make a copy to ensure that we are no longer modifying the content of the buffer
+	out := outCmdBuf.Bytes()
+	res := make([]byte, len(out))
+	copy(res, out)
+
+	return res, nil
 }
 
 var (

From 5b94d83aeb0d11f8aa26e8cf1ef0fb2c04c2b32a Mon Sep 17 00:00:00 2001
From: WMP <janowski.m@gmail.com>
Date: Mon, 25 Oct 2021 00:28:21 +0200
Subject: [PATCH 192/376] priorityClassName should be in " " (#7512)

* priorityClassName should be in " "

Example:  https://github.com/helm/charts/blob/master/stable/k8s-spot-rescheduler/templates/deployment.yaml#L28

* Update charts/ingress-nginx/templates/controller-deployment.yaml

Co-authored-by: Alex Harder <13860012+ChiefAlexander@users.noreply.github.com>

Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com>
Co-authored-by: Alex Harder <13860012+ChiefAlexander@users.noreply.github.com>
---
 charts/ingress-nginx/templates/controller-deployment.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
index 41276c6fa..cdf96600c 100644
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -54,7 +54,7 @@ spec:
       imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
     {{- end }}
     {{- if .Values.controller.priorityClassName }}
-      priorityClassName: {{ .Values.controller.priorityClassName }}
+      priorityClassName: {{ .Values.controller.priorityClassName | quote }}
     {{- end }}
     {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
       securityContext:

From 1d1e89eb9bfa9cdd765ddff836f0bf4e1a200c52 Mon Sep 17 00:00:00 2001
From: Mateusz Gozdek <mgozdek@microsoft.com>
Date: Mon, 25 Oct 2021 16:04:24 +0200
Subject: [PATCH 193/376] Add myself as a reviewer to
 images/kube-webhook-certgen (#7845)

* OWNERS_ALIASES: add ingress-nginx-kube-webhook-certgen-reviewers

For extra kube-webhook-certgen reviewers.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen: add separate owners

To add myself as a reviewer as discussed in #7641.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
---
 OWNERS_ALIASES                     |  3 +++
 images/kube-webhook-certgen/OWNERS | 10 ++++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 images/kube-webhook-certgen/OWNERS

diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES
index b313f36b8..f147d0f89 100644
--- a/OWNERS_ALIASES
+++ b/OWNERS_ALIASES
@@ -30,3 +30,6 @@ aliases:
   ingress-nginx-helm-reviewers:
   - ChiefAlexander
   - cpanato
+
+  ingress-nginx-kube-webhook-certgen-reviewers:
+  - invidian
diff --git a/images/kube-webhook-certgen/OWNERS b/images/kube-webhook-certgen/OWNERS
new file mode 100644
index 000000000..ad47b2e6d
--- /dev/null
+++ b/images/kube-webhook-certgen/OWNERS
@@ -0,0 +1,10 @@
+# See the OWNERS docs: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md
+
+approvers:
+- ingress-nginx-admins
+- ingress-nginx-maintainers
+
+reviewers:
+- ingress-nginx-admins
+- ingress-nginx-maintainers
+- ingress-nginx-kube-webhook-certgen-reviewers

From 987a721723d9a7849aa25a40e48bd6cad5ac2dc7 Mon Sep 17 00:00:00 2001
From: Vladimir Varankin <vladimir@varank.in>
Date: Mon, 25 Oct 2021 19:47:02 +0200
Subject: [PATCH 194/376] update documentation and templates for aws nlb
 (#7662)

---
 deploy/static/provider/aws/deploy-tls-termination.yaml | 3 +--
 docs/deploy/index.md                                   | 8 ++++++--
 hack/generate-deploy-scripts.sh                        | 7 ++++---
 3 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml
index 99e6397c3..a0e07e952 100644
--- a/deploy/static/provider/aws/deploy-tls-termination.yaml
+++ b/deploy/static/provider/aws/deploy-tls-termination.yaml
@@ -269,12 +269,11 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
     service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60'
     service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
     service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX
     service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
-    service.beta.kubernetes.io/aws-load-balancer-type: elb
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
     helm.sh/chart: ingress-nginx-4.0.6
     app.kubernetes.io/name: ingress-nginx
diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index 5c98aa996..f5074b078 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -38,7 +38,7 @@ You can wait until it is ready to run the next command:
   - [Digital Ocean](#digital-ocean)
   - [Scaleway](#scaleway)
   - [Exoscale](#exoscale)
-  - [Oracle Cloud Infrastructure](#oracle-cloud-infrastructure)  
+  - [Oracle Cloud Infrastructure](#oracle-cloud-infrastructure)
   - [Bare-metal](#bare-metal)
   - [Verify installation](#verify-installation)
   - [Detect installed version](#detect-installed-version)
@@ -82,13 +82,17 @@ Please check the microk8s [documentation page](https://microk8s.io/docs/addon-in
 
 In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controller behind a Service of `Type=LoadBalancer`.
 
+!!! info
+    The provided templates illustrate the setup for legacy in-tree service load balancer for AWS NLB.
+    AWS provides the documentation on how to use [Network load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html) with [AWS Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller).
+
 ##### Network Load Balancer (NLB)
 
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/aws/deploy.yaml
 ```
 
-##### TLS termination in AWS Load Balancer (ELB)
+##### TLS termination in AWS Load Balancer (NLB)
 
 In some scenarios is required to terminate TLS in the Load Balancer and not in the ingress controller.
 
diff --git a/hack/generate-deploy-scripts.sh b/hack/generate-deploy-scripts.sh
index b8aec4104..28625721b 100755
--- a/hack/generate-deploy-scripts.sh
+++ b/hack/generate-deploy-scripts.sh
@@ -89,11 +89,12 @@ controller:
     externalTrafficPolicy: Local
 
     annotations:
-      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
-      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
+      # This example is for legacy in-tree service load balancer controller for AWS NLB,
+      # that has been phased out from Kubernetes mainline.
+      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
       service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
       service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX"
-      service.beta.kubernetes.io/aws-load-balancer-type: elb
+      service.beta.kubernetes.io/aws-load-balancer-type: nlb
       # Ensure the ELB idle timeout is less than nginx keep-alive timeout. By default,
       # NGINX keep-alive is set to 75s. If using WebSockets, the value will need to be
       # increased to '3600' to avoid any potential issues.

From 4da87d128d834f5dc9dff8b96cc874a4e98a8dc9 Mon Sep 17 00:00:00 2001
From: Jessica Andersson <jesandeit@gmail.com>
Date: Wed, 27 Oct 2021 15:31:26 +0200
Subject: [PATCH 195/376] improves text format for readability (#7855)

Small text format changes to section "I have more than one controller running in my cluster, and I want to use the new spec?" to allow for better readability.
---
 docs/index.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/docs/index.md b/docs/index.md
index 1154ba32b..6aa2ea81c 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -154,10 +154,12 @@ In this scenario, you need to create multiple ingressClasses (see example one).
 
 - Ingress-Nginx-IngressClass-1 with .spec.controller equals to "k8s.io/ingress-nginx1"
 - Ingress-Nginx-IngressClass-2 with .spec.controller equals to "k8s.io/ingress-nginx2"
+
 When deploying your ingress controllers, you will have to change the `--controller-class` field as follows:
 
-Ingress-Nginx-Controller-nginx1 with `k8s.io/ingress-nginx1`
-Ingress-Nginx-Controller-nginx2 with `k8s.io/ingress-nginx2`
+- Ingress-Nginx-Controller-nginx1 with `k8s.io/ingress-nginx1`
+- Ingress-Nginx-Controller-nginx2 with `k8s.io/ingress-nginx2`
+
 Then, when you create an Ingress Object with IngressClassName = `ingress-nginx2`, it will look for controllers with `controller-class=k8s.io/ingress-nginx2` and as `Ingress-Nginx-Controller-nginx2` is watching objects that points to `ingressClass="k8s.io/ingress-nginx2`, it will serve that object, while `Ingress-Nginx-Controller-nginx1` will ignore the ingress object.
 
 Bear in mind that, if your `Ingress-Nginx-Controller-nginx2` is started with the flag `--watch-ingress-without-class=true`, then it will serve:

From 8467124c24c48ee70d1a887dd750e9686cddf257 Mon Sep 17 00:00:00 2001
From: Paul McDonald <pm@thepaulmacca.com>
Date: Wed, 27 Oct 2021 18:05:25 +0100
Subject: [PATCH 196/376] Update upgrade.md (#7828)

Updated to the same release name in the installation guide
---
 docs/deploy/upgrade.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/deploy/upgrade.md b/docs/deploy/upgrade.md
index b42a09865..933829a80 100644
--- a/docs/deploy/upgrade.md
+++ b/docs/deploy/upgrade.md
@@ -41,11 +41,11 @@ For interactive editing, use `kubectl edit deployment nginx-ingress-controller -
 
 ## With Helm
 
-If you installed ingress-nginx using the Helm command in the deployment docs so its name is `ngx-ingress`,
+If you installed ingress-nginx using the Helm command in the deployment docs so its name is `ingress-nginx`,
 you should be able to upgrade using
 
 ```shell
-helm upgrade --reuse-values ngx-ingress ingress-nginx/ingress-nginx
+helm upgrade --reuse-values ingress-nginx ingress-nginx/ingress-nginx
 ```
 
 ### Migrating from stable/nginx-ingress

From e34ca93ad64a7d3ff99999aa9ca942de8b039600 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 1 Nov 2021 17:10:59 -0700
Subject: [PATCH 197/376] Bump github.com/ncabatoff/process-exporter from 0.7.5
 to 0.7.9 (#7865)

Bumps [github.com/ncabatoff/process-exporter](https://github.com/ncabatoff/process-exporter) from 0.7.5 to 0.7.9.
- [Release notes](https://github.com/ncabatoff/process-exporter/releases)
- [Changelog](https://github.com/ncabatoff/process-exporter/blob/master/cloudbuild.release.yaml)
- [Commits](https://github.com/ncabatoff/process-exporter/compare/v0.7.5...v0.7.9)

---
updated-dependencies:
- dependency-name: github.com/ncabatoff/process-exporter
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod |  6 +++---
 go.sum | 24 ++++++++++++++----------
 2 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/go.mod b/go.mod
index 2f64cfd89..225d191a3 100644
--- a/go.mod
+++ b/go.mod
@@ -15,7 +15,7 @@ require (
 	github.com/mitchellh/hashstructure v1.1.0
 	github.com/mitchellh/mapstructure v1.4.2
 	github.com/moul/pb v0.0.0-20180404114147-54bdd96e6a52
-	github.com/ncabatoff/process-exporter v0.7.5
+	github.com/ncabatoff/process-exporter v0.7.9
 	github.com/onsi/ginkgo v1.16.4
 	github.com/opencontainers/runc v1.0.2
 	github.com/pkg/errors v0.9.1
@@ -84,7 +84,7 @@ require (
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/gomarkdown/markdown v0.0.0-20200824053859-8c8b3816f167 // indirect
 	github.com/google/btree v1.0.0 // indirect
-	github.com/google/go-cmp v0.5.5 // indirect
+	github.com/google/go-cmp v0.5.6 // indirect
 	github.com/google/go-querystring v1.0.0 // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
@@ -108,7 +108,7 @@ require (
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
-	github.com/prometheus/procfs v0.6.0 // indirect
+	github.com/prometheus/procfs v0.7.3 // indirect
 	github.com/sergi/go-diff v1.1.0 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
diff --git a/go.sum b/go.sum
index 718fba62f..bdc542758 100644
--- a/go.sum
+++ b/go.sum
@@ -329,8 +329,9 @@ github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
+github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -445,6 +446,8 @@ github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFB
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
+github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
@@ -528,9 +531,8 @@ github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OS
 github.com/ncabatoff/fakescraper v0.0.0-20201102132415-4b37ba603d65/go.mod h1:Tx6UMSMyIsjLG/VU/F6xA1+0XI+/f9o1dGJnf1l+bPg=
 github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833 h1:t4WWQ9I797y7QUgeEjeXnVb+oYuEDQc6gLvrZJTYo94=
 github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833/go.mod h1:0CznHmXSjMEqs5Tezj/w2emQoM41wzYM9KpDKUHPYag=
-github.com/ncabatoff/process-exporter v0.7.5 h1:KPB7abQEny4kaSge/WFRQb04/UbLmUgHxrpWAU+voRE=
-github.com/ncabatoff/process-exporter v0.7.5/go.mod h1:RMjrx3Qn8l2pgCD27g45xbko4UDpVVuHC8Cd2YXPtWA=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/ncabatoff/process-exporter v0.7.9 h1:RRvLF8pbWwLryEZiNMKJGfCTQkJW8SNabneiKQq3DBY=
+github.com/ncabatoff/process-exporter v0.7.9/go.mod h1:I/1yUBpScNw5UC/Qf2DC9vWqol2cR6jPqSVulMEnzxQ=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
@@ -578,6 +580,7 @@ github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+v
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0jef7pBehbT1qWhCMrIgbYNnFAZCqQ5LRc=
 github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -594,7 +597,6 @@ github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDf
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og=
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
-github.com/prometheus/client_golang v1.8.0/go.mod h1:O9VU6huf47PktckDQfMTX0Y8tY0/7TSWwj+ITvv0TnM=
 github.com/prometheus/client_golang v1.11.0 h1:HNkLOAEQMIDv/K+04rukrLx6ch7msSRwf3/SASFAGtQ=
 github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
@@ -610,7 +612,6 @@ github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA=
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
-github.com/prometheus/common v0.14.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s=
 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
 github.com/prometheus/common v0.31.1 h1:d18hG4PkHnNAKNMOmFuXFaiY8Us0nird/2m60uS1AMs=
 github.com/prometheus/common v0.31.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
@@ -621,13 +622,17 @@ github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsT
 github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
-github.com/prometheus/procfs v0.6.0 h1:mxy4L2jP6qMonqmq+aTtOx1ifVWUgG/TAmntgbh3xv4=
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
+github.com/prometheus/procfs v0.7.3 h1:4jVXhlkAyzOScmCkXBTOLRLTz8EeU+eyjrwB/EPq0VU=
+github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
+github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8=
+github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E=
@@ -956,7 +961,6 @@ golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201015000850-e3ed0017c211/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1190,8 +1194,8 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U=
-gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=

From ed34f6c93d27fa69253822cf0d66f542d369a1c8 Mon Sep 17 00:00:00 2001
From: counter2015 <hujiawei7@outlook.com>
Date: Tue, 2 Nov 2021 08:12:58 +0800
Subject: [PATCH 198/376] fix ingress syntax. (#7867)

---
 .github/ISSUE_TEMPLATE/bug_report.md          | 13 +++---
 .../affinity/cookie/ingress-samesite.yaml     | 22 ++++++----
 docs/examples/affinity/cookie/ingress.yaml    | 11 +++--
 docs/examples/auth/basic/README.md            |  7 +++-
 docs/examples/auth/client-certs/ingress.yaml  | 11 +++--
 docs/examples/auth/external-auth/README.md    | 11 +++--
 docs/examples/auth/external-auth/ingress.yaml | 11 +++--
 .../dashboard-ingress.yaml                    | 23 ++++++----
 docs/examples/chashsubset/deployment.yaml     | 14 +++++--
 .../configuration-snippets/ingress.yaml       | 11 +++--
 .../deploy/echo-service.yaml                  | 22 ++++++----
 .../docker-registry/ingress-with-tls.yaml     | 11 +++--
 .../docker-registry/ingress-without-tls.yaml  | 11 +++--
 docs/examples/multi-tls/multi-tls.yaml        | 22 ++++++----
 docs/examples/rewrite/README.md               | 22 ++++++----
 docs/examples/static-ip/nginx-ingress.yaml    | 10 +++--
 docs/examples/tls-termination/README.md       |  7 +++-
 docs/examples/tls-termination/ingress.yaml    |  7 +++-
 docs/user-guide/fcgi-services.md              | 10 +++--
 docs/user-guide/ingress-path-matching.md      | 42 +++++++++++++------
 .../third-party-addons/opentracing.md         | 11 +++--
 21 files changed, 204 insertions(+), 105 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index c39d6e2c2..63a7bfbf6 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -100,7 +100,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main
 ## Create an ingress (please add any additional annotation required)
 
 echo "
-  apiVersion: networking.k8s.io/v1beta1
+  apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: foo-bar
@@ -109,10 +109,13 @@ echo "
     - host: foo.bar
       http:
         paths:
-        - backend:
-            serviceName: http-svc
-            servicePort: 80
-          path: /
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: http-svc
+              port: 
+                number: 80
 " | kubectl apply -f -
 
 ## make a request
diff --git a/docs/examples/affinity/cookie/ingress-samesite.yaml b/docs/examples/affinity/cookie/ingress-samesite.yaml
index edfa1b653..d03a25e39 100644
--- a/docs/examples/affinity/cookie/ingress-samesite.yaml
+++ b/docs/examples/affinity/cookie/ingress-samesite.yaml
@@ -15,10 +15,13 @@ spec:
   - host: stickyingress-samesite-none.example.com
     http:
       paths:
-      - backend:
-          serviceName: http-svc
-          servicePort: 80
-        path: /
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: http-svc
+            port:
+              number: 80
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -35,7 +38,10 @@ spec:
   - host: stickyingress-samesite-strict.example.com
     http:
       paths:
-      - backend:
-          serviceName: http-svc
-          servicePort: 80
-        path: /
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: http-svc
+            port:
+              number: 80
\ No newline at end of file
diff --git a/docs/examples/affinity/cookie/ingress.yaml b/docs/examples/affinity/cookie/ingress.yaml
index eac973fde..d3053021e 100644
--- a/docs/examples/affinity/cookie/ingress.yaml
+++ b/docs/examples/affinity/cookie/ingress.yaml
@@ -13,7 +13,10 @@ spec:
   - host: stickyingress.example.com
     http:
       paths:
-      - backend:
-          serviceName: http-svc
-          servicePort: 80
-        path: /
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: http-svc
+            port: 
+              number: 80
diff --git a/docs/examples/auth/basic/README.md b/docs/examples/auth/basic/README.md
index a5fa579e0..d3d255afb 100644
--- a/docs/examples/auth/basic/README.md
+++ b/docs/examples/auth/basic/README.md
@@ -47,9 +47,12 @@ spec:
     http:
       paths:
       - path: /
+        pathType: Prefix
         backend:
-          serviceName: http-svc
-          servicePort: 80
+          service: 
+            name: http-svc
+            port: 
+              number: 80
 " | kubectl create -f -
 ```
 
diff --git a/docs/examples/auth/client-certs/ingress.yaml b/docs/examples/auth/client-certs/ingress.yaml
index 7172081b4..90ff87514 100644
--- a/docs/examples/auth/client-certs/ingress.yaml
+++ b/docs/examples/auth/client-certs/ingress.yaml
@@ -19,10 +19,13 @@ spec:
   - host: mydomain.com
     http:
       paths:
-      - backend:
-          serviceName: http-svc
-          servicePort: 80
-        path: /
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: http-svc
+            port:
+              number: 80
   tls:
   - hosts:
     - mydomain.com
diff --git a/docs/examples/auth/external-auth/README.md b/docs/examples/auth/external-auth/README.md
index 235cca9cb..62ae72e2c 100644
--- a/docs/examples/auth/external-auth/README.md
+++ b/docs/examples/auth/external-auth/README.md
@@ -30,10 +30,13 @@ spec:
   - host: external-auth-01.sample.com
     http:
       paths:
-      - backend:
-          serviceName: http-svc
-          servicePort: 80
-        path: /
+      - path: /
+        pathType: Prefix
+        backend:
+          service: 
+            name: http-svc
+            port: 
+              number: 80
 status:
   loadBalancer:
     ingress:
diff --git a/docs/examples/auth/external-auth/ingress.yaml b/docs/examples/auth/external-auth/ingress.yaml
index 2a58ca2e3..df80cbb25 100644
--- a/docs/examples/auth/external-auth/ingress.yaml
+++ b/docs/examples/auth/external-auth/ingress.yaml
@@ -9,7 +9,10 @@ spec:
   - host: external-auth-01.sample.com
     http:
       paths:
-      - backend:
-          serviceName: http-svc
-          servicePort: 80
-        path: /
\ No newline at end of file
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: http-svc
+            port:
+              number: 80
\ No newline at end of file
diff --git a/docs/examples/auth/oauth-external-auth/dashboard-ingress.yaml b/docs/examples/auth/oauth-external-auth/dashboard-ingress.yaml
index 725bf1dc5..4c0a2d373 100644
--- a/docs/examples/auth/oauth-external-auth/dashboard-ingress.yaml
+++ b/docs/examples/auth/oauth-external-auth/dashboard-ingress.yaml
@@ -11,11 +11,13 @@ spec:
   - host: __INGRESS_HOST__
     http:
       paths:
-      - backend:
-          serviceName: kubernetes-dashboard
-          servicePort: 80
-        path: /
-
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: kubernetes-dashboard
+            port:
+              number: 80
 ---
 
 apiVersion: networking.k8s.io/v1
@@ -28,10 +30,13 @@ spec:
   - host: __INGRESS_HOST__
     http:
       paths:
-      - backend:
-          serviceName: oauth2-proxy
-          servicePort: 4180
-        path: /oauth2
+      - path: /oauth2
+        pathType: Prefix
+        backend:
+          service:
+            name: oauth2-proxy
+            port:
+              number: 4180
   tls:
   - hosts:
     - __INGRESS_HOST__
diff --git a/docs/examples/chashsubset/deployment.yaml b/docs/examples/chashsubset/deployment.yaml
index 24a41dcc2..867cd01c0 100644
--- a/docs/examples/chashsubset/deployment.yaml
+++ b/docs/examples/chashsubset/deployment.yaml
@@ -64,7 +64,15 @@ metadata:
   name: nginxhello-ingress
   namespace: default
 spec:
-  backend:
-    serviceName: nginxhello
-    servicePort: 80
+  rules:
+  - host: foo.bar.com
+    http:
+      paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: nginxhello
+              port:
+                number: 80
 
diff --git a/docs/examples/customization/configuration-snippets/ingress.yaml b/docs/examples/customization/configuration-snippets/ingress.yaml
index 70d9042c7..aaf31f0bb 100644
--- a/docs/examples/customization/configuration-snippets/ingress.yaml
+++ b/docs/examples/customization/configuration-snippets/ingress.yaml
@@ -10,7 +10,10 @@ spec:
   - host: custom.configuration.com
     http:
       paths:
-      - backend:
-          serviceName: http-svc
-          servicePort: 80
-        path: /
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: http-svc
+            port:
+              number: 80
diff --git a/docs/examples/customization/external-auth-headers/deploy/echo-service.yaml b/docs/examples/customization/external-auth-headers/deploy/echo-service.yaml
index 075421807..3a80ae834 100644
--- a/docs/examples/customization/external-auth-headers/deploy/echo-service.yaml
+++ b/docs/examples/customization/external-auth-headers/deploy/echo-service.yaml
@@ -56,10 +56,13 @@ spec:
   - host: public-demo-echo-service.kube.local
     http:
       paths:
-      - backend:
-          serviceName: demo-echo-service
-          servicePort: 80
-        path: /
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: demo-echo-service
+            port:
+              number: 80
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -74,7 +77,10 @@ spec:
   - host: secure-demo-echo-service.kube.local
     http:
       paths:
-      - backend:
-          serviceName: demo-echo-service
-          servicePort: 80
-        path: /
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: demo-echo-service
+            port:
+              number: 80
diff --git a/docs/examples/docker-registry/ingress-with-tls.yaml b/docs/examples/docker-registry/ingress-with-tls.yaml
index 11ccf6627..bef35c50b 100644
--- a/docs/examples/docker-registry/ingress-with-tls.yaml
+++ b/docs/examples/docker-registry/ingress-with-tls.yaml
@@ -17,7 +17,10 @@ spec:
   - host: registry.<your domain>
     http:
       paths:
-      - backend:
-          serviceName: docker-registry
-          servicePort: 5000
-        path: /
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: docker-registry
+            port:
+              number: 5000
\ No newline at end of file
diff --git a/docs/examples/docker-registry/ingress-without-tls.yaml b/docs/examples/docker-registry/ingress-without-tls.yaml
index 2d713cb8c..f64cbb295 100644
--- a/docs/examples/docker-registry/ingress-without-tls.yaml
+++ b/docs/examples/docker-registry/ingress-without-tls.yaml
@@ -12,7 +12,10 @@ spec:
   - host: registry.<your domain>
     http:
       paths:
-      - backend:
-          serviceName: docker-registry
-          servicePort: 5000
-        path: /
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: docker-registry
+            port:
+              number: 5000
diff --git a/docs/examples/multi-tls/multi-tls.yaml b/docs/examples/multi-tls/multi-tls.yaml
index b3985439e..aa2cf54d6 100644
--- a/docs/examples/multi-tls/multi-tls.yaml
+++ b/docs/examples/multi-tls/multi-tls.yaml
@@ -115,14 +115,20 @@ spec:
   - host: foo.bar.com
     http:
       paths:
-      - backend:
-          serviceName: http-svc
-          servicePort: 80
-        path: /
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: http-svc
+            port:
+              number: 80
   - host: bar.baz.com
     http:
       paths:
-      - backend:
-          serviceName: nginx
-          servicePort: 80
-        path: /
+      - path: /
+        pathType: Prefix
+        backend:
+          service
+            name: nginx
+            port:
+              number: 80
diff --git a/docs/examples/rewrite/README.md b/docs/examples/rewrite/README.md
index 6ae71a5d8..3c48b100f 100644
--- a/docs/examples/rewrite/README.md
+++ b/docs/examples/rewrite/README.md
@@ -46,10 +46,13 @@ spec:
   - host: rewrite.bar.com
     http:
       paths:
-      - backend:
-          serviceName: http-svc
-          servicePort: 80
-        path: /something(/|$)(.*)
+      - path: /something(/|$)(.*)
+        pathType: Prefix
+        backend:
+          service:
+            name: http-svc
+            port: 
+              number: 80
 ' | kubectl create -f -
 ```
 
@@ -78,10 +81,13 @@ spec:
   - host: approot.bar.com
     http:
       paths:
-      - backend:
-          serviceName: http-svc
-          servicePort: 80
-        path: /
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: http-svc
+            port: 
+              number: 80
 " | kubectl create -f -
 ```
 
diff --git a/docs/examples/static-ip/nginx-ingress.yaml b/docs/examples/static-ip/nginx-ingress.yaml
index 358942f5c..740f46e89 100644
--- a/docs/examples/static-ip/nginx-ingress.yaml
+++ b/docs/examples/static-ip/nginx-ingress.yaml
@@ -9,7 +9,11 @@ spec:
   rules:
   - http:
       paths:
-      - backend:
+      - path: /
+        pathType: Prefix
+        backend:
           # This assumes http-svc exists and routes to healthy endpoints.
-          serviceName: http-svc
-          servicePort: 80
+          service:
+            name: http-svc
+            port:
+              number: 80
diff --git a/docs/examples/tls-termination/README.md b/docs/examples/tls-termination/README.md
index f3096db2e..2df767e26 100644
--- a/docs/examples/tls-termination/README.md
+++ b/docs/examples/tls-termination/README.md
@@ -27,10 +27,13 @@ spec:
       http:
         paths:
         - path: /
+          pathType: Prefix
           backend:
             # This assumes http-svc exists and routes to healthy endpoints
-            serviceName: http-svc
-            servicePort: 80
+            service:
+              name: http-svc
+              port: 
+                number: 80
 ```
 
 The following command instructs the controller to terminate traffic using the provided
diff --git a/docs/examples/tls-termination/ingress.yaml b/docs/examples/tls-termination/ingress.yaml
index 2e989d1b0..debaa45b2 100644
--- a/docs/examples/tls-termination/ingress.yaml
+++ b/docs/examples/tls-termination/ingress.yaml
@@ -14,7 +14,10 @@ spec:
       http:
         paths:
         - path: /
+          pathType: Prefix
           backend:
             # This assumes http-svc exists and routes to healthy endpoints
-            serviceName: http-svc
-            servicePort: 80
+            service:
+              name: http-svc
+              port:
+                number: 80
diff --git a/docs/user-guide/fcgi-services.md b/docs/user-guide/fcgi-services.md
index 62271c2ce..03afc89d1 100644
--- a/docs/user-guide/fcgi-services.md
+++ b/docs/user-guide/fcgi-services.md
@@ -74,9 +74,13 @@ spec:
   - host: app.example.com
     http:
       paths:
-      - backend:
-          serviceName: example-service
-          servicePort: fastcgi
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: example-service
+            port:
+              name: fastcgi
 ```
 
 ## FastCGI Ingress Annotations
diff --git a/docs/user-guide/ingress-path-matching.md b/docs/user-guide/ingress-path-matching.md
index 6812e2cb5..e5e0d9a50 100644
--- a/docs/user-guide/ingress-path-matching.md
+++ b/docs/user-guide/ingress-path-matching.md
@@ -27,9 +27,12 @@ spec:
     http:
       paths:
       - path: /foo/.*
+        pathType: Prefix
         backend:
-          serviceName: test
-          servicePort: 80
+          service:
+            name: test
+            port:
+              number: 80
 ```
 
 The preceding ingress definition would translate to the following location block within the NGINX configuration for the `test.com` server:
@@ -61,13 +64,19 @@ spec:
     http:
       paths:
       - path: /foo/bar
+        pathType: Prefix
         backend:
-          serviceName: service1
-          servicePort: 80
+          service:
+            name: service1
+            port:
+              number: 80
       - path: /foo/bar/
+        pathType: Prefix
         backend:
-          serviceName: service2
-          servicePort: 80
+          service:
+            name: service2
+            port:
+              number: 80
 ```
 
 ```yaml
@@ -83,9 +92,12 @@ spec:
     http:
       paths:
       - path: /foo/bar/(.+)
+        pathType: Prefix
         backend:
-          serviceName: service3
-          servicePort: 80
+          service:
+            name: service3
+            port: 
+              number: 80
 ```
 
 The ingress controller would define the following location blocks, in order of descending length, within the NGINX template for the `test.com` server:
@@ -137,13 +149,19 @@ spec:
     http:
       paths:
       - path: /foo/bar/bar
+        pathType: Prefix
         backend:
-          serviceName: test
-          servicePort: 80
+          service:
+            name: test
+            port: 
+              number: 80
       - path: /foo/bar/[A-Z0-9]{3}
+        pathType: Prefix
         backend:
-          serviceName: test
-          servicePort: 80
+          service:
+            name: test
+            port: 
+              number: 80
 ```
 
 The ingress controller would define the following location blocks (in this order) within the NGINX template for the `test.com` server:
diff --git a/docs/user-guide/third-party-addons/opentracing.md b/docs/user-guide/third-party-addons/opentracing.md
index 6c2918046..e27f32f6b 100644
--- a/docs/user-guide/third-party-addons/opentracing.md
+++ b/docs/user-guide/third-party-addons/opentracing.md
@@ -189,10 +189,13 @@ In the Zipkin interface we can see the details:
         - host: example.com
           http:
             paths:
-            - backend:
-                serviceName: echoheaders-x
-                servicePort: 80
-              path: /echo
+            - path: /echo
+              pathType: Prefix
+              backend:
+                service:
+                  name: echoheaders-x
+                  port:
+                    number: 80
       ' | kubectl apply -f -
     ```
 

From c8ab4dc3072ff36491a2b896e4b2a1e3726b7caf Mon Sep 17 00:00:00 2001
From: Rahil Patel <37254995+rahil-p@users.noreply.github.com>
Date: Tue, 2 Nov 2021 07:52:59 -0400
Subject: [PATCH 199/376] add `brotli-min-length` configuration option (#7854)

* add `brotli-min-length` configuration option

* add e2e tests for brotli

* include check for expected content type

* fix header and format
---
 .../nginx-configuration/configmap.md          |  5 ++
 internal/ingress/controller/config/config.go  |  4 +
 rootfs/etc/nginx/template/nginx.tmpl          |  1 +
 test/e2e/settings/brotli.go                   | 74 +++++++++++++++++++
 4 files changed, 84 insertions(+)
 create mode 100644 test/e2e/settings/brotli.go

diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index 4fdda21ba..21cb2799e 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -98,6 +98,7 @@ The following table shows a configuration option's name, type, and the default v
 |[use-geoip2](#use-geoip2)|bool|"false"|
 |[enable-brotli](#enable-brotli)|bool|"false"|
 |[brotli-level](#brotli-level)|int|4|
+|[brotli-min-length](#brotli-min-length)|int|20|
 |[brotli-types](#brotli-types)|string|"application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component"|
 |[use-http2](#use-http2)|bool|"true"|
 |[gzip-level](#gzip-level)|int|1|
@@ -665,6 +666,10 @@ The default mime type list to compress is: `application/xml+rss application/atom
 
 Sets the Brotli Compression Level that will be used. _**default:**_ 4
 
+## brotli-min-length
+
+Minimum length of responses, in bytes, that will be eligible for brotli compression. _**default:**_ 20
+
 ## brotli-types
 
 Sets the MIME Types that will be compressed on-the-fly by brotli.
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
index b1a5fc8c4..2d853cfb0 100644
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@@ -413,6 +413,9 @@ type Configuration struct {
 	// Brotli Compression Level that will be used
 	BrotliLevel int `json:"brotli-level,omitempty"`
 
+	// Minimum length of responses, in bytes, that will be eligible for brotli compression
+	BrotliMinLength int `json:"brotli-min-length,omitempty"`
+
 	// MIME Types that will be compressed on-the-fly using Brotli module
 	BrotliTypes string `json:"brotli-types,omitempty"`
 
@@ -778,6 +781,7 @@ func NewDefault() Configuration {
 		BlockUserAgents:                  defBlockEntity,
 		BlockReferers:                    defBlockEntity,
 		BrotliLevel:                      4,
+		BrotliMinLength:                  20,
 		BrotliTypes:                      brotliTypes,
 		ClientHeaderBufferSize:           "1k",
 		ClientHeaderTimeout:              60,
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index bfe0703ff..9beca463b 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -320,6 +320,7 @@ http {
     {{ if $cfg.EnableBrotli }}
     brotli on;
     brotli_comp_level {{ $cfg.BrotliLevel }};
+    brotli_min_length {{ $cfg.BrotliMinLength }};
     brotli_types {{ $cfg.BrotliTypes }};
     {{ end }}
 
diff --git a/test/e2e/settings/brotli.go b/test/e2e/settings/brotli.go
new file mode 100644
index 000000000..52092ee83
--- /dev/null
+++ b/test/e2e/settings/brotli.go
@@ -0,0 +1,74 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package settings
+
+import (
+	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/onsi/ginkgo"
+
+	"k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+var _ = framework.IngressNginxDescribe("brotli", func() {
+	f := framework.NewDefaultFramework("brotli")
+
+	host := "brotli"
+
+	ginkgo.BeforeEach(func() {
+		f.NewHttpbinDeployment()
+	})
+
+	ginkgo.It("should only compress responses that meet the `brotli-min-length` condition", func() {
+		brotliMinLength := 24
+		contentEncoding := "application/octet-stream"
+		f.UpdateNginxConfigMapData("enable-brotli", "true")
+		f.UpdateNginxConfigMapData("brotli-types", contentEncoding)
+		f.UpdateNginxConfigMapData("brotli-min-length", strconv.Itoa(brotliMinLength))
+
+		f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, nil))
+
+		f.WaitForNginxConfiguration(
+			func(server string) bool {
+				return strings.Contains(server, fmt.Sprintf("server_name %v", host)) &&
+					strings.Contains(server, "brotli on") &&
+					strings.Contains(server, fmt.Sprintf("brotli_types %v", contentEncoding)) &&
+					strings.Contains(server, fmt.Sprintf("brotli_min_length %d", brotliMinLength))
+			})
+
+		f.HTTPTestClient().
+			GET(fmt.Sprintf("/bytes/%d", brotliMinLength)).
+			WithHeader("Host", host).
+			WithHeader("Accept-Encoding", "br").
+			Expect().
+			Status(http.StatusOK).
+			ContentType(contentEncoding).
+			ContentEncoding("br")
+
+		f.HTTPTestClient().
+			GET(fmt.Sprintf("/bytes/%d", brotliMinLength-1)).
+			WithHeader("Host", host).
+			WithHeader("Accept-Encoding", "br").
+			Expect().
+			Status(http.StatusOK).
+			ContentType(contentEncoding).
+			ContentEncoding()
+	})
+})

From 43c22c491489ddfc16264447d9a387f140bfaecb Mon Sep 17 00:00:00 2001
From: zhengtianbao <china.zhengtianbao@gmail.com>
Date: Wed, 3 Nov 2021 01:46:59 +0800
Subject: [PATCH 200/376] remove build-plugin extra quote (#7870)

---
 build/build-plugin.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build/build-plugin.sh b/build/build-plugin.sh
index 578957eb4..93b6efbdf 100755
--- a/build/build-plugin.sh
+++ b/build/build-plugin.sh
@@ -57,7 +57,7 @@ function build_for_arch(){
     -trimpath -ldflags="-buildid= -w -s" \
       -X ${PKG}/version.RELEASE=${TAG} \
       -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
-      -X ${PKG}/version.REPO=${REPO_INFO}" \
+      -X ${PKG}/version.REPO=${REPO_INFO} \
     -o "${release}/kubectl-ingress_nginx${extension}" "${PKG}/cmd/plugin"
 
     cp LICENSE ${release}

From a5bab6a7150f65dcf06588aeef31a41bad4b7da6 Mon Sep 17 00:00:00 2001
From: FBLGit <fblgit@users.noreply.github.com>
Date: Wed, 3 Nov 2021 01:54:34 +0800
Subject: [PATCH 201/376] feature: added AdmissionController metrics (#7711)

* feature: added AdmissionController metrics

* fix: flag control on admissionCollector

* fix: admission collector disclaimer year and linting
---
 cmd/nginx/main.go                             |   4 +-
 internal/ingress/controller/controller.go     |  19 ++-
 internal/ingress/controller/nginx.go          |   3 +-
 .../ingress/metric/collectors/admission.go    | 157 ++++++++++++++++++
 .../metric/collectors/admission_test.go       | 122 ++++++++++++++
 internal/ingress/metric/dummy.go              |   7 +-
 internal/ingress/metric/main.go               |  35 +++-
 7 files changed, 333 insertions(+), 14 deletions(-)
 create mode 100644 internal/ingress/metric/collectors/admission.go
 create mode 100644 internal/ingress/metric/collectors/admission_test.go

diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go
index 69d12d05e..fb87ad84a 100644
--- a/cmd/nginx/main.go
+++ b/cmd/nginx/main.go
@@ -138,7 +138,9 @@ func main() {
 			klog.Fatalf("Error creating prometheus collector:  %v", err)
 		}
 	}
-	mc.Start()
+	// Pass the ValidationWebhook status to determine if we need to start the collector
+	// for the admissionWebhook
+	mc.Start(conf.ValidationWebhook)
 
 	if conf.EnableProfiling {
 		go registerProfiler()
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index f935f5fff..d648bb3ae 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -215,6 +215,8 @@ func (n *NGINXController) syncIngress(interface{}) error {
 // CheckIngress returns an error in case the provided ingress, when added
 // to the current configuration, generates an invalid configuration
 func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
+	startCheck := time.Now().UnixNano() / 1000000
+
 	if ing == nil {
 		// no ingress to add, no state change
 		return nil
@@ -233,7 +235,7 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 	if n.cfg.DisableCatchAll && ing.Spec.DefaultBackend != nil {
 		return fmt.Errorf("This deployment is trying to create a catch-all ingress while DisableCatchAll flag is set to true. Remove '.spec.backend' or set DisableCatchAll flag to false.")
 	}
-
+	startRender := time.Now().UnixNano() / 1000000
 	cfg := n.store.GetBackendConfiguration()
 	cfg.Resolver = n.resolver
 
@@ -267,7 +269,7 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 		Ingress:           *ing,
 		ParsedAnnotations: annotations.NewAnnotationExtractor(n.store).Extract(ing),
 	})
-
+	startTest := time.Now().UnixNano() / 1000000
 	_, servers, pcfg := n.getConfiguration(ings)
 
 	err := checkOverlap(ing, allIngresses, servers)
@@ -275,9 +277,10 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 		n.metricCollector.IncCheckErrorCount(ing.ObjectMeta.Namespace, ing.Name)
 		return err
 	}
-
+	testedSize := len(ings)
 	if n.cfg.DisableFullValidationTest {
 		_, _, pcfg = n.getConfiguration(ings[len(ings)-1:])
+		testedSize = 1
 	}
 
 	content, err := n.generateTemplate(cfg, *pcfg)
@@ -291,8 +294,16 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 		n.metricCollector.IncCheckErrorCount(ing.ObjectMeta.Namespace, ing.Name)
 		return err
 	}
-
 	n.metricCollector.IncCheckCount(ing.ObjectMeta.Namespace, ing.Name)
+	endCheck := time.Now().UnixNano() / 1000000
+	n.metricCollector.SetAdmissionMetrics(
+		float64(testedSize),
+		float64(endCheck-startTest)/1000,
+		float64(len(ings)),
+		float64(startTest-startRender)/1000,
+		float64(len(content)),
+		float64(endCheck-startCheck)/1000,
+	)
 	return nil
 }
 
diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go
index ddde11bc8..b77d1d870 100644
--- a/internal/ingress/controller/nginx.go
+++ b/internal/ingress/controller/nginx.go
@@ -241,7 +241,8 @@ type NGINXController struct {
 
 	store store.Storer
 
-	metricCollector metric.Collector
+	metricCollector    metric.Collector
+	admissionCollector metric.Collector
 
 	validationWebhookServer *http.Server
 
diff --git a/internal/ingress/metric/collectors/admission.go b/internal/ingress/metric/collectors/admission.go
new file mode 100644
index 000000000..cf42fbaa1
--- /dev/null
+++ b/internal/ingress/metric/collectors/admission.go
@@ -0,0 +1,157 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package collectors
+
+import (
+	"fmt"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"k8s.io/klog/v2"
+)
+
+// AdmissionCollector stores prometheus metrics of the admission webhook
+type AdmissionCollector struct {
+	prometheus.Collector
+
+	testedIngressLength prometheus.Gauge
+	testedIngressTime   prometheus.Gauge
+
+	renderingIngressLength prometheus.Gauge
+	renderingIngressTime   prometheus.Gauge
+
+	admissionTime prometheus.Gauge
+
+	testedConfigurationSize prometheus.Gauge
+
+	constLabels prometheus.Labels
+	labels      prometheus.Labels
+}
+
+// NewAdmissionCollector creates a new AdmissionCollector instance for the admission collector
+func NewAdmissionCollector(pod, namespace, class string) *AdmissionCollector {
+	constLabels := prometheus.Labels{
+		"controller_namespace": namespace,
+		"controller_class":     class,
+		"controller_pod":       pod,
+	}
+
+	am := &AdmissionCollector{
+		constLabels: constLabels,
+
+		labels: prometheus.Labels{
+			"namespace": namespace,
+			"class":     class,
+		},
+
+		testedIngressLength: prometheus.NewGauge(
+			prometheus.GaugeOpts{
+				Name:        "admission_tested_ingresses",
+				Help:        "The length of ingresses processed by the admission controller",
+				Namespace:   PrometheusNamespace,
+				ConstLabels: constLabels,
+			}),
+		testedIngressTime: prometheus.NewGauge(
+			prometheus.GaugeOpts{
+				Name:        "admission_tested_duration",
+				Help:        "The processing duration of the admission controller tests (float seconds)",
+				Namespace:   PrometheusNamespace,
+				ConstLabels: constLabels,
+			}),
+		renderingIngressLength: prometheus.NewGauge(
+			prometheus.GaugeOpts{
+				Name:        "admission_render_ingresses",
+				Help:        "The length of ingresses rendered by the admission controller",
+				Namespace:   PrometheusNamespace,
+				ConstLabels: constLabels,
+			}),
+		renderingIngressTime: prometheus.NewGauge(
+			prometheus.GaugeOpts{
+				Name:        "admission_render_duration",
+				Help:        "The processing duration of ingresses rendering by the admission controller (float seconds)",
+				Namespace:   PrometheusNamespace,
+				ConstLabels: constLabels,
+			}),
+		testedConfigurationSize: prometheus.NewGauge(
+			prometheus.GaugeOpts{
+				Namespace:   PrometheusNamespace,
+				Name:        "admission_config_size",
+				Help:        "The size of the tested configuration",
+				ConstLabels: constLabels,
+			}),
+		admissionTime: prometheus.NewGauge(
+			prometheus.GaugeOpts{
+				Name:        "admission_roundtrip_duration",
+				Help:        "The complete duration of the admission controller at the time to process a new event (float seconds)",
+				Namespace:   PrometheusNamespace,
+				ConstLabels: constLabels,
+			}),
+	}
+	return am
+}
+
+// Describe implements prometheus.Collector
+func (am AdmissionCollector) Describe(ch chan<- *prometheus.Desc) {
+	am.testedIngressLength.Describe(ch)
+	am.testedIngressTime.Describe(ch)
+	am.renderingIngressLength.Describe(ch)
+	am.renderingIngressTime.Describe(ch)
+	am.testedConfigurationSize.Describe(ch)
+	am.admissionTime.Describe(ch)
+}
+
+// Collect implements the prometheus.Collector interface.
+func (am AdmissionCollector) Collect(ch chan<- prometheus.Metric) {
+	am.testedIngressLength.Collect(ch)
+	am.testedIngressTime.Collect(ch)
+	am.renderingIngressLength.Collect(ch)
+	am.renderingIngressTime.Collect(ch)
+	am.testedConfigurationSize.Collect(ch)
+	am.admissionTime.Collect(ch)
+}
+
+// ByteFormat formats humanReadable bytes
+func ByteFormat(bytes int64) string {
+	const unit = 1000
+	if bytes < unit {
+		return fmt.Sprintf("%d B", bytes)
+	}
+	div, exp := int64(unit), 0
+	for n := bytes / unit; n >= unit; n /= unit {
+		div *= unit
+		exp++
+	}
+	return fmt.Sprintf("%.1f%cB",
+		float64(bytes)/float64(div), "kMGTPE"[exp])
+}
+
+// SetAdmissionMetrics sets the values for AdmissionMetrics that can be called externally
+func (am *AdmissionCollector) SetAdmissionMetrics(testedIngressLength float64, testedIngressTime float64, renderingIngressLength float64, renderingIngressTime float64, testedConfigurationSize float64, admissionTime float64) {
+	am.testedIngressLength.Set(testedIngressLength)
+	am.testedIngressTime.Set(testedIngressTime)
+	am.renderingIngressLength.Set(renderingIngressLength)
+	am.renderingIngressTime.Set(renderingIngressTime)
+	am.testedConfigurationSize.Set(testedConfigurationSize)
+	am.admissionTime.Set(admissionTime)
+	klog.Infof("processed ingress via admission controller {testedIngressLength:%v testedIngressTime:%vs renderingIngressLength:%v renderingIngressTime:%vs admissionTime:%vs testedConfigurationSize:%v}",
+		testedIngressLength,
+		testedIngressTime,
+		renderingIngressLength,
+		renderingIngressTime,
+		ByteFormat(int64(testedConfigurationSize)),
+		admissionTime,
+	)
+}
diff --git a/internal/ingress/metric/collectors/admission_test.go b/internal/ingress/metric/collectors/admission_test.go
new file mode 100644
index 000000000..68208ad3e
--- /dev/null
+++ b/internal/ingress/metric/collectors/admission_test.go
@@ -0,0 +1,122 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package collectors
+
+import (
+	"testing"
+
+	"github.com/prometheus/client_golang/prometheus"
+)
+
+func TestAdmissionCounters(t *testing.T) {
+	const (
+		metadataFirst = `
+			# HELP nginx_ingress_controller_admission_config_size The size of the tested configuration
+			# TYPE nginx_ingress_controller_admission_config_size gauge
+			# HELP nginx_ingress_controller_admission_roundtrip_duration The complete duration of the admission controller at the time to process a new event (float seconds)
+			# TYPE nginx_ingress_controller_admission_roundtrip_duration gauge
+		`
+		metadataSecond = `
+			# HELP nginx_ingress_controller_admission_render_ingresses The length of ingresses rendered by the admission controller
+			# TYPE nginx_ingress_controller_admission_render_ingresses gauge
+			# HELP nginx_ingress_controller_admission_tested_duration The processing duration of the admission controller tests (float seconds)
+			# TYPE nginx_ingress_controller_admission_tested_duration gauge
+		`
+		metadataThird = `
+			# HELP nginx_ingress_controller_admission_config_size The size of the tested configuration
+			# TYPE nginx_ingress_controller_admission_config_size gauge
+			# HELP nginx_ingress_controller_admission_render_duration The processing duration of ingresses rendering by the admission controller (float seconds)
+			# TYPE nginx_ingress_controller_admission_render_duration gauge
+			# HELP nginx_ingress_controller_admission_render_ingresses The length of ingresses rendered by the admission controller
+			# TYPE nginx_ingress_controller_admission_render_ingresses gauge
+			# HELP nginx_ingress_controller_admission_roundtrip_duration The complete duration of the admission controller at the time to process a new event (float seconds)
+			# TYPE nginx_ingress_controller_admission_roundtrip_duration gauge
+			# HELP nginx_ingress_controller_admission_tested_ingresses The length of ingresses processed by the admission controller
+			# TYPE nginx_ingress_controller_admission_tested_ingresses gauge
+			# HELP nginx_ingress_controller_admission_tested_duration The processing duration of the admission controller tests (float seconds)
+			# TYPE nginx_ingress_controller_admission_tested_duration gauge
+		`
+	)
+	cases := []struct {
+		name    string
+		test    func(*AdmissionCollector)
+		metrics []string
+		want    string
+	}{
+		{
+			name: "should return 0 as values on a fresh initiated collector",
+			test: func(am *AdmissionCollector) {
+			},
+			want: metadataFirst + `
+				nginx_ingress_controller_admission_config_size{controller_class="nginx",controller_namespace="default",controller_pod="pod"} 0
+				nginx_ingress_controller_admission_roundtrip_duration{controller_class="nginx",controller_namespace="default",controller_pod="pod"} 0
+			`,
+			metrics: []string{"nginx_ingress_controller_admission_config_size", "nginx_ingress_controller_admission_roundtrip_duration"},
+		},
+		{
+			name: "set admission metrics to 1 in all fields and validate next set",
+			test: func(am *AdmissionCollector) {
+				am.SetAdmissionMetrics(1, 1, 1, 1, 1, 1)
+			},
+			want: metadataSecond + `
+				nginx_ingress_controller_admission_render_ingresses{controller_class="nginx",controller_namespace="default",controller_pod="pod"} 1
+				nginx_ingress_controller_admission_tested_duration{controller_class="nginx",controller_namespace="default",controller_pod="pod"} 1
+			`,
+			metrics: []string{"nginx_ingress_controller_admission_render_ingresses", "nginx_ingress_controller_admission_tested_duration"},
+		},
+		{
+			name: "set admission metrics to 5 in all fields and validate all sets",
+			test: func(am *AdmissionCollector) {
+				am.SetAdmissionMetrics(5, 5, 5, 5, 5, 5)
+			},
+			want: metadataThird + `
+				nginx_ingress_controller_admission_config_size{controller_class="nginx",controller_namespace="default",controller_pod="pod"} 5
+				nginx_ingress_controller_admission_render_duration{controller_class="nginx",controller_namespace="default",controller_pod="pod"} 5
+				nginx_ingress_controller_admission_render_ingresses{controller_class="nginx",controller_namespace="default",controller_pod="pod"} 5
+				nginx_ingress_controller_admission_roundtrip_duration{controller_class="nginx",controller_namespace="default",controller_pod="pod"} 5
+				nginx_ingress_controller_admission_tested_ingresses{controller_class="nginx",controller_namespace="default",controller_pod="pod"} 5
+				nginx_ingress_controller_admission_tested_duration{controller_class="nginx",controller_namespace="default",controller_pod="pod"} 5
+			`,
+			metrics: []string{
+				"nginx_ingress_controller_admission_config_size",
+				"nginx_ingress_controller_admission_render_duration",
+				"nginx_ingress_controller_admission_render_ingresses",
+				"nginx_ingress_controller_admission_roundtrip_duration",
+				"nginx_ingress_controller_admission_tested_ingresses",
+				"nginx_ingress_controller_admission_tested_duration",
+			},
+		},
+	}
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			am := NewAdmissionCollector("pod", "default", "nginx")
+			reg := prometheus.NewPedanticRegistry()
+			if err := reg.Register(am); err != nil {
+				t.Errorf("registering collector failed: %s", err)
+			}
+
+			c.test(am)
+
+			if err := GatherAndCompare(am, c.want, c.metrics, reg); err != nil {
+				t.Errorf("unexpected collecting result:\n%s", err)
+			}
+
+			reg.Unregister(am)
+		})
+	}
+}
diff --git a/internal/ingress/metric/dummy.go b/internal/ingress/metric/dummy.go
index 59a9144e0..922a21604 100644
--- a/internal/ingress/metric/dummy.go
+++ b/internal/ingress/metric/dummy.go
@@ -32,6 +32,9 @@ type DummyCollector struct{}
 // ConfigSuccess ...
 func (dc DummyCollector) ConfigSuccess(uint64, bool) {}
 
+// SetAdmissionMetrics ...
+func (dc DummyCollector) SetAdmissionMetrics(float64, float64, float64, float64, float64, float64) {}
+
 // IncReloadCount ...
 func (dc DummyCollector) IncReloadCount() {}
 
@@ -48,10 +51,10 @@ func (dc DummyCollector) IncCheckErrorCount(string, string) {}
 func (dc DummyCollector) RemoveMetrics(ingresses, endpoints []string) {}
 
 // Start ...
-func (dc DummyCollector) Start() {}
+func (dc DummyCollector) Start(admissionStatus string) {}
 
 // Stop ...
-func (dc DummyCollector) Stop() {}
+func (dc DummyCollector) Stop(admissionStatus string) {}
 
 // SetSSLExpireTime ...
 func (dc DummyCollector) SetSSLExpireTime([]*ingress.Server) {}
diff --git a/internal/ingress/metric/main.go b/internal/ingress/metric/main.go
index 64810dd36..0cc07fe28 100644
--- a/internal/ingress/metric/main.go
+++ b/internal/ingress/metric/main.go
@@ -36,6 +36,8 @@ type Collector interface {
 	IncReloadCount()
 	IncReloadErrorCount()
 
+	SetAdmissionMetrics(float64, float64, float64, float64, float64, float64)
+
 	OnStartedLeading(string)
 	OnStoppedLeading(string)
 
@@ -49,15 +51,16 @@ type Collector interface {
 	// SetHosts sets the hostnames that are being served by the ingress controller
 	SetHosts(sets.String)
 
-	Start()
-	Stop()
+	Start(string)
+	Stop(string)
 }
 
 type collector struct {
 	nginxStatus  collectors.NGINXStatusCollector
 	nginxProcess collectors.NGINXProcessCollector
 
-	ingressController *collectors.Controller
+	ingressController   *collectors.Controller
+	admissionController *collectors.AdmissionCollector
 
 	socket *collectors.SocketCollector
 
@@ -90,11 +93,14 @@ func NewCollector(metricsPerHost bool, registry *prometheus.Registry, ingresscla
 
 	ic := collectors.NewController(podName, podNamespace, ingressclass)
 
+	am := collectors.NewAdmissionCollector(podName, podNamespace, ingressclass)
+
 	return Collector(&collector{
 		nginxStatus:  nc,
 		nginxProcess: pc,
 
-		ingressController: ic,
+		admissionController: am,
+		ingressController:   ic,
 
 		socket: s,
 
@@ -127,9 +133,12 @@ func (c *collector) RemoveMetrics(ingresses, hosts []string) {
 	c.ingressController.RemoveMetrics(hosts, c.registry)
 }
 
-func (c *collector) Start() {
+func (c *collector) Start(admissionStatus string) {
 	c.registry.MustRegister(c.nginxStatus)
 	c.registry.MustRegister(c.nginxProcess)
+	if admissionStatus != "" {
+		c.registry.MustRegister(c.admissionController)
+	}
 	c.registry.MustRegister(c.ingressController)
 	c.registry.MustRegister(c.socket)
 
@@ -143,9 +152,12 @@ func (c *collector) Start() {
 	go c.socket.Start()
 }
 
-func (c *collector) Stop() {
+func (c *collector) Stop(admissionStatus string) {
 	c.registry.Unregister(c.nginxStatus)
 	c.registry.Unregister(c.nginxProcess)
+	if admissionStatus != "" {
+		c.registry.Unregister(c.admissionController)
+	}
 	c.registry.Unregister(c.ingressController)
 	c.registry.Unregister(c.socket)
 
@@ -167,6 +179,17 @@ func (c *collector) SetHosts(hosts sets.String) {
 	c.socket.SetHosts(hosts)
 }
 
+func (c *collector) SetAdmissionMetrics(testedIngressLength float64, testedIngressTime float64, renderingIngressLength float64, renderingIngressTime float64, testedConfigurationSize float64, admissionTime float64) {
+	c.admissionController.SetAdmissionMetrics(
+		testedIngressLength,
+		testedIngressTime,
+		renderingIngressLength,
+		renderingIngressTime,
+		testedConfigurationSize,
+		admissionTime,
+	)
+}
+
 // OnStartedLeading indicates the pod was elected as the leader
 func (c *collector) OnStartedLeading(electionID string) {
 	setLeader(true)

From 65b8eeddec3ee6695587a67fd131e699159788d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christopher=20Larivi=C3=A8re?= <lariviere.c@gmail.com>
Date: Tue, 2 Nov 2021 15:31:42 -0400
Subject: [PATCH 202/376] Support cors-allow-origin with multiple origins
 (#7614)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Add Initial support for multiple cors origins in nginx

- bump cluster version for `make dev-env`
- add buildOriginRegex function in nginx.tmpl
- add e2e 4 e2e tests for cors.go
- refers to feature request #5496

* add tests + use search to identify '*' origin

* add tests + use search to identify '*' origin

Signed-off-by: Christopher Larivière <lariviere.c@gmail.com>

* fix "should enable cors test" looking at improper values

* Modify tests and add some logic for origin validation

- add origin validation in cors ingress annotations
- add extra tests to validate regex
- properly escape regex using "QuoteMeta"
- fix some copy/paste errors

* add TrimSpace and length validation before adding a new origin

* modify documentation for cors and remove dangling comment

* add support for optional port mapping on origin

* support single-level wildcard subdomains + tests

* Remove automatic `*` fonctionality from incorrect origins

- use []string instead of basic string to avoid reparsing in template.go
- fix typo in docs
- modify template to properly enable only if the whole block is enabled
- modify cors parsing
- test properly by validating that the value returned is the proper
  origin
- update unit tests and annotation tests

* Re-add `*` when no cors origins are supplied + fix tests

- fix e2e tests to allow for `*`
- re-add `*` to cors parsing if trimmed cors-allow-origin is empty
(supplied but empty) and if it wasn't supplied at all.

* remove unecessary logic for building cors origin + remove comments

- add some edge cases in e2e tests
- rework logic for building cors origin

there was no need for logic in template.go for buildCorsOriginRegex
if there is a `*` it ill be short-circuited by first if.

if it's a wildcard domain or any domain (without a wildcard), it MUST
match the main/cors.go regex format.

if there's a star in a wildcard domain, it must be replaced with
`[A-Za-z0-9]+`

* add missing check in e2e tests
---
 build/dev-env.sh                              |   2 +-
 .../nginx-configuration/annotations.md        |   7 +-
 go.mod                                        |   1 +
 go.sum                                        |   1 +
 .../ingress/annotations/annotations_test.go   |  24 +-
 internal/ingress/annotations/cors/main.go     |  52 +-
 .../ingress/annotations/cors/main_test.go     |   6 +-
 .../ingress/controller/template/template.go   |  27 +
 rootfs/etc/nginx/template/nginx.tmpl          |  23 +-
 test/e2e/annotations/cors.go                  | 471 +++++++++++++++++-
 10 files changed, 570 insertions(+), 44 deletions(-)

diff --git a/build/dev-env.sh b/build/dev-env.sh
index b089de206..d98f0bfbd 100755
--- a/build/dev-env.sh
+++ b/build/dev-env.sh
@@ -61,7 +61,7 @@ echo "[dev-env] building image"
 make build image
 docker tag "${REGISTRY}/controller:${TAG}" "${DEV_IMAGE}"
 
-export K8S_VERSION=${K8S_VERSION:-v1.20.2@sha256:8f7ea6e7642c0da54f04a7ee10431549c0257315b3a634f6ef2fecaaedb19bab}
+export K8S_VERSION=${K8S_VERSION:-v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6}
 
 KIND_CLUSTER_NAME="ingress-nginx-dev"
 
diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
index ca515f9e2..19bd3947f 100755
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@@ -354,10 +354,13 @@ CORS can be controlled with the following annotations:
 
 * `nginx.ingress.kubernetes.io/cors-allow-origin`: Controls what's the accepted Origin for CORS.
 
-    This is a single field value, with the following format: `http(s)://origin-site.com` or `http(s)://origin-site.com:port`
+    This is a multi-valued field, separated by ','. It must follow this format: `http(s)://origin-site.com` or `http(s)://origin-site.com:port`
 
     - Default: `*`
-    - Example: `nginx.ingress.kubernetes.io/cors-allow-origin: "https://origin-site.com:4443"`
+    - Example: `nginx.ingress.kubernetes.io/cors-allow-origin: "https://origin-site.com:4443, http://origin-site.com, https://example.org:1199"`
+
+    It also supports single level wildcard subdomains and follows this format: `http(s)://*.foo.bar`, `http(s)://*.bar.foo:8080` or `http(s)://*.abc.bar.foo:9000`
+    - Example: `nginx.ingress.kubernetes.io/cors-allow-origin: "https://*.origin-site.com:4443, http://*.origin-site.com, https://example.org:1199"`
 
 * `nginx.ingress.kubernetes.io/cors-allow-credentials`: Controls if credentials can be passed during CORS operations.
 
diff --git a/go.mod b/go.mod
index 225d191a3..49e380774 100644
--- a/go.mod
+++ b/go.mod
@@ -78,6 +78,7 @@ require (
 	github.com/go-openapi/jsonreference v0.19.3 // indirect
 	github.com/go-openapi/spec v0.19.5 // indirect
 	github.com/go-openapi/swag v0.19.5 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
 	github.com/godbus/dbus/v5 v5.0.4 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
diff --git a/go.sum b/go.sum
index bdc542758..21a2bb5c4 100644
--- a/go.sum
+++ b/go.sum
@@ -269,6 +269,7 @@ github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2K
 github.com/go-openapi/validate v0.19.8/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4=
 github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/gobuffalo/here v0.6.0/go.mod h1:wAG085dHOYqUpf+Ap+WOdrPTp5IYcDAs/x7PLa8Y5fM=
 github.com/godbus/dbus/v5 v5.0.4 h1:9349emZab16e7zQvpmsbtjc18ykshndd8y2PG3sgJbA=
diff --git a/internal/ingress/annotations/annotations_test.go b/internal/ingress/annotations/annotations_test.go
index ada81117d..8eec999cc 100644
--- a/internal/ingress/annotations/annotations_test.go
+++ b/internal/ingress/annotations/annotations_test.go
@@ -215,15 +215,15 @@ func TestCors(t *testing.T) {
 		corsenabled bool
 		methods     string
 		headers     string
-		origin      string
+		origin      []string
 		credentials bool
 		expose      string
 	}{
-		{map[string]string{annotationCorsEnabled: "true"}, true, defaultCorsMethods, defaultCorsHeaders, "*", true, ""},
-		{map[string]string{annotationCorsEnabled: "true", annotationCorsAllowMethods: "POST, GET, OPTIONS", annotationCorsAllowHeaders: "$nginx_version", annotationCorsAllowCredentials: "false", annotationCorsExposeHeaders: "X-CustomResponseHeader"}, true, "POST, GET, OPTIONS", defaultCorsHeaders, "*", false, "X-CustomResponseHeader"},
-		{map[string]string{annotationCorsEnabled: "true", annotationCorsAllowCredentials: "false"}, true, defaultCorsMethods, defaultCorsHeaders, "*", false, ""},
-		{map[string]string{}, false, defaultCorsMethods, defaultCorsHeaders, "*", true, ""},
-		{nil, false, defaultCorsMethods, defaultCorsHeaders, "*", true, ""},
+		{map[string]string{annotationCorsEnabled: "true"}, true, defaultCorsMethods, defaultCorsHeaders, []string{"*"}, true, ""},
+		{map[string]string{annotationCorsEnabled: "true", annotationCorsAllowMethods: "POST, GET, OPTIONS", annotationCorsAllowHeaders: "$nginx_version", annotationCorsAllowCredentials: "false", annotationCorsExposeHeaders: "X-CustomResponseHeader"}, true, "POST, GET, OPTIONS", defaultCorsHeaders, []string{"*"}, false, "X-CustomResponseHeader"},
+		{map[string]string{annotationCorsEnabled: "true", annotationCorsAllowCredentials: "false"}, true, defaultCorsMethods, defaultCorsHeaders, []string{"*"}, false, ""},
+		{map[string]string{}, false, defaultCorsMethods, defaultCorsHeaders, []string{"*"}, true, ""},
+		{nil, false, defaultCorsMethods, defaultCorsHeaders, []string{"*"}, true, ""},
 	}
 
 	for _, foo := range fooAnns {
@@ -243,12 +243,18 @@ func TestCors(t *testing.T) {
 			t.Errorf("Returned %v but expected %v for Cors Methods", r.CorsAllowMethods, foo.methods)
 		}
 
-		if r.CorsAllowOrigin != foo.origin {
-			t.Errorf("Returned %v but expected %v for Cors Methods", r.CorsAllowOrigin, foo.origin)
+		if len(r.CorsAllowOrigin) != len(foo.origin) {
+			t.Errorf("Lengths of Cors Origins are not equal. Expected %v - Actual %v", r.CorsAllowOrigin, foo.origin)
+		}
+
+		for i, v := range r.CorsAllowOrigin {
+			if v != foo.origin[i] {
+				t.Errorf("Values of Cors Origins are not equal. Expected %v - Actual %v", r.CorsAllowOrigin, foo.origin)
+			}
 		}
 
 		if r.CorsAllowCredentials != foo.credentials {
-			t.Errorf("Returned %v but expected %v for Cors Methods", r.CorsAllowCredentials, foo.credentials)
+			t.Errorf("Returned %v but expected %v for Cors Credentials", r.CorsAllowCredentials, foo.credentials)
 		}
 
 	}
diff --git a/internal/ingress/annotations/cors/main.go b/internal/ingress/annotations/cors/main.go
index 44947a014..d2f232af1 100644
--- a/internal/ingress/annotations/cors/main.go
+++ b/internal/ingress/annotations/cors/main.go
@@ -18,8 +18,10 @@ package cors
 
 import (
 	"regexp"
+	"strings"
 
 	networking "k8s.io/api/networking/v1"
+	"k8s.io/klog/v2"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
@@ -36,7 +38,7 @@ var (
 	// Regex are defined here to prevent information leak, if user tries to set anything not valid
 	// that could cause the Response to contain some internal value/variable (like returning $pid, $upstream_addr, etc)
 	// Origin must contain a http/s Origin (including or not the port) or the value '*'
-	corsOriginRegex = regexp.MustCompile(`^(https?://[A-Za-z0-9\-\.]*(:[0-9]+)?|\*)?$`)
+	corsOriginRegex = regexp.MustCompile(`^(https?://(\*\.)?[A-Za-z0-9\-\.]*(:[0-9]+)?|\*)?$`)
 	// Method must contain valid methods list (PUT, GET, POST, BLA)
 	// May contain or not spaces between each verb
 	corsMethodsRegex = regexp.MustCompile(`^([A-Za-z]+,?\s?)+$`)
@@ -54,13 +56,13 @@ type cors struct {
 
 // Config contains the Cors configuration to be used in the Ingress
 type Config struct {
-	CorsEnabled          bool   `json:"corsEnabled"`
-	CorsAllowOrigin      string `json:"corsAllowOrigin"`
-	CorsAllowMethods     string `json:"corsAllowMethods"`
-	CorsAllowHeaders     string `json:"corsAllowHeaders"`
-	CorsAllowCredentials bool   `json:"corsAllowCredentials"`
-	CorsExposeHeaders    string `json:"corsExposeHeaders"`
-	CorsMaxAge           int    `json:"corsMaxAge"`
+	CorsEnabled          bool     `json:"corsEnabled"`
+	CorsAllowOrigin      []string `json:"corsAllowOrigin"`
+	CorsAllowMethods     string   `json:"corsAllowMethods"`
+	CorsAllowHeaders     string   `json:"corsAllowHeaders"`
+	CorsAllowCredentials bool     `json:"corsAllowCredentials"`
+	CorsExposeHeaders    string   `json:"corsExposeHeaders"`
+	CorsMaxAge           int      `json:"corsMaxAge"`
 }
 
 // NewParser creates a new CORS annotation parser
@@ -91,13 +93,20 @@ func (c1 *Config) Equal(c2 *Config) bool {
 	if c1.CorsAllowMethods != c2.CorsAllowMethods {
 		return false
 	}
-	if c1.CorsAllowOrigin != c2.CorsAllowOrigin {
-		return false
-	}
 	if c1.CorsEnabled != c2.CorsEnabled {
 		return false
 	}
 
+	if len(c1.CorsAllowOrigin) != len(c2.CorsAllowOrigin) {
+		return false
+	}
+
+	for i, v := range c1.CorsAllowOrigin {
+		if v != c2.CorsAllowOrigin[i] {
+			return false
+		}
+	}
+
 	return true
 }
 
@@ -112,9 +121,23 @@ func (c cors) Parse(ing *networking.Ingress) (interface{}, error) {
 		config.CorsEnabled = false
 	}
 
-	config.CorsAllowOrigin, err = parser.GetStringAnnotation("cors-allow-origin", ing)
-	if err != nil || !corsOriginRegex.MatchString(config.CorsAllowOrigin) {
-		config.CorsAllowOrigin = "*"
+	unparsedOrigins, err := parser.GetStringAnnotation("cors-allow-origin", ing)
+	if err == nil {
+		config.CorsAllowOrigin = strings.Split(unparsedOrigins, ",")
+		for i, origin := range config.CorsAllowOrigin {
+			origin = strings.TrimSpace(origin)
+			if origin == "*" {
+				config.CorsAllowOrigin = []string{"*"}
+				break
+			}
+			if !corsOriginRegex.MatchString(origin) {
+				klog.Errorf("Error parsing cors-allow-origin parameters. Supplied incorrect origin: %s. Skipping.", origin)
+				config.CorsAllowOrigin = append(config.CorsAllowOrigin[:i], config.CorsAllowOrigin[i+1:]...)
+			}
+			klog.Infof("Current config.corsAllowOrigin %v", config.CorsAllowOrigin)
+		}
+	} else {
+		config.CorsAllowOrigin = []string{"*"}
 	}
 
 	config.CorsAllowHeaders, err = parser.GetStringAnnotation("cors-allow-headers", ing)
@@ -143,5 +166,4 @@ func (c cors) Parse(ing *networking.Ingress) (interface{}, error) {
 	}
 
 	return config, nil
-
 }
diff --git a/internal/ingress/annotations/cors/main_test.go b/internal/ingress/annotations/cors/main_test.go
index a65bf12cd..086a59d89 100644
--- a/internal/ingress/annotations/cors/main_test.go
+++ b/internal/ingress/annotations/cors/main_test.go
@@ -110,7 +110,7 @@ func TestIngressCorsConfigValid(t *testing.T) {
 		t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix("cors-allow-methods")], nginxCors.CorsAllowMethods)
 	}
 
-	if nginxCors.CorsAllowOrigin != "https://origin123.test.com:4443" {
+	if nginxCors.CorsAllowOrigin[0] != "https://origin123.test.com:4443" {
 		t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix("cors-allow-origin")], nginxCors.CorsAllowOrigin)
 	}
 
@@ -164,10 +164,6 @@ func TestIngressCorsConfigInvalid(t *testing.T) {
 		t.Errorf("expected %v but returned %v", defaultCorsHeaders, nginxCors.CorsAllowMethods)
 	}
 
-	if nginxCors.CorsAllowOrigin != "*" {
-		t.Errorf("expected %v but returned %v", "*", nginxCors.CorsAllowOrigin)
-	}
-
 	if nginxCors.CorsExposeHeaders != "" {
 		t.Errorf("expected %v but returned %v", "", nginxCors.CorsExposeHeaders)
 	}
diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go
index dc4b78c1a..1147c8e5d 100644
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@@ -276,6 +276,7 @@ var (
 		"shouldLoadAuthDigestModule":         shouldLoadAuthDigestModule,
 		"shouldLoadInfluxDBModule":           shouldLoadInfluxDBModule,
 		"buildServerName":                    buildServerName,
+		"buildCorsOriginRegex":               buildCorsOriginRegex,
 	}
 )
 
@@ -1676,3 +1677,29 @@ func convertGoSliceIntoLuaTable(goSliceInterface interface{}, emptyStringAsNil b
 		return "", fmt.Errorf("could not process type: %s", kind)
 	}
 }
+
+func buildOriginRegex(origin string) string {
+	origin = regexp.QuoteMeta(origin)
+	origin = strings.Replace(origin, "\\*", "[A-Za-z0-9]+", 1)
+	return fmt.Sprintf("(%s)", origin)
+}
+
+func buildCorsOriginRegex(corsOrigins []string) string {
+	if len(corsOrigins) == 1 && corsOrigins[0] == "*" {
+		return "set $http_origin *;\nset $cors 'true';"
+	}
+
+	var originsRegex string = "if ($http_origin ~* ("
+	for i, origin := range corsOrigins {
+		originTrimmed := strings.TrimSpace(origin)
+		if len(originTrimmed) > 0 {
+			builtOrigin := buildOriginRegex(originTrimmed)
+			originsRegex += builtOrigin
+			if i != len(corsOrigins)-1 {
+				originsRegex = originsRegex + "|"
+			}
+		}
+	}
+	originsRegex = originsRegex + ")$ ) { set $cors 'true'; }"
+	return originsRegex
+}
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 9beca463b..d579165b7 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -867,8 +867,24 @@ stream {
 {{ define "CORS" }}
      {{ $cors := .CorsConfig }}
      # Cors Preflight methods needs additional options and different Return Code
+     {{ if $cors.CorsAllowOrigin }}
+        {{ buildCorsOriginRegex $cors.CorsAllowOrigin }}
+     {{ end }}
      if ($request_method = 'OPTIONS') {
-        more_set_headers 'Access-Control-Allow-Origin: {{ $cors.CorsAllowOrigin }}';
+        set $cors ${cors}options;
+     }
+
+     if ($cors = "true") {
+        more_set_headers 'Access-Control-Allow-Origin: $http_origin';
+        {{ if $cors.CorsAllowCredentials }} more_set_headers 'Access-Control-Allow-Credentials: {{ $cors.CorsAllowCredentials }}'; {{ end }}
+        more_set_headers 'Access-Control-Allow-Methods: {{ $cors.CorsAllowMethods }}';
+        more_set_headers 'Access-Control-Allow-Headers: {{ $cors.CorsAllowHeaders }}';
+        {{ if not (empty $cors.CorsExposeHeaders) }} more_set_headers 'Access-Control-Expose-Headers: {{ $cors.CorsExposeHeaders }}'; {{ end }}
+        more_set_headers 'Access-Control-Max-Age: {{ $cors.CorsMaxAge }}';
+     }
+
+     if ($cors = "trueoptions") {
+        more_set_headers 'Access-Control-Allow-Origin: $http_origin';
         {{ if $cors.CorsAllowCredentials }} more_set_headers 'Access-Control-Allow-Credentials: {{ $cors.CorsAllowCredentials }}'; {{ end }}
         more_set_headers 'Access-Control-Allow-Methods: {{ $cors.CorsAllowMethods }}';
         more_set_headers 'Access-Control-Allow-Headers: {{ $cors.CorsAllowHeaders }}';
@@ -878,11 +894,6 @@ stream {
         more_set_headers 'Content-Length: 0';
         return 204;
      }
-
-        more_set_headers 'Access-Control-Allow-Origin: {{ $cors.CorsAllowOrigin }}';
-        {{ if $cors.CorsAllowCredentials }} more_set_headers 'Access-Control-Allow-Credentials: {{ $cors.CorsAllowCredentials }}'; {{ end }}
-        {{ if not (empty $cors.CorsExposeHeaders) }} more_set_headers 'Access-Control-Expose-Headers: {{ $cors.CorsExposeHeaders }}'; {{ end }}
-
 {{ end }}
 
 {{/* definition of server-template to avoid repetitions with server-alias */}}
diff --git a/test/e2e/annotations/cors.go b/test/e2e/annotations/cors.go
index e4cdd32b4..c17eb0b20 100644
--- a/test/e2e/annotations/cors.go
+++ b/test/e2e/annotations/cors.go
@@ -44,10 +44,12 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
 		f.WaitForNginxServer(host,
 			func(server string) bool {
 				return strings.Contains(server, "more_set_headers 'Access-Control-Allow-Methods: GET, PUT, POST, DELETE, PATCH, OPTIONS';") &&
-					strings.Contains(server, "more_set_headers 'Access-Control-Allow-Origin: *';") &&
+					strings.Contains(server, "more_set_headers 'Access-Control-Allow-Origin: $http_origin';") &&
 					strings.Contains(server, "more_set_headers 'Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';") &&
 					strings.Contains(server, "more_set_headers 'Access-Control-Max-Age: 1728000';") &&
-					strings.Contains(server, "more_set_headers 'Access-Control-Allow-Credentials: true';")
+					strings.Contains(server, "more_set_headers 'Access-Control-Allow-Credentials: true';") &&
+					strings.Contains(server, "set $http_origin *;") &&
+					strings.Contains(server, "$cors 'true';")
 			})
 
 		f.HTTPTestClient().
@@ -107,6 +109,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
 
 	ginkgo.It("should allow origin for cors", func() {
 		host := "cors.foo.com"
+		origin := "https://origin.cors.com:8080"
 		annotations := map[string]string{
 			"nginx.ingress.kubernetes.io/enable-cors":       "true",
 			"nginx.ingress.kubernetes.io/cors-allow-origin": "https://origin.cors.com:8080",
@@ -115,10 +118,20 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
 		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
 		f.EnsureIngress(ing)
 
-		f.WaitForNginxServer(host,
-			func(server string) bool {
-				return strings.Contains(server, "more_set_headers 'Access-Control-Allow-Origin: https://origin.cors.com:8080';")
-			})
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin).
+			Expect().
+			Headers().ContainsKey("Access-Control-Allow-Origin")
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Access-Control-Allow-Origin", []string{origin})
 	})
 
 	ginkgo.It("should allow headers for cors", func() {
@@ -152,4 +165,450 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
 				return strings.Contains(server, "more_set_headers 'Access-Control-Expose-Headers: X-CustomResponseHeader, X-CustomSecondHeader';")
 			})
 	})
+
+	ginkgo.It("should allow - single origin for multiple cors values", func() {
+		host := "cors.foo.com"
+		origin := "https://origin.cors.com:8080"
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-cors":       "true",
+			"nginx.ingress.kubernetes.io/cors-allow-origin": "https://origin.cors.com:8080, https://origin2.cors.com",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin).
+			Expect().
+			Headers().ContainsKey("Access-Control-Allow-Origin")
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Access-Control-Allow-Origin", []string{origin})
+	})
+
+	ginkgo.It("should not allow - single origin for multiple cors values", func() {
+		host := "cors.foo.com"
+		origin := "http://no.origin.com"
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-cors":       "true",
+			"nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin2.cors.com, https://origin.com",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		// the client should still receive a response but browsers should block the request
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin).
+			Expect().
+			Headers().NotContainsKey("Access-Control-Allow-Origin")
+	})
+
+	ginkgo.It("should allow correct origins - single origin for multiple cors values", func() {
+		host := "cors.foo.com"
+		badOrigin := "origin.cors.com:8080"
+		origin1 := "https://origin2.cors.com"
+		origin2 := "https://origin.com"
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-cors":       "true",
+			"nginx.ingress.kubernetes.io/cors-allow-origin": "origin.cors.com:8080, https://origin2.cors.com, https://origin.com",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", badOrigin).
+			Expect().
+			Headers().NotContainsKey("Access-Control-Allow-Origin")
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin1).
+			Expect().
+			Headers().ContainsKey("Access-Control-Allow-Origin")
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin1).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Access-Control-Allow-Origin", []string{origin1})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin2).
+			Expect().
+			Headers().ContainsKey("Access-Control-Allow-Origin")
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin2).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Access-Control-Allow-Origin", []string{origin2})
+	})
+
+	ginkgo.It("should not break functionality", func() {
+		host := "cors.foo.com"
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-cors":       "true",
+			"nginx.ingress.kubernetes.io/cors-allow-origin": "*",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Headers().ContainsKey("Access-Control-Allow-Origin")
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Access-Control-Allow-Origin", []string{"*"})
+	})
+
+	ginkgo.It("should not break functionality - without `*`", func() {
+		host := "cors.foo.com"
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-cors": "true",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Headers().ContainsKey("Access-Control-Allow-Origin")
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Access-Control-Allow-Origin", []string{"*"})
+	})
+
+	ginkgo.It("should not break functionality with extra domain", func() {
+		host := "cors.foo.com"
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-cors":       "true",
+			"nginx.ingress.kubernetes.io/cors-allow-origin": "*, foo.bar.com",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Headers().ContainsKey("Access-Control-Allow-Origin")
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Access-Control-Allow-Origin", []string{"*"})
+	})
+
+	ginkgo.It("should not match", func() {
+		host := "cors.foo.com"
+		origin := "https://fooxbar.com"
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-cors":       "true",
+			"nginx.ingress.kubernetes.io/cors-allow-origin": "https://foo.bar.com",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		// the client should still receive a response but browsers should block the request
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin).
+			Expect().
+			Headers().NotContainsKey("Access-Control-Allow-Origin")
+	})
+
+	ginkgo.It("should allow - single origin with required port", func() {
+		host := "cors.foo.com"
+		origin := "http://origin.com:8080"
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-cors":       "true",
+			"nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin.cors.com:8080, http://origin.com:8080",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		// the client should still receive a response but browsers should block the request
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin).
+			Expect().
+			Headers().ContainsKey("Access-Control-Allow-Origin")
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Access-Control-Allow-Origin", []string{origin})
+	})
+
+	ginkgo.It("should not allow - single origin with port and origin without port", func() {
+		host := "cors.foo.com"
+		origin := "http://origin.com:8080"
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-cors":       "true",
+			"nginx.ingress.kubernetes.io/cors-allow-origin": "https://origin2.cors.com, http://origin.com",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin).
+			Expect().
+			Headers().NotContainsKey("Access-Control-Allow-Origin")
+	})
+
+	ginkgo.It("should not allow - single origin without port and origin with required port", func() {
+		host := "cors.foo.com"
+		origin := "http://origin.com"
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-cors":       "true",
+			"nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin.cors.com:8080, http://origin.com:8080",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		// the client should still receive a response but browsers should block the request
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin).
+			Expect().
+			Headers().NotContainsKey("Access-Control-Allow-Origin")
+	})
+
+	ginkgo.It("should allow - matching origin with wildcard origin (2 subdomains)", func() {
+		host := "cors.foo.com"
+		origin := "http://foo.origin.cors.com"
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-cors":       "true",
+			"nginx.ingress.kubernetes.io/cors-allow-origin": "http://*.origin.cors.com, http://*.origin.com:8080",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin).
+			Expect().
+			Headers().ContainsKey("Access-Control-Allow-Origin")
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Access-Control-Allow-Origin", []string{origin})
+	})
+
+	ginkgo.It("should not allow - unmatching origin with wildcard origin (2 subdomains)", func() {
+		host := "cors.foo.com"
+		origin := "http://bar.foo.origin.cors.com"
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-cors":       "true",
+			"nginx.ingress.kubernetes.io/cors-allow-origin": "http://*.origin.cors.com, http://*.origin.com:8080",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		// the client should still receive a response but browsers should block the request
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin).
+			Expect().
+			Headers().NotContainsKey("Access-Control-Allow-Origin")
+	})
+
+	ginkgo.It("should allow - matching origin+port with wildcard origin", func() {
+		host := "cors.foo.com"
+		origin := "http://abc.origin.com:8080"
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-cors":       "true",
+			"nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin.cors.com:8080, http://*.origin.com:8080",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin).
+			Expect().
+			Headers().ContainsKey("Access-Control-Allow-Origin")
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Access-Control-Allow-Origin", []string{origin})
+	})
+
+	ginkgo.It("should not allow - portless origin with wildcard origin", func() {
+		host := "cors.foo.com"
+		origin := "http://abc.origin.com"
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-cors":       "true",
+			"nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin.cors.com:8080, http://*.origin.com:8080",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		// the client should still receive a response but browsers should block the request
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin).
+			Expect().
+			Headers().NotContainsKey("Access-Control-Allow-Origin")
+	})
+
+	ginkgo.It("should allow correct origins - missing subdomain + origin with wildcard origin and correct origin", func() {
+		host := "cors.foo.com"
+		badOrigin := "http://origin.com:8080"
+		origin := "http://bar.origin.com:8080"
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-cors":       "true",
+			"nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin.cors.com:8080, http://*.origin.com:8080",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		// the client should still receive a response but browsers should block the request
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", badOrigin).
+			Expect().
+			Headers().NotContainsKey("Access-Control-Allow-Origin")
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin).
+			Expect().
+			Headers().ContainsKey("Access-Control-Allow-Origin")
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Access-Control-Allow-Origin", []string{origin})
+	})
+
+	ginkgo.It("should allow - missing origins (should allow all origins)", func() {
+		host := "cors.foo.com"
+		origin := "http://origin.com"
+		origin2 := "http://book.origin.com"
+		origin3 := "test.origin.com"
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-cors":       "true",
+			"nginx.ingress.kubernetes.io/cors-allow-origin": "      ",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		// the client should still receive a response but browsers should block the request
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin).
+			Expect().
+			Headers().ContainsKey("Access-Control-Allow-Origin")
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Access-Control-Allow-Origin", []string{"*"})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin2).
+			Expect().
+			Headers().ContainsKey("Access-Control-Allow-Origin")
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin2).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Access-Control-Allow-Origin", []string{"*"})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin3).
+			Expect().
+			Headers().ContainsKey("Access-Control-Allow-Origin")
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin3).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Access-Control-Allow-Origin", []string{"*"})
+	})
 })

From b8e62019bcceaaead8a29a6888d8a7f280c65deb Mon Sep 17 00:00:00 2001
From: Hu Shuai <hus.fnst@cn.fujitsu.com>
Date: Thu, 4 Nov 2021 19:52:03 +0800
Subject: [PATCH 203/376] Fix typos in ISSUE_TRIAGE.md (#7863)

Signed-off-by: Hu Shuai <hus.fnst@cn.fujitsu.com>
---
 ISSUE_TRIAGE.md | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/ISSUE_TRIAGE.md b/ISSUE_TRIAGE.md
index 3a5ba48a9..e6d2c1d8e 100644
--- a/ISSUE_TRIAGE.md
+++ b/ISSUE_TRIAGE.md
@@ -18,9 +18,9 @@ This section describes the different stages of the triage flow for issues.
 New issues come in with the labels `needs-triage` and `needs-priority` and one of: `kind/bug`, `kind/feature` or `kind/support`. Unfortunately there are also some legacy issues that only have a `kind/*` label but neither `needs-triage` nor `needs-priority` . However for every issue that does not have the `triage-accepted` label the following steps have to be done to prepare them for further processing:  
 
 * Filter for issues [without the `triage-accepted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+-label%3Atriage%2Faccepted+is%3Aissue) label.
-* Check if all neccessary information are available. This is basically true, if people filled out the issue template correctly. If neccessary information is missing, ask the author to add the missing information and add the label `triage/needs-information` if not already present. If already present, send the author a friendly reminder to add those. 
+* Check if all necessary information are available. This is basically true, if people filled out the issue template correctly. If necessary information is missing, ask the author to add the missing information and add the label `triage/needs-information` if not already present. If already present, send the author a friendly reminder to add those. 
 * Check if the used versions of ingress-nginx and Kubernetes is supported. Note that [we only support n-3 versions](https://github.com/kubernetes/ingress-nginx#support-versions-table). If the version is not supported, ask the author to upgrade to newer versions and see if the error still persists. 
-* Read through the issue description and comments briefly to understand what the issue is about. Also check if the kind and area is correct, and adjust it if neccessary. If the issue is understandable add the label `triage-accepted`.
+* Read through the issue description and comments briefly to understand what the issue is about. Also check if the kind and area is correct, and adjust it if necessary. If the issue is understandable add the label `triage-accepted`.
 * If at any point you don't know how to proceed with an issue during the triage process, tag one of the [core maintainers](OWNERS_ALIASES) in the issue to raise attention or alternatively come to [this slack channel](https://kubernetes.slack.com/archives/C021E147ZA4) which may be the quicker way as people tend to miss github notifications. 
 
 Note: Issues that are stale for 90 days are being closed automatically. However we could be missing a bug here, so from time to time it makes sense to go over the closed ones and see if there is something important. Use [this filter](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aclosed+is%3Aissue+label%3Alifecycle%2Frotten+) to find those. 
@@ -28,8 +28,8 @@ Note: Issues that are stale for 90 days are being closed automatically. However
 Who and When?
 * Basically everyone who wants to contribute can do the mentioned steps at any time.
 
-### Issue Priorization
-For all issues, where all neccessary information is available thus triage is accepted, we need to do some priorization: 
+### Issue Prioritization
+For all issues, where all necessary information is available thus triage is accepted, we need to do some prioritization: 
 
 * Go through all issues with label [`triage-accepted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3Atriage%2Faccepted+).  
 * Add appropriate priority label: `priority/backlog`, `priority/critical-urgent`, `priority/awaiting-more-evidence`, `priority/important-longterm`, `priority/important-soon` or `good first issue`
@@ -46,14 +46,14 @@ This section describes the different stages of the triage flow for pull requests
 Pull requests come in with the labels `needs-triage`, `needs-priority` and `needs-kind` and one that indicates the size(`size/*`). Unfortunately there are also some legacy pull requests that only have a `size/*` label but neither `needs-triage` nor `needs-priority` . However for every pull request that does not have the `triage-accepted` label the following steps should be done to prepare them for further processing:   
 
 * Filter for pull requests [without the `triage-accepted`](https://github.com/kubernetes/ingress-nginx/pulls?q=is%3Aopen+-label%3Atriage%2Faccepted+is%3Apr) label.
-* Check if the cla is signed and all neccessary information are available. This is basically true, if people filled out the pull request template correctly. If everything is fine add the `triage-accepted` label.
+* Check if the cla is signed and all necessary information are available. This is basically true, if people filled out the pull request template correctly. If everything is fine add the `triage-accepted` label.
 * If at any point you don't know how to proceed with an issue during the triage process, tag one of the [core maintainers](OWNERS_ALIASES) in the issue to raise attention or alternatively come to [this slack channel](https://kubernetes.slack.com/archives/C021E147ZA4) which may be the quicker way as people tend to miss github notifications. 
 
 Who and When?
 * Basically everyone who wants to contribute can do the mentioned steps at any time.
 
-### Pull Request Priorization
-For all pull requests, where all neccessary information is available and cla is signed thus triage is accepted, we need to do some priorization: 
+### Pull Request Prioritization
+For all pull requests, where all necessary information is available and cla is signed thus triage is accepted, we need to do some prioritization: 
 
 * Go through all pull requests with label [`triage-accepted`](https://github.com/kubernetes/ingress-nginx/pulls?q=is%3Aopen+is%3Apr+label%3Atriage%2Faccepted).  
 * Sync the `kind/*` and `priority/*` label from the linked issue for the pull request. If the pull request does not have any issue associated (which normally should not be the case), add an appropriate priority and kind label (one of: `priority/backlog`, `priority/critical-urgent`, `priority/important-longterm`, `priority/important-soon`) 
@@ -79,10 +79,10 @@ Labels are helpful for issues or pull requests to indicate in which lifecycle st
   * [`area/lua`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Aarea%2Flua+is%3Aissue+): Indicates that the issue is related to lua. Add with `/area lua`.
   * [`area/docs`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Aarea%2Fdocs+is%3Aissue): Indicates that the issue is related to documentation. Add with `/area docs` .
 * Priority: 
-  * [`needs-priority`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3Aneeds-priority): Indicates that the issue has no priorization yet. Automatically added.
+  * [`needs-priority`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3Aneeds-priority): Indicates that the issue has no prioritization yet. Automatically added.
   * [`priority/critical-urgent`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Apriority%2Fcritical-urgent+is%3Aissue+): indicates that the issue has highest priority. Add with `/priority critical-urgent`.
   * [`priority/important-soon`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Apriority%2Fimportant-soon+is%3Aissue+): indicates that the issue should be worked on either currently soon, ideally in time for the next release. Add with `/priority important-soon`.
-  * [`priority/important-longterm`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Apriority%2Fimportant-longterm+is%3Aissue+): indicates that the issue is not important for now, but should be worked on in one of the upcomming releases. Add with `/priority important-longterm`.
+  * [`priority/important-longterm`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Apriority%2Fimportant-longterm+is%3Aissue+): indicates that the issue is not important for now, but should be worked on in one of the upcoming releases. Add with `/priority important-longterm`.
   * [`priority/backlog`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Apriority%2Fbacklog+is%3Aissue+): Indicates that the issue has the lowest priority. Add with `/priority backlog`.
 * Other: 
   * [`help wanted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22): indicates that the issue needs help from a contributor. Add with `/help`.

From d1ff845f4fbce99f588c1625b6effb9f71d53d41 Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Fri, 5 Nov 2021 19:11:53 +0530
Subject: [PATCH 204/376] changed text and added command (#7889)

---
 .github/ISSUE_TEMPLATE/bug_report.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 63a7bfbf6..66fba1fbf 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -43,18 +43,19 @@ kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --vers
 - **OS** (e.g. from /etc/os-release):
 - **Kernel** (e.g. `uname -a`):
 - **Install tools**:
-  - `Please mention how/where was clsuter created like kubeadm/kops/minikube/kind etc. `
+  - `Please mention how/where was the cluster created like kubeadm/kops/minikube/kind etc. `
 - **Basic cluster related info**:
   - `kubectl version`
   - `kubectl get nodes -o wide`
 
 - **How was the ingress-nginx-controller installed**:
-  - If helm was used then please show output of `helm ls -A`
+  - If helm was used then please show output of `helm ls -A | grep -i ingress`
   - If helm was used then please show output of `helm -n <ingresscontrollernamepspace> get values <helmreleasename>`
-  - If helm was not used, then please explain how the ingress-nginx-controller was installed or copy/paste the command used to install the controller below
+  - If helm was not used, then copy/paste the complete precise command used to install the controller, along with the flags and options used
   - if you have more than one instance of the ingress-nginx-controller installed in the same cluster, please provide details for all the instances
 
 - **Current State of the controller**:
+  - `kubectl describe ingressclasses`
   - `kubectl -n <ingresscontrollernamespace> get all -A -o wide`
   - `kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>`
   - `kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>`

From 62ab435958404769454a8d753f3d3db64f7b99cb Mon Sep 17 00:00:00 2001
From: Sablu Miah <sablumiah@gmail.com>
Date: Fri, 5 Nov 2021 20:34:41 +0000
Subject: [PATCH 205/376] Fix Formatting/Typo (#7894)

Quick simple typo/formatting fix to keep consistency with direct sections below
---
 docs/user-guide/nginx-configuration/configmap.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index 21cb2799e..281b0d510 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -312,7 +312,7 @@ _References:_
 
 ## disable-access-log
 
-Disables the Access Log from the entire Ingress Controller. _**default:**_ '"false"'
+Disables the Access Log from the entire Ingress Controller. _**default:**_ `false`
 
 _References:_
 [http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log](http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log)

From ce165f907873e7bf014b902cd09a1f8a7acdaa57 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Petazzoni?= <jerome.petazzoni@gmail.com>
Date: Fri, 5 Nov 2021 21:50:40 +0100
Subject: [PATCH 206/376] Try to improve the installation guide (#7757)

* move generic instructions to the beginning of the file
* add an example of ingress resource creation
* simplify a few commands to make them shorter and simpler
* add short paragraphs about PROXY protocol and traffic policy

This tries to address the concerns I expressed in #7701.
---
 docs/deploy/index.md | 229 ++++++++++++++++++++++++++++++-------------
 1 file changed, 159 insertions(+), 70 deletions(-)

diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index f5074b078..4dea7d985 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -1,37 +1,21 @@
 # Installation Guide
 
-!!! attention
-    The default configuration watches Ingress object from **all namespaces**.
+There are multiple ways to install the NGINX ingress controller:
+- with [Helm](https://helm.sh), using the project repository chart;
+- with `kubectl apply`, using YAML manifests;
+- with specific addons (e.g. for [minikube](#minikube) or [MicroK8s](#microk8s)).
 
-    To change this behavior use the flag `--watch-namespace` to limit the scope to a particular namespace.
-
-!!! warning
-    If multiple Ingresses define paths for the same host, the ingress controller **merges the definitions**.
-
-!!! danger
-    The [admission webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) requires connectivity between Kubernetes API server and the ingress controller.
-
-    In case [Network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) or additional firewalls, please allow access to port `8443`.
-
-!!! attention
-    The first time the ingress controller starts, two [Jobs](https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/) create the SSL Certificate used by the admission webhook.
-    For this reason, there is an initial delay of up to two minutes until it is possible to create and validate Ingress definitions. 
-
-You can wait until it is ready to run the next command:
-
-```yaml
- kubectl wait --namespace ingress-nginx \
-  --for=condition=ready pod \
-  --selector=app.kubernetes.io/component=controller \
-  --timeout=120s
-```
+On most Kubernetes clusters, the ingress controller will work without requiring any extra configuration. If you want to get started as fast as possible, you can check the [quick start](#quick-start) instructions. However, in many environments, you can improve the performance or get better logs by enabling extra features. we recommend that you check the [environment-specific instructions](#environment-specific-instructions) for details about optimizing the ingress controller for your particular environment or cloud provider.
 
 ## Contents
 
-- [Provider Specific Steps](#provider-specific-steps)
+<!-- Quick tip: run `grep '^##' index.md` to check that the table of contents is up to date. -->
+
+- [Quick start](#quick-start)
+- [Environment-specific instructions](#environment-specific-instructions)
   - [Docker Desktop](#docker-desktop)
   - [minikube](#minikube)
-  - [microk8s](#microk8s)
+  - [MicroK8s](#microk8s)
   - [AWS](#aws)
   - [GCE - GKE](#gce-gke)
   - [Azure](#azure)
@@ -40,18 +24,26 @@ You can wait until it is ready to run the next command:
   - [Exoscale](#exoscale)
   - [Oracle Cloud Infrastructure](#oracle-cloud-infrastructure)
   - [Bare-metal](#bare-metal)
-  - [Verify installation](#verify-installation)
-  - [Detect installed version](#detect-installed-version)
-- [Using Helm](#using-helm)
+- [Miscellaneous](#miscellaneous)
 
-### Provider Specific Steps
+## Quick start
 
-#### Docker Desktop
+You can deploy the ingress controller with the following command:
 
-Kubernetes is available in Docker Desktop
+```console
+helm upgrade --install ingress-nginx ingress-nginx \
+  --repo https://kubernetes.github.io/ingress-nginx \
+  --namespace ingress-nginx --create-namespace
+```
 
-- Mac, from [version 18.06.0-ce](https://docs.docker.com/docker-for-mac/release-notes/#stable-releases-of-2018)
-- Windows, from [version 18.06.0-ce](https://docs.docker.com/docker-for-windows/release-notes/#docker-community-edition-18060-ce-win70-2018-07-25)
+It will install the controller in the `ingress-nginx` namespace, creating that namespace if it doesn't already exist.
+
+!!! info
+    This command is *idempotent*:
+    - if the ingress controller is not installed, it will install it,
+    - if the ingress controller is already installed, it will upgrade it.
+
+This requires Helm version 3. If you prefer to use a YAML manifest, you can run the following command instead:
 
 !!! attention
     Before running the command at your terminal, make sure Kubernetes is enabled at Docker settings
@@ -60,23 +52,112 @@ Kubernetes is available in Docker Desktop
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/cloud/deploy.yaml
 ```
 
+!!! info
+    The YAML manifest in the command above was generated with `helm template`, so you will end up with almost the same resources as if you had used Helm to install the controller.
+
+If you are running an old version of Kubernetes (1.18 or earlier), please read
+[this paragraph](#running-on-Kubernetes-versions-older-than-1.19) for specific instructions.
+
+### Pre-flight check
+
+A few pods should start in the `ingress-nginx` namespace:
+
+```console
+kubectl get pods --namespace=ingress-nginx
+```
+
+After a while, they should all be running. The following command will wait for the ingress controller pod to be up, running, and ready:
+
+```console
+kubectl wait --namespace ingress-nginx \
+  --for=condition=ready pod \
+  --selector=app.kubernetes.io/component=controller \
+  --timeout=120s
+```
+
+### Local testing
+
+Let's create a simple web server and the associated service:
+
+```console
+kubectl create deployment demo --image=httpd --port=80
+kubectl expose deployment demo
+```
+
+Then create an ingress resource. The following example uses an host that maps to `localhost`:
+
+```console
+kubectl create ingress demo-localhost --class=nginx \
+  --rule=demo.localdev.me/*=demo:80
+```
+
+Now, forward a local port to the ingress controller:
+
+```console
+kubectl port-forward --namespace=ingress-nginx service/ingress-nginx-controller 8080:80
+```
+
+At this point, if you access http://demo.localdev.me:8080/, you should see an HTML page telling you "It works!".
+
+### Online testing
+
+If your Kubernetes cluster is a "real" cluster that supports services of type `LoadBalancer`, it will have allocated an external IP address or FQDN to the ingress controller.
+
+You can see that IP address or FQDN with the following command:
+
+```console
+kubectl get service ingress-nginx-controller --namespace=ingress-nginx
+```
+
+Set up a DNS record pointing to that IP address or FQDN; then create an ingress resource. The following example assumes that you have set up a DNS record for `www.demo.io`:
+
+```console
+kubectl create ingress demo --class=nginx \
+  --rule=www.demo.io/*=demo:80
+```
+
+You should then be able to see the "It works!" page when you connect to http://www.demo.io/. Congratulations, you are serving a public web site hosted on a Kubernetes cluster! 🎉
+
+## Environment-specific instructions
+
+### Local development clusters
+
 #### minikube
 
-For standard usage:
+The ingress controller can be installed through minikube's addons system:
 
 ```console
 minikube addons enable ingress
 ```
 
-#### microk8s
+#### MicroK8s
 
-For standard usage:
+The ingress controller can be installed through MicroK8s's addons system:
 
 ```console
 microk8s enable ingress
 ```
 
-Please check the microk8s [documentation page](https://microk8s.io/docs/addon-ingress)
+Please check the MicroK8s [documentation page](https://microk8s.io/docs/addon-ingress) for details.
+
+#### Docker Desktop
+
+Kubernetes is available in Docker Desktop:
+
+- Mac, from [version 18.06.0-ce](https://docs.docker.com/docker-for-mac/release-notes/#stable-releases-of-2018)
+- Windows, from [version 18.06.0-ce](https://docs.docker.com/docker-for-windows/release-notes/#docker-community-edition-18060-ce-win70-2018-07-25)
+
+The ingress controller can be installed on Docker Desktop using the default [quick start](#quick-start) instructions.
+
+On most systems, if you don't have any other service of type `LoadBalancer` bound to port 80, the ingress controller will be assigned the `EXTERNAL-IP` of `localhost`, which means that it will be reachable on localhost:80. If that doesn't work, you might have to fall back to the `kubectl port-forward` method described in the [local testing section](#local-testing).
+
+### Cloud deployments
+
+If the load balancers of your cloud provider do active healthchecks on their backends (most do), you can change the `externalTrafficPolicy` of the ingress controller Service to `Local` (instead of the default `Cluster`) to save an extra hop in some cases. If you're installing with Helm, this can be done by adding `--set controller.service.externalTrafficPolicy=Local` to the `helm install` or `helm upgrade` command.
+
+Furthermore, if the load balancers of your cloud provider support the PROXY protocol, you can enable it, and it will let the ingress controller see the real IP address of the clients. Otherwise, it will generally see the IP address of the upstream load balancer. This must be done both in the ingress controller (with e.g. `--set controller.config.use-proxy-protocol=true`) and in the cloud provider's load balancer configuration to function correctly.
+
+In the following sections, we provide YAML manifests that enable these options when possible, using the specific options of various cloud providers.
 
 #### AWS
 
@@ -189,7 +270,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 
 A [complete list of available annotations for Oracle Cloud Infrastructure](https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md) can be found in the [OCI Cloud Controller Manager](https://github.com/oracle/oci-cloud-controller-manager) documentation.
 
-#### Bare-metal
+### Bare metal clusters
 
 Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#nodeport):
 
@@ -203,50 +284,58 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 !!! info
     For extended notes regarding deployments on bare-metal, see [Bare-metal considerations](./baremetal.md).
 
-### Verify installation
+## Miscellaneous
 
-To check if the ingress controller pods have started, run the following command:
+### Checking ingress controller version
 
-```console
-kubectl get pods -n ingress-nginx \
-  -l app.kubernetes.io/name=ingress-nginx --watch
-```
-
-Once the ingress controller pods are running, you can cancel the command typing `Ctrl+C`.
-
-Now, you are ready to create your first ingress.
-
-### Detect installed version
-
-To detect which version of the ingress controller is running, exec into the pod and run `nginx-ingress-controller --version`.
+Run `nginx-ingress-controller --version` within the pod, for instance with `kubectl exec`:
 
 ```console
 POD_NAMESPACE=ingress-nginx
-POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/name=ingress-nginx --field-selector=status.phase=Running -o jsonpath='{.items[0].metadata.name}')
-
-kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version
+POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/name=ingress-nginx --field-selector=status.phase=Running -o name)
+kubectl exec $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version
 ```
 
-## Using Helm
+### Scope
+
+By default, the controller watches Ingress objects from all namespaces. If you want to change this behavior, use the flag `--watch-namespace` or check the Helm chart value `controller.scope` to limit the controller to a single namespace.
+
+See also [“How to easily install multiple instances of the Ingress NGINX controller in the same cluster”](https://kubernetes.github.io/ingress-nginx/#how-to-easily-install-multiple-instances-of-the-ingress-nginx-controller-in-the-same-cluster) for more details.
+
+### Webhook network access
+
+!!! warning
+    The controller uses an [admission webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) to validate Ingress definitions. Make sure that you don't have [Network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) or additional firewalls preventing connections from the API server to the `ingress-nginx-controller-admission` service.
+
+### Certificate generation
 
 !!! attention
-    Only Helm v3 is supported
+    The first time the ingress controller starts, two [Jobs](https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/) create the SSL Certificate used by the admission webhook.
 
-NGINX Ingress controller can be installed via [Helm](https://helm.sh/) using the chart from the project repository.
-To install the chart with the release name `ingress-nginx`:
+THis can cause an initial delay of up to two minutes until it is possible to create and validate Ingress definitions.
 
-```console
-helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
-helm repo update
+You can wait until it is ready to run the next command:
 
-helm install ingress-nginx ingress-nginx/ingress-nginx
+```yaml
+ kubectl wait --namespace ingress-nginx \
+  --for=condition=ready pod \
+  --selector=app.kubernetes.io/component=controller \
+  --timeout=120s
 ```
 
-[For multiple NGINX Ingress controllers](https://kubernetes.github.io/ingress-nginx/#how-to-easily-install-multiple-instances-of-the-ingress-nginx-controller-in-the-same-cluster)
+### Running on Kubernetes versions older than 1.19
 
-## Detect installed version:
+Ingress resources evolved over time. They started with `apiVersion: extensions/v1beta1`, then moved to `apiVersion: networking.k8s.io/v1beta1` and more recently to `apiVersion: networking.k8s.io/v1`.
 
-```console
-POD_NAME=$(kubectl get pods -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[0].metadata.name}')
-kubectl exec -it $POD_NAME -- /nginx-ingress-controller --version
-```
+Here is how these Ingress versions are supported in Kubernetes:
+- before Kubernetes 1.19, only `v1beta1` Ingress resources are supported
+- from Kubernetes 1.19 to 1.21, both `v1beta1` and `v1` Ingress resources are supported
+- in Kubernetes 1.22 and above, only `v1` Ingress resources are supported
+
+And here is how these Ingress versions are supported in NGINX Ingress Controller:
+- before version 1.0, only `v1beta1` Ingress resources are supported
+- in version 1.0 and above, only `v1` Ingress resources are
+
+As a result, if you're running Kubernetes 1.19 or later, you should be able to use the latest version of the NGINX Ingress Controller; but if you're using an old version of Kubernetes (1.18 or earlier) you will have to use version 0.X of the NGINX Ingress Controller (e.g. version 0.49).
+
+The Helm chart of the NGINX Ingress Controller switched to version 1 in version 4 of the chart. In other words, if you're running Kubernetes 1.19 or earlier, you should use version 3.X of the chart (this can be done by adding `--version='<4'` to the `helm install` command).

From 72ec0e290ea22a4607465cf01a1b4bda75930a8d Mon Sep 17 00:00:00 2001
From: Jennifer <JenniferMack@users.noreply.github.com>
Date: Fri, 5 Nov 2021 13:54:40 -0700
Subject: [PATCH 207/376] Remove double spacing (#7830)

---
 charts/ingress-nginx/templates/controller-configmap.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml
index 697389207..5d618420f 100644
--- a/charts/ingress-nginx/templates/controller-configmap.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap.yaml
@@ -21,6 +21,6 @@ data:
   ssl-dh-param: {{ printf "%s/%s" .Release.Namespace (include "ingress-nginx.controller.fullname" .) }}
 {{- end }}
 {{- range $key, $value := .Values.controller.config }}
-    {{ $key | nindent 2 }}: {{ $value | quote }}
+    {{- $key | nindent 2 }}: {{ $value | quote }}
 {{- end }}
 

From b7b2714b694f576b0021f49c35f8e4f453b3ff12 Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Tue, 9 Nov 2021 01:15:39 -0500
Subject: [PATCH 208/376] Update proxy-set-header example (#7898)

The Example was directed to the repo markdown and not the site.

/kind documentation
---
 docs/user-guide/nginx-configuration/configmap.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index 281b0d510..fc093c4af 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -496,7 +496,7 @@ _**default:**_ "0.0.0.0/0"
 
 ## proxy-set-headers
 
-Sets custom headers from named configmap before sending traffic to backends. The value format is namespace/name.  See [example](https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers)
+Sets custom headers from named configmap before sending traffic to backends. The value format is namespace/name.  See [example](https://kubernetes.github.io/ingress-nginx/examples/customization/custom-headers/)
 
 ## server-name-hash-max-size
 

From 017e1ecde30c0d283f55a59a74f4c4f9ff64f00e Mon Sep 17 00:00:00 2001
From: Gerald Pape <ubergesundheit@users.noreply.github.com>
Date: Tue, 9 Nov 2021 16:43:49 +0100
Subject: [PATCH 209/376] Fix Ingress resources in docs (#7579)

* fix Ingress resources in docs

Signed-off-by: Gerald Pape <gerald@giantswarm.io>

* move to ingressClassName

* fix more Ingress resource examples

* empty commit

Signed-off-by: Gerald Pape <gerald@giantswarm.io>

* make NOTES.txt aware of version + add notice about ingress version to examples main page

* add link to legacy documentation

Signed-off-by: Gerald Pape <gerald@giantswarm.io>
---
 .github/ISSUE_TEMPLATE/bug_report.md            |  3 +++
 charts/ingress-nginx/README.md                  |  9 +++++----
 charts/ingress-nginx/templates/NOTES.txt        | 17 ++++++++++++-----
 .../affinity/cookie/ingress-samesite.yaml       |  4 +++-
 docs/examples/affinity/cookie/ingress.yaml      |  1 +
 docs/examples/auth/basic/README.md              |  1 +
 docs/examples/auth/client-certs/ingress.yaml    |  1 +
 docs/examples/auth/external-auth/ingress.yaml   |  3 ++-
 .../oauth-external-auth/dashboard-ingress.yaml  |  2 ++
 docs/examples/chashsubset/deployment.yaml       |  2 +-
 .../configuration-snippets/ingress.yaml         |  1 +
 .../deploy/echo-service.yaml                    |  2 ++
 .../docker-registry/ingress-with-tls.yaml       |  3 ++-
 .../docker-registry/ingress-without-tls.yaml    |  3 ++-
 docs/examples/grpc/README.md                    |  4 ++--
 docs/examples/index.md                          |  8 ++++++--
 docs/examples/multi-tls/multi-tls.yaml          |  1 +
 docs/examples/rewrite/README.md                 |  2 ++
 docs/examples/static-ip/nginx-ingress.yaml      |  1 +
 docs/examples/tls-termination/README.md         |  3 ++-
 docs/examples/tls-termination/ingress.yaml      |  1 +
 docs/user-guide/basic-usage.md                  |  8 +++-----
 docs/user-guide/fcgi-services.md                |  2 +-
 docs/user-guide/ingress-path-matching.md        |  4 ++++
 .../third-party-addons/opentracing.md           |  1 +
 25 files changed, 62 insertions(+), 25 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 66fba1fbf..f266d0f29 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -105,7 +105,10 @@ echo "
   kind: Ingress
   metadata:
     name: foo-bar
+    annotations:
+      kubernetes.io/ingress.class: nginx
   spec:
+    ingressClassName: nginx # omit this if you're on controller version below 1.0.0
     rules:
     - host: foo.bar
       http:
diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index fecbbcde2..5e5c8b235 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -2,13 +2,14 @@
 
 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 
-To use, add the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
+To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
 
 This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
 
 ## Prerequisites
 
-- Kubernetes v1.16+
+- Chart version 3.x.x: Kubernetes v1.16+
+- Chart version 4.x.x and above: Kubernetes v1.19+
 
 ## Get Repo Info
 
@@ -177,8 +178,8 @@ controller:
         networking.gke.io/load-balancer-type: "Internal"
         # For earlier versions
         # cloud.google.com/load-balancer-type: "Internal"
-        
-        # Any other annotation can be declared here. 
+
+        # Any other annotation can be declared here.
 ```
 
 Example for Azure:
diff --git a/charts/ingress-nginx/templates/NOTES.txt b/charts/ingress-nginx/templates/NOTES.txt
index 2dbf14f21..c10ab03ed 100644
--- a/charts/ingress-nginx/templates/NOTES.txt
+++ b/charts/ingress-nginx/templates/NOTES.txt
@@ -29,23 +29,30 @@ Get the application URL by running these commands:
 
 An example Ingress that makes use of the controller:
 
+{{- $isV1 := semverCompare ">=1" .Chart.AppVersion}}
   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: example
     namespace: foo
+    {{- if eq $isV1 false }}
+    annotations:
+      kubernetes.io/ingress.class: {{ .Values.controller.ingressClass }}
+    {{- end }}
   spec:
-    ingressClassName: example-class
+    {{- if $isV1 }}
+    ingressClassName: {{ .Values.controller.ingressClassResource.name }}
+    {{- end }}
     rules:
       - host: www.example.com
         http:
           paths:
-            - path: /
-              pathType: Prefix
-              backend:
+            - backend:
                 service:
                   name: exampleService
-                  port: 80
+                  port:
+                    number: 80
+              path: /
     # This section is only required if TLS is to be enabled for the Ingress
     tls:
       - hosts:
diff --git a/docs/examples/affinity/cookie/ingress-samesite.yaml b/docs/examples/affinity/cookie/ingress-samesite.yaml
index d03a25e39..2f7022ef7 100644
--- a/docs/examples/affinity/cookie/ingress-samesite.yaml
+++ b/docs/examples/affinity/cookie/ingress-samesite.yaml
@@ -11,6 +11,7 @@ metadata:
     nginx.ingress.kubernetes.io/session-cookie-samesite: "None"
     nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none: "true" # omits SameSite=None for older browsers which reject cookies with SameSite=None
 spec:
+  ingressClassName: nginx
   rules:
   - host: stickyingress-samesite-none.example.com
     http:
@@ -34,6 +35,7 @@ metadata:
     nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"
     nginx.ingress.kubernetes.io/session-cookie-samesite: "Strict"
 spec:
+  ingressClassName: nginx
   rules:
   - host: stickyingress-samesite-strict.example.com
     http:
@@ -44,4 +46,4 @@ spec:
           service:
             name: http-svc
             port:
-              number: 80
\ No newline at end of file
+              number: 80
diff --git a/docs/examples/affinity/cookie/ingress.yaml b/docs/examples/affinity/cookie/ingress.yaml
index d3053021e..4ca9fbc09 100644
--- a/docs/examples/affinity/cookie/ingress.yaml
+++ b/docs/examples/affinity/cookie/ingress.yaml
@@ -9,6 +9,7 @@ metadata:
     nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"
 
 spec:
+  ingressClassName: nginx
   rules:
   - host: stickyingress.example.com
     http:
diff --git a/docs/examples/auth/basic/README.md b/docs/examples/auth/basic/README.md
index d3d255afb..ffd8495f3 100644
--- a/docs/examples/auth/basic/README.md
+++ b/docs/examples/auth/basic/README.md
@@ -42,6 +42,7 @@ metadata:
     # message to display with an appropriate context why the authentication is required
     nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
 spec:
+  ingressClassName: nginx
   rules:
   - host: foo.bar.com
     http:
diff --git a/docs/examples/auth/client-certs/ingress.yaml b/docs/examples/auth/client-certs/ingress.yaml
index 90ff87514..0cd56fcbf 100644
--- a/docs/examples/auth/client-certs/ingress.yaml
+++ b/docs/examples/auth/client-certs/ingress.yaml
@@ -15,6 +15,7 @@ metadata:
   name: nginx-test
   namespace: default
 spec:
+  ingressClassName: nginx
   rules:
   - host: mydomain.com
     http:
diff --git a/docs/examples/auth/external-auth/ingress.yaml b/docs/examples/auth/external-auth/ingress.yaml
index df80cbb25..1aa2f36e9 100644
--- a/docs/examples/auth/external-auth/ingress.yaml
+++ b/docs/examples/auth/external-auth/ingress.yaml
@@ -5,6 +5,7 @@ metadata:
     nginx.ingress.kubernetes.io/auth-url: "https://httpbin.org/basic-auth/user/passwd"
   name: external-auth
 spec:
+  ingressClassName: nginx
   rules:
   - host: external-auth-01.sample.com
     http:
@@ -15,4 +16,4 @@ spec:
           service:
             name: http-svc
             port:
-              number: 80
\ No newline at end of file
+              number: 80
diff --git a/docs/examples/auth/oauth-external-auth/dashboard-ingress.yaml b/docs/examples/auth/oauth-external-auth/dashboard-ingress.yaml
index 4c0a2d373..198a165f4 100644
--- a/docs/examples/auth/oauth-external-auth/dashboard-ingress.yaml
+++ b/docs/examples/auth/oauth-external-auth/dashboard-ingress.yaml
@@ -7,6 +7,7 @@ metadata:
   name: external-auth-oauth2
   namespace: kube-system
 spec:
+  ingressClassName: nginx
   rules:
   - host: __INGRESS_HOST__
     http:
@@ -26,6 +27,7 @@ metadata:
   name: oauth2-proxy
   namespace: kube-system
 spec:
+  ingressClassName: nginx
   rules:
   - host: __INGRESS_HOST__
     http:
diff --git a/docs/examples/chashsubset/deployment.yaml b/docs/examples/chashsubset/deployment.yaml
index 867cd01c0..0ac13fcce 100644
--- a/docs/examples/chashsubset/deployment.yaml
+++ b/docs/examples/chashsubset/deployment.yaml
@@ -64,6 +64,7 @@ metadata:
   name: nginxhello-ingress
   namespace: default
 spec:
+  ingressClassName: nginx
   rules:
   - host: foo.bar.com
     http:
@@ -75,4 +76,3 @@ spec:
               name: nginxhello
               port:
                 number: 80
-
diff --git a/docs/examples/customization/configuration-snippets/ingress.yaml b/docs/examples/customization/configuration-snippets/ingress.yaml
index aaf31f0bb..1f0c4f24a 100644
--- a/docs/examples/customization/configuration-snippets/ingress.yaml
+++ b/docs/examples/customization/configuration-snippets/ingress.yaml
@@ -6,6 +6,7 @@ metadata:
     nginx.ingress.kubernetes.io/configuration-snippet: |
       more_set_headers "Request-Id: $req_id";
 spec:
+  ingressClassName: nginx
   rules:
   - host: custom.configuration.com
     http:
diff --git a/docs/examples/customization/external-auth-headers/deploy/echo-service.yaml b/docs/examples/customization/external-auth-headers/deploy/echo-service.yaml
index 3a80ae834..9881ac8d0 100644
--- a/docs/examples/customization/external-auth-headers/deploy/echo-service.yaml
+++ b/docs/examples/customization/external-auth-headers/deploy/echo-service.yaml
@@ -52,6 +52,7 @@ metadata:
     nginx.ingress.kubernetes.io/auth-response-headers: UserID, UserRole
   namespace: default
 spec:
+  ingressClassName: nginx
   rules:
   - host: public-demo-echo-service.kube.local
     http:
@@ -73,6 +74,7 @@ metadata:
     nginx.ingress.kubernetes.io/auth-response-headers: UserID, UserRole
   namespace: default
 spec:
+  ingressClassName: nginx
   rules:
   - host: secure-demo-echo-service.kube.local
     http:
diff --git a/docs/examples/docker-registry/ingress-with-tls.yaml b/docs/examples/docker-registry/ingress-with-tls.yaml
index bef35c50b..1bdd9ed7a 100644
--- a/docs/examples/docker-registry/ingress-with-tls.yaml
+++ b/docs/examples/docker-registry/ingress-with-tls.yaml
@@ -9,6 +9,7 @@ metadata:
   name: docker-registry
   namespace: docker-registry
 spec:
+  ingressClassName: nginx
   tls:
   - hosts:
     - registry.<your domain>
@@ -23,4 +24,4 @@ spec:
           service:
             name: docker-registry
             port:
-              number: 5000
\ No newline at end of file
+              number: 5000
diff --git a/docs/examples/docker-registry/ingress-without-tls.yaml b/docs/examples/docker-registry/ingress-without-tls.yaml
index f64cbb295..d0ffc8baf 100644
--- a/docs/examples/docker-registry/ingress-without-tls.yaml
+++ b/docs/examples/docker-registry/ingress-without-tls.yaml
@@ -8,6 +8,7 @@ metadata:
   name: docker-registry
   namespace: docker-registry
 spec:
+  ingressClassName: nginx
   rules:
   - host: registry.<your domain>
     http:
@@ -18,4 +19,4 @@ spec:
           service:
             name: docker-registry
             port:
-              number: 5000
+              number: 5000
\ No newline at end of file
diff --git a/docs/examples/grpc/README.md b/docs/examples/grpc/README.md
index a20c8c7dd..a738450a9 100644
--- a/docs/examples/grpc/README.md
+++ b/docs/examples/grpc/README.md
@@ -16,7 +16,7 @@ This example demonstrates how to route traffic to a gRPC service through the ngi
   ```
   $ kubectl get po -A -o wide | grep go-grpc-greeter-server
   ```
-- If you have a gRPC app deployed in your cluster, then skip further notes in this Step 1, and continue from Step 2 below. 
+- If you have a gRPC app deployed in your cluster, then skip further notes in this Step 1, and continue from Step 2 below.
 
 - As an example gRPC application, we can use this app <https://github.com/grpc/grpc-go/blob/91e0aeb192456225adf27966d04ada4cf8599915/examples/features/reflection/server/main.go> .
 
@@ -94,12 +94,12 @@ This example demonstrates how to route traffic to a gRPC service through the ngi
   kind: Ingress
   metadata:
     annotations:
-      kubernetes.io/ingress.class: "nginx"
       nginx.ingress.kubernetes.io/ssl-redirect: "true"
       nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
     name: fortune-ingress
     namespace: default
   spec:
+    ingressClassName: nginx
     rules:
     - host: grpctest.dev.mydomain.com
       http:
diff --git a/docs/examples/index.md b/docs/examples/index.md
index 04f42ea60..8a5fd5f51 100644
--- a/docs/examples/index.md
+++ b/docs/examples/index.md
@@ -1,8 +1,12 @@
 # Ingress examples
 
-This directory contains a catalog of examples on how to run, configure and scale Ingress.  
+This directory contains a catalog of examples on how to run, configure and scale Ingress.
 Please review the [prerequisites](PREREQUISITES.md) before trying them.
 
+The examples on these pages include the `spec.ingressClassName` field which replaces the deprecated `kubernetes.io/ingress.class: nginx` annotation. Users of ingress-nginx < 1.0.0 (Helm chart < 4.0.0) should use the [legacy documentation](https://github.com/kubernetes/ingress-nginx/tree/legacy/docs/examples).
+
+For more information, check out the [Migration to apiVersion networking.k8s.io/v1](../#faq-migration-to-apiversion-networkingk8siov1) guide.
+
 Category | Name | Description | Complexity Level
 ---------| ---- | ----------- | ----------------
 Apps | [Docker Registry](docker-registry/README.md) | TODO | TODO
@@ -14,7 +18,7 @@ Customization | [Configuration snippets](customization/configuration-snippets/RE
 Customization | [Custom configuration](customization/custom-configuration/README.md) | TODO | TODO
 Customization | [Custom DH parameters for perfect forward secrecy](customization/ssl-dh-param/README.md) | TODO | TODO
 Customization | [Custom errors](customization/custom-errors/README.md) | serve custom error pages from the default backend | Intermediate
-Customization | [Custom headers](customization/custom-headers/README.md) | set custom headers before sending traffic to backends  | Advanced
+Customization | [Custom headers](customization/custom-headers/README.md) | set custom headers before sending traffic to backends | Advanced
 Customization | [External authentication with response header propagation](customization/external-auth-headers/README.md) | TODO | TODO
 Customization | [Sysctl tuning](customization/sysctl/README.md) | TODO | TODO
 Features | [Rewrite](rewrite/README.md) | TODO | TODO
diff --git a/docs/examples/multi-tls/multi-tls.yaml b/docs/examples/multi-tls/multi-tls.yaml
index aa2cf54d6..3612ab6d7 100644
--- a/docs/examples/multi-tls/multi-tls.yaml
+++ b/docs/examples/multi-tls/multi-tls.yaml
@@ -98,6 +98,7 @@ metadata:
   name: foo-tls
   namespace: default
 spec:
+  ingressClassName: nginx
   tls:
   - hosts:
     - foo.bar.com
diff --git a/docs/examples/rewrite/README.md b/docs/examples/rewrite/README.md
index 3c48b100f..fbe9f30c7 100644
--- a/docs/examples/rewrite/README.md
+++ b/docs/examples/rewrite/README.md
@@ -42,6 +42,7 @@ metadata:
   name: rewrite
   namespace: default
 spec:
+  ingressClassName: nginx
   rules:
   - host: rewrite.bar.com
     http:
@@ -77,6 +78,7 @@ metadata:
   name: approot
   namespace: default
 spec:
+  ingressClassName: nginx
   rules:
   - host: approot.bar.com
     http:
diff --git a/docs/examples/static-ip/nginx-ingress.yaml b/docs/examples/static-ip/nginx-ingress.yaml
index 740f46e89..5c8a3c920 100644
--- a/docs/examples/static-ip/nginx-ingress.yaml
+++ b/docs/examples/static-ip/nginx-ingress.yaml
@@ -3,6 +3,7 @@ kind: Ingress
 metadata:
   name: ingress-nginx
 spec:
+  ingressClassName: nginx
   tls:
   # This assumes tls-secret exists.
   - secretName: tls-secret
diff --git a/docs/examples/tls-termination/README.md b/docs/examples/tls-termination/README.md
index 2df767e26..f4fe2e81d 100644
--- a/docs/examples/tls-termination/README.md
+++ b/docs/examples/tls-termination/README.md
@@ -22,6 +22,7 @@ spec:
       # This assumes tls-secret exists and the SSL
       # certificate contains a CN for foo.bar.com
       secretName: tls-secret
+  ingressClassName: nginx
   rules:
     - host: foo.bar.com
       http:
@@ -32,7 +33,7 @@ spec:
             # This assumes http-svc exists and routes to healthy endpoints
             service:
               name: http-svc
-              port: 
+              port:
                 number: 80
 ```
 
diff --git a/docs/examples/tls-termination/ingress.yaml b/docs/examples/tls-termination/ingress.yaml
index debaa45b2..890247fd3 100644
--- a/docs/examples/tls-termination/ingress.yaml
+++ b/docs/examples/tls-termination/ingress.yaml
@@ -3,6 +3,7 @@ kind: Ingress
 metadata:
   name: nginx-test
 spec:
+  ingressClassName: nginx
   tls:
     - hosts:
       - foo.bar.com
diff --git a/docs/user-guide/basic-usage.md b/docs/user-guide/basic-usage.md
index 64c81148b..cbb7004c7 100644
--- a/docs/user-guide/basic-usage.md
+++ b/docs/user-guide/basic-usage.md
@@ -13,10 +13,8 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: ingress-myservicea
-  annotations:
-    # use the shared ingress-nginx
-    kubernetes.io/ingress.class: "nginx"
 spec:
+  ingressClassName: nginx
   rules:
   - host: myservicea.foo.org
     http:
@@ -67,7 +65,7 @@ spec:
         backend:
           service:
             name: myservicea
-            port: 
+            port:
               number: 80
   ingressClassName: nginx
 ---
@@ -85,7 +83,7 @@ spec:
         backend:
           service:
             name: myserviceb
-            port: 
+            port:
               number: 80
   ingressClassName: nginx
 ```
diff --git a/docs/user-guide/fcgi-services.md b/docs/user-guide/fcgi-services.md
index 03afc89d1..becb4819f 100644
--- a/docs/user-guide/fcgi-services.md
+++ b/docs/user-guide/fcgi-services.md
@@ -64,12 +64,12 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
-    kubernetes.io/ingress.class: "nginx"
     nginx.ingress.kubernetes.io/backend-protocol: "FCGI"
     nginx.ingress.kubernetes.io/fastcgi-index: "index.php"
     nginx.ingress.kubernetes.io/fastcgi-params-configmap: "example-cm"
   name: example-app
 spec:
+  ingressClassName: nginx
   rules:
   - host: app.example.com
     http:
diff --git a/docs/user-guide/ingress-path-matching.md b/docs/user-guide/ingress-path-matching.md
index e5e0d9a50..321ddfa8e 100644
--- a/docs/user-guide/ingress-path-matching.md
+++ b/docs/user-guide/ingress-path-matching.md
@@ -22,6 +22,7 @@ metadata:
   annotations:
     nginx.ingress.kubernetes.io/use-regex: "true"
 spec:
+  ingressClassName: nginx
   rules:
   - host: test.com
     http:
@@ -59,6 +60,7 @@ kind: Ingress
 metadata:
   name: test-ingress-1
 spec:
+  ingressClassName: nginx
   rules:
   - host: test.com
     http:
@@ -87,6 +89,7 @@ metadata:
   annotations:
     nginx.ingress.kubernetes.io/rewrite-target: /$1
 spec:
+  ingressClassName: nginx
   rules:
   - host: test.com
     http:
@@ -144,6 +147,7 @@ metadata:
   annotations:
     nginx.ingress.kubernetes.io/use-regex: "true"
 spec:
+  ingressClassName: nginx
   rules:
   - host: test.com
     http:
diff --git a/docs/user-guide/third-party-addons/opentracing.md b/docs/user-guide/third-party-addons/opentracing.md
index e27f32f6b..27c64e300 100644
--- a/docs/user-guide/third-party-addons/opentracing.md
+++ b/docs/user-guide/third-party-addons/opentracing.md
@@ -185,6 +185,7 @@ In the Zipkin interface we can see the details:
       metadata:
         name: echo-ingress
       spec:
+        ingressClassName: nginx
         rules:
         - host: example.com
           http:

From af232df1afa29c03d4ae55de9021612d51bec4f7 Mon Sep 17 00:00:00 2001
From: sandipanpanda <87253083+sandipanpanda@users.noreply.github.com>
Date: Thu, 11 Nov 2021 23:12:09 +0530
Subject: [PATCH 210/376]  Update anchor links of Nodeport from #nodeport to
 #type-nodeport (#7899)

* Update anchor link from #nodeport to #type-nodeport in baremetal.md

* Update anchor link from #nodeport to #type-nodeport in baremetal.md
---
 docs/deploy/baremetal.md | 2 +-
 docs/deploy/index.md     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/deploy/baremetal.md b/docs/deploy/baremetal.md
index 436fdc4ae..b54c7f61e 100644
--- a/docs/deploy/baremetal.md
+++ b/docs/deploy/baremetal.md
@@ -250,7 +250,7 @@ for generating redirect URLs that take into account the URL used by external cli
     ```
 
 [install-baremetal]: ./index.md#bare-metal
-[nodeport-def]: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
+[nodeport-def]: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
 [nodeport-nat]: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-type-nodeport
 [pod-assign]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
 [preserve-ip]: https://github.com/kubernetes/ingress-nginx/blob/nginx-0.19.0/deploy/provider/aws/service-nlb.yaml#L12-L14
diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index 4dea7d985..197a0efbd 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -272,7 +272,7 @@ A [complete list of available annotations for Oracle Cloud Infrastructure](https
 
 ### Bare metal clusters
 
-Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#nodeport):
+Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport):
 
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/baremetal/deploy.yaml

From 100057d0c5daec02331bb3412bd5d72e203e899e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christopher=20Larivi=C3=A8re?= <lariviere.c@gmail.com>
Date: Thu, 11 Nov 2021 13:26:08 -0500
Subject: [PATCH 211/376] fix missing `\-` in regex expression for CORS
 wildcard domain (#7904)

---
 internal/ingress/controller/template/template.go |  2 +-
 test/e2e/annotations/cors.go                     | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go
index 1147c8e5d..ae5ec259a 100644
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@@ -1680,7 +1680,7 @@ func convertGoSliceIntoLuaTable(goSliceInterface interface{}, emptyStringAsNil b
 
 func buildOriginRegex(origin string) string {
 	origin = regexp.QuoteMeta(origin)
-	origin = strings.Replace(origin, "\\*", "[A-Za-z0-9]+", 1)
+	origin = strings.Replace(origin, "\\*", `[A-Za-z0-9\-]+`, 1)
 	return fmt.Sprintf("(%s)", origin)
 }
 
diff --git a/test/e2e/annotations/cors.go b/test/e2e/annotations/cors.go
index c17eb0b20..64b633173 100644
--- a/test/e2e/annotations/cors.go
+++ b/test/e2e/annotations/cors.go
@@ -425,6 +425,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
 	ginkgo.It("should allow - matching origin with wildcard origin (2 subdomains)", func() {
 		host := "cors.foo.com"
 		origin := "http://foo.origin.cors.com"
+		origin2 := "http://bar-foo.origin.cors.com"
 		annotations := map[string]string{
 			"nginx.ingress.kubernetes.io/enable-cors":       "true",
 			"nginx.ingress.kubernetes.io/cors-allow-origin": "http://*.origin.cors.com, http://*.origin.com:8080",
@@ -447,6 +448,21 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
 			Expect().
 			Status(http.StatusOK).Headers().
 			ValueEqual("Access-Control-Allow-Origin", []string{origin})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin2).
+			Expect().
+			Headers().ContainsKey("Access-Control-Allow-Origin")
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("Origin", origin2).
+			Expect().
+			Status(http.StatusOK).Headers().
+			ValueEqual("Access-Control-Allow-Origin", []string{origin2})
 	})
 
 	ginkgo.It("should not allow - unmatching origin with wildcard origin (2 subdomains)", func() {

From 8333c8c127582370d0cc35951d0c7dba1abe36de Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Fri, 12 Nov 2021 14:34:29 -0500
Subject: [PATCH 212/376] update docs with a warning about cert chain order
 (#7908)

---
 docs/examples/PREREQUISITES.md | 4 +++-
 docs/user-guide/tls.md         | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/docs/examples/PREREQUISITES.md b/docs/examples/PREREQUISITES.md
index 4d122b148..4f9f80baf 100644
--- a/docs/examples/PREREQUISITES.md
+++ b/docs/examples/PREREQUISITES.md
@@ -26,7 +26,7 @@ Note: If using CA Authentication, described below, you will need to sign the ser
 CA Authentication also known as Mutual Authentication allows both the server and client to verify each others
 identity via a common CA.
 
-We have a CA Certificate which we obtain usually from a Certificate Authority and use that to sign
+We have a CA Certificate which we usually obtain from a Certificate Authority and use that to sign
 both our server certificate and client certificate. Then every time we want to access our backend, we must
 pass the client certificate.
 
@@ -54,6 +54,8 @@ openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set
 
 Once this is complete you can continue to follow the instructions [here](./auth/client-certs/README.md#creating-certificate-secrets)
 
+
+
 ## Test HTTP Service
 
 All examples that require a test HTTP Service use the standard http-svc pod,
diff --git a/docs/user-guide/tls.md b/docs/user-guide/tls.md
index 264a1c617..636bf3aed 100644
--- a/docs/user-guide/tls.md
+++ b/docs/user-guide/tls.md
@@ -4,6 +4,9 @@
 
 Anytime we reference a TLS secret, we mean a PEM-encoded X.509, RSA (2048) secret.
 
+!!! warning
+    Ensure that the certificate order is leaf->intermediate->root, otherwise the controller will not be able to import the certificate, and you'll see this error in the logs ```W1012 09:15:45.920000       6 backend_ssl.go:46] Error obtaining X.509 certificate: unexpected error creating SSL Cert: certificate and private key does not have a matching public key: tls: private key does not match public key```
+
 You can generate a self-signed certificate and private key with:
 
 ```bash

From 67e13bf692841e47038883f8f385aec50ff65851 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Fri, 12 Nov 2021 16:40:30 -0300
Subject: [PATCH 213/376] Add option to sanitize annotation inputs (#7874)

* Add option to sanitize annotation inputs

* Fix e2e tests after string sanitization

* Add proxy_pass and serviceaccount as denied values
---
 .../ingress/annotations/parser/main_test.go   |   6 +
 internal/ingress/controller/config/config.go  |  21 +++
 internal/ingress/controller/controller.go     |  12 +-
 .../ingress/controller/controller_test.go     |  17 ++
 internal/ingress/controller/store/store.go    |  23 +++
 test/e2e/admission/admission.go               |  22 +++
 test/e2e/annotations/globalratelimit.go       |   5 +
 .../annotations/modsecurity/modsecurity.go    |  20 ++-
 test/e2e/framework/util.go                    |   2 +-
 test/e2e/ingress/pathtype_mixed.go            |  18 +--
 test/e2e/settings/badannotationvalues.go      | 153 ++++++++++++++++++
 11 files changed, 283 insertions(+), 16 deletions(-)
 create mode 100644 test/e2e/settings/badannotationvalues.go

diff --git a/internal/ingress/annotations/parser/main_test.go b/internal/ingress/annotations/parser/main_test.go
index f63560ca3..7b01a1230 100644
--- a/internal/ingress/annotations/parser/main_test.go
+++ b/internal/ingress/annotations/parser/main_test.go
@@ -116,6 +116,12 @@ rewrite (?i)/arcgis/services/Utilities/Geometry/GeometryServer(.*)$ /arcgis/serv
 			}
 			continue
 		}
+		if !test.expErr {
+			if err != nil {
+				t.Errorf("%v: didn't expected error but error was returned: %v", test.name, err)
+			}
+			continue
+		}
 		if s != test.exp {
 			t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.name, test.exp, s)
 		}
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
index 2d853cfb0..b54257ebc 100644
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@@ -18,6 +18,7 @@ package config
 
 import (
 	"strconv"
+	"strings"
 	"time"
 
 	"k8s.io/klog/v2"
@@ -97,6 +98,11 @@ type Configuration struct {
 	// If disabled, only snippets added via ConfigMap are added to ingress.
 	AllowSnippetAnnotations bool `json:"allow-snippet-annotations"`
 
+	// AnnotationValueWordBlocklist defines words that should not be part of an user annotation value
+	// (can be used to run arbitrary code or configs, for example) and that should be dropped.
+	// This list should be separated by "," character
+	AnnotationValueWordBlocklist string `json:"annotation-value-word-blocklist"`
+
 	// Sets the name of the configmap that contains the headers to pass to the client
 	AddHeaders string `json:"add-headers,omitempty"`
 
@@ -762,6 +768,20 @@ func NewDefault() Configuration {
 	defNginxStatusIpv6Whitelist := make([]string, 0)
 	defResponseHeaders := make([]string, 0)
 
+	defAnnotationValueWordBlocklist := []string{
+		"load_module",
+		"lua_package",
+		"_by_lua",
+		"location",
+		"root",
+		"proxy_pass",
+		"serviceaccount",
+		"{",
+		"}",
+		"'",
+		"\\",
+	}
+
 	defIPCIDR = append(defIPCIDR, "0.0.0.0/0")
 	defNginxStatusIpv4Whitelist = append(defNginxStatusIpv4Whitelist, "127.0.0.1")
 	defNginxStatusIpv6Whitelist = append(defNginxStatusIpv6Whitelist, "::1")
@@ -772,6 +792,7 @@ func NewDefault() Configuration {
 
 		AllowSnippetAnnotations:          true,
 		AllowBackendServerHeader:         false,
+		AnnotationValueWordBlocklist:     strings.Join(defAnnotationValueWordBlocklist, ","),
 		AccessLogPath:                    "/var/log/nginx/access.log",
 		AccessLogParams:                  "",
 		EnableAccessLogForDefaultBackend: false,
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index d648bb3ae..b51071630 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -239,12 +239,22 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 	cfg := n.store.GetBackendConfiguration()
 	cfg.Resolver = n.resolver
 
-	for key := range ing.ObjectMeta.GetAnnotations() {
+	arraybadWords := strings.Split(strings.TrimSpace(cfg.AnnotationValueWordBlocklist), ",")
+
+	for key, value := range ing.ObjectMeta.GetAnnotations() {
+
 		if parser.AnnotationsPrefix != parser.DefaultAnnotationsPrefix {
 			if strings.HasPrefix(key, fmt.Sprintf("%s/", parser.DefaultAnnotationsPrefix)) {
 				return fmt.Errorf("This deployment has a custom annotation prefix defined. Use '%s' instead of '%s'", parser.AnnotationsPrefix, parser.DefaultAnnotationsPrefix)
 			}
 		}
+		if strings.HasPrefix(key, fmt.Sprintf("%s/", parser.AnnotationsPrefix)) {
+			for _, forbiddenvalue := range arraybadWords {
+				if strings.Contains(value, forbiddenvalue) {
+					return fmt.Errorf("%s annotation contains invalid word %s", key, forbiddenvalue)
+				}
+			}
+		}
 
 		if !cfg.AllowSnippetAnnotations && strings.HasSuffix(key, "-snippet") {
 			return fmt.Errorf("%s annotation cannot be used. Snippet directives are disabled by the Ingress administrator", key)
diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go
index d7020bb48..f9d60974f 100644
--- a/internal/ingress/controller/controller_test.go
+++ b/internal/ingress/controller/controller_test.go
@@ -268,6 +268,23 @@ func TestCheckIngress(t *testing.T) {
 			}
 		})
 
+		t.Run("When invalid directives are used in annotation values", func(t *testing.T) {
+			nginx.store = fakeIngressStore{
+				ingresses: []*ingress.Ingress{},
+				configuration: ngx_config.Configuration{
+					AnnotationValueWordBlocklist: "invalid_directive, another_directive",
+				},
+			}
+			nginx.command = testNginxTestCommand{
+				t:   t,
+				err: nil,
+			}
+			ing.ObjectMeta.Annotations["nginx.ingress.kubernetes.io/custom-headers"] = "invalid_directive"
+			if err := nginx.CheckIngress(ing); err == nil {
+				t.Errorf("with an invalid value in annotation the ingress should be rejected")
+			}
+		})
+
 		t.Run("When a new catch-all ingress is being created despite catch-alls being disabled ", func(t *testing.T) {
 			backendBefore := ing.Spec.DefaultBackend
 			disableCatchAllBefore := nginx.cfg.DisableCatchAll
diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go
index 6852f63b2..a91443549 100644
--- a/internal/ingress/controller/store/store.go
+++ b/internal/ingress/controller/store/store.go
@@ -23,6 +23,7 @@ import (
 	"os"
 	"reflect"
 	"sort"
+	"strings"
 	"sync"
 	"time"
 
@@ -734,6 +735,21 @@ func hasCatchAllIngressRule(spec networkingv1.IngressSpec) bool {
 	return spec.DefaultBackend != nil
 }
 
+func checkBadAnnotationValue(annotations map[string]string, badwords string) error {
+	arraybadWords := strings.Split(strings.TrimSpace(badwords), ",")
+
+	for annotation, value := range annotations {
+		if strings.HasPrefix(annotation, fmt.Sprintf("%s/", parser.AnnotationsPrefix)) {
+			for _, forbiddenvalue := range arraybadWords {
+				if strings.Contains(value, forbiddenvalue) {
+					return fmt.Errorf("%s annotation contains invalid word %s", annotation, forbiddenvalue)
+				}
+			}
+		}
+	}
+	return nil
+}
+
 // syncIngress parses ingress annotations converting the value of the
 // annotation to a go struct
 func (s *k8sStore) syncIngress(ing *networkingv1.Ingress) {
@@ -742,6 +758,13 @@ func (s *k8sStore) syncIngress(ing *networkingv1.Ingress) {
 
 	copyIng := &networkingv1.Ingress{}
 	ing.ObjectMeta.DeepCopyInto(&copyIng.ObjectMeta)
+
+	klog.Errorf("Blocklist: %v", s.backendConfig.AnnotationValueWordBlocklist)
+	if err := checkBadAnnotationValue(copyIng.Annotations, s.backendConfig.AnnotationValueWordBlocklist); err != nil {
+		klog.Errorf("skipping ingress %s: %s", key, err)
+		return
+	}
+
 	ing.Spec.DeepCopyInto(&copyIng.Spec)
 	ing.Status.DeepCopyInto(&copyIng.Status)
 
diff --git a/test/e2e/admission/admission.go b/test/e2e/admission/admission.go
index 121d0d37a..8b85f35d1 100644
--- a/test/e2e/admission/admission.go
+++ b/test/e2e/admission/admission.go
@@ -121,6 +121,28 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
 		assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid configuration should return an error")
 	})
 
+	ginkgo.It("should return an error if there is an invalid value in some annotation", func() {
+		host := "admission-test"
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/connection-proxy-header": "a;}",
+		}
+		firstIngress := framework.NewSingleIngress("first-ingress", "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		_, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{})
+		assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid annotation value should return an error")
+	})
+
+	ginkgo.It("should return an error if there is a forbidden value in some annotation", func() {
+		host := "admission-test"
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/connection-proxy-header": "set_by_lua",
+		}
+		firstIngress := framework.NewSingleIngress("first-ingress", "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		_, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{})
+		assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid annotation value should return an error")
+	})
+
 	ginkgo.It("should not return an error if the Ingress V1 definition is valid with Ingress Class", func() {
 		err := createIngress(f.Namespace, validV1Ingress)
 		assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress using kubectl")
diff --git a/test/e2e/annotations/globalratelimit.go b/test/e2e/annotations/globalratelimit.go
index dd985c68c..ca9302892 100644
--- a/test/e2e/annotations/globalratelimit.go
+++ b/test/e2e/annotations/globalratelimit.go
@@ -40,6 +40,11 @@ var _ = framework.DescribeAnnotation("annotation-global-rate-limit", func() {
 		annotations["nginx.ingress.kubernetes.io/global-rate-limit"] = "5"
 		annotations["nginx.ingress.kubernetes.io/global-rate-limit-window"] = "2m"
 
+		// We need to allow { and } characters for this annotation to work
+		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root")
+		// Sleep a while just to guarantee that the configmap is applied
+		framework.Sleep()
+
 		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
 		ing = f.EnsureIngress(ing)
 		namespace := strings.Replace(string(ing.UID), "-", "", -1)
diff --git a/test/e2e/annotations/modsecurity/modsecurity.go b/test/e2e/annotations/modsecurity/modsecurity.go
index cfd6286e4..f88d6541e 100644
--- a/test/e2e/annotations/modsecurity/modsecurity.go
+++ b/test/e2e/annotations/modsecurity/modsecurity.go
@@ -165,7 +165,9 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
 			"nginx.ingress.kubernetes.io/enable-modsecurity":  "true",
 			"nginx.ingress.kubernetes.io/modsecurity-snippet": snippet,
 		}
-
+		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root, {, }")
+		// Sleep a while just to guarantee that the configmap is applied
+		framework.Sleep()
 		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
 		f.EnsureIngress(ing)
 
@@ -198,7 +200,9 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
 		annotations := map[string]string{
 			"nginx.ingress.kubernetes.io/modsecurity-snippet": snippet,
 		}
-
+		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root, {, }")
+		// Sleep a while just to guarantee that the configmap is applied
+		framework.Sleep()
 		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
 		f.EnsureIngress(ing)
 
@@ -232,7 +236,9 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
 		annotations := map[string]string{
 			"nginx.ingress.kubernetes.io/modsecurity-snippet": snippet,
 		}
-
+		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root, {, }")
+		// Sleep a while just to guarantee that the configmap is applied
+		framework.Sleep()
 		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
 		f.EnsureIngress(ing)
 
@@ -268,7 +274,9 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
 		annotations := map[string]string{
 			"nginx.ingress.kubernetes.io/modsecurity-snippet": snippet,
 		}
-
+		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root, {, }")
+		// Sleep a while just to guarantee that the configmap is applied
+		framework.Sleep()
 		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
 		f.EnsureIngress(ing)
 
@@ -307,7 +315,9 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
 		annotations := map[string]string{
 			"nginx.ingress.kubernetes.io/modsecurity-snippet": snippet,
 		}
-
+		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root, {, }")
+		// Sleep a while just to guarantee that the configmap is applied
+		framework.Sleep()
 		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
 		f.EnsureIngress(ing)
 
diff --git a/test/e2e/framework/util.go b/test/e2e/framework/util.go
index 75fcb58ea..753e31bfc 100644
--- a/test/e2e/framework/util.go
+++ b/test/e2e/framework/util.go
@@ -42,7 +42,7 @@ const (
 	Poll = 2 * time.Second
 
 	// DefaultTimeout time to wait for operations to complete
-	DefaultTimeout = 5 * time.Minute
+	DefaultTimeout = 30 * time.Second
 )
 
 func nowStamp() string {
diff --git a/test/e2e/ingress/pathtype_mixed.go b/test/e2e/ingress/pathtype_mixed.go
index 28e3049c9..cf2172bd1 100644
--- a/test/e2e/ingress/pathtype_mixed.go
+++ b/test/e2e/ingress/pathtype_mixed.go
@@ -41,14 +41,14 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi
 		host := "mixed.path"
 
 		annotations := map[string]string{
-			"nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "pathType: exact";more_set_input_headers "pathlocation: /";`,
+			"nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "pathType: exact";more_set_input_headers "pathheader: /";`,
 		}
 		ing := framework.NewSingleIngress("exact-root", "/", host, f.Namespace, framework.EchoService, 80, annotations)
 		ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &exactPathType
 		f.EnsureIngress(ing)
 
 		annotations = map[string]string{
-			"nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "pathType: prefix";more_set_input_headers "pathlocation: /";`,
+			"nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "pathType: prefix";more_set_input_headers "pathheader: /";`,
 		}
 		ing = framework.NewSingleIngress("prefix-root", "/", host, f.Namespace, framework.EchoService, 80, annotations)
 		f.EnsureIngress(ing)
@@ -71,7 +71,7 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi
 
 		assert.NotContains(ginkgo.GinkgoT(), body, "pathtype=prefix")
 		assert.Contains(ginkgo.GinkgoT(), body, "pathtype=exact")
-		assert.Contains(ginkgo.GinkgoT(), body, "pathlocation=/")
+		assert.Contains(ginkgo.GinkgoT(), body, "pathheader=/")
 
 		ginkgo.By("Checking prefix request to /bar")
 		body = f.HTTPTestClient().
@@ -84,17 +84,17 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi
 
 		assert.Contains(ginkgo.GinkgoT(), body, "pathtype=prefix")
 		assert.NotContains(ginkgo.GinkgoT(), body, "pathtype=exact")
-		assert.Contains(ginkgo.GinkgoT(), body, "pathlocation=/")
+		assert.Contains(ginkgo.GinkgoT(), body, "pathheader=/")
 
 		annotations = map[string]string{
-			"nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "pathType: exact";more_set_input_headers "pathlocation: /foo";`,
+			"nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "pathType: exact";more_set_input_headers "pathheader: /foo";`,
 		}
 		ing = framework.NewSingleIngress("exact-foo", "/foo", host, f.Namespace, framework.EchoService, 80, annotations)
 		ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &exactPathType
 		f.EnsureIngress(ing)
 
 		annotations = map[string]string{
-			"nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "pathType: prefix";more_set_input_headers "pathlocation: /foo";`,
+			"nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "pathType: prefix";more_set_input_headers "pathheader: /foo";`,
 		}
 		ing = framework.NewSingleIngress("prefix-foo", "/foo", host, f.Namespace, framework.EchoService, 80, annotations)
 		f.EnsureIngress(ing)
@@ -117,7 +117,7 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi
 
 		assert.NotContains(ginkgo.GinkgoT(), body, "pathtype=prefix")
 		assert.Contains(ginkgo.GinkgoT(), body, "pathtype=exact")
-		assert.Contains(ginkgo.GinkgoT(), body, "pathlocation=/foo")
+		assert.Contains(ginkgo.GinkgoT(), body, "pathheader=/foo")
 
 		ginkgo.By("Checking prefix request to /foo/bar")
 		body = f.HTTPTestClient().
@@ -129,7 +129,7 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi
 			Raw()
 
 		assert.Contains(ginkgo.GinkgoT(), body, "pathtype=prefix")
-		assert.Contains(ginkgo.GinkgoT(), body, "pathlocation=/foo")
+		assert.Contains(ginkgo.GinkgoT(), body, "pathheader=/foo")
 
 		ginkgo.By("Checking prefix request to /foobar")
 		body = f.HTTPTestClient().
@@ -141,6 +141,6 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi
 			Raw()
 
 		assert.Contains(ginkgo.GinkgoT(), body, "pathtype=prefix")
-		assert.Contains(ginkgo.GinkgoT(), body, "pathlocation=/")
+		assert.Contains(ginkgo.GinkgoT(), body, "pathheader=/")
 	})
 })
diff --git a/test/e2e/settings/badannotationvalues.go b/test/e2e/settings/badannotationvalues.go
new file mode 100644
index 000000000..74ce1c21e
--- /dev/null
+++ b/test/e2e/settings/badannotationvalues.go
@@ -0,0 +1,153 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package settings
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/onsi/ginkgo"
+
+	"k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+var _ = framework.DescribeAnnotation("Bad annotation values", func() {
+	f := framework.NewDefaultFramework("bad-annotation")
+
+	ginkgo.BeforeEach(func() {
+		f.NewEchoDeployment()
+	})
+
+	ginkgo.It("should drop an ingress if there is an invalid character in some annotation", func() {
+		host := "invalid-value-test"
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/configuration-snippet": `
+			# abc { }`,
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.UpdateNginxConfigMapData("allow-snippet-annotations", "true")
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host))
+			})
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return !strings.Contains(server, "# abc { }")
+			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusNotFound)
+	})
+
+	ginkgo.It("should drop an ingress if there is a forbidden word in some annotation", func() {
+		host := "forbidden-value-test"
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/configuration-snippet": `
+			  default_type text/plain;
+              content_by_lua_block {
+                ngx.say("Hello World")
+            }`,
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.UpdateNginxConfigMapData("allow-snippet-annotations", "true")
+		// Sleep a while just to guarantee that the configmap is applied
+		framework.Sleep()
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host))
+			})
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return !strings.Contains(server, `ngx.say("Hello World")`)
+			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusNotFound)
+	})
+
+	ginkgo.It("should drop an ingress if there is a custom blocklist config in place and allow others to pass", func() {
+		host := "custom-forbidden-value-test"
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/configuration-snippet": `
+			# something_forbidden`,
+		}
+
+		hostValid := "custom-allowed-value-test"
+		annotationsValid := map[string]string{
+			"nginx.ingress.kubernetes.io/configuration-snippet": `
+			# bla_by_lua`,
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		ingValid := framework.NewSingleIngress(hostValid, "/", hostValid, f.Namespace, framework.EchoService, 80, annotationsValid)
+		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "something_forbidden,otherthing_forbidden")
+		// Sleep a while just to guarantee that the configmap is applied
+		framework.Sleep()
+		f.EnsureIngress(ing)
+		f.EnsureIngress(ingValid)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host))
+			})
+
+		f.WaitForNginxServer(hostValid,
+			func(server string) bool {
+				return strings.Contains(server, fmt.Sprintf("server_name %s ;", hostValid))
+			})
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return !strings.Contains(server, "# something_forbidden")
+			})
+
+		f.WaitForNginxServer(hostValid,
+			func(server string) bool {
+				return strings.Contains(server, "# bla_by_lua")
+			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusNotFound)
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", hostValid).
+			Expect().
+			Status(http.StatusOK)
+	})
+})

From 7203a0b8bd22877e7c32908f7ea54abf9b53db4a Mon Sep 17 00:00:00 2001
From: zryfish <zw0948@gmail.com>
Date: Sat, 13 Nov 2021 03:46:28 +0800
Subject: [PATCH 214/376] support watch namespaces matched namespace selector
 (#7472)

skip caching namespaces at cluster scope if only watching single namespace

add --watch-namespace-selector in user guide

add e2e test
---
 charts/ingress-nginx/templates/_params.tpl    |   3 +
 .../ingress-nginx/templates/clusterrole.yaml  |   3 +
 charts/ingress-nginx/values.yaml              |   3 +
 cmd/nginx/flags.go                            |  18 +++
 deploy/static/provider/aws/deploy.yaml        |   1 +
 deploy/static/provider/baremetal/deploy.yaml  |   1 +
 deploy/static/provider/cloud/deploy.yaml      |   1 +
 deploy/static/provider/do/deploy.yaml         |   1 +
 deploy/static/provider/exoscale/deploy.yaml   |   1 +
 deploy/static/provider/kind/deploy.yaml       |   1 +
 deploy/static/provider/scw/deploy.yaml        |   1 +
 docs/user-guide/cli-arguments.md              |   1 +
 go.mod                                        |   1 +
 go.sum                                        |   1 +
 internal/ingress/controller/controller.go     |   3 +
 .../ingress/controller/controller_test.go     |   3 +
 internal/ingress/controller/nginx.go          |   1 +
 .../ingress/controller/store/namespace.go     |  39 ++++++
 internal/ingress/controller/store/store.go    |  66 +++++++++-
 .../ingress/controller/store/store_test.go    | 109 ++++++++++++++++
 .../namespace-selector/values.yaml            |  36 +++++
 test/e2e/framework/deployment.go              |  14 +-
 test/e2e/framework/framework.go               |   8 +-
 test/e2e/framework/k8s.go                     |  20 +--
 test/e2e/framework/util.go                    |  21 ++-
 test/e2e/settings/namespace_selector.go       | 123 ++++++++++++++++++
 26 files changed, 461 insertions(+), 19 deletions(-)
 create mode 100644 internal/ingress/controller/store/namespace.go
 create mode 100644 test/e2e-image/namespace-overlays/namespace-selector/values.yaml
 create mode 100644 test/e2e/settings/namespace_selector.go

diff --git a/charts/ingress-nginx/templates/_params.tpl b/charts/ingress-nginx/templates/_params.tpl
index c628ec6f7..d74798b98 100644
--- a/charts/ingress-nginx/templates/_params.tpl
+++ b/charts/ingress-nginx/templates/_params.tpl
@@ -18,6 +18,9 @@
 {{- if .Values.controller.scope.enabled }}
 - --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }}
 {{- end }}
+{{- if and (not .Values.controller.scope.enabled) .Values.controller.scope.namespaceSelector }}
+- --watch-namespace-selector={{ default "" .Values.controller.scope.namespaceSelector }}
+{{- end }}
 {{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }}
 - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/clusterrole.yaml b/charts/ingress-nginx/templates/clusterrole.yaml
index c1f901d50..efc7d2682 100644
--- a/charts/ingress-nginx/templates/clusterrole.yaml
+++ b/charts/ingress-nginx/templates/clusterrole.yaml
@@ -20,6 +20,9 @@ rules:
       - nodes
       - pods
       - secrets
+{{- if not .Values.controller.scope.enabled }}
+      - namespaces
+{{- end}}
     verbs:
       - list
       - watch
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 86028fdd2..3f9771b31 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -137,6 +137,9 @@ controller:
   scope:
     enabled: false
     namespace: ""   # defaults to $(POD_NAMESPACE)
+    # When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels
+    #   only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces.
+    namespaceSelector: ""
 
   ## Allows customization of the configmap / nginx-configmap namespace
   ##
diff --git a/cmd/nginx/flags.go b/cmd/nginx/flags.go
index 42c14dd51..72a2bfb8d 100644
--- a/cmd/nginx/flags.go
+++ b/cmd/nginx/flags.go
@@ -24,6 +24,7 @@ import (
 
 	"github.com/spf13/pflag"
 	apiv1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/controller"
 	ngx_config "k8s.io/ingress-nginx/internal/ingress/controller/config"
@@ -100,6 +101,9 @@ either be a port name or number.`)
 This includes Ingresses, Services and all configuration resources. All
 namespaces are watched if this parameter is left empty.`)
 
+		watchNamespaceSelector = flags.String("watch-namespace-selector", "",
+			`Selector selects namespaces the controller watches for updates to Kubernetes objects.`)
+
 		profiling = flags.Bool("profiling", true,
 			`Enable profiling via web interface host:port/debug/pprof/`)
 
@@ -266,6 +270,19 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g
 		nginx.HealthCheckTimeout = time.Duration(*defHealthCheckTimeout) * time.Second
 	}
 
+	if len(*watchNamespace) != 0 && len(*watchNamespaceSelector) != 0 {
+		return false, nil, fmt.Errorf("flags --watch-namespace and --watch-namespace-selector are mutually exclusive")
+	}
+
+	var namespaceSelector labels.Selector
+	if len(*watchNamespaceSelector) != 0 {
+		var err error
+		namespaceSelector, err = labels.Parse(*watchNamespaceSelector)
+		if err != nil {
+			return false, nil, fmt.Errorf("failed to parse --watch-namespace-selector=%s, error: %v", *watchNamespaceSelector, err)
+		}
+	}
+
 	ngx_config.EnableSSLChainCompletion = *enableSSLChainCompletion
 
 	config := &controller.Configuration{
@@ -282,6 +299,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g
 		ResyncPeriod:               *resyncPeriod,
 		DefaultService:             *defaultSvc,
 		Namespace:                  *watchNamespace,
+		WatchNamespaceSelector:     namespaceSelector,
 		ConfigMapName:              *configMap,
 		TCPConfigMapName:           *tcpConfigMapName,
 		UDPConfigMapName:           *udpConfigMapName,
diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml
index 273d90dfd..3b3b45bc4 100644
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@@ -59,6 +59,7 @@ rules:
       - nodes
       - pods
       - secrets
+      - namespaces
     verbs:
       - list
       - watch
diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml
index 10f08bb6e..106b85306 100644
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@@ -59,6 +59,7 @@ rules:
       - nodes
       - pods
       - secrets
+      - namespaces
     verbs:
       - list
       - watch
diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml
index 38dc08bf7..bd9dd511e 100644
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@@ -59,6 +59,7 @@ rules:
       - nodes
       - pods
       - secrets
+      - namespaces
     verbs:
       - list
       - watch
diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml
index 5d148249e..1e701f3e8 100644
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@@ -60,6 +60,7 @@ rules:
       - nodes
       - pods
       - secrets
+      - namespaces
     verbs:
       - list
       - watch
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml
index f86766fbc..b050d7e7b 100644
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@@ -59,6 +59,7 @@ rules:
       - nodes
       - pods
       - secrets
+      - namespaces
     verbs:
       - list
       - watch
diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index 322d63e0e..a426cd1c2 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -59,6 +59,7 @@ rules:
       - nodes
       - pods
       - secrets
+      - namespaces
     verbs:
       - list
       - watch
diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml
index b7bdefba5..4010e5fc6 100644
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@@ -60,6 +60,7 @@ rules:
       - nodes
       - pods
       - secrets
+      - namespaces
     verbs:
       - list
       - watch
diff --git a/docs/user-guide/cli-arguments.md b/docs/user-guide/cli-arguments.md
index ef1c0feb2..dc31830ef 100644
--- a/docs/user-guide/cli-arguments.md
+++ b/docs/user-guide/cli-arguments.md
@@ -65,3 +65,4 @@ They are set in the container spec of the `nginx-ingress-controller` Deployment
 | `--version`                        | Show release information about the NGINX Ingress controller and exit. |
 | `--vmodule`                        | comma-separated list of pattern=N settings for file-filtered logging |
 | `--watch-namespace`                | Namespace the controller watches for updates to Kubernetes objects. This includes Ingresses, Services and all configuration resources. All namespaces are watched if this parameter is left empty. |
+| `--watch-namespace-selector`       | The controller will watch namespaces whose labels match the given selector. This flag only takes effective when `--watch-namespace` is empty. |
diff --git a/go.mod b/go.mod
index 49e380774..f7dc52167 100644
--- a/go.mod
+++ b/go.mod
@@ -63,6 +63,7 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/cespare/xxhash/v2 v2.1.1 // indirect
+	github.com/client9/misspell v0.3.4 // indirect
 	github.com/coreos/go-systemd/v22 v22.3.2 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
diff --git a/go.sum b/go.sum
index 21a2bb5c4..02750db0d 100644
--- a/go.sum
+++ b/go.sum
@@ -120,6 +120,7 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE=
+github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index b51071630..b1dbf9cd1 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -27,6 +27,7 @@ import (
 	apiv1 "k8s.io/api/core/v1"
 	networking "k8s.io/api/networking/v1"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -67,6 +68,8 @@ type Configuration struct {
 
 	Namespace string
 
+	WatchNamespaceSelector labels.Selector
+
 	// +optional
 	TCPConfigMapName string
 	// +optional
diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go
index f9d60974f..15367bc0d 100644
--- a/internal/ingress/controller/controller_test.go
+++ b/internal/ingress/controller/controller_test.go
@@ -36,6 +36,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/kubernetes/fake"
 
 	"k8s.io/ingress-nginx/internal/file"
@@ -2378,6 +2379,7 @@ func newNGINXController(t *testing.T) *NGINXController {
 
 	storer := store.New(
 		ns,
+		labels.Nothing(),
 		fmt.Sprintf("%v/config", ns),
 		fmt.Sprintf("%v/tcp", ns),
 		fmt.Sprintf("%v/udp", ns),
@@ -2441,6 +2443,7 @@ func newDynamicNginxController(t *testing.T, setConfigMap func(string) *v1.Confi
 
 	storer := store.New(
 		ns,
+		labels.Nothing(),
 		fmt.Sprintf("%v/config", ns),
 		fmt.Sprintf("%v/tcp", ns),
 		fmt.Sprintf("%v/udp", ns),
diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go
index b77d1d870..4d1aa3916 100644
--- a/internal/ingress/controller/nginx.go
+++ b/internal/ingress/controller/nginx.go
@@ -122,6 +122,7 @@ func NewNGINXController(config *Configuration, mc metric.Collector) *NGINXContro
 
 	n.store = store.New(
 		config.Namespace,
+		config.WatchNamespaceSelector,
 		config.ConfigMapName,
 		config.TCPConfigMapName,
 		config.UDPConfigMapName,
diff --git a/internal/ingress/controller/store/namespace.go b/internal/ingress/controller/store/namespace.go
new file mode 100644
index 000000000..b29eb0326
--- /dev/null
+++ b/internal/ingress/controller/store/namespace.go
@@ -0,0 +1,39 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package store
+
+import (
+	apiv1 "k8s.io/api/core/v1"
+	"k8s.io/client-go/tools/cache"
+)
+
+// NamespaceLister makes a Store that lists Namespaces.
+type NamespaceLister struct {
+	cache.Store
+}
+
+// ByKey returns the Namespace matching key in the local Namespace Store.
+func (cml *NamespaceLister) ByKey(key string) (*apiv1.Namespace, error) {
+	s, exists, err := cml.GetByKey(key)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, NotExistsError(key)
+	}
+	return s.(*apiv1.Namespace), nil
+}
diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go
index a91443549..fe0d1e0d7 100644
--- a/internal/ingress/controller/store/store.go
+++ b/internal/ingress/controller/store/store.go
@@ -32,6 +32,7 @@ import (
 	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/labels"
 	k8sruntime "k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -127,6 +128,7 @@ type Informer struct {
 	Service      cache.SharedIndexInformer
 	Secret       cache.SharedIndexInformer
 	ConfigMap    cache.SharedIndexInformer
+	Namespace    cache.SharedIndexInformer
 }
 
 // Lister contains object listers (stores).
@@ -137,6 +139,7 @@ type Lister struct {
 	Endpoint              EndpointLister
 	Secret                SecretLister
 	ConfigMap             ConfigMapLister
+	Namespace             NamespaceLister
 	IngressWithAnnotation IngressWithAnnotationsLister
 }
 
@@ -172,6 +175,15 @@ func (i *Informer) Run(stopCh chan struct{}) {
 		runtime.HandleError(fmt.Errorf("timed out waiting for ingress classcaches to sync"))
 	}
 
+	// when limit controller scope to one namespace, skip sync namespaces at cluster scope
+	if i.Namespace != nil {
+		go i.Namespace.Run(stopCh)
+
+		if !cache.WaitForCacheSync(stopCh, i.Namespace.HasSynced) {
+			runtime.HandleError(fmt.Errorf("timed out waiting for caches to sync"))
+		}
+	}
+
 	// in big clusters, deltas can keep arriving even after HasSynced
 	// functions have returned 'true'
 	time.Sleep(1 * time.Second)
@@ -225,7 +237,9 @@ type k8sStore struct {
 
 // New creates a new object store to be used in the ingress controller
 func New(
-	namespace, configmap, tcp, udp, defaultSSLCertificate string,
+	namespace string,
+	namespaceSelector labels.Selector,
+	configmap, tcp, udp, defaultSSLCertificate string,
 	resyncPeriod time.Duration,
 	client clientset.Interface,
 	updateCh *channels.RingChannel,
@@ -322,6 +336,35 @@ func New(
 	store.informers.Service = infFactory.Core().V1().Services().Informer()
 	store.listers.Service.Store = store.informers.Service.GetStore()
 
+	// avoid caching namespaces at cluster scope when watching single namespace
+	if namespaceSelector != nil && !namespaceSelector.Empty() {
+		// cache informers factory for namespaces
+		infFactoryNamespaces := informers.NewSharedInformerFactoryWithOptions(client, resyncPeriod,
+			informers.WithTweakListOptions(labelsTweakListOptionsFunc),
+		)
+
+		store.informers.Namespace = infFactoryNamespaces.Core().V1().Namespaces().Informer()
+		store.listers.Namespace.Store = store.informers.Namespace.GetStore()
+	}
+
+	watchedNamespace := func(namespace string) bool {
+		if namespaceSelector == nil || namespaceSelector.Empty() {
+			return true
+		}
+
+		item, ok, err := store.listers.Namespace.GetByKey(namespace)
+		if !ok {
+			klog.Errorf("Namespace %s not existed: %v.", namespace, err)
+			return false
+		}
+		ns, ok := item.(*corev1.Namespace)
+		if !ok {
+			return false
+		}
+
+		return namespaceSelector.Matches(labels.Set(ns.Labels))
+	}
+
 	ingDeleteHandler := func(obj interface{}) {
 		ing, ok := toIngress(obj)
 		if !ok {
@@ -338,6 +381,10 @@ func New(
 			}
 		}
 
+		if !watchedNamespace(ing.Namespace) {
+			return
+		}
+
 		_, err := store.GetIngressClass(ing, icConfig)
 		if err != nil {
 			klog.InfoS("Ignoring ingress because of error while validating ingress class", "ingress", klog.KObj(ing), "error", err)
@@ -363,6 +410,11 @@ func New(
 	ingEventHandler := cache.ResourceEventHandlerFuncs{
 		AddFunc: func(obj interface{}) {
 			ing, _ := toIngress(obj)
+
+			if !watchedNamespace(ing.Namespace) {
+				return
+			}
+
 			ic, err := store.GetIngressClass(ing, icConfig)
 			if err != nil {
 				klog.InfoS("Ignoring ingress because of error while validating ingress class", "ingress", klog.KObj(ing), "error", err)
@@ -392,6 +444,10 @@ func New(
 			oldIng, _ := toIngress(old)
 			curIng, _ := toIngress(cur)
 
+			if !watchedNamespace(oldIng.Namespace) {
+				return
+			}
+
 			var errOld, errCur error
 			var classCur string
 			if !icConfig.IgnoreIngressClass {
@@ -528,6 +584,10 @@ func New(
 				sec := cur.(*corev1.Secret)
 				key := k8s.MetaNamespaceKey(sec)
 
+				if !watchedNamespace(sec.Namespace) {
+					return
+				}
+
 				if store.defaultSSLCertificate == key {
 					store.syncSecret(store.defaultSSLCertificate)
 				}
@@ -566,6 +626,10 @@ func New(
 				}
 			}
 
+			if !watchedNamespace(sec.Namespace) {
+				return
+			}
+
 			store.sslStore.Delete(k8s.MetaNamespaceKey(sec))
 
 			key := k8s.MetaNamespaceKey(sec)
diff --git a/internal/ingress/controller/store/store_test.go b/internal/ingress/controller/store/store_test.go
index 9004094a3..735208001 100644
--- a/internal/ingress/controller/store/store_test.go
+++ b/internal/ingress/controller/store/store_test.go
@@ -31,6 +31,7 @@ import (
 	networking "k8s.io/api/networking/v1"
 	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/cache"
 	"sigs.k8s.io/controller-runtime/pkg/envtest"
@@ -89,6 +90,8 @@ func TestStore(t *testing.T) {
 		t.Fatalf("error: %v", err)
 	}
 
+	emptySelector, _ := labels.Parse("")
+
 	defer te.Stop()
 
 	clientSet, err := kubernetes.NewForConfig(cfg)
@@ -112,6 +115,7 @@ func TestStore(t *testing.T) {
 
 		storer := New(
 			ns,
+			emptySelector,
 			fmt.Sprintf("%v/config", ns),
 			fmt.Sprintf("%v/tcp", ns),
 			fmt.Sprintf("%v/udp", ns),
@@ -191,6 +195,7 @@ func TestStore(t *testing.T) {
 
 		storer := New(
 			ns,
+			emptySelector,
 			fmt.Sprintf("%v/config", ns),
 			fmt.Sprintf("%v/tcp", ns),
 			fmt.Sprintf("%v/udp", ns),
@@ -293,6 +298,7 @@ func TestStore(t *testing.T) {
 
 		storer := New(
 			ns,
+			emptySelector,
 			fmt.Sprintf("%v/config", ns),
 			fmt.Sprintf("%v/tcp", ns),
 			fmt.Sprintf("%v/udp", ns),
@@ -407,6 +413,7 @@ func TestStore(t *testing.T) {
 
 		storer := New(
 			ns,
+			emptySelector,
 			fmt.Sprintf("%v/config", ns),
 			fmt.Sprintf("%v/tcp", ns),
 			fmt.Sprintf("%v/udp", ns),
@@ -535,6 +542,7 @@ func TestStore(t *testing.T) {
 
 		storer := New(
 			ns,
+			emptySelector,
 			fmt.Sprintf("%v/config", ns),
 			fmt.Sprintf("%v/tcp", ns),
 			fmt.Sprintf("%v/udp", ns),
@@ -633,6 +641,7 @@ func TestStore(t *testing.T) {
 
 		storer := New(
 			ns,
+			emptySelector,
 			fmt.Sprintf("%v/config", ns),
 			fmt.Sprintf("%v/tcp", ns),
 			fmt.Sprintf("%v/udp", ns),
@@ -725,6 +734,7 @@ func TestStore(t *testing.T) {
 
 		storer := New(
 			ns,
+			emptySelector,
 			fmt.Sprintf("%v/config", ns),
 			fmt.Sprintf("%v/tcp", ns),
 			fmt.Sprintf("%v/udp", ns),
@@ -809,6 +819,7 @@ func TestStore(t *testing.T) {
 
 		storer := New(
 			ns,
+			emptySelector,
 			fmt.Sprintf("%v/config", ns),
 			fmt.Sprintf("%v/tcp", ns),
 			fmt.Sprintf("%v/udp", ns),
@@ -903,6 +914,7 @@ func TestStore(t *testing.T) {
 
 		storer := New(
 			ns,
+			emptySelector,
 			fmt.Sprintf("%v/config", ns),
 			fmt.Sprintf("%v/tcp", ns),
 			fmt.Sprintf("%v/udp", ns),
@@ -1025,6 +1037,7 @@ func TestStore(t *testing.T) {
 
 		storer := New(
 			ns,
+			emptySelector,
 			fmt.Sprintf("%v/config", ns),
 			fmt.Sprintf("%v/tcp", ns),
 			fmt.Sprintf("%v/udp", ns),
@@ -1107,6 +1120,102 @@ func TestStore(t *testing.T) {
 		}
 	})
 
+	t.Run("should not receive events whose namespace doesn't match watch namespace selector", func(t *testing.T) {
+		ns := createNamespace(clientSet, t)
+		defer deleteNamespace(ns, clientSet, t)
+		createConfigMap(clientSet, ns, t)
+
+		stopCh := make(chan struct{})
+		updateCh := channels.NewRingChannel(1024)
+
+		var add uint64
+		var upd uint64
+		var del uint64
+
+		go func(ch *channels.RingChannel) {
+			for {
+				evt, ok := <-ch.Out()
+				if !ok {
+					return
+				}
+
+				e := evt.(Event)
+				if e.Obj == nil {
+					continue
+				}
+				switch e.Type {
+				case CreateEvent:
+					atomic.AddUint64(&add, 1)
+				case UpdateEvent:
+					atomic.AddUint64(&upd, 1)
+				case DeleteEvent:
+					atomic.AddUint64(&del, 1)
+				}
+			}
+		}(updateCh)
+
+		namesapceSelector, _ := labels.Parse("foo=bar")
+		storer := New(
+			ns,
+			namesapceSelector,
+			fmt.Sprintf("%v/config", ns),
+			fmt.Sprintf("%v/tcp", ns),
+			fmt.Sprintf("%v/udp", ns),
+			"",
+			10*time.Minute,
+			clientSet,
+			updateCh,
+			false,
+			DefaultClassConfig)
+
+		storer.Run(stopCh)
+
+		ing := ensureIngress(&networking.Ingress{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "dummy",
+				Namespace: ns,
+			},
+			Spec: networking.IngressSpec{
+				Rules: []networking.IngressRule{
+					{
+						Host: "dummy",
+						IngressRuleValue: networking.IngressRuleValue{
+							HTTP: &networking.HTTPIngressRuleValue{
+								Paths: []networking.HTTPIngressPath{
+									{
+										Path:     "/",
+										PathType: &pathPrefix,
+										Backend: networking.IngressBackend{
+											Service: &networking.IngressServiceBackend{
+												Name: "http-svc",
+												Port: networking.ServiceBackendPort{
+													Number: 80,
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		}, clientSet, t)
+		defer deleteIngress(ing, clientSet, t)
+
+		time.Sleep(1 * time.Second)
+
+		if atomic.LoadUint64(&add) != 0 {
+			t.Errorf("expected 0 events of type Create but %v occurred", add)
+		}
+		if atomic.LoadUint64(&upd) != 0 {
+			t.Errorf("expected 0 events of type Update but %v occurred", upd)
+		}
+		if atomic.LoadUint64(&del) != 0 {
+			t.Errorf("expected 0 events of type Delete but %v occurred", del)
+		}
+
+	})
 	// test add ingress with secret it doesn't exists and then add secret
 	// check secret is generated on fs
 	// check ocsp
diff --git a/test/e2e-image/namespace-overlays/namespace-selector/values.yaml b/test/e2e-image/namespace-overlays/namespace-selector/values.yaml
new file mode 100644
index 000000000..e4c0e7a87
--- /dev/null
+++ b/test/e2e-image/namespace-overlays/namespace-selector/values.yaml
@@ -0,0 +1,36 @@
+# TODO: remove the need to use fullnameOverride
+fullnameOverride: nginx-ingress
+controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest:
+  containerPort:
+    http: "1080"
+    https: "1443"
+
+  extraArgs:
+    http-port: "1080"
+    https-port: "1443"
+    # e2e tests do not require information about ingress status
+    update-status: "false"
+  ingressClassResource:
+    # We will create and remove each IC/ClusterRole/ClusterRoleBinding per test so there's no conflict
+    enabled: false
+  scope:
+    enabled: false
+    namespaceSelector: "foo=bar"
+
+  config:
+    worker-processes: "1"
+  service:
+    type: NodePort
+  admissionWebhooks:
+    enabled: false
+
+defaultBackend:
+  enabled: false
+
+rbac:
+  create: true
+  scope: false
diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go
index 444045036..c5fded856 100644
--- a/test/e2e/framework/deployment.go
+++ b/test/e2e/framework/deployment.go
@@ -55,7 +55,15 @@ func (f *Framework) NewEchoDeploymentWithReplicas(replicas int) {
 // replicas is configurable and
 // name is configurable
 func (f *Framework) NewEchoDeploymentWithNameAndReplicas(name string, replicas int) {
-	deployment := newDeployment(name, f.Namespace, "k8s.gcr.io/ingress-nginx/e2e-test-echo@sha256:131ece0637b29231470cfaa04690c2966a2e0b147d3c9df080a0857b78982410", 80, int32(replicas),
+	f.newEchoDeployment(f.Namespace, name, replicas)
+}
+
+func (f *Framework) NewEchoDeploymentWithNamespaceAndReplicas(namespace string, replicas int) {
+	f.newEchoDeployment(namespace, EchoService, replicas)
+}
+
+func (f *Framework) newEchoDeployment(namespace, name string, replicas int) {
+	deployment := newDeployment(name, namespace, "k8s.gcr.io/ingress-nginx/e2e-test-echo@sha256:131ece0637b29231470cfaa04690c2966a2e0b147d3c9df080a0857b78982410", 80, int32(replicas),
 		nil,
 		[]corev1.VolumeMount{},
 		[]corev1.Volume{},
@@ -66,7 +74,7 @@ func (f *Framework) NewEchoDeploymentWithNameAndReplicas(name string, replicas i
 	service := &corev1.Service{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: f.Namespace,
+			Namespace: namespace,
 		},
 		Spec: corev1.ServiceSpec{
 			Ports: []corev1.ServicePort{
@@ -85,7 +93,7 @@ func (f *Framework) NewEchoDeploymentWithNameAndReplicas(name string, replicas i
 
 	f.EnsureService(service)
 
-	err := WaitForEndpoints(f.KubeClientSet, DefaultTimeout, name, f.Namespace, replicas)
+	err := WaitForEndpoints(f.KubeClientSet, DefaultTimeout, name, namespace, replicas)
 	assert.Nil(ginkgo.GinkgoT(), err, "waiting for endpoints to become ready")
 }
 
diff --git a/test/e2e/framework/framework.go b/test/e2e/framework/framework.go
index e31fd1e4e..11405c69f 100644
--- a/test/e2e/framework/framework.go
+++ b/test/e2e/framework/framework.go
@@ -126,7 +126,7 @@ func (f *Framework) AfterEach() {
 	defer func(kubeClient kubernetes.Interface, ns string) {
 		go func() {
 			defer ginkgo.GinkgoRecover()
-			err := deleteKubeNamespace(kubeClient, ns)
+			err := DeleteKubeNamespace(kubeClient, ns)
 			assert.Nil(ginkgo.GinkgoT(), err, "deleting namespace %v", f.Namespace)
 		}()
 	}(f.KubeClientSet, f.Namespace)
@@ -588,6 +588,12 @@ func NewSingleIngress(name, path, host, ns, service string, port int, annotation
 	return newSingleIngressWithRules(name, path, host, ns, service, port, annotations, nil)
 }
 
+func NewSingleIngressWithIngressClass(name, path, host, ns, service, ingressClass string, port int, annotations map[string]string) *networking.Ingress {
+	ing := newSingleIngressWithRules(name, path, host, ns, service, port, annotations, nil)
+	ing.Spec.IngressClassName = &ingressClass
+	return ing
+}
+
 // NewSingleIngressWithMultiplePaths creates a simple ingress rule with multiple paths
 func NewSingleIngressWithMultiplePaths(name string, paths []string, host, ns, service string, port int, annotations map[string]string) *networking.Ingress {
 	pathtype := networking.PathTypePrefix
diff --git a/test/e2e/framework/k8s.go b/test/e2e/framework/k8s.go
index ea34960b6..7f434beb8 100644
--- a/test/e2e/framework/k8s.go
+++ b/test/e2e/framework/k8s.go
@@ -38,7 +38,7 @@ import (
 
 // EnsureSecret creates a Secret object or returns it if it already exists.
 func (f *Framework) EnsureSecret(secret *api.Secret) *api.Secret {
-	err := createSecretWithRetries(f.KubeClientSet, f.Namespace, secret)
+	err := createSecretWithRetries(f.KubeClientSet, secret.Namespace, secret)
 	assert.Nil(ginkgo.GinkgoT(), err, "creating secret")
 
 	s, err := f.KubeClientSet.CoreV1().Secrets(secret.Namespace).Get(context.TODO(), secret.Name, metav1.GetOptions{})
@@ -50,10 +50,10 @@ func (f *Framework) EnsureSecret(secret *api.Secret) *api.Secret {
 
 // EnsureConfigMap creates a ConfigMap object or returns it if it already exists.
 func (f *Framework) EnsureConfigMap(configMap *api.ConfigMap) (*api.ConfigMap, error) {
-	cm, err := f.KubeClientSet.CoreV1().ConfigMaps(f.Namespace).Create(context.TODO(), configMap, metav1.CreateOptions{})
+	cm, err := f.KubeClientSet.CoreV1().ConfigMaps(configMap.Namespace).Create(context.TODO(), configMap, metav1.CreateOptions{})
 	if err != nil {
 		if k8sErrors.IsAlreadyExists(err) {
-			return f.KubeClientSet.CoreV1().ConfigMaps(f.Namespace).Update(context.TODO(), configMap, metav1.UpdateOptions{})
+			return f.KubeClientSet.CoreV1().ConfigMaps(configMap.Namespace).Update(context.TODO(), configMap, metav1.UpdateOptions{})
 		}
 		return nil, err
 	}
@@ -72,13 +72,13 @@ func (f *Framework) GetIngress(namespace string, name string) *networking.Ingres
 // EnsureIngress creates an Ingress object and returns it, throws error if it already exists.
 func (f *Framework) EnsureIngress(ingress *networking.Ingress) *networking.Ingress {
 	fn := func() {
-		err := createIngressWithRetries(f.KubeClientSet, f.Namespace, ingress)
+		err := createIngressWithRetries(f.KubeClientSet, ingress.Namespace, ingress)
 		assert.Nil(ginkgo.GinkgoT(), err, "creating ingress")
 	}
 
 	f.WaitForReload(fn)
 
-	ing := f.GetIngress(f.Namespace, ingress.Name)
+	ing := f.GetIngress(ingress.Namespace, ingress.Name)
 	if ing.Annotations == nil {
 		ing.Annotations = make(map[string]string)
 	}
@@ -88,10 +88,10 @@ func (f *Framework) EnsureIngress(ingress *networking.Ingress) *networking.Ingre
 
 // UpdateIngress updates an Ingress object and returns the updated object.
 func (f *Framework) UpdateIngress(ingress *networking.Ingress) *networking.Ingress {
-	err := updateIngressWithRetries(f.KubeClientSet, f.Namespace, ingress)
+	err := updateIngressWithRetries(f.KubeClientSet, ingress.Namespace, ingress)
 	assert.Nil(ginkgo.GinkgoT(), err, "updating ingress")
 
-	ing := f.GetIngress(f.Namespace, ingress.Name)
+	ing := f.GetIngress(ingress.Namespace, ingress.Name)
 	if ing.Annotations == nil {
 		ing.Annotations = make(map[string]string)
 	}
@@ -113,15 +113,15 @@ func (f *Framework) GetService(namespace string, name string) *core.Service {
 
 // EnsureService creates a Service object and returns it, throws error if it already exists.
 func (f *Framework) EnsureService(service *core.Service) *core.Service {
-	err := createServiceWithRetries(f.KubeClientSet, f.Namespace, service)
+	err := createServiceWithRetries(f.KubeClientSet, service.Namespace, service)
 	assert.Nil(ginkgo.GinkgoT(), err, "creating service")
 
-	return f.GetService(f.Namespace, service.Name)
+	return f.GetService(service.Namespace, service.Name)
 }
 
 // EnsureDeployment creates a Deployment object and returns it, throws error if it already exists.
 func (f *Framework) EnsureDeployment(deployment *appsv1.Deployment) *appsv1.Deployment {
-	err := createDeploymentWithRetries(f.KubeClientSet, f.Namespace, deployment)
+	err := createDeploymentWithRetries(f.KubeClientSet, deployment.Namespace, deployment)
 	assert.Nil(ginkgo.GinkgoT(), err, "creating deployment")
 
 	d, err := f.KubeClientSet.AppsV1().Deployments(deployment.Namespace).Get(context.TODO(), deployment.Name, metav1.GetOptions{})
diff --git a/test/e2e/framework/util.go b/test/e2e/framework/util.go
index 753e31bfc..3befb8369 100644
--- a/test/e2e/framework/util.go
+++ b/test/e2e/framework/util.go
@@ -85,14 +85,15 @@ func RestclientConfig(config, context string) (*api.Config, error) {
 // RunID unique identifier of the e2e run
 var RunID = uuid.NewUUID()
 
-// CreateKubeNamespace creates a new namespace in the cluster
-func CreateKubeNamespace(baseName string, c kubernetes.Interface) (string, error) {
+func createNamespace(baseName string, labels map[string]string, c kubernetes.Interface) (string, error) {
 	ts := time.Now().UnixNano()
 	ns := &corev1.Namespace{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: fmt.Sprintf("e2e-tests-%v-%v-", baseName, ts),
+			Labels:       labels,
 		},
 	}
+
 	// Be robust about making the namespace creation call.
 	var got *corev1.Namespace
 	var err error
@@ -111,8 +112,20 @@ func CreateKubeNamespace(baseName string, c kubernetes.Interface) (string, error
 	return got.Name, nil
 }
 
-// deleteKubeNamespace deletes a namespace and all the objects inside
-func deleteKubeNamespace(c kubernetes.Interface, namespace string) error {
+// CreateKubeNamespace creates a new namespace in the cluster
+func CreateKubeNamespace(baseName string, c kubernetes.Interface) (string, error) {
+
+	return createNamespace(baseName, nil, c)
+}
+
+// CreateKubeNamespaceWithLabel creates a new namespace with given labels in the cluster
+func CreateKubeNamespaceWithLabel(baseName string, labels map[string]string, c kubernetes.Interface) (string, error) {
+
+	return createNamespace(baseName, labels, c)
+}
+
+// DeleteKubeNamespace deletes a namespace and all the objects inside
+func DeleteKubeNamespace(c kubernetes.Interface, namespace string) error {
 	grace := int64(0)
 	pb := metav1.DeletePropagationBackground
 	return c.CoreV1().Namespaces().Delete(context.TODO(), namespace, metav1.DeleteOptions{
diff --git a/test/e2e/settings/namespace_selector.go b/test/e2e/settings/namespace_selector.go
new file mode 100644
index 000000000..4fa28826a
--- /dev/null
+++ b/test/e2e/settings/namespace_selector.go
@@ -0,0 +1,123 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package settings
+
+import (
+	"context"
+	"net/http"
+	"strings"
+
+	"github.com/onsi/ginkgo"
+	"github.com/stretchr/testify/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+var _ = framework.IngressNginxDescribe("[Flag] watch namespace selector", func() {
+	f := framework.NewDefaultFramework("namespace-selector")
+	notMatchedHost, matchedHost := "bar", "foo"
+	var notMatchedNs string
+	var matchedNs string
+
+	// create a test namespace, under which create an ingress and backend deployment
+	prepareTestIngress := func(baseName string, host string, labels map[string]string) string {
+		ns, err := framework.CreateKubeNamespaceWithLabel(f.BaseName, labels, f.KubeClientSet)
+		assert.Nil(ginkgo.GinkgoT(), err, "creating test namespace")
+		f.NewEchoDeploymentWithNamespaceAndReplicas(ns, 1)
+		ing := framework.NewSingleIngressWithIngressClass(host, "/", host, ns, framework.EchoService, f.IngressClass, 80, nil)
+		f.EnsureIngress(ing)
+		return ns
+	}
+
+	cleanupNamespace := func(ns string) {
+		err := framework.DeleteKubeNamespace(f.KubeClientSet, ns)
+		assert.Nil(ginkgo.GinkgoT(), err, "deleting temporarily crated namespace")
+	}
+
+	ginkgo.BeforeEach(func() {
+		notMatchedNs = prepareTestIngress(notMatchedHost, notMatchedHost, nil) // create namespace without label "foo=bar"
+		matchedNs = prepareTestIngress(matchedHost, matchedHost, map[string]string{"foo": "bar"})
+	})
+
+	ginkgo.AfterEach(func() {
+		cleanupNamespace(notMatchedNs)
+		cleanupNamespace(matchedNs)
+
+		// cleanup clusterrole/clusterrolebinding created by installing chart with controller.scope.enabled=false
+		err := f.KubeClientSet.RbacV1().ClusterRoles().Delete(context.TODO(), "nginx-ingress", metav1.DeleteOptions{})
+		assert.Nil(ginkgo.GinkgoT(), err, "deleting clusterrole nginx-ingress")
+
+		err = f.KubeClientSet.RbacV1().ClusterRoleBindings().Delete(context.TODO(), "nginx-ingress", metav1.DeleteOptions{})
+		assert.Nil(ginkgo.GinkgoT(), err, "deleting clusterrolebinging nginx-ingress")
+	})
+
+	ginkgo.Context("With specific watch-namespace-selector flags", func() {
+
+		ginkgo.It("should ingore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar", func() {
+
+			f.WaitForNginxConfiguration(func(cfg string) bool {
+				return !strings.Contains(cfg, "server_name bar") &&
+					strings.Contains(cfg, "server_name foo")
+			})
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", matchedHost).
+				Expect().
+				Status(http.StatusOK)
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", notMatchedHost).
+				Expect().
+				Status(http.StatusNotFound)
+
+			// should accept Ingress when namespace labeled with foo=bar
+			ns, err := f.KubeClientSet.CoreV1().Namespaces().Get(context.TODO(), notMatchedNs, metav1.GetOptions{})
+			assert.Nil(ginkgo.GinkgoT(), err)
+
+			if ns.Labels == nil {
+				ns.Labels = make(map[string]string)
+			}
+			ns.Labels["foo"] = "bar"
+
+			_, err = f.KubeClientSet.CoreV1().Namespaces().Update(context.TODO(), ns, metav1.UpdateOptions{})
+			assert.Nil(ginkgo.GinkgoT(), err, "labeling not matched namespace")
+
+			// update ingress to trigger reconcilation
+			ing, err := f.KubeClientSet.NetworkingV1().Ingresses(notMatchedNs).Get(context.TODO(), notMatchedHost, metav1.GetOptions{})
+			assert.Nil(ginkgo.GinkgoT(), err, "retrieve test ingress")
+			if ing.Labels == nil {
+				ing.Labels = make(map[string]string)
+			}
+			ing.Labels["foo"] = "bar"
+
+			_, err = f.KubeClientSet.NetworkingV1().Ingresses(notMatchedNs).Update(context.TODO(), ing, metav1.UpdateOptions{})
+			assert.Nil(ginkgo.GinkgoT(), err, "updating ingress")
+
+			f.WaitForNginxConfiguration(func(cfg string) bool {
+				return strings.Contains(cfg, "server_name bar")
+			})
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", notMatchedHost).
+				Expect().
+				Status(http.StatusOK)
+		})
+	})
+})

From ab4fa4246797a33bc7b45b45097a91086fe9ad48 Mon Sep 17 00:00:00 2001
From: agile6v <agile6v@gmail.com>
Date: Sat, 13 Nov 2021 03:46:35 +0800
Subject: [PATCH 215/376] fix compling kubectl-ingress_nginx error and add some
 descriptions for build command. (#7903)

---
 build/build-plugin.sh | 10 +++++++---
 build/build.sh        | 19 +++++++++++--------
 2 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/build/build-plugin.sh b/build/build-plugin.sh
index 93b6efbdf..568451dc0 100755
--- a/build/build-plugin.sh
+++ b/build/build-plugin.sh
@@ -52,12 +52,14 @@ function build_for_arch(){
   arch=$2
   extension=$3
 
+  echo "> building targets for ${os}-${arch}"
+
   env GOOS="${os}" GOARCH="${arch}" go build \
-    "${GOBUILD_FLAGS}" \
-    -trimpath -ldflags="-buildid= -w -s" \
+    ${GOBUILD_FLAGS} \
+    -trimpath -ldflags="-buildid= -w -s \
       -X ${PKG}/version.RELEASE=${TAG} \
       -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
-      -X ${PKG}/version.REPO=${REPO_INFO} \
+      -X ${PKG}/version.REPO=${REPO_INFO}" \
     -o "${release}/kubectl-ingress_nginx${extension}" "${PKG}/cmd/plugin"
 
     cp LICENSE ${release}
@@ -74,6 +76,8 @@ cp cmd/plugin/ingress-nginx.yaml.tmpl "${release}/ingress-nginx.yaml"
 
 sed -i "s/%%%tag%%%/${TAG}/g" ${release}/ingress-nginx.yaml
 
+echo "Generated targets in ${release} directory."
+
 build_for_arch darwin amd64 ''
 build_for_arch linux amd64 ''
 build_for_arch windows amd64 '.exe'
diff --git a/build/build.sh b/build/build.sh
index 914716feb..9edae604d 100755
--- a/build/build.sh
+++ b/build/build.sh
@@ -46,23 +46,26 @@ fi
 export CGO_ENABLED=0
 export GOARCH=${ARCH}
 
-go build \
-  -trimpath -ldflags="-buildid= -w -s \
-    -X ${PKG}/version.RELEASE=${TAG} \
-    -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
-    -X ${PKG}/version.REPO=${REPO_INFO}" \
-  -o "rootfs/bin/${ARCH}/nginx-ingress-controller" "${PKG}/cmd/nginx"
+TARGETS_DIR="rootfs/bin/${ARCH}"
+echo "Building targets for ${ARCH}, generated targets in ${TARGETS_DIR} directory."
 
 go build \
   -trimpath -ldflags="-buildid= -w -s \
     -X ${PKG}/version.RELEASE=${TAG} \
     -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
     -X ${PKG}/version.REPO=${REPO_INFO}" \
-  -o "rootfs/bin/${ARCH}/dbg" "${PKG}/cmd/dbg"
+  -o "${TARGETS_DIR}/nginx-ingress-controller" "${PKG}/cmd/nginx"
 
 go build \
   -trimpath -ldflags="-buildid= -w -s \
     -X ${PKG}/version.RELEASE=${TAG} \
     -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
     -X ${PKG}/version.REPO=${REPO_INFO}" \
-  -o "rootfs/bin/${ARCH}/wait-shutdown" "${PKG}/cmd/waitshutdown"
+  -o "${TARGETS_DIR}/dbg" "${PKG}/cmd/dbg"
+
+go build \
+  -trimpath -ldflags="-buildid= -w -s \
+    -X ${PKG}/version.RELEASE=${TAG} \
+    -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
+    -X ${PKG}/version.REPO=${REPO_INFO}" \
+  -o "${TARGETS_DIR}/wait-shutdown" "${PKG}/cmd/waitshutdown"

From 3c08f002f92b293fdcf70ad7d84d51c57ece23be Mon Sep 17 00:00:00 2001
From: Mac Chaffee <me@macchaffee.com>
Date: Mon, 15 Nov 2021 15:20:49 -0500
Subject: [PATCH 216/376] Rewrite multiple-ingress.md to work with v1 (#7608)

* Rewrite multiple-ingress.md to work with v1

* Fix --controller-class flag docs
---
 docs/user-guide/multiple-ingress.md | 95 +++++++++++++++++++++++------
 1 file changed, 75 insertions(+), 20 deletions(-)

diff --git a/docs/user-guide/multiple-ingress.md b/docs/user-guide/multiple-ingress.md
index 2604f4e80..531b99ae2 100644
--- a/docs/user-guide/multiple-ingress.md
+++ b/docs/user-guide/multiple-ingress.md
@@ -1,7 +1,74 @@
 # Multiple Ingress controllers
 
-If you're running multiple ingress controllers, or running on a cloud provider that natively handles ingress such as GKE,
-you need to specify the annotation `kubernetes.io/ingress.class: "nginx"` in all ingresses that you would like the ingress-nginx controller to claim.
+By default, deploying multiple Ingress controllers (e.g., `ingress-nginx` & `gce`) will result in all controllers simultaneously racing to update Ingress status fields in confusing ways.
+
+To fix this problem, you can either use [IngressClasses](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) (preferred) or use the `kubernetes.io/ingress.class` annotation (in deprecation).
+
+## Using IngressClasses
+
+If all ingress controllers respect IngressClasses (e.g. multiple instances of ingress-nginx v1.0), you can deploy two Ingress controllers by granting them control over two different IngressClasses, then selecting one of the two IngressClasses with `ingressClassName`.
+
+First, ensure the `--controller-class=` is set to something different on each ingress controller:
+
+```yaml
+# ingress-nginx Deployment/Statfulset
+spec:
+  template:
+     spec:
+       containers:
+         - name: nginx-ingress-internal-controller
+           args:
+             - /nginx-ingress-controller
+             - '--controller-class=k8s.io/internal-ingress-nginx'
+            ...
+```
+
+Then use the same value in the IngressClass:
+
+```yaml
+# ingress-nginx IngressClass
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: internal-nginx
+spec:
+  controller: k8s.io/internal-ingress-nginx
+  ...
+```
+
+And refer to that IngressClass in your Ingress:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: my-ingress
+spec:
+  ingressClassName: internal-nginx
+  ...
+```
+
+or if installing with Helm:
+
+```yaml
+controller:
+  ingressClassResource:
+    name: internal-nginx  # default: nginx
+    enabled: true
+    default: false
+    controllerValue: "k8s.io/internal-ingress-nginx"  # default: k8s.io/ingress-nginx
+```
+
+!!! important
+
+    When running multiple ingress-nginx controllers, it will only process an unset class annotation if one of the controllers uses the default
+    `--controller-class` value (see `IsValid` method in `internal/ingress/annotations/class/main.go`), otherwise the class annotation becomes required.
+
+    If `--controller-class` is set to the default value of `k8s.io/ingress-nginx`, the controller will monitor Ingresses with no class annotation *and* Ingresses with annotation class set to `nginx`. Use a non-default value for `--controller-class`, to ensure that the controller only satisfied the specific class of Ingresses.
+
+## Using the kubernetes.io/ingress.class annotation (in deprecation)
+
+If you're running multiple ingress controllers where one or more do not support IngressClasses, you must specify the annotation `kubernetes.io/ingress.class: "nginx"` in all ingresses that you would like ingress-nginx to claim.
 
 
 For instance,
@@ -24,16 +91,7 @@ metadata:
 
 will target the nginx controller, forcing the GCE controller to ignore it.
 
-To reiterate, setting the annotation to any value which does not match a valid ingress class will force the NGINX Ingress controller to ignore your Ingress.
-If you are only running a single NGINX ingress controller, this can be achieved by setting the annotation to any value except "nginx" or an empty string.
-
-Do this if you wish to use one of the other Ingress controllers at the same time as the NGINX controller.
-
-## Multiple ingress-nginx controllers
-
-This mechanism also provides users the ability to run _multiple_ NGINX ingress controllers (e.g. one which serves public traffic, one which serves "internal" traffic).
-To do this, the option `--ingress-class` must be changed to a value unique for the cluster within the definition of the replication controller.
-Here is a partial example:
+You can change the value "nginx" to something else by setting the `--ingress-class` flag:
 
 ```yaml
 spec:
@@ -43,15 +101,12 @@ spec:
          - name: nginx-ingress-internal-controller
            args:
              - /nginx-ingress-controller
-             - '--ingress-class=nginx-internal'
-             - '--configmap=ingress/nginx-ingress-internal-controller'
+             - --ingress-class=internal-nginx
 ```
 
-!!! important
-    Deploying multiple Ingress controllers, of different types (e.g., `ingress-nginx` & `gce`), and not specifying a class annotation will
-    result in both or all controllers fighting to satisfy the Ingress, and all of them racing to update Ingress status field in confusing ways.
+then setting the corresponding `kubernetes.io/ingress.class: "internal-nginx"` annotation on your Ingresses.
 
-    When running multiple ingress-nginx controllers, it will only process an unset class annotation if one of the controllers uses the default
-    `--ingress-class` value (see `IsValid` method in `internal/ingress/annotations/class/main.go`), otherwise the class annotation become required.
+To reiterate, setting the annotation to any value which does not match a valid ingress class will force the NGINX Ingress controller to ignore your Ingress.
+If you are only running a single NGINX ingress controller, this can be achieved by setting the annotation to any value except "nginx" or an empty string.
 
-    If `--ingress-class` is set to the default value of `nginx`, the controller will monitor Ingresses with no class annotation *and* Ingresses with annotation class set to `nginx`. Use a non-default value for `--ingress-class`, to ensure that the controller only satisfied the specific class of Ingresses.
+Do this if you wish to use one of the other Ingress controllers at the same time as the NGINX controller.

From 6299c39842c31ff1e17d72503003ca36e2976a9a Mon Sep 17 00:00:00 2001
From: Adam Graves <adam.graves85@gmail.com>
Date: Mon, 15 Nov 2021 21:54:49 +0000
Subject: [PATCH 217/376] Allow setting of container securityContext (#7533)

Currently this blocks deployments on clusters with global PodSecurityPolicies set

Signed-off-by: Adam Graves <adam.graves85@gmail.com>
---
 charts/ingress-nginx/templates/_helpers.tpl    | 18 ++++++++++++++++++
 .../templates/controller-deployment.yaml       |  9 +--------
 charts/ingress-nginx/values.yaml               |  6 ++++++
 3 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl
index 8b1fd0951..726224f18 100644
--- a/charts/ingress-nginx/templates/_helpers.tpl
+++ b/charts/ingress-nginx/templates/_helpers.tpl
@@ -30,6 +30,24 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 {{- end -}}
 
+
+{{/*
+Container SecurityContext.
+*/}}
+{{- define "controller.containerSecurityContext" -}}
+{{- if .Values.controller.containerSecurityContext -}}
+{{- toYaml .Values.controller.containerSecurityContext -}}
+{{- else -}}
+capabilities:
+  drop:
+  - ALL
+  add:
+  - NET_BIND_SERVICE
+runAsUser: {{ .Values.controller.image.runAsUser }}
+allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
+{{- end }}
+{{- end -}}
+
 {{/*
 Create a default fully qualified controller name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
index cdf96600c..93fada79e 100644
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -80,14 +80,7 @@ spec:
         {{- end }}
           args:
             {{- include "ingress-nginx.params" . | nindent 12 }}
-          securityContext:
-            capabilities:
-                drop:
-                - ALL
-                add:
-                - NET_BIND_SERVICE
-            runAsUser: {{ .Values.controller.image.runAsUser }}
-            allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
+          securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }}
           env:
             - name: POD_NAME
               valueFrom:
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 3f9771b31..048f89854 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -771,6 +771,12 @@ defaultBackend:
   ##
   podSecurityContext: {}
 
+  ## Security Context policies for controller main container.
+  ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
+  ## notes on enabling and using sysctls
+  ##
+  containerSecurityContext: {}
+
   # labels to add to the pod container metadata
   podLabels: {}
   #  key: value

From b2f13576387879c8137280cddb1b9d40c9a9221c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 15 Nov 2021 13:56:48 -0800
Subject: [PATCH 218/376] Bump sigs.k8s.io/controller-runtime from 0.9.5 to
 0.10.3 (#7917)

Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.9.5 to 0.10.3.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.9.5...v0.10.3)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod |  49 +++++++++----------
 go.sum | 147 ++++++++++++++++++++++++++++++++++++---------------------
 2 files changed, 115 insertions(+), 81 deletions(-)

diff --git a/go.mod b/go.mod
index f7dc52167..ea740a4e4 100644
--- a/go.mod
+++ b/go.mod
@@ -32,28 +32,28 @@ require (
 	google.golang.org/grpc v1.41.0
 	gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
 	gopkg.in/go-playground/pool.v3 v3.1.1
-	k8s.io/api v0.21.5
-	k8s.io/apiextensions-apiserver v0.21.5
-	k8s.io/apimachinery v0.21.5
-	k8s.io/apiserver v0.21.5
+	k8s.io/api v0.22.2
+	k8s.io/apiextensions-apiserver v0.22.2
+	k8s.io/apimachinery v0.22.2
+	k8s.io/apiserver v0.22.2
 	k8s.io/cli-runtime v0.21.5
-	k8s.io/client-go v0.21.5
-	k8s.io/code-generator v0.21.5
-	k8s.io/component-base v0.21.5
+	k8s.io/client-go v0.22.2
+	k8s.io/code-generator v0.22.2
+	k8s.io/component-base v0.22.2
 	k8s.io/klog/v2 v2.10.0
-	k8s.io/utils v0.0.0-20210802155522-efc7438f0176 // indirect
+	k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a // indirect
 	pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732
-	sigs.k8s.io/controller-runtime v0.9.5
+	sigs.k8s.io/controller-runtime v0.10.3
 	sigs.k8s.io/mdtoc v1.0.1
 )
 
 require (
 	cloud.google.com/go v0.81.0 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.12 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.5 // indirect
+	github.com/Azure/go-autorest/autorest v0.11.18 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.13 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
-	github.com/Azure/go-autorest/logger v0.2.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/BurntSushi/toml v0.3.1 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
@@ -63,7 +63,6 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/cespare/xxhash/v2 v2.1.1 // indirect
-	github.com/client9/misspell v0.3.4 // indirect
 	github.com/coreos/go-systemd/v22 v22.3.2 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -71,21 +70,20 @@ require (
 	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
 	github.com/evanphx/json-patch v4.11.0+incompatible // indirect
 	github.com/fatih/structs v1.0.0 // indirect
-	github.com/form3tech-oss/jwt-go v3.2.2+incompatible // indirect
+	github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect
 	github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
 	github.com/go-logr/logr v0.4.0 // indirect
-	github.com/go-openapi/jsonpointer v0.19.3 // indirect
-	github.com/go-openapi/jsonreference v0.19.3 // indirect
+	github.com/go-openapi/jsonpointer v0.19.5 // indirect
+	github.com/go-openapi/jsonreference v0.19.5 // indirect
 	github.com/go-openapi/spec v0.19.5 // indirect
-	github.com/go-openapi/swag v0.19.5 // indirect
-	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
+	github.com/go-openapi/swag v0.19.14 // indirect
 	github.com/godbus/dbus/v5 v5.0.4 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/gomarkdown/markdown v0.0.0-20200824053859-8c8b3816f167 // indirect
-	github.com/google/btree v1.0.0 // indirect
+	github.com/google/btree v1.0.1 // indirect
 	github.com/google/go-cmp v0.5.6 // indirect
 	github.com/google/go-querystring v1.0.0 // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
@@ -94,12 +92,12 @@ require (
 	github.com/googleapis/gnostic v0.5.5 // indirect
 	github.com/gorilla/websocket v1.4.2 // indirect
 	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
-	github.com/hashicorp/golang-lru v0.5.4 // indirect
 	github.com/imkira/go-interpol v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
 	github.com/klauspost/compress v1.12.2 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
-	github.com/mailru/easyjson v0.7.0 // indirect
+	github.com/mailru/easyjson v0.7.6 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
 	github.com/mmarkdown/mmark v2.0.40+incompatible // indirect
 	github.com/moby/sys/mountinfo v0.4.1 // indirect
@@ -123,12 +121,9 @@ require (
 	github.com/yudai/gojsondiff v1.0.0 // indirect
 	github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
-	go.uber.org/atomic v1.7.0 // indirect
-	go.uber.org/multierr v1.6.0 // indirect
-	go.uber.org/zap v1.18.1 // indirect
 	golang.org/x/mod v0.4.2 // indirect
 	golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c // indirect
-	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect
+	golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2 // indirect
 	golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d // indirect
 	golang.org/x/text v0.3.6 // indirect
 	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
@@ -142,7 +137,7 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 	k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027 // indirect
-	k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7 // indirect
+	k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e // indirect
 	moul.io/http2curl v1.0.1-0.20190925090545-5cd742060b0e // indirect
 	sigs.k8s.io/kustomize/api v0.8.8 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.10.17 // indirect
diff --git a/go.sum b/go.sum
index 02750db0d..02f4f714f 100644
--- a/go.sum
+++ b/go.sum
@@ -38,19 +38,23 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
+github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
+github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
 github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
-github.com/Azure/go-autorest/autorest v0.11.12 h1:gI8ytXbxMfI+IVbI9mP2JGCTXIuhHLgRlvQ9X4PsnHE=
 github.com/Azure/go-autorest/autorest v0.11.12/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw=
-github.com/Azure/go-autorest/autorest/adal v0.9.5 h1:Y3bBUV4rTuxenJJs41HU3qmqsb+auo+a3Lz+PlJPpL0=
+github.com/Azure/go-autorest/autorest v0.11.18 h1:90Y4srNYrwOtAgVo3ndrQkTYn6kf1Eg/AjTFJ8Is2aM=
+github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA=
 github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A=
+github.com/Azure/go-autorest/autorest/adal v0.9.13 h1:Mp5hbtOePIzM8pJVRa3YLrWWmZtoxRXqUEzCfJt3+/Q=
+github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M=
 github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw=
 github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
 github.com/Azure/go-autorest/autorest/mocks v0.4.1 h1:K0laFcLE6VLTOwNgSxaGbUcLPuGXlNkbVvq4cW4nIHk=
 github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
-github.com/Azure/go-autorest/logger v0.2.0 h1:e4RVHVZKC5p6UANLJHkM4OfR1UKZPj8Wt8Pcx+3oqrE=
 github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
+github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg=
+github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
 github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
@@ -95,7 +99,7 @@ github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:l
 github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU=
 github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g=
-github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
+github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
@@ -110,6 +114,8 @@ github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnweb
 github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ=
 github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
+github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
@@ -120,13 +126,15 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE=
-github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
+github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo=
+github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA=
+github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI=
 github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI=
 github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
@@ -189,8 +197,10 @@ github.com/fasthttp/websocket v1.4.3-rc.6/go.mod h1:43W9OM2T8FeXpCWMsBd9Cb7nE2CA
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/structs v1.0.0 h1:BrX964Rv5uQ3wwS+KRUAJCBBw5PQmgJfJ6v4yly5QwU=
 github.com/fatih/structs v1.0.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
-github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTgWiPvpYe4Xau31I0PRk=
+github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
+github.com/form3tech-oss/jwt-go v3.2.3+incompatible h1:7ZaBxOI7TMoYBfyA3cQHErNNyAWIKUMIwqxEtgHOs5c=
+github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4=
 github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
@@ -202,6 +212,7 @@ github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b h1:074/xhloHUBOpT
 github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
 github.com/gavv/httpexpect/v2 v2.3.1 h1:sGLlKMn8AuHS9ztK9Sb7AJ7OxIL8v2PcLdyxfKt1Fo4=
 github.com/gavv/httpexpect/v2 v2.3.1/go.mod h1:yOE8m/aqFYQDNrgprMeXgq4YynfN9h1NgcE1+1suV64=
+github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
 github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
@@ -234,13 +245,15 @@ github.com/go-openapi/errors v0.19.2/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA
 github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
 github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
 github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg=
-github.com/go-openapi/jsonpointer v0.19.3 h1:gihV7YNZK1iK6Tgwwsxo2rJbD1GTbdm72325Bq8FI3w=
 github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY=
+github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
 github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
 github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc=
-github.com/go-openapi/jsonreference v0.19.3 h1:5cxNfTy0UVC3X8JL5ymxzyoUZmo8iZb+jeTWn7tUa8o=
 github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
+github.com/go-openapi/jsonreference v0.19.5 h1:1WJP/wi4OjB4iV8KVbH73rQaoialJrqv8gitZLxGLtM=
+github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg=
 github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
 github.com/go-openapi/loads v0.18.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
 github.com/go-openapi/loads v0.19.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
@@ -263,14 +276,14 @@ github.com/go-openapi/strfmt v0.19.5/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk
 github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
 github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
 github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
-github.com/go-openapi/swag v0.19.5 h1:lTz6Ys4CmqqCQmZPBlbQENR1/GucA2bzYTE12Pw4tFY=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng=
+github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4=
 github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA=
 github.com/go-openapi/validate v0.19.8/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4=
 github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/gobuffalo/here v0.6.0/go.mod h1:wAG085dHOYqUpf+Ap+WOdrPTp5IYcDAs/x7PLa8Y5fM=
 github.com/godbus/dbus/v5 v5.0.4 h1:9349emZab16e7zQvpmsbtjc18ykshndd8y2PG3sgJbA=
@@ -279,6 +292,7 @@ github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFG
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
+github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -286,8 +300,9 @@ github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4er
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
@@ -319,8 +334,9 @@ github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEW
 github.com/gomarkdown/markdown v0.0.0-20200824053859-8c8b3816f167 h1:LP/6EfrZ/LyCc+SXvANDrIJ4sP9u2NAtqyv6QknetNQ=
 github.com/gomarkdown/markdown v0.0.0-20200824053859-8c8b3816f167/go.mod h1:aii0r/K0ZnHv7G0KF7xy1v0A7s2Ljrb5byB7MO5p6TU=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
+github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -364,6 +380,7 @@ github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg=
+github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
 github.com/googleapis/gnostic v0.5.5 h1:9fHAtK0uDfpveeqqo1hkEZJcFvYXAiCN3UutL8F9xHw=
 github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
@@ -378,6 +395,7 @@ github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWet
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
+github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
@@ -400,8 +418,6 @@ github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09
 github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
-github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
@@ -422,6 +438,9 @@ github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
+github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -437,6 +456,7 @@ github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7V
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
 github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
+github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.12.2 h1:2KCfW3I9M7nSc5wOqXAlW2v2U6v+w6cbjvbfp+OykW8=
@@ -469,8 +489,9 @@ github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN
 github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.7.0 h1:aizVhC/NAAcKWb+5QsU1iNOZb4Yws5UO2I+aIprQITM=
 github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
+github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA=
+github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/markbates/pkger v0.17.1/go.mod h1:0JoVlrol20BSywW79rN3kdFFsE5xYM+rSCQDXbLhiuI=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.2 h1:/bC9yWikZXAL9uJdulbSfyVNIR3n3trXl+v8+1sx8mU=
@@ -505,7 +526,7 @@ github.com/mmarkdown/mmark v2.0.40+incompatible/go.mod h1:Uvmoz7tvsWpr7bMVxIpqZP
 github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
 github.com/moby/sys/mountinfo v0.4.1 h1:1O+1cHA1aujwEwwVMa2Xm2l+gIpUHyd3+D+d7LZh1kM=
 github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
-github.com/moby/term v0.0.0-20201216013528-df9cb8a40635/go.mod h1:FBS0z0QWA44HXygs7VXDUOGoN/1TV3RuWkLO04am3wc=
+github.com/moby/term v0.0.0-20210610120745-9d4ed1856297/go.mod h1:vgPCkQMyxTZ7IDy8SXRufE172gr8+K/JE/7hHFxHW3A=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -549,6 +570,7 @@ github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W
 github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
+github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
 github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc=
 github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
@@ -556,8 +578,8 @@ github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1Cpa
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
-github.com/onsi/gomega v1.14.0 h1:ep6kpPVwmr/nTbklSx2nrLNSIO62DoYAhnPNIMhK8gI=
-github.com/onsi/gomega v1.14.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0=
+github.com/onsi/gomega v1.15.0 h1:WjP/FQ/sk43MRmnEcT+MlDw2TFvkrXlprrPST/IudjU=
+github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/opencontainers/runc v1.0.2 h1:opHZMaswlyxz1OuGpBE53Dwe4/xF7EZTY0A2L/FpCOg=
 github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
@@ -623,7 +645,6 @@ github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7z
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
-github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/procfs v0.7.3 h1:4jVXhlkAyzOScmCkXBTOLRLTz8EeU+eyjrwB/EPq0VU=
 github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
@@ -655,6 +676,7 @@ github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
+github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
 github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
@@ -665,6 +687,7 @@ github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkU
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
 github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
 github.com/spf13/cobra v1.1.1/go.mod h1:WnodtKOvamDL/PwE2M4iKs8aMDBZ5Q5klgD3qfVJQMI=
+github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo=
 github.com/spf13/cobra v1.2.1 h1:+KmjbUw1hriSNMF55oPrkZcb27aECyrj8V2ytv7kWDw=
 github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
@@ -698,6 +721,7 @@ github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
 github.com/urfave/cli v1.17.1-0.20160602030128-01a33823596e/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
@@ -737,12 +761,15 @@ github.com/zakjan/cert-chain-resolver v0.0.0-20210427055340-87e10242a981 h1:fT5B
 github.com/zakjan/cert-chain-resolver v0.0.0-20210427055340-87e10242a981/go.mod h1:/Hzu8ych2oXCs1iNI+MeASyFzWTncQ6nlu/wgqbqC2A=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
-go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
+go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
 go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg=
-go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489/go.mod h1:yVHk9ub3CSBatqGNg7GRmsnfLWtoW60w4eDYfh7vHDg=
 go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
 go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
 go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ=
+go.etcd.io/etcd/client/v3 v3.5.0/go.mod h1:AIKXXVX/DQXtfTEqBryiLTUXwON+GuvO6Z7lLS/oTh0=
+go.etcd.io/etcd/pkg/v3 v3.5.0/go.mod h1:UzJGatBQ1lXChBkQF0AuAtkRQMYnHubxAEYIrC3MSsE=
+go.etcd.io/etcd/raft/v3 v3.5.0/go.mod h1:UFOHSIvO/nKwd4lhkwabrTD3cqW5yVyYYf/KlD00Szc=
+go.etcd.io/etcd/server/v3 v3.5.0/go.mod h1:3Ah5ruV+M+7RZr0+Y/5mNLwC+eQlni+mQmOVdCRJoS4=
 go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
 go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
 go.mongodb.org/mongo-driver v1.1.2/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
@@ -755,6 +782,17 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
+go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:2AboqHi0CiIZU0qwhtUfCYD1GeUzvvIXWNkhDt7ZMG4=
+go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo=
+go.opentelemetry.io/otel/exporters/otlp v0.20.0/go.mod h1:YIieizyaN77rtLJra0buKiNBOm9XQfkPEKBeuhoMwAM=
+go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU=
+go.opentelemetry.io/otel/oteltest v0.20.0/go.mod h1:L7bgKf9ZB7qCwT9Up7i9/pn0PWIa9FqQ2IQ8LoxiGnw=
+go.opentelemetry.io/otel/sdk v0.20.0/go.mod h1:g/IcepuwNsoiX5Byy2nNV0ySUF1em498m7hBWC279Yc=
+go.opentelemetry.io/otel/sdk/export/metric v0.20.0/go.mod h1:h7RBNMsDJ5pmI1zExLi+bJK+Dr8NQCh0qGhm1KDnNlE=
+go.opentelemetry.io/otel/sdk/metric v0.20.0/go.mod h1:knxiS8Xd4E/N+ZqKmUPf3gTTZ4/0TjTXukfxjzSTpHE=
+go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee331t6JAXeK2bcyhLOOc=
 go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o=
@@ -763,7 +801,6 @@ go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/goleak v1.1.10 h1:z+mqJhf6ss6BSfSM671tgKyZBFPTTJM+HLxnhPC3wu0=
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
@@ -773,8 +810,8 @@ go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9E
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
-go.uber.org/zap v1.18.1 h1:CSUJ2mjFszzEWt4CdKISEuChVIXGBn3lAPwkRGyVrc4=
-go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
+go.uber.org/zap v1.19.0 h1:mZQZefskPPCMIBCSEH0v2/iUqqLrYtaeqwD6FUGUnFE=
+go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
 golang.org/dl v0.0.0-20190829154251-82a15e2f2ead/go.mod h1:IUMfjQLJQd4UTqG1Z90tenwKoCX93Gn3MAQJMOSBsDQ=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -816,7 +853,6 @@ golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRu
 golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 h1:VLliZ0d+/avPrXXH+OakdXhpJuEoBZuwh1m2j7U6Iug=
 golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
@@ -826,7 +862,6 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB
 golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.1-0.20200828183125-ce943fd02449/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo=
@@ -873,6 +908,7 @@ golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81R
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -882,6 +918,7 @@ golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLd
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d h1:20cMwl2fHAzkJMEA+8J4JgqBQcQGzbisXo31MIeenXI=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
@@ -955,6 +992,7 @@ golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -962,6 +1000,7 @@ golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -981,8 +1020,10 @@ golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c h1:F1jZWGFhYfh0Ci55sIpILtKKK8p3i2/krTr0H1rg74I=
+golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2 h1:c8PlLMqBbOHoqtjteWm5/kbe6rNY2pbRfbIMVnepueo=
+golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d h1:SZxvLBoTP5yHO3Frd4z4vrF+DBX9vMVanchswa69toE=
@@ -1006,6 +1047,7 @@ golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxb
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190125232054-d66bd3c5d5a6/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -1128,6 +1170,7 @@ google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfG
 google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
@@ -1140,7 +1183,6 @@ google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
@@ -1175,6 +1217,7 @@ google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA5
 google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
+google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
 google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
 google.golang.org/grpc v1.41.0 h1:f+PlOh7QV4iIJkPrx5NQ7qaNGFQ3OTse67yaDHfju4E=
 google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k=
@@ -1241,43 +1284,40 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.21.3/go.mod h1:hUgeYHUbBp23Ue4qdX9tR8/ANi/g3ehylAqDn9NWVOg=
-k8s.io/api v0.21.5 h1:9zp3SslPRB+rqxhGKqqTo6VsN3HX0Ype1nWV6UQQ+Sk=
 k8s.io/api v0.21.5/go.mod h1:Un8C5Hemo2r3MfPOjZvwQQ9KkBbiTBUCGrjlivo9uJ0=
-k8s.io/apiextensions-apiserver v0.21.3/go.mod h1:kl6dap3Gd45+21Jnh6utCx8Z2xxLm8LGDkprcd+KbsE=
-k8s.io/apiextensions-apiserver v0.21.5 h1:sCUpiB47ba59J57ZsqOvoxD3voc2nnR+sylAzHIwI8w=
-k8s.io/apiextensions-apiserver v0.21.5/go.mod h1:iiakfVazpXLW8OkF2sH/p9XGgfE7XFSQuZFJ10QlXB4=
-k8s.io/apimachinery v0.21.3/go.mod h1:H/IM+5vH9kZRNJ4l3x/fXP/5bOPJaVP/guptnZPeCFI=
-k8s.io/apimachinery v0.21.5 h1:56bnsHcUNboSCbD779GGi4Lh5kHTDFUoDrnHbhLTiaw=
+k8s.io/api v0.22.2 h1:M8ZzAD0V6725Fjg53fKeTJxGsJvRbk4TEm/fexHMtfw=
+k8s.io/api v0.22.2/go.mod h1:y3ydYpLJAaDI+BbSe2xmGcqxiWHmWjkEeIbiwHvnPR8=
+k8s.io/apiextensions-apiserver v0.22.2 h1:zK7qI8Ery7j2CaN23UCFaC1hj7dMiI87n01+nKuewd4=
+k8s.io/apiextensions-apiserver v0.22.2/go.mod h1:2E0Ve/isxNl7tWLSUDgi6+cmwHi5fQRdwGVCxbC+KFA=
 k8s.io/apimachinery v0.21.5/go.mod h1:3PfBV+4PPXNs0aueD+7fHcGyhdkFFYqXeshQtsKCi+4=
-k8s.io/apiserver v0.21.3/go.mod h1:eDPWlZG6/cCCMj/JBcEpDoK+I+6i3r9GsChYBHSbAzU=
-k8s.io/apiserver v0.21.5 h1:iEPvJ2uwmyb7C4eScOj1fgPKCyCUGgMQU5+UREE87vE=
-k8s.io/apiserver v0.21.5/go.mod h1:0bWmrAx3dxUUFSEw71U91Si5obhIvBcAmf8oVZUO58E=
+k8s.io/apimachinery v0.22.2 h1:ejz6y/zNma8clPVfNDLnPbleBo6MpoFy/HBiBqCouVk=
+k8s.io/apimachinery v0.22.2/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0=
+k8s.io/apiserver v0.22.2 h1:TdIfZJc6YNhu2WxeAOWq1TvukHF0Sfx0+ln4XK9qnL4=
+k8s.io/apiserver v0.22.2/go.mod h1:vrpMmbyjWrgdyOvZTSpsusQq5iigKNWv9o9KlDAbBHI=
 k8s.io/cli-runtime v0.21.5 h1:ZpPmrRsHvzdMzXrcr1/ZSBHLKrhS1aHyMr2hGJNlNpI=
 k8s.io/cli-runtime v0.21.5/go.mod h1:TKlcXsRVImtcPDGEe72pyZtD9UgBJNupIf3hmsIeekE=
-k8s.io/client-go v0.21.3/go.mod h1:+VPhCgTsaFmGILxR/7E1N0S+ryO010QBeNCv5JwRGYU=
-k8s.io/client-go v0.21.5 h1:zkVidiWVgciPKYqWpMFMjCUF+4rRXcfkKoyQS1Ue21k=
 k8s.io/client-go v0.21.5/go.mod h1:EUornVlr3rBrPKXUoMPNggJdEQmvFNMpYO3Kb6432kw=
-k8s.io/code-generator v0.21.3/go.mod h1:K3y0Bv9Cz2cOW2vXUrNZlFbflhuPvuadW6JdnN6gGKo=
-k8s.io/code-generator v0.21.5 h1:7X6dJG4hzKFHChYpP02iF0XrXhenqQHc76QoKYzDZfI=
-k8s.io/code-generator v0.21.5/go.mod h1:0K1k6o2ef8JD/j8LF3ZuqWLGFMHvO5psNzLLmxf7ZVE=
-k8s.io/component-base v0.21.3/go.mod h1:kkuhtfEHeZM6LkX0saqSK8PbdO7A0HigUngmhhrwfGQ=
-k8s.io/component-base v0.21.5 h1:icFqcFDrO9S+FQpGohzVm6qce9vlo131K0r3NhElxiQ=
-k8s.io/component-base v0.21.5/go.mod h1:UyRaqQfPkBL/haEFaMWgVQvtom5TqAT+jqlFGlh6LuU=
+k8s.io/client-go v0.22.2 h1:DaSQgs02aCC1QcwUdkKZWOeaVsQjYvWv8ZazcZ6JcHc=
+k8s.io/client-go v0.22.2/go.mod h1:sAlhrkVDf50ZHx6z4K0S40wISNTarf1r800F+RlCF6U=
+k8s.io/code-generator v0.22.2 h1:+bUv9lpTnAWABtPkvO4x0kfz7j/kDEchVt0P/wXU3jQ=
+k8s.io/code-generator v0.22.2/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o=
+k8s.io/component-base v0.22.2 h1:vNIvE0AIrLhjX8drH0BgCNJcR4QZxMXcJzBsDplDx9M=
+k8s.io/component-base v0.22.2/go.mod h1:5Br2QhI9OTe79p+TzPe9JKNQYvEKbq9rTJDWllunGug=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027 h1:Uusb3oh8XcdzDF/ndlI4ToKTYVlkCSJP39SRY2mfRAw=
 k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.8.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
+k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
 k8s.io/klog/v2 v2.10.0 h1:R2HDMDJsHVTHA2n4RjwbeYXdOcBymXdX/JRb1v0VGhE=
 k8s.io/klog/v2 v2.10.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
-k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7 h1:vEx13qjvaZ4yfObSSXW7BrMc/KQBBT/Jyee8XtLf4x0=
 k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE=
+k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e h1:KLHHjkdQFomZy8+06csTWZ0m1343QqxZhR2LJ1OxCYM=
+k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw=
 k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20210722164352-7f3ee0f31471/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20210802155522-efc7438f0176 h1:Mx0aa+SUAcNRQbs5jUzV8lkDlGFU8laZsY9jrcVX5SY=
-k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a h1:8dYfu/Fc9Gz2rNJKB9IQRGgQOh2clmRzNIPPY1xLY5g=
+k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 moul.io/http2curl v1.0.1-0.20190925090545-5cd742060b0e h1:C7q+e9M5nggAvWfVg9Nl66kebKeuJlP3FD58V4RR5wo=
 moul.io/http2curl v1.0.1-0.20190925090545-5cd742060b0e/go.mod h1:nejbQVfXh96n9dSF6cH3Jsk/QI1Z2oEL7sSI2ifXFNA=
 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 h1:SAElp8THCfmBdM+4lmWX5gebiSSkEr7PAYDVF91qpfg=
@@ -1285,10 +1325,9 @@ pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732/go.mod h1:lpvCfhqEHNJSSpG5R
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.19/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
-sigs.k8s.io/controller-runtime v0.9.5 h1:WThcFE6cqctTn2jCZprLICO6BaKZfhsT37uAapTNfxc=
-sigs.k8s.io/controller-runtime v0.9.5/go.mod h1:q6PpkM5vqQubEKUKOM6qr06oXGzOBcCby1DA9FbyZeA=
+sigs.k8s.io/controller-runtime v0.10.3 h1:s5Ttmw/B4AuIbwrXD3sfBkXwnPMMWrqpVj4WRt1dano=
+sigs.k8s.io/controller-runtime v0.10.3/go.mod h1:CQp8eyUQZ/Q7PJvnIrB6/hgfTC1kBkGylwsLgOQi1WY=
 sigs.k8s.io/kustomize/api v0.8.8 h1:G2z6JPSSjtWWgMeWSoHdXqyftJNmMmyxXpwENGoOtGE=
 sigs.k8s.io/kustomize/api v0.8.8/go.mod h1:He1zoK0nk43Pc6NlV085xDXDXTNprtcyKZVm3swsdNY=
 sigs.k8s.io/kustomize/kyaml v0.10.17 h1:4zrV0ym5AYa0e512q7K3Wp1u7mzoWW0xR3UHJcGWGIg=

From b7ac27a6717fa52e56a2d811c8092e6c82a5db0d Mon Sep 17 00:00:00 2001
From: Robert Steele <rosteele@antempus.dev>
Date: Mon, 15 Nov 2021 13:58:48 -0800
Subject: [PATCH 219/376] Update Bare Metal anchor link (#7914)

---
 docs/deploy/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index 197a0efbd..9ce75eb6f 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -23,7 +23,7 @@ On most Kubernetes clusters, the ingress controller will work without requiring
   - [Scaleway](#scaleway)
   - [Exoscale](#exoscale)
   - [Oracle Cloud Infrastructure](#oracle-cloud-infrastructure)
-  - [Bare-metal](#bare-metal)
+  - [Bare-metal](#bare-metal-clusters)
 - [Miscellaneous](#miscellaneous)
 
 ## Quick start

From b08d4278adfcedb389407eb2b29a818daa412607 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Mon, 15 Nov 2021 19:34:48 -0300
Subject: [PATCH 220/376] Try to improve test speed (#7922)

---
 test/e2e-image/e2e.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/test/e2e-image/e2e.sh b/test/e2e-image/e2e.sh
index 240803c63..3a06871cc 100755
--- a/test/e2e-image/e2e.sh
+++ b/test/e2e-image/e2e.sh
@@ -27,10 +27,11 @@ E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS:-""}
 ginkgo_args=(
   "-randomizeAllSpecs"
   "-flakeAttempts=2"
+  "-failFast"
   "-progress"
   "-slowSpecThreshold=${SLOW_E2E_THRESHOLD}"
   "-succinct"
-  "-timeout=45m" # Suite timeout should be lower than Prow job timeout to avoid abrupt termination
+  "-timeout=75m"
 )
 
 echo -e "${BGREEN}Running e2e test suite (FOCUS=${FOCUS})...${NC}"

From 7d17ff35fa13c84d5981e69a1e3ca027cdf78b38 Mon Sep 17 00:00:00 2001
From: Nithya <nithyashree675@gmail.com>
Date: Mon, 15 Nov 2021 23:13:52 +0000
Subject: [PATCH 221/376] helm chart: choice option for internal/external
 loadbalancer type service (#7806)

---
 charts/ingress-nginx/templates/_params.tpl             | 6 +++++-
 charts/ingress-nginx/templates/controller-service.yaml | 2 +-
 charts/ingress-nginx/values.yaml                       | 3 +++
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/charts/ingress-nginx/templates/_params.tpl b/charts/ingress-nginx/templates/_params.tpl
index d74798b98..64a462eaa 100644
--- a/charts/ingress-nginx/templates/_params.tpl
+++ b/charts/ingress-nginx/templates/_params.tpl
@@ -3,8 +3,12 @@
 {{- if .Values.defaultBackend.enabled }}
 - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }}
 {{- end }}
-{{- if .Values.controller.publishService.enabled }}
+{{- if and .Values.controller.publishService.enabled .Values.controller.service.enabled }}
+{{- if .Values.controller.service.external.enabled }}
 - --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }}
+{{- else if .Values.controller.service.internal.enabled }}
+- --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }}-internal
+{{- end }}
 {{- end }}
 - --election-id={{ .Values.controller.electionID }}
 - --controller-class={{ .Values.controller.ingressClassResource.controllerValue }}
diff --git a/charts/ingress-nginx/templates/controller-service.yaml b/charts/ingress-nginx/templates/controller-service.yaml
index f0245249f..90a0eb994 100644
--- a/charts/ingress-nginx/templates/controller-service.yaml
+++ b/charts/ingress-nginx/templates/controller-service.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.controller.service.enabled -}}
+{{- if and .Values.controller.service.enabled .Values.controller.service.external.enabled -}}
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 048f89854..1b2e08243 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -494,6 +494,9 @@ controller:
       tcp: {}
       udp: {}
 
+    external:
+      enabled: true
+
     ## Enables an additional internal load balancer (besides the external one).
     ## Annotations are mandatory for the load balancer to come up. Varies with the cloud service.
     internal:

From 15567b07c014fcaf6109dc7d0e48e3b07b26867f Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Mon, 15 Nov 2021 20:37:29 -0300
Subject: [PATCH 222/376] Trim spaces from badword items (#7921)

---
 .../nginx-configuration/configmap.md           | 18 ++++++++++++++++++
 internal/ingress/controller/controller.go      |  2 +-
 internal/ingress/controller/controller_test.go |  4 ++++
 3 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index fc093c4af..d58ef17cd 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -30,6 +30,7 @@ The following table shows a configuration option's name, type, and the default v
 |[add-headers](#add-headers)|string|""|
 |[allow-backend-server-header](#allow-backend-server-header)|bool|"false"|
 |[allow-snippet-annotations](#allow-snippet-annotations)|bool|true|
+|[annotation-value-word-blocklist](#annotation-value-word-blocklist)|string array|"load_module","lua_package","_by_lua","location","root","proxy_pass","serviceaccount","{","}","'","\"
 |[hide-headers](#hide-headers)|string array|empty|
 |[access-log-params](#access-log-params)|string|""|
 |[access-log-path](#access-log-path)|string|"/var/log/nginx/access.log"|
@@ -222,6 +223,23 @@ Enables Ingress to parse and add *-snippet annotations/directives created by the
 Warning: We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this 
 may allow a user to add restricted configurations to the final nginx.conf file
 
+## annotation-value-word-blocklist
+
+Contains a comma-separated value of chars/words that are well known of being used to abuse Ingress configuration 
+and must be blocked.
+
+When an annotation is detected with a value that matches one of the blocked badwords, the whole Ingress wont be configured.
+
+_**default:**_ `"load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\"`
+
+
+Warning: The default value already contains a sane set of badwords. Some features like mod_security needs characters that are blocked, and it's up to the Ingress admin to remove this characters from the blocklist.
+
+When doing this, the default blocklist is overrided, which means that the Ingress admin should add all the words
+that should be blocked.
+
+If you find some word should not be on the default list, or if you think that we should add more badwords, please 
+feel free to open an issue with your case!
 ## hide-headers
 
 Sets additional header that will not be passed from the upstream server to the client response.
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index b1dbf9cd1..fb06a58c6 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -253,7 +253,7 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 		}
 		if strings.HasPrefix(key, fmt.Sprintf("%s/", parser.AnnotationsPrefix)) {
 			for _, forbiddenvalue := range arraybadWords {
-				if strings.Contains(value, forbiddenvalue) {
+				if strings.Contains(value, strings.TrimSpace(forbiddenvalue)) {
 					return fmt.Errorf("%s annotation contains invalid word %s", key, forbiddenvalue)
 				}
 			}
diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go
index 15367bc0d..b67929b97 100644
--- a/internal/ingress/controller/controller_test.go
+++ b/internal/ingress/controller/controller_test.go
@@ -284,6 +284,10 @@ func TestCheckIngress(t *testing.T) {
 			if err := nginx.CheckIngress(ing); err == nil {
 				t.Errorf("with an invalid value in annotation the ingress should be rejected")
 			}
+			ing.ObjectMeta.Annotations["nginx.ingress.kubernetes.io/custom-headers"] = "another_directive"
+			if err := nginx.CheckIngress(ing); err == nil {
+				t.Errorf("with an invalid value in annotation the ingress should be rejected")
+			}
 		})
 
 		t.Run("When a new catch-all ingress is being created despite catch-alls being disabled ", func(t *testing.T) {

From 7ce96cbcf668f94a0d1ee0a674e96002948bff6f Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Mon, 15 Nov 2021 20:51:50 -0300
Subject: [PATCH 223/376] Prepare for v1.0.5 release (#7923)

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
---
 TAG | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/TAG b/TAG
index 3e7bcf08c..80e0d762d 100644
--- a/TAG
+++ b/TAG
@@ -1 +1 @@
-v1.0.4
+v1.0.5

From 727f4cb9255bce1771db7a01fe515ca9d5121b18 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Mon, 15 Nov 2021 22:11:26 -0300
Subject: [PATCH 224/376] Release v1.0.5 documents (#7924)

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
---
 Changelog.md                                  | 22 +++++
 README.md                                     |  1 +
 charts/ingress-nginx/CHANGELOG.md             |  5 ++
 charts/ingress-nginx/Chart.yaml               | 10 +--
 charts/ingress-nginx/values.yaml              |  4 +-
 .../provider/aws/deploy-tls-termination.yaml  | 83 ++++++++++---------
 deploy/static/provider/aws/deploy.yaml        | 82 +++++++++---------
 deploy/static/provider/baremetal/deploy.yaml  | 82 +++++++++---------
 deploy/static/provider/cloud/deploy.yaml      | 82 +++++++++---------
 deploy/static/provider/do/deploy.yaml         | 82 +++++++++---------
 deploy/static/provider/exoscale/deploy.yaml   | 82 +++++++++---------
 deploy/static/provider/kind/deploy.yaml       | 82 +++++++++---------
 deploy/static/provider/scw/deploy.yaml        | 82 +++++++++---------
 docs/deploy/index.md                          | 20 ++---
 stable.txt                                    |  2 +-
 15 files changed, 374 insertions(+), 347 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index 3af07fcd4..a6626cdd7 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,27 @@
 # Changelog
 
+### 1.0.5
+
+**Image:**
+- k8s.gcr.io/ingress-nginx/controller:v1.0.5@sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
+
+_Possible Breaking Change_
+We now implement string sanitization in annotation values. This means that words like "location", "by_lua" and
+others will drop the reconciliation of an Ingress object. 
+
+Users from mod_security and other features should be aware that some blocked values may be used by those features 
+and must be manually unblocked by the Ingress Administrator.
+
+For more details please check [https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#annotation-value-word-blocklist]
+
+_Changes:_
+- [7874](https://github.com/kubernetes/ingress-nginx/pull/7874) Add option to sanitize annotation inputs
+- [7854](https://github.com/kubernetes/ingress-nginx/pull/7854) Add brotli-min-length configuration option
+- [7800](https://github.com/kubernetes/ingress-nginx/pull/7800) Fix thread synchronization issue
+- [7711](https://github.com/kubernetes/ingress-nginx/pull/7711) Added AdmissionController metrics
+- [7614](https://github.com/kubernetes/ingress-nginx/pull/7614) Support cors-allow-origin with multiple origins
+- [7472](https://github.com/kubernetes/ingress-nginx/pull/7472) Support watch multiple namespaces matched witch namespace selector
+
 ### 1.0.4
 
 **Image:**
diff --git a/README.md b/README.md
index 0849d0f0b..f885a2279 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 
 | Ingress-nginx version | k8s supported version  | Alpine Version | Nginx Version |
 |-----------------------|-------------           |----------------|---------------|
+| v1.0.5                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
 | v1.0.4                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
 | v1.0.3                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
 | v1.0.2                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md
index d61bd5db8..aea4d5453 100644
--- a/charts/ingress-nginx/CHANGELOG.md
+++ b/charts/ingress-nginx/CHANGELOG.md
@@ -2,6 +2,11 @@
 
 This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
 
+### 4.0.7
+
+- [7923] https://github.com/kubernetes/ingress-nginx/pull/7923 Release v1.0.5 of ingress-nginx
+- [7806] https://github.com/kubernetes/ingress-nginx/pull/7806 Choice option for internal/external loadbalancer type service
+
 ### 4.0.6
 
 - [7804] https://github.com/kubernetes/ingress-nginx/pull/7804 Release v1.0.4 of ingress-nginx
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 3e0c0de7a..1b6aef5b5 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.0.6
-appVersion: 1.0.4
+version: 4.0.7
+appVersion: 1.0.5
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
@@ -24,7 +24,5 @@ annotations:
   # List of changes for the release in artifacthub.io
   # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog
   artifacthub.io/changes: |
-    - Disable builtin ssl_session_cache
-    - Print warning only instead of error if no IngressClass permission is available
-    - Bump internal libraries versions
-    - Fix documentations
+    - choice option for internal/external loadbalancer type service
+    - use controller v1.0.5
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 1b2e08243..d572f3e62 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -15,8 +15,8 @@ controller:
     # for backwards compatibility consider setting the full image url via the repository value below
     # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     # repository:
-    tag: "v1.0.4"
-    digest: sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
+    tag: "v1.0.5"
+    digest: sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
     pullPolicy: IfNotPresent
     # www-data -> uid 101
     runAsUser: 101
diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml
index a0e07e952..cad07b084 100644
--- a/deploy/static/provider/aws/deploy-tls-termination.yaml
+++ b/deploy/static/provider/aws/deploy-tls-termination.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -51,10 +51,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -66,6 +66,7 @@ rules:
       - nodes
       - pods
       - secrets
+      - namespaces
     verbs:
       - list
       - watch
@@ -118,10 +119,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -138,10 +139,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -222,10 +223,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -244,10 +245,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -275,10 +276,10 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -310,10 +311,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -336,7 +337,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.5@sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -428,10 +429,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -446,10 +447,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -486,10 +487,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -502,10 +503,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -526,10 +527,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -551,10 +552,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -576,10 +577,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -601,10 +602,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -612,10 +613,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.6
+        helm.sh/chart: ingress-nginx-4.0.7
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.4
+        app.kubernetes.io/version: 1.0.5
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -651,10 +652,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -662,10 +663,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.6
+        helm.sh/chart: ingress-nginx-4.0.7
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.4
+        app.kubernetes.io/version: 1.0.5
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml
index 3b3b45bc4..36a0a4ab3 100644
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -216,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -238,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -267,10 +267,10 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -302,10 +302,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -328,7 +328,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.5@sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -417,10 +417,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -435,10 +435,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -475,10 +475,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -491,10 +491,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -515,10 +515,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -540,10 +540,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -565,10 +565,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -590,10 +590,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -601,10 +601,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.6
+        helm.sh/chart: ingress-nginx-4.0.7
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.4
+        app.kubernetes.io/version: 1.0.5
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -640,10 +640,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -651,10 +651,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.6
+        helm.sh/chart: ingress-nginx-4.0.7
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.4
+        app.kubernetes.io/version: 1.0.5
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml
index 106b85306..78172c779 100644
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -216,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -238,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -264,10 +264,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -298,10 +298,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -324,7 +324,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.5@sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -412,10 +412,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -430,10 +430,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -470,10 +470,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -486,10 +486,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -510,10 +510,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -535,10 +535,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -560,10 +560,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -585,10 +585,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -596,10 +596,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.6
+        helm.sh/chart: ingress-nginx-4.0.7
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.4
+        app.kubernetes.io/version: 1.0.5
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -635,10 +635,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -646,10 +646,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.6
+        helm.sh/chart: ingress-nginx-4.0.7
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.4
+        app.kubernetes.io/version: 1.0.5
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml
index bd9dd511e..7f5ce802a 100644
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -216,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -238,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -264,10 +264,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -299,10 +299,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -325,7 +325,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.5@sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -414,10 +414,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -432,10 +432,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -472,10 +472,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -488,10 +488,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -512,10 +512,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -537,10 +537,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -562,10 +562,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -587,10 +587,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -598,10 +598,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.6
+        helm.sh/chart: ingress-nginx-4.0.7
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.4
+        app.kubernetes.io/version: 1.0.5
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -637,10 +637,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -648,10 +648,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.6
+        helm.sh/chart: ingress-nginx-4.0.7
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.4
+        app.kubernetes.io/version: 1.0.5
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml
index 1e701f3e8..570b0a6a7 100644
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -45,10 +45,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -113,10 +113,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -133,10 +133,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -217,10 +217,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -239,10 +239,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -266,10 +266,10 @@ metadata:
   annotations:
     service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -301,10 +301,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -327,7 +327,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.5@sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -416,10 +416,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -434,10 +434,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -475,10 +475,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -491,10 +491,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -515,10 +515,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -540,10 +540,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -565,10 +565,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -590,10 +590,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -601,10 +601,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.6
+        helm.sh/chart: ingress-nginx-4.0.7
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.4
+        app.kubernetes.io/version: 1.0.5
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -640,10 +640,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -651,10 +651,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.6
+        helm.sh/chart: ingress-nginx-4.0.7
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.4
+        app.kubernetes.io/version: 1.0.5
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml
index b050d7e7b..6ef5d00dd 100644
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -216,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -238,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -273,10 +273,10 @@ metadata:
     service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-uri: /
     service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -308,10 +308,10 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -334,7 +334,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.5@sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -423,10 +423,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -441,10 +441,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -481,10 +481,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -497,10 +497,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -521,10 +521,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -546,10 +546,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -571,10 +571,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -596,10 +596,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -607,10 +607,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.6
+        helm.sh/chart: ingress-nginx-4.0.7
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.4
+        app.kubernetes.io/version: 1.0.5
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -646,10 +646,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -657,10 +657,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.6
+        helm.sh/chart: ingress-nginx-4.0.7
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.4
+        app.kubernetes.io/version: 1.0.5
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index a426cd1c2..67aee00f6 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -216,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -238,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -264,10 +264,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -298,10 +298,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -328,7 +328,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.5@sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -425,10 +425,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -443,10 +443,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -483,10 +483,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -499,10 +499,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -523,10 +523,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -548,10 +548,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -573,10 +573,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -598,10 +598,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -609,10 +609,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.6
+        helm.sh/chart: ingress-nginx-4.0.7
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.4
+        app.kubernetes.io/version: 1.0.5
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -648,10 +648,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -659,10 +659,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.6
+        helm.sh/chart: ingress-nginx-4.0.7
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.4
+        app.kubernetes.io/version: 1.0.5
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml
index 4010e5fc6..acf50cdd9 100644
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -45,10 +45,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -113,10 +113,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -133,10 +133,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -217,10 +217,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -239,10 +239,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -266,10 +266,10 @@ metadata:
   annotations:
     service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -301,10 +301,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -327,7 +327,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.5@sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -416,10 +416,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -434,10 +434,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -474,10 +474,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -490,10 +490,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -514,10 +514,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -539,10 +539,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -564,10 +564,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -589,10 +589,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -600,10 +600,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.6
+        helm.sh/chart: ingress-nginx-4.0.7
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.4
+        app.kubernetes.io/version: 1.0.5
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -639,10 +639,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.6
+    helm.sh/chart: ingress-nginx-4.0.7
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.4
+    app.kubernetes.io/version: 1.0.5
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -650,10 +650,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.6
+        helm.sh/chart: ingress-nginx-4.0.7
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.4
+        app.kubernetes.io/version: 1.0.5
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index 9ce75eb6f..51272e045 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -49,7 +49,7 @@ This requires Helm version 3. If you prefer to use a YAML manifest, you can run
     Before running the command at your terminal, make sure Kubernetes is enabled at Docker settings
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/cloud/deploy.yaml
 ```
 
 !!! info
@@ -170,7 +170,7 @@ In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controll
 ##### Network Load Balancer (NLB)
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/aws/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/aws/deploy.yaml
 ```
 
 ##### TLS termination in AWS Load Balancer (NLB)
@@ -179,10 +179,10 @@ In some scenarios is required to terminate TLS in the Load Balancer and not in t
 
 For this purpose we provide a template:
 
-- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/aws/deploy-tls-termination.yaml)
+- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/aws/deploy-tls-termination.yaml)
 
 ```console
-wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/aws/deploy-tls-termination.yaml
+wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/aws/deploy-tls-termination.yaml
 ```
 
 - Edit the file and change:
@@ -228,7 +228,7 @@ More information with regards to timeouts can be found in the [official AWS docu
 
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/cloud/deploy.yaml
 ```
 
 !!! failure Important
@@ -237,7 +237,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 #### Azure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/cloud/deploy.yaml
 ```
 
 More information with regards to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller).
@@ -245,13 +245,13 @@ More information with regards to Azure annotations for ingress controller can be
 #### Digital Ocean
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/do/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/do/deploy.yaml
 ```
 
 #### Scaleway
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/scw/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/scw/deploy.yaml
 ```
 
 #### Exoscale
@@ -265,7 +265,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale
 #### Oracle Cloud Infrastructure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/cloud/deploy.yaml
 ```
 
 A [complete list of available annotations for Oracle Cloud Infrastructure](https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md) can be found in the [OCI Cloud Controller Manager](https://github.com/oracle/oci-cloud-controller-manager) documentation.
@@ -275,7 +275,7 @@ A [complete list of available annotations for Oracle Cloud Infrastructure](https
 Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport):
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/baremetal/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/baremetal/deploy.yaml
 ```
 
 !!! tip
diff --git a/stable.txt b/stable.txt
index 4288631e7..de07e4b28 100644
--- a/stable.txt
+++ b/stable.txt
@@ -1 +1 @@
-controller-v1.0.4
+controller-v1.0.5
\ No newline at end of file

From 8e210b21e289e8419f71651c83e014bd90fa384b Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Tue, 16 Nov 2021 09:43:27 -0300
Subject: [PATCH 225/376] Force helm v4.0.8 release (#7928)

---
 charts/ingress-nginx/Chart.yaml               |  2 +-
 .../provider/aws/deploy-tls-termination.yaml  | 40 +++++++++----------
 deploy/static/provider/aws/deploy.yaml        | 40 +++++++++----------
 deploy/static/provider/baremetal/deploy.yaml  | 40 +++++++++----------
 deploy/static/provider/cloud/deploy.yaml      | 40 +++++++++----------
 deploy/static/provider/do/deploy.yaml         | 40 +++++++++----------
 deploy/static/provider/exoscale/deploy.yaml   | 40 +++++++++----------
 deploy/static/provider/kind/deploy.yaml       | 40 +++++++++----------
 deploy/static/provider/scw/deploy.yaml        | 40 +++++++++----------
 9 files changed, 161 insertions(+), 161 deletions(-)

diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 1b6aef5b5..2c3d8e5ae 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.0.7
+version: 4.0.8
 appVersion: 1.0.5
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml
index cad07b084..68073f419 100644
--- a/deploy/static/provider/aws/deploy-tls-termination.yaml
+++ b/deploy/static/provider/aws/deploy-tls-termination.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -51,7 +51,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -119,7 +119,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -139,7 +139,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -223,7 +223,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -245,7 +245,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -276,7 +276,7 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -311,7 +311,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -429,7 +429,7 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -447,7 +447,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -487,7 +487,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -503,7 +503,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -527,7 +527,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -552,7 +552,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -577,7 +577,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -602,7 +602,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -613,7 +613,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.7
+        helm.sh/chart: ingress-nginx-4.0.8
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.5
@@ -652,7 +652,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -663,7 +663,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.7
+        helm.sh/chart: ingress-nginx-4.0.8
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.5
diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml
index 36a0a4ab3..f11068e75 100644
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -44,7 +44,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -112,7 +112,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -132,7 +132,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -216,7 +216,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -238,7 +238,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -267,7 +267,7 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -302,7 +302,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -417,7 +417,7 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -435,7 +435,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -475,7 +475,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -491,7 +491,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -515,7 +515,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -540,7 +540,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -565,7 +565,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -590,7 +590,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -601,7 +601,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.7
+        helm.sh/chart: ingress-nginx-4.0.8
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.5
@@ -640,7 +640,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -651,7 +651,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.7
+        helm.sh/chart: ingress-nginx-4.0.8
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.5
diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml
index 78172c779..8d7140b59 100644
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -44,7 +44,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -112,7 +112,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -132,7 +132,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -216,7 +216,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -238,7 +238,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -264,7 +264,7 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -298,7 +298,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -412,7 +412,7 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -430,7 +430,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -470,7 +470,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -486,7 +486,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -510,7 +510,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -535,7 +535,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -560,7 +560,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -585,7 +585,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -596,7 +596,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.7
+        helm.sh/chart: ingress-nginx-4.0.8
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.5
@@ -635,7 +635,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -646,7 +646,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.7
+        helm.sh/chart: ingress-nginx-4.0.8
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.5
diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml
index 7f5ce802a..deb3d62cb 100644
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -44,7 +44,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -112,7 +112,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -132,7 +132,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -216,7 +216,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -238,7 +238,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -264,7 +264,7 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -299,7 +299,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -414,7 +414,7 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -432,7 +432,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -472,7 +472,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -488,7 +488,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -512,7 +512,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -537,7 +537,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -562,7 +562,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -587,7 +587,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -598,7 +598,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.7
+        helm.sh/chart: ingress-nginx-4.0.8
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.5
@@ -637,7 +637,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -648,7 +648,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.7
+        helm.sh/chart: ingress-nginx-4.0.8
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.5
diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml
index 570b0a6a7..f2ac4ec68 100644
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -45,7 +45,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -113,7 +113,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -133,7 +133,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -217,7 +217,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -239,7 +239,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -266,7 +266,7 @@ metadata:
   annotations:
     service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -301,7 +301,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -416,7 +416,7 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -434,7 +434,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -475,7 +475,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -491,7 +491,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -515,7 +515,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -540,7 +540,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -565,7 +565,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -590,7 +590,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -601,7 +601,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.7
+        helm.sh/chart: ingress-nginx-4.0.8
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.5
@@ -640,7 +640,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -651,7 +651,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.7
+        helm.sh/chart: ingress-nginx-4.0.8
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.5
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml
index 6ef5d00dd..ab640c53e 100644
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -44,7 +44,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -112,7 +112,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -132,7 +132,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -216,7 +216,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -238,7 +238,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -273,7 +273,7 @@ metadata:
     service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-uri: /
     service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -308,7 +308,7 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -423,7 +423,7 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -441,7 +441,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -481,7 +481,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -497,7 +497,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -521,7 +521,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -546,7 +546,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -571,7 +571,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -596,7 +596,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -607,7 +607,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.7
+        helm.sh/chart: ingress-nginx-4.0.8
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.5
@@ -646,7 +646,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -657,7 +657,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.7
+        helm.sh/chart: ingress-nginx-4.0.8
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.5
diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index 67aee00f6..982331c7b 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -44,7 +44,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -112,7 +112,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -132,7 +132,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -216,7 +216,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -238,7 +238,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -264,7 +264,7 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -298,7 +298,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -425,7 +425,7 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -443,7 +443,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -483,7 +483,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -499,7 +499,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -523,7 +523,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -548,7 +548,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -573,7 +573,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -598,7 +598,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -609,7 +609,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.7
+        helm.sh/chart: ingress-nginx-4.0.8
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.5
@@ -648,7 +648,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -659,7 +659,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.7
+        helm.sh/chart: ingress-nginx-4.0.8
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.5
diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml
index acf50cdd9..8e30160fb 100644
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@@ -13,7 +13,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -45,7 +45,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -113,7 +113,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -133,7 +133,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -217,7 +217,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -239,7 +239,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -266,7 +266,7 @@ metadata:
   annotations:
     service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -301,7 +301,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -416,7 +416,7 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -434,7 +434,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -474,7 +474,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -490,7 +490,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -514,7 +514,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -539,7 +539,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -564,7 +564,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -589,7 +589,7 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -600,7 +600,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.7
+        helm.sh/chart: ingress-nginx-4.0.8
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.5
@@ -639,7 +639,7 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.7
+    helm.sh/chart: ingress-nginx-4.0.8
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/version: 1.0.5
@@ -650,7 +650,7 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.7
+        helm.sh/chart: ingress-nginx-4.0.8
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/version: 1.0.5

From 0545986293523047352e9bfcce9149fd14407df0 Mon Sep 17 00:00:00 2001
From: Ted <xiao.xj@outlook.com>
Date: Thu, 18 Nov 2021 05:41:58 +0800
Subject: [PATCH 226/376] update doc for patched status (#7930)

the BASE_IMAGE `k8s.gcr.io/ingress-nginx/nginx:v20210915-g498892514@sha256:8c1e48123e64e3f2b90ed32a53babd9b5f5431dad26beecdcb8fc185ded3b6dd` was alreday patched
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index f885a2279..21864da9f 100644
--- a/README.md
+++ b/README.md
@@ -36,9 +36,9 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 | v1.0.2                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
 | v1.0.1                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
 | v1.0.0                | 1.22, 1.21, 1.20, 1.19 | 3.13.5         |  1.20.1       |
-| v0.49.3               | 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9       |
-| v0.49.2               | 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9       |
-| v0.49.1               | 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9       |
+| v0.49.3               | 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
+| v0.49.2               | 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
+| v0.49.1               | 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
 | v0.49.0               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
 | v0.48.1               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
 | v0.47.0               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |

From 8c722557f0521cefafef482b4ed15f6af536d3c7 Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Wed, 17 Nov 2021 18:49:05 -0500
Subject: [PATCH 227/376] update build for darwin arm64 (#7941)

---
 build/build-plugin.sh              |  1 +
 cmd/plugin/ingress-nginx.yaml.tmpl | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/build/build-plugin.sh b/build/build-plugin.sh
index 568451dc0..a3ed34bf2 100755
--- a/build/build-plugin.sh
+++ b/build/build-plugin.sh
@@ -79,5 +79,6 @@ sed -i "s/%%%tag%%%/${TAG}/g" ${release}/ingress-nginx.yaml
 echo "Generated targets in ${release} directory."
 
 build_for_arch darwin amd64 ''
+build_for_arch darwin arm64 ''
 build_for_arch linux amd64 ''
 build_for_arch windows amd64 '.exe'
diff --git a/cmd/plugin/ingress-nginx.yaml.tmpl b/cmd/plugin/ingress-nginx.yaml.tmpl
index f5e7c3541..1283cb7f3 100644
--- a/cmd/plugin/ingress-nginx.yaml.tmpl
+++ b/cmd/plugin/ingress-nginx.yaml.tmpl
@@ -9,6 +9,16 @@ spec:
   version: v%%%tag%%%
   homepage: https://kubernetes.github.io/ingress-nginx/kubectl-plugin/
   platforms:
+  - uri: https://github.com/kubernetes/ingress-nginx/releases/download/nginx-%%%tag%%%/kubectl-ingress_nginx-darwin-arm64.tar.gz
+    sha256: %%%shasum_darwin_arm64%%%
+    files:
+    - from: "*"
+      to: "."
+    bin: "./kubectl-ingress_nginx"
+    selector:
+      matchLabels:
+        os: darwin
+        arch: arm64
   - uri: https://github.com/kubernetes/ingress-nginx/releases/download/nginx-%%%tag%%%/kubectl-ingress_nginx-darwin-amd64.tar.gz
     sha256: %%%shasum_darwin_amd64%%%
     files:

From 30c0d2260d61fb942bb12ebf829e93dcb0b19988 Mon Sep 17 00:00:00 2001
From: Muhammad Hamza Zaib <hamzazaib3202@gmail.com>
Date: Fri, 19 Nov 2021 15:52:52 +0100
Subject: [PATCH 228/376] [Helm] Add labels to resources (#6992)

* Add labels to RBAC resources

* Add labels to all resources

* Fix labels indentaton in patch jobs

* Add controller and default backend labels to pods

Signed-off-by: Muhammad Hamza Zaib <hamzazaib3202@gmail.com>

* Bump chart version and update changelog

Signed-off-by: Muhammad Hamza Zaib <hamzazaib3202@gmail.com>
---
 charts/ingress-nginx/CHANGELOG.md                         | 4 ++++
 charts/ingress-nginx/Chart.yaml                           | 2 +-
 .../admission-webhooks/job-patch/clusterrole.yaml         | 3 +++
 .../admission-webhooks/job-patch/clusterrolebinding.yaml  | 3 +++
 .../admission-webhooks/job-patch/job-createSecret.yaml    | 6 ++++++
 .../admission-webhooks/job-patch/job-patchWebhook.yaml    | 6 ++++++
 .../templates/admission-webhooks/job-patch/psp.yaml       | 3 +++
 .../templates/admission-webhooks/job-patch/role.yaml      | 3 +++
 .../admission-webhooks/job-patch/rolebinding.yaml         | 3 +++
 .../admission-webhooks/job-patch/serviceaccount.yaml      | 3 +++
 .../templates/admission-webhooks/validating-webhook.yaml  | 3 +++
 charts/ingress-nginx/templates/clusterrole.yaml           | 3 +++
 charts/ingress-nginx/templates/clusterrolebinding.yaml    | 3 +++
 .../templates/controller-configmap-addheaders.yaml        | 3 +++
 .../templates/controller-configmap-proxyheaders.yaml      | 3 +++
 .../ingress-nginx/templates/controller-configmap-tcp.yaml | 3 +++
 .../ingress-nginx/templates/controller-configmap-udp.yaml | 3 +++
 charts/ingress-nginx/templates/controller-configmap.yaml  | 3 +++
 charts/ingress-nginx/templates/controller-daemonset.yaml  | 3 +++
 charts/ingress-nginx/templates/controller-deployment.yaml | 3 +++
 charts/ingress-nginx/templates/controller-hpa.yaml        | 3 +++
 charts/ingress-nginx/templates/controller-keda.yaml       | 3 +++
 .../templates/controller-poddisruptionbudget.yaml         | 3 +++
 charts/ingress-nginx/templates/controller-psp.yaml        | 3 +++
 charts/ingress-nginx/templates/controller-role.yaml       | 3 +++
 .../ingress-nginx/templates/controller-rolebinding.yaml   | 3 +++
 .../templates/controller-service-webhook.yaml             | 3 +++
 .../templates/controller-serviceaccount.yaml              | 3 +++
 .../templates/default-backend-deployment.yaml             | 6 ++++++
 charts/ingress-nginx/templates/default-backend-hpa.yaml   | 3 +++
 .../templates/default-backend-poddisruptionbudget.yaml    | 3 +++
 charts/ingress-nginx/templates/default-backend-psp.yaml   | 3 +++
 charts/ingress-nginx/templates/default-backend-role.yaml  | 3 +++
 .../templates/default-backend-rolebinding.yaml            | 3 +++
 .../ingress-nginx/templates/default-backend-service.yaml  | 3 +++
 .../templates/default-backend-serviceaccount.yaml         | 3 +++
 charts/ingress-nginx/values.yaml                          | 8 +++++++-
 37 files changed, 123 insertions(+), 2 deletions(-)

diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md
index aea4d5453..ba368c30f 100644
--- a/charts/ingress-nginx/CHANGELOG.md
+++ b/charts/ingress-nginx/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
 
+### 4.0.9
+
+- [6992] https://github.com/kubernetes/ingress-nginx/pull/6992 Add ability to specify labels for all resources
+
 ### 4.0.7
 
 - [7923] https://github.com/kubernetes/ingress-nginx/pull/7923 Release v1.0.5 of ingress-nginx
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 2c3d8e5ae..20470c718 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.0.8
+version: 4.0.9
 appVersion: 1.0.5
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
index fd762f935..5659a1f10 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
@@ -9,6 +9,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: admission-webhook
+    {{- with .Values.controller.admissionWebhooks.patch.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 rules:
   - apiGroups:
       - admissionregistration.k8s.io
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
index 4990fb1c3..abf17fb9f 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
@@ -9,6 +9,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: admission-webhook
+    {{- with .Values.controller.admissionWebhooks.patch.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
index 1f58bdce7..185271951 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -10,6 +10,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: admission-webhook
+    {{- with .Values.controller.admissionWebhooks.patch.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
 {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
   # Alpha feature since k8s 1.12
@@ -24,6 +27,9 @@ spec:
       labels:
         {{- include "ingress-nginx.labels" . | nindent 8 }}
         app.kubernetes.io/component: admission-webhook
+        {{- with .Values.controller.admissionWebhooks.patch.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
     {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
       priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
index 6d01ad230..053c17273 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -10,6 +10,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: admission-webhook
+    {{- with .Values.controller.admissionWebhooks.patch.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
 {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
   # Alpha feature since k8s 1.12
@@ -24,6 +27,9 @@ spec:
       labels:
         {{- include "ingress-nginx.labels" . | nindent 8 }}
         app.kubernetes.io/component: admission-webhook
+        {{- with .Values.controller.admissionWebhooks.patch.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
     {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
       priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
index d2c7de685..70edde334 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
@@ -9,6 +9,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: admission-webhook
+    {{- with .Values.controller.admissionWebhooks.patch.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
   allowPrivilegeEscalation: false
   fsGroup:
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
index 9b083ee6e..795bac6b9 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
@@ -10,6 +10,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: admission-webhook
+    {{- with .Values.controller.admissionWebhooks.patch.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 rules:
   - apiGroups:
       - ""
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
index edda07f5d..698c5c864 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
@@ -10,6 +10,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: admission-webhook
+    {{- with .Values.controller.admissionWebhooks.patch.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
index 1ff0f7f0e..eae475118 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
@@ -10,4 +10,7 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: admission-webhook
+    {{- with .Values.controller.admissionWebhooks.patch.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
index 712f74fdd..8caffcb03 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
@@ -10,6 +10,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: admission-webhook
+    {{- with .Values.controller.admissionWebhooks.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}-admission
 webhooks:
   - name: validate.nginx.ingress.kubernetes.io
diff --git a/charts/ingress-nginx/templates/clusterrole.yaml b/charts/ingress-nginx/templates/clusterrole.yaml
index efc7d2682..c093f048a 100644
--- a/charts/ingress-nginx/templates/clusterrole.yaml
+++ b/charts/ingress-nginx/templates/clusterrole.yaml
@@ -10,6 +10,9 @@ kind: ClusterRole
 metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
+    {{- with .Values.controller.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}
 rules:
   - apiGroups:
diff --git a/charts/ingress-nginx/templates/clusterrolebinding.yaml b/charts/ingress-nginx/templates/clusterrolebinding.yaml
index 81be52b87..acbbd8b10 100644
--- a/charts/ingress-nginx/templates/clusterrolebinding.yaml
+++ b/charts/ingress-nginx/templates/clusterrolebinding.yaml
@@ -4,6 +4,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
+    {{- with .Values.controller.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
diff --git a/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml b/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml
index e0b7a0f21..dfd49a126 100644
--- a/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml
@@ -5,6 +5,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
+    {{- with .Values.controller.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}-custom-add-headers
   namespace: {{ .Release.Namespace }}
 data: {{ toYaml .Values.controller.addHeaders | nindent 2 }}
diff --git a/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml b/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml
index 91f22f03d..f8d15faf9 100644
--- a/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml
@@ -5,6 +5,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
+    {{- with .Values.controller.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
   namespace: {{ .Release.Namespace }}
 data:
diff --git a/charts/ingress-nginx/templates/controller-configmap-tcp.yaml b/charts/ingress-nginx/templates/controller-configmap-tcp.yaml
index aaf336fb3..0f6088ea9 100644
--- a/charts/ingress-nginx/templates/controller-configmap-tcp.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap-tcp.yaml
@@ -5,6 +5,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
+    {{- with .Values.controller.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 {{- if .Values.controller.tcp.annotations }}
   annotations: {{ toYaml .Values.controller.tcp.annotations | nindent 4 }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/controller-configmap-udp.yaml b/charts/ingress-nginx/templates/controller-configmap-udp.yaml
index 7f46791ec..3772ec514 100644
--- a/charts/ingress-nginx/templates/controller-configmap-udp.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap-udp.yaml
@@ -5,6 +5,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
+    {{- with .Values.controller.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 {{- if .Values.controller.udp.annotations }}
   annotations: {{ toYaml .Values.controller.udp.annotations | nindent 4 }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml
index 5d618420f..f28b26e1e 100644
--- a/charts/ingress-nginx/templates/controller-configmap.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap.yaml
@@ -4,6 +4,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
+    {{- with .Values.controller.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 {{- if .Values.controller.configAnnotations }}
   annotations: {{ toYaml .Values.controller.configAnnotations | nindent 4 }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml
index 5f71d4414..365a3cea7 100644
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -35,6 +35,9 @@ spec:
       labels:
         {{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
         app.kubernetes.io/component: controller
+        {{- with .Values.controller.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       {{- if .Values.controller.podLabels }}
         {{- toYaml .Values.controller.podLabels | nindent 8 }}
       {{- end }}
diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
index 93fada79e..2c0641bb5 100644
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -39,6 +39,9 @@ spec:
       labels:
         {{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
         app.kubernetes.io/component: controller
+        {{- with .Values.controller.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       {{- if .Values.controller.podLabels }}
         {{- toYaml .Values.controller.podLabels | nindent 8 }}
       {{- end }}
diff --git a/charts/ingress-nginx/templates/controller-hpa.yaml b/charts/ingress-nginx/templates/controller-hpa.yaml
index 876315f33..e0979f14b 100644
--- a/charts/ingress-nginx/templates/controller-hpa.yaml
+++ b/charts/ingress-nginx/templates/controller-hpa.yaml
@@ -11,6 +11,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
+    {{- with .Values.controller.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
   namespace: {{ .Release.Namespace }}
 spec:
diff --git a/charts/ingress-nginx/templates/controller-keda.yaml b/charts/ingress-nginx/templates/controller-keda.yaml
index c7eebf5c8..875157ea4 100644
--- a/charts/ingress-nginx/templates/controller-keda.yaml
+++ b/charts/ingress-nginx/templates/controller-keda.yaml
@@ -7,6 +7,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
+    {{- with .Values.controller.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
   {{- if .Values.controller.keda.scaledObject.annotations }}
   annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }}
diff --git a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml
index 9556f5863..8dfbe9891 100644
--- a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml
+++ b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml
@@ -5,6 +5,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
+    {{- with .Values.controller.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}
   namespace: {{ .Release.Namespace }}
 spec:
diff --git a/charts/ingress-nginx/templates/controller-psp.yaml b/charts/ingress-nginx/templates/controller-psp.yaml
index bdb856310..a859594d1 100644
--- a/charts/ingress-nginx/templates/controller-psp.yaml
+++ b/charts/ingress-nginx/templates/controller-psp.yaml
@@ -6,6 +6,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
+    {{- with .Values.controller.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
   allowedCapabilities:
     - NET_BIND_SERVICE
diff --git a/charts/ingress-nginx/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml
index 97c627dac..47bbc32d0 100644
--- a/charts/ingress-nginx/templates/controller-role.yaml
+++ b/charts/ingress-nginx/templates/controller-role.yaml
@@ -5,6 +5,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
+    {{- with .Values.controller.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}
   namespace: {{ .Release.Namespace }}
 rules:
diff --git a/charts/ingress-nginx/templates/controller-rolebinding.yaml b/charts/ingress-nginx/templates/controller-rolebinding.yaml
index 5ec3bc774..e846a1183 100644
--- a/charts/ingress-nginx/templates/controller-rolebinding.yaml
+++ b/charts/ingress-nginx/templates/controller-rolebinding.yaml
@@ -5,6 +5,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
+    {{- with .Values.controller.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}
   namespace: {{ .Release.Namespace }}
 roleRef:
diff --git a/charts/ingress-nginx/templates/controller-service-webhook.yaml b/charts/ingress-nginx/templates/controller-service-webhook.yaml
index ae3b1fc92..2aae24fcf 100644
--- a/charts/ingress-nginx/templates/controller-service-webhook.yaml
+++ b/charts/ingress-nginx/templates/controller-service-webhook.yaml
@@ -8,6 +8,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
+    {{- with .Values.controller.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "ingress-nginx.controller.fullname" . }}-admission
   namespace: {{ .Release.Namespace }}
 spec:
diff --git a/charts/ingress-nginx/templates/controller-serviceaccount.yaml b/charts/ingress-nginx/templates/controller-serviceaccount.yaml
index 50a718d32..a4d7db5d2 100644
--- a/charts/ingress-nginx/templates/controller-serviceaccount.yaml
+++ b/charts/ingress-nginx/templates/controller-serviceaccount.yaml
@@ -5,6 +5,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
+    {{- with .Values.controller.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ template "ingress-nginx.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
 automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml
index 99345269b..fd3e96e9e 100644
--- a/charts/ingress-nginx/templates/default-backend-deployment.yaml
+++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml
@@ -5,6 +5,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend
+    {{- with .Values.defaultBackend.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
   namespace: {{ .Release.Namespace }}
 spec:
@@ -24,6 +27,9 @@ spec:
       labels:
         {{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
         app.kubernetes.io/component: default-backend
+        {{- with .Values.defaultBackend.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       {{- if .Values.defaultBackend.podLabels }}
         {{- toYaml .Values.defaultBackend.podLabels | nindent 8 }}
       {{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-hpa.yaml b/charts/ingress-nginx/templates/default-backend-hpa.yaml
index e31fda3f9..594d26525 100644
--- a/charts/ingress-nginx/templates/default-backend-hpa.yaml
+++ b/charts/ingress-nginx/templates/default-backend-hpa.yaml
@@ -5,6 +5,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend
+    {{- with .Values.defaultBackend.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ template "ingress-nginx.defaultBackend.fullname" . }}
   namespace: {{ .Release.Namespace }}
 spec:
diff --git a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
index 9e586aa21..3a6e8ebde 100644
--- a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
+++ b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
@@ -5,6 +5,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend
+    {{- with .Values.defaultBackend.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
   namespace: {{ .Release.Namespace }}
 spec:
diff --git a/charts/ingress-nginx/templates/default-backend-psp.yaml b/charts/ingress-nginx/templates/default-backend-psp.yaml
index 716dbf16f..42061c5d3 100644
--- a/charts/ingress-nginx/templates/default-backend-psp.yaml
+++ b/charts/ingress-nginx/templates/default-backend-psp.yaml
@@ -6,6 +6,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend
+    {{- with .Values.defaultBackend.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
   allowPrivilegeEscalation: false
   fsGroup:
diff --git a/charts/ingress-nginx/templates/default-backend-role.yaml b/charts/ingress-nginx/templates/default-backend-role.yaml
index 5d29a2d52..a2b457c36 100644
--- a/charts/ingress-nginx/templates/default-backend-role.yaml
+++ b/charts/ingress-nginx/templates/default-backend-role.yaml
@@ -5,6 +5,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend
+    {{- with .Values.defaultBackend.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}-backend
   namespace: {{ .Release.Namespace }}
 rules:
diff --git a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml
index 4a9cb9284..dbaa516b9 100644
--- a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml
+++ b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml
@@ -5,6 +5,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend
+    {{- with .Values.defaultBackend.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}-backend
   namespace: {{ .Release.Namespace }}
 roleRef:
diff --git a/charts/ingress-nginx/templates/default-backend-service.yaml b/charts/ingress-nginx/templates/default-backend-service.yaml
index f59eb1e7c..5f1d09a95 100644
--- a/charts/ingress-nginx/templates/default-backend-service.yaml
+++ b/charts/ingress-nginx/templates/default-backend-service.yaml
@@ -8,6 +8,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend
+    {{- with .Values.defaultBackend.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
   namespace: {{ .Release.Namespace }}
 spec:
diff --git a/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml b/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml
index 0c00e9369..b45a95ad2 100644
--- a/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml
+++ b/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml
@@ -5,6 +5,9 @@ metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend
+    {{- with .Values.defaultBackend.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
 automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index d572f3e62..d11fc5a2d 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -187,7 +187,7 @@ controller:
   annotations: {}
   #  keel.sh/pollSchedule: "@every 60m"
 
-  ## Labels to be added to the controller Deployment or DaemonSet
+  ## Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels
   ##
   labels: {}
   #  keel.sh/policy: patch
@@ -563,6 +563,8 @@ controller:
     key: "/usr/local/certificates/key"
     namespaceSelector: {}
     objectSelector: {}
+    ## Labels to be added to admission webhooks
+    labels: {}
 
     # Use an existing PSP instead of creating one
     existingPsp: ""
@@ -606,6 +608,8 @@ controller:
       nodeSelector:
         kubernetes.io/os: linux
       tolerations: []
+      ## Labels to be added to patch job resources
+      labels: {}
       runAsUser: 2000
 
   metrics:
@@ -840,6 +844,8 @@ defaultBackend:
     type: ClusterIP
 
   priorityClassName: ""
+  ## Labels to be added to the default backend resources
+  labels: {}
 
 ## Enable RBAC as per https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/rbac.md and https://github.com/kubernetes/ingress-nginx/issues/266
 rbac:

From e57d2f63fa7b30c8125cf308a490419ebf093f61 Mon Sep 17 00:00:00 2001
From: Steve Griffith <stgriffi@microsoft.com>
Date: Sat, 20 Nov 2021 15:52:59 -0500
Subject: [PATCH 229/376] applied allowPrivilegeEscalation=false (#7948)

---
 .../admission-webhooks/job-patch/job-createSecret.yaml          | 2 ++
 .../admission-webhooks/job-patch/job-patchWebhook.yaml          | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
index 185271951..147b6ea8e 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -53,6 +53,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
           {{- if .Values.controller.admissionWebhooks.createSecretJob.resources }}
           resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
           {{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
index 053c17273..5e5cb28d1 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -55,6 +55,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
           {{- if .Values.controller.admissionWebhooks.patchWebhookJob.resources }}
           resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }}
           {{- end }}

From d4a6ade65fcb5bda8af3a3017399c4619f667315 Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Tue, 23 Nov 2021 12:06:17 -0500
Subject: [PATCH 230/376] update default block list,docs, tests (#7942)

* update default block list,docs, tests

* fix config for admin test

* gofmt

* remove the err return
---
 .../nginx-configuration/configmap.md          | 17 ++---
 internal/ingress/controller/config/config.go  | 18 +----
 internal/ingress/controller/controller.go     | 13 +++-
 internal/ingress/controller/store/store.go    |  9 +--
 test/e2e/admission/admission.go               |  6 ++
 test/e2e/framework/util.go                    |  2 +-
 test/e2e/settings/badannotationvalues.go      | 67 +++++++++++--------
 7 files changed, 69 insertions(+), 63 deletions(-)

diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index d58ef17cd..0bac62ac1 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -30,7 +30,7 @@ The following table shows a configuration option's name, type, and the default v
 |[add-headers](#add-headers)|string|""|
 |[allow-backend-server-header](#allow-backend-server-header)|bool|"false"|
 |[allow-snippet-annotations](#allow-snippet-annotations)|bool|true|
-|[annotation-value-word-blocklist](#annotation-value-word-blocklist)|string array|"load_module","lua_package","_by_lua","location","root","proxy_pass","serviceaccount","{","}","'","\"
+|[annotation-value-word-blocklist](#annotation-value-word-blocklist)|string array|""|
 |[hide-headers](#hide-headers)|string array|empty|
 |[access-log-params](#access-log-params)|string|""|
 |[access-log-path](#access-log-path)|string|"/var/log/nginx/access.log"|
@@ -226,20 +226,17 @@ may allow a user to add restricted configurations to the final nginx.conf file
 ## annotation-value-word-blocklist
 
 Contains a comma-separated value of chars/words that are well known of being used to abuse Ingress configuration 
-and must be blocked.
+and must be blocked. Related to [CVE-2021-25742](https://github.com/kubernetes/ingress-nginx/issues/7837) 
 
-When an annotation is detected with a value that matches one of the blocked badwords, the whole Ingress wont be configured.
+When an annotation is detected with a value that matches one of the blocked bad words, the whole Ingress won't be configured.
 
-_**default:**_ `"load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\"`
+_**default:**_ `""`
 
+When doing this, the default blocklist is override, which means that the Ingress admin should add all the words
+that should be blocked, here is a suggested block list.
 
-Warning: The default value already contains a sane set of badwords. Some features like mod_security needs characters that are blocked, and it's up to the Ingress admin to remove this characters from the blocklist.
+_**suggested:**_ `"load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\"`
 
-When doing this, the default blocklist is overrided, which means that the Ingress admin should add all the words
-that should be blocked.
-
-If you find some word should not be on the default list, or if you think that we should add more badwords, please 
-feel free to open an issue with your case!
 ## hide-headers
 
 Sets additional header that will not be passed from the upstream server to the client response.
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
index b54257ebc..cbe0675a2 100644
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@@ -18,7 +18,6 @@ package config
 
 import (
 	"strconv"
-	"strings"
 	"time"
 
 	"k8s.io/klog/v2"
@@ -767,21 +766,6 @@ func NewDefault() Configuration {
 	defNginxStatusIpv4Whitelist := make([]string, 0)
 	defNginxStatusIpv6Whitelist := make([]string, 0)
 	defResponseHeaders := make([]string, 0)
-
-	defAnnotationValueWordBlocklist := []string{
-		"load_module",
-		"lua_package",
-		"_by_lua",
-		"location",
-		"root",
-		"proxy_pass",
-		"serviceaccount",
-		"{",
-		"}",
-		"'",
-		"\\",
-	}
-
 	defIPCIDR = append(defIPCIDR, "0.0.0.0/0")
 	defNginxStatusIpv4Whitelist = append(defNginxStatusIpv4Whitelist, "127.0.0.1")
 	defNginxStatusIpv6Whitelist = append(defNginxStatusIpv6Whitelist, "::1")
@@ -792,7 +776,7 @@ func NewDefault() Configuration {
 
 		AllowSnippetAnnotations:          true,
 		AllowBackendServerHeader:         false,
-		AnnotationValueWordBlocklist:     strings.Join(defAnnotationValueWordBlocklist, ","),
+		AnnotationValueWordBlocklist:     "",
 		AccessLogPath:                    "/var/log/nginx/access.log",
 		AccessLogParams:                  "",
 		EnableAccessLogForDefaultBackend: false,
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index fb06a58c6..3c2969c2c 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -242,7 +242,12 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 	cfg := n.store.GetBackendConfiguration()
 	cfg.Resolver = n.resolver
 
-	arraybadWords := strings.Split(strings.TrimSpace(cfg.AnnotationValueWordBlocklist), ",")
+	var arrayBadWords []string
+
+	if cfg.AnnotationValueWordBlocklist != "" {
+		arrayBadWords = strings.Split(strings.TrimSpace(cfg.AnnotationValueWordBlocklist), ",")
+		klog.Warningf("Blocklist is %s", cfg.AnnotationValueWordBlocklist)
+	}
 
 	for key, value := range ing.ObjectMeta.GetAnnotations() {
 
@@ -251,9 +256,11 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 				return fmt.Errorf("This deployment has a custom annotation prefix defined. Use '%s' instead of '%s'", parser.AnnotationsPrefix, parser.DefaultAnnotationsPrefix)
 			}
 		}
-		if strings.HasPrefix(key, fmt.Sprintf("%s/", parser.AnnotationsPrefix)) {
-			for _, forbiddenvalue := range arraybadWords {
+
+		if strings.HasPrefix(key, fmt.Sprintf("%s/", parser.AnnotationsPrefix)) && len(arrayBadWords) != 0 {
+			for _, forbiddenvalue := range arrayBadWords {
 				if strings.Contains(value, strings.TrimSpace(forbiddenvalue)) {
+					klog.Errorf("%s annotation contains invalid word %s", key, forbiddenvalue)
 					return fmt.Errorf("%s annotation contains invalid word %s", key, forbiddenvalue)
 				}
 			}
diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go
index fe0d1e0d7..c76b59bb0 100644
--- a/internal/ingress/controller/store/store.go
+++ b/internal/ingress/controller/store/store.go
@@ -823,10 +823,11 @@ func (s *k8sStore) syncIngress(ing *networkingv1.Ingress) {
 	copyIng := &networkingv1.Ingress{}
 	ing.ObjectMeta.DeepCopyInto(&copyIng.ObjectMeta)
 
-	klog.Errorf("Blocklist: %v", s.backendConfig.AnnotationValueWordBlocklist)
-	if err := checkBadAnnotationValue(copyIng.Annotations, s.backendConfig.AnnotationValueWordBlocklist); err != nil {
-		klog.Errorf("skipping ingress %s: %s", key, err)
-		return
+	if s.backendConfig.AnnotationValueWordBlocklist != "" {
+		if err := checkBadAnnotationValue(copyIng.Annotations, s.backendConfig.AnnotationValueWordBlocklist); err != nil {
+			klog.Errorf("skipping ingress %s: %s", key, err)
+			return
+		}
 	}
 
 	ing.Spec.DeepCopyInto(&copyIng.Spec)
diff --git a/test/e2e/admission/admission.go b/test/e2e/admission/admission.go
index 8b85f35d1..030c3854a 100644
--- a/test/e2e/admission/admission.go
+++ b/test/e2e/admission/admission.go
@@ -127,6 +127,9 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
 		annotations := map[string]string{
 			"nginx.ingress.kubernetes.io/connection-proxy-header": "a;}",
 		}
+
+		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "}")
+
 		firstIngress := framework.NewSingleIngress("first-ingress", "/", host, f.Namespace, framework.EchoService, 80, annotations)
 		_, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{})
 		assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid annotation value should return an error")
@@ -138,6 +141,9 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
 		annotations := map[string]string{
 			"nginx.ingress.kubernetes.io/connection-proxy-header": "set_by_lua",
 		}
+
+		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "set_by_lua")
+
 		firstIngress := framework.NewSingleIngress("first-ingress", "/", host, f.Namespace, framework.EchoService, 80, annotations)
 		_, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{})
 		assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid annotation value should return an error")
diff --git a/test/e2e/framework/util.go b/test/e2e/framework/util.go
index 3befb8369..af2545b89 100644
--- a/test/e2e/framework/util.go
+++ b/test/e2e/framework/util.go
@@ -42,7 +42,7 @@ const (
 	Poll = 2 * time.Second
 
 	// DefaultTimeout time to wait for operations to complete
-	DefaultTimeout = 30 * time.Second
+	DefaultTimeout = 90 * time.Second
 )
 
 func nowStamp() string {
diff --git a/test/e2e/settings/badannotationvalues.go b/test/e2e/settings/badannotationvalues.go
index 74ce1c21e..cae6605cc 100644
--- a/test/e2e/settings/badannotationvalues.go
+++ b/test/e2e/settings/badannotationvalues.go
@@ -33,7 +33,7 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
 		f.NewEchoDeployment()
 	})
 
-	ginkgo.It("should drop an ingress if there is an invalid character in some annotation", func() {
+	ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation", func() {
 		host := "invalid-value-test"
 
 		annotations := map[string]string{
@@ -43,6 +43,8 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
 
 		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
 		f.UpdateNginxConfigMapData("allow-snippet-annotations", "true")
+		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "something_forbidden,otherthing_forbidden,{")
+
 		f.EnsureIngress(ing)
 
 		f.WaitForNginxServer(host,
@@ -62,7 +64,7 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
 			Status(http.StatusNotFound)
 	})
 
-	ginkgo.It("should drop an ingress if there is a forbidden word in some annotation", func() {
+	ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation", func() {
 		host := "forbidden-value-test"
 
 		annotations := map[string]string{
@@ -75,6 +77,7 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
 
 		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
 		f.UpdateNginxConfigMapData("allow-snippet-annotations", "true")
+		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "something_forbidden,otherthing_forbidden,content_by_lua_block")
 		// Sleep a while just to guarantee that the configmap is applied
 		framework.Sleep()
 		f.EnsureIngress(ing)
@@ -96,13 +99,7 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
 			Status(http.StatusNotFound)
 	})
 
-	ginkgo.It("should drop an ingress if there is a custom blocklist config in place and allow others to pass", func() {
-		host := "custom-forbidden-value-test"
-
-		annotations := map[string]string{
-			"nginx.ingress.kubernetes.io/configuration-snippet": `
-			# something_forbidden`,
-		}
+	ginkgo.It("[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place", func() {
 
 		hostValid := "custom-allowed-value-test"
 		annotationsValid := map[string]string{
@@ -110,44 +107,58 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
 			# bla_by_lua`,
 		}
 
-		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
 		ingValid := framework.NewSingleIngress(hostValid, "/", hostValid, f.Namespace, framework.EchoService, 80, annotationsValid)
-		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "something_forbidden,otherthing_forbidden")
+
 		// Sleep a while just to guarantee that the configmap is applied
 		framework.Sleep()
-		f.EnsureIngress(ing)
 		f.EnsureIngress(ingValid)
 
-		f.WaitForNginxServer(host,
-			func(server string) bool {
-				return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host))
-			})
-
 		f.WaitForNginxServer(hostValid,
 			func(server string) bool {
 				return strings.Contains(server, fmt.Sprintf("server_name %s ;", hostValid))
 			})
 
-		f.WaitForNginxServer(host,
-			func(server string) bool {
-				return !strings.Contains(server, "# something_forbidden")
-			})
-
 		f.WaitForNginxServer(hostValid,
 			func(server string) bool {
 				return strings.Contains(server, "# bla_by_lua")
 			})
 
-		f.HTTPTestClient().
-			GET("/").
-			WithHeader("Host", host).
-			Expect().
-			Status(http.StatusNotFound)
-
 		f.HTTPTestClient().
 			GET("/").
 			WithHeader("Host", hostValid).
 			Expect().
 			Status(http.StatusOK)
 	})
+
+	ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass", func() {
+		host := "custom-forbidden-value-test"
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/configuration-snippet": `
+			# something_forbidden`,
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "something_forbidden,otherthing_forbidden")
+		// Sleep a while just to guarantee that the configmap is applied
+		framework.Sleep()
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host))
+			})
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return !strings.Contains(server, "# something_forbidden")
+			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusNotFound)
+
+	})
 })

From 46e044af07936b679b67f8da8ff81d04711100f0 Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Tue, 23 Nov 2021 16:11:43 -0500
Subject: [PATCH 231/376] Start Release process for v1.1.0

Start Release process for v1.1.0
---
 TAG | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/TAG b/TAG
index 80e0d762d..795460fce 100644
--- a/TAG
+++ b/TAG
@@ -1 +1 @@
-v1.0.5
+v1.1.0

From c0814c6f784e63f08768a935234afc201cf5a5f2 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Tue, 23 Nov 2021 18:25:20 -0300
Subject: [PATCH 232/376] Change sanitization message from error to warning
 (#7963)

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
---
 internal/ingress/controller/controller.go  | 2 --
 internal/ingress/controller/store/store.go | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 3c2969c2c..75c06ad2d 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -246,7 +246,6 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 
 	if cfg.AnnotationValueWordBlocklist != "" {
 		arrayBadWords = strings.Split(strings.TrimSpace(cfg.AnnotationValueWordBlocklist), ",")
-		klog.Warningf("Blocklist is %s", cfg.AnnotationValueWordBlocklist)
 	}
 
 	for key, value := range ing.ObjectMeta.GetAnnotations() {
@@ -260,7 +259,6 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 		if strings.HasPrefix(key, fmt.Sprintf("%s/", parser.AnnotationsPrefix)) && len(arrayBadWords) != 0 {
 			for _, forbiddenvalue := range arrayBadWords {
 				if strings.Contains(value, strings.TrimSpace(forbiddenvalue)) {
-					klog.Errorf("%s annotation contains invalid word %s", key, forbiddenvalue)
 					return fmt.Errorf("%s annotation contains invalid word %s", key, forbiddenvalue)
 				}
 			}
diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go
index c76b59bb0..7e9b89735 100644
--- a/internal/ingress/controller/store/store.go
+++ b/internal/ingress/controller/store/store.go
@@ -825,7 +825,7 @@ func (s *k8sStore) syncIngress(ing *networkingv1.Ingress) {
 
 	if s.backendConfig.AnnotationValueWordBlocklist != "" {
 		if err := checkBadAnnotationValue(copyIng.Annotations, s.backendConfig.AnnotationValueWordBlocklist); err != nil {
-			klog.Errorf("skipping ingress %s: %s", key, err)
+			klog.Warningf("skipping ingress %s: %s", key, err)
 			return
 		}
 	}

From 843a16a8f827fd84baab7c0d1ac5b40752b304b6 Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Tue, 23 Nov 2021 18:07:46 -0500
Subject: [PATCH 233/376] Release updates for v1.1.0 (#7964)

---
 Changelog.md                                  | 18 ++++
 README.md                                     |  1 +
 charts/ingress-nginx/CHANGELOG.md             |  4 +
 charts/ingress-nginx/Chart.yaml               |  7 +-
 charts/ingress-nginx/values.yaml              |  4 +-
 .../provider/aws/deploy-tls-termination.yaml  | 86 ++++++++++---------
 deploy/static/provider/aws/deploy.yaml        | 86 ++++++++++---------
 deploy/static/provider/baremetal/deploy.yaml  | 86 ++++++++++---------
 deploy/static/provider/cloud/deploy.yaml      | 86 ++++++++++---------
 deploy/static/provider/do/deploy.yaml         | 86 ++++++++++---------
 deploy/static/provider/exoscale/deploy.yaml   | 86 ++++++++++---------
 deploy/static/provider/kind/deploy.yaml       | 86 ++++++++++---------
 deploy/static/provider/scw/deploy.yaml        | 86 ++++++++++---------
 docs/deploy/index.md                          | 20 ++---
 stable.txt                                    |  2 +-
 15 files changed, 399 insertions(+), 345 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index a6626cdd7..b384cfc7e 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,23 @@
 # Changelog
 
+### 1.1.0
+
+**Image:**
+- k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
+
+This release makes the annotation `annotation-value-word-blocklist` backwards compatible by being an empty list instead of prescribed defaults.
+Effectively reverting [7874](https://github.com/kubernetes/ingress-nginx/pull/7874) but keeping the functionality of `annotation-value-word-blocklist`
+
+See Issue [7939](https://github.com/kubernetes/ingress-nginx/pull/7939) for more discussion
+
+Admins should still consider putting a reasonable block list in place, more information on why can be found [here](https://github.com/kubernetes/ingress-nginx/issues/7837) and how in our documentation [here](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#annotation-value-word-blocklist)
+
+_Changes:_
+- [7963](https://github.com/kubernetes/ingress-nginx/pull/7963) Change sanitization message from error to warning (#7963)
+- [7942](https://github.com/kubernetes/ingress-nginx/pull/7942) update default block list,docs, tests (#7942)
+- [7948](https://github.com/kubernetes/ingress-nginx/pull/7948) applied allowPrivilegeEscalation=false (#7948)
+- [7941](https://github.com/kubernetes/ingress-nginx/pull/7941) update build for darwin arm64 (#7941)
+
 ### 1.0.5
 
 **Image:**
diff --git a/README.md b/README.md
index 21864da9f..8f4109a00 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 
 | Ingress-nginx version | k8s supported version  | Alpine Version | Nginx Version |
 |-----------------------|-------------           |----------------|---------------|
+| v1.1.0                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
 | v1.0.5                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
 | v1.0.4                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
 | v1.0.3                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md
index ba368c30f..75635d303 100644
--- a/charts/ingress-nginx/CHANGELOG.md
+++ b/charts/ingress-nginx/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
 
+### 4.0.10
+
+- [7964] https://github.com/kubernetes/ingress-nginx/pull/7964 Update controller version to v1.1.0
+
 ### 4.0.9
 
 - [6992] https://github.com/kubernetes/ingress-nginx/pull/6992 Add ability to specify labels for all resources
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 20470c718..44a584611 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.0.9
-appVersion: 1.0.5
+version: 4.0.10
+appVersion: 1.1.0
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
@@ -24,5 +24,4 @@ annotations:
   # List of changes for the release in artifacthub.io
   # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog
   artifacthub.io/changes: |
-    - choice option for internal/external loadbalancer type service
-    - use controller v1.0.5
+    - use controller v1.1.0
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index d11fc5a2d..3f7b3e0e8 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -15,8 +15,8 @@ controller:
     # for backwards compatibility consider setting the full image url via the repository value below
     # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     # repository:
-    tag: "v1.0.5"
-    digest: sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
+    tag: "v1.1.0"
+    digest: sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
     pullPolicy: IfNotPresent
     # www-data -> uid 101
     runAsUser: 101
diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml
index 68073f419..a3d7c7cdd 100644
--- a/deploy/static/provider/aws/deploy-tls-termination.yaml
+++ b/deploy/static/provider/aws/deploy-tls-termination.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -51,10 +51,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -119,10 +119,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -139,10 +139,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -223,10 +223,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -245,10 +245,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -276,10 +276,10 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -311,10 +311,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -337,7 +337,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.5@sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
+          image: k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -429,10 +429,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -447,10 +447,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -487,10 +487,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -503,10 +503,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -527,10 +527,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -552,10 +552,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -577,10 +577,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -602,10 +602,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -613,10 +613,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.8
+        helm.sh/chart: ingress-nginx-4.0.10
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.5
+        app.kubernetes.io/version: 1.1.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -634,6 +634,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
       nodeSelector:
@@ -652,10 +654,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -663,10 +665,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.8
+        helm.sh/chart: ingress-nginx-4.0.10
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.5
+        app.kubernetes.io/version: 1.1.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -686,6 +688,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
       nodeSelector:
diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml
index f11068e75..2014ca51d 100644
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -216,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -238,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -267,10 +267,10 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -302,10 +302,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -328,7 +328,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.5@sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
+          image: k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -417,10 +417,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -435,10 +435,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -475,10 +475,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -491,10 +491,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -515,10 +515,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -540,10 +540,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -565,10 +565,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -590,10 +590,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -601,10 +601,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.8
+        helm.sh/chart: ingress-nginx-4.0.10
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.5
+        app.kubernetes.io/version: 1.1.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -622,6 +622,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
       nodeSelector:
@@ -640,10 +642,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -651,10 +653,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.8
+        helm.sh/chart: ingress-nginx-4.0.10
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.5
+        app.kubernetes.io/version: 1.1.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -674,6 +676,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
       nodeSelector:
diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml
index 8d7140b59..983e2d51b 100644
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -216,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -238,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -264,10 +264,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -298,10 +298,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -324,7 +324,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.5@sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
+          image: k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -412,10 +412,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -430,10 +430,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -470,10 +470,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -486,10 +486,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -510,10 +510,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -535,10 +535,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -560,10 +560,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -585,10 +585,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -596,10 +596,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.8
+        helm.sh/chart: ingress-nginx-4.0.10
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.5
+        app.kubernetes.io/version: 1.1.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -617,6 +617,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
       nodeSelector:
@@ -635,10 +637,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -646,10 +648,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.8
+        helm.sh/chart: ingress-nginx-4.0.10
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.5
+        app.kubernetes.io/version: 1.1.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -669,6 +671,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
       nodeSelector:
diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml
index deb3d62cb..3eef6bb59 100644
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -216,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -238,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -264,10 +264,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -299,10 +299,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -325,7 +325,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.5@sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
+          image: k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -414,10 +414,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -432,10 +432,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -472,10 +472,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -488,10 +488,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -512,10 +512,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -537,10 +537,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -562,10 +562,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -587,10 +587,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -598,10 +598,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.8
+        helm.sh/chart: ingress-nginx-4.0.10
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.5
+        app.kubernetes.io/version: 1.1.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -619,6 +619,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
       nodeSelector:
@@ -637,10 +639,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -648,10 +650,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.8
+        helm.sh/chart: ingress-nginx-4.0.10
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.5
+        app.kubernetes.io/version: 1.1.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -671,6 +673,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
       nodeSelector:
diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml
index f2ac4ec68..094ace53e 100644
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -45,10 +45,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -113,10 +113,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -133,10 +133,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -217,10 +217,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -239,10 +239,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -266,10 +266,10 @@ metadata:
   annotations:
     service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -301,10 +301,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -327,7 +327,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.5@sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
+          image: k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -416,10 +416,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -434,10 +434,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -475,10 +475,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -491,10 +491,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -515,10 +515,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -540,10 +540,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -565,10 +565,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -590,10 +590,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -601,10 +601,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.8
+        helm.sh/chart: ingress-nginx-4.0.10
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.5
+        app.kubernetes.io/version: 1.1.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -622,6 +622,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
       nodeSelector:
@@ -640,10 +642,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -651,10 +653,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.8
+        helm.sh/chart: ingress-nginx-4.0.10
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.5
+        app.kubernetes.io/version: 1.1.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -674,6 +676,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
       nodeSelector:
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml
index ab640c53e..b599f414f 100644
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -216,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -238,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -273,10 +273,10 @@ metadata:
     service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-uri: /
     service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -308,10 +308,10 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -334,7 +334,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.5@sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
+          image: k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -423,10 +423,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -441,10 +441,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -481,10 +481,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -497,10 +497,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -521,10 +521,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -546,10 +546,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -571,10 +571,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -596,10 +596,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -607,10 +607,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.8
+        helm.sh/chart: ingress-nginx-4.0.10
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.5
+        app.kubernetes.io/version: 1.1.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -628,6 +628,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
       nodeSelector:
@@ -646,10 +648,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -657,10 +659,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.8
+        helm.sh/chart: ingress-nginx-4.0.10
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.5
+        app.kubernetes.io/version: 1.1.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -680,6 +682,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
       nodeSelector:
diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index 982331c7b..a8cd76371 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -216,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -238,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -264,10 +264,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -298,10 +298,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -328,7 +328,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.5@sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
+          image: k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -425,10 +425,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -443,10 +443,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -483,10 +483,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -499,10 +499,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -523,10 +523,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -548,10 +548,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -573,10 +573,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -598,10 +598,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -609,10 +609,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.8
+        helm.sh/chart: ingress-nginx-4.0.10
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.5
+        app.kubernetes.io/version: 1.1.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -630,6 +630,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
       nodeSelector:
@@ -648,10 +650,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -659,10 +661,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.8
+        helm.sh/chart: ingress-nginx-4.0.10
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.5
+        app.kubernetes.io/version: 1.1.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -682,6 +684,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
       nodeSelector:
diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml
index 8e30160fb..9ebc76cfd 100644
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -45,10 +45,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -113,10 +113,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -133,10 +133,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -217,10 +217,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -239,10 +239,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -266,10 +266,10 @@ metadata:
   annotations:
     service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -301,10 +301,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -327,7 +327,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.0.5@sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d
+          image: k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -416,10 +416,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -434,10 +434,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -474,10 +474,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -490,10 +490,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -514,10 +514,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -539,10 +539,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -564,10 +564,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -589,10 +589,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -600,10 +600,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.8
+        helm.sh/chart: ingress-nginx-4.0.10
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.5
+        app.kubernetes.io/version: 1.1.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -621,6 +621,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
       nodeSelector:
@@ -639,10 +641,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.8
+    helm.sh/chart: ingress-nginx-4.0.10
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.0.5
+    app.kubernetes.io/version: 1.1.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -650,10 +652,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.8
+        helm.sh/chart: ingress-nginx-4.0.10
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.0.5
+        app.kubernetes.io/version: 1.1.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -673,6 +675,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
       restartPolicy: OnFailure
       serviceAccountName: ingress-nginx-admission
       nodeSelector:
diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index 51272e045..e1a337faf 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -49,7 +49,7 @@ This requires Helm version 3. If you prefer to use a YAML manifest, you can run
     Before running the command at your terminal, make sure Kubernetes is enabled at Docker settings
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/cloud/deploy.yaml
 ```
 
 !!! info
@@ -170,7 +170,7 @@ In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controll
 ##### Network Load Balancer (NLB)
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/aws/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/aws/deploy.yaml
 ```
 
 ##### TLS termination in AWS Load Balancer (NLB)
@@ -179,10 +179,10 @@ In some scenarios is required to terminate TLS in the Load Balancer and not in t
 
 For this purpose we provide a template:
 
-- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/aws/deploy-tls-termination.yaml)
+- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/aws/deploy-tls-termination.yaml)
 
 ```console
-wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/aws/deploy-tls-termination.yaml
+wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/aws/deploy-tls-termination.yaml
 ```
 
 - Edit the file and change:
@@ -228,7 +228,7 @@ More information with regards to timeouts can be found in the [official AWS docu
 
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/cloud/deploy.yaml
 ```
 
 !!! failure Important
@@ -237,7 +237,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 #### Azure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/cloud/deploy.yaml
 ```
 
 More information with regards to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller).
@@ -245,13 +245,13 @@ More information with regards to Azure annotations for ingress controller can be
 #### Digital Ocean
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/do/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/do/deploy.yaml
 ```
 
 #### Scaleway
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/scw/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/scw/deploy.yaml
 ```
 
 #### Exoscale
@@ -265,7 +265,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale
 #### Oracle Cloud Infrastructure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/cloud/deploy.yaml
 ```
 
 A [complete list of available annotations for Oracle Cloud Infrastructure](https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md) can be found in the [OCI Cloud Controller Manager](https://github.com/oracle/oci-cloud-controller-manager) documentation.
@@ -275,7 +275,7 @@ A [complete list of available annotations for Oracle Cloud Infrastructure](https
 Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport):
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.5/deploy/static/provider/baremetal/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/baremetal/deploy.yaml
 ```
 
 !!! tip
diff --git a/stable.txt b/stable.txt
index de07e4b28..e6c5acf0d 100644
--- a/stable.txt
+++ b/stable.txt
@@ -1 +1 @@
-controller-v1.0.5
\ No newline at end of file
+controller-v1.1.0
\ No newline at end of file

From dbf3689c5e37713c4e03f62ed4fc95a1b5b30f58 Mon Sep 17 00:00:00 2001
From: Sven Schliesing <muffl0n@raffts.net>
Date: Wed, 24 Nov 2021 00:27:45 +0100
Subject: [PATCH 234/376] add documentation for "force-ssl-redirect" (#7957)

See #4628
---
 docs/user-guide/nginx-configuration/configmap.md | 5 +++++
 docs/user-guide/tls.md                           | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index 0bac62ac1..f120f41f6 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -172,6 +172,7 @@ The following table shows a configuration option's name, type, and the default v
 |[proxy-redirect-from](#proxy-redirect-from)|string|"off"|
 |[proxy-request-buffering](#proxy-request-buffering)|string|"on"|
 |[ssl-redirect](#ssl-redirect)|bool|"true"|
+|[force-ssl-redirect](#force-ssl-redirect)|bool|"false"|
 |[whitelist-source-range](#whitelist-source-range)|[]string|[]string{}|
 |[skip-access-log-urls](#skip-access-log-urls)|[]string|[]string{}|
 |[limit-rate](#limit-rate)|int|0|
@@ -1061,6 +1062,10 @@ Enables or disables [buffering of a client request body](http://nginx.org/en/doc
 Sets the global value of redirects (301) to HTTPS if the server has a TLS certificate (defined in an Ingress rule).
 _**default:**_ "true"
 
+## force-ssl-redirect
+Sets the global value of redirects (308) to HTTPS if the server has a default TLS certificate (defined in extra-args).
+_**default:**_ "false"
+
 ## whitelist-source-range
 
 Sets the default whitelisted IPs for each `server` block. This can be overwritten by an annotation on an Ingress rule.
diff --git a/docs/user-guide/tls.md b/docs/user-guide/tls.md
index 636bf3aed..38f533de6 100644
--- a/docs/user-guide/tls.md
+++ b/docs/user-guide/tls.md
@@ -44,6 +44,8 @@ add `--default-ssl-certificate=default/foo-tls` in the `nginx-controller` deploy
 The default certificate will also be used for ingress `tls:` sections that do not
 have a `secretName` option.
 
+To force redirects for Ingresses that do not specify a TLS-block at all, take a look at `force-ssl-redirect` in [ConfigMap][ConfigMap].
+
 ## SSL Passthrough
 
 The [`--enable-ssl-passthrough`](cli-arguments.md) flag enables the SSL Passthrough feature, which is disabled by

From 0122aba44dfeb72847c660641839ae2dc53d1a93 Mon Sep 17 00:00:00 2001
From: Yang Li <idealhack@gmail.com>
Date: Wed, 24 Nov 2021 08:35:45 +0900
Subject: [PATCH 235/376] admission: improved log messages for ingress name
 (#7944)

---
 internal/admission/controller/main.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/admission/controller/main.go b/internal/admission/controller/main.go
index 066747301..8645756fd 100644
--- a/internal/admission/controller/main.go
+++ b/internal/admission/controller/main.go
@@ -87,7 +87,7 @@ func (ia *IngressAdmission) HandleAdmission(obj runtime.Object) (runtime.Object,
 	}
 
 	if err := ia.Checker.CheckIngress(&ingress); err != nil {
-		klog.ErrorS(err, "invalid ingress configuration", "ingress", fmt.Sprintf("%v/%v", review.Request.Name, review.Request.Namespace))
+		klog.ErrorS(err, "invalid ingress configuration", "ingress", fmt.Sprintf("%v/%v", review.Request.Namespace, review.Request.Name))
 		status.Allowed = false
 		status.Result = &metav1.Status{
 			Status: metav1.StatusFailure, Code: http.StatusBadRequest, Reason: metav1.StatusReasonBadRequest,
@@ -98,7 +98,7 @@ func (ia *IngressAdmission) HandleAdmission(obj runtime.Object) (runtime.Object,
 		return review, nil
 	}
 
-	klog.InfoS("successfully validated configuration, accepting", "ingress", fmt.Sprintf("%v/%v", review.Request.Name, review.Request.Namespace))
+	klog.InfoS("successfully validated configuration, accepting", "ingress", fmt.Sprintf("%v/%v", review.Request.Namespace, review.Request.Name))
 	status.Allowed = true
 	review.Response = status
 

From 77a63c6855dd830a1225632945acb5e425ed4078 Mon Sep 17 00:00:00 2001
From: Kundan Kumar <kundan.kumar@india.nec.com>
Date: Wed, 24 Nov 2021 23:50:21 +0530
Subject: [PATCH 236/376] updated service upstream definition (#7972)

---
 docs/user-guide/nginx-configuration/annotations.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
index 19bd3947f..2a0078105 100755
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@@ -576,7 +576,7 @@ By default the NGINX ingress controller uses a list of all endpoints (Pod IP/por
 
 The `nginx.ingress.kubernetes.io/service-upstream` annotation disables that behavior and instead uses a single upstream in NGINX, the service's Cluster IP and port.
 
-This can be desirable for things like zero-downtime deployments as it reduces the need to reload NGINX configuration when Pods come up and down. See issue [#257](https://github.com/kubernetes/ingress-nginx/issues/257).
+This can be desirable for things like zero-downtime deployments . See issue [#257](https://github.com/kubernetes/ingress-nginx/issues/257).
 
 #### Known Issues
 

From 51bc8725a40b2a2984426feeb5b6fab854ee9145 Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Wed, 24 Nov 2021 15:27:56 -0500
Subject: [PATCH 237/376] add legacy version update v0.50.0

add legacy version update v0.50.0
---
 Changelog.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/Changelog.md b/Changelog.md
index b384cfc7e..e755ea2c2 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -203,6 +203,23 @@ Changes:
 - [X] [#6940](https://github.com/kubernetes/ingress-nginx/pull/6940) Fix definition order of modsecurity directives 
 - [X] [#7156] Drops support for Ingress Object v1beta1
 
+### 0.50.0
+
+**Image:**
+
+- `k8s.gcr.io/ingress-nginx/controller:v0.50.0@sha256:f46fc2d161c97a9d950635acb86fb3f8d4adcfb03ee241ea89c6cde16aa3fdf8`
+
+This release makes the annotation `annotation-value-word-blocklist` backwards compatible by being an empty list instead of prescribed defaults.
+Effectively reverting [7874](https://github.com/kubernetes/ingress-nginx/pull/7874) but keeping the functionality of `annotation-value-word-blocklist`
+
+See Issue [7939](https://github.com/kubernetes/ingress-nginx/pull/7939) for more discussion
+
+Admins should still consider putting a reasonable block list in place, more information on why can be found [here](https://github.com/kubernetes/ingress-nginx/issues/7837) and how in our documentation [here](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#annotation-value-word-blocklist)
+
+_Changes:_
+- [7963](https://github.com/kubernetes/ingress-nginx/pull/7963) Change sanitization message from error to warning (#7963)
+- [7942](https://github.com/kubernetes/ingress-nginx/pull/7942) update default block list,docs, tests (#7942)
+
 ### 0.49.3
 
 **Image:**

From 5a5bff1fb98c896192ca58ecf51fa5a8985d2282 Mon Sep 17 00:00:00 2001
From: Anton Holovin <adm.golovin@gmail.com>
Date: Fri, 26 Nov 2021 12:36:52 +0200
Subject: [PATCH 238/376] Making Kube service appProtocol field optional
 (#7873)

---
 charts/ingress-nginx/CHANGELOG.md                      | 4 ++++
 charts/ingress-nginx/Chart.yaml                        | 2 +-
 charts/ingress-nginx/templates/controller-service.yaml | 4 ++--
 charts/ingress-nginx/values.yaml                       | 8 ++++++++
 4 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md
index 75635d303..e23a0dc27 100644
--- a/charts/ingress-nginx/CHANGELOG.md
+++ b/charts/ingress-nginx/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
 
+### 4.0.11
+
+- [7873] https://github.com/kubernetes/ingress-nginx/pull/7873 Makes the [appProtocol](https://kubernetes.io/docs/concepts/services-networking/_print/#application-protocol) field optional.
+
 ### 4.0.10
 
 - [7964] https://github.com/kubernetes/ingress-nginx/pull/7964 Update controller version to v1.1.0
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 44a584611..cef3ec7da 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.0.10
+version: 4.0.11
 appVersion: 1.1.0
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
diff --git a/charts/ingress-nginx/templates/controller-service.yaml b/charts/ingress-nginx/templates/controller-service.yaml
index 90a0eb994..05fb2041e 100644
--- a/charts/ingress-nginx/templates/controller-service.yaml
+++ b/charts/ingress-nginx/templates/controller-service.yaml
@@ -54,7 +54,7 @@ spec:
       port: {{ .Values.controller.service.ports.http }}
       protocol: TCP
       targetPort: {{ .Values.controller.service.targetPorts.http }}
-    {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
+    {{- if and (semverCompare ">=1.20" .Capabilities.KubeVersion.Version) (.Values.controller.service.appProtocol) }}
       appProtocol: http
     {{- end }}
     {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }}
@@ -66,7 +66,7 @@ spec:
       port: {{ .Values.controller.service.ports.https }}
       protocol: TCP
       targetPort: {{ .Values.controller.service.targetPorts.https }}
-    {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
+    {{- if and (semverCompare ">=1.20" .Capabilities.KubeVersion.Version) (.Values.controller.service.appProtocol) }}
       appProtocol: https
     {{- end }}
     {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 3f7b3e0e8..01ab72dd3 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -432,6 +432,14 @@ controller:
   service:
     enabled: true
 
+    ## If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were
+    ## using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
+    ## It allows choosing the protocol for each backend specified in the Kubernetes service.
+    ## See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244
+    ## Will be ignored for Kubernetes versions older than 1.20
+    ##
+    appProtocol: true
+
     annotations: {}
     labels: {}
     # clusterIP: ""

From b615a6808d57195c73f2fcf8f82cc9f23329eaba Mon Sep 17 00:00:00 2001
From: TJ Saunders <tj@castaglia.org>
Date: Sat, 27 Nov 2021 16:31:21 -0800
Subject: [PATCH 239/376] Fix a couple of misspellings in the annotations
 documentation. (#7983)

---
 docs/user-guide/nginx-configuration/annotations.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
index 2a0078105..721e17c32 100755
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@@ -531,11 +531,11 @@ for that error to decide if you need to bump the cache size. Without cache the c
 request is two memcached commands: `GET`, and `INCR`. With the cache it is only `INCR`.
 1. Log NGINX variable `$global_rate_limit_exceeding`'s value to have some visibility into
 what portion of requests are rejected (value `y`), whether they are rejected using cached decision (value `c`),
-or if they are not rejeced (default value `n`). You can use [log-format-upstream](./configmap.md#log-format-upstream)
+or if they are not rejected (default value `n`). You can use [log-format-upstream](./configmap.md#log-format-upstream)
 to include that in access logs.
 1. In case of an error it will log the error message and **fail open**.
 1. The annotations below creates Global Rate Limiting instance per ingress.
-That means if there are multuple paths configured under the same ingress,
+That means if there are multiple paths configured under the same ingress,
 the Global Rate Limiting will count requests to all the paths under the same counter.
 Extract a path out into its own ingress if you need to isolate a certain path.
 

From e9c297e74dd20601a7bec89b86d36e75d323c5ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reinhard=20N=C3=A4gele?= <unguiculus@gmail.com>
Date: Sun, 28 Nov 2021 22:11:22 +0100
Subject: [PATCH 240/376] Fix names in documentation (#7940)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Fix names in documentation

This fixes the documentation to reflect the name change from
`nginx-ingress` to `ingress-nginx`.

Signed-off-by: Reinhard Nägele <unguiculus@gmail.com>

* Revert accidental changelog update

Signed-off-by: Reinhard Nägele <unguiculus@gmail.com>
---
 docs/deploy/index.md                          |  2 +-
 docs/deploy/rbac.md                           | 30 ++++++-------
 docs/deploy/upgrade.md                        | 14 +++---
 docs/examples/affinity/cookie/README.md       |  2 +-
 .../auth/oauth-external-auth/README.md        |  2 +-
 docs/examples/customization/sysctl/README.md  |  2 +-
 docs/examples/grpc/README.md                  |  6 +--
 docs/examples/multi-tls/README.md             |  2 +-
 docs/examples/static-ip/README.md             | 44 +++++++++----------
 .../static-ip/nginx-ingress-controller.yaml   | 10 ++---
 docs/examples/static-ip/static-ip-svc.yaml    |  4 +-
 docs/examples/tls-termination/README.md       |  8 ++--
 docs/kubectl-plugin.md                        |  8 ++--
 docs/troubleshooting.md                       | 22 +++++-----
 docs/user-guide/cli-arguments.md              |  2 +-
 docs/user-guide/convert_arguments_to_doc.py   |  2 +-
 docs/user-guide/multiple-ingress.md           |  4 +-
 docs/user-guide/tls.md                        |  4 +-
 18 files changed, 84 insertions(+), 84 deletions(-)

diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index e1a337faf..832030ffd 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -288,7 +288,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 
 ### Checking ingress controller version
 
-Run `nginx-ingress-controller --version` within the pod, for instance with `kubectl exec`:
+Run `ingress-nginx-controller --version` within the pod, for instance with `kubectl exec`:
 
 ```console
 POD_NAMESPACE=ingress-nginx
diff --git a/docs/deploy/rbac.md b/docs/deploy/rbac.md
index 08c1a0291..8c36d19a7 100644
--- a/docs/deploy/rbac.md
+++ b/docs/deploy/rbac.md
@@ -2,7 +2,7 @@
 
 ## Overview
 
-This example applies to nginx-ingress-controllers being deployed in an environment with RBAC enabled.
+This example applies to ingress-nginx-controllers being deployed in an environment with RBAC enabled.
 
 Role Based Access Control is comprised of four layers:
 
@@ -11,25 +11,25 @@ Role Based Access Control is comprised of four layers:
 3. `Role` - permissions assigned to a role that apply to a specific namespace
 4. `RoleBinding` - binding a Role to a specific account
 
-In order for RBAC to be applied to an nginx-ingress-controller, that controller
+In order for RBAC to be applied to an ingress-nginx-controller, that controller
 should be assigned to a `ServiceAccount`.  That `ServiceAccount` should be
-bound to the `Role`s and `ClusterRole`s defined for the nginx-ingress-controller.
+bound to the `Role`s and `ClusterRole`s defined for the ingress-nginx-controller.
 
 ## Service Accounts created in this example
 
-One ServiceAccount is created in this example, `nginx-ingress-serviceaccount`.
+One ServiceAccount is created in this example, `ingress-nginx`.
 
 ## Permissions Granted in this example
 
 There are two sets of permissions defined in this example.  Cluster-wide
-permissions defined by the `ClusterRole` named `nginx-ingress-clusterrole`, and
-namespace specific permissions defined by the `Role` named `nginx-ingress-role`.
+permissions defined by the `ClusterRole` named `ingress-nginx`, and
+namespace specific permissions defined by the `Role` named `ingress-nginx`.
 
 ### Cluster Permissions
 
-These permissions are granted in order for the nginx-ingress-controller to be
+These permissions are granted in order for the ingress-nginx-controller to be
 able to function as an ingress across the cluster.  These permissions are
-granted to the ClusterRole named `nginx-ingress-clusterrole`
+granted to the ClusterRole named `ingress-nginx`
 
 * `configmaps`, `endpoints`, `nodes`, `pods`, `secrets`: list, watch
 * `nodes`: get
@@ -39,13 +39,13 @@ granted to the ClusterRole named `nginx-ingress-clusterrole`
 
 ### Namespace Permissions
 
-These permissions are granted specific to the nginx-ingress namespace.  These
-permissions are granted to the Role named `nginx-ingress-role`
+These permissions are granted specific to the ingress-nginx namespace.  These
+permissions are granted to the Role named `ingress-nginx`
 
 * `configmaps`, `pods`, `secrets`: get
 * `endpoints`: get
 
-Furthermore to support leader-election, the nginx-ingress-controller needs to
+Furthermore to support leader-election, the ingress-nginx-controller needs to
 have access to a `configmap` using the resourceName `ingress-controller-leader-nginx`
 
 > Note that resourceNames can NOT be used to limit requests using the “create”
@@ -64,13 +64,13 @@ This resourceName is the concatenation of the `election-id` and the
 * `resourceName` : `<election-id>-<ingress-class>`
 
 Please adapt accordingly if you overwrite either parameter when launching the
-nginx-ingress-controller.
+ingress-nginx-controller.
 
 ### Bindings
 
-The ServiceAccount `nginx-ingress-serviceaccount` is bound to the Role
-`nginx-ingress-role` and the ClusterRole `nginx-ingress-clusterrole`.
+The ServiceAccount `ingress-nginx` is bound to the Role
+`ingress-nginx` and the ClusterRole `ingress-nginx`.
 
 The serviceAccountName associated with the containers in the deployment must
 match the serviceAccount. The namespace references in the Deployment metadata, 
-container arguments, and POD_NAMESPACE should be in the nginx-ingress namespace.
+container arguments, and POD_NAMESPACE should be in the ingress-nginx namespace.
diff --git a/docs/deploy/upgrade.md b/docs/deploy/upgrade.md
index 933829a80..3b29a689b 100644
--- a/docs/deploy/upgrade.md
+++ b/docs/deploy/upgrade.md
@@ -14,7 +14,7 @@ I.e. if your deployment resource looks like (partial example):
 ```yaml
 kind: Deployment
 metadata:
-  name: nginx-ingress-controller
+  name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
   replicas: 1
@@ -23,21 +23,21 @@ spec:
     metadata: ...
     spec:
       containers:
-        - name: nginx-ingress-controller
-          image: k8s.gcr.io/ingress-nginx/controller:v0.34.0@sha256:56633bd00dab33d92ba14c6e709126a762d54a75a6e72437adefeaaca0abb069
+        - name: ingress-nginx-controller
+          image: k8s.gcr.io/ingress-nginx/controller:v1.0.4@sha256:545cff00370f28363dad31e3b59a94ba377854d3a11f18988f5f9e56841ef9ef
           args: ...
 ```
 
-simply change the `0.34.0` tag to the version you wish to upgrade to.
+simply change the `v1.0.4` tag to the version you wish to upgrade to.
 The easiest way to do this is e.g. (do note you may need to change the name parameter according to your installation):
 
 ```
-kubectl set image deployment/nginx-ingress-controller \
-  nginx-ingress-controller=k8s.gcr.io/ingress-nginx/controller:v0.34.1@sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 \
+kubectl set image deployment/ingress-nginx-controller \
+  controller=k8s.gcr.io/ingress-nginx/controller:v1.0.5@sha256:55a1fcda5b7657c372515fe402c3e39ad93aa59f6e4378e82acd99912fe6028d \
   -n ingress-nginx
 ```
 
-For interactive editing, use `kubectl edit deployment nginx-ingress-controller -n ingress-nginx`.
+For interactive editing, use `kubectl edit deployment ingress-nginx-controller -n ingress-nginx`.
 
 ## With Helm
 
diff --git a/docs/examples/affinity/cookie/README.md b/docs/examples/affinity/cookie/README.md
index b567c44c0..a37bef6f1 100644
--- a/docs/examples/affinity/cookie/README.md
+++ b/docs/examples/affinity/cookie/README.md
@@ -49,7 +49,7 @@ Annotations:
 Events:
   FirstSeen	LastSeen	Count	From				SubObjectPath	Type		Reason	Message
   ---------	--------	-----	----				-------------	--------	------	-------
-  7s		7s		1	{nginx-ingress-controller }			Normal		CREATE	default/nginx-test
+  7s		7s		1	{ingress-nginx-controller }			Normal		CREATE	default/nginx-test
 
 
 $ curl -I http://stickyingress.example.com
diff --git a/docs/examples/auth/oauth-external-auth/README.md b/docs/examples/auth/oauth-external-auth/README.md
index c5fcd7264..f6e21f488 100644
--- a/docs/examples/auth/oauth-external-auth/README.md
+++ b/docs/examples/auth/oauth-external-auth/README.md
@@ -6,7 +6,7 @@ The `auth-url` and `auth-signin` annotations allow you to use an external
 authentication provider to protect your Ingress resources.
 
 !!! Important
-    This annotation requires `nginx-ingress-controller v0.9.0` or greater.)
+    This annotation requires `ingress-nginx-controller v0.9.0` or greater.)
 
 ### Key Detail
 
diff --git a/docs/examples/customization/sysctl/README.md b/docs/examples/customization/sysctl/README.md
index 01cb2f192..b285808b5 100644
--- a/docs/examples/customization/sysctl/README.md
+++ b/docs/examples/customization/sysctl/README.md
@@ -3,7 +3,7 @@
 This example aims to demonstrate the use of an Init Container to adjust sysctl default values using `kubectl patch`
 
 ```console
-kubectl patch deployment -n ingress-nginx nginx-ingress-controller \
+kubectl patch deployment -n ingress-nginx ingress-nginx-controller \
     --patch="$(curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/customization/sysctl/patch.json)"
 ```
 
diff --git a/docs/examples/grpc/README.md b/docs/examples/grpc/README.md
index a738450a9..7a9c2aef2 100644
--- a/docs/examples/grpc/README.md
+++ b/docs/examples/grpc/README.md
@@ -6,7 +6,7 @@ This example demonstrates how to route traffic to a gRPC service through the ngi
 
 1. You have a kubernetes cluster running.
 2. You have a domain name such as `example.com` that is configured to route traffic to the ingress controller.
-3. You have the nginx-ingress controller installed as per docs.
+3. You have the ingress-nginx-controller installed as per docs.
 4. You have a backend application running a gRPC server and listening for TCP traffic.  If you want, you can use <https://github.com/grpc/grpc-go/blob/91e0aeb192456225adf27966d04ada4cf8599915/examples/features/reflection/server/main.go> as an example.
 5. You're also responsible for provisioning an SSL certificate for the ingress. So you need to have a valid SSL certificate, deployed as a Kubernetes secret of type tls, in the same namespace as the gRPC application.
 
@@ -151,7 +151,7 @@ This example demonstrates how to route traffic to a gRPC service through the ngi
 ### Debugging Hints
 
 1. Obviously, watch the logs on your app.
-2. Watch the logs for the nginx-ingress-controller (increasing verbosity as
+2. Watch the logs for the ingress-nginx-controller (increasing verbosity as
    needed).
 3. Double-check your address and ports.
 4. Set the `GODEBUG=http2debug=2` environment variable to get detailed http/2
@@ -173,4 +173,4 @@ This example demonstrates how to route traffic to a gRPC service through the ngi
 
 Values for the timeouts must be specified as e.g. `"1200s"`.
 
-> On the most recent versions of nginx-ingress, changing these timeouts requires using the `nginx.ingress.kubernetes.io/server-snippet` annotation. There are plans for future releases to allow using the Kubernetes annotations to define each timeout separately.
+> On the most recent versions of ingress-nginx, changing these timeouts requires using the `nginx.ingress.kubernetes.io/server-snippet` annotation. There are plans for future releases to allow using the Kubernetes annotations to define each timeout separately.
diff --git a/docs/examples/multi-tls/README.md b/docs/examples/multi-tls/README.md
index d1e7295d9..198bc6d38 100644
--- a/docs/examples/multi-tls/README.md
+++ b/docs/examples/multi-tls/README.md
@@ -8,7 +8,7 @@ This example uses 2 different certificates to terminate SSL for 2 hostnames.
 
 This should generate a segment like:
 ```console
-$ kubectl exec -it nginx-ingress-controller-6vwd1 -- cat /etc/nginx/nginx.conf | grep "foo.bar.com" -B 7 -A 35
+$ kubectl exec -it ingress-nginx-controller-6vwd1 -- cat /etc/nginx/nginx.conf | grep "foo.bar.com" -B 7 -A 35
     server {
         listen 80;
         listen 443 ssl http2;
diff --git a/docs/examples/static-ip/README.md b/docs/examples/static-ip/README.md
index 1f9ea5c96..f74be5757 100644
--- a/docs/examples/static-ip/README.md
+++ b/docs/examples/static-ip/README.md
@@ -16,27 +16,27 @@ by default nginx Ingresses will only get static IPs if your cloudprovider
 supports static IP assignments to nodes. On GKE/GCE for example, even though
 nodes get static IPs, the IPs are not retained across upgrade.
 
-To acquire a static IP for the nginx ingress controller, simply put it
+To acquire a static IP for the ingress-nginx-controller, simply put it
 behind a Service of `Type=LoadBalancer`.
 
 First, create a loadbalancer Service and wait for it to acquire an IP
 
 ```console
 $ kubectl create -f static-ip-svc.yaml
-service "nginx-ingress-lb" created
+service "ingress-nginx-lb" created
 
-$ kubectl get svc nginx-ingress-lb
+$ kubectl get svc ingress-nginx-lb
 NAME               CLUSTER-IP     EXTERNAL-IP       PORT(S)                      AGE
-nginx-ingress-lb   10.0.138.113   104.154.109.191   80:31457/TCP,443:32240/TCP   15m
+ingress-nginx-lb   10.0.138.113   104.154.109.191   80:31457/TCP,443:32240/TCP   15m
 ```
 
 then, update the ingress controller so it adopts the static IP of the Service
 by passing the `--publish-service` flag (the example yaml used in the next step
-already has it set to "nginx-ingress-lb").
+already has it set to "ingress-nginx-lb").
 
 ```console
-$ kubectl create -f nginx-ingress-controller.yaml
-deployment "nginx-ingress-controller" created
+$ kubectl create -f ingress-nginx-controller.yaml
+deployment "ingress-nginx-controller" created
 ```
 
 ## Assigning the IP to an Ingress
@@ -45,12 +45,12 @@ From here on every Ingress created with the `ingress.class` annotation set to
 `nginx` will get the IP allocated in the previous step
 
 ```console
-$ kubectl create -f nginx-ingress.yaml
-ingress "nginx-ingress" created
+$ kubectl create -f ingress-nginx.yaml
+ingress "ingress-nginx" created
 
 $ kubectl get ing ingress-nginx
 NAME            HOSTS     ADDRESS           PORTS     AGE
-nginx-ingress   *         104.154.109.191   80, 443   13m
+ingress-nginx   *         104.154.109.191   80, 443   13m
 
 $ curl 104.154.109.191 -kL
 CLIENT VALUES:
@@ -68,15 +68,15 @@ request_uri=http://104.154.109.191:8080/
 You can test retention by deleting the Ingress
 
 ```console
-$ kubectl delete ing nginx-ingress
-ingress "nginx-ingress" deleted
+$ kubectl delete ing ingress-nginx
+ingress "ingress-nginx" deleted
 
-$ kubectl create -f nginx-ingress.yaml
-ingress "nginx-ingress" created
+$ kubectl create -f ingress-nginx.yaml
+ingress "ingress-nginx" created
 
-$ kubectl get ing nginx-ingress
+$ kubectl get ing ingress-nginx
 NAME            HOSTS     ADDRESS           PORTS     AGE
-nginx-ingress   *         104.154.109.191   80, 443   13m
+ingress-nginx   *         104.154.109.191   80, 443   13m
 ```
 
 > Note that unlike the GCE Ingress, the same loadbalancer IP is shared amongst all
@@ -88,25 +88,25 @@ nginx-ingress   *         104.154.109.191   80, 443   13m
 To promote the allocated IP to static, you can update the Service manifest
 
 ```console
-$ kubectl patch svc nginx-ingress-lb -p '{"spec": {"loadBalancerIP": "104.154.109.191"}}'
-"nginx-ingress-lb" patched
+$ kubectl patch svc ingress-nginx-lb -p '{"spec": {"loadBalancerIP": "104.154.109.191"}}'
+"ingress-nginx-lb" patched
 ```
 
 and promote the IP to static (promotion works differently for cloudproviders,
 provided example is for GKE/GCE)
 `
 ```console
-$ gcloud compute addresses create nginx-ingress-lb --addresses 104.154.109.191 --region us-central1
-Created [https://www.googleapis.com/compute/v1/projects/kubernetesdev/regions/us-central1/addresses/nginx-ingress-lb].
+$ gcloud compute addresses create ingress-nginx-lb --addresses 104.154.109.191 --region us-central1
+Created [https://www.googleapis.com/compute/v1/projects/kubernetesdev/regions/us-central1/addresses/ingress-nginx-lb].
 ---
 address: 104.154.109.191
 creationTimestamp: '2017-01-31T16:34:50.089-08:00'
 description: ''
 id: '5208037144487826373'
 kind: compute#address
-name: nginx-ingress-lb
+name: ingress-nginx-lb
 region: us-central1
-selfLink: https://www.googleapis.com/compute/v1/projects/kubernetesdev/regions/us-central1/addresses/nginx-ingress-lb
+selfLink: https://www.googleapis.com/compute/v1/projects/kubernetesdev/regions/us-central1/addresses/ingress-nginx-lb
 status: IN_USE
 users:
 - us-central1/forwardingRules/a09f6913ae80e11e6a8c542010af0000
diff --git a/docs/examples/static-ip/nginx-ingress-controller.yaml b/docs/examples/static-ip/nginx-ingress-controller.yaml
index 30885ec54..61c3a8f7f 100644
--- a/docs/examples/static-ip/nginx-ingress-controller.yaml
+++ b/docs/examples/static-ip/nginx-ingress-controller.yaml
@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: nginx-ingress-controller
+  name: ingress-nginx-controller
   labels:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
@@ -18,14 +18,14 @@ spec:
         app.kubernetes.io/part-of: ingress-nginx
     spec:
       # hostNetwork makes it possible to use ipv6 and to preserve the source IP correctly regardless of docker configuration
-      # however, it is not a hard dependency of the nginx-ingress-controller itself and it may cause issues if port 10254 already is taken on the host
+      # however, it is not a hard dependency of the ingress-nginx-controller itself and it may cause issues if port 10254 already is taken on the host
       # that said, since hostPort is broken on CNI (https://github.com/kubernetes/kubernetes/issues/31307) we have to use hostNetwork where CNI is used
       # like with kubeadm
       # hostNetwork: true
       terminationGracePeriodSeconds: 60
       containers:
-      - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.33.0
-        name: nginx-ingress-controller
+      - image: k8s.gcr.io/ingress-nginx/controller:v1.0.5
+        name: controller
         readinessProbe:
           httpGet:
             path: /healthz
@@ -54,4 +54,4 @@ spec:
                 fieldPath: metadata.namespace
         args:
         - /nginx-ingress-controller
-        - --publish-service=$(POD_NAMESPACE)/nginx-ingress-lb
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-lb
diff --git a/docs/examples/static-ip/static-ip-svc.yaml b/docs/examples/static-ip/static-ip-svc.yaml
index b64cf96cb..ee803951f 100644
--- a/docs/examples/static-ip/static-ip-svc.yaml
+++ b/docs/examples/static-ip/static-ip-svc.yaml
@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: nginx-ingress-lb
+  name: ingress-nginx-lb
   labels:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
@@ -18,6 +18,6 @@ spec:
     name: https
     targetPort: 443
   selector:
-    # Selects nginx-ingress-controller pods
+    # Selects ingress-nginx-controller pods
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
diff --git a/docs/examples/tls-termination/README.md b/docs/examples/tls-termination/README.md
index f4fe2e81d..bd68ddc67 100644
--- a/docs/examples/tls-termination/README.md
+++ b/docs/examples/tls-termination/README.md
@@ -65,10 +65,10 @@ Annotations:
 Events:
   FirstSeen	LastSeen	Count	From				SubObjectPath	Type		Reason	Message
   ---------	--------	-----	----				-------------	--------	------	-------
-  7s		7s		1	{nginx-ingress-controller }			Normal		CREATE	default/nginx-test
-  7s		7s		1	{nginx-ingress-controller }			Normal		UPDATE	default/nginx-test
-  7s		7s		1	{nginx-ingress-controller }			Normal		CREATE	ip: 104.198.183.6
-  7s		7s		1	{nginx-ingress-controller }			Warning		MAPPING	Ingress rule 'default/nginx-test' contains no path definition. Assuming /
+  7s		7s		1	{ingress-nginx-controller }			Normal		CREATE	default/nginx-test
+  7s		7s		1	{ingress-nginx-controller }			Normal		UPDATE	default/nginx-test
+  7s		7s		1	{ingress-nginx-controller }			Normal		CREATE	ip: 104.198.183.6
+  7s		7s		1	{ingress-nginx-controller }			Warning		MAPPING	Ingress rule 'default/nginx-test' contains no path definition. Assuming /
 
 $ curl 104.198.183.6 -L
 curl: (60) SSL certificate problem: self signed certificate
diff --git a/docs/kubectl-plugin.md b/docs/kubectl-plugin.md
index c0dc6b922..7f4205746 100644
--- a/docs/kubectl-plugin.md
+++ b/docs/kubectl-plugin.md
@@ -68,7 +68,7 @@ Use "ingress-nginx [command] --help" for more information about a command.
 ## Common Flags
 
 - Every subcommand supports the basic `kubectl` configuration flags like `--namespace`, `--context`, `--client-key` and so on.
-- Subcommands that act on a particular `ingress-nginx` pod (`backends`, `certs`, `conf`, `exec`, `general`, `logs`, `ssh`), support the `--deployment <deployment>` and `--pod <pod>` flags to select either a pod from a deployment with the given name, or a pod with the given name. The `--deployment` flag defaults to `nginx-ingress-controller`.
+- Subcommands that act on a particular `ingress-nginx` pod (`backends`, `certs`, `conf`, `exec`, `general`, `logs`, `ssh`), support the `--deployment <deployment>` and `--pod <pod>` flags to select either a pod from a deployment with the given name, or a pod with the given name. The `--deployment` flag defaults to `ingress-nginx-controller`.
 - Subcommands that inspect resources (`ingresses`, `lint`) support the `--all-namespaces` flag, which causes them to inspect resources in every namespace.
 
 ## Subcommands
@@ -263,7 +263,7 @@ Checking ingresses...
       https://github.com/kubernetes/ingress-nginx/issues/3174
 
 Checking deployments...
-✗ namespace2/nginx-ingress-controller
+✗ namespace2/ingress-nginx-controller
   - Uses removed config flag --sort-backends
       Lint added for version 0.22.0
       https://github.com/kubernetes/ingress-nginx/issues/3655
@@ -283,7 +283,7 @@ Checking ingresses...
        https://github.com/kubernetes/ingress-nginx/issues/3743
 
 Checking deployments...
-✗ namespace2/nginx-ingress-controller
+✗ namespace2/ingress-nginx-controller
   - Uses removed config flag --enable-dynamic-certificates
       Lint added for version 0.24.0
       https://github.com/kubernetes/ingress-nginx/issues/3808
@@ -318,5 +318,5 @@ I0405 16:53:46.193913       7 event.go:209] Event(v1.ObjectReference{Kind:"Confi
 
 ```console
 $ kubectl ingress-nginx ssh -n ingress-nginx
-www-data@nginx-ingress-controller-7cbf77c976-wx5pn:/etc/nginx$
+www-data@ingress-nginx-controller-7cbf77c976-wx5pn:/etc/nginx$
 ```
diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md
index 6a29638d4..2bcc97dca 100644
--- a/docs/troubleshooting.md
+++ b/docs/troubleshooting.md
@@ -37,8 +37,8 @@ Annotations:
 Events:
   Type    Reason  Age   From                      Message
   ----    ------  ----  ----                      -------
-  Normal  CREATE  1m    nginx-ingress-controller  Ingress default/cafe-ingress
-  Normal  UPDATE  58s   nginx-ingress-controller  Ingress default/cafe-ingress
+  Normal  CREATE  1m    ingress-nginx-controller  Ingress default/cafe-ingress
+  Normal  UPDATE  58s   ingress-nginx-controller  Ingress default/cafe-ingress
 ```
 
 Check the Ingress Controller Logs
@@ -46,9 +46,9 @@ Check the Ingress Controller Logs
 ```console
 $ kubectl get pods -n <namespace-of-ingress-controller>
 NAME                                        READY     STATUS    RESTARTS   AGE
-nginx-ingress-controller-67956bf89d-fv58j   1/1       Running   0          1m
+ingress-nginx-controller-67956bf89d-fv58j   1/1       Running   0          1m
 
-$ kubectl logs -n <namespace> nginx-ingress-controller-67956bf89d-fv58j
+$ kubectl logs -n <namespace> ingress-nginx-controller-67956bf89d-fv58j
 -------------------------------------------------------------------------------
 NGINX Ingress controller
   Release:    0.14.0
@@ -63,9 +63,9 @@ Check the Nginx Configuration
 ```console
 $ kubectl get pods -n <namespace-of-ingress-controller>
 NAME                                        READY     STATUS    RESTARTS   AGE
-nginx-ingress-controller-67956bf89d-fv58j   1/1       Running   0          1m
+ingress-nginx-controller-67956bf89d-fv58j   1/1       Running   0          1m
 
-$ kubectl exec -it -n <namespace-of-ingress-controller> nginx-ingress-controller-67956bf89d-fv58j -- cat /etc/nginx/nginx.conf
+$ kubectl exec -it -n <namespace-of-ingress-controller> ingress-nginx-controller-67956bf89d-fv58j -- cat /etc/nginx/nginx.conf
 daemon off;
 worker_processes 2;
 pid /run/nginx.pid;
@@ -102,9 +102,9 @@ the deployment.
 $ kubectl get deploy -n <namespace-of-ingress-controller>
 NAME                       DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
 default-http-backend       1         1         1            1           35m
-nginx-ingress-controller   1         1         1            1           35m
+ingress-nginx-controller   1         1         1            1           35m
 
-$ kubectl edit deploy -n <namespace-of-ingress-controller> nginx-ingress-controller
+$ kubectl edit deploy -n <namespace-of-ingress-controller> ingress-nginx-controller
 # Add --v=X to "- args", where X is an integer
 ```
 
@@ -254,9 +254,9 @@ $ ssh user@workerIP
 2. Obtain the Docker Container Running nginx
 
 ```console
-$ docker ps | grep nginx-ingress-controller
+$ docker ps | grep ingress-nginx-controller
 CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
-d9e1d243156a        quay.io/kubernetes-ingress-controller/nginx-ingress-controller   "/usr/bin/dumb-init …"   19 minutes ago      Up 19 minutes                                                                            k8s_nginx-ingress-controller_nginx-ingress-controller-67956bf89d-mqxzt_kube-system_079f31ec-aa37-11e8-ad39-080027a227db_0
+d9e1d243156a        k8s.gcr.io/ingress-nginx/controller   "/usr/bin/dumb-init …"   19 minutes ago      Up 19 minutes                                                                            k8s_ingress-nginx-controller_ingress-nginx-controller-67956bf89d-mqxzt_kube-system_079f31ec-aa37-11e8-ad39-080027a227db_0
 ```
 
 3. Exec into the container
@@ -277,7 +277,7 @@ $ nginx -V 2>&1 | grep -- '--with-debug'
 $ ps -ef
 UID        PID  PPID  C STIME TTY          TIME CMD
 root         1     0  0 20:23 ?        00:00:00 /usr/bin/dumb-init /nginx-ingres
-root         5     1  0 20:23 ?        00:00:05 /nginx-ingress-controller --defa
+root         5     1  0 20:23 ?        00:00:05 /ingress-nginx-controller --defa
 root        21     5  0 20:23 ?        00:00:00 nginx: master process /usr/sbin/
 nobody     106    21  0 20:23 ?        00:00:00 nginx: worker process
 nobody     107    21  0 20:23 ?        00:00:00 nginx: worker process
diff --git a/docs/user-guide/cli-arguments.md b/docs/user-guide/cli-arguments.md
index dc31830ef..b3bac7d96 100644
--- a/docs/user-guide/cli-arguments.md
+++ b/docs/user-guide/cli-arguments.md
@@ -2,7 +2,7 @@
 
 The following command line arguments are accepted by the Ingress controller executable.
 
-They are set in the container spec of the `nginx-ingress-controller` Deployment manifest
+They are set in the container spec of the `ingress-nginx-controller` Deployment manifest
 
 | Argument | Description |
 |----------|-------------|
diff --git a/docs/user-guide/convert_arguments_to_doc.py b/docs/user-guide/convert_arguments_to_doc.py
index e23e5693a..acd5ffc7b 100755
--- a/docs/user-guide/convert_arguments_to_doc.py
+++ b/docs/user-guide/convert_arguments_to_doc.py
@@ -15,7 +15,7 @@
 # limitations under the License.
 
 """
-Convert the output of `nginx-ingress-controller --help` to
+Convert the output of `ingress-nginx-controller --help` to
 a Markdown table.
 """
 
diff --git a/docs/user-guide/multiple-ingress.md b/docs/user-guide/multiple-ingress.md
index 531b99ae2..b0125c3b2 100644
--- a/docs/user-guide/multiple-ingress.md
+++ b/docs/user-guide/multiple-ingress.md
@@ -16,7 +16,7 @@ spec:
   template:
      spec:
        containers:
-         - name: nginx-ingress-internal-controller
+         - name: ingress-nginx-internal-controller
            args:
              - /nginx-ingress-controller
              - '--controller-class=k8s.io/internal-ingress-nginx'
@@ -98,7 +98,7 @@ spec:
   template:
      spec:
        containers:
-         - name: nginx-ingress-internal-controller
+         - name: ingress-nginx-internal-controller
            args:
              - /nginx-ingress-controller
              - --ingress-class=internal-nginx
diff --git a/docs/user-guide/tls.md b/docs/user-guide/tls.md
index 38f533de6..158d23fde 100644
--- a/docs/user-guide/tls.md
+++ b/docs/user-guide/tls.md
@@ -123,7 +123,7 @@ spec:
 
 To provide the most secure baseline configuration possible,
 
-nginx-ingress defaults to using TLS 1.2 and 1.3 only, with a [secure set of TLS ciphers][ssl-ciphers].
+ingress-nginx defaults to using TLS 1.2 and 1.3 only, with a [secure set of TLS ciphers][ssl-ciphers].
 
 ### Legacy TLS
 
@@ -131,7 +131,7 @@ The default configuration, though secure, does not support some older browsers a
 
 For instance, TLS 1.1+ is only enabled by default from Android 5.0 on. At the time of writing,
 May 2018, [approximately 15% of Android devices](https://developer.android.com/about/dashboards/#Platform)
-are not compatible with nginx-ingress's default configuration.
+are not compatible with ingress-nginx's default configuration.
 
 To change this default behavior, use a [ConfigMap][ConfigMap].
 

From 042e426b01863716bcb2191c2806c48cebf2c181 Mon Sep 17 00:00:00 2001
From: Kamil Hristov <kamilhristov@gmail.com>
Date: Mon, 29 Nov 2021 04:33:22 +0200
Subject: [PATCH 241/376] Improve admission e2e-tests (#7953)

Check if the message equals an expected value for checks without errors.
---
 test/e2e/admission/admission.go | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/test/e2e/admission/admission.go b/test/e2e/admission/admission.go
index 030c3854a..2099e54d4 100644
--- a/test/e2e/admission/admission.go
+++ b/test/e2e/admission/admission.go
@@ -150,7 +150,8 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
 	})
 
 	ginkgo.It("should not return an error if the Ingress V1 definition is valid with Ingress Class", func() {
-		err := createIngress(f.Namespace, validV1Ingress)
+		out, err := createIngress(f.Namespace, validV1Ingress)
+		assert.Equal(ginkgo.GinkgoT(), "ingress.networking.k8s.io/extensions created\n", out)
 		assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress using kubectl")
 
 		f.WaitForNginxConfiguration(func(cfg string) bool {
@@ -165,7 +166,8 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
 	})
 
 	ginkgo.It("should not return an error if the Ingress V1 definition is valid with IngressClass annotation", func() {
-		err := createIngress(f.Namespace, validV1IngressAnnotation)
+		out, err := createIngress(f.Namespace, validV1IngressAnnotation)
+		assert.Equal(ginkgo.GinkgoT(), "ingress.networking.k8s.io/extensions-class created\n", out)
 		assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress using kubectl")
 
 		f.WaitForNginxConfiguration(func(cfg string) bool {
@@ -180,7 +182,8 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
 	})
 
 	ginkgo.It("should return an error if the Ingress V1 definition contains invalid annotations", func() {
-		err := createIngress(f.Namespace, invalidV1Ingress)
+		out, err := createIngress(f.Namespace, invalidV1Ingress)
+		assert.Empty(ginkgo.GinkgoT(), out)
 		assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress using kubectl")
 
 		_, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), "extensions-invalid", metav1.GetOptions{})
@@ -270,20 +273,22 @@ spec:
 `
 )
 
-func createIngress(namespace, ingressDefinition string) error {
+func createIngress(namespace, ingressDefinition string) (string, error) {
 	var (
+		execOut bytes.Buffer
 		execErr bytes.Buffer
 	)
 
 	cmd := exec.Command("/bin/bash", "-c", fmt.Sprintf("%v --warnings-as-errors=false apply --namespace %s -f -", framework.KubectlPath, namespace))
 	cmd.Stdin = strings.NewReader(ingressDefinition)
+	cmd.Stdout = &execOut
 	cmd.Stderr = &execErr
 
 	err := cmd.Run()
 	if err != nil {
 		stderr := strings.TrimSpace(execErr.String())
-		return fmt.Errorf("Kubectl error: %v\n%v", err, stderr)
+		return "", fmt.Errorf("kubectl error: %v\n%v", err, stderr)
 	}
 
-	return nil
+	return execOut.String(), nil
 }

From 27037a1919e515dea4652fc7ae80625861c6eb3f Mon Sep 17 00:00:00 2001
From: Masa <mi81ma@gmail.com>
Date: Mon, 29 Nov 2021 10:39:22 +0800
Subject: [PATCH 242/376] Fix command in index.md (#7935)

* Fix command in index.md

* Fix command in index.md

* Update index.md
---
 docs/deploy/index.md | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index 832030ffd..7f55547f3 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -113,9 +113,16 @@ Set up a DNS record pointing to that IP address or FQDN; then create an ingress
 
 ```console
 kubectl create ingress demo --class=nginx \
-  --rule=www.demo.io/*=demo:80
+  --rule="www.demo.io/*=demo:80"
 ```
 
+Alternatively, the above command can be rewritten as follows for the ```--rule``` command and below.
+```console
+kubectl create ingress demo --class=nginx \
+  --rule www.demo.io/=demo:80
+```
+
+
 You should then be able to see the "It works!" page when you connect to http://www.demo.io/. Congratulations, you are serving a public web site hosted on a Kubernetes cluster! 🎉
 
 ## Environment-specific instructions

From ea1099abc958781668e5de9fe928d952b52c6c79 Mon Sep 17 00:00:00 2001
From: Alex Co <tuanclq@gmail.com>
Date: Mon, 29 Nov 2021 18:33:22 +0700
Subject: [PATCH 243/376] allow set annotations for admission Jobs (#7979)

* allow set annotations for admission Jobs

Signed-off-by: Alex Co <tuanclq@gmail.com>

* Bump chart version & update CHANGELOG

Signed-off-by: Alex Co <tuanclq@gmail.com>

* Bump chart version again

Signed-off-by: Alex Co <tuanclq@gmail.com>

* Add example

Signed-off-by: Alex Co <tuanclq@gmail.com>
---
 charts/ingress-nginx/CHANGELOG.md                            | 4 ++++
 charts/ingress-nginx/Chart.yaml                              | 2 +-
 .../admission-webhooks/job-patch/job-createSecret.yaml       | 3 +++
 .../admission-webhooks/job-patch/job-patchWebhook.yaml       | 3 +++
 charts/ingress-nginx/values.yaml                             | 5 +++++
 5 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md
index e23a0dc27..c773b3504 100644
--- a/charts/ingress-nginx/CHANGELOG.md
+++ b/charts/ingress-nginx/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
 
+### 4.0.12
+
+- [7978] https://github.com/kubernetes/ingress-nginx/pull/7979 Support custom annotations in admissions Jobs
+
 ### 4.0.11
 
 - [7873] https://github.com/kubernetes/ingress-nginx/pull/7873 Makes the [appProtocol](https://kubernetes.io/docs/concepts/services-networking/_print/#application-protocol) field optional.
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index cef3ec7da..1c62844e0 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.0.11
+version: 4.0.12
 appVersion: 1.1.0
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
index 147b6ea8e..46afc214c 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -7,6 +7,9 @@ metadata:
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    {{- with .Values.controller.admissionWebhooks.annotations }}
+    {{- toYaml . | indent 4 }}
+    {{- end }}
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: admission-webhook
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
index 5e5cb28d1..1e9438825 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -7,6 +7,9 @@ metadata:
   annotations:
     "helm.sh/hook": post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    {{- with .Values.controller.admissionWebhooks.annotations }}
+    {{- toYaml . | indent 4 }}
+    {{- end }}
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: admission-webhook
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 01ab72dd3..cf84ea807 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -563,6 +563,11 @@ controller:
 
   admissionWebhooks:
     annotations: {}
+    # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem".
+
+    ## Additional annotations to the admission webhooks.
+    ## These annotations will be added to the ValidatingWebhookConfiguration and
+    ## the Jobs Spec of the admission webhooks.
     enabled: true
     failurePolicy: Fail
     # timeoutSeconds: 10

From a03895d91e601ca2fbd02d960d0bbbeaa1a8b4a8 Mon Sep 17 00:00:00 2001
From: Ansil H <ansil.hameedkunju@suse.com>
Date: Mon, 29 Nov 2021 22:03:23 +0530
Subject: [PATCH 244/376] Add ssl_reject_handshake to defaul server (#7977)

* Add ssl_reject_handshake to defaul server

* Added SSLRejectHandshake to NewDefault

* Added documentation
---
 docs/user-guide/nginx-configuration/configmap.md | 9 +++++++++
 internal/ingress/controller/config/config.go     | 6 ++++++
 rootfs/etc/nginx/template/nginx.tmpl             | 4 ++++
 3 files changed, 19 insertions(+)

diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index f120f41f6..f048d4bcd 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -208,6 +208,7 @@ The following table shows a configuration option's name, type, and the default v
 |[global-rate-limit-memcached-pool-size](#global-rate-limit)|int|50|
 |[global-rate-limit-status-code](#global-rate-limit)|int|429|
 |[service-upstream](#service-upstream)|bool|"false"|
+|[ssl-reject-handshake](#ssl-reject-handshake)|bool|"false"|
 
 ## add-headers
 
@@ -1263,3 +1264,11 @@ that ingress-nginx includes. Refer to the link to learn more about `lua-resty-gl
 
 Set if the service's Cluster IP and port should be used instead of a list of all endpoints. This can be overwritten by an annotation on an Ingress rule.
 _**default:**_ "false"
+
+## ssl-reject-handshake
+
+Set to reject SSL handshake to an unknown virtualhost. This paramter helps to mitigate the fingerprinting using default certificate of ingress.
+_**default:**_ "false"
+
+_References:_
+[https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake)
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
index cbe0675a2..d17135f1c 100644
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@@ -388,6 +388,11 @@ type Configuration struct {
 	// https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/
 	SSLBufferSize string `json:"ssl-buffer-size,omitempty"`
 
+	// https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake
+	// If enabled, SSL handshakes to an invalid virtualhost will be rejected
+	// Default: false
+	SSLRejectHandshake bool `json:"ssl-reject-handshake"`
+
 	// Enables or disables the use of the PROXY protocol to receive client connection
 	// (real IP address) information passed through proxy servers and load balancers
 	// such as HAproxy and Amazon Elastic Load Balancer (ELB).
@@ -838,6 +843,7 @@ func NewDefault() Configuration {
 		SSLECDHCurve:                     "auto",
 		SSLProtocols:                     sslProtocols,
 		SSLEarlyData:                     sslEarlyData,
+		SSLRejectHandshake:               false,
 		SSLSessionCache:                  true,
 		SSLSessionCacheSize:              sslSessionCacheSize,
 		SSLSessionTickets:                false,
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index d579165b7..c6e978ffe 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -906,6 +906,10 @@ stream {
 
         set $proxy_upstream_name "-";
 
+        {{ if eq $server.Hostname "_" }}
+        ssl_reject_handshake {{ if $all.Cfg.SSLRejectHandshake }}on{{ else }}off{{ end }};
+        {{ end }}
+
         ssl_certificate_by_lua_block {
             certificate.call()
         }

From e621c6e973ffd12ea0e1fbfdac47c0dd217f10de Mon Sep 17 00:00:00 2001
From: Jintao Zhang <zhangjintao9020@gmail.com>
Date: Wed, 1 Dec 2021 09:35:18 +0800
Subject: [PATCH 245/376] fix: go-grpc Dockerfile (#8001)

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
---
 images/go-grpc-greeter-server/rootfs/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/images/go-grpc-greeter-server/rootfs/Dockerfile b/images/go-grpc-greeter-server/rootfs/Dockerfile
index a528c6cb6..8db118349 100644
--- a/images/go-grpc-greeter-server/rootfs/Dockerfile
+++ b/images/go-grpc-greeter-server/rootfs/Dockerfile
@@ -2,7 +2,7 @@ FROM golang:buster as build
 
 WORKDIR /go/src/greeter-server
 
-RUN curl -o main.go https://github.com/grpc/grpc-go/blob/91e0aeb192456225adf27966d04ada4cf8599915/examples/features/reflection/server/main.go && \
+RUN curl -o main.go https://raw.githubusercontent.com/grpc/grpc-go/91e0aeb192456225adf27966d04ada4cf8599915/examples/features/reflection/server/main.go && \
   go mod init greeter-server && \
   go mod tidy && \
   go build -o /greeter-server main.go

From bc4c86a791dd66a4e1a84d144ffe689bc963486c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Petazzoni?= <jerome.petazzoni@gmail.com>
Date: Sat, 4 Dec 2021 05:28:31 +0100
Subject: [PATCH 246/376] Minor improvements (formatting, consistency) in
 install guide (#8003)

Small changes, mostly:
- formatting (especially in lists, since mkdocs doesn't seem
  to support nested lists)
- use the same level of warning when it makes sense
  (intead of "danger", "failure", etc)
- improve wording in a few places
- re-order a few operations
- move a few sentences that were out of place
---
 docs/deploy/index.md | 112 +++++++++++++++++++++----------------------
 1 file changed, 56 insertions(+), 56 deletions(-)

diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index 7f55547f3..b9ce87e5d 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -1,6 +1,7 @@
 # Installation Guide
 
 There are multiple ways to install the NGINX ingress controller:
+
 - with [Helm](https://helm.sh), using the project repository chart;
 - with `kubectl apply`, using YAML manifests;
 - with specific addons (e.g. for [minikube](#minikube) or [MicroK8s](#microk8s)).
@@ -12,23 +13,24 @@ On most Kubernetes clusters, the ingress controller will work without requiring
 <!-- Quick tip: run `grep '^##' index.md` to check that the table of contents is up to date. -->
 
 - [Quick start](#quick-start)
+
 - [Environment-specific instructions](#environment-specific-instructions)
-  - [Docker Desktop](#docker-desktop)
-  - [minikube](#minikube)
-  - [MicroK8s](#microk8s)
-  - [AWS](#aws)
-  - [GCE - GKE](#gce-gke)
-  - [Azure](#azure)
-  - [Digital Ocean](#digital-ocean)
-  - [Scaleway](#scaleway)
-  - [Exoscale](#exoscale)
-  - [Oracle Cloud Infrastructure](#oracle-cloud-infrastructure)
-  - [Bare-metal](#bare-metal-clusters)
+  - ... [Docker Desktop](#docker-desktop)
+  - ... [minikube](#minikube)
+  - ... [MicroK8s](#microk8s)
+  - ... [AWS](#aws)
+  - ... [GCE - GKE](#gce-gke)
+  - ... [Azure](#azure)
+  - ... [Digital Ocean](#digital-ocean)
+  - ... [Scaleway](#scaleway)
+  - ... [Exoscale](#exoscale)
+  - ... [Oracle Cloud Infrastructure](#oracle-cloud-infrastructure)
+  - ... [Bare-metal](#bare-metal-clusters)
 - [Miscellaneous](#miscellaneous)
 
 ## Quick start
 
-You can deploy the ingress controller with the following command:
+**If you have Helm,** you can deploy the ingress controller with the following command:
 
 ```console
 helm upgrade --install ingress-nginx ingress-nginx \
@@ -40,13 +42,11 @@ It will install the controller in the `ingress-nginx` namespace, creating that n
 
 !!! info
     This command is *idempotent*:
+
     - if the ingress controller is not installed, it will install it,
     - if the ingress controller is already installed, it will upgrade it.
 
-This requires Helm version 3. If you prefer to use a YAML manifest, you can run the following command instead:
-
-!!! attention
-    Before running the command at your terminal, make sure Kubernetes is enabled at Docker settings
+**If you don't have Helm** or if you prefer to use a YAML manifest, you can run the following command instead:
 
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/cloud/deploy.yaml
@@ -109,7 +109,9 @@ You can see that IP address or FQDN with the following command:
 kubectl get service ingress-nginx-controller --namespace=ingress-nginx
 ```
 
-Set up a DNS record pointing to that IP address or FQDN; then create an ingress resource. The following example assumes that you have set up a DNS record for `www.demo.io`:
+It will be the `EXTERNAL-IP` field. If that field shows `<pending>`, this means that your Kubernetes cluster wasn't able to provision the load balancer (generally, this is because it doesn't support services of type `LoadBalancer`).
+
+Once you have the external IP address (or FQDN), set up a DNS record pointing to it. Then you can create an ingress resource. The following example assumes that you have set up a DNS record for `www.demo.io`:
 
 ```console
 kubectl create ingress demo --class=nginx \
@@ -154,6 +156,8 @@ Kubernetes is available in Docker Desktop:
 - Mac, from [version 18.06.0-ce](https://docs.docker.com/docker-for-mac/release-notes/#stable-releases-of-2018)
 - Windows, from [version 18.06.0-ce](https://docs.docker.com/docker-for-windows/release-notes/#docker-community-edition-18060-ce-win70-2018-07-25)
 
+First, make sure that Kubernetes is enabled in the Docker settings. The command `kubectl get nodes` should show a single node called `docker-destkop`.
+
 The ingress controller can be installed on Docker Desktop using the default [quick start](#quick-start) instructions.
 
 On most systems, if you don't have any other service of type `LoadBalancer` bound to port 80, the ingress controller will be assigned the `EXTERNAL-IP` of `localhost`, which means that it will be reachable on localhost:80. If that doesn't work, you might have to fall back to the `kubectl port-forward` method described in the [local testing section](#local-testing).
@@ -182,31 +186,27 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 
 ##### TLS termination in AWS Load Balancer (NLB)
 
-In some scenarios is required to terminate TLS in the Load Balancer and not in the ingress controller.
+By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS with using an NLB.
 
-For this purpose we provide a template:
+1. Download the the [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/aws/deploy-tls-termination.yaml) template:
+   ```console
+   wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/aws/deploy-tls-termination.yaml
+   ```
 
-- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/aws/deploy-tls-termination.yaml)
+2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster:
+   ```
+   proxy-real-ip-cidr: XXX.XXX.XXX/XX
+   ```
 
-```console
-wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/aws/deploy-tls-termination.yaml
-```
+3. Change the AWS Certificate Manager (ACM) ID as well:
+   ```
+   arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX
+   ```
 
-- Edit the file and change:
-
-  - VPC CIDR in use for the Kubernetes cluster:
-
-  `proxy-real-ip-cidr: XXX.XXX.XXX/XX`
-
-  - AWS Certificate Manager (ACM) ID
-
-  `arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX`
-
-- Deploy the manifest:
-
-```console
-kubectl apply -f deploy-tls-termination.yaml
-```
+4. Deploy the manifest:
+   ```console
+   kubectl apply -f deploy-tls-termination.yaml
+   ```
 
 ##### NLB Idle Timeouts
 
@@ -220,26 +220,28 @@ More information with regards to timeouts can be found in the [official AWS docu
 
 #### GCE-GKE
 
-!!! info
-    Initialize your user as a cluster-admin with the following command:
-    ```console
-    kubectl create clusterrolebinding cluster-admin-binding \
-      --clusterrole cluster-admin \
-      --user $(gcloud config get-value account)
-    ```
+First, your user needs to have `cluster-admin` permissions on the cluster. This can be done with the following command:
 
-!!! danger
-    For private clusters, you will need to either add an additional firewall rule that allows master nodes access to port `8443/tcp` on worker nodes, or change the existing rule that allows access to ports `80/tcp`, `443/tcp` and `10254/tcp` to also allow access to port `8443/tcp`.
+```console
+kubectl create clusterrolebinding cluster-admin-binding \
+  --clusterrole cluster-admin \
+  --user $(gcloud config get-value account)
+```
 
-    See the [GKE documentation](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules) on adding rules and the [Kubernetes issue](https://github.com/kubernetes/kubernetes/issues/79739) for more detail.
+Then, the ingress controller can be installed like this:
 
 
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/cloud/deploy.yaml
 ```
 
-!!! failure Important
-    Proxy protocol is not supported in GCE/GKE
+!!! warning
+    For private clusters, you will need to either add an additional firewall rule that allows master nodes access to port `8443/tcp` on worker nodes, or change the existing rule that allows access to ports `80/tcp`, `443/tcp` and `10254/tcp` to also allow access to port `8443/tcp`.
+
+    See the [GKE documentation](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules) on adding rules and the [Kubernetes issue](https://github.com/kubernetes/kubernetes/issues/79739) for more detail.
+
+!!! warning
+    Proxy protocol is not supported in GCE/GKE.
 
 #### Azure
 
@@ -279,17 +281,15 @@ A [complete list of available annotations for Oracle Cloud Infrastructure](https
 
 ### Bare metal clusters
 
-Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport):
+This section is applicable to Kubernetes clusters deployed on bare metal servers, as well as "raw" VMs where Kubernetes was installed manually, using generic Linux distros (like CentOS, Ubuntu...)
+
+For quick testing, you can use a [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport). This should work on almost every cluster, but it will typically use a port in the range 30000-32767.
 
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/baremetal/deploy.yaml
 ```
 
-!!! tip
-    Applicable on kubernetes clusters deployed on bare-metal with generic Linux distro(Such as CentOs, Ubuntu ...).
-
-!!! info
-    For extended notes regarding deployments on bare-metal, see [Bare-metal considerations](./baremetal.md).
+For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), see [bare-metal considerations](./baremetal.md).
 
 ## Miscellaneous
 

From 2b499d9c860d7965ad495d4d332477155659432d Mon Sep 17 00:00:00 2001
From: Jedidiah Park <6612147+kjpark@users.noreply.github.com>
Date: Mon, 6 Dec 2021 08:46:33 -0500
Subject: [PATCH 247/376] Fix spelling in documentation and top-level files
 (#8009)

* fix typos in docs

* fix typos in top-level files
---
 CONTRIBUTING.md                                    | 2 +-
 RELEASE.md                                         | 4 ++--
 docs/developer-guide/code-overview.md              | 2 +-
 docs/developer-guide/getting-started.md            | 2 +-
 docs/user-guide/monitoring.md                      | 2 +-
 docs/user-guide/nginx-configuration/annotations.md | 2 +-
 docs/user-guide/nginx-configuration/configmap.md   | 2 +-
 7 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 170396aaa..e73f49fcd 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -36,7 +36,7 @@ All changes must be code reviewed. Coding conventions and standards are explaine
 
 Ingress Nginx collaborators may add "/lgtm" (Looks Good To Me) to indicate that a PR is acceptable. Any change requires at least one LGTM.  No pull requests can be merged until at least one Ingress Nginx collaborator signs off with an LGTM. Adding the "/lgtm" comment result in the prow bot adding the `lgtm` label. Note that a pull request still needs an `approve` label from one of the owners. 
 
-Reviewers or members who want to become reviewers according to the [k8s membership ladder](https://github.com/kubernetes/community/blob/master/community-membership.md), coud actively search for [pull requests that need a review](https://github.com/kubernetes/ingress-nginx/pulls?q=is%3Aopen+is%3Apr+label%3Atriage%2Faccepted). 
+Reviewers or members who want to become reviewers according to the [k8s membership ladder](https://github.com/kubernetes/community/blob/master/community-membership.md), could actively search for [pull requests that need a review](https://github.com/kubernetes/ingress-nginx/pulls?q=is%3Aopen+is%3Apr+label%3Atriage%2Faccepted). 
 
 ## Support Channels
 
diff --git a/RELEASE.md b/RELEASE.md
index cf3dfc1c7..32c64d0dd 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -22,7 +22,7 @@
 
 ### d. Merge
 
-- Merging will fire cloudbuild, which will result in images beeing promoted to the [staging container registry](https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx).
+- Merging will fire cloudbuild, which will result in images being promoted to the [staging container registry](https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx).
 
 ### e. Make sure cloudbuild is a success
 
@@ -68,7 +68,7 @@
 
 ### d. Merge
 
-- Merging will fire cloudbuild, which will result in images beeing promoted to the [staging container registry](https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx).
+- Merging will fire cloudbuild, which will result in images being promoted to the [staging container registry](https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx).
 
 ### e. Make sure cloudbuild is a success
 
diff --git a/docs/developer-guide/code-overview.md b/docs/developer-guide/code-overview.md
index b5d22e068..6f4beb9c9 100644
--- a/docs/developer-guide/code-overview.md
+++ b/docs/developer-guide/code-overview.md
@@ -103,7 +103,7 @@ Describe here `kubectl plugin`, `dbg`, `waitshutdown` and cover the hack scripts
 
 ## Deploy files
 
-This directory contains the `yaml` deploy files used as examples or references in the docs to deploy Ingress NGINX and other componentes.
+This directory contains the `yaml` deploy files used as examples or references in the docs to deploy Ingress NGINX and other components.
 
 Those files are in [deploy](https://github.com/kubernetes/ingress-nginx/tree/main/deploy) directory.
 
diff --git a/docs/developer-guide/getting-started.md b/docs/developer-guide/getting-started.md
index d63f6e6e8..8d500f147 100644
--- a/docs/developer-guide/getting-started.md
+++ b/docs/developer-guide/getting-started.md
@@ -29,7 +29,7 @@ Start a local Kubernetes cluster using [kind](https://kind.sigs.k8s.io/), build
 ```console
 make dev-env
 ```
-- If you are working on the v1.x.x version of this controler, and you want to create a cluster with kubernetes version 1.22, then please visit the [documentation for kind](https://kind.sigs.k8s.io/docs/user/configuration/#a-note-on-cli-parameters-and-configuration-files), and look for how to set a custom image for the kind node (image: kindest/node...), in the kind config file.
+- If you are working on the v1.x.x version of this controller, and you want to create a cluster with kubernetes version 1.22, then please visit the [documentation for kind](https://kind.sigs.k8s.io/docs/user/configuration/#a-note-on-cli-parameters-and-configuration-files), and look for how to set a custom image for the kind node (image: kindest/node...), in the kind config file.
 
 ### Testing
 
diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md
index 1c454827e..05d6a3f87 100644
--- a/docs/user-guide/monitoring.md
+++ b/docs/user-guide/monitoring.md
@@ -166,5 +166,5 @@ According to the above example, this URL will be http://10.192.0.3:31086
     - This will open the currently deployed service grafana in the default editor configured in your shell (vi/nvim/nano/other)
     - scroll down to line 34 that looks like "type: NodePort"
     - change it to look like "type: ClusterIP". Save and exit.
-    - create a ingress reource with backend as "grafana" and port as "3000"
+    - create a ingress resource with backend as "grafana" and port as "3000"
   - Similarly, you can edit the service "prometheus-server" and add a ingress resource.
diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
index 721e17c32..481356936 100755
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@@ -775,7 +775,7 @@ nginx.ingress.kubernetes.io/enable-opentracing: "true"
 ### Opentracing Trust Incoming Span
 
 The option to trust incoming trace spans can be enabled or disabled globally through the ConfigMap but this will
-sometimes need to be overriden to enable it or disable it for a specific ingress (e.g. only enable on a private endpoint)
+sometimes need to be overridden to enable it or disable it for a specific ingress (e.g. only enable on a private endpoint)
 
 ```yaml
 nginx.ingress.kubernetes.io/opentracing-trust-incoming-span: "true"
diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index f048d4bcd..b217eee49 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -1267,7 +1267,7 @@ _**default:**_ "false"
 
 ## ssl-reject-handshake
 
-Set to reject SSL handshake to an unknown virtualhost. This paramter helps to mitigate the fingerprinting using default certificate of ingress.
+Set to reject SSL handshake to an unknown virtualhost. This parameter helps to mitigate the fingerprinting using default certificate of ingress.
 _**default:**_ "false"
 
 _References:_

From f7a5704be85bbd133c2d1b1a88f740ce743946e7 Mon Sep 17 00:00:00 2001
From: Daniel Sim <daniel.sim@wework.com>
Date: Mon, 6 Dec 2021 08:50:32 -0500
Subject: [PATCH 248/376] Add relabelings in controller-servicemonitor.yaml
 (#8008)

* Add relabelings above metricRelabelings in controller-servicemonitor.yaml

* Bump chart version to 4.0.13, Add to CHANGELOG

* Rename PR/CHANGELOG
---
 charts/ingress-nginx/CHANGELOG.md                             | 4 ++++
 charts/ingress-nginx/Chart.yaml                               | 2 +-
 charts/ingress-nginx/templates/controller-servicemonitor.yaml | 3 +++
 charts/ingress-nginx/values.yaml                              | 1 +
 4 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md
index c773b3504..e895efc36 100644
--- a/charts/ingress-nginx/CHANGELOG.md
+++ b/charts/ingress-nginx/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
 
+### 4.0.13
+
+- [8008] https://github.com/kubernetes/ingress-nginx/pull/8008 Add relabelings in controller-servicemonitor.yaml
+
 ### 4.0.12
 
 - [7978] https://github.com/kubernetes/ingress-nginx/pull/7979 Support custom annotations in admissions Jobs
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 1c62844e0..729a011ec 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.0.12
+version: 4.0.13
 appVersion: 1.1.0
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
diff --git a/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/charts/ingress-nginx/templates/controller-servicemonitor.yaml
index cf383f0f8..3e602d44d 100644
--- a/charts/ingress-nginx/templates/controller-servicemonitor.yaml
+++ b/charts/ingress-nginx/templates/controller-servicemonitor.yaml
@@ -19,6 +19,9 @@ spec:
     {{- if .Values.controller.metrics.serviceMonitor.honorLabels }}
       honorLabels: true
     {{- end }}
+    {{- if .Values.controller.metrics.serviceMonitor.relabelings }}
+      relabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.relabelings | nindent 8 }}
+    {{- end }}
     {{- if .Values.controller.metrics.serviceMonitor.metricRelabelings }}
       metricRelabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.metricRelabelings | nindent 8 }}
     {{- end }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index cf84ea807..a96bfbfd0 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -663,6 +663,7 @@ controller:
       scrapeInterval: 30s
       # honorLabels: true
       targetLabels: []
+      relabelings: []
       metricRelabelings: []
 
     prometheusRule:

From 3f9d443b1e9423e3b182fb81f3b9b9c5328bbbd3 Mon Sep 17 00:00:00 2001
From: Jennifer Kirsch <7807969+DysphoricUnicorn@users.noreply.github.com>
Date: Mon, 6 Dec 2021 21:01:33 +0100
Subject: [PATCH 249/376] Add link to example error page manifest (#8014)

Without this change it was a bit difficult to find the manifest so users might not know that there is one.
---
 docs/examples/customization/custom-errors/README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/examples/customization/custom-errors/README.md b/docs/examples/customization/custom-errors/README.md
index 3a925bed7..00b999859 100644
--- a/docs/examples/customization/custom-errors/README.md
+++ b/docs/examples/customization/custom-errors/README.md
@@ -4,7 +4,9 @@ This example demonstrates how to use a custom backend to render custom error pag
 
 ## Customized default backend
 
-First, create the custom `default-backend`. It will be used by the Ingress controller later on.
+First, create the custom `default-backend`. It will be used by the Ingress controller later on.  
+To do that, you can take a look at the [example manifest](https://github.com/kubernetes/ingress-nginx/blob/main/docs/examples/customization/custom-errors/custom-default-backend.yaml)
+in this project's GitHub repository.
 
 ```
 $ kubectl create -f custom-default-backend.yaml

From 6163231ef604664ccb0728367245527f13ec9fe7 Mon Sep 17 00:00:00 2001
From: Ana Claudia Riekstin <17534478+anaclaudiar@users.noreply.github.com>
Date: Tue, 7 Dec 2021 11:01:02 -0500
Subject: [PATCH 250/376] fix to really execute plugins in order (#8018)

---
 rootfs/etc/nginx/lua/plugins.lua           | 14 +++++++------
 rootfs/etc/nginx/lua/test/plugins_test.lua | 23 ++++++++++++++++++++++
 2 files changed, 31 insertions(+), 6 deletions(-)
 create mode 100644 rootfs/etc/nginx/lua/test/plugins_test.lua

diff --git a/rootfs/etc/nginx/lua/plugins.lua b/rootfs/etc/nginx/lua/plugins.lua
index 0c1fd899b..55e208a32 100644
--- a/rootfs/etc/nginx/lua/plugins.lua
+++ b/rootfs/etc/nginx/lua/plugins.lua
@@ -1,6 +1,5 @@
 local require = require
 local ngx = ngx
-local pairs = pairs
 local ipairs = ipairs
 local string_format = string.format
 local ngx_log = ngx.log
@@ -20,8 +19,11 @@ local function load_plugin(name)
     ngx_log(ERR, string_format("error loading plugin \"%s\": %s", path, plugin))
     return
   end
-
-  plugins[name] = plugin
+  local index = #plugins
+  if (plugin.name == nil or plugin.name == '') then
+    plugin.name = name
+  end
+  plugins[index + 1] = plugin
 end
 
 function _M.init(names)
@@ -39,9 +41,9 @@ end
 function _M.run()
   local phase = ngx.get_phase()
 
-  for name, plugin in pairs(plugins) do
+  for _, plugin in ipairs(plugins) do
     if plugin[phase] then
-      ngx_log(INFO, string_format("running plugin \"%s\" in phase \"%s\"", name, phase))
+      ngx_log(INFO, string_format("running plugin \"%s\" in phase \"%s\"", plugin.name, phase))
 
       -- TODO: consider sandboxing this, should we?
       -- probably yes, at least prohibit plugin from accessing env vars etc
@@ -50,7 +52,7 @@ function _M.run()
       local ok, err = pcall(plugin[phase])
       if not ok then
         ngx_log(ERR, string_format("error while running plugin \"%s\" in phase \"%s\": %s",
-            name, phase, err))
+            plugin.name, phase, err))
       end
     end
   end
diff --git a/rootfs/etc/nginx/lua/test/plugins_test.lua b/rootfs/etc/nginx/lua/test/plugins_test.lua
new file mode 100644
index 000000000..d7f789d0f
--- /dev/null
+++ b/rootfs/etc/nginx/lua/test/plugins_test.lua
@@ -0,0 +1,23 @@
+describe("plugins", function()
+  describe("#run", function()
+    it("runs the plugins in the given order", function()
+      ngx.get_phase = function() return "rewrite" end
+      local plugins = require("plugins")
+      local called_plugins = {}
+      local plugins_to_mock = {"plugins.pluginfirst.main", "plugins.pluginsecond.main", "plugins.pluginthird.main"}
+      for i=1, 3, 1
+      do
+        package.loaded[plugins_to_mock[i]] = {
+          rewrite = function()
+            called_plugins[#called_plugins + 1] = plugins_to_mock[i]
+          end
+        }
+      end
+      assert.has_no.errors(function()
+        plugins.init({"pluginfirst", "pluginsecond", "pluginthird"})
+      end)
+      assert.has_no.errors(plugins.run)
+      assert.are.same(plugins_to_mock, called_plugins)
+    end)
+  end)
+end)
\ No newline at end of file

From 5cff197bc51079f18a9714c69a0dd11e4bcf310b Mon Sep 17 00:00:00 2001
From: Yecheng Fu <cofyc.jackson@gmail.com>
Date: Wed, 8 Dec 2021 00:40:00 +0800
Subject: [PATCH 251/376] add canary-weight-total annotation (#6338)

---
 .../nginx-configuration/annotations.md        |  5 ++-
 internal/ingress/annotations/canary/main.go   |  6 ++++
 internal/ingress/controller/controller.go     |  1 +
 internal/ingress/types.go                     | 11 +++++--
 rootfs/etc/nginx/lua/balancer.lua             |  6 +++-
 rootfs/etc/nginx/lua/test/balancer_test.lua   | 14 ++++++++
 test/e2e/annotations/canary.go                | 33 +++++++++++++++++++
 7 files changed, 71 insertions(+), 5 deletions(-)

diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
index 481356936..46f7c23d4 100755
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@@ -41,6 +41,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
 |[nginx.ingress.kubernetes.io/canary-by-header-pattern](#canary)|string|
 |[nginx.ingress.kubernetes.io/canary-by-cookie](#canary)|string|
 |[nginx.ingress.kubernetes.io/canary-weight](#canary)|number|
+|[nginx.ingress.kubernetes.io/canary-weight-total](#canary)|number|
 |[nginx.ingress.kubernetes.io/client-body-buffer-size](#client-body-buffer-size)|string|
 |[nginx.ingress.kubernetes.io/configuration-snippet](#configuration-snippet)|string|
 |[nginx.ingress.kubernetes.io/custom-http-errors](#custom-http-errors)|[]int|
@@ -138,7 +139,9 @@ In some cases, you may want to "canary" a new set of changes by sending a small
 
 * `nginx.ingress.kubernetes.io/canary-by-cookie`: The cookie to use for notifying the Ingress to route the request to the service specified in the Canary Ingress. When the cookie value is set to `always`, it will be routed to the canary. When the cookie is set to `never`, it will never be routed to the canary. For any other value, the cookie will be ignored and the request compared against the other canary rules by precedence.
 
-* `nginx.ingress.kubernetes.io/canary-weight`: The integer based (0 - 100) percent of random requests that should be routed to the service specified in the canary Ingress. A weight of 0 implies that no requests will be sent to the service in the Canary ingress by this canary rule. A weight of 100 means implies all requests will be sent to the alternative service specified in the Ingress.
+* `nginx.ingress.kubernetes.io/canary-weight`: The integer based (0 - <weight-total>) percent of random requests that should be routed to the service specified in the canary Ingress. A weight of 0 implies that no requests will be sent to the service in the Canary ingress by this canary rule. A weight of <weight-total> means implies all requests will be sent to the alternative service specified in the Ingress. `<weight-total>` defaults to 100, and can be increased via `nginx.ingress.kubernetes.io/canary-weight-total`.
+
+* `nginx.ingress.kubernetes.io/canary-weight-total`: The total weight of traffic. If unspecified, it defaults to 100.
 
 Canary rules are evaluated in order of precedence. Precedence is as follows:
 `canary-by-header -> canary-by-cookie -> canary-weight`
diff --git a/internal/ingress/annotations/canary/main.go b/internal/ingress/annotations/canary/main.go
index 3930b84d7..d9e53b3b8 100644
--- a/internal/ingress/annotations/canary/main.go
+++ b/internal/ingress/annotations/canary/main.go
@@ -32,6 +32,7 @@ type canary struct {
 type Config struct {
 	Enabled       bool
 	Weight        int
+	WeightTotal   int
 	Header        string
 	HeaderValue   string
 	HeaderPattern string
@@ -59,6 +60,11 @@ func (c canary) Parse(ing *networking.Ingress) (interface{}, error) {
 		config.Weight = 0
 	}
 
+	config.WeightTotal, err = parser.GetIntAnnotation("canary-weight-total", ing)
+	if err != nil {
+		config.WeightTotal = 100
+	}
+
 	config.Header, err = parser.GetStringAnnotation("canary-by-header", ing)
 	if err != nil {
 		config.Header = ""
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 75c06ad2d..99d1c8f35 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -896,6 +896,7 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B
 				upstreams[defBackend].NoServer = true
 				upstreams[defBackend].TrafficShapingPolicy = ingress.TrafficShapingPolicy{
 					Weight:        anns.Canary.Weight,
+					WeightTotal:   anns.Canary.WeightTotal,
 					Header:        anns.Canary.Header,
 					HeaderValue:   anns.Canary.HeaderValue,
 					HeaderPattern: anns.Canary.HeaderPattern,
diff --git a/internal/ingress/types.go b/internal/ingress/types.go
index 033fa9cc4..78c2245ff 100644
--- a/internal/ingress/types.go
+++ b/internal/ingress/types.go
@@ -111,10 +111,15 @@ type Backend struct {
 // alternative backend
 // +k8s:deepcopy-gen=true
 type TrafficShapingPolicy struct {
-	// Weight (0-100) of traffic to redirect to the backend.
-	// e.g. Weight 20 means 20% of traffic will be redirected to the backend and 80% will remain
-	// with the other backend. 0 weight will not send any traffic to this backend
+	// Weight (0-<WeightTotal>) of traffic to redirect to the backend.
+	// e.g. <WeightTotal> defaults to 100, weight 20 means 20% of traffic will be
+	// redirected to the backend and 80% will remain with the other backend. If
+	// <WeightTotal> is set to 1000, weight 2 means 0.2% of traffic will be
+	// redirected to the backend and 99.8% will remain with the other backend.
+	// 0 weight will not send any traffic to this backend
 	Weight int `json:"weight"`
+	// The total weight of traffic (>= 100). If unspecified, it defaults to 100.
+	WeightTotal int `json:"weightTotal"`
 	// Header on which to redirect requests to this backend
 	Header string `json:"header"`
 	// HeaderValue on which to redirect requests to this backend
diff --git a/rootfs/etc/nginx/lua/balancer.lua b/rootfs/etc/nginx/lua/balancer.lua
index e83257a6f..b6c420c9f 100644
--- a/rootfs/etc/nginx/lua/balancer.lua
+++ b/rootfs/etc/nginx/lua/balancer.lua
@@ -259,7 +259,11 @@ local function route_to_alternative_balancer(balancer)
     end
   end
 
-  if math.random(100) <= traffic_shaping_policy.weight then
+  local weightTotal = 100
+  if traffic_shaping_policy.weightTotal ~= nil and traffic_shaping_policy.weightTotal > 100 then
+    weightTotal = traffic_shaping_policy.weightTotal
+  end
+  if math.random(weightTotal) <= traffic_shaping_policy.weight then
     return true
   end
 
diff --git a/rootfs/etc/nginx/lua/test/balancer_test.lua b/rootfs/etc/nginx/lua/test/balancer_test.lua
index 4f40bc6ae..2d42ad330 100644
--- a/rootfs/etc/nginx/lua/test/balancer_test.lua
+++ b/rootfs/etc/nginx/lua/test/balancer_test.lua
@@ -203,6 +203,20 @@ describe("Balancer", function()
           balancer.sync_backend(backend)
           assert.equal(false, balancer.route_to_alternative_balancer(_primaryBalancer))
         end)
+
+        it("returns true when weight is 1000 and weight total is 1000", function()
+          backend.trafficShapingPolicy.weight = 1000
+          backend.trafficShapingPolicy.weightTotal = 1000
+          balancer.sync_backend(backend)
+          assert.equal(true, balancer.route_to_alternative_balancer(_primaryBalancer))
+        end)
+
+        it("returns false when weight is 0 and weight total is 1000", function()
+          backend.trafficShapingPolicy.weight = 1000
+          backend.trafficShapingPolicy.weightTotal = 1000
+          balancer.sync_backend(backend)
+          assert.equal(true, balancer.route_to_alternative_balancer(_primaryBalancer))
+        end)
       end)
 
       describe("canary by cookie", function()
diff --git a/test/e2e/annotations/canary.go b/test/e2e/annotations/canary.go
index d189c972d..31e740434 100644
--- a/test/e2e/annotations/canary.go
+++ b/test/e2e/annotations/canary.go
@@ -773,6 +773,39 @@ var _ = framework.DescribeAnnotation("canary-*", func() {
 				Contains(canaryService)
 		})
 
+		ginkgo.It("should route requests only to canary if canary weight is equal to canary weight total", func() {
+			host := "foo"
+			annotations := map[string]string{}
+
+			ing := framework.NewSingleIngress(host, "/", host,
+				f.Namespace, framework.EchoService, 80, annotations)
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxServer(host,
+				func(server string) bool {
+					return strings.Contains(server, "server_name foo")
+				})
+
+			canaryIngName := fmt.Sprintf("%v-canary", host)
+			canaryAnnotations := map[string]string{
+				"nginx.ingress.kubernetes.io/canary":              "true",
+				"nginx.ingress.kubernetes.io/canary-weight":       "1000",
+				"nginx.ingress.kubernetes.io/canary-weight-total": "1000",
+			}
+
+			canaryIng := framework.NewSingleIngress(canaryIngName, "/", host,
+				f.Namespace, canaryService, 80, canaryAnnotations)
+			f.EnsureIngress(canaryIng)
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", host).
+				Expect().
+				Status(http.StatusOK).
+				Body().
+				Contains(canaryService)
+		})
+
 		ginkgo.It("should route requests evenly split between mainline and canary if canary weight is 50", func() {
 			host := "foo"
 			annotations := map[string]string{}

From 84db822a944aaddd560f5d0bc4044f073b2e6fd3 Mon Sep 17 00:00:00 2001
From: Alex Sears <searsaw@users.noreply.github.com>
Date: Tue, 7 Dec 2021 14:26:37 -0500
Subject: [PATCH 252/376] Add newline indenting to admission webhook
 annotations (#8015)

Signed-off-by: Alex Sears <me@alexsears.com>
---
 .../admission-webhooks/job-patch/job-createSecret.yaml          | 2 +-
 .../admission-webhooks/job-patch/job-patchWebhook.yaml          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
index 46afc214c..e57bfde49 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -8,7 +8,7 @@ metadata:
     "helm.sh/hook": pre-install,pre-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     {{- with .Values.controller.admissionWebhooks.annotations }}
-    {{- toYaml . | indent 4 }}
+    {{- toYaml . | nindent 4 }}
     {{- end }}
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
index 1e9438825..4f8ba14db 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -8,7 +8,7 @@ metadata:
     "helm.sh/hook": post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     {{- with .Values.controller.admissionWebhooks.annotations }}
-    {{- toYaml . | indent 4 }}
+    {{- toYaml . | nindent 4 }}
     {{- end }}
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}

From a9029d2bc7ae8626152e5fc010829374fc950950 Mon Sep 17 00:00:00 2001
From: Aaron Crickenberger <spiffxp@google.com>
Date: Sun, 12 Dec 2021 05:19:59 -0800
Subject: [PATCH 253/376] images: use k8s-staging-test-infra/gcb-docker-gcloud
 (#7999)

---
 cloudbuild.yaml                               | 2 +-
 images/cfssl/cloudbuild.yaml                  | 2 +-
 images/custom-error-pages/cloudbuild.yaml     | 2 +-
 images/echo/cloudbuild.yaml                   | 2 +-
 images/fastcgi-helloserver/cloudbuild.yaml    | 2 +-
 images/go-grpc-greeter-server/cloudbuild.yaml | 2 +-
 images/httpbin/cloudbuild.yaml                | 2 +-
 images/kube-webhook-certgen/cloudbuild.yaml   | 2 +-
 images/nginx/cloudbuild.yaml                  | 2 +-
 images/test-runner/cloudbuild.yaml            | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/cloudbuild.yaml b/cloudbuild.yaml
index 22f4771bb..a9d4a214c 100644
--- a/cloudbuild.yaml
+++ b/cloudbuild.yaml
@@ -4,7 +4,7 @@ timeout: 1800s
 options:
   substitution_option: ALLOW_LOOSE
 steps:
-  - name: 'gcr.io/k8s-testimages/gcb-docker-gcloud:v20210722-085d930'
+  - name: 'gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90'
     entrypoint: bash
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled
diff --git a/images/cfssl/cloudbuild.yaml b/images/cfssl/cloudbuild.yaml
index d80d2aeaf..a71001c89 100644
--- a/images/cfssl/cloudbuild.yaml
+++ b/images/cfssl/cloudbuild.yaml
@@ -2,7 +2,7 @@ timeout: 600s
 options:
   substitution_option: ALLOW_LOOSE
 steps:
-  - name: gcr.io/k8s-testimages/gcb-docker-gcloud:v20201130-750d12f
+  - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90
     entrypoint: bash
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled
diff --git a/images/custom-error-pages/cloudbuild.yaml b/images/custom-error-pages/cloudbuild.yaml
index 9b913b3e6..45cff0021 100644
--- a/images/custom-error-pages/cloudbuild.yaml
+++ b/images/custom-error-pages/cloudbuild.yaml
@@ -2,7 +2,7 @@ timeout: 1800s
 options:
   substitution_option: ALLOW_LOOSE
 steps:
-  - name: gcr.io/k8s-testimages/gcb-docker-gcloud:v20201130-750d12f
+  - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90
     entrypoint: bash
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled
diff --git a/images/echo/cloudbuild.yaml b/images/echo/cloudbuild.yaml
index 3e4d67d06..2f773cebc 100644
--- a/images/echo/cloudbuild.yaml
+++ b/images/echo/cloudbuild.yaml
@@ -2,7 +2,7 @@ timeout: 1200s
 options:
   substitution_option: ALLOW_LOOSE
 steps:
-  - name: gcr.io/k8s-testimages/gcb-docker-gcloud:v20201130-750d12f
+  - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90
     entrypoint: bash
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled
diff --git a/images/fastcgi-helloserver/cloudbuild.yaml b/images/fastcgi-helloserver/cloudbuild.yaml
index d80d2aeaf..a71001c89 100644
--- a/images/fastcgi-helloserver/cloudbuild.yaml
+++ b/images/fastcgi-helloserver/cloudbuild.yaml
@@ -2,7 +2,7 @@ timeout: 600s
 options:
   substitution_option: ALLOW_LOOSE
 steps:
-  - name: gcr.io/k8s-testimages/gcb-docker-gcloud:v20201130-750d12f
+  - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90
     entrypoint: bash
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled
diff --git a/images/go-grpc-greeter-server/cloudbuild.yaml b/images/go-grpc-greeter-server/cloudbuild.yaml
index 14c64db31..b92b9c877 100644
--- a/images/go-grpc-greeter-server/cloudbuild.yaml
+++ b/images/go-grpc-greeter-server/cloudbuild.yaml
@@ -4,7 +4,7 @@ options:
   # job builds a multi-arch docker image for amd64,arm,arm64 and s390x.
   machineType: N1_HIGHCPU_8
 steps:
-  - name: gcr.io/k8s-testimages/gcb-docker-gcloud:v20210622-762366a
+  - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90
     entrypoint: bash
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled
diff --git a/images/httpbin/cloudbuild.yaml b/images/httpbin/cloudbuild.yaml
index 02f28b8ca..b92b9c877 100644
--- a/images/httpbin/cloudbuild.yaml
+++ b/images/httpbin/cloudbuild.yaml
@@ -4,7 +4,7 @@ options:
   # job builds a multi-arch docker image for amd64,arm,arm64 and s390x.
   machineType: N1_HIGHCPU_8
 steps:
-  - name: gcr.io/k8s-testimages/gcb-docker-gcloud:v20201130-750d12f
+  - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90
     entrypoint: bash
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled
diff --git a/images/kube-webhook-certgen/cloudbuild.yaml b/images/kube-webhook-certgen/cloudbuild.yaml
index 8bdd225c5..d1eb9fe6e 100644
--- a/images/kube-webhook-certgen/cloudbuild.yaml
+++ b/images/kube-webhook-certgen/cloudbuild.yaml
@@ -17,7 +17,7 @@ timeout: 10800s
 options:
   substitution_option: ALLOW_LOOSE
 steps:
-  - name: gcr.io/k8s-testimages/gcb-docker-gcloud:v20201130-750d12f
+  - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90
     entrypoint: bash
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled
diff --git a/images/nginx/cloudbuild.yaml b/images/nginx/cloudbuild.yaml
index c5aca043e..d507b8f1a 100644
--- a/images/nginx/cloudbuild.yaml
+++ b/images/nginx/cloudbuild.yaml
@@ -4,7 +4,7 @@ options:
   # job builds a multi-arch docker image for amd64,arm,arm64 and s390x.
   machineType: N1_HIGHCPU_32
 steps:
-  - name: gcr.io/k8s-testimages/gcb-docker-gcloud:v20210722-085d930
+  - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90
     entrypoint: bash
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled
diff --git a/images/test-runner/cloudbuild.yaml b/images/test-runner/cloudbuild.yaml
index 7258ab384..253b99799 100644
--- a/images/test-runner/cloudbuild.yaml
+++ b/images/test-runner/cloudbuild.yaml
@@ -2,7 +2,7 @@ timeout: 3600s
 options:
   substitution_option: ALLOW_LOOSE
 steps:
-  - name: gcr.io/k8s-testimages/gcb-docker-gcloud:v20201130-750d12f
+  - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90
     entrypoint: bash
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled

From ec21629b81b29b0f0f810a014c634bc78cfb5544 Mon Sep 17 00:00:00 2001
From: Tim Bannister <tim@scalefactory.com>
Date: Sun, 12 Dec 2021 13:21:58 +0000
Subject: [PATCH 254/376] Revise main documentation page (#8019)

- Revise to be more in line with the style guide for Kubernetes official docs
- Avoid recommending that readers use `k8s.io` namespaced controller names
  for their own custom controller configuration.

Co-authored-by: James Strong <strong.james.e@gmail.com>

Co-authored-by: James Strong <strong.james.e@gmail.com>
---
 docs/index.md | 118 +++++++++++++++++++++++++++++---------------------
 1 file changed, 69 insertions(+), 49 deletions(-)

diff --git a/docs/index.md b/docs/index.md
index 6aa2ea81c..182674947 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -1,31 +1,35 @@
-# Welcome
+# Overview
 
 This is the documentation for the NGINX Ingress Controller.
 
-It is built around the [Kubernetes Ingress resource](http://kubernetes.io/docs/user-guide/ingress/), using a [ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#understanding-configmaps-and-pods) to store the NGINX configuration.
+It is built around the [Kubernetes Ingress resource](https://kubernetes.io/docs/concepts/services-networking/ingress/), using a [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) to store the controller configuration.
 
-Learn more about using Ingress on [k8s.io](http://kubernetes.io/docs/user-guide/ingress/).
+You can learn more about using [Ingress](http://kubernetes.io/docs/user-guide/ingress/) in the official [Kubernetes documentation](https://docs.k8s.io).
 
 ## Getting Started
 
 See [Deployment](./deploy/) for a whirlwind tour that will get you started.
 
 
-# FAQ - Migration to apiVersion networking.k8s.io/v1
+# FAQ - Migration to apiVersion `networking.k8s.io/v1`
 
-- Please read this [official blog on deprecated ingress api versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) If you are using ingress objects in your pre K8s v1.22 cluster, and you upgrade to K8s v1.22, then this document may be relevant to you.
+If you are using Ingress objects in your cluster (running Kubernetes older than v1.22), and you plan to upgrade to Kubernetess v1.22, this section is relevant to you.
+
+- Please read this [official blog on deprecated Ingress API versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) 
 
 - Please read this [official documentation on the IngressClass object](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class)
 
-## What is an ingressClass and why is it important for users of Ingress-NGINX controller now ?
+## What is an IngressClass and why is it important for users of Ingress-NGINX controller now ?
 
 IngressClass is a Kubernetes resource. See the description below.
-Its important because until now, a default install of the Ingress-NGINX controller did not require a ingressClass object. But from version 1.0.0 of the Ingress-NGINX Controller, a ingressclass object is required.
+Its important because until now, a default install of the Ingress-NGINX controller did not require any IngressClass object. From version 1.0.0 of the Ingress-NGINX Controller, an IngressClass object is required.
 
-On clusters with more than one instance of the Ingress-NGINX controller, all instances of the controllers must be aware of which Ingress object they must serve. The ingressClass field of a ingress object is the way to let the controller know about that. 
+On clusters with more than one instance of the Ingress-NGINX controller, all instances of the controllers must be aware of which Ingress objects they serve. The `ingressClassName` field of an Ingress is the way to let the controller know about that. 
 
 ```
-_$ k explain ingressClass                                                           
+kubectl explain ingressclass                                                           
+```
+```
 KIND:     IngressClass                                                               
 VERSION:  networking.k8s.io/v1                     
 
@@ -63,23 +67,25 @@ FIELDS:
 
 There are 2 reasons primarily.
 
-(Reason #1) Until K8s version 1.21, it was possible to create a ingress resource, with the "apiVersion:" field set to a value like:
+_(Reason #1)_ Until K8s version 1.21, it was possible to create an Ingress resource using deprecated versions of the Ingress API, such as:
 
-  - extensions/v1beta1
-  - networking.k8s.io/v1beta1
+  - `extensions/v1beta1`
+  - `networking.k8s.io/v1beta1`
 
-You would get a message about deprecation but the ingress resource would get created.
+You would get a message about deprecation, but the Ingress resource would get created.
 
-From K8s version 1.22 onwards, you can ONLY set the "apiVersion:" field of a ingress resource, to the value "networking.k8s.io/v1". The reason is [official blog on deprecated ingress api versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/).
+From K8s version 1.22 onwards, you can **only** access the Ingress API via the stable, `networking.k8s.io/v1` API. The reason is explained in the [official blog on deprecated ingress API versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/).
 
-(Reason #2) When you upgrade to K8s version v1.22, while you are already using the Ingress-NGINX controller, there are several scenarios where the old existing ingress objects will not work. Read this FAQ to check which scenario matches your use case.
+_(Reason #2)_ if you are already using the Ingress-NGINX controller and then upgrade to K8s version v1.22 , there are several scenarios where your existing Ingress objects will not work how you expect. Read this FAQ to check which scenario matches your use case.
 
 ## What is ingressClassName field ?
 
-ingressClassName is a field in the specs of a ingress object.
+`ingressClassName` is a field in the specs of an Ingress object.
 
+```shell
+kubectl explain ingress.spec.ingressClassName
+```
 ```
-% k explain ingress.spec.ingressClassName
 KIND:     Ingress
 VERSION:  networking.k8s.io/v1
 
@@ -97,25 +103,27 @@ DESCRIPTION:
      for this field. For more information, refer to the IngressClass
      documentation.
 ```
- the spec.ingressClassName behavior has precedence over the annotation.
+
+The `.spec.ingressClassName` behavior has precedence over the deprecated `kubernetes.io/ingress.class` annotation.
 
 
 
-## I have only one instance of the Ingresss-NGINX controller in my cluster. What should I do ?
+## I have only one instance of the Ingress-NGINX controller in my cluster. What should I do ?
 
-- If you have only one instance of the Ingress-NGINX controller running in your cluster, and you still want to use ingressclass, you should add the annotation "ingressclass.kubernetes.io/is-default-class" in your ingress class, so any new Ingress objects will have this one as default ingressClass.
+- If you have only one instance of the Ingress-NGINX controller running in your cluster, and you still want to use IngressClass, you should add the annotation `ingressclass.kubernetes.io/is-default-class` in your IngressClass, so that any new Ingress objects will have this one as default IngressClass.
 
-In this case, you need to make your Controller aware of the objects. If you have several Ingress objects and they don't yet have the [ingressClassName](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#ingress-v1-networking-k8s-io) field, or the ingress annotation (`kubernetes.io/ingress.class`),  then you should start your ingress-controller with the flag [--watch-ingress-without-class=true](## What is the flag '--watch-ingress-without-class' ?) .
+In this case, you need to make your controller aware of the objects. If you have any Ingress objects that don't yet have either the [`.spec.ingressClassName`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) field set in their manifest, or the ingress annotation (`kubernetes.io/ingress.class`), then you should start your Ingress-NGINX controller with the flag `--watch-ingress-without-class=true`.
 
-You can configure your helm chart installation's values file with `.controller.watchIngressWithoutClass: true`. 
+You can configure your Helm chart installation's values file with `.controller.watchIngressWithoutClass: true`. 
 
-We highly recommend that you create the ingressClass as shown below:
+We recommend that you create the IngressClass as shown below:
 ```
+---
 apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    app.kubernetes.io/component: controller
+    app.kubernetes.io/component: controller 
   name: nginx
   annotations:
     ingressclass.kubernetes.io/is-default-class: "true"
@@ -124,16 +132,17 @@ spec:
 ```
 And add the value "spec.ingressClassName=nginx" in your Ingress objects
 
-## I have multiple ingress objects in my cluster. What should I do ?
-- If you don't care about ingressClass, or you have a lot of ingress objects without ingressClass configuration, you can run the ingress-controller with the flag `--watch-ingress-without-class=true`.
+## I have multiple Ingress objects in my cluster. What should I do ?
+- If you don't care about ingress classes, or you have a lot of Ingress objects without any IngressClass configuration, you can run the ingress-controller with the flag `--watch-ingress-without-class=true`.
 
-## What is the flag '--watch-ingress-without-class' ?
-- Its a flag that is passed,as an argument, to the ingress-controller executable, in the pod spec. It looks like this ;
+### What is the flag '--watch-ingress-without-class' ?
+- Its a flag that is passed,as an argument, to the `nginx-ingress-controller` executable. In the configuration, it looks like this ;
 ```
 ...
 ...
 args:
   - /nginx-ingress-controller
+  - --watch-ingress-without-class=true
   - --publish-service=$(POD_NAMESPACE)/ingress-nginx-dev-v1-test-controller
   - --election-id=ingress-controller-leader
   - --controller-class=k8s.io/ingress-nginx
@@ -141,45 +150,56 @@ args:
   - --validating-webhook=:8443
   - --validating-webhook-certificate=/usr/local/certificates/cert
   - --validating-webhook-key=/usr/local/certificates/key
-  - --watch-ingress-without-class=true
 ...
 ...
 ```
 
 ## I have more than one controller in my cluster and already use the annotation ?
+
 No problem. This should still keep working, but we highly recommend you to test!
 
-## I have more than one controller running in my cluster, and I want to use the new spec ?
-In this scenario, you need to create multiple ingressClasses (see example one). But be aware that ingressClass works in a very specific way: you will need to change the .spec.controller value in your IngressClass and point the controller to the relevant ingressClass. Let's see some example, supposing that you have two Ingress Classes:
+Even though `kubernetes.io/ingress.class` is deprecated, the Ingress-NGINX controller still understands that annotation.
+If you want to follow good practice, you should consider migrating to use IngressClass and `.spec.ingressClassName`.
 
-- Ingress-Nginx-IngressClass-1 with .spec.controller equals to "k8s.io/ingress-nginx1"
-- Ingress-Nginx-IngressClass-2 with .spec.controller equals to "k8s.io/ingress-nginx2"
+## I have more than one controller running in my cluster, and I want to use the new API ?
+
+In this scenario, you need to create multiple IngressClasses (see example one). But be aware that IngressClass works in a very specific way: you will need to change the `.spec.controller` value in your IngressClass and configure the controller to expect the exact same value.
+
+Let's see some example, supposing that you have three IngressClasses:
+
+- IngressClass `ingress-nginx-one`, with `.spec.controller` equal to `example.com/ingress-nginx1`
+- IngressClass `ingress-nginx-two`, with `.spec.controller` equal to `example.com/ingress-nginx2`
+- IngressClass `ingress-nginx-three`, with `.spec.controller` equal to `example.com/ingress-nginx1`
+
+(for private use, you can also use a controller name that doesn't contain a `/`; for example: `ingress-nginx1`)
 
 When deploying your ingress controllers, you will have to change the `--controller-class` field as follows:
 
-- Ingress-Nginx-Controller-nginx1 with `k8s.io/ingress-nginx1`
-- Ingress-Nginx-Controller-nginx2 with `k8s.io/ingress-nginx2`
+- Ingress-Nginx A, configured to use controller class name `example.com/ingress-nginx1`
+- Ingress-Nginx B, configured to use controller class name `example.com/ingress-nginx2`
 
-Then, when you create an Ingress Object with IngressClassName = `ingress-nginx2`, it will look for controllers with `controller-class=k8s.io/ingress-nginx2` and as `Ingress-Nginx-Controller-nginx2` is watching objects that points to `ingressClass="k8s.io/ingress-nginx2`, it will serve that object, while `Ingress-Nginx-Controller-nginx1` will ignore the ingress object.
+Then, when you create an Ingress object with its `ingressClassName` set to `ingress-nginx-two`, only controllers looking for the `example.com/ingress-nginx2` controller class pay attention to the new object. Given that Ingress-Nginx B is set up that way, it will serve that object, whereas Ingress-Nginx A ignores the new Ingress.
 
-Bear in mind that, if your `Ingress-Nginx-Controller-nginx2` is started with the flag `--watch-ingress-without-class=true`, then it will serve:
+Bear in mind that, if you start Ingress-Nginx B with the command line argument `--watch-ingress-without-class=true`, then it will serve:
 
-- objects without ingress-class
-- objects with the annotation configured in flag `--ingress-class` and same class value
-- and also objects pointing to the ingressClass that have the same .spec.controller as configured in `--controller-class`
+1. Ingresses without any `ingressClassName` set
+2. Ingresses where the the deprecated annotation (`kubernetes.io/ingress.class`) matches the value set in the command line argument `--ingress-class`
+3. Ingresses that refer to any IngressClass that has the same `spec.controller` as configured in `--controller-class`
 
+If you start Ingress-Nginx B with the command line argument `--watch-ingress-without-class=true` and you run Ingress-Nginx A with the command line argument `--watch-ingress-without-class=false` then this is a supported configuration. If you have two Ingress-NGINX controllers for the same cluster, both running with `--watch-ingress-without-class=true` then there is likely to be a conflict.
 
-## I am seeing this error message in the logs of the Ingress-NGINX controller "ingress class annotation is not equal to the expected by Ingress Controller". Why ?
-- It is highly likely that you will also see the name of the ingress resource in the same error message. This error messsage has been observed on use the deprecated annotation, to spec the ingressClass, in a ingress resource manifest. It is recommended to use the ingress.spec.ingressClassName field, of the ingress resource, to spec the name of the ingressClass of the ingress resource being configured.
+## I am seeing this error message in the logs of the Ingress-NGINX controller: "ingress class annotation is not equal to the expected by Ingress Controller". Why ?
+
+- It is highly likely that you will also see the name of the ingress resource in the same error message. This error messsage has been observed on use the deprecated annotation (`kubernetes.io/ingress.class`) in a Ingress resource manifest. It is recommended to use the `.spec.ingressClassName` field of the Ingress resource, to specify the name of the IngressClass of the Ingress you are defining.
 
 ## How to easily install multiple instances of the ingress-NGINX controller in the same cluster ?
 - Create a new namespace
   ```
   kubectl create namespace ingress-nginx-2
   ```
-- Use helm to install the additional instance of the ingress controller
-- Ensure you have helm working (refer to helm documentation)
-- We have to assume that you have the helm repo for the ingress-NGINX controller already added to your helm config. But, if you have not added the helm repo then you can do this to add the repo to your helm config;
+- Use Helm to install the additional instance of the ingress controller
+- Ensure you have Helm working (refer to the [Helm documentation](https://helm.sh/docs/))
+- We have to assume that you have the helm repo for the ingress-NGINX controller already added to your Helm config. But, if you have not added the helm repo then you can do this to add the repo to your helm config;
   ```
   helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
   ```
@@ -187,13 +207,13 @@ Bear in mind that, if your `Ingress-Nginx-Controller-nginx2` is started with the
   ```
   helm repo update
   ```
-- Now you install the additional instance of the ingress-NGINX controller like this ;
+- Now, install an additional instance of the ingress-NGINX controller like this ;
   ```
   helm install ingress-nginx-2 ingress-nginx/ingress-nginx  \
   --namespace ingress-nginx-2 \
-  --set controller.ingressClassResource.name=nginx-2 \
-  --set controller.ingressClassResource.controllerValue="k8s.io/ingress-nginx-2" \
+  --set controller.ingressClassResource.name=nginx-two \
+  --set controller.ingressClassResource.controllerValue="example.com/ingress-nginx-2" \
   --set controller.ingressClassResource.enabled=true \
   --set controller.ingressClassByName=true
   ```
-- If you need to install yet another instance, then repeat the procedure to create a new namespace, change the values like names & namespaces (for example from "-2" to "-3"), or anything else that meets your needs.
+- If you need to install yet another instance, then repeat the procedure to create a new namespace, change the values such as names & namespaces (for example from "-2" to "-3"), or anything else that meets your needs.

From 8ccec8449652b08d65d0a29838e66b5ea8624b29 Mon Sep 17 00:00:00 2001
From: dmitry-j-mikhin <41896087+dmitry-j-mikhin@users.noreply.github.com>
Date: Sun, 12 Dec 2021 16:25:58 +0300
Subject: [PATCH 255/376] fix nginx compilation flags (#8023)

* use '-O2' instead of '-Og'
  '-O2' produce production optimized binary while '-Og' is used mostly
  for debugging
* use '-mtune=generic' instead of '-mtune=native'
  '-mtune=native' produce optimal code for builder host system, but it
  can be sub-optimal for execution host system
---
 images/nginx/rootfs/build.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
index ab64d5d94..1aa655523 100755
--- a/images/nginx/rootfs/build.sh
+++ b/images/nginx/rootfs/build.sh
@@ -637,7 +637,7 @@ WITH_FLAGS="--with-debug \
 
 # "Combining -flto with -g is currently experimental and expected to produce unexpected results."
 # https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html
-CC_OPT="-g -Og -fPIE -fstack-protector-strong \
+CC_OPT="-g -O2 -fPIE -fstack-protector-strong \
   -Wformat \
   -Werror=format-security \
   -Wno-deprecated-declarations \
@@ -656,7 +656,7 @@ if [[ ${ARCH} != "aarch64" ]]; then
 fi
 
 if [[ ${ARCH} == "x86_64" ]]; then
-  CC_OPT+=' -m64 -mtune=native'
+  CC_OPT+=' -m64 -mtune=generic'
 fi
 
 WITH_MODULES=" \

From 7bae2e7321a7bc623e85fbcae8ecab11206f2499 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Wed, 15 Dec 2021 11:38:27 -0300
Subject: [PATCH 256/376] Comment busy owners (#8035)

* Cleanup owners files

* Cleanup owners files
---
 OWNERS         | 2 --
 OWNERS_ALIASES | 8 ++++++--
 docs/OWNERS    | 3 +++
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/OWNERS b/OWNERS
index 1d90c4cd5..20082fb1f 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,9 +1,7 @@
 # See the OWNERS docs: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md
 
 approvers:
-- ingress-nginx-admins
 - ingress-nginx-maintainers
-- sig-network-leads
 
 reviewers:
 - ingress-nginx-reviewers
diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES
index f147d0f89..286a0d998 100644
--- a/OWNERS_ALIASES
+++ b/OWNERS_ALIASES
@@ -9,16 +9,15 @@ aliases:
   ingress-nginx-admins:
   - bowei
   - rikatz
+  - strongjz
 
   ingress-nginx-maintainers:
   - ElvinEfendi
-  - justinsb
   - rikatz
   - strongjz
 
   ingress-nginx-reviewers:
   - ElvinEfendi
-  - cmluciano
   - rikatz
   - strongjz
   - tao12345666333
@@ -31,5 +30,10 @@ aliases:
   - ChiefAlexander
   - cpanato
 
+  ingress-nginx-docs-maintainers:
+  - IamNoah1
+  - longwuyuan
+  - tao12345666333
+
   ingress-nginx-kube-webhook-certgen-reviewers:
   - invidian
diff --git a/docs/OWNERS b/docs/OWNERS
index 1d3805a73..e8b886e5b 100644
--- a/docs/OWNERS
+++ b/docs/OWNERS
@@ -1,4 +1,7 @@
 # See the OWNERS docs: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md
 
+approvers:
+- ingress-nginx-docs-maintainers
+
 labels:
 - area/docs
\ No newline at end of file

From 13e711bdddf4fe302ffe899ee3ca2c40d9120ae7 Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Wed, 15 Dec 2021 12:51:51 -0500
Subject: [PATCH 257/376] remove 109 check till gosec resolves issues (#8044)

---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 67a9ac74d..b7cf3bce1 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -51,7 +51,7 @@ jobs:
           # G601 for zz_generated.deepcopy.go
           # G306 TODO: Expect WriteFile permissions to be 0600 or less
           # G307 TODO: Deferring unsafe method "Close"
-          args: -exclude=G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/  -exclude-dir=docs/ ./...
+          args: -exclude=G109,G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/  -exclude-dir=docs/ ./...
 
   build:
     name: Build

From 2ff5af08d425d9b20744c333f4d68a7781c0b86b Mon Sep 17 00:00:00 2001
From: Mani Kanth <manikanth04@gmail.com>
Date: Wed, 22 Dec 2021 16:23:35 +0530
Subject: [PATCH 258/376] docs_multiple_instances_one_cluster_ticket_7543
 (#8042)

---
 docs/index.md                       | 6 ++++--
 docs/user-guide/multiple-ingress.md | 8 +++++---
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/docs/index.md b/docs/index.md
index 182674947..b06141814 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -132,8 +132,10 @@ spec:
 ```
 And add the value "spec.ingressClassName=nginx" in your Ingress objects
 
-## I have multiple Ingress objects in my cluster. What should I do ?
-- If you don't care about ingress classes, or you have a lot of Ingress objects without any IngressClass configuration, you can run the ingress-controller with the flag `--watch-ingress-without-class=true`.
+
+## I have multiple ingress objects in my cluster. What should I do ?
+- If you have lot of ingress objects without ingressClass configuration, you can run the ingress-controller with the flag `--watch-ingress-without-class=true`.
+
 
 ### What is the flag '--watch-ingress-without-class' ?
 - Its a flag that is passed,as an argument, to the `nginx-ingress-controller` executable. In the configuration, it looks like this ;
diff --git a/docs/user-guide/multiple-ingress.md b/docs/user-guide/multiple-ingress.md
index b0125c3b2..f13574044 100644
--- a/docs/user-guide/multiple-ingress.md
+++ b/docs/user-guide/multiple-ingress.md
@@ -2,13 +2,14 @@
 
 By default, deploying multiple Ingress controllers (e.g., `ingress-nginx` & `gce`) will result in all controllers simultaneously racing to update Ingress status fields in confusing ways.
 
-To fix this problem, you can either use [IngressClasses](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) (preferred) or use the `kubernetes.io/ingress.class` annotation (in deprecation).
+To fix this problem, use [IngressClasses](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class), the `kubernetes.io/ingress.class` annotation  is deprecated from kubernetes v1.22+.
 
 ## Using IngressClasses
 
 If all ingress controllers respect IngressClasses (e.g. multiple instances of ingress-nginx v1.0), you can deploy two Ingress controllers by granting them control over two different IngressClasses, then selecting one of the two IngressClasses with `ingressClassName`.
+When two or more 
 
-First, ensure the `--controller-class=` is set to something different on each ingress controller:
+First, ensure the `--controller-class=` and `--ingress-class` are set to something different on each ingress controller:
 
 ```yaml
 # ingress-nginx Deployment/Statfulset
@@ -19,7 +20,8 @@ spec:
          - name: ingress-nginx-internal-controller
            args:
              - /nginx-ingress-controller
-             - '--controller-class=k8s.io/internal-ingress-nginx'
+             - '--controller-class=k8s.io/internal-nginx'
+             - '--ingress-class=k8s.io/internal-nginx'
             ...
 ```
 

From fea7fed6dad9e468f46d24a05f13aa4df0e85350 Mon Sep 17 00:00:00 2001
From: Moh Basher <36448614+besha100@users.noreply.github.com>
Date: Thu, 23 Dec 2021 12:34:38 +0100
Subject: [PATCH 259/376] Disable default modsecurity_rules_file if
 modsecurity-snippet is specified (#8021)

* Disabled default modsecurity_rules_file if modsecurity-snippet is specifed

The default modsecurity_rules_file overwrites the ModSecurity-snippet if it is specified with custom config settings like "SecRuleEngine On". This will not let Modsecurity be in blocking mode even if "SecRuleEngine On" is specified in the ModSecurity-snippet configuration

* Remove unnecessary comments

Only have the default Modsecurity conf settings in case Modsecurity configuration snippet is not present and remove unnecessary comments

* Fixed modsecurity default file only if Modsecurity snippet present

Fixed if condition  Modsecurity snippet present have modsecurity default config file

* Added e2e test to disabling modsecurity conf

Added e2e in case modsecurity-snippet enabled to disable settings in default modsecurity.conf

* Validate writing to a different location

Validate also modsecurity to write to a different location instead of the default directory

* Fixed the formatting

* Fixed if empty ModsecuritySnippet

* Fixed ModsecuritySnippet condition

* Fixed the condition also in ingress controller template

* Removed the default config condition  in ingress controller template

* Fixed the default config condition in ingress controller template

* Fixed pull-ingress-nginx-test

* Revert "Fixed the default config condition in ingress controller template"

This reverts commit 9d38eca40fe615a4c756500ca57b05634240edde.

* Revert template_test

* Adjusted the formating %v
---
 .../ingress/controller/template/template.go   |  2 +-
 .../controller/template/template_test.go      |  4 +-
 rootfs/etc/nginx/template/nginx.tmpl          |  6 +--
 .../annotations/modsecurity/modsecurity.go    | 37 +++++++++++++++++++
 4 files changed, 43 insertions(+), 6 deletions(-)

diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go
index ae5ec259a..e5be1490a 100644
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@@ -1537,7 +1537,7 @@ func buildModSecurityForLocation(cfg config.Configuration, location *ingress.Loc
 `, location.ModSecurity.TransactionID))
 	}
 
-	if !isMSEnabled {
+	if !isMSEnabled && location.ModSecurity.Snippet == "" {
 		buffer.WriteString(`modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
 `)
 	}
diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go
index cfb65c08e..b65e33c32 100644
--- a/internal/ingress/controller/template/template_test.go
+++ b/internal/ingress/controller/template/template_test.go
@@ -1781,8 +1781,8 @@ func TestModSecurityForLocation(t *testing.T) {
 		{"configmap enabled, configmap OWASP enabled, annotation enabled, OWASP disabled", true, true, true, true, false, "", "", ""},
 		{"configmap disabled, annotation enabled, OWASP disabled", false, false, true, true, false, "", "", fmt.Sprintf("%v%v", loadModule, modSecCfg)},
 		{"configmap disabled, annotation disabled, OWASP disabled", false, false, false, true, false, "", "", ""},
-		{"configmap disabled, annotation enabled, OWASP disabled", false, false, true, true, false, testRule, "", fmt.Sprintf("%v%v%v", loadModule, modsecRule, modSecCfg)},
-		{"configmap disabled, annotation enabled, OWASP enabled", false, false, true, true, false, testRule, "", fmt.Sprintf("%v%v%v", loadModule, modsecRule, modSecCfg)},
+		{"configmap disabled, annotation enabled, OWASP disabled", false, false, true, true, false, testRule, "", fmt.Sprintf("%v%v", loadModule, modsecRule)},
+		{"configmap disabled, annotation enabled, OWASP enabled", false, false, true, true, false, testRule, "", fmt.Sprintf("%v%v", loadModule, modsecRule)},
 	}
 
 	for _, testCase := range testCases {
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index c6e978ffe..0cc8d3cab 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -153,10 +153,10 @@ http {
     modsecurity_rules '
       {{ $all.Cfg.ModsecuritySnippet }}
     ';
-    {{ end }}
-
+    {{ else }}
     modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
-
+    {{ end }}
+    
     {{ if $all.Cfg.EnableOWASPCoreRules }}
     modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;
     {{ end }}
diff --git a/test/e2e/annotations/modsecurity/modsecurity.go b/test/e2e/annotations/modsecurity/modsecurity.go
index f88d6541e..4de85818d 100644
--- a/test/e2e/annotations/modsecurity/modsecurity.go
+++ b/test/e2e/annotations/modsecurity/modsecurity.go
@@ -342,4 +342,41 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
 			Expect().
 			Status(http.StatusOK)
 	})
+
+	ginkgo.It("should disable default modsecurity conf setting when modsecurity-snippet is specified", func() {
+		host := "modsecurity.foo.com"
+		nameSpace := f.Namespace
+
+		snippet := `SecRuleEngine On
+		SecRequestBodyAccess On
+		SecAuditEngine RelevantOnly
+		SecAuditLogParts ABIJDEFHZ
+		SecAuditLogType Concurrent
+		SecAuditLog /var/tmp/modsec_audit.log
+		SecAuditLogStorageDir /var/tmp/
+		SecRule REQUEST_HEADERS:User-Agent \"block-ua\" \"log,deny,id:107,status:403,msg:\'UA blocked\'\"`
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-modsecurity":  "true",
+			"nginx.ingress.kubernetes.io/modsecurity-snippet": snippet,
+		}
+		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root, {, }")
+		// Sleep a while just to guarantee that the configmap is applied
+		framework.Sleep()
+		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return !strings.Contains(server, "modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;") &&
+					strings.Contains(server, "SecAuditLog /var/tmp/modsec_audit.log")
+			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("User-Agent", "block-ua").
+			Expect().
+			Status(http.StatusForbidden)
+	})
 })

From cf6ea087392f6f14aeec76664e0fe99f294fe2b1 Mon Sep 17 00:00:00 2001
From: Noah Ispas <13436814+iamNoah1@users.noreply.github.com>
Date: Thu, 23 Dec 2021 20:40:30 +0100
Subject: [PATCH 260/376] align bug report with feature request regarding kind
 documentation (#8051)

---
 .github/ISSUE_TEMPLATE/bug_report.md | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index f266d0f29..9f8fd83ba 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -131,6 +131,9 @@ kubectl exec -it -n ingress-nginx $POD_NAME -- curl -H 'Host: foo.bar' localhost
 
 **Anything else we need to know**:
 
-<!-- If this is actually about documentation, add `/kind documentation` below -->
+<!-- If this is actually about documentation, uncomment the following block -->
 
-/kind bug
+<!-- 
+/kind documentation
+/remove-kind bug
+-->

From ce9deaa33280c6125d67a4da765a94114d048862 Mon Sep 17 00:00:00 2001
From: Tobias Salzmann <796084+Eun@users.noreply.github.com>
Date: Thu, 23 Dec 2021 20:46:30 +0100
Subject: [PATCH 261/376] Add stream-snippet as a ConfigMap and Annotation
 option (#8029)

* stream snippet

* gofmt -s
---
 .../nginx-configuration/annotations.md        |  18 +++
 .../nginx-configuration/configmap.md          |   5 +
 internal/ingress/annotations/annotations.go   |   3 +
 .../ingress/annotations/streamsnippet/main.go |  40 +++++
 .../annotations/streamsnippet/main_test.go    |  64 ++++++++
 internal/ingress/controller/config/config.go  |  12 +-
 internal/ingress/controller/controller.go     |  17 +++
 internal/ingress/controller/nginx.go          |   1 +
 internal/ingress/types.go                     |   2 +
 rootfs/etc/nginx/template/nginx.tmpl          |   5 +
 test/e2e/annotations/streamsnippet.go         | 138 ++++++++++++++++++
 test/e2e/settings/stream_snippet.go           |  85 +++++++++++
 12 files changed, 386 insertions(+), 4 deletions(-)
 create mode 100644 internal/ingress/annotations/streamsnippet/main.go
 create mode 100644 internal/ingress/annotations/streamsnippet/main_test.go
 create mode 100644 test/e2e/annotations/streamsnippet.go
 create mode 100644 test/e2e/settings/stream_snippet.go

diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
index 46f7c23d4..5a217c27d 100755
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@@ -99,6 +99,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
 |[nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none](#cookie-affinity)|"true" or "false"|
 |[nginx.ingress.kubernetes.io/ssl-redirect](#server-side-https-enforcement-through-redirect)|"true" or "false"|
 |[nginx.ingress.kubernetes.io/ssl-passthrough](#ssl-passthrough)|"true" or "false"|
+|[nginx.ingress.kubernetes.io/stream-snippet](#stream-snippet)|string|
 |[nginx.ingress.kubernetes.io/upstream-hash-by](#custom-nginx-upstream-hashing)|string|
 |[nginx.ingress.kubernetes.io/x-forwarded-prefix](#x-forwarded-prefix-header)|string|
 |[nginx.ingress.kubernetes.io/load-balance](#custom-nginx-load-balancing)|string|
@@ -927,3 +928,20 @@ nginx.ingress.kubernetes.io/mirror-request-body: "off"
 The request sent to the mirror is linked to the original request. If you have a slow mirror backend, then the original request will throttle.
 
 For more information on the mirror module see [ngx_http_mirror_module](https://nginx.org/en/docs/http/ngx_http_mirror_module.html)
+
+
+### Stream snippet
+
+Using the annotation `nginx.ingress.kubernetes.io/stream-snippet` it is possible to add custom stream configuration.
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/stream-snippet: |
+      server {
+        listen 8000;
+        proxy_pass 127.0.0.1:80;
+      }
+```
\ No newline at end of file
diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index b217eee49..d35a19b1a 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -156,6 +156,7 @@ The following table shows a configuration option's name, type, and the default v
 |[main-snippet](#main-snippet)|string|""|
 |[http-snippet](#http-snippet)|string|""|
 |[server-snippet](#server-snippet)|string|""|
+|[stream-snippet](#stream-snippet)|string|""|
 |[location-snippet](#location-snippet)|string|""|
 |[custom-http-errors](#custom-http-errors)|[]int|[]int{}|
 |[proxy-body-size](#proxy-body-size)|string|"1m"|
@@ -988,6 +989,10 @@ Adds custom configuration to the http section of the nginx configuration.
 
 Adds custom configuration to all the servers in the nginx configuration.
 
+## stream-snippet
+
+Adds custom configuration to the stream section of the nginx configuration.
+
 ## location-snippet
 
 Adds custom configuration to all the locations in the nginx configuration.
diff --git a/internal/ingress/annotations/annotations.go b/internal/ingress/annotations/annotations.go
index 9fb53dd1e..fe7400ac7 100644
--- a/internal/ingress/annotations/annotations.go
+++ b/internal/ingress/annotations/annotations.go
@@ -22,6 +22,7 @@ import (
 	"k8s.io/ingress-nginx/internal/ingress/annotations/modsecurity"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/proxyssl"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/sslcipher"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/streamsnippet"
 	"k8s.io/klog/v2"
 
 	apiv1 "k8s.io/api/core/v1"
@@ -115,6 +116,7 @@ type Ingress struct {
 	InfluxDB           influxdb.Config
 	ModSecurity        modsecurity.Config
 	Mirror             mirror.Config
+	StreamSnippet      string
 }
 
 // Extractor defines the annotation parsers to be used in the extraction of annotations
@@ -165,6 +167,7 @@ func NewAnnotationExtractor(cfg resolver.Resolver) Extractor {
 			"BackendProtocol":      backendprotocol.NewParser(cfg),
 			"ModSecurity":          modsecurity.NewParser(cfg),
 			"Mirror":               mirror.NewParser(cfg),
+			"StreamSnippet":        streamsnippet.NewParser(cfg),
 		},
 	}
 }
diff --git a/internal/ingress/annotations/streamsnippet/main.go b/internal/ingress/annotations/streamsnippet/main.go
new file mode 100644
index 000000000..fb22f754c
--- /dev/null
+++ b/internal/ingress/annotations/streamsnippet/main.go
@@ -0,0 +1,40 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package streamsnippet
+
+import (
+	networking "k8s.io/api/networking/v1"
+
+	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
+	"k8s.io/ingress-nginx/internal/ingress/resolver"
+)
+
+type streamSnippet struct {
+	r resolver.Resolver
+}
+
+// NewParser creates a new server snippet annotation parser
+func NewParser(r resolver.Resolver) parser.IngressAnnotation {
+	return streamSnippet{r}
+}
+
+// Parse parses the annotations contained in the ingress rule
+// used to indicate if the location/s contains a fragment of
+// configuration to be included inside the paths of the rules
+func (a streamSnippet) Parse(ing *networking.Ingress) (interface{}, error) {
+	return parser.GetStringAnnotation("stream-snippet", ing)
+}
diff --git a/internal/ingress/annotations/streamsnippet/main_test.go b/internal/ingress/annotations/streamsnippet/main_test.go
new file mode 100644
index 000000000..0b8e3e3aa
--- /dev/null
+++ b/internal/ingress/annotations/streamsnippet/main_test.go
@@ -0,0 +1,64 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package streamsnippet
+
+import (
+	"testing"
+
+	api "k8s.io/api/core/v1"
+	networking "k8s.io/api/networking/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
+	"k8s.io/ingress-nginx/internal/ingress/resolver"
+)
+
+func TestParse(t *testing.T) {
+	annotation := parser.GetAnnotationWithPrefix("stream-snippet")
+
+	ap := NewParser(&resolver.Mock{})
+	if ap == nil {
+		t.Fatalf("expected a parser.IngressAnnotation but returned nil")
+	}
+
+	testCases := []struct {
+		annotations map[string]string
+		expected    string
+	}{
+		{map[string]string{annotation: "server { listen: 8000; proxy_pass 127.0.0.1:80}"},
+			"server { listen: 8000; proxy_pass 127.0.0.1:80}",
+		},
+		{map[string]string{annotation: "false"}, "false"},
+		{map[string]string{}, ""},
+		{nil, ""},
+	}
+
+	ing := &networking.Ingress{
+		ObjectMeta: meta_v1.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+		Spec: networking.IngressSpec{},
+	}
+
+	for _, testCase := range testCases {
+		ing.SetAnnotations(testCase.annotations)
+		result, _ := ap.Parse(ing)
+		if result != testCase.expected {
+			t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations)
+		}
+	}
+}
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
index d17135f1c..f37516e78 100644
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@@ -659,6 +659,9 @@ type Configuration struct {
 	// ServerSnippet adds custom configuration to all the servers in the nginx configuration
 	ServerSnippet string `json:"server-snippet"`
 
+	// StreamSnippet adds custom configuration to the stream section of the nginx configuration
+	StreamSnippet string `json:"stream-snippet"`
+
 	// LocationSnippet adds custom configuration to all the locations in the nginx configuration
 	LocationSnippet string `json:"location-snippet"`
 
@@ -956,10 +959,11 @@ type TemplateConfig struct {
 	MaxmindEditionFiles      *[]string
 	MonitorMaxBatchSize      int
 
-	PID        string
-	StatusPath string
-	StatusPort int
-	StreamPort int
+	PID            string
+	StatusPath     string
+	StatusPort     int
+	StreamPort     int
+	StreamSnippets []string
 }
 
 // ListenPorts describe the ports required to run the
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 99d1c8f35..7d958a626 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -538,6 +538,7 @@ func (n *NGINXController) getConfiguration(ingresses []*ingress.Ingress) (sets.S
 		PassthroughBackends:   passUpstreams,
 		BackendConfigChecksum: n.store.GetBackendConfiguration().Checksum,
 		DefaultSSLCertificate: n.getDefaultSSLCertificate(),
+		StreamSnippets:        n.getStreamSnippets(ingresses),
 	}
 }
 
@@ -562,6 +563,11 @@ func dropSnippetDirectives(anns *annotations.Ingress, ingKey string) {
 			anns.ExternalAuth.AuthSnippet = ""
 		}
 
+		if anns.StreamSnippet != "" {
+			klog.V(3).Infof("Ingress %q tried to use stream-snippet and the annotation is disabled by the admin. Removing the annotation", ingKey)
+			anns.StreamSnippet = ""
+		}
+
 	}
 }
 
@@ -1779,3 +1785,14 @@ func ingressForHostPath(hostname, path string, servers []*ingress.Server) []*net
 
 	return ingresses
 }
+
+func (n *NGINXController) getStreamSnippets(ingresses []*ingress.Ingress) []string {
+	snippets := make([]string, 0, len(ingresses))
+	for _, i := range ingresses {
+		if i.ParsedAnnotations.StreamSnippet == "" {
+			continue
+		}
+		snippets = append(snippets, i.ParsedAnnotations.StreamSnippet)
+	}
+	return snippets
+}
diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go
index 4d1aa3916..ed5590c3e 100644
--- a/internal/ingress/controller/nginx.go
+++ b/internal/ingress/controller/nginx.go
@@ -599,6 +599,7 @@ func (n NGINXController) generateTemplate(cfg ngx_config.Configuration, ingressC
 		StatusPath:               nginx.StatusPath,
 		StatusPort:               nginx.StatusPort,
 		StreamPort:               nginx.StreamPort,
+		StreamSnippets:           append(ingressCfg.StreamSnippets, cfg.StreamSnippet),
 	}
 
 	tc.Cfg.Checksum = ingressCfg.ConfigurationChecksum
diff --git a/internal/ingress/types.go b/internal/ingress/types.go
index 78c2245ff..db4f37f99 100644
--- a/internal/ingress/types.go
+++ b/internal/ingress/types.go
@@ -76,6 +76,8 @@ type Configuration struct {
 	ConfigurationChecksum string `json:"configurationChecksum,omitempty"`
 
 	DefaultSSLCertificate *SSLCert `json:"-"`
+
+	StreamSnippets []string
 }
 
 // Backend describes one or more remote server/s (endpoints) associated with a service
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 0cc8d3cab..bf780fe80 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -827,6 +827,11 @@ stream {
         proxy_pass              upstream_balancer;
     }
     {{ end }}
+
+    # Stream Snippets
+    {{ range $snippet := .StreamSnippets }}
+    {{ $snippet }}
+    {{ end }}
 }
 
 {{/* definition of templates to avoid repetitions */}}
diff --git a/test/e2e/annotations/streamsnippet.go b/test/e2e/annotations/streamsnippet.go
new file mode 100644
index 000000000..cc9aca715
--- /dev/null
+++ b/test/e2e/annotations/streamsnippet.go
@@ -0,0 +1,138 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package annotations
+
+import (
+	"context"
+	"fmt"
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"net/http"
+	"strings"
+
+	"github.com/onsi/ginkgo"
+
+	"k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+var _ = framework.DescribeSetting("stream-snippet", func() {
+	f := framework.NewDefaultFramework("stream-snippet")
+
+	ginkgo.BeforeEach(func() {
+		f.NewEchoDeployment()
+	})
+
+	ginkgo.It("should add value of stream-snippet to nginx config", func() {
+		host := "foo.com"
+
+		snippet := `server {listen 8000; proxy_pass 127.0.0.1:80;}`
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, map[string]string{
+			"nginx.ingress.kubernetes.io/stream-snippet": snippet,
+		})
+		f.EnsureIngress(ing)
+
+		svc, err := f.KubeClientSet.
+			CoreV1().
+			Services(f.Namespace).
+			Get(context.TODO(), "nginx-ingress-controller", metav1.GetOptions{})
+		assert.Nil(ginkgo.GinkgoT(), err, "unexpected error obtaining ingress-nginx service")
+		assert.NotNil(ginkgo.GinkgoT(), svc, "expected a service but none returned")
+
+		svc.Spec.Ports = append(svc.Spec.Ports, corev1.ServicePort{
+			Name:       framework.EchoService,
+			Port:       8000,
+			TargetPort: intstr.FromInt(8000),
+		})
+
+		_, err = f.KubeClientSet.
+			CoreV1().
+			Services(f.Namespace).
+			Update(context.TODO(), svc, metav1.UpdateOptions{})
+		assert.Nil(ginkgo.GinkgoT(), err, "unexpected error updating service")
+
+		// Sleep a while just to guarantee that the configmap is applied
+		framework.Sleep()
+
+		f.WaitForNginxConfiguration(
+			func(cfg string) bool {
+				return strings.Contains(cfg, snippet)
+			})
+
+		f.HTTPTestClient().
+			GET("/healthz").
+			WithURL(fmt.Sprintf("http://%v:8000/healthz", f.GetNginxIP())).
+			Expect().
+			Status(http.StatusOK)
+	})
+
+	ginkgo.It("should add stream-snippet and drop annotations per admin config", func() {
+		host := "cm.foo.com"
+		hostAnnot := "annot.foo.com"
+
+		cmSnippet := `server {listen 8000; proxy_pass 127.0.0.1:80;}`
+		annotSnippet := `server {listen 8001; proxy_pass 127.0.0.1:80;}`
+
+		f.SetNginxConfigMapData(map[string]string{
+			"allow-snippet-annotations": "false",
+			"stream-snippet":            cmSnippet,
+		})
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)
+		f.EnsureIngress(ing)
+
+		ing1 := framework.NewSingleIngress(hostAnnot, "/", hostAnnot, f.Namespace, framework.EchoService, 80, map[string]string{
+			"nginx.ingress.kubernetes.io/stream-snippet": annotSnippet,
+		})
+		f.EnsureIngress(ing1)
+
+		svc, err := f.KubeClientSet.
+			CoreV1().
+			Services(f.Namespace).
+			Get(context.TODO(), "nginx-ingress-controller", metav1.GetOptions{})
+		assert.Nil(ginkgo.GinkgoT(), err, "unexpected error obtaining ingress-nginx service")
+		assert.NotNil(ginkgo.GinkgoT(), svc, "expected a service but none returned")
+
+		svc.Spec.Ports = append(svc.Spec.Ports, corev1.ServicePort{
+			Name:       framework.EchoService,
+			Port:       8000,
+			TargetPort: intstr.FromInt(8000),
+		})
+
+		_, err = f.KubeClientSet.
+			CoreV1().
+			Services(f.Namespace).
+			Update(context.TODO(), svc, metav1.UpdateOptions{})
+		assert.Nil(ginkgo.GinkgoT(), err, "unexpected error updating service")
+
+		// Sleep a while just to guarantee that the configmap is applied
+		framework.Sleep()
+
+		f.WaitForNginxConfiguration(
+			func(cfg string) bool {
+				return strings.Contains(cfg, cmSnippet) && !strings.Contains(cfg, annotSnippet)
+			})
+
+		f.HTTPTestClient().
+			GET("/healthz").
+			WithURL(fmt.Sprintf("http://%v:8000/healthz", f.GetNginxIP())).
+			Expect().
+			Status(http.StatusOK)
+	})
+})
diff --git a/test/e2e/settings/stream_snippet.go b/test/e2e/settings/stream_snippet.go
new file mode 100644
index 000000000..90f928c23
--- /dev/null
+++ b/test/e2e/settings/stream_snippet.go
@@ -0,0 +1,85 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package settings
+
+import (
+	"context"
+	"fmt"
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"net/http"
+	"strings"
+
+	"github.com/onsi/ginkgo"
+
+	"k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+var _ = framework.DescribeSetting("configmap stream-snippet", func() {
+	f := framework.NewDefaultFramework("cm-stream-snippet")
+
+	ginkgo.BeforeEach(func() {
+		f.NewEchoDeployment()
+	})
+
+	ginkgo.It("should add value of stream-snippet via config map to nginx config", func() {
+		host := "foo.com"
+		snippet := `server {listen 8000; proxy_pass 127.0.0.1:80;}`
+
+		f.SetNginxConfigMapData(map[string]string{
+			"stream-snippet": snippet,
+		})
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)
+		f.EnsureIngress(ing)
+
+		svc, err := f.KubeClientSet.
+			CoreV1().
+			Services(f.Namespace).
+			Get(context.TODO(), "nginx-ingress-controller", metav1.GetOptions{})
+		assert.Nil(ginkgo.GinkgoT(), err, "unexpected error obtaining ingress-nginx service")
+		assert.NotNil(ginkgo.GinkgoT(), svc, "expected a service but none returned")
+
+		svc.Spec.Ports = append(svc.Spec.Ports, corev1.ServicePort{
+			Name:       framework.EchoService,
+			Port:       8000,
+			TargetPort: intstr.FromInt(8000),
+		})
+
+		_, err = f.KubeClientSet.
+			CoreV1().
+			Services(f.Namespace).
+			Update(context.TODO(), svc, metav1.UpdateOptions{})
+		assert.Nil(ginkgo.GinkgoT(), err, "unexpected error updating service")
+
+		// Sleep a while just to guarantee that the configmap is applied
+		framework.Sleep()
+
+		f.WaitForNginxConfiguration(
+			func(cfg string) bool {
+				return strings.Contains(cfg, snippet)
+			})
+
+		f.HTTPTestClient().
+			GET("/healthz").
+			WithURL(fmt.Sprintf("http://%v:8000/healthz", f.GetNginxIP())).
+			Expect().
+			Status(http.StatusOK)
+	})
+})

From d5fd674313330f322a598752ddbe07fecc098be7 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 23 Dec 2021 11:48:29 -0800
Subject: [PATCH 262/376] Bump github.com/spf13/cobra from 1.2.1 to 1.3.0
 (#8058)

Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.2.1 to 1.3.0.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Changelog](https://github.com/spf13/cobra/blob/master/CHANGELOG.md)
- [Commits](https://github.com/spf13/cobra/compare/v1.2.1...v1.3.0)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod |  29 ++++-----
 go.sum | 201 ++++++++++++++++++++++++++++++++++++++++++++++++---------
 2 files changed, 186 insertions(+), 44 deletions(-)

diff --git a/go.mod b/go.mod
index ea740a4e4..dc45a8044 100644
--- a/go.mod
+++ b/go.mod
@@ -10,10 +10,9 @@ require (
 	github.com/imdario/mergo v0.3.12
 	github.com/json-iterator/go v1.1.12
 	github.com/kylelemons/godebug v1.1.0
-	github.com/mattn/go-isatty v0.0.12 // indirect
 	github.com/mitchellh/go-ps v1.0.0
 	github.com/mitchellh/hashstructure v1.1.0
-	github.com/mitchellh/mapstructure v1.4.2
+	github.com/mitchellh/mapstructure v1.4.3
 	github.com/moul/pb v0.0.0-20180404114147-54bdd96e6a52
 	github.com/ncabatoff/process-exporter v0.7.9
 	github.com/onsi/ginkgo v1.16.4
@@ -23,13 +22,13 @@ require (
 	github.com/prometheus/client_golang v1.11.0
 	github.com/prometheus/client_model v0.2.0
 	github.com/prometheus/common v0.31.1
-	github.com/spf13/cobra v1.2.1
+	github.com/spf13/cobra v1.3.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.7.0
 	github.com/zakjan/cert-chain-resolver v0.0.0-20210427055340-87e10242a981
-	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97
-	golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d
-	google.golang.org/grpc v1.41.0
+	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
+	golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d
+	google.golang.org/grpc v1.42.0
 	gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
 	gopkg.in/go-playground/pool.v3 v3.1.1
 	k8s.io/api v0.22.2
@@ -48,7 +47,7 @@ require (
 )
 
 require (
-	cloud.google.com/go v0.81.0 // indirect
+	cloud.google.com/go v0.99.0 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest v0.11.18 // indirect
 	github.com/Azure/go-autorest/autorest/adal v0.9.13 // indirect
@@ -62,7 +61,7 @@ require (
 	github.com/andybalholm/brotli v1.0.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
-	github.com/cespare/xxhash/v2 v2.1.1 // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/coreos/go-systemd/v22 v22.3.2 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -121,17 +120,17 @@ require (
 	github.com/yudai/gojsondiff v1.0.0 // indirect
 	github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
-	golang.org/x/mod v0.4.2 // indirect
-	golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c // indirect
-	golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2 // indirect
+	golang.org/x/mod v0.5.0 // indirect
+	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
+	golang.org/x/sys v0.0.0-20211205182925-97ca703d548d // indirect
 	golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d // indirect
-	golang.org/x/text v0.3.6 // indirect
+	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
-	golang.org/x/tools v0.1.2 // indirect
+	golang.org/x/tools v0.1.5 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c // indirect
-	google.golang.org/protobuf v1.26.0 // indirect
+	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect
+	google.golang.org/protobuf v1.27.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
diff --git a/go.sum b/go.sum
index 02f4f714f..669f21dc4 100644
--- a/go.sum
+++ b/go.sum
@@ -17,8 +17,17 @@ cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKP
 cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk=
 cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg=
 cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8=
-cloud.google.com/go v0.81.0 h1:at8Tk2zUz63cLPR0JPWm5vp77pEZmzxEQBEfRKn1VV8=
 cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0=
+cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY=
+cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM=
+cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY=
+cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ=
+cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI=
+cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4=
+cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc=
+cloud.google.com/go v0.98.0/go.mod h1:ua6Ush4NALrHk5QXDWnjvZHN93OuF0HfuEPq9I1X0cM=
+cloud.google.com/go v0.99.0 h1:y/cM2iqGgGi5D5DQZl6D9STN/3dR/Vx5Mp8s752oJTY=
+cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
@@ -28,6 +37,7 @@ cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM7
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
+cloud.google.com/go/firestore v1.6.1/go.mod h1:asNXNOzBdyVQmEU+ggO8UPodTkEVFW5Qx+rwHnAz+EY=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
 cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
@@ -60,6 +70,7 @@ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBp
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
@@ -90,9 +101,11 @@ github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
+github.com/armon/go-metrics v0.3.10/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc=
 github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a h1:AP/vsCIvJZ129pdm9Ek7bH7yutN3hByqsMoNrWAxRQc=
 github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a/go.mod h1:QmP9hvJ91BbJmGVGSbutW19IC0Q9phDCLGaomwTJbgU=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
+github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a/go.mod h1:DAHtR1m6lCRdSC2Tm3DSWRPvIPr6xNKyeHdqDQSQT+A=
 github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
@@ -108,29 +121,38 @@ github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6r
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
-github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
 github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ=
 github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
 github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
-github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
+github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
+github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
+github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
 github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
+github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
 github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo=
 github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA=
@@ -152,6 +174,7 @@ github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfc
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
@@ -185,8 +208,11 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
 github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
+github.com/envoyproxy/go-control-plane v0.10.1/go.mod h1:AY7fTTXNdv/aJ2O5jwpxAPOWUZ7hQAEvzN5Pf27BkQQ=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/envoyproxy/protoc-gen-validate v0.6.2/go.mod h1:2t7qjJNvHPx8IjnBOzl9E9/baC+qXE/TeeyBRzgJDws=
 github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
 github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
@@ -195,6 +221,8 @@ github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQL
 github.com/fasthttp/websocket v1.4.3-rc.6 h1:omHqsl8j+KXpmzRjF8bmzOSYJ8GnS0E3efi1wYT+niY=
 github.com/fasthttp/websocket v1.4.3-rc.6/go.mod h1:43W9OM2T8FeXpCWMsBd9Cb7nE2CACNqNvCqQCoty/Lc=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
+github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/fatih/structs v1.0.0 h1:BrX964Rv5uQ3wwS+KRUAJCBBw5PQmgJfJ6v4yly5QwU=
 github.com/fatih/structs v1.0.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
 github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
@@ -311,6 +339,7 @@ github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt
 github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
 github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
+github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -358,6 +387,7 @@ github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
+github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
@@ -369,6 +399,9 @@ github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLe
 github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
@@ -379,6 +412,8 @@ github.com/google/uuid v1.2.0 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs=
 github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
+github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0=
+github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM=
 github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg=
 github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
 github.com/googleapis/gnostic v0.5.5 h1:9fHAtK0uDfpveeqqo1hkEZJcFvYXAiCN3UutL8F9xHw=
@@ -402,14 +437,24 @@ github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE=
+github.com/hashicorp/consul/api v1.11.0/go.mod h1:XjsvQN+RJGWI2TWy1/kqaE16HrR2J/FWgkYjdZQsX9M=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
 github.com/hashicorp/consul/sdk v0.3.0/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
+github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
+github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
+github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
+github.com/hashicorp/go-hclog v1.0.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
+github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
+github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
+github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
+github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
 github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
 github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
@@ -418,13 +463,21 @@ github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09
 github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
+github.com/hashicorp/mdns v1.0.1/go.mod h1:4gW7WsVCke5TE7EPeYliwHlRUyBtfCwuFwuMg2DmyNY=
+github.com/hashicorp/mdns v1.0.4/go.mod h1:mtBihi+LeNXGtG8L9dX59gAEa12BDtBQSp4v/YAJqrc=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
+github.com/hashicorp/memberlist v0.2.2/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE=
+github.com/hashicorp/memberlist v0.3.0/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE=
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
+github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk=
+github.com/hashicorp/serf v0.9.6/go.mod h1:TXZNMjZQijwlDvp+r0b63xZ45H7JmCmgg4gpTwn9UV4=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/hudl/fargo v1.3.0/go.mod h1:y3CKSmjA+wD2gak7sUSXTAoopbhU08POFhmITJgmKTg=
+github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
@@ -445,6 +498,7 @@ github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
@@ -481,6 +535,7 @@ github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhn
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
 github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM=
 github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4=
+github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w=
 github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
@@ -494,19 +549,29 @@ github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA
 github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/markbates/pkger v0.17.1/go.mod h1:0JoVlrol20BSywW79rN3kdFFsE5xYM+rSCQDXbLhiuI=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
-github.com/mattn/go-colorable v0.1.2 h1:/bC9yWikZXAL9uJdulbSfyVNIR3n3trXl+v8+1sx8mU=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
+github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
+github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
+github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY=
+github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84=
+github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
+github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
+github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
 github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI=
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
+github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso=
+github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
+github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXxx3xhI=
 github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
@@ -518,9 +583,8 @@ github.com/mitchellh/hashstructure v1.1.0/go.mod h1:xUDAozZz0Wmdiufv0uyhnHkUTN6/
 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/mitchellh/mapstructure v1.4.2 h1:6h7AQ0yhTcIsmFmnAwQls75jp2Gzs4iB8W7pjMO+rqo=
-github.com/mitchellh/mapstructure v1.4.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/mapstructure v1.4.3 h1:OVowDSCllw/YjdLkam3/sm7wEtOy59d8ndGgCcyj8cs=
+github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mmarkdown/mmark v2.0.40+incompatible h1:vMeUeDzBK3H+/mU0oMVfMuhSXJlIA+DE/DMPQNAj5C4=
 github.com/mmarkdown/mmark v2.0.40+incompatible/go.mod h1:Uvmoz7tvsWpr7bMVxIpqZPyN3FbOtzDmnsJDFp7ltJs=
 github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
@@ -596,9 +660,10 @@ github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnh
 github.com/openzipkin/zipkin-go v0.2.2/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4=
 github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIwwtUjcrb0b5/5kLM=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
+github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
-github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
+github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
@@ -614,12 +679,14 @@ github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZ
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
+github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s=
 github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og=
+github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU=
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
 github.com/prometheus/client_golang v1.11.0 h1:HNkLOAEQMIDv/K+04rukrLx6ch7msSRwf3/SASFAGtQ=
 github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
@@ -635,6 +702,7 @@ github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA=
+github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4=
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
 github.com/prometheus/common v0.31.1 h1:d18hG4PkHnNAKNMOmFuXFaiY8Us0nird/2m60uS1AMs=
@@ -657,7 +725,9 @@ github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTE
 github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8=
 github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
+github.com/sagikazarmark/crypt v0.3.0/go.mod h1:uD/D+6UF4SrIR1uGEv7bBNkNqLGqUr43MRiaGWX1Nig=
 github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E=
 github.com/savsgio/gotils v0.0.0-20210617111740-97865ed5a873 h1:N3Af8f13ooDKcIhsmFT7Z05CStZWu4C7Md0uDEy4q6o=
 github.com/savsgio/gotils v0.0.0-20210617111740-97865ed5a873/go.mod h1:dmPawKuiAeG/aFYVs2i+Dyosoo7FNcm+Pi8iK6ZUrX8=
@@ -681,15 +751,16 @@ github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJ
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
+github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
 github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
 github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
 github.com/spf13/cobra v1.1.1/go.mod h1:WnodtKOvamDL/PwE2M4iKs8aMDBZ5Q5klgD3qfVJQMI=
 github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo=
-github.com/spf13/cobra v1.2.1 h1:+KmjbUw1hriSNMF55oPrkZcb27aECyrj8V2ytv7kWDw=
-github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk=
+github.com/spf13/cobra v1.3.0 h1:R7cSvGu+Vv+qX0gW5R/85dx2kmmJT5z5NM8ifdYjdn0=
+github.com/spf13/cobra v1.3.0/go.mod h1:BrRVncBjOJa/eUcVVm9CE+oC6as8k+VYr4NY7WCi9V4=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
@@ -699,7 +770,7 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
 github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
-github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
+github.com/spf13/viper v1.10.0/go.mod h1:SoyBPwAtKDzypXNDFKN5kzH7ppppbGZtls1UpIy5AsM=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
 github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
@@ -722,6 +793,7 @@ github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhV
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
+github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
 github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
 github.com/urfave/cli v1.17.1-0.20160602030128-01a33823596e/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
@@ -764,8 +836,11 @@ go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
 go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg=
 go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
+go.etcd.io/etcd/api/v3 v3.5.1/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
 go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
+go.etcd.io/etcd/client/pkg/v3 v3.5.1/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
 go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ=
+go.etcd.io/etcd/client/v2 v2.305.1/go.mod h1:pMEacxZW7o8pg4CrFE7pquyCJJzZvkvdD2RibOCCCGs=
 go.etcd.io/etcd/client/v3 v3.5.0/go.mod h1:AIKXXVX/DQXtfTEqBryiLTUXwON+GuvO6Z7lLS/oTh0=
 go.etcd.io/etcd/pkg/v3 v3.5.0/go.mod h1:UzJGatBQ1lXChBkQF0AuAtkRQMYnHubxAEYIrC3MSsE=
 go.etcd.io/etcd/raft/v3 v3.5.0/go.mod h1:UFOHSIvO/nKwd4lhkwabrTD3cqW5yVyYYf/KlD00Szc=
@@ -823,13 +898,14 @@ golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 h1:/UOmuWzQfxxo9UtlXMwuQU8CMgg1eZXqTRwkSQJWKOI=
-golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -864,8 +940,9 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.5.0 h1:UG21uOlmZabA4fW5i7ZX6bjw1xELEGg/ZLgZq9auk/Q=
+golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -890,6 +967,7 @@ golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -916,12 +994,14 @@ golang.org/x/net v0.0.0-20210224082022-3d97a244fca7/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
+golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d h1:20cMwl2fHAzkJMEA+8J4JgqBQcQGzbisXo31MIeenXI=
-golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d h1:LO7XpTYMwTqxjLcGWPijK3vRXg1aWdlNOVOHRq45d7c=
+golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -933,9 +1013,13 @@ golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c h1:pkQiBZBvdos9qq4wBAHqlzuZHEXo07pqV06ef90u1WI=
 golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 h1:RerP+noqYHUQ8CMRcPlC2nvTa4dcBIjegkuWdcUDuqg=
+golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -970,9 +1054,12 @@ golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191002063906-3421d5a6bb1c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -983,6 +1070,7 @@ golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1009,6 +1097,7 @@ golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1019,11 +1108,20 @@ golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2 h1:c8PlLMqBbOHoqtjteWm5/kbe6rNY2pbRfbIMVnepueo=
+golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211205182925-97ca703d548d h1:FjkYO/PPp4Wi0EAUOVLxePm7qVW4r4ctbWpURyuOD0E=
+golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d h1:SZxvLBoTP5yHO3Frd4z4vrF+DBX9vMVanchswa69toE=
@@ -1035,8 +1133,9 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1065,6 +1164,7 @@ golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgw
 golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -1107,8 +1207,12 @@ golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
-golang.org/x/tools v0.1.2 h1:kRBLX7v7Af8W7Gdbbc908OJcdgtK8bOz9Uaj8/F1ACA=
+golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.5 h1:ouewzE6p+/VEB31YYnTbEJdi8pFqKp4P4n85vwo3DHA=
+golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1138,7 +1242,17 @@ google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34q
 google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
 google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
 google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94=
-google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8=
+google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo=
+google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4=
+google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw=
+google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU=
+google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k=
+google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
+google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
+google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI=
+google.golang.org/api v0.59.0/go.mod h1:sT2boj7M9YJxZzgeZqXogmhfmRWDtPzT31xkieUbuZU=
+google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I=
+google.golang.org/api v0.62.0/go.mod h1:dKmwPCydfsad4qCH08MSdgWjfHOyfpd4VtDGgRFdavw=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -1191,8 +1305,30 @@ google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
-google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c h1:wtujag7C+4D6KMoulW9YauvK2lgdvCMS260jsqqBXr0=
+google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
 google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
+google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
+google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
+google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24=
+google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k=
+google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k=
+google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
+google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
+google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w=
+google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
+google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
+google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
+google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
+google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
+google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
+google.golang.org/genproto v0.0.0-20211008145708-270636b82663/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
+google.golang.org/genproto v0.0.0-20211028162531-8db9c33dc351/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
+google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
+google.golang.org/genproto v0.0.0-20211129164237-f09f9a12af12/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
+google.golang.org/genproto v0.0.0-20211203200212-54befc351ae9/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
+google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
+google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa h1:I0YcKz0I7OAhddo7ya8kMnvprhcWM045PmkBdMO9zN0=
+google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM=
@@ -1218,9 +1354,15 @@ google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAG
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
+google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
 google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.41.0 h1:f+PlOh7QV4iIJkPrx5NQ7qaNGFQ3OTse67yaDHfju4E=
-google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k=
+google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
+google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
+google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
+google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
+google.golang.org/grpc v1.42.0 h1:XT2/MFpuPFsEX2fWh3YQtHkZ+WYZFQRfaUgLZYj/p6A=
+google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
+google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -1232,8 +1374,9 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ=
+google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -1252,7 +1395,7 @@ gopkg.in/go-playground/pool.v3 v3.1.1/go.mod h1:pUAGBximS/hccTTSzEop6wvvQhVa3QPD
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=

From d6284d16728063c870aa602e0585999607acbcaa Mon Sep 17 00:00:00 2001
From: Noelle Leigh <5957867+noelleleigh@users.noreply.github.com>
Date: Thu, 23 Dec 2021 14:50:10 -0500
Subject: [PATCH 263/376] docs: fix typo'd executible name (#8041)

In "Checking ingress controller version", the paragraph cites the incorrect name for the executable (the one in the code block is correct).
This commit fixes that inconsistency.
---
 docs/deploy/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index b9ce87e5d..af29ef767 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -295,7 +295,7 @@ For more information about bare metal deployments (and how to use port 80 instea
 
 ### Checking ingress controller version
 
-Run `ingress-nginx-controller --version` within the pod, for instance with `kubectl exec`:
+Run `/nginx-ingress-controller --version` within the pod, for instance with `kubectl exec`:
 
 ```console
 POD_NAMESPACE=ingress-nginx

From 079d0cd41573ab0ef052b5398622e8c414eaa3d2 Mon Sep 17 00:00:00 2001
From: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Thu, 23 Dec 2021 15:02:29 -0500
Subject: [PATCH 264/376] Report expired certificates (#8045) (#8046)

Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
---
 internal/ingress/controller/controller.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 7d958a626..7c200bd8f 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -1332,7 +1332,10 @@ func (n *NGINXController) createServers(data []*ingress.Ingress,
 
 			servers[host].SSLCert = cert
 
-			if cert.ExpireTime.Before(time.Now().Add(240 * time.Hour)) {
+			now := time.Now()
+			if cert.ExpireTime.Before(now) {
+				klog.Warningf("SSL certificate for server %q expired (%v)", host, cert.ExpireTime)
+			} else if cert.ExpireTime.Before(now.Add(240 * time.Hour)) {
 				klog.Warningf("SSL certificate for server %q is about to expire (%v)", host, cert.ExpireTime)
 			}
 		}

From 362c97bd0976affb3d82074b65d46ae3f597692d Mon Sep 17 00:00:00 2001
From: ZxYuan <lvp0526@gmail.com>
Date: Fri, 24 Dec 2021 04:08:30 +0800
Subject: [PATCH 265/376] Remove force sync / 30s for non-external backends
 (#7958)

---
 rootfs/etc/nginx/lua/balancer.lua | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/rootfs/etc/nginx/lua/balancer.lua b/rootfs/etc/nginx/lua/balancer.lua
index b6c420c9f..2c6a83ae9 100644
--- a/rootfs/etc/nginx/lua/balancer.lua
+++ b/rootfs/etc/nginx/lua/balancer.lua
@@ -23,7 +23,6 @@ local ngx = ngx
 -- it will take <the delay until controller POSTed the backend object to the
 -- Nginx endpoint> + BACKENDS_SYNC_INTERVAL
 local BACKENDS_SYNC_INTERVAL = 1
-local BACKENDS_FORCE_SYNC_INTERVAL = 30
 
 local DEFAULT_LB_ALG = "round_robin"
 local IMPLEMENTATIONS = {
@@ -146,10 +145,7 @@ end
 
 local function sync_backends()
   local raw_backends_last_synced_at = configuration.get_raw_backends_last_synced_at()
-  ngx.update_time()
-  local current_timestamp = ngx.time()
-  if current_timestamp - backends_last_synced_at < BACKENDS_FORCE_SYNC_INTERVAL
-      and raw_backends_last_synced_at <= backends_last_synced_at then
+  if raw_backends_last_synced_at <= backends_last_synced_at then
     return
   end
 

From 66c5793af32f9ea9027bee054bad41268d1f7db1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 23 Dec 2021 13:20:29 -0800
Subject: [PATCH 266/376] Bump google.golang.org/grpc from 1.41.0 to 1.43.0
 (#8054)

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.41.0 to 1.43.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.41.0...v1.43.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/go.mod b/go.mod
index dc45a8044..6e2f1abf9 100644
--- a/go.mod
+++ b/go.mod
@@ -28,7 +28,7 @@ require (
 	github.com/zakjan/cert-chain-resolver v0.0.0-20210427055340-87e10242a981
 	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
 	golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d
-	google.golang.org/grpc v1.42.0
+	google.golang.org/grpc v1.43.0
 	gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
 	gopkg.in/go-playground/pool.v3 v3.1.1
 	k8s.io/api v0.22.2
diff --git a/go.sum b/go.sum
index 669f21dc4..96021702c 100644
--- a/go.sum
+++ b/go.sum
@@ -1360,8 +1360,9 @@ google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD
 google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.42.0 h1:XT2/MFpuPFsEX2fWh3YQtHkZ+WYZFQRfaUgLZYj/p6A=
 google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
+google.golang.org/grpc v1.43.0 h1:Eeu7bZtDZ2DpRCsLhUlcrLnvYaMK1Gz86a+hMVvELmM=
+google.golang.org/grpc v1.43.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=

From 8e9bf7f62c454bed1009a9a99ded721f1ed61ca0 Mon Sep 17 00:00:00 2001
From: learn0208 <learn0208@gmail.com>
Date: Fri, 24 Dec 2021 05:28:29 +0800
Subject: [PATCH 267/376] fix custom-error-pages file not exist (#7728)

---
 images/custom-error-pages/rootfs/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/images/custom-error-pages/rootfs/Dockerfile b/images/custom-error-pages/rootfs/Dockerfile
index fc09e92d1..cdceb032b 100755
--- a/images/custom-error-pages/rootfs/Dockerfile
+++ b/images/custom-error-pages/rootfs/Dockerfile
@@ -29,6 +29,7 @@ RUN go get . && \
 FROM gcr.io/distroless/static:nonroot
 
 COPY --from=builder /go/src/k8s.io/ingress-nginx/images/custom-error-pages/nginx-errors /
+COPY --from=builder /go/src/k8s.io/ingress-nginx/images/custom-error-pages/www /www
 USER nonroot:nonroot
 
 CMD ["/nginx-errors"]

From 6d4c51c31f0c36ab95a920f9f08fc858fdbd544e Mon Sep 17 00:00:00 2001
From: Bhumij Gupta <bhumijgupta@gmail.com>
Date: Fri, 24 Dec 2021 03:02:30 +0530
Subject: [PATCH 268/376] Added docs for --ingress-class-by-name flag in the
 cli arguments page (#7624)

* Added docs for --ingress-class-by-name flag in the cli arguments page

Signed-off-by: bhumijgupta <bhumijgupta@gmail.com>

* Updated docs to match the flag description in code

Signed-off-by: bhumijgupta <bhumijgupta@gmail.com>
---
 docs/user-guide/cli-arguments.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/user-guide/cli-arguments.md b/docs/user-guide/cli-arguments.md
index b3bac7d96..bbf06b720 100644
--- a/docs/user-guide/cli-arguments.md
+++ b/docs/user-guide/cli-arguments.md
@@ -28,6 +28,7 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment
 | `--http-port`                      | Port to use for servicing HTTP traffic. (default 80) |
 | `--https-port`                     | Port to use for servicing HTTPS traffic. (default 443) |
 | `--ingress-class`                  | Name of the ingress class this controller satisfies. The class of an Ingress object is set using the field IngressClassName in Kubernetes clusters version v1.18.0 or higher or the annotation "kubernetes.io/ingress.class" (deprecated). If this parameter is not set, or set to the default value of "nginx", it will handle ingresses with either an empty or "nginx" class name. |
+| `--ingress-class-by-name`          | Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class. (default false) |
 | `--kubeconfig`                     | Path to a kubeconfig file containing authorization and API server information. |
 | `--log_backtrace_at`               | when logging hits line file:N, emit a stack trace (default :0) |
 | `--log_dir`                        | If non-empty, write log files in this directory |

From 452515ca2f4961aef7e1624c596f4e75865f71f8 Mon Sep 17 00:00:00 2001
From: agile6v <agile6v@gmail.com>
Date: Fri, 24 Dec 2021 05:54:30 +0800
Subject: [PATCH 269/376] doc: improvement (#7996)

---
 docs/user-guide/nginx-configuration/annotations.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
index 5a217c27d..2dacc5293 100755
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@@ -641,7 +641,7 @@ Note: All timeout values are unitless and in seconds e.g. `nginx.ingress.kuberne
 
 ### Proxy redirect
 
-With the annotations `nginx.ingress.kubernetes.io/proxy-redirect-from` and `nginx.ingress.kubernetes.io/proxy-redirect-to` it is possible to
+The annotations `nginx.ingress.kubernetes.io/proxy-redirect-from` and `nginx.ingress.kubernetes.io/proxy-redirect-to` will set the first and second parameters of NGINX's proxy_redirect directive respectively. It is possible to
 set the text that should be changed in the `Location` and `Refresh` header fields of a [proxied server response](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect)
 
 Setting "off" or "default" in the annotation `nginx.ingress.kubernetes.io/proxy-redirect-from` disables `nginx.ingress.kubernetes.io/proxy-redirect-to`,

From 1bd083276d41261cf2025a964cfbe247369f4336 Mon Sep 17 00:00:00 2001
From: nasa9084 <nasa9084@users.noreply.github.com>
Date: Thu, 30 Dec 2021 02:21:36 +0900
Subject: [PATCH 270/376] set edit_uri value with main branch (#8088)

---
 mkdocs.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mkdocs.yml b/mkdocs.yml
index e15e015dc..c76a640f6 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -2,6 +2,7 @@ site_name: NGINX Ingress Controller
 repo_name: "kubernetes/ingress-nginx"
 repo_url: https://github.com/kubernetes/ingress-nginx
 site_url: https://kubernetes.github.io/ingress-nginx
+edit_uri: edit/main/docs/
 
 # Extensions
 markdown_extensions:

From a14edba8d562390da444023256dad7175122b170 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20M=C3=B3zes?= <hydrapolic@gmail.com>
Date: Thu, 30 Dec 2021 01:02:50 +0100
Subject: [PATCH 271/376] Expose GeoIP2 Continent code as variable (#8072)

---
 rootfs/etc/nginx/template/nginx.tmpl | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index bf780fe80..954d07fd7 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -181,6 +181,7 @@ http {
     geoip2 /etc/nginx/geoip/GeoLite2-Country.mmdb {
         $geoip2_country_code source=$remote_addr country iso_code;
         $geoip2_country_name source=$remote_addr country names en;
+        $geoip2_continent_code source=$remote_addr continent code;
         $geoip2_continent_name source=$remote_addr continent names en;
     }
     {{ end }}
@@ -189,6 +190,7 @@ http {
     geoip2 /etc/nginx/geoip/GeoIP2-Country.mmdb {
         $geoip2_country_code source=$remote_addr country iso_code;
         $geoip2_country_name source=$remote_addr country names en;
+        $geoip2_continent_code source=$remote_addr continent code;
         $geoip2_continent_name source=$remote_addr continent names en;
     }
     {{ end }}

From e625c2507a4b73f779daa8b375aeeb0ad8ca5fa2 Mon Sep 17 00:00:00 2001
From: Wei Wu <62574090+weiwu-sre@users.noreply.github.com>
Date: Wed, 29 Dec 2021 16:14:50 -0800
Subject: [PATCH 272/376] Fix chashsubset backend with canary (#7235)

* Fix chashsubset backend with canary

* use floor for buckets calculation to remove hot spot

* Remove testing code
---
 rootfs/etc/nginx/lua/balancer/chashsubset.lua    |  5 +++--
 .../nginx/lua/test/balancer/chashsubset_test.lua | 16 ++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/rootfs/etc/nginx/lua/balancer/chashsubset.lua b/rootfs/etc/nginx/lua/balancer/chashsubset.lua
index d9ceb471e..f004521bd 100644
--- a/rootfs/etc/nginx/lua/balancer/chashsubset.lua
+++ b/rootfs/etc/nginx/lua/balancer/chashsubset.lua
@@ -25,7 +25,6 @@ local function build_subset_map(backend)
 
   local set_count = math.ceil(#endpoints/subset_size)
   local node_count = set_count * subset_size
-
   -- if we don't have enough endpoints, we reuse endpoints in the last set to
   -- keep the same number on all of them.
   local j = 1
@@ -61,7 +60,9 @@ function _M.new(self, backend)
     instance = resty_chash:new(subset_map),
     hash_by = complex_val,
     subsets = subsets,
-    current_endpoints = backend.endpoints
+    current_endpoints = backend.endpoints,
+    traffic_shaping_policy = backend.trafficShapingPolicy,
+    alternative_backends = backend.alternativeBackends,
   }
   setmetatable(o, self)
   self.__index = self
diff --git a/rootfs/etc/nginx/lua/test/balancer/chashsubset_test.lua b/rootfs/etc/nginx/lua/test/balancer/chashsubset_test.lua
index bbf55838c..59cb1e588 100644
--- a/rootfs/etc/nginx/lua/test/balancer/chashsubset_test.lua
+++ b/rootfs/etc/nginx/lua/test/balancer/chashsubset_test.lua
@@ -86,5 +86,21 @@ describe("Balancer chash subset", function()
         assert.are.equal(#endpoints, 3)
       end
     end)
+
+    it("set alternative backends", function()
+      local backend = get_test_backend(7)
+      backend.trafficShapingPolicy  = {
+        weight = 0,
+        header = "",
+        headerValue = "",
+        cookie = ""
+      }
+      backend.alternativeBackends = {
+        "my-dummy-canary-backend"
+      }
+      local instance = balancer_chashsubset:new(backend)
+      assert.not_equal(instance.traffic_shaping_policy, nil)
+      assert.not_equal(instance.alternative_backends, nil)
+    end)
   end)
 end)

From 71de8e1a23fac0f3fc4c6cf87d9e454573604a69 Mon Sep 17 00:00:00 2001
From: Scott Crooks <sc250024@users.noreply.github.com>
Date: Sat, 8 Jan 2022 11:53:04 +0100
Subject: [PATCH 273/376] docs(charts): using helm-docs for chart (#8061)

This enables the use of the `helm-docs` tool on the Helm chart located in `charts/ingress-nginx`. This will make it possible to automatically document new variables in the `values.yaml` file.

Signed-off-by: Scott Crooks <scott.crooks@gmail.com>
---
 .github/workflows/ci.yaml             |  12 +
 charts/ingress-nginx/CHANGELOG.md     |   4 +
 charts/ingress-nginx/Chart.yaml       |   4 +-
 charts/ingress-nginx/README.md        | 253 +++++++++++++++++++
 charts/ingress-nginx/README.md.gotmpl | 235 ++++++++++++++++++
 charts/ingress-nginx/values.yaml      | 334 +++++++++++++-------------
 6 files changed, 670 insertions(+), 172 deletions(-)
 create mode 100644 charts/ingress-nginx/README.md.gotmpl

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index b7cf3bce1..a6dfe75da 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -123,6 +123,11 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v2
 
+      - name: Setup Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: '^1.17'
+
       - name: cache
         uses: actions/download-artifact@v2
         with:
@@ -132,6 +137,13 @@ jobs:
         run: |
           ./build/run-in-docker.sh ./hack/verify-chart-lint.sh
 
+      - name: Run helm-docs
+        run: |
+          GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.6.0
+          ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts
+          git diff --exit-code
+          rm -f ./helm-docs
+
       - name: fix permissions
         run: |
           sudo mkdir -p $HOME/.kube
diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md
index e895efc36..91dbb0dc7 100644
--- a/charts/ingress-nginx/CHANGELOG.md
+++ b/charts/ingress-nginx/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
 
+### 4.0.14
+
+- [8061] https://github.com/kubernetes/ingress-nginx/pull/8061 Using helm-docs to populate values table in README.md
+
 ### 4.0.13
 
 - [8008] https://github.com/kubernetes/ingress-nginx/pull/8008 Add relabelings in controller-servicemonitor.yaml
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 729a011ec..dd01623cf 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.0.13
+version: 4.0.14
 appVersion: 1.1.0
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
@@ -24,4 +24,4 @@ annotations:
   # List of changes for the release in artifacthub.io
   # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog
   artifacthub.io/changes: |
-    - use controller v1.1.0
+    - using helm-docs to populate values table in README.md
diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index 5e5c8b235..0407f7a79 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -2,6 +2,8 @@
 
 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 
+![Version: 4.0.14](https://img.shields.io/badge/Version-4.0.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.0](https://img.shields.io/badge/AppVersion-1.1.0-informational?style=flat-square)
+
 To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
 
 This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
@@ -226,3 +228,254 @@ Error: UPGRADE FAILED: Service "?????-controller" is invalid: spec.clusterIP: In
 Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13646) but to resolve this you can set `xxxx.service.omitClusterIP` to `true` where `xxxx` is the service referenced in the error.
 
 As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered.
+
+## Requirements
+
+Kubernetes: `>=1.19.0-0`
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| controller.addHeaders | object | `{}` | Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers |
+| controller.admissionWebhooks.annotations | object | `{}` |  |
+| controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` |  |
+| controller.admissionWebhooks.createSecretJob.resources | object | `{}` |  |
+| controller.admissionWebhooks.enabled | bool | `true` |  |
+| controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one |
+| controller.admissionWebhooks.failurePolicy | string | `"Fail"` |  |
+| controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` |  |
+| controller.admissionWebhooks.labels | object | `{}` | Labels to be added to admission webhooks |
+| controller.admissionWebhooks.namespaceSelector | object | `{}` |  |
+| controller.admissionWebhooks.objectSelector | object | `{}` |  |
+| controller.admissionWebhooks.patch.enabled | bool | `true` |  |
+| controller.admissionWebhooks.patch.image.digest | string | `"sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660"` |  |
+| controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` |  |
+| controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` |  |
+| controller.admissionWebhooks.patch.image.registry | string | `"k8s.gcr.io"` |  |
+| controller.admissionWebhooks.patch.image.tag | string | `"v1.1.1"` |  |
+| controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
+| controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
+| controller.admissionWebhooks.patch.podAnnotations | object | `{}` |  |
+| controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job |
+| controller.admissionWebhooks.patch.runAsUser | int | `2000` |  |
+| controller.admissionWebhooks.patch.tolerations | list | `[]` |  |
+| controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` |  |
+| controller.admissionWebhooks.port | int | `8443` |  |
+| controller.admissionWebhooks.service.annotations | object | `{}` |  |
+| controller.admissionWebhooks.service.externalIPs | list | `[]` |  |
+| controller.admissionWebhooks.service.loadBalancerSourceRanges | list | `[]` |  |
+| controller.admissionWebhooks.service.servicePort | int | `443` |  |
+| controller.admissionWebhooks.service.type | string | `"ClusterIP"` |  |
+| controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes |
+| controller.allowSnippetAnnotations | bool | `true` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected |
+| controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet |
+| controller.autoscaling.behavior | object | `{}` |  |
+| controller.autoscaling.enabled | bool | `false` |  |
+| controller.autoscaling.maxReplicas | int | `11` |  |
+| controller.autoscaling.minReplicas | int | `1` |  |
+| controller.autoscaling.targetCPUUtilizationPercentage | int | `50` |  |
+| controller.autoscaling.targetMemoryUtilizationPercentage | int | `50` |  |
+| controller.autoscalingTemplate | list | `[]` |  |
+| controller.config | object | `{}` | Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ |
+| controller.configAnnotations | object | `{}` | Annotations to be added to the controller config configuration configmap |
+| controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) |
+| controller.containerName | string | `"controller"` | Configures the controller container name |
+| controller.containerPort | object | `{"http":80,"https":443}` | Configures the ports the nginx-controller listens on |
+| controller.customTemplate.configMapKey | string | `""` |  |
+| controller.customTemplate.configMapName | string | `""` |  |
+| controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. |
+| controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. |
+| controller.electionID | string | `"ingress-controller-leader"` | Election ID to use for status update |
+| controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. |
+| controller.existingPsp | string | `""` | Use an existing PSP instead of creating one |
+| controller.extraArgs | object | `{}` | Additional command line arguments to pass to nginx-ingress-controller E.g. to specify the default SSL certificate you can use |
+| controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. |
+| controller.extraEnvs | list | `[]` | Additional environment variables to set |
+| controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. |
+| controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. |
+| controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. |
+| controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the ingress nginx controller is running in the `hostNetwork: true` mode. |
+| controller.healthCheckPath | string | `"/healthz"` | Path of the health check endpoint. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. |
+| controller.hostNetwork | bool | `false` | Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 is merged |
+| controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not |
+| controller.hostPort.ports.http | int | `80` | 'hostPort' http port |
+| controller.hostPort.ports.https | int | `443` | 'hostPort' https port |
+| controller.hostname | object | `{}` | Optionally customize the pod hostname. |
+| controller.image.allowPrivilegeEscalation | bool | `true` |  |
+| controller.image.digest | string | `"sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a"` |  |
+| controller.image.image | string | `"ingress-nginx/controller"` |  |
+| controller.image.pullPolicy | string | `"IfNotPresent"` |  |
+| controller.image.registry | string | `"k8s.gcr.io"` |  |
+| controller.image.runAsUser | int | `101` |  |
+| controller.image.tag | string | `"v1.1.0"` |  |
+| controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller) |
+| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` |  |
+| controller.ingressClassResource.default | bool | `false` |  |
+| controller.ingressClassResource.enabled | bool | `true` |  |
+| controller.ingressClassResource.name | string | `"nginx"` |  |
+| controller.ingressClassResource.parameters | object | `{}` | Parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters. |
+| controller.keda.apiVersion | string | `"keda.sh/v1alpha1"` |  |
+| controller.keda.behavior | object | `{}` |  |
+| controller.keda.cooldownPeriod | int | `300` |  |
+| controller.keda.enabled | bool | `false` |  |
+| controller.keda.maxReplicas | int | `11` |  |
+| controller.keda.minReplicas | int | `1` |  |
+| controller.keda.pollingInterval | int | `30` |  |
+| controller.keda.restoreToOriginalReplicaCount | bool | `false` |  |
+| controller.keda.scaledObject.annotations | object | `{}` |  |
+| controller.keda.triggers | list | `[]` |  |
+| controller.kind | string | `"Deployment"` | Use a `DaemonSet` or `Deployment` |
+| controller.labels | object | `{}` | Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels |
+| controller.lifecycle | object | `{"preStop":{"exec":{"command":["/wait-shutdown"]}}}` | Improve connection draining when ingress controller pod is deleted using a lifecycle hook: With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds to 300, allowing the draining of connections up to five minutes. If the active connections end before that, the pod will terminate gracefully at that time. To effectively take advantage of this feature, the Configmap feature worker-shutdown-timeout new value is 240s instead of 10s. |
+| controller.livenessProbe.failureThreshold | int | `5` |  |
+| controller.livenessProbe.httpGet.path | string | `"/healthz"` |  |
+| controller.livenessProbe.httpGet.port | int | `10254` |  |
+| controller.livenessProbe.httpGet.scheme | string | `"HTTP"` |  |
+| controller.livenessProbe.initialDelaySeconds | int | `10` |  |
+| controller.livenessProbe.periodSeconds | int | `10` |  |
+| controller.livenessProbe.successThreshold | int | `1` |  |
+| controller.livenessProbe.timeoutSeconds | int | `1` |  |
+| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. |
+| controller.metrics.enabled | bool | `false` |  |
+| controller.metrics.port | int | `10254` |  |
+| controller.metrics.prometheusRule.additionalLabels | object | `{}` |  |
+| controller.metrics.prometheusRule.enabled | bool | `false` |  |
+| controller.metrics.prometheusRule.rules | list | `[]` |  |
+| controller.metrics.service.annotations | object | `{}` |  |
+| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available |
+| controller.metrics.service.loadBalancerSourceRanges | list | `[]` |  |
+| controller.metrics.service.servicePort | int | `10254` |  |
+| controller.metrics.service.type | string | `"ClusterIP"` |  |
+| controller.metrics.serviceMonitor.additionalLabels | object | `{}` |  |
+| controller.metrics.serviceMonitor.enabled | bool | `false` |  |
+| controller.metrics.serviceMonitor.metricRelabelings | list | `[]` |  |
+| controller.metrics.serviceMonitor.namespace | string | `""` |  |
+| controller.metrics.serviceMonitor.namespaceSelector | object | `{}` |  |
+| controller.metrics.serviceMonitor.relabelings | list | `[]` |  |
+| controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` |  |
+| controller.metrics.serviceMonitor.targetLabels | list | `[]` |  |
+| controller.minAvailable | int | `1` |  |
+| controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready |
+| controller.name | string | `"controller"` |  |
+| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment |
+| controller.podAnnotations | object | `{}` | Annotations to be added to controller pods |
+| controller.podLabels | object | `{}` | Labels to add to the pod container metadata |
+| controller.podSecurityContext | object | `{}` | Security Context policies for controller pods |
+| controller.priorityClassName | string | `""` |  |
+| controller.proxySetHeaders | object | `{}` | Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers |
+| controller.publishService | object | `{"enabled":true,"pathOverride":""}` | Allows customization of the source of the IP address or FQDN to report in the ingress status field. By default, it reads the information provided by the service. If disable, the status field reports the IP address of the node or nodes where an ingress controller pod is running. |
+| controller.publishService.enabled | bool | `true` | Enable 'publishService' or not |
+| controller.publishService.pathOverride | string | `""` | Allows overriding of the publish service to bind to Must be <namespace>/<service_name> |
+| controller.readinessProbe.failureThreshold | int | `3` |  |
+| controller.readinessProbe.httpGet.path | string | `"/healthz"` |  |
+| controller.readinessProbe.httpGet.port | int | `10254` |  |
+| controller.readinessProbe.httpGet.scheme | string | `"HTTP"` |  |
+| controller.readinessProbe.initialDelaySeconds | int | `10` |  |
+| controller.readinessProbe.periodSeconds | int | `10` |  |
+| controller.readinessProbe.successThreshold | int | `1` |  |
+| controller.readinessProbe.timeoutSeconds | int | `1` |  |
+| controller.replicaCount | int | `1` |  |
+| controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply |
+| controller.resources.requests.cpu | string | `"100m"` |  |
+| controller.resources.requests.memory | string | `"90Mi"` |  |
+| controller.scope.enabled | bool | `false` | Enable 'scope' or not |
+| controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) |
+| controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. |
+| controller.service.annotations | object | `{}` |  |
+| controller.service.appProtocol | bool | `true` | If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http It allows choosing the protocol for each backend specified in the Kubernetes service. See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 Will be ignored for Kubernetes versions older than 1.20 |
+| controller.service.enableHttp | bool | `true` |  |
+| controller.service.enableHttps | bool | `true` |  |
+| controller.service.enabled | bool | `true` |  |
+| controller.service.external.enabled | bool | `true` |  |
+| controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available |
+| controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. |
+| controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). |
+| controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. |
+| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. |
+| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack-ness requested or required by this Service. Possible values are SingleStack, PreferDualStack or RequireDualStack. The ipFamilies and clusterIPs fields depend on the value of this field. |
+| controller.service.labels | object | `{}` |  |
+| controller.service.loadBalancerSourceRanges | list | `[]` |  |
+| controller.service.nodePorts.http | string | `""` |  |
+| controller.service.nodePorts.https | string | `""` |  |
+| controller.service.nodePorts.tcp | object | `{}` |  |
+| controller.service.nodePorts.udp | object | `{}` |  |
+| controller.service.ports.http | int | `80` |  |
+| controller.service.ports.https | int | `443` |  |
+| controller.service.targetPorts.http | string | `"http"` |  |
+| controller.service.targetPorts.https | string | `"https"` |  |
+| controller.service.type | string | `"LoadBalancer"` |  |
+| controller.sysctls | object | `{}` | See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls |
+| controller.tcp.annotations | object | `{}` | Annotations to be added to the tcp config configmap |
+| controller.tcp.configMapNamespace | string | `""` | Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) |
+| controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready |
+| controller.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints |
+| controller.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. |
+| controller.udp.annotations | object | `{}` | Annotations to be added to the udp config configmap |
+| controller.udp.configMapNamespace | string | `""` | Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) |
+| controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet |
+| controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false |
+| defaultBackend.affinity | object | `{}` |  |
+| defaultBackend.autoscaling.annotations | object | `{}` |  |
+| defaultBackend.autoscaling.enabled | bool | `false` |  |
+| defaultBackend.autoscaling.maxReplicas | int | `2` |  |
+| defaultBackend.autoscaling.minReplicas | int | `1` |  |
+| defaultBackend.autoscaling.targetCPUUtilizationPercentage | int | `50` |  |
+| defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` |  |
+| defaultBackend.containerSecurityContext | object | `{}` | Security Context policies for controller main container. See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls |
+| defaultBackend.enabled | bool | `false` |  |
+| defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one |
+| defaultBackend.extraArgs | object | `{}` |  |
+| defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods |
+| defaultBackend.extraVolumeMounts | list | `[]` |  |
+| defaultBackend.extraVolumes | list | `[]` |  |
+| defaultBackend.image.allowPrivilegeEscalation | bool | `false` |  |
+| defaultBackend.image.image | string | `"defaultbackend-amd64"` |  |
+| defaultBackend.image.pullPolicy | string | `"IfNotPresent"` |  |
+| defaultBackend.image.readOnlyRootFilesystem | bool | `true` |  |
+| defaultBackend.image.registry | string | `"k8s.gcr.io"` |  |
+| defaultBackend.image.runAsNonRoot | bool | `true` |  |
+| defaultBackend.image.runAsUser | int | `65534` |  |
+| defaultBackend.image.tag | string | `"1.5"` |  |
+| defaultBackend.labels | object | `{}` | Labels to be added to the default backend resources |
+| defaultBackend.livenessProbe.failureThreshold | int | `3` |  |
+| defaultBackend.livenessProbe.initialDelaySeconds | int | `30` |  |
+| defaultBackend.livenessProbe.periodSeconds | int | `10` |  |
+| defaultBackend.livenessProbe.successThreshold | int | `1` |  |
+| defaultBackend.livenessProbe.timeoutSeconds | int | `5` |  |
+| defaultBackend.minAvailable | int | `1` |  |
+| defaultBackend.name | string | `"defaultbackend"` |  |
+| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment |
+| defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods |
+| defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata |
+| defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls |
+| defaultBackend.port | int | `8080` |  |
+| defaultBackend.priorityClassName | string | `""` |  |
+| defaultBackend.readinessProbe.failureThreshold | int | `6` |  |
+| defaultBackend.readinessProbe.initialDelaySeconds | int | `0` |  |
+| defaultBackend.readinessProbe.periodSeconds | int | `5` |  |
+| defaultBackend.readinessProbe.successThreshold | int | `1` |  |
+| defaultBackend.readinessProbe.timeoutSeconds | int | `5` |  |
+| defaultBackend.replicaCount | int | `1` |  |
+| defaultBackend.resources | object | `{}` |  |
+| defaultBackend.service.annotations | object | `{}` |  |
+| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available |
+| defaultBackend.service.loadBalancerSourceRanges | list | `[]` |  |
+| defaultBackend.service.servicePort | int | `80` |  |
+| defaultBackend.service.type | string | `"ClusterIP"` |  |
+| defaultBackend.serviceAccount.automountServiceAccountToken | bool | `true` |  |
+| defaultBackend.serviceAccount.create | bool | `true` |  |
+| defaultBackend.serviceAccount.name | string | `""` |  |
+| defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints |
+| dhParam | string | `nil` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` |
+| imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials |
+| podSecurityPolicy.enabled | bool | `false` |  |
+| rbac.create | bool | `true` |  |
+| rbac.scope | bool | `false` |  |
+| revisionHistoryLimit | int | `10` | Rollback limit |
+| serviceAccount.automountServiceAccountToken | bool | `true` |  |
+| serviceAccount.create | bool | `true` |  |
+| serviceAccount.name | string | `""` |  |
+| tcp | object | `{}` | TCP service key:value pairs |
+| udp | object | `{}` | UDP service key:value pairs |
+
diff --git a/charts/ingress-nginx/README.md.gotmpl b/charts/ingress-nginx/README.md.gotmpl
new file mode 100644
index 000000000..5cd9e59e1
--- /dev/null
+++ b/charts/ingress-nginx/README.md.gotmpl
@@ -0,0 +1,235 @@
+{{ template "chart.header" . }}
+[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
+
+{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
+
+To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
+
+This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Chart version 3.x.x: Kubernetes v1.16+
+- Chart version 4.x.x and above: Kubernetes v1.19+
+
+## Get Repo Info
+
+```console
+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+helm repo update
+```
+
+## Install Chart
+
+**Important:** only helm3 is supported
+
+```console
+helm install [RELEASE_NAME] ingress-nginx/ingress-nginx
+```
+
+The command deploys ingress-nginx on the Kubernetes cluster in the default configuration.
+
+_See [configuration](#configuration) below._
+
+_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
+
+## Uninstall Chart
+
+```console
+helm uninstall [RELEASE_NAME]
+```
+
+This removes all the Kubernetes components associated with the chart and deletes the release.
+
+_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._
+
+## Upgrading Chart
+
+```console
+helm upgrade [RELEASE_NAME] [CHART] --install
+```
+
+_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
+
+### Upgrading With Zero Downtime in Production
+
+By default the ingress-nginx controller has service interruptions whenever it's pods are restarted or redeployed. In order to fix that, see the excellent blog post by Lindsay Landry from Codecademy: [Kubernetes: Nginx and Zero Downtime in Production](https://medium.com/codecademy-engineering/kubernetes-nginx-and-zero-downtime-in-production-2c910c6a5ed8).
+
+### Migrating from stable/nginx-ingress
+
+There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart:
+
+1. For Nginx Ingress controllers used for non-critical services, the easiest method is to [uninstall](#uninstall-chart) the old release and [install](#install-chart) the new one
+1. For critical services in production that require zero-downtime, you will want to:
+    1. [Install](#install-chart) a second Ingress controller
+    1. Redirect your DNS traffic from the old controller to the new controller
+    1. Log traffic from both controllers during this changeover
+    1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it
+    1. For details on all of these steps see [Upgrading With Zero Downtime in Production](#upgrading-with-zero-downtime-in-production)
+
+Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts.
+
+## Configuration
+
+See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands:
+
+```console
+helm show values ingress-nginx/ingress-nginx
+```
+
+### PodDisruptionBudget
+
+Note that the PodDisruptionBudget resource will only be defined if the replicaCount is greater than one,
+else it would make it impossible to evacuate a node. See [gh issue #7127](https://github.com/helm/charts/issues/7127) for more info.
+
+### Prometheus Metrics
+
+The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.
+
+You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`.
+Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`)
+
+### ingress-nginx nginx\_status page/stats server
+
+Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller:
+
+- In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
+- In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
+  You can use `curl --unix-socket /tmp/nginx-status-server.sock http://localhost/nginx_status` inside the controller container to access it locally, or use the snippet from [nginx-ingress changelog](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230) to re-enable the http server
+
+### ExternalDNS Service Configuration
+
+Add an [ExternalDNS](https://github.com/kubernetes-incubator/external-dns) annotation to the LoadBalancer service:
+
+```yaml
+controller:
+  service:
+    annotations:
+      external-dns.alpha.kubernetes.io/hostname: kubernetes-example.com.
+```
+
+### AWS L7 ELB with SSL Termination
+
+Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/main/deploy/aws/l7/service-l7.yaml):
+
+```yaml
+controller:
+  service:
+    targetPorts:
+      http: http
+      https: http
+    annotations:
+      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:XX-XXXX-X:XXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX
+      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
+      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
+      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
+```
+
+### AWS route53-mapper
+
+To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/tree/master/addons/route53-mapper), add the `domainName` annotation and `dns` label:
+
+```yaml
+controller:
+  service:
+    labels:
+      dns: "route53"
+    annotations:
+      domainName: "kubernetes-example.com"
+```
+
+### Additional Internal Load Balancer
+
+This setup is useful when you need both external and internal load balancers but don't want to have multiple ingress controllers and multiple ingress objects per application.
+
+By default, the ingress object will point to the external load balancer address, but if correctly configured, you can make use of the internal one if the URL you are looking up resolves to the internal load balancer's URL.
+
+You'll need to set both the following values:
+
+`controller.service.internal.enabled`
+`controller.service.internal.annotations`
+
+If one of them is missing the internal load balancer will not be deployed. Example you may have `controller.service.internal.enabled=true` but no annotations set, in this case no action will be taken.
+
+`controller.service.internal.annotations` varies with the cloud service you're using.
+
+Example for AWS:
+
+```yaml
+controller:
+  service:
+    internal:
+      enabled: true
+      annotations:
+        # Create internal ELB
+        service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+        # Any other annotation can be declared here.
+```
+
+Example for GCE:
+
+```yaml
+controller:
+  service:
+    internal:
+      enabled: true
+      annotations:
+        # Create internal LB. More informations: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing
+        # For GKE versions 1.17 and later
+        networking.gke.io/load-balancer-type: "Internal"
+        # For earlier versions
+        # cloud.google.com/load-balancer-type: "Internal"
+
+        # Any other annotation can be declared here.
+```
+
+Example for Azure:
+
+```yaml
+controller:
+  service:
+      annotations:
+        # Create internal LB
+        service.beta.kubernetes.io/azure-load-balancer-internal: "true"
+        # Any other annotation can be declared here.
+```
+
+Example for Oracle Cloud Infrastructure:
+
+```yaml
+controller:
+  service:
+      annotations:
+        # Create internal LB
+        service.beta.kubernetes.io/oci-load-balancer-internal: "true"
+        # Any other annotation can be declared here.
+```
+
+An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object.
+
+Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`.
+
+### Ingress Admission Webhooks
+
+With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
+**This feature is enabled by default since 0.31.0.**
+
+With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521)
+
+### Helm Error When Upgrading: spec.clusterIP: Invalid value: ""
+
+If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this:
+
+```console
+Error: UPGRADE FAILED: Service "?????-controller" is invalid: spec.clusterIP: Invalid value: "": field is immutable
+```
+
+Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13646) but to resolve this you can set `xxxx.service.omitClusterIP` to `true` where `xxxx` is the service referenced in the error.
+
+As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered.
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+{{ template "helm-docs.versionFooter" . }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index a96bfbfd0..e923b3e15 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -12,9 +12,9 @@ controller:
   image:
     registry: k8s.gcr.io
     image: ingress-nginx/controller
-    # for backwards compatibility consider setting the full image url via the repository value below
-    # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
-    # repository:
+    ## for backwards compatibility consider setting the full image url via the repository value below
+    ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
+    ## repository:
     tag: "v1.1.0"
     digest: sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
     pullPolicy: IfNotPresent
@@ -22,154 +22,149 @@ controller:
     runAsUser: 101
     allowPrivilegeEscalation: true
 
-  # Use an existing PSP instead of creating one
+  # -- Use an existing PSP instead of creating one
   existingPsp: ""
 
-  # Configures the controller container name
+  # -- Configures the controller container name
   containerName: controller
 
-  # Configures the ports the nginx-controller listens on
+  # -- Configures the ports the nginx-controller listens on
   containerPort:
     http: 80
     https: 443
 
-  # Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
+  # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
   config: {}
 
-  ## Annotations to be added to the controller config configuration configmap
-  ##
+  # -- Annotations to be added to the controller config configuration configmap
   configAnnotations: {}
 
-  # Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers
+  # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers
   proxySetHeaders: {}
 
-  # Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers
+  # -- Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers
   addHeaders: {}
 
-  # Optionally customize the pod dnsConfig.
+  # -- Optionally customize the pod dnsConfig.
   dnsConfig: {}
 
-  # Optionally customize the pod hostname.
+  # -- Optionally customize the pod hostname.
   hostname: {}
 
-  # Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'.
+  # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'.
   # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller
   # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet.
   dnsPolicy: ClusterFirst
 
-  # Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network
+  # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network
   # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply
   reportNodeInternalIp: false
 
-  # Process Ingress objects without ingressClass annotation/ingressClassName field
+  # -- Process Ingress objects without ingressClass annotation/ingressClassName field
   # Overrides value for --watch-ingress-without-class flag of the controller binary
   # Defaults to false
   watchIngressWithoutClass: false
 
-  # Process IngressClass per name (additionally as per spec.controller)
+  # -- Process IngressClass per name (additionally as per spec.controller)
   ingressClassByName: false
 
-  # This configuration defines if Ingress Controller should allow users to set
+  # -- This configuration defines if Ingress Controller should allow users to set
   # their own *-snippet annotations, otherwise this is forbidden / dropped
   # when users add those annotations.
   # Global snippets in ConfigMap are still respected
   allowSnippetAnnotations: true
 
-  # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
+  # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
   # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
   # is merged
   hostNetwork: false
 
   ## Use host ports 80 and 443
   ## Disabled by default
-  ##
   hostPort:
+    # -- Enable 'hostPort' or not
     enabled: false
     ports:
+      # -- 'hostPort' http port
       http: 80
+      # -- 'hostPort' https port
       https: 443
 
-  ## Election ID to use for status update
-  ##
+  # -- Election ID to use for status update
   electionID: ingress-controller-leader
 
-  # This section refers to the creation of the IngressClass resource
-  # IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19
+  ## This section refers to the creation of the IngressClass resource
+  ## IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19
   ingressClassResource:
     name: nginx
     enabled: true
     default: false
     controllerValue: "k8s.io/ingress-nginx"
 
-    # Parameters is a link to a custom resource containing additional
+    # -- Parameters is a link to a custom resource containing additional
     # configuration for the controller. This is optional if the controller
     # does not require extra parameters.
     parameters: {}
 
-  # labels to add to the pod container metadata
+  # -- Labels to add to the pod container metadata
   podLabels: {}
   #  key: value
 
-  ## Security Context policies for controller pods
-  ##
+  # -- Security Context policies for controller pods
   podSecurityContext: {}
 
-  ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
-  ## notes on enabling and using sysctls
-  ###
+  # -- See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls
   sysctls: {}
   # sysctls:
   #   "net.core.somaxconn": "8192"
 
-  ## Allows customization of the source of the IP address or FQDN to report
-  ## in the ingress status field. By default, it reads the information provided
-  ## by the service. If disable, the status field reports the IP address of the
-  ## node or nodes where an ingress controller pod is running.
+  # -- Allows customization of the source of the IP address or FQDN to report
+  # in the ingress status field. By default, it reads the information provided
+  # by the service. If disable, the status field reports the IP address of the
+  # node or nodes where an ingress controller pod is running.
   publishService:
+    # -- Enable 'publishService' or not
     enabled: true
-    ## Allows overriding of the publish service to bind to
-    ## Must be <namespace>/<service_name>
-    ##
+    # -- Allows overriding of the publish service to bind to
+    # Must be <namespace>/<service_name>
     pathOverride: ""
 
-  ## Limit the scope of the controller
-  ##
+  # Limit the scope of the controller to a specific namespace
   scope:
+    # -- Enable 'scope' or not
     enabled: false
-    namespace: ""   # defaults to $(POD_NAMESPACE)
-    # When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels
-    #   only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces.
+    # -- Namespace to limit the controller to; defaults to $(POD_NAMESPACE)
+    namespace: ""
+    # -- When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels
+    # only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces.
     namespaceSelector: ""
 
-  ## Allows customization of the configmap / nginx-configmap namespace
-  ##
-  configMapNamespace: ""   # defaults to $(POD_NAMESPACE)
+  # -- Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE)
+  configMapNamespace: ""
 
-  ## Allows customization of the tcp-services-configmap
-  ##
   tcp:
-    configMapNamespace: ""   # defaults to $(POD_NAMESPACE)
-    ## Annotations to be added to the tcp config configmap
+    # -- Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE)
+    configMapNamespace: ""
+    # -- Annotations to be added to the tcp config configmap
     annotations: {}
 
-  ## Allows customization of the udp-services-configmap
-  ##
   udp:
-    configMapNamespace: ""   # defaults to $(POD_NAMESPACE)
-    ## Annotations to be added to the udp config configmap
+    # -- Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE)
+    configMapNamespace: ""
+    # -- Annotations to be added to the udp config configmap
     annotations: {}
 
-  # Maxmind license key to download GeoLite2 Databases
-  # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases
+  # -- Maxmind license key to download GeoLite2 Databases.
+  ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases
   maxmindLicenseKey: ""
 
-  ## Additional command line arguments to pass to nginx-ingress-controller
-  ## E.g. to specify the default SSL certificate you can use
+  # -- Additional command line arguments to pass to nginx-ingress-controller
+  # E.g. to specify the default SSL certificate you can use
+  extraArgs: {}
   ## extraArgs:
   ##   default-ssl-certificate: "<namespace>/<secret_name>"
-  extraArgs: {}
 
-  ## Additional environment variables to set
+  # -- Additional environment variables to set
   extraEnvs: []
   # extraEnvs:
   #   - name: FOO
@@ -178,35 +173,34 @@ controller:
   #         key: FOO
   #         name: secret-resource
 
-  ## DaemonSet or Deployment
-  ##
+  # -- Use a `DaemonSet` or `Deployment`
   kind: Deployment
 
-  ## Annotations to be added to the controller Deployment or DaemonSet
+  # -- Annotations to be added to the controller Deployment or DaemonSet
   ##
   annotations: {}
   #  keel.sh/pollSchedule: "@every 60m"
 
-  ## Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels
+  # -- Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels
   ##
   labels: {}
   #  keel.sh/policy: patch
   #  keel.sh/trigger: poll
 
 
-  # The update strategy to apply to the Deployment or DaemonSet
+  # -- The update strategy to apply to the Deployment or DaemonSet
   ##
   updateStrategy: {}
   #  rollingUpdate:
   #    maxUnavailable: 1
   #  type: RollingUpdate
 
-  # minReadySeconds to avoid killing pods before we are ready
+  # -- `minReadySeconds` to avoid killing pods before we are ready
   ##
   minReadySeconds: 0
 
 
-  ## Node tolerations for server scheduling to nodes with taints
+  # -- Node tolerations for server scheduling to nodes with taints
   ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
   ##
   tolerations: []
@@ -215,7 +209,7 @@ controller:
   #    value: "value"
   #    effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
 
-  ## Affinity and anti-affinity
+  # -- Affinity and anti-affinity rules for server scheduling to nodes
   ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
   ##
   affinity: {}
@@ -259,7 +253,7 @@ controller:
     #         - controller
     #     topologyKey: "kubernetes.io/hostname"
 
-  ## Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
+  # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
   ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
   ##
   topologySpreadConstraints: []
@@ -270,12 +264,12 @@ controller:
     #     matchLabels:
     #       app.kubernetes.io/instance: ingress-nginx-internal
 
-  ## terminationGracePeriodSeconds
+  # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready
   ## wait up to five minutes for the drain of connections
   ##
   terminationGracePeriodSeconds: 300
 
-  ## Node labels for controller pod assignment
+  # -- Node labels for controller pod assignment
   ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
   ##
   nodeSelector:
@@ -284,17 +278,17 @@ controller:
   ## Liveness and readiness probe values
   ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
   ##
-  # startupProbe:
-  #   httpGet:
-  #     # should match container.healthCheckPath
-  #     path: "/healthz"
-  #     port: 10254
-  #     scheme: HTTP
-  #   initialDelaySeconds: 5
-  #   periodSeconds: 5
-  #   timeoutSeconds: 2
-  #   successThreshold: 1
-  #   failureThreshold: 5
+  ## startupProbe:
+  ##   httpGet:
+  ##     # should match container.healthCheckPath
+  ##     path: "/healthz"
+  ##     port: 10254
+  ##     scheme: HTTP
+  ##   initialDelaySeconds: 5
+  ##   periodSeconds: 5
+  ##   timeoutSeconds: 2
+  ##   successThreshold: 1
+  ##   failureThreshold: 5
   livenessProbe:
     httpGet:
       # should match container.healthCheckPath
@@ -319,16 +313,16 @@ controller:
     failureThreshold: 3
 
 
-  # Path of the health check endpoint. All requests received on the port defined by
+  # -- Path of the health check endpoint. All requests received on the port defined by
   # the healthz-port parameter are forwarded internally to this path.
   healthCheckPath: "/healthz"
 
-  # Address to bind the health check endpoint.
+  # -- Address to bind the health check endpoint.
   # It is better to set this option to the internal node address
-  # if the ingress nginx controller is running in the hostNetwork: true mode.
+  # if the ingress nginx controller is running in the `hostNetwork: true` mode.
   healthCheckHost: ""
 
-  ## Annotations to be added to controller pods
+  # -- Annotations to be added to controller pods
   ##
   podAnnotations: {}
 
@@ -336,14 +330,14 @@ controller:
 
   minAvailable: 1
 
-  # Define requests resources to avoid probe issues due to CPU utilization in busy nodes
-  # ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903
-  # Ideally, there should be no limits.
-  # https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/
+  ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes
+  ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903
+  ## Ideally, there should be no limits.
+  ## https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/
   resources:
-  #  limits:
-  #    cpu: 100m
-  #    memory: 90Mi
+  ##  limits:
+  ##    cpu: 100m
+  ##    memory: 90Mi
     requests:
       cpu: 100m
       memory: 90Mi
@@ -383,9 +377,9 @@ controller:
   # Mutually exclusive with hpa autoscaling
   keda:
     apiVersion: "keda.sh/v1alpha1"
-  # apiVersion changes with keda 1.x vs 2.x
-  # 2.x = keda.sh/v1alpha1
-  # 1.x = keda.k8s.io/v1alpha1
+    ## apiVersion changes with keda 1.x vs 2.x
+    ## 2.x = keda.sh/v1alpha1
+    ## 1.x = keda.k8s.io/v1alpha1
     enabled: false
     minReplicas: 1
     maxReplicas: 11
@@ -419,7 +413,7 @@ controller:
  #         value: 2
  #         periodSeconds: 60
 
-  ## Enable mimalloc as a drop-in replacement for malloc.
+  # -- Enable mimalloc as a drop-in replacement for malloc.
   ## ref: https://github.com/microsoft/mimalloc
   ##
   enableMimalloc: true
@@ -432,11 +426,11 @@ controller:
   service:
     enabled: true
 
-    ## If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were
-    ## using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
-    ## It allows choosing the protocol for each backend specified in the Kubernetes service.
-    ## See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244
-    ## Will be ignored for Kubernetes versions older than 1.20
+    # -- If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were
+    # using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
+    # It allows choosing the protocol for each backend specified in the Kubernetes service.
+    # See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244
+    # Will be ignored for Kubernetes versions older than 1.20
     ##
     appProtocol: true
 
@@ -444,7 +438,7 @@ controller:
     labels: {}
     # clusterIP: ""
 
-    ## List of IP addresses at which the controller services are available
+    # -- List of IP addresses at which the controller services are available
     ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
     ##
     externalIPs: []
@@ -468,14 +462,14 @@ controller:
     ## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
     # healthCheckNodePort: 0
 
-    ## Represents the dual-stack-ness requested or required by this Service. Possible values are
-    ## SingleStack, PreferDualStack or RequireDualStack.
-    ## The ipFamilies and clusterIPs fields depend on the value of this field.
+    # -- Represents the dual-stack-ness requested or required by this Service. Possible values are
+    # SingleStack, PreferDualStack or RequireDualStack.
+    # The ipFamilies and clusterIPs fields depend on the value of this field.
     ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
     ipFamilyPolicy: "SingleStack"
 
-    ## List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically
-    ## based on cluster configuration and the ipFamilyPolicy field.
+    # -- List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically
+    # based on cluster configuration and the ipFamilyPolicy field.
     ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
     ipFamilies:
       - IPv4
@@ -490,12 +484,12 @@ controller:
 
     type: LoadBalancer
 
-    # type: NodePort
-    # nodePorts:
-    #   http: 32080
-    #   https: 32443
-    #   tcp:
-    #     8080: 32808
+    ## type: NodePort
+    ## nodePorts:
+    ##   http: 32080
+    ##   https: 32443
+    ##   tcp:
+    ##     8080: 32808
     nodePorts:
       http: ""
       https: ""
@@ -505,15 +499,15 @@ controller:
     external:
       enabled: true
 
-    ## Enables an additional internal load balancer (besides the external one).
-    ## Annotations are mandatory for the load balancer to come up. Varies with the cloud service.
     internal:
+      # -- Enables an additional internal load balancer (besides the external one).
       enabled: false
+      # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service.
       annotations: {}
 
       # loadBalancerIP: ""
 
-      ## Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0.
+      # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0.
       loadBalancerSourceRanges: []
 
       ## Set external traffic policy to: "Local" to preserve source IP on
@@ -521,9 +515,9 @@ controller:
       ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
       # externalTrafficPolicy: ""
 
+  # -- Additional containers to be added to the controller pod.
+  # See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example.
   extraContainers: []
-  ## Additional containers to be added to the controller pod.
-  ## See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example.
   #  - name: my-sidecar
   #    image: nginx:latest
   #  - name: lemonldap-ng-controller
@@ -545,18 +539,18 @@ controller:
   #    - name: copy-portal-skins
   #      mountPath: /srv/var/lib/lemonldap-ng/portal/skins
 
+  # -- Additional volumeMounts to the controller main container.
   extraVolumeMounts: []
-  ## Additional volumeMounts to the controller main container.
   #  - name: copy-portal-skins
   #   mountPath: /var/lib/lemonldap-ng/portal/skins
 
+  # -- Additional volumes to the controller pod.
   extraVolumes: []
-  ## Additional volumes to the controller pod.
   #  - name: copy-portal-skins
   #    emptyDir: {}
 
+  # -- Containers, which are run before the app containers are started.
   extraInitContainers: []
-  ## Containers, which are run before the app containers are started.
   # - name: init-myservice
   #   image: busybox
   #   command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;']
@@ -576,10 +570,10 @@ controller:
     key: "/usr/local/certificates/key"
     namespaceSelector: {}
     objectSelector: {}
-    ## Labels to be added to admission webhooks
+    # -- Labels to be added to admission webhooks
     labels: {}
 
-    # Use an existing PSP instead of creating one
+    # -- Use an existing PSP instead of creating one
     existingPsp: ""
 
     service:
@@ -608,20 +602,20 @@ controller:
       image:
         registry: k8s.gcr.io
         image: ingress-nginx/kube-webhook-certgen
-        # for backwards compatibility consider setting the full image url via the repository value below
-        # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
-        # repository:
+        ## for backwards compatibility consider setting the full image url via the repository value below
+        ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
+        ## repository:
         tag: v1.1.1
         digest: sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
         pullPolicy: IfNotPresent
-      ## Provide a priority class name to the webhook patching job
+      # -- Provide a priority class name to the webhook patching job
       ##
       priorityClassName: ""
       podAnnotations: {}
       nodeSelector:
         kubernetes.io/os: linux
       tolerations: []
-      ## Labels to be added to patch job resources
+      # -- Labels to be added to patch job resources
       labels: {}
       runAsUser: 2000
 
@@ -637,7 +631,7 @@ controller:
 
       # clusterIP: ""
 
-      ## List of IP addresses at which the stats-exporter service is available
+      # -- List of IP addresses at which the stats-exporter service is available
       ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
       ##
       externalIPs: []
@@ -652,14 +646,14 @@ controller:
     serviceMonitor:
       enabled: false
       additionalLabels: {}
-      # The label to use to retrieve the job name from.
-      # jobLabel: "app.kubernetes.io/name"
+      ## The label to use to retrieve the job name from.
+      ## jobLabel: "app.kubernetes.io/name"
       namespace: ""
       namespaceSelector: {}
-      # Default: scrape .Release.Namespace only
-      # To scrape all, use the following:
-      # namespaceSelector:
-      #   any: true
+      ## Default: scrape .Release.Namespace only
+      ## To scrape all, use the following:
+      ## namespaceSelector:
+      ##   any: true
       scrapeInterval: 30s
       # honorLabels: true
       targetLabels: []
@@ -705,12 +699,12 @@ controller:
         #     description: Too many 4XXs
         #     summary: More than 5% of all requests returned 4XX, this requires your attention
 
-  ## Improve connection draining when ingress controller pod is deleted using a lifecycle hook:
-  ## With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds
-  ## to 300, allowing the draining of connections up to five minutes.
-  ## If the active connections end before that, the pod will terminate gracefully at that time.
-  ## To effectively take advantage of this feature, the Configmap feature
-  ## worker-shutdown-timeout new value is 240s instead of 10s.
+  # -- Improve connection draining when ingress controller pod is deleted using a lifecycle hook:
+  # With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds
+  # to 300, allowing the draining of connections up to five minutes.
+  # If the active connections end before that, the pod will terminate gracefully at that time.
+  # To effectively take advantage of this feature, the Configmap feature
+  # worker-shutdown-timeout new value is 240s instead of 10s.
   ##
   lifecycle:
     preStop:
@@ -720,7 +714,7 @@ controller:
 
   priorityClassName: ""
 
-## Rollback limit
+# -- Rollback limit
 ##
 revisionHistoryLimit: 10
 
@@ -734,9 +728,9 @@ defaultBackend:
   image:
     registry: k8s.gcr.io
     image: defaultbackend-amd64
-    # for backwards compatibility consider setting the full image url via the repository value below
-    # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
-    # repository:
+    ## for backwards compatibility consider setting the full image url via the repository value below
+    ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
+    ## repository:
     tag: "1.5"
     pullPolicy: IfNotPresent
     # nobody user -> uid 65534
@@ -745,7 +739,7 @@ defaultBackend:
     readOnlyRootFilesystem: true
     allowPrivilegeEscalation: false
 
-  # Use an existing PSP instead of creating one
+  # -- Use an existing PSP instead of creating one
   existingPsp: ""
 
   extraArgs: {}
@@ -754,7 +748,7 @@ defaultBackend:
     create: true
     name: ""
     automountServiceAccountToken: true
-  ## Additional environment variables to set for defaultBackend pods
+  # -- Additional environment variables to set for defaultBackend pods
   extraEnvs: []
 
   port: 8080
@@ -775,7 +769,7 @@ defaultBackend:
     successThreshold: 1
     timeoutSeconds: 5
 
-  ## Node tolerations for server scheduling to nodes with taints
+  # -- Node tolerations for server scheduling to nodes with taints
   ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
   ##
   tolerations: []
@@ -786,29 +780,29 @@ defaultBackend:
 
   affinity: {}
 
-  ## Security Context policies for controller pods
-  ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
-  ## notes on enabling and using sysctls
+  # -- Security Context policies for controller pods
+  # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
+  # notes on enabling and using sysctls
   ##
   podSecurityContext: {}
 
-  ## Security Context policies for controller main container.
-  ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
-  ## notes on enabling and using sysctls
+  # -- Security Context policies for controller main container.
+  # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
+  # notes on enabling and using sysctls
   ##
   containerSecurityContext: {}
 
-  # labels to add to the pod container metadata
+  # -- Labels to add to the pod container metadata
   podLabels: {}
   #  key: value
 
-  ## Node labels for default backend pod assignment
+  # -- Node labels for default backend pod assignment
   ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
   ##
   nodeSelector:
     kubernetes.io/os: linux
 
-  ## Annotations to be added to default backend pods
+  # -- Annotations to be added to default backend pods
   ##
   podAnnotations: {}
 
@@ -847,7 +841,7 @@ defaultBackend:
 
     # clusterIP: ""
 
-    ## List of IP addresses at which the default backend service is available
+    # -- List of IP addresses at which the default backend service is available
     ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
     ##
     externalIPs: []
@@ -858,7 +852,7 @@ defaultBackend:
     type: ClusterIP
 
   priorityClassName: ""
-  ## Labels to be added to the default backend resources
+  # -- Labels to be added to the default backend resources
   labels: {}
 
 ## Enable RBAC as per https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/rbac.md and https://github.com/kubernetes/ingress-nginx/issues/266
@@ -866,8 +860,8 @@ rbac:
   create: true
   scope: false
 
-# If true, create & use Pod Security Policy resources
-# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+## If true, create & use Pod Security Policy resources
+## https://kubernetes.io/docs/concepts/policy/pod-security-policy/
 podSecurityPolicy:
   enabled: false
 
@@ -876,24 +870,24 @@ serviceAccount:
   name: ""
   automountServiceAccountToken: true
 
-## Optional array of imagePullSecrets containing private registry credentials
+# -- Optional array of imagePullSecrets containing private registry credentials
 ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
 imagePullSecrets: []
 # - name: secretName
 
-# TCP service key:value pairs
-# Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md
+# -- TCP service key:value pairs
+## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md
 ##
 tcp: {}
 #  8080: "default/example-tcp-svc:9000"
 
-# UDP service key:value pairs
-# Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md
+# -- UDP service key:value pairs
+## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md
 ##
 udp: {}
 #  53: "kube-system/kube-dns:53"
 
-# A base64ed Diffie-Hellman parameter
-# This can be generated with: openssl dhparam 4096 2> /dev/null | base64
-# Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param
+# -- (string) A base64-encoded Diffie-Hellman parameter.
+# This can be generated with: `openssl dhparam 4096 2> /dev/null | base64`
+## Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param
 dhParam:

From 17b6c99a05d9f4ce9ede1343599a2f08e84838b1 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Sat, 8 Jan 2022 11:17:44 -0300
Subject: [PATCH 274/376] Fix helm releaser GH Token

---
 .github/workflows/helm.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml
index b4aa5a5ff..50b7fc05b 100644
--- a/.github/workflows/helm.yaml
+++ b/.github/workflows/helm.yaml
@@ -54,9 +54,9 @@ jobs:
           git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.1.0
+        uses: helm/chart-releaser-action@v1.2.1
         env:
-          CR_TOKEN: "${{ secrets.PERSONAL_TOKEN }}"
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"
         with:
           charts_dir: charts

From 4dda149ed02dad03cc6dcc862be1b8c93dc9824a Mon Sep 17 00:00:00 2001
From: Carlos Tadeu Panato Junior <ctadeu@gmail.com>
Date: Sat, 8 Jan 2022 18:18:19 +0100
Subject: [PATCH 275/376] chart/ghaction: set the correct permission to have
 access to push a release (#8115)

Signed-off-by: Carlos Panato <ctadeu@gmail.com>
---
 .github/workflows/helm.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml
index 50b7fc05b..a99fcfaa6 100644
--- a/.github/workflows/helm.yaml
+++ b/.github/workflows/helm.yaml
@@ -33,6 +33,10 @@ jobs:
   chart:
     name: Release Chart
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: write # needed to write releases
+
     needs:
       - changes
     if: |

From a13305185abf95fe2d6585a51d7ba1878aea711a Mon Sep 17 00:00:00 2001
From: gi mbu <slawek.wolak@gmail.com>
Date: Sun, 9 Jan 2022 18:06:00 +0100
Subject: [PATCH 276/376] generating SHA for CA only certs in backend_ssl.go +
 comparision of ProxySSL structures in types_equals.go (#8098)

---
 internal/ingress/controller/store/backend_ssl.go |  2 ++
 internal/ingress/types_equals.go                 | 12 ++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/internal/ingress/controller/store/backend_ssl.go b/internal/ingress/controller/store/backend_ssl.go
index 377f62015..41a5b2b40 100644
--- a/internal/ingress/controller/store/backend_ssl.go
+++ b/internal/ingress/controller/store/backend_ssl.go
@@ -154,6 +154,8 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error
 			return nil, fmt.Errorf("error configuring CA certificate: %v", err)
 		}
 
+		sslCert.CASHA = file.SHA1(sslCert.CAFileName)
+
 		if len(crl) > 0 {
 			err = ssl.ConfigureCRL(nsSecName, crl, sslCert)
 			if err != nil {
diff --git a/internal/ingress/types_equals.go b/internal/ingress/types_equals.go
index 18ffa9042..3e39940a3 100644
--- a/internal/ingress/types_equals.go
+++ b/internal/ingress/types_equals.go
@@ -317,6 +317,9 @@ func (s1 *Server) Equal(s2 *Server) bool {
 	if s1.AuthTLSError != s2.AuthTLSError {
 		return false
 	}
+	if !(&s1.ProxySSL).Equal(&s2.ProxySSL) {
+		return false
+	}
 
 	if len(s1.Locations) != len(s2.Locations) {
 		return false
@@ -401,6 +404,9 @@ func (l1 *Location) Equal(l2 *Location) bool {
 	if !(&l1.Proxy).Equal(&l2.Proxy) {
 		return false
 	}
+	if !(&l1.ProxySSL).Equal(&l2.ProxySSL) {
+		return false
+	}
 	if l1.UsePortInRedirects != l2.UsePortInRedirects {
 		return false
 	}
@@ -558,6 +564,12 @@ func (s1 *SSLCert) Equal(s2 *SSLCert) bool {
 	if s1.PemSHA != s2.PemSHA {
 		return false
 	}
+	if s1.CAFileName != s2.CAFileName {
+		return false
+	}
+	if s1.CRLFileName != s2.CRLFileName {
+		return false
+	}
 	if !s1.ExpireTime.Equal(s2.ExpireTime) {
 		return false
 	}

From c917ffacd28c848475ef0be3fdabdfefe69c3074 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Sun, 9 Jan 2022 18:45:12 -0300
Subject: [PATCH 277/376] Freeze code generation boilerplate year for proper
 validation (#8117)

---
 hack/boilerplate/boilerplate.generated.go.txt | 16 ++++++++++++++++
 hack/update-codegen.sh                        |  2 +-
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 hack/boilerplate/boilerplate.generated.go.txt

diff --git a/hack/boilerplate/boilerplate.generated.go.txt b/hack/boilerplate/boilerplate.generated.go.txt
new file mode 100644
index 000000000..daba3a171
--- /dev/null
+++ b/hack/boilerplate/boilerplate.generated.go.txt
@@ -0,0 +1,16 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
diff --git a/hack/update-codegen.sh b/hack/update-codegen.sh
index a80a03b3a..9023a3a1a 100755
--- a/hack/update-codegen.sh
+++ b/hack/update-codegen.sh
@@ -41,4 +41,4 @@ ${CODEGEN_PKG}/generate-groups.sh "deepcopy" \
   k8s.io/ingress-nginx/internal k8s.io/ingress-nginx/internal \
   .:ingress \
   --output-base "$(dirname ${BASH_SOURCE})/../../.." \
-  --go-header-file ${SCRIPT_ROOT}/hack/boilerplate/boilerplate.go.txt
+  --go-header-file ${SCRIPT_ROOT}/hack/boilerplate/boilerplate.generated.go.txt

From 38c73233f3db84866892c68845fa188802550d0e Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Sun, 9 Jan 2022 21:29:12 -0300
Subject: [PATCH 278/376] Remove deprecated libraries, update other libs, add
 ci v1.23 (#8118)

---
 .github/workflows/ci.yaml                     |   2 +-
 go.mod                                        |  43 ++-
 go.sum                                        | 275 +++---------------
 internal/file/structure.go                    |   7 +-
 internal/ingress/annotations/auth/main.go     |  15 +-
 .../ingress/annotations/auth/main_test.go     |   4 +-
 internal/ingress/annotations/authtls/main.go  |   4 +-
 .../annotations/defaultbackend/main.go        |   3 +-
 internal/ingress/annotations/fastcgi/main.go  |   5 +-
 .../annotations/globalratelimit/main.go       |   4 +-
 .../annotations/globalratelimit/main_test.go  |   4 +-
 .../ingress/annotations/ipwhitelist/main.go   |   5 +-
 internal/ingress/annotations/proxyssl/main.go |   4 +-
 internal/ingress/controller/checker.go        |  11 +-
 .../ingress/controller/store/backend_ssl.go   |   3 +-
 .../ingress/controller/template/template.go   |   4 +-
 internal/ingress/errors/errors.go             |   7 +-
 internal/ingress/status/status.go             |   3 +-
 test/e2e/framework/framework.go               |   5 +-
 19 files changed, 97 insertions(+), 311 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index a6dfe75da..a4f6b8ad8 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -186,7 +186,7 @@ jobs:
 
     strategy:
       matrix:
-        k8s: [v1.19.11, v1.20.7, v1.21.2, v1.22.0]
+        k8s: [v1.19.11, v1.20.7, v1.21.2, v1.22.0, v1.23.0]
 
     steps:
 
diff --git a/go.mod b/go.mod
index 6e2f1abf9..d3497ed21 100644
--- a/go.mod
+++ b/go.mod
@@ -14,10 +14,9 @@ require (
 	github.com/mitchellh/hashstructure v1.1.0
 	github.com/mitchellh/mapstructure v1.4.3
 	github.com/moul/pb v0.0.0-20180404114147-54bdd96e6a52
-	github.com/ncabatoff/process-exporter v0.7.9
+	github.com/ncabatoff/process-exporter v0.7.10
 	github.com/onsi/ginkgo v1.16.4
-	github.com/opencontainers/runc v1.0.2
-	github.com/pkg/errors v0.9.1
+	github.com/opencontainers/runc v1.0.3
 	github.com/pmezard/go-difflib v1.0.0
 	github.com/prometheus/client_golang v1.11.0
 	github.com/prometheus/client_model v0.2.0
@@ -25,25 +24,23 @@ require (
 	github.com/spf13/cobra v1.3.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.7.0
-	github.com/zakjan/cert-chain-resolver v0.0.0-20210427055340-87e10242a981
+	github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a
 	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
-	golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d
+	golang.org/x/net v0.0.0-20211209124913-491a49abca63
 	google.golang.org/grpc v1.43.0
-	gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
 	gopkg.in/go-playground/pool.v3 v3.1.1
-	k8s.io/api v0.22.2
-	k8s.io/apiextensions-apiserver v0.22.2
-	k8s.io/apimachinery v0.22.2
-	k8s.io/apiserver v0.22.2
-	k8s.io/cli-runtime v0.21.5
-	k8s.io/client-go v0.22.2
-	k8s.io/code-generator v0.22.2
-	k8s.io/component-base v0.22.2
-	k8s.io/klog/v2 v2.10.0
-	k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a // indirect
+	k8s.io/api v0.22.5
+	k8s.io/apiextensions-apiserver v0.22.5
+	k8s.io/apimachinery v0.22.5
+	k8s.io/apiserver v0.22.5
+	k8s.io/cli-runtime v0.22.5
+	k8s.io/client-go v0.22.5
+	k8s.io/code-generator v0.22.5
+	k8s.io/component-base v0.22.5
+	k8s.io/klog/v2 v2.9.0
 	pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732
 	sigs.k8s.io/controller-runtime v0.10.3
-	sigs.k8s.io/mdtoc v1.0.1
+	sigs.k8s.io/mdtoc v1.1.0
 )
 
 require (
@@ -75,13 +72,12 @@ require (
 	github.com/go-logr/logr v0.4.0 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.19.5 // indirect
-	github.com/go-openapi/spec v0.19.5 // indirect
 	github.com/go-openapi/swag v0.19.14 // indirect
 	github.com/godbus/dbus/v5 v5.0.4 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/gomarkdown/markdown v0.0.0-20200824053859-8c8b3816f167 // indirect
+	github.com/gomarkdown/markdown v0.0.0-20210514010506-3b9f47219fe7 // indirect
 	github.com/google/btree v1.0.1 // indirect
 	github.com/google/go-cmp v0.5.6 // indirect
 	github.com/google/go-querystring v1.0.0 // indirect
@@ -107,6 +103,7 @@ require (
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
 	github.com/sergi/go-diff v1.1.0 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
@@ -131,15 +128,17 @@ require (
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect
 	google.golang.org/protobuf v1.27.1 // indirect
+	gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 	k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027 // indirect
-	k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e // indirect
+	k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c // indirect
+	k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a // indirect
 	moul.io/http2curl v1.0.1-0.20190925090545-5cd742060b0e // indirect
-	sigs.k8s.io/kustomize/api v0.8.8 // indirect
-	sigs.k8s.io/kustomize/kyaml v0.10.17 // indirect
+	sigs.k8s.io/kustomize/api v0.8.11 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.11.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.1.2 // indirect
 	sigs.k8s.io/yaml v1.2.0 // indirect
 )
diff --git a/go.sum b/go.sum
index 96021702c..156bbe48b 100644
--- a/go.sum
+++ b/go.sum
@@ -52,17 +52,14 @@ github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
 github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
-github.com/Azure/go-autorest/autorest v0.11.12/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw=
 github.com/Azure/go-autorest/autorest v0.11.18 h1:90Y4srNYrwOtAgVo3ndrQkTYn6kf1Eg/AjTFJ8Is2aM=
 github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA=
-github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A=
 github.com/Azure/go-autorest/autorest/adal v0.9.13 h1:Mp5hbtOePIzM8pJVRa3YLrWWmZtoxRXqUEzCfJt3+/Q=
 github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M=
 github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw=
 github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
 github.com/Azure/go-autorest/autorest/mocks v0.4.1 h1:K0laFcLE6VLTOwNgSxaGbUcLPuGXlNkbVvq4cW4nIHk=
 github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
-github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
 github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg=
 github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
 github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
@@ -71,20 +68,13 @@ github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
-github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
-github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI=
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
-github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
-github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/4+TcAqDqk/vUH7g=
-github.com/afex/hystrix-go v0.0.0-20180502004556-fa1af6a1f4f5/go.mod h1:SkGFH1ia65gfNATL8TAiHDNxPzPdmEL5uirI2Uyuz6c=
-github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
@@ -92,12 +82,9 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
-github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/andybalholm/brotli v1.0.2 h1:JKnhI/XQ75uFBTiuzXpzFrUriDPiZjlOSzh6wXogP0E=
 github.com/andybalholm/brotli v1.0.2/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
-github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
-github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
@@ -106,12 +93,7 @@ github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a h1:AP/vsCIvJZ1
 github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a/go.mod h1:QmP9hvJ91BbJmGVGSbutW19IC0Q9phDCLGaomwTJbgU=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a/go.mod h1:DAHtR1m6lCRdSC2Tm3DSWRPvIPr6xNKyeHdqDQSQT+A=
-github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
-github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU=
-github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
-github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g=
 github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
@@ -123,8 +105,6 @@ github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edY
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
 github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
-github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ=
-github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
@@ -141,7 +121,6 @@ github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMn
 github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
 github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
-github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
@@ -153,11 +132,9 @@ github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
 github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo=
 github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA=
 github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI=
-github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI=
 github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
@@ -165,17 +142,14 @@ github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc
 github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9/ZjdUKyjop4mf3Qdd+1TvvltAvM3m8=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzAJc1DzSI=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg=
@@ -185,23 +159,17 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
-github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
-github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/eapache/channels v1.1.0 h1:F1taHcn7/F0i8DYqKXJnyhJcVpp2kgFcNePxXtnyu4k=
 github.com/eapache/channels v1.1.0/go.mod h1:jMm2qB5Ubtg9zLd+inMZd2/NUvXgzmWXsDaLyQIGfH0=
-github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
-github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
 github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc=
 github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
-github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emicklei/go-restful v2.9.5+incompatible h1:spTtZBk5DYEvbxMVutUuTyh1Ao2r4iyvLdACqsl/Ljk=
 github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/envoyproxy/go-control-plane v0.6.9/go.mod h1:SBwIajubJHhxtWwsL9s8ss4safvEdbitLhGGK48rN6g=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
@@ -214,8 +182,6 @@ github.com/envoyproxy/go-control-plane v0.10.1/go.mod h1:AY7fTTXNdv/aJ2O5jwpxAPO
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/envoyproxy/protoc-gen-validate v0.6.2/go.mod h1:2t7qjJNvHPx8IjnBOzl9E9/baC+qXE/TeeyBRzgJDws=
 github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
-github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch v4.11.0+incompatible h1:glyUF9yIYtMHzn8xaKw5rMhdWcwsYV8dZHIq5567/xs=
 github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fasthttp/websocket v1.4.3-rc.6 h1:omHqsl8j+KXpmzRjF8bmzOSYJ8GnS0E3efi1wYT+niY=
@@ -229,8 +195,6 @@ github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSw
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/form3tech-oss/jwt-go v3.2.3+incompatible h1:7ZaBxOI7TMoYBfyA3cQHErNNyAWIKUMIwqxEtgHOs5c=
 github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
-github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4=
-github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
@@ -242,8 +206,6 @@ github.com/gavv/httpexpect/v2 v2.3.1 h1:sGLlKMn8AuHS9ztK9Sb7AJ7OxIL8v2PcLdyxfKt1
 github.com/gavv/httpexpect/v2 v2.3.1/go.mod h1:yOE8m/aqFYQDNrgprMeXgq4YynfN9h1NgcE1+1suV64=
 github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
-github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
 github.com/go-errors/errors v1.0.1 h1:LUHzmkK3GUKUrL/1gfBUxAHzcev3apQlezX/+O7ma6w=
 github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
@@ -251,7 +213,6 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-kit/kit v0.10.0/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
@@ -262,69 +223,25 @@ github.com/go-logr/logr v0.4.0 h1:K7/B1jt6fIBQVd4Owv2MqGQClcgf0R266+7C/QjRcLc=
 github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
 github.com/go-logr/zapr v0.4.0 h1:uc1uML3hRYL9/ZZPdgHS/n8Nzo+eaYL/Efxkkamf7OM=
 github.com/go-logr/zapr v0.4.0/go.mod h1:tabnROwaDl0UNxkVeFRbY8bwB37GwRv0P8lg6aAiEnk=
-github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI=
-github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
-github.com/go-openapi/analysis v0.18.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
-github.com/go-openapi/analysis v0.19.2/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk=
-github.com/go-openapi/analysis v0.19.5/go.mod h1:hkEAkxagaIvIP7VTn8ygJNkd4kAYON2rCu0v0ObL0AU=
-github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
-github.com/go-openapi/errors v0.18.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
-github.com/go-openapi/errors v0.19.2/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94=
-github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
-github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
-github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg=
 github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY=
 github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
-github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
-github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
-github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc=
 github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
 github.com/go-openapi/jsonreference v0.19.5 h1:1WJP/wi4OjB4iV8KVbH73rQaoialJrqv8gitZLxGLtM=
 github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg=
-github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
-github.com/go-openapi/loads v0.18.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
-github.com/go-openapi/loads v0.19.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
-github.com/go-openapi/loads v0.19.2/go.mod h1:QAskZPMX5V0C2gvfkGZzJlINuP7Hx/4+ix5jWFxsNPs=
-github.com/go-openapi/loads v0.19.4/go.mod h1:zZVHonKd8DXyxyw4yfnVjPzBjIQcLt0CCsn0N0ZrQsk=
-github.com/go-openapi/runtime v0.0.0-20180920151709-4f900dc2ade9/go.mod h1:6v9a6LTXWQCdL8k1AO3cvqx5OtZY/Y9wKTgaoP6YRfA=
-github.com/go-openapi/runtime v0.19.0/go.mod h1:OwNfisksmmaZse4+gpV3Ne9AyMOlP1lt4sK4FXt0O64=
-github.com/go-openapi/runtime v0.19.4/go.mod h1:X277bwSUBxVlCYR3r7xgZZGKVvBd/29gLDlFGtJ8NL4=
-github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
-github.com/go-openapi/spec v0.18.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
-github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY=
-github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo=
-github.com/go-openapi/spec v0.19.5 h1:Xm0Ao53uqnk9QE/LlYV5DEU09UAgpliA85QoT9LzqPw=
-github.com/go-openapi/spec v0.19.5/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk=
-github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
-github.com/go-openapi/strfmt v0.18.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
-github.com/go-openapi/strfmt v0.19.0/go.mod h1:+uW+93UVvGGq2qGaZxdDeJqSAqBqBdl+ZPMF/cC8nDY=
-github.com/go-openapi/strfmt v0.19.3/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU=
-github.com/go-openapi/strfmt v0.19.5/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk=
-github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
-github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
-github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng=
 github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
-github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4=
-github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA=
-github.com/go-openapi/validate v0.19.8/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4=
-github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
-github.com/gobuffalo/here v0.6.0/go.mod h1:wAG085dHOYqUpf+Ap+WOdrPTp5IYcDAs/x7PLa8Y5fM=
 github.com/godbus/dbus/v5 v5.0.4 h1:9349emZab16e7zQvpmsbtjc18ykshndd8y2PG3sgJbA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -358,10 +275,9 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS
 github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
 github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/gomarkdown/markdown v0.0.0-20200824053859-8c8b3816f167 h1:LP/6EfrZ/LyCc+SXvANDrIJ4sP9u2NAtqyv6QknetNQ=
-github.com/gomarkdown/markdown v0.0.0-20200824053859-8c8b3816f167/go.mod h1:aii0r/K0ZnHv7G0KF7xy1v0A7s2Ljrb5byB7MO5p6TU=
+github.com/gomarkdown/markdown v0.0.0-20210514010506-3b9f47219fe7 h1:oKYOfNR7Hp6XpZ4JqolL5u642Js5Z0n7psPVl+S5heo=
+github.com/gomarkdown/markdown v0.0.0-20210514010506-3b9f47219fe7/go.mod h1:aii0r/K0ZnHv7G0KF7xy1v0A7s2Ljrb5byB7MO5p6TU=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
@@ -405,7 +321,6 @@ github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLe
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
-github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.2.0 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs=
@@ -414,32 +329,23 @@ github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0=
 github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM=
-github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg=
 github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
 github.com/googleapis/gnostic v0.5.5 h1:9fHAtK0uDfpveeqqo1hkEZJcFvYXAiCN3UutL8F9xHw=
 github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
-github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
-github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
-github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
-github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
-github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
 github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
-github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
-github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE=
 github.com/hashicorp/consul/api v1.11.0/go.mod h1:XjsvQN+RJGWI2TWy1/kqaE16HrR2J/FWgkYjdZQsX9M=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
-github.com/hashicorp/consul/sdk v0.3.0/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
 github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
@@ -459,7 +365,6 @@ github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerX
 github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
 github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
@@ -476,7 +381,6 @@ github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/J
 github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk=
 github.com/hashicorp/serf v0.9.6/go.mod h1:TXZNMjZQijwlDvp+r0b63xZ45H7JmCmgg4gpTwn9UV4=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/hudl/fargo v1.3.0/go.mod h1:y3CKSmjA+wD2gak7sUSXTAoopbhU08POFhmITJgmKTg=
 github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@@ -487,17 +391,13 @@ github.com/imkira/go-interpol v1.0.0 h1:HrmLyvOLJyjR0YofMw8QGdCIuYOs4TJUBDNU5sJC
 github.com/imkira/go-interpol v1.0.0/go.mod h1:z0h2/2T3XF8kyEPpRgJ3kmNv+C43p+I/CoI+jC3w2iA=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
-github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
-github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -525,7 +425,6 @@ github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfn
 github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
 github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
@@ -533,21 +432,15 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
-github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM=
-github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4=
 github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w=
-github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
-github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
 github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA=
 github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/markbates/pkger v0.17.1/go.mod h1:0JoVlrol20BSywW79rN3kdFFsE5xYM+rSCQDXbLhiuI=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
@@ -556,14 +449,12 @@ github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope
 github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
 github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
-github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84=
 github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
-github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI=
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
@@ -608,73 +499,46 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8m
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/nats-io/jwt v0.3.0/go.mod h1:fRYCDE99xlTsqUzISS1Bi75UBJ6ljOJQOAAu5VglpSg=
-github.com/nats-io/jwt v0.3.2/go.mod h1:/euKqTS1ZD+zzjYrY7pseZrTtWQSjujC7xjPc8wL6eU=
-github.com/nats-io/nats-server/v2 v2.1.2/go.mod h1:Afk+wRZqkMQs/p45uXdrVLuab3gwv3Z8C4HTBu8GD/k=
-github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzEE/Zbp4w=
-github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w=
-github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w=
-github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
 github.com/ncabatoff/fakescraper v0.0.0-20201102132415-4b37ba603d65/go.mod h1:Tx6UMSMyIsjLG/VU/F6xA1+0XI+/f9o1dGJnf1l+bPg=
 github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833 h1:t4WWQ9I797y7QUgeEjeXnVb+oYuEDQc6gLvrZJTYo94=
 github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833/go.mod h1:0CznHmXSjMEqs5Tezj/w2emQoM41wzYM9KpDKUHPYag=
-github.com/ncabatoff/process-exporter v0.7.9 h1:RRvLF8pbWwLryEZiNMKJGfCTQkJW8SNabneiKQq3DBY=
-github.com/ncabatoff/process-exporter v0.7.9/go.mod h1:I/1yUBpScNw5UC/Qf2DC9vWqol2cR6jPqSVulMEnzxQ=
+github.com/ncabatoff/process-exporter v0.7.10 h1:+Ere7+3se6QqP54gg7aBRagWcL8bq3u5zNi/GRSWeKQ=
+github.com/ncabatoff/process-exporter v0.7.10/go.mod h1:DHZRZjqxw9LCOpLlX0DjBuyn6d5plh41Jv6Tmttj7Ek=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
-github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs=
-github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
-github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
 github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
 github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc=
 github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
-github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.15.0 h1:WjP/FQ/sk43MRmnEcT+MlDw2TFvkrXlprrPST/IudjU=
 github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0=
-github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
-github.com/opencontainers/runc v1.0.2 h1:opHZMaswlyxz1OuGpBE53Dwe4/xF7EZTY0A2L/FpCOg=
-github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
+github.com/opencontainers/runc v1.0.3 h1:1hbqejyQWCJBvtKAfdO0b1FmaEf2z/bxnjqbARass5k=
+github.com/opencontainers/runc v1.0.3/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8=
-github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492/go.mod h1:Ngi6UdF0k5OKD5t5wlmGhe/EDKPoUM3BXZSSfIuJbis=
-github.com/opentracing/basictracer-go v1.0.0/go.mod h1:QfBfYuafItcjQuMwinw9GhYKwFXS9KnPs5lxoYwgW74=
-github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
-github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5/go.mod h1:/wsWhb9smxSfWAKL3wpBW7V8scJMt8N8gnaMCS9E/cA=
-github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
-github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4=
-github.com/openzipkin/zipkin-go v0.2.2/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4=
-github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIwwtUjcrb0b5/5kLM=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
-github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
-github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0jef7pBehbT1qWhCMrIgbYNnFAZCqQ5LRc=
-github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/profile v1.2.1/go.mod h1:hJw3o1OdXxsrSjjVksARp5W95eeEaEfptyVZyv6JUPA=
 github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -682,33 +546,28 @@ github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndr
 github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s=
 github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
-github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
-github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og=
 github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU=
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
 github.com/prometheus/client_golang v1.11.0 h1:HNkLOAEQMIDv/K+04rukrLx6ch7msSRwf3/SASFAGtQ=
 github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
-github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.1.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M=
 github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
-github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA=
 github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4=
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
+github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
 github.com/prometheus/common v0.31.1 h1:d18hG4PkHnNAKNMOmFuXFaiY8Us0nird/2m60uS1AMs=
 github.com/prometheus/common v0.31.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
+github.com/prometheus/exporter-toolkit v0.7.0/go.mod h1:ZUBIj498ePooX9t/2xtDjeQYwvRpiPP2lh5u4iblj2g=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
@@ -717,7 +576,6 @@ github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1
 github.com/prometheus/procfs v0.7.3 h1:4jVXhlkAyzOScmCkXBTOLRLTz8EeU+eyjrwB/EPq0VU=
 github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
-github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
@@ -728,7 +586,6 @@ github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/sagikazarmark/crypt v0.3.0/go.mod h1:uD/D+6UF4SrIR1uGEv7bBNkNqLGqUr43MRiaGWX1Nig=
-github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E=
 github.com/savsgio/gotils v0.0.0-20210617111740-97865ed5a873 h1:N3Af8f13ooDKcIhsmFT7Z05CStZWu4C7Md0uDEy4q6o=
 github.com/savsgio/gotils v0.0.0-20210617111740-97865ed5a873/go.mod h1:dmPawKuiAeG/aFYVs2i+Dyosoo7FNcm+Pi8iK6ZUrX8=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
@@ -747,7 +604,6 @@ github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
 github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
-github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
@@ -755,16 +611,13 @@ github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY52
 github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
 github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
-github.com/spf13/cobra v1.1.1/go.mod h1:WnodtKOvamDL/PwE2M4iKs8aMDBZ5Q5klgD3qfVJQMI=
 github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo=
 github.com/spf13/cobra v1.3.0 h1:R7cSvGu+Vv+qX0gW5R/85dx2kmmJT5z5NM8ifdYjdn0=
 github.com/spf13/cobra v1.3.0/go.mod h1:BrRVncBjOJa/eUcVVm9CE+oC6as8k+VYr4NY7WCi9V4=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
@@ -772,9 +625,6 @@ github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/y
 github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
 github.com/spf13/viper v1.10.0/go.mod h1:SoyBPwAtKDzypXNDFKN5kzH7ppppbGZtls1UpIy5AsM=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
-github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
-github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
-github.com/streadway/handy v0.0.0-20190108123426-d5acb3125c2a/go.mod h1:qNTQ5P5JnDBl6z3cMAg/SywNDC5ABu5ApDIw6lUbRmI=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48=
@@ -789,21 +639,17 @@ github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5Cc
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
-github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
-github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
 github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
 github.com/urfave/cli v1.17.1-0.20160602030128-01a33823596e/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
-github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fasthttp v1.27.0 h1:gDefRDL9aqSiwXV6aRW8aSBPs82y4KizSzHrBLf4NDI=
 github.com/valyala/fasthttp v1.27.0/go.mod h1:cmWIqlu99AO/RKcp1HWaViTqc57FswJOfYYdPJBl8BA=
 github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
-github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw=
 github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
 github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
@@ -829,12 +675,10 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/zakjan/cert-chain-resolver v0.0.0-20210427055340-87e10242a981 h1:fT5BTZ0s8G56nHHHyIf0/y1DE98CP5cDD7YTzyojDt8=
-github.com/zakjan/cert-chain-resolver v0.0.0-20210427055340-87e10242a981/go.mod h1:/Hzu8ych2oXCs1iNI+MeASyFzWTncQ6nlu/wgqbqC2A=
+github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a h1:CbXWHAnmrtTKgX+yMVVANuRJP8ld88ELbAYAYnBdLJ4=
+github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a/go.mod h1:/Hzu8ych2oXCs1iNI+MeASyFzWTncQ6nlu/wgqbqC2A=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
-go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
-go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg=
 go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
 go.etcd.io/etcd/api/v3 v3.5.1/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
 go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
@@ -845,11 +689,6 @@ go.etcd.io/etcd/client/v3 v3.5.0/go.mod h1:AIKXXVX/DQXtfTEqBryiLTUXwON+GuvO6Z7lL
 go.etcd.io/etcd/pkg/v3 v3.5.0/go.mod h1:UzJGatBQ1lXChBkQF0AuAtkRQMYnHubxAEYIrC3MSsE=
 go.etcd.io/etcd/raft/v3 v3.5.0/go.mod h1:UFOHSIvO/nKwd4lhkwabrTD3cqW5yVyYYf/KlD00Szc=
 go.etcd.io/etcd/server/v3 v3.5.0/go.mod h1:3Ah5ruV+M+7RZr0+Y/5mNLwC+eQlni+mQmOVdCRJoS4=
-go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
-go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
-go.mongodb.org/mongo-driver v1.1.2/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
-go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
-go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
@@ -871,19 +710,14 @@ go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16g
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee331t6JAXeK2bcyhLOOc=
 go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o=
-go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
-go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
-go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
 go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
-go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
 go.uber.org/zap v1.19.0 h1:mZQZefskPPCMIBCSEH0v2/iUqqLrYtaeqwD6FUGUnFE=
 go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
@@ -891,12 +725,8 @@ golang.org/dl v0.0.0-20190829154251-82a15e2f2ead/go.mod h1:IUMfjQLJQd4UTqG1Z90te
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -904,6 +734,7 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
+golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ=
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -946,16 +777,13 @@ golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181005035420-146acd28ed58/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190320064053-1272bf9dcd53/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -965,7 +793,6 @@ golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -990,7 +817,6 @@ golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210224082022-3d97a244fca7/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
@@ -1000,8 +826,9 @@ golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d h1:LO7XpTYMwTqxjLcGWPijK3vRXg1aWdlNOVOHRq45d7c=
 golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211209124913-491a49abca63 h1:iocB37TsdFuN6IBRZ+ry36wrkoV51/tl5vOWqkcPGvY=
+golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1038,21 +865,17 @@ golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190321052220-f7bb7a8bee54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1064,7 +887,6 @@ golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191220142924-d4481acd189f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1136,7 +958,6 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1144,11 +965,9 @@ golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxb
 golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac h1:7zkz7BUtwNFFqcowJ+RIgu2MaV/MapERkDIy+mwPyjs=
 golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190125232054-d66bd3c5d5a6/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
@@ -1158,8 +977,6 @@ golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBn
 golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190617190820-da514acc4774/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
@@ -1167,8 +984,6 @@ golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -1178,7 +993,6 @@ golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200103221440-774c71fcf114/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
@@ -1220,7 +1034,6 @@ golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1N
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY=
 gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY=
-google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -1254,7 +1067,6 @@ google.golang.org/api v0.59.0/go.mod h1:sT2boj7M9YJxZzgeZqXogmhfmRWDtPzT31xkieUb
 google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I=
 google.golang.org/api v0.62.0/go.mod h1:dKmwPCydfsad4qCH08MSdgWjfHOyfpd4VtDGgRFdavw=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
@@ -1267,7 +1079,6 @@ google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRn
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190530194941-fb225487d101/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s=
 google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
@@ -1329,15 +1140,11 @@ google.golang.org/genproto v0.0.0-20211203200212-54befc351ae9/go.mod h1:5CzLGKJ6
 google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
 google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa h1:I0YcKz0I7OAhddo7ya8kMnvprhcWM045PmkBdMO9zN0=
 google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
-google.golang.org/grpc v1.22.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
@@ -1385,10 +1192,8 @@ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o=
 gopkg.in/go-playground/assert.v1 v1.2.1 h1:xoYuJVE7KT85PYWrN730RguIQO0ePzVRfFMXadIrXTM=
 gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE=
 gopkg.in/go-playground/pool.v3 v3.1.1 h1:4Qcj91IsYTpIeRhe/eo6Fz+w6uKWPEghx8vHFTYMfhw=
@@ -1402,14 +1207,12 @@ gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
-gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
@@ -1420,7 +1223,6 @@ gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
 gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
-honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -1428,38 +1230,39 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.21.5/go.mod h1:Un8C5Hemo2r3MfPOjZvwQQ9KkBbiTBUCGrjlivo9uJ0=
-k8s.io/api v0.22.2 h1:M8ZzAD0V6725Fjg53fKeTJxGsJvRbk4TEm/fexHMtfw=
 k8s.io/api v0.22.2/go.mod h1:y3ydYpLJAaDI+BbSe2xmGcqxiWHmWjkEeIbiwHvnPR8=
-k8s.io/apiextensions-apiserver v0.22.2 h1:zK7qI8Ery7j2CaN23UCFaC1hj7dMiI87n01+nKuewd4=
+k8s.io/api v0.22.5 h1:xk7C+rMjF/EGELiD560jdmwzrB788mfcHiNbMQLIVI8=
+k8s.io/api v0.22.5/go.mod h1:mEhXyLaSD1qTOf40rRiKXkc+2iCem09rWLlFwhCEiAs=
 k8s.io/apiextensions-apiserver v0.22.2/go.mod h1:2E0Ve/isxNl7tWLSUDgi6+cmwHi5fQRdwGVCxbC+KFA=
-k8s.io/apimachinery v0.21.5/go.mod h1:3PfBV+4PPXNs0aueD+7fHcGyhdkFFYqXeshQtsKCi+4=
-k8s.io/apimachinery v0.22.2 h1:ejz6y/zNma8clPVfNDLnPbleBo6MpoFy/HBiBqCouVk=
+k8s.io/apiextensions-apiserver v0.22.5 h1:ML0QqT7FIlmZHN+9+2EtARJ3cJVHeoizt6GCteFRE0o=
+k8s.io/apiextensions-apiserver v0.22.5/go.mod h1:tIXeZ0BrDxUb1PoAz+tgOz43Zi1Bp4BEEqVtUccMJbE=
 k8s.io/apimachinery v0.22.2/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0=
-k8s.io/apiserver v0.22.2 h1:TdIfZJc6YNhu2WxeAOWq1TvukHF0Sfx0+ln4XK9qnL4=
+k8s.io/apimachinery v0.22.5 h1:cIPwldOYm1Slq9VLBRPtEYpyhjIm1C6aAMAoENuvN9s=
+k8s.io/apimachinery v0.22.5/go.mod h1:xziclGKwuuJ2RM5/rSFQSYAj0zdbci3DH8kj+WvyN0U=
 k8s.io/apiserver v0.22.2/go.mod h1:vrpMmbyjWrgdyOvZTSpsusQq5iigKNWv9o9KlDAbBHI=
-k8s.io/cli-runtime v0.21.5 h1:ZpPmrRsHvzdMzXrcr1/ZSBHLKrhS1aHyMr2hGJNlNpI=
-k8s.io/cli-runtime v0.21.5/go.mod h1:TKlcXsRVImtcPDGEe72pyZtD9UgBJNupIf3hmsIeekE=
-k8s.io/client-go v0.21.5/go.mod h1:EUornVlr3rBrPKXUoMPNggJdEQmvFNMpYO3Kb6432kw=
-k8s.io/client-go v0.22.2 h1:DaSQgs02aCC1QcwUdkKZWOeaVsQjYvWv8ZazcZ6JcHc=
+k8s.io/apiserver v0.22.5 h1:71krQxCUz218ecb+nPhfDsNB6QgP1/4EMvi1a2uYBlg=
+k8s.io/apiserver v0.22.5/go.mod h1:s2WbtgZAkTKt679sYtSudEQrTGWUSQAPe6MupLnlmaQ=
+k8s.io/cli-runtime v0.22.5 h1:bZqLgx1INiPgXyMk/Hu3o5NFmdfvlvtsoE+wHJuKA2U=
+k8s.io/cli-runtime v0.22.5/go.mod h1:12ah4O0kaevIYHsRcFGt8RKER0wlTN2yCgHp1c4Uxp4=
 k8s.io/client-go v0.22.2/go.mod h1:sAlhrkVDf50ZHx6z4K0S40wISNTarf1r800F+RlCF6U=
-k8s.io/code-generator v0.22.2 h1:+bUv9lpTnAWABtPkvO4x0kfz7j/kDEchVt0P/wXU3jQ=
+k8s.io/client-go v0.22.5 h1:I8Zn/UqIdi2r02aZmhaJ1hqMxcpfJ3t5VqvHtctHYFo=
+k8s.io/client-go v0.22.5/go.mod h1:cs6yf/61q2T1SdQL5Rdcjg9J1ElXSwbjSrW2vFImM4Y=
 k8s.io/code-generator v0.22.2/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o=
-k8s.io/component-base v0.22.2 h1:vNIvE0AIrLhjX8drH0BgCNJcR4QZxMXcJzBsDplDx9M=
+k8s.io/code-generator v0.22.5 h1:jn+mYXI5q7rzo7Bz/n8xZIgbe61SeXlIjU5jA8jLVps=
+k8s.io/code-generator v0.22.5/go.mod h1:sbdWCOVob+KaQ5O7xs8PNNaCTpbWVqNgA6EPwLOmRNk=
 k8s.io/component-base v0.22.2/go.mod h1:5Br2QhI9OTe79p+TzPe9JKNQYvEKbq9rTJDWllunGug=
+k8s.io/component-base v0.22.5 h1:U0eHqZm7mAFE42hFwYhY6ze/MmVaW00JpMrzVsQmzYE=
+k8s.io/component-base v0.22.5/go.mod h1:VK3I+TjuF9eaa+Ln67dKxhGar5ynVbwnGrUiNF4MqCI=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027 h1:Uusb3oh8XcdzDF/ndlI4ToKTYVlkCSJP39SRY2mfRAw=
 k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
-k8s.io/klog/v2 v2.8.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
+k8s.io/klog/v2 v2.9.0 h1:D7HV+n1V57XeZ0m6tdRkfknthUaM06VFbWldOFh8kzM=
 k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
-k8s.io/klog/v2 v2.10.0 h1:R2HDMDJsHVTHA2n4RjwbeYXdOcBymXdX/JRb1v0VGhE=
-k8s.io/klog/v2 v2.10.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
-k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE=
-k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e h1:KLHHjkdQFomZy8+06csTWZ0m1343QqxZhR2LJ1OxCYM=
 k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw=
-k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c h1:jvamsI1tn9V0S8jicyX82qaFC0H/NKxv2e5mbqsgR80=
+k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw=
 k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a h1:8dYfu/Fc9Gz2rNJKB9IQRGgQOh2clmRzNIPPY1xLY5g=
 k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 moul.io/http2curl v1.0.1-0.20190925090545-5cd742060b0e h1:C7q+e9M5nggAvWfVg9Nl66kebKeuJlP3FD58V4RR5wo=
@@ -1472,16 +1275,14 @@ rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
 sigs.k8s.io/controller-runtime v0.10.3 h1:s5Ttmw/B4AuIbwrXD3sfBkXwnPMMWrqpVj4WRt1dano=
 sigs.k8s.io/controller-runtime v0.10.3/go.mod h1:CQp8eyUQZ/Q7PJvnIrB6/hgfTC1kBkGylwsLgOQi1WY=
-sigs.k8s.io/kustomize/api v0.8.8 h1:G2z6JPSSjtWWgMeWSoHdXqyftJNmMmyxXpwENGoOtGE=
-sigs.k8s.io/kustomize/api v0.8.8/go.mod h1:He1zoK0nk43Pc6NlV085xDXDXTNprtcyKZVm3swsdNY=
-sigs.k8s.io/kustomize/kyaml v0.10.17 h1:4zrV0ym5AYa0e512q7K3Wp1u7mzoWW0xR3UHJcGWGIg=
-sigs.k8s.io/kustomize/kyaml v0.10.17/go.mod h1:mlQFagmkm1P+W4lZJbJ/yaxMd8PqMRSC4cPcfUVt5Hg=
-sigs.k8s.io/mdtoc v1.0.1 h1:6ECKhQnbetwZBR6R2IeT2LH+1w+2Zsip0iXjikgaXIk=
-sigs.k8s.io/mdtoc v1.0.1/go.mod h1:COYBtOjsaCg7o7SC4eaLwEXPuVRSuiVuLLRrHd7kShw=
+sigs.k8s.io/kustomize/api v0.8.11 h1:LzQzlq6Z023b+mBtc6v72N2mSHYmN8x7ssgbf/hv0H8=
+sigs.k8s.io/kustomize/api v0.8.11/go.mod h1:a77Ls36JdfCWojpUqR6m60pdGY1AYFix4AH83nJtY1g=
+sigs.k8s.io/kustomize/kyaml v0.11.0 h1:9KhiCPKaVyuPcgOLJXkvytOvjMJLoxpjodiycb4gHsA=
+sigs.k8s.io/kustomize/kyaml v0.11.0/go.mod h1:GNMwjim4Ypgp/MueD3zXHLRJEjz7RvtPae0AwlvEMFM=
+sigs.k8s.io/mdtoc v1.1.0 h1:q3YtqYzmC2e0hgLXRIOm7/QLuPux1CX3ZHCwlbABxZo=
+sigs.k8s.io/mdtoc v1.1.0/go.mod h1:QZLVEdHH2iNIR4uHAZyvFRtjloHgVItk8lo/mzCtq3w=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/structured-merge-diff/v4 v4.1.2 h1:Hr/htKFmJEbtMgS/UD0N+gtgctAqz81t3nu+sPzynno=
 sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=
-sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
 sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
-sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU=
diff --git a/internal/file/structure.go b/internal/file/structure.go
index 485db79c8..d109e8c03 100644
--- a/internal/file/structure.go
+++ b/internal/file/structure.go
@@ -17,9 +17,8 @@ limitations under the License.
 package file
 
 import (
+	"fmt"
 	"os"
-
-	"github.com/pkg/errors"
 )
 
 const (
@@ -50,13 +49,13 @@ func CreateRequiredDirectories() error {
 			if os.IsNotExist(err) {
 				err = os.MkdirAll(directory, ReadWriteByUser)
 				if err != nil {
-					return errors.Wrapf(err, "creating directory '%v'", directory)
+					return fmt.Errorf("creating directory %s: %w", directory, err)
 				}
 
 				continue
 			}
 
-			return errors.Wrapf(err, "checking directory %v", directory)
+			return fmt.Errorf("checking directory %s: %w", directory, err)
 		}
 	}
 
diff --git a/internal/ingress/annotations/auth/main.go b/internal/ingress/annotations/auth/main.go
index 0a642f99f..e05988365 100644
--- a/internal/ingress/annotations/auth/main.go
+++ b/internal/ingress/annotations/auth/main.go
@@ -22,7 +22,6 @@ import (
 	"regexp"
 	"strings"
 
-	"github.com/pkg/errors"
 	api "k8s.io/api/core/v1"
 	networking "k8s.io/api/networking/v1"
 	"k8s.io/client-go/tools/cache"
@@ -118,14 +117,14 @@ func (a auth) Parse(ing *networking.Ingress) (interface{}, error) {
 	s, err := parser.GetStringAnnotation("auth-secret", ing)
 	if err != nil {
 		return nil, ing_errors.LocationDenied{
-			Reason: errors.Wrap(err, "error reading secret name from annotation"),
+			Reason: fmt.Errorf("error reading secret name from annotation: %w", err),
 		}
 	}
 
 	sns, sname, err := cache.SplitMetaNamespaceKey(s)
 	if err != nil {
 		return nil, ing_errors.LocationDenied{
-			Reason: errors.Wrap(err, "error reading secret name from annotation"),
+			Reason: fmt.Errorf("error reading secret name from annotation: %w", err),
 		}
 	}
 
@@ -137,7 +136,7 @@ func (a auth) Parse(ing *networking.Ingress) (interface{}, error) {
 	secret, err := a.r.GetSecret(name)
 	if err != nil {
 		return nil, ing_errors.LocationDenied{
-			Reason: errors.Wrapf(err, "unexpected error reading secret %v", name),
+			Reason: fmt.Errorf("unexpected error reading secret %s: %w", name, err),
 		}
 	}
 
@@ -158,7 +157,7 @@ func (a auth) Parse(ing *networking.Ingress) (interface{}, error) {
 		}
 	default:
 		return nil, ing_errors.LocationDenied{
-			Reason: errors.Wrap(err, "invalid auth-secret-type in annotation, must be 'auth-file' or 'auth-map'"),
+			Reason: fmt.Errorf("invalid auth-secret-type in annotation, must be 'auth-file' or 'auth-map': %w", err),
 		}
 	}
 
@@ -179,14 +178,14 @@ func dumpSecretAuthFile(filename string, secret *api.Secret) error {
 	val, ok := secret.Data["auth"]
 	if !ok {
 		return ing_errors.LocationDenied{
-			Reason: errors.Errorf("the secret %v does not contain a key with value auth", secret.Name),
+			Reason: fmt.Errorf("the secret %s does not contain a key with value auth", secret.Name),
 		}
 	}
 
 	err := os.WriteFile(filename, val, file.ReadWriteByUser)
 	if err != nil {
 		return ing_errors.LocationDenied{
-			Reason: errors.Wrap(err, "unexpected error creating password file"),
+			Reason: fmt.Errorf("unexpected error creating password file: %w", err),
 		}
 	}
 
@@ -205,7 +204,7 @@ func dumpSecretAuthMap(filename string, secret *api.Secret) error {
 	err := os.WriteFile(filename, []byte(builder.String()), file.ReadWriteByUser)
 	if err != nil {
 		return ing_errors.LocationDenied{
-			Reason: errors.Wrap(err, "unexpected error creating password file"),
+			Reason: fmt.Errorf("unexpected error creating password file: %w", err),
 		}
 	}
 
diff --git a/internal/ingress/annotations/auth/main_test.go b/internal/ingress/annotations/auth/main_test.go
index bffb8e0a8..c552851ae 100644
--- a/internal/ingress/annotations/auth/main_test.go
+++ b/internal/ingress/annotations/auth/main_test.go
@@ -22,7 +22,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/pkg/errors"
+	"errors"
 
 	api "k8s.io/api/core/v1"
 	networking "k8s.io/api/networking/v1"
@@ -81,7 +81,7 @@ type mockSecret struct {
 
 func (m mockSecret) GetSecret(name string) (*api.Secret, error) {
 	if name != "default/demo-secret" {
-		return nil, errors.Errorf("there is no secret with name %v", name)
+		return nil, fmt.Errorf("there is no secret with name %v", name)
 	}
 
 	return &api.Secret{
diff --git a/internal/ingress/annotations/authtls/main.go b/internal/ingress/annotations/authtls/main.go
index dd89df4f3..cbe014c4a 100644
--- a/internal/ingress/annotations/authtls/main.go
+++ b/internal/ingress/annotations/authtls/main.go
@@ -17,7 +17,7 @@ limitations under the License.
 package authtls
 
 import (
-	"github.com/pkg/errors"
+	"fmt"
 	networking "k8s.io/api/networking/v1"
 
 	"regexp"
@@ -102,7 +102,7 @@ func (a authTLS) Parse(ing *networking.Ingress) (interface{}, error) {
 
 	authCert, err := a.r.GetAuthCertificate(tlsauthsecret)
 	if err != nil {
-		e := errors.Wrap(err, "error obtaining certificate")
+		e := fmt.Errorf("error obtaining certificate: %w", err)
 		return &Config{}, ing_errors.LocationDenied{Reason: e}
 	}
 	config.AuthSSLCert = *authCert
diff --git a/internal/ingress/annotations/defaultbackend/main.go b/internal/ingress/annotations/defaultbackend/main.go
index 7b239497d..b1685015e 100644
--- a/internal/ingress/annotations/defaultbackend/main.go
+++ b/internal/ingress/annotations/defaultbackend/main.go
@@ -19,7 +19,6 @@ package defaultbackend
 import (
 	"fmt"
 
-	"github.com/pkg/errors"
 	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
@@ -46,7 +45,7 @@ func (db backend) Parse(ing *networking.Ingress) (interface{}, error) {
 	name := fmt.Sprintf("%v/%v", ing.Namespace, s)
 	svc, err := db.r.GetService(name)
 	if err != nil {
-		return nil, errors.Wrapf(err, "unexpected error reading service %v", name)
+		return nil, fmt.Errorf("unexpected error reading service %s: %w", name, err)
 	}
 
 	return svc, nil
diff --git a/internal/ingress/annotations/fastcgi/main.go b/internal/ingress/annotations/fastcgi/main.go
index a7e96a014..b32b85997 100644
--- a/internal/ingress/annotations/fastcgi/main.go
+++ b/internal/ingress/annotations/fastcgi/main.go
@@ -20,7 +20,6 @@ import (
 	"fmt"
 	"reflect"
 
-	"github.com/pkg/errors"
 	networking "k8s.io/api/networking/v1"
 	"k8s.io/client-go/tools/cache"
 
@@ -85,7 +84,7 @@ func (a fastcgi) Parse(ing *networking.Ingress) (interface{}, error) {
 	cmns, cmn, err := cache.SplitMetaNamespaceKey(cm)
 	if err != nil {
 		return fcgiConfig, ing_errors.LocationDenied{
-			Reason: errors.Wrap(err, "error reading configmap name from annotation"),
+			Reason: fmt.Errorf("error reading configmap name from annotation: %w", err),
 		}
 	}
 
@@ -97,7 +96,7 @@ func (a fastcgi) Parse(ing *networking.Ingress) (interface{}, error) {
 	cmap, err := a.r.GetConfigMap(cm)
 	if err != nil {
 		return fcgiConfig, ing_errors.LocationDenied{
-			Reason: errors.Wrapf(err, "unexpected error reading configmap %v", cm),
+			Reason: fmt.Errorf("unexpected error reading configmap %s: %w", cm, err),
 		}
 	}
 
diff --git a/internal/ingress/annotations/globalratelimit/main.go b/internal/ingress/annotations/globalratelimit/main.go
index 02a732847..c5763d0cb 100644
--- a/internal/ingress/annotations/globalratelimit/main.go
+++ b/internal/ingress/annotations/globalratelimit/main.go
@@ -17,10 +17,10 @@ limitations under the License.
 package globalratelimit
 
 import (
+	"fmt"
 	"strings"
 	"time"
 
-	"github.com/pkg/errors"
 	networking "k8s.io/api/networking/v1"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
@@ -86,7 +86,7 @@ func (a globalratelimit) Parse(ing *networking.Ingress) (interface{}, error) {
 	windowSize, err := time.ParseDuration(rawWindowSize)
 	if err != nil {
 		return config, ing_errors.LocationDenied{
-			Reason: errors.Wrap(err, "failed to parse 'global-rate-limit-window' value"),
+			Reason: fmt.Errorf("failed to parse 'global-rate-limit-window' value: %w", err),
 		}
 	}
 
diff --git a/internal/ingress/annotations/globalratelimit/main_test.go b/internal/ingress/annotations/globalratelimit/main_test.go
index 341a9883c..815d6cfff 100644
--- a/internal/ingress/annotations/globalratelimit/main_test.go
+++ b/internal/ingress/annotations/globalratelimit/main_test.go
@@ -21,7 +21,6 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/pkg/errors"
 	api "k8s.io/api/core/v1"
 	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -159,8 +158,7 @@ func TestGlobalRateLimiting(t *testing.T) {
 			},
 			&Config{},
 			ing_errors.LocationDenied{
-				Reason: errors.Wrap(fmt.Errorf(`time: unknown unit "mb" in duration "2mb"`),
-					"failed to parse 'global-rate-limit-window' value"),
+				Reason: fmt.Errorf("failed to parse 'global-rate-limit-window' value: time: unknown unit \"mb\" in duration \"2mb\""),
 			},
 		},
 	}
diff --git a/internal/ingress/annotations/ipwhitelist/main.go b/internal/ingress/annotations/ipwhitelist/main.go
index 4fd40ee2b..77c2b6cc0 100644
--- a/internal/ingress/annotations/ipwhitelist/main.go
+++ b/internal/ingress/annotations/ipwhitelist/main.go
@@ -17,11 +17,10 @@ limitations under the License.
 package ipwhitelist
 
 import (
+	"fmt"
 	"sort"
 	"strings"
 
-	"github.com/pkg/errors"
-
 	networking "k8s.io/api/networking/v1"
 	"k8s.io/ingress-nginx/internal/net"
 
@@ -75,7 +74,7 @@ func (a ipwhitelist) Parse(ing *networking.Ingress) (interface{}, error) {
 	ipnets, ips, err := net.ParseIPNets(values...)
 	if err != nil && len(ips) == 0 {
 		return &SourceRange{CIDR: defBackend.WhitelistSourceRange}, ing_errors.LocationDenied{
-			Reason: errors.Wrap(err, "the annotation does not contain a valid IP address or network"),
+			Reason: fmt.Errorf("the annotation does not contain a valid IP address or network: %w", err),
 		}
 	}
 
diff --git a/internal/ingress/annotations/proxyssl/main.go b/internal/ingress/annotations/proxyssl/main.go
index 2452d90da..22f49b3eb 100644
--- a/internal/ingress/annotations/proxyssl/main.go
+++ b/internal/ingress/annotations/proxyssl/main.go
@@ -17,11 +17,11 @@ limitations under the License.
 package proxyssl
 
 import (
+	"fmt"
 	"regexp"
 	"sort"
 	"strings"
 
-	"github.com/pkg/errors"
 	networking "k8s.io/api/networking/v1"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	ing_errors "k8s.io/ingress-nginx/internal/ingress/errors"
@@ -132,7 +132,7 @@ func (p proxySSL) Parse(ing *networking.Ingress) (interface{}, error) {
 
 	proxyCert, err := p.r.GetAuthCertificate(proxysslsecret)
 	if err != nil {
-		e := errors.Wrap(err, "error obtaining certificate")
+		e := fmt.Errorf("error obtaining certificate: %w", err)
 		return &Config{}, ing_errors.LocationDenied{Reason: e}
 	}
 	config.AuthSSLCert = *proxyCert
diff --git a/internal/ingress/controller/checker.go b/internal/ingress/controller/checker.go
index e6aa8ea85..3229778bb 100644
--- a/internal/ingress/controller/checker.go
+++ b/internal/ingress/controller/checker.go
@@ -24,7 +24,6 @@ import (
 	"strings"
 
 	"github.com/ncabatoff/process-exporter/proc"
-	"github.com/pkg/errors"
 
 	"k8s.io/ingress-nginx/internal/nginx"
 )
@@ -43,27 +42,27 @@ func (n *NGINXController) Check(_ *http.Request) error {
 	// check the nginx master process is running
 	fs, err := proc.NewFS("/proc", false)
 	if err != nil {
-		return errors.Wrap(err, "reading /proc directory")
+		return fmt.Errorf("reading /proc directory: %w", err)
 	}
 
 	f, err := os.ReadFile(nginx.PID)
 	if err != nil {
-		return errors.Wrapf(err, "reading %v", nginx.PID)
+		return fmt.Errorf("reading %v: %w", nginx.PID, err)
 	}
 
 	pid, err := strconv.Atoi(strings.TrimRight(string(f), "\r\n"))
 	if err != nil {
-		return errors.Wrapf(err, "reading NGINX PID from file %v", nginx.PID)
+		return fmt.Errorf("reading NGINX PID from file %v: %w", nginx.PID, err)
 	}
 
 	_, err = fs.Proc(pid)
 	if err != nil {
-		return errors.Wrapf(err, "checking for NGINX process with PID %v", pid)
+		return fmt.Errorf("checking for NGINX process with PID %v: %w", pid, err)
 	}
 
 	statusCode, _, err := nginx.NewGetStatusRequest("/is-dynamic-lb-initialized")
 	if err != nil {
-		return errors.Wrapf(err, "checking if the dynamic load balancer started")
+		return fmt.Errorf("checking if the dynamic load balancer started: %w", err)
 	}
 
 	if statusCode != 200 {
diff --git a/internal/ingress/controller/store/backend_ssl.go b/internal/ingress/controller/store/backend_ssl.go
index 41a5b2b40..19283d2fd 100644
--- a/internal/ingress/controller/store/backend_ssl.go
+++ b/internal/ingress/controller/store/backend_ssl.go
@@ -22,7 +22,6 @@ import (
 
 	"k8s.io/klog/v2"
 
-	"github.com/pkg/errors"
 	apiv1 "k8s.io/api/core/v1"
 	networking "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -180,7 +179,7 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error
 	if secretName == s.defaultSSLCertificate {
 		path, err := ssl.StoreSSLCertOnDisk(nsSecName, sslCert)
 		if err != nil {
-			return nil, errors.Wrap(err, "storing default SSL Certificate")
+			return nil, fmt.Errorf("storing default SSL Certificate: %w", err)
 		}
 
 		sslCert.PemFileName = path
diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go
index e5be1490a..9b61d059a 100644
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@@ -36,8 +36,6 @@ import (
 	text_template "text/template"
 	"time"
 
-	"github.com/pkg/errors"
-
 	networkingv1 "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/klog/v2"
@@ -81,7 +79,7 @@ type Template struct {
 func NewTemplate(file string) (*Template, error) {
 	data, err := os.ReadFile(file)
 	if err != nil {
-		return nil, errors.Wrapf(err, "unexpected error reading template %v", file)
+		return nil, fmt.Errorf("unexpected error reading template %s: %w", file, err)
 	}
 
 	tmpl, err := text_template.New("nginx.tmpl").Funcs(funcMap).Parse(string(data))
diff --git a/internal/ingress/errors/errors.go b/internal/ingress/errors/errors.go
index 11ca0f3cf..93c9ee5e0 100644
--- a/internal/ingress/errors/errors.go
+++ b/internal/ingress/errors/errors.go
@@ -17,9 +17,8 @@ limitations under the License.
 package errors
 
 import (
+	"errors"
 	"fmt"
-
-	"github.com/pkg/errors"
 )
 
 var (
@@ -50,7 +49,7 @@ func NewInvalidAnnotationContent(name string, val interface{}) error {
 // NewLocationDenied returns a new LocationDenied error
 func NewLocationDenied(reason string) error {
 	return LocationDenied{
-		Reason: errors.Errorf("Location denied, reason: %v", reason),
+		Reason: fmt.Errorf("Location denied, reason: %v", reason),
 	}
 }
 
@@ -109,5 +108,5 @@ func New(m string) error {
 // Errorf formats according to a format specifier and returns the string
 // as a value that satisfies error.
 func Errorf(format string, args ...interface{}) error {
-	return errors.Errorf(format, args...)
+	return fmt.Errorf(format, args...)
 }
diff --git a/internal/ingress/status/status.go b/internal/ingress/status/status.go
index 791e88818..bf79701fc 100644
--- a/internal/ingress/status/status.go
+++ b/internal/ingress/status/status.go
@@ -25,7 +25,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/pkg/errors"
 	"k8s.io/klog/v2"
 
 	pool "gopkg.in/go-playground/pool.v3"
@@ -294,7 +293,7 @@ func runUpdate(ing *ingress.Ingress, status []apiv1.LoadBalancerIngress,
 		ingClient := client.NetworkingV1().Ingresses(ing.Namespace)
 		currIng, err := ingClient.Get(context.TODO(), ing.Name, metav1.GetOptions{})
 		if err != nil {
-			return nil, errors.Wrap(err, fmt.Sprintf("unexpected error searching Ingress %v/%v", ing.Namespace, ing.Name))
+			return nil, fmt.Errorf("unexpected error searching Ingress %s/%s: %w", ing.Namespace, ing.Name, err)
 		}
 
 		klog.InfoS("updating Ingress status", "namespace", currIng.Namespace, "ingress", currIng.Name, "currentValue", currIng.Status.LoadBalancer.Ingress, "newValue", status)
diff --git a/test/e2e/framework/framework.go b/test/e2e/framework/framework.go
index 11405c69f..f0463bd0d 100644
--- a/test/e2e/framework/framework.go
+++ b/test/e2e/framework/framework.go
@@ -24,7 +24,6 @@ import (
 
 	"github.com/gavv/httpexpect/v2"
 	"github.com/onsi/ginkgo"
-	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -508,7 +507,7 @@ func UpdateDeployment(kubeClientSet kubernetes.Interface, namespace string, name
 		deployment.Spec.Replicas = NewInt32(int32(replicas))
 		_, err = kubeClientSet.AppsV1().Deployments(namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{})
 		if err != nil {
-			return errors.Wrapf(err, "scaling the number of replicas to %v", replicas)
+			return fmt.Errorf("scaling the number of replicas to %d: %w", replicas, err)
 		}
 
 		err = waitForDeploymentRollout(kubeClientSet, deployment)
@@ -521,7 +520,7 @@ func UpdateDeployment(kubeClientSet kubernetes.Interface, namespace string, name
 		LabelSelector: fields.SelectorFromSet(fields.Set(deployment.Spec.Template.ObjectMeta.Labels)).String(),
 	})
 	if err != nil {
-		return errors.Wrapf(err, "waiting for nginx-ingress-controller replica count to be %v", replicas)
+		return fmt.Errorf("waiting for nginx-ingress-controller replica count to be %d: %w", replicas, err)
 	}
 
 	return nil

From fd820db469f61860b381ac75931a261aac87439d Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Sun, 9 Jan 2022 22:31:11 -0300
Subject: [PATCH 279/376] Update to go v1.17.6 (#8119)

---
 .github/workflows/ci.yaml   | 6 +++---
 images/test-runner/Makefile | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index a4f6b8ad8..0d9ba2ad2 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -67,7 +67,7 @@ jobs:
         id: go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.17
+          go-version: '1.17.6'
 
       - name: Set up Docker Buildx
         id: buildx
@@ -126,7 +126,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v2
         with:
-          go-version: '^1.17'
+          go-version: '1.17.6'
 
       - name: cache
         uses: actions/download-artifact@v2
@@ -319,7 +319,7 @@ jobs:
         if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
         uses: actions/setup-go@v2
         with:
-          go-version: 1.17
+          go-version: '1.17.6'
 
       - name: kube-webhook-certgen image build
         if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile
index 664782a09..4caebebd3 100644
--- a/images/test-runner/Makefile
+++ b/images/test-runner/Makefile
@@ -39,7 +39,7 @@ build: ensure-buildx
 		--progress=$(PROGRESS) \
 		--pull \
 		--build-arg BASE_IMAGE=$(NGINX_BASE_IMAGE) \
-		--build-arg GOLANG_VERSION=1.17.0 \
+		--build-arg GOLANG_VERSION=1.17.6 \
 		--build-arg ETCD_VERSION=3.4.3-0 \
 		--build-arg K8S_RELEASE=v1.21.3 \
 		--build-arg RESTY_CLI_VERSION=0.27 \

From a17181e43ec85534a6fea968d95d019c5a4bc8cf Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Mon, 10 Jan 2022 01:37:11 -0300
Subject: [PATCH 280/376] Update go in runner and release v1.1.1 (#8120)

* Update go in runner and release v1.1.1

* Update build/run-in-docker.sh

Co-authored-by: Jintao Zhang <tao12345666333@163.com>

Co-authored-by: Jintao Zhang <tao12345666333@163.com>
---
 TAG                       | 2 +-
 build/run-in-docker.sh    | 2 +-
 test/e2e-image/Dockerfile | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/TAG b/TAG
index 795460fce..56130fb3a 100644
--- a/TAG
+++ b/TAG
@@ -1 +1 @@
-v1.1.0
+v1.1.1
diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh
index d345a81ec..e89abe9d8 100755
--- a/build/run-in-docker.sh
+++ b/build/run-in-docker.sh
@@ -37,7 +37,7 @@ function cleanup {
 }
 trap cleanup EXIT
 
-E2E_IMAGE=${E2E_IMAGE:-k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210916-gd9f96bbbb@sha256:5b434c08e582b58b96867152682c1e754ee609c82390abf3074992d4ec53ed25}
+E2E_IMAGE=${E2E_IMAGE:-k8s.gcr.io/ingress-nginx/e2e-test-runner:v20220110-gfd820db46@sha256:273f7d9b1b2297cd96b4d51600e45d932186a1cc79d00d179dfb43654112fe8f}
 
 DOCKER_OPTS=${DOCKER_OPTS:-}
 DOCKER_IN_DOCKER_ENABLED=${DOCKER_IN_DOCKER_ENABLED:-}
diff --git a/test/e2e-image/Dockerfile b/test/e2e-image/Dockerfile
index fc5f30000..e53d02242 100644
--- a/test/e2e-image/Dockerfile
+++ b/test/e2e-image/Dockerfile
@@ -1,4 +1,4 @@
-FROM k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210916-gd9f96bbbb@sha256:5b434c08e582b58b96867152682c1e754ee609c82390abf3074992d4ec53ed25 AS BASE
+FROM k8s.gcr.io/ingress-nginx/e2e-test-runner:v20220110-gfd820db46@sha256:273f7d9b1b2297cd96b4d51600e45d932186a1cc79d00d179dfb43654112fe8f AS BASE
 
 FROM alpine:3.12
 

From d8c9a6c238f714587da4d2ac2dcd0d3d39419ccf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E8=BF=9C=E5=90=9B?= <1123431949@qq.com>
Date: Tue, 11 Jan 2022 15:23:16 +0800
Subject: [PATCH 281/376] Fix ingress module a syntax error (#8129)

---
 docs/examples/multi-tls/multi-tls.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/examples/multi-tls/multi-tls.yaml b/docs/examples/multi-tls/multi-tls.yaml
index 3612ab6d7..167e48ae0 100644
--- a/docs/examples/multi-tls/multi-tls.yaml
+++ b/docs/examples/multi-tls/multi-tls.yaml
@@ -129,7 +129,7 @@ spec:
       - path: /
         pathType: Prefix
         backend:
-          service
+          service:
             name: nginx
             port:
               number: 80

From a9495ecae0306030076d258513c2dbc89bf78b72 Mon Sep 17 00:00:00 2001
From: Mario Vejlupek <mario@vejlupek.cz>
Date: Wed, 12 Jan 2022 15:30:37 +0100
Subject: [PATCH 282/376] Add custom error pages example file (#8060)

* Add custom error pages example file

* Update docs/examples/customization/custom-errors/README.md

Co-authored-by: Jintao Zhang <tao12345666333@163.com>

Co-authored-by: Jintao Zhang <tao12345666333@163.com>
---
 .../customization/custom-errors/README.md     |  2 ++
 ...default-backend-error_pages.configMap.yaml | 19 ++++++++++++++++++
 .../custom-default-backend.helm.values.yaml   | 20 +++++++++++++++++++
 .../custom-errors/custom-default-backend.yaml | 16 +++++++++++++++
 4 files changed, 57 insertions(+)
 create mode 100644 docs/examples/customization/custom-errors/custom-default-backend-error_pages.configMap.yaml
 create mode 100644 docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml

diff --git a/docs/examples/customization/custom-errors/README.md b/docs/examples/customization/custom-errors/README.md
index 00b999859..a137fd6dc 100644
--- a/docs/examples/customization/custom-errors/README.md
+++ b/docs/examples/customization/custom-errors/README.md
@@ -2,6 +2,8 @@
 
 This example demonstrates how to use a custom backend to render custom error pages.
 
+If you are using Helm Chart, look at [example values](https://github.com/kubernetes/ingress-nginx/blob/main/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml) and don't forget to add [configMap](https://github.com/kubernetes/ingress-nginx/blob/main/docs/examples/customization/custom-errors/custom-default-backend-error_pages.configMap.yaml) to your deployment, otherwise continue with [Customized default backend](#customized-default-backend) manual deployment.
+
 ## Customized default backend
 
 First, create the custom `default-backend`. It will be used by the Ingress controller later on.  
diff --git a/docs/examples/customization/custom-errors/custom-default-backend-error_pages.configMap.yaml b/docs/examples/customization/custom-errors/custom-default-backend-error_pages.configMap.yaml
new file mode 100644
index 000000000..86b1c44e8
--- /dev/null
+++ b/docs/examples/customization/custom-errors/custom-default-backend-error_pages.configMap.yaml
@@ -0,0 +1,19 @@
+# Custom error page configMap
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: custom_error_pages
+data:
+  404: |
+    <!DOCTYPE html>
+    <html>
+      <head><title>PAGE NOT FOUND</title></head>
+      <body>PAGE NOT FOUND</body>
+    </html>
+  503: |
+    <!DOCTYPE html>
+    <html>
+      <head><title>CUSTOM SERVICE UNAVAILABLE</title></head>
+      <body>CUSTOM SERVICE UNAVAILABLE</body>
+    </html>
diff --git a/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml b/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml
new file mode 100644
index 000000000..ce42bb9b5
--- /dev/null
+++ b/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml
@@ -0,0 +1,20 @@
+controller:
+  custom-http-errors: "404,503"
+defaultBackend:
+  enabled: true
+  image:
+    registry: k8s.gcr.io
+    image: ingress-nginx/nginx-errors
+    tag: "0.48.1"
+  extraVolumes:
+  - name: custom_error_pages
+    configMap:
+      name: custom_error_pages
+      items:
+      - key: "404"
+        path: "404.html"
+      - key: "503"
+        path: "503.html"
+  extraVolumeMounts:
+  - name: custom_error_pages
+    mountPath: /www
diff --git a/docs/examples/customization/custom-errors/custom-default-backend.yaml b/docs/examples/customization/custom-errors/custom-default-backend.yaml
index 579e48544..4b40d36e7 100644
--- a/docs/examples/customization/custom-errors/custom-default-backend.yaml
+++ b/docs/examples/customization/custom-errors/custom-default-backend.yaml
@@ -44,3 +44,19 @@ spec:
         # env:
         # - name: DEBUG
         #   value: "true"
+
+        # Mounting custom error page from configMap
+        # volumeMounts:
+        # - name: custom_error_pages
+        #   mountPath: /www
+
+      # Mounting custom error page from configMap
+      # volumes:
+      # - name: custom_error_pages
+      #   configMap:
+      #     name: custom_error_pages
+      #     items:
+      #     - key: "404"
+      #       path: "404.html"
+      #     - key: "503"
+      #       path: "503.html"

From fc38b9f2aa2d68ee00c417cf97e727b77a00c175 Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Wed, 12 Jan 2022 22:18:37 +0530
Subject: [PATCH 283/376] changes for release v1.1.1 (#8125)

---
 Changelog.md                                  | 46 +++++++++++
 README.md                                     | 34 ++++----
 RELEASE.md                                    | 66 ++++++++++++---
 charts/ingress-nginx/CHANGELOG.md             | 38 +++++++++
 charts/ingress-nginx/Chart.yaml               | 40 ++++++++-
 charts/ingress-nginx/README.md                | 14 ++--
 charts/ingress-nginx/values.yaml              |  8 +-
 .../provider/aws/deploy-tls-termination.yaml  | 82 +++++++++----------
 deploy/static/provider/aws/deploy.yaml        | 82 +++++++++----------
 deploy/static/provider/baremetal/deploy.yaml  | 82 +++++++++----------
 deploy/static/provider/cloud/deploy.yaml      | 82 +++++++++----------
 deploy/static/provider/do/deploy.yaml         | 82 +++++++++----------
 deploy/static/provider/exoscale/deploy.yaml   | 82 +++++++++----------
 deploy/static/provider/kind/deploy.yaml       | 82 +++++++++----------
 deploy/static/provider/scw/deploy.yaml        | 82 +++++++++----------
 docs/deploy/index.md                          | 20 ++---
 16 files changed, 545 insertions(+), 377 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index e755ea2c2..ccc60e746 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,51 @@
 # Changelog
 
+### 1.1.1
+
+**Image:** 
+- k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+
+This release contains several fixes and improvements. This image is now built using Go v1.17.6 and gRPC v1.43.0. See detailed list below.
+
+_Changes:_
+
+- [8120](https://github.com/kubernetes/ingress-nginx/pull/8120)    Update go in runner and release v1.1.1
+- [8119](https://github.com/kubernetes/ingress-nginx/pull/8119)    Update to go v1.17.6
+- [8118](https://github.com/kubernetes/ingress-nginx/pull/8118)    Remove deprecated libraries, update other libs
+- [8117](https://github.com/kubernetes/ingress-nginx/pull/8117)    Fix codegen errors
+- [8115](https://github.com/kubernetes/ingress-nginx/pull/8115)    chart/ghaction: set the correct permission to have access to push a release
+- [8098](https://github.com/kubernetes/ingress-nginx/pull/8098)    generating SHA for CA only certs in backend_ssl.go + comparision of P…
+- [8088](https://github.com/kubernetes/ingress-nginx/pull/8088)    Fix Edit this page link to use main branch
+- [8072](https://github.com/kubernetes/ingress-nginx/pull/8072)    Expose GeoIP2 Continent code as variable
+- [8061](https://github.com/kubernetes/ingress-nginx/pull/8061)    docs(charts): using helm-docs for chart
+- [8058](https://github.com/kubernetes/ingress-nginx/pull/8058)    Bump github.com/spf13/cobra from 1.2.1 to 1.3.0
+- [8054](https://github.com/kubernetes/ingress-nginx/pull/8054)    Bump google.golang.org/grpc from 1.41.0 to 1.43.0
+- [8051](https://github.com/kubernetes/ingress-nginx/pull/8051)    align bug report with feature request regarding kind documentation
+- [8046](https://github.com/kubernetes/ingress-nginx/pull/8046)    Report expired certificates (#8045)
+- [8044](https://github.com/kubernetes/ingress-nginx/pull/8044)    remove G109 check till gosec resolves issues
+- [8042](https://github.com/kubernetes/ingress-nginx/pull/8042)    docs_multiple_instances_one_cluster_ticket_7543
+- [8041](https://github.com/kubernetes/ingress-nginx/pull/8041)    docs: fix typo'd executible name
+- [8035](https://github.com/kubernetes/ingress-nginx/pull/8035)    Comment busy owners
+- [8029](https://github.com/kubernetes/ingress-nginx/pull/8029)    Add stream-snippet as a ConfigMap and Annotation option
+- [8023](https://github.com/kubernetes/ingress-nginx/pull/8023)    fix nginx compilation flags
+- [8021](https://github.com/kubernetes/ingress-nginx/pull/8021)    Disable default modsecurity_rules_file if modsecurity-snippet is specified
+- [8019](https://github.com/kubernetes/ingress-nginx/pull/8019)    Revise main documentation page
+- [8018](https://github.com/kubernetes/ingress-nginx/pull/8018)    Preserve order of plugin invocation
+- [8015](https://github.com/kubernetes/ingress-nginx/pull/8015)    Add newline indenting to admission webhook annotations
+- [8014](https://github.com/kubernetes/ingress-nginx/pull/8014)    Add link to example error page manifest in docs
+- [8009](https://github.com/kubernetes/ingress-nginx/pull/8009)    Fix spelling in documentation and top-level files
+- [8008](https://github.com/kubernetes/ingress-nginx/pull/8008)    Add relabelings in controller-servicemonitor.yaml
+- [8003](https://github.com/kubernetes/ingress-nginx/pull/8003)    Minor improvements (formatting, consistency) in install guide
+- [8001](https://github.com/kubernetes/ingress-nginx/pull/8001)    fix: go-grpc Dockerfile
+- [7999](https://github.com/kubernetes/ingress-nginx/pull/7999)    images: use k8s-staging-test-infra/gcb-docker-gcloud
+- [7996](https://github.com/kubernetes/ingress-nginx/pull/7996)    doc: improvement
+- [7983](https://github.com/kubernetes/ingress-nginx/pull/7983)    Fix a couple of misspellings in the annotations documentation.
+- [7979](https://github.com/kubernetes/ingress-nginx/pull/7979)    allow set annotations for admission Jobs
+- [7977](https://github.com/kubernetes/ingress-nginx/pull/7977)    Add ssl_reject_handshake to defaul server
+- [7975](https://github.com/kubernetes/ingress-nginx/pull/7975)    add legacy version update v0.50.0 to main changelog
+- [7972](https://github.com/kubernetes/ingress-nginx/pull/7972)    updated service upstream definition
+- [7963](https://github.com/kubernetes/ingress-nginx/pull/7963)    Change sanitization message from error to warning
+
 ### 1.1.0
 
 **Image:**
diff --git a/README.md b/README.md
index 8f4109a00..6c604ddba 100644
--- a/README.md
+++ b/README.md
@@ -28,22 +28,24 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 
 ### Support Versions table 
 
-| Ingress-nginx version | k8s supported version  | Alpine Version | Nginx Version |
-|-----------------------|-------------           |----------------|---------------|
-| v1.1.0                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
-| v1.0.5                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
-| v1.0.4                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
-| v1.0.3                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
-| v1.0.2                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
-| v1.0.1                | 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
-| v1.0.0                | 1.22, 1.21, 1.20, 1.19 | 3.13.5         |  1.20.1       |
-| v0.49.3               | 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
-| v0.49.2               | 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
-| v0.49.1               | 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
-| v0.49.0               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
-| v0.48.1               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
-| v0.47.0               | 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
-| v0.46.0               | 1.21, 1.20, 1.19       | 3.13.2         |  1.19.6       |
+| Ingress-nginx version | k8s supported version        | Alpine Version | Nginx Version |
+|-----------------------|------------------------------|----------------|---------------|
+| v1.1.1                | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
+| v1.1.0                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
+| v1.0.5                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
+| v1.0.4                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
+| v1.0.3                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
+| v1.0.2                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
+| v1.0.1                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
+| v1.0.0                | 1.22, 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
+| v0.50.0               | 1.21, 1.20, 1.19             | 3.14.2         |  1.19.9†      |
+| v0.49.3               | 1.21, 1.20, 1.19             | 3.14.2         |  1.19.9†      |
+| v0.49.2               | 1.21, 1.20, 1.19             | 3.14.2         |  1.19.9†      |
+| v0.49.1               | 1.21, 1.20, 1.19             | 3.14.2         |  1.19.9†      |
+| v0.49.0               | 1.21, 1.20, 1.19             | 3.13.5         |  1.20.1       |
+| v0.48.1               | 1.21, 1.20, 1.19             | 3.13.5         |  1.20.1       |
+| v0.47.0               | 1.21, 1.20, 1.19             | 3.13.5         |  1.20.1       |
+| v0.46.0               | 1.21, 1.20, 1.19             | 3.13.2         |  1.19.6       |
 
 † _This build is [patched against CVE-2021-23017](https://github.com/openresty/openresty/commit/4b5ec7edd78616f544abc194308e0cf4b788725b#diff-42ef841dc27fe0b5aa2d06bd31308bb63a59cdcddcbcddd917248349d22020a3)._
 
diff --git a/RELEASE.md b/RELEASE.md
index 32c64d0dd..10f765929 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -167,14 +167,23 @@ Promoting the images basically means that images, that were pushed to staging co
     - annotations
       - artifacthub.io/prerelease: "true" 
       - artifacthub.io/changes: |
-        - Add the titles of the PRs merged after previous release
+        - Add the titles of the PRs merged after previous release here. I used the github-cli to get that list like so `gh pr list -s merged -L 38 -B main | cut -f1,2`
 
-### d. Edit the values.yaml
+### d. Edit the values.yaml and run helm-docs
   - [Fields to edit in values.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml)
 
     - tag
     - digest
 
+  - [helm-docs](https://github.com/norwoodj/helm-docs) is a tool that generates the README.md for a helm-chart automatically. In the CI pipeline workflow of github actions (/.github/workflows/ci.yaml), you can see how helm-docs is used. But the CI pipeline is not designed to make commits back into the project. So we need to run helm-docs manually, and check in the resulting autogenerated README.md at the path /charts/ingress-nginx/README.md 
+    ```
+          GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.6.0
+          ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts
+          git diff --exit-code
+          rm -f ./helm-docs
+    ```
+    Watchout for mistakes like leaving the helm-docs executable in your clone workspace or not not checking the new README.md manually etc.
+
 ### e. Edit the static manifests
 
   - Prepare to use a script to update the edit the static manifests and set the "image", "digest", "version" etc. fields to the desired value.
@@ -207,22 +216,57 @@ Promoting the images basically means that images, that were pushed to staging co
       data:
         http-snippet:|
           server{
-          listen 2443;
-          return 308 https://$host$request_uri;
+            listen 2443;
+            return 308 https://$host$request_uri;
           }
       ```
 
 ### f. Edit the changelog
   [Changelog.md](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md) 
-    - Add the PRs merged after previous release
-    - One useful command to get this list is
-      ```
-      git log controller-v0.48.1..HEAD --pretty=%s
-      ```
+- Add the PRs merged after previous release
+- If you use the github cli https://cli.github.com/, then that is one useful command to get this list of PRs
+- One way of using gh cli and getting the list of PRs for changelog is described below
+  - Install and configure github cli as per the docs of gh-cli
+  - Change dir to your clone, of your fork, of the ingress-nginx project
+  - Run the below command and save the output to a txt file
+
+    ```
+    gh pr list -s merged -L 38 -B main | cut -f1,2 > ~/tmp/prlist.txt
+    ```
+    - The -L 38 was used for 2 reasons.
+      - Default number of results is 30 and there were more than 30 PRs merged while releasing v1.1.1.
+      -  The other reason to use -L 38 was to ommit the 39th, the 40th and the 41st line in the resulting list. These were non-relevant PRs.
+  - Then use some easy automation in bash/python/whathaveyou to get the PR-List that can be used in the changelog
+  - I save output of above command to a file called prlist.txt. It looks somewhat like this ;
+
+    ```
+    % cat ~/Downloads/prlist.txt 
+    8129    fix syntax in docs for multi-tls example
+    8120    Update go in runner and release v1.1.1
+    8119    Update to go v1.17.6
+    8118    Remove deprecated libraries, update other libs
+    8117    Fix codegen errors
+    8115    chart/ghaction: set the correct permission to have access to push a release 
+    ....
+    ```
+  - Then I use the bash scripty way seen below to convert those PR numbers into links. If I saved the below content in a script called prlist_to_changelog.sh, then I run the command `prlist_to_changelog.sh prlist.txt`
+
+    ```
+    #!/usr/bin/bash
+
+    file="$1"
+
+    while read -r line; do
+      pr_num=`echo "$line" | cut -f1`
+      pr_title=`echo "$line" | cut -f2`
+      echo "[$pr_num](https://github.com/kubernetes/ingress-nginx/pull/$pr_num) $pr_title"
+    done <$file
+
+    ```
 
 ### g. Edit the Documentation:
-    - Update the version in [docs/deploy/index.md](docs/deploy/index.md)
-    - Update Supported versions in the Support Versions table in the README.md 
+- Update the version in [docs/deploy/index.md](docs/deploy/index.md)
+- Update Supported versions in the Support Versions table in the README.md 
 
 ### h. Edit stable.txt
 
diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md
index 91dbb0dc7..616948228 100644
--- a/charts/ingress-nginx/CHANGELOG.md
+++ b/charts/ingress-nginx/CHANGELOG.md
@@ -2,6 +2,44 @@
 
 This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
 
+### 4.0.15
+
+- [8120] https://github.com/kubernetes/ingress-nginx/pull/8120    Update go in runner and release v1.1.1
+- [8119] https://github.com/kubernetes/ingress-nginx/pull/8119    Update to go v1.17.6
+- [8118] https://github.com/kubernetes/ingress-nginx/pull/8118    Remove deprecated libraries, update other libs
+- [8117] https://github.com/kubernetes/ingress-nginx/pull/8117    Fix codegen errors
+- [8115] https://github.com/kubernetes/ingress-nginx/pull/8115    chart/ghaction: set the correct permission to have access to push a release
+- [8098] https://github.com/kubernetes/ingress-nginx/pull/8098    generating SHA for CA only certs in backend_ssl.go + comparision of P…
+- [8088] https://github.com/kubernetes/ingress-nginx/pull/8088    Fix Edit this page link to use main branch
+- [8072] https://github.com/kubernetes/ingress-nginx/pull/8072    Expose GeoIP2 Continent code as variable
+- [8061] https://github.com/kubernetes/ingress-nginx/pull/8061    docs(charts): using helm-docs for chart
+- [8058] https://github.com/kubernetes/ingress-nginx/pull/8058    Bump github.com/spf13/cobra from 1.2.1 to 1.3.0
+- [8054] https://github.com/kubernetes/ingress-nginx/pull/8054    Bump google.golang.org/grpc from 1.41.0 to 1.43.0
+- [8051] https://github.com/kubernetes/ingress-nginx/pull/8051    align bug report with feature request regarding kind documentation
+- [8046] https://github.com/kubernetes/ingress-nginx/pull/8046    Report expired certificates (#8045)
+- [8044] https://github.com/kubernetes/ingress-nginx/pull/8044    remove G109 check till gosec resolves issues
+- [8042] https://github.com/kubernetes/ingress-nginx/pull/8042    docs_multiple_instances_one_cluster_ticket_7543
+- [8041] https://github.com/kubernetes/ingress-nginx/pull/8041    docs: fix typo'd executible name
+- [8035] https://github.com/kubernetes/ingress-nginx/pull/8035    Comment busy owners
+- [8029] https://github.com/kubernetes/ingress-nginx/pull/8029    Add stream-snippet as a ConfigMap and Annotation option
+- [8023] https://github.com/kubernetes/ingress-nginx/pull/8023    fix nginx compilation flags
+- [8021] https://github.com/kubernetes/ingress-nginx/pull/8021    Disable default modsecurity_rules_file if modsecurity-snippet is specified
+- [8019] https://github.com/kubernetes/ingress-nginx/pull/8019    Revise main documentation page
+- [8018] https://github.com/kubernetes/ingress-nginx/pull/8018    Preserve order of plugin invocation
+- [8015] https://github.com/kubernetes/ingress-nginx/pull/8015    Add newline indenting to admission webhook annotations
+- [8014] https://github.com/kubernetes/ingress-nginx/pull/8014    Add link to example error page manifest in docs
+- [8009] https://github.com/kubernetes/ingress-nginx/pull/8009    Fix spelling in documentation and top-level files
+- [8008] https://github.com/kubernetes/ingress-nginx/pull/8008    Add relabelings in controller-servicemonitor.yaml
+- [8003] https://github.com/kubernetes/ingress-nginx/pull/8003    Minor improvements (formatting, consistency) in install guide
+- [8001] https://github.com/kubernetes/ingress-nginx/pull/8001    fix: go-grpc Dockerfile
+- [7999] https://github.com/kubernetes/ingress-nginx/pull/7999    images: use k8s-staging-test-infra/gcb-docker-gcloud
+- [7996] https://github.com/kubernetes/ingress-nginx/pull/7996    doc: improvement
+- [7983] https://github.com/kubernetes/ingress-nginx/pull/7983    Fix a couple of misspellings in the annotations documentation.
+- [7979] https://github.com/kubernetes/ingress-nginx/pull/7979    allow set annotations for admission Jobs
+- [7977] https://github.com/kubernetes/ingress-nginx/pull/7977    Add ssl_reject_handshake to defaul server
+- [7975] https://github.com/kubernetes/ingress-nginx/pull/7975    add legacy version update v0.50.0 to main changelog
+- [7972] https://github.com/kubernetes/ingress-nginx/pull/7972    updated service upstream definition
+
 ### 4.0.14
 
 - [8061] https://github.com/kubernetes/ingress-nginx/pull/8061 Using helm-docs to populate values table in README.md
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index dd01623cf..961efc061 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.0.14
-appVersion: 1.1.0
+version: 4.0.15
+appVersion: 1.1.1
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
@@ -24,4 +24,38 @@ annotations:
   # List of changes for the release in artifacthub.io
   # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog
   artifacthub.io/changes: |
-    - using helm-docs to populate values table in README.md
+    - #8120    Update go in runner and release v1.1.1
+    - #8119    Update to go v1.17.6
+    - #8118    Remove deprecated libraries, update other libs
+    - #8117    Fix codegen errors
+    - #8115    chart/ghaction: set the correct permission to have access to push a release
+    - #8098    generating SHA for CA only certs in backend_ssl.go + comparision of P…
+    - #8088    Fix Edit this page link to use main branch
+    - #8072    Expose GeoIP2 Continent code as variable
+    - #8061    docs(charts): using helm-docs for chart
+    - #8058    Bump github.com/spf13/cobra from 1.2.1 to 1.3.0
+    - #8054    Bump google.golang.org/grpc from 1.41.0 to 1.43.0
+    - #8051    align bug report with feature request regarding kind documentation
+    - #8046    Report expired certificates (#8045)
+    - #8044    remove G109 check till gosec resolves issues
+    - #8042    docs_multiple_instances_one_cluster_ticket_7543
+    - #8041    docs: fix typo'd executible name
+    - #8035    Comment busy owners
+    - #8029    Add stream-snippet as a ConfigMap and Annotation option
+    - #8023    fix nginx compilation flags
+    - #8021    Disable default modsecurity_rules_file if modsecurity-snippet is specified
+    - #8019    Revise main documentation page
+    - #8018    Preserve order of plugin invocation
+    - #8015    Add newline indenting to admission webhook annotations
+    - #8014    Add link to example error page manifest in docs
+    - #8009    Fix spelling in documentation and top-level files
+    - #8008    Add relabelings in controller-servicemonitor.yaml
+    - #8003    Minor improvements (formatting, consistency) in install guide
+    - #8001    fix: go-grpc Dockerfile
+    - #7999    images: use k8s-staging-test-infra/gcb-docker-gcloud
+    - #7996    doc: improvement
+    - #7983    Fix a couple of misspellings in the annotations documentation.
+    - #7979    allow set annotations for admission Jobs
+    - #7977    Add ssl_reject_handshake to defaul server
+    - #7975    add legacy version update v0.50.0 to main changelog
+    - #7972    updated service upstream definition
diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index 0407f7a79..32dfd36e2 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -2,7 +2,7 @@
 
 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 
-![Version: 4.0.14](https://img.shields.io/badge/Version-4.0.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.0](https://img.shields.io/badge/AppVersion-1.1.0-informational?style=flat-square)
+![Version: 4.0.15](https://img.shields.io/badge/Version-4.0.15-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.1](https://img.shields.io/badge/AppVersion-1.1.1-informational?style=flat-square)
 
 To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
 
@@ -303,17 +303,17 @@ Kubernetes: `>=1.19.0-0`
 | controller.hostPort.ports.https | int | `443` | 'hostPort' https port |
 | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
 | controller.image.allowPrivilegeEscalation | bool | `true` |  |
-| controller.image.digest | string | `"sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a"` |  |
+| controller.image.digest | string | `"sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de"` |  |
 | controller.image.image | string | `"ingress-nginx/controller"` |  |
 | controller.image.pullPolicy | string | `"IfNotPresent"` |  |
 | controller.image.registry | string | `"k8s.gcr.io"` |  |
 | controller.image.runAsUser | int | `101` |  |
-| controller.image.tag | string | `"v1.1.0"` |  |
+| controller.image.tag | string | `"v1.1.1"` |  |
 | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller) |
-| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` |  |
-| controller.ingressClassResource.default | bool | `false` |  |
-| controller.ingressClassResource.enabled | bool | `true` |  |
-| controller.ingressClassResource.name | string | `"nginx"` |  |
+| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |
+| controller.ingressClassResource.default | bool | `false` | Is this the default ingressClass for the cluster |
+| controller.ingressClassResource.enabled | bool | `true` | Is this ingressClass enabled or not |
+| controller.ingressClassResource.name | string | `"nginx"` | Name of the ingressClass |
 | controller.ingressClassResource.parameters | object | `{}` | Parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters. |
 | controller.keda.apiVersion | string | `"keda.sh/v1alpha1"` |  |
 | controller.keda.behavior | object | `{}` |  |
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index e923b3e15..93096dda1 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -15,8 +15,8 @@ controller:
     ## for backwards compatibility consider setting the full image url via the repository value below
     ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     ## repository:
-    tag: "v1.1.0"
-    digest: sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
+    tag: "v1.1.1"
+    digest: sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
     pullPolicy: IfNotPresent
     # www-data -> uid 101
     runAsUser: 101
@@ -96,9 +96,13 @@ controller:
   ## This section refers to the creation of the IngressClass resource
   ## IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19
   ingressClassResource:
+    # -- Name of the ingressClass
     name: nginx
+    # -- Is this ingressClass enabled or not
     enabled: true
+    # -- Is this the default ingressClass for the cluster
     default: false
+    # -- Controller-value of the controller that is processing this ingressClass
     controllerValue: "k8s.io/ingress-nginx"
 
     # -- Parameters is a link to a custom resource containing additional
diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml
index a3d7c7cdd..63c3b0a33 100644
--- a/deploy/static/provider/aws/deploy-tls-termination.yaml
+++ b/deploy/static/provider/aws/deploy-tls-termination.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -51,10 +51,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -119,10 +119,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -139,10 +139,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -223,10 +223,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -245,10 +245,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -276,10 +276,10 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -311,10 +311,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -337,7 +337,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
+          image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -429,10 +429,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -447,10 +447,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -487,10 +487,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -503,10 +503,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -527,10 +527,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -552,10 +552,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -577,10 +577,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -602,10 +602,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -613,10 +613,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.10
+        helm.sh/chart: ingress-nginx-4.0.15
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.0
+        app.kubernetes.io/version: 1.1.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -654,10 +654,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -665,10 +665,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.10
+        helm.sh/chart: ingress-nginx-4.0.15
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.0
+        app.kubernetes.io/version: 1.1.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml
index 2014ca51d..e4856da9f 100644
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -216,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -238,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -267,10 +267,10 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -302,10 +302,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -328,7 +328,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
+          image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -417,10 +417,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -435,10 +435,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -475,10 +475,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -491,10 +491,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -515,10 +515,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -540,10 +540,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -565,10 +565,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -590,10 +590,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -601,10 +601,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.10
+        helm.sh/chart: ingress-nginx-4.0.15
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.0
+        app.kubernetes.io/version: 1.1.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -642,10 +642,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -653,10 +653,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.10
+        helm.sh/chart: ingress-nginx-4.0.15
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.0
+        app.kubernetes.io/version: 1.1.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml
index 983e2d51b..900c34020 100644
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -216,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -238,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -264,10 +264,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -298,10 +298,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -324,7 +324,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
+          image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -412,10 +412,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -430,10 +430,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -470,10 +470,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -486,10 +486,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -510,10 +510,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -535,10 +535,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -560,10 +560,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -585,10 +585,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -596,10 +596,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.10
+        helm.sh/chart: ingress-nginx-4.0.15
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.0
+        app.kubernetes.io/version: 1.1.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -637,10 +637,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -648,10 +648,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.10
+        helm.sh/chart: ingress-nginx-4.0.15
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.0
+        app.kubernetes.io/version: 1.1.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml
index 3eef6bb59..0e0852550 100644
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -216,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -238,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -264,10 +264,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -299,10 +299,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -325,7 +325,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
+          image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -414,10 +414,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -432,10 +432,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -472,10 +472,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -488,10 +488,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -512,10 +512,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -537,10 +537,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -562,10 +562,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -587,10 +587,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -598,10 +598,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.10
+        helm.sh/chart: ingress-nginx-4.0.15
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.0
+        app.kubernetes.io/version: 1.1.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -639,10 +639,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -650,10 +650,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.10
+        helm.sh/chart: ingress-nginx-4.0.15
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.0
+        app.kubernetes.io/version: 1.1.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml
index 094ace53e..d72cac794 100644
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -45,10 +45,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -113,10 +113,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -133,10 +133,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -217,10 +217,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -239,10 +239,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -266,10 +266,10 @@ metadata:
   annotations:
     service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -301,10 +301,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -327,7 +327,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
+          image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -416,10 +416,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -434,10 +434,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -475,10 +475,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -491,10 +491,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -515,10 +515,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -540,10 +540,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -565,10 +565,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -590,10 +590,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -601,10 +601,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.10
+        helm.sh/chart: ingress-nginx-4.0.15
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.0
+        app.kubernetes.io/version: 1.1.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -642,10 +642,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -653,10 +653,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.10
+        helm.sh/chart: ingress-nginx-4.0.15
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.0
+        app.kubernetes.io/version: 1.1.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml
index b599f414f..784993a92 100644
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -216,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -238,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -273,10 +273,10 @@ metadata:
     service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-uri: /
     service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -308,10 +308,10 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -334,7 +334,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
+          image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -423,10 +423,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -441,10 +441,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -481,10 +481,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -497,10 +497,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -521,10 +521,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -546,10 +546,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -571,10 +571,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -596,10 +596,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -607,10 +607,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.10
+        helm.sh/chart: ingress-nginx-4.0.15
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.0
+        app.kubernetes.io/version: 1.1.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -648,10 +648,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -659,10 +659,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.10
+        helm.sh/chart: ingress-nginx-4.0.15
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.0
+        app.kubernetes.io/version: 1.1.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index a8cd76371..c87aa857e 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -44,10 +44,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -112,10 +112,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -132,10 +132,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -216,10 +216,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -238,10 +238,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -264,10 +264,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -298,10 +298,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -328,7 +328,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
+          image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -425,10 +425,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -443,10 +443,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -483,10 +483,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -499,10 +499,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -523,10 +523,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -548,10 +548,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -573,10 +573,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -598,10 +598,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -609,10 +609,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.10
+        helm.sh/chart: ingress-nginx-4.0.15
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.0
+        app.kubernetes.io/version: 1.1.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -650,10 +650,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -661,10 +661,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.10
+        helm.sh/chart: ingress-nginx-4.0.15
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.0
+        app.kubernetes.io/version: 1.1.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml
index 9ebc76cfd..a97984338 100644
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@@ -13,10 +13,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -28,10 +28,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -45,10 +45,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 rules:
@@ -113,10 +113,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
 roleRef:
@@ -133,10 +133,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -217,10 +217,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx
@@ -239,10 +239,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller-admission
@@ -266,10 +266,10 @@ metadata:
   annotations:
     service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: 'true'
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -301,10 +301,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: ingress-nginx-controller
@@ -327,7 +327,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a
+          image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
           imagePullPolicy: IfNotPresent
           lifecycle:
             preStop:
@@ -416,10 +416,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx
@@ -434,10 +434,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
   name: ingress-nginx-admission
@@ -474,10 +474,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 ---
@@ -490,10 +490,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -514,10 +514,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -539,10 +539,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 rules:
@@ -564,10 +564,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 roleRef:
@@ -589,10 +589,10 @@ metadata:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -600,10 +600,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.10
+        helm.sh/chart: ingress-nginx-4.0.15
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.0
+        app.kubernetes.io/version: 1.1.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
@@ -641,10 +641,10 @@ metadata:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.10
+    helm.sh/chart: ingress-nginx-4.0.15
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
 spec:
@@ -652,10 +652,10 @@ spec:
     metadata:
       name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.10
+        helm.sh/chart: ingress-nginx-4.0.15
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.0
+        app.kubernetes.io/version: 1.1.1
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
     spec:
diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index af29ef767..51bc4be50 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -49,7 +49,7 @@ It will install the controller in the `ingress-nginx` namespace, creating that n
 **If you don't have Helm** or if you prefer to use a YAML manifest, you can run the following command instead:
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/cloud/deploy.yaml
 ```
 
 !!! info
@@ -181,16 +181,16 @@ In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controll
 ##### Network Load Balancer (NLB)
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/aws/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/aws/deploy.yaml
 ```
 
 ##### TLS termination in AWS Load Balancer (NLB)
 
 By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS with using an NLB.
 
-1. Download the the [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/aws/deploy-tls-termination.yaml) template:
+1. Download the the [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/aws/deploy-tls-termination.yaml) template:
    ```console
-   wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/aws/deploy-tls-termination.yaml
+   wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/aws/deploy-tls-termination.yaml
    ```
 
 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster:
@@ -232,7 +232,7 @@ Then, the ingress controller can be installed like this:
 
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/cloud/deploy.yaml
 ```
 
 !!! warning
@@ -246,7 +246,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 #### Azure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/cloud/deploy.yaml
 ```
 
 More information with regards to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller).
@@ -254,13 +254,13 @@ More information with regards to Azure annotations for ingress controller can be
 #### Digital Ocean
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/do/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/do/deploy.yaml
 ```
 
 #### Scaleway
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/scw/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/scw/deploy.yaml
 ```
 
 #### Exoscale
@@ -274,7 +274,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale
 #### Oracle Cloud Infrastructure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/cloud/deploy.yaml
 ```
 
 A [complete list of available annotations for Oracle Cloud Infrastructure](https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md) can be found in the [OCI Cloud Controller Manager](https://github.com/oracle/oci-cloud-controller-manager) documentation.
@@ -286,7 +286,7 @@ This section is applicable to Kubernetes clusters deployed on bare metal servers
 For quick testing, you can use a [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport). This should work on almost every cluster, but it will typically use a port in the range 30000-32767.
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/baremetal/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/baremetal/deploy.yaml
 ```
 
 For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), see [bare-metal considerations](./baremetal.md).

From 5552fdf814f8ee16b534c354d3e710fafd4cb53b Mon Sep 17 00:00:00 2001
From: Tiago Ferreira <tacf@users.noreply.github.com>
Date: Wed, 12 Jan 2022 19:08:14 +0000
Subject: [PATCH 284/376] Fix api version for ingress objects on K8s version
 <1.19 (#8112)

---
 docs/user-guide/basic-usage.md | 20 +++++++-------------
 1 file changed, 7 insertions(+), 13 deletions(-)

diff --git a/docs/user-guide/basic-usage.md b/docs/user-guide/basic-usage.md
index cbb7004c7..089c08b3e 100644
--- a/docs/user-guide/basic-usage.md
+++ b/docs/user-guide/basic-usage.md
@@ -9,7 +9,7 @@ Let's say that you want to expose the first at `myServiceA.foo.org` and the seco
 If cluster version < 1.19 you can create two **ingress** resources like this:
 
 ```
-apiVersion: networking.k8s.io/v1
+apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
   name: ingress-myservicea
@@ -20,14 +20,11 @@ spec:
     http:
       paths:
       - path: /
-        pathType: Prefix
         backend:
-          service:
-            name: myservicea
-            port:
-              number: 80
+          serviceName: myservicea
+          servicePort: 80
 ---
-apiVersion: networking.k8s.io/v1
+apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
   name: ingress-myserviceb
@@ -40,15 +37,12 @@ spec:
     http:
       paths:
       - path: /
-        pathType: Prefix
         backend:
-          service:
-            name: myserviceb
-            port:
-              number: 80
+          serviceName: myserviceb
+          servicePort: 80
 ```
 
-If cluster version >= 1.19 the Ingress resource above will not work, instead of annotations you should use the new `ingressClassName: nginx` property.
+If the cluster uses Kubernetes version >= 1.19.x, then its suggested to create 2 ingress resources, using yaml examples shown below. These examples are in conformity with the `networking.kubernetes.io/v1` api.
 
 ```
 apiVersion: networking.k8s.io/v1

From 5f7656f4ccb24dc29ed24941ebddaeab802d7285 Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Thu, 13 Jan 2022 21:22:30 +0530
Subject: [PATCH 285/376] updating releasemd (#8135)

---
 RELEASE.md | 99 +++++++++++++++++++++++++++++++-----------------------
 1 file changed, 57 insertions(+), 42 deletions(-)

diff --git a/RELEASE.md b/RELEASE.md
index 10f765929..4396c20fc 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -167,7 +167,49 @@ Promoting the images basically means that images, that were pushed to staging co
     - annotations
       - artifacthub.io/prerelease: "true" 
       - artifacthub.io/changes: |
-        - Add the titles of the PRs merged after previous release here. I used the github-cli to get that list like so `gh pr list -s merged -L 38 -B main | cut -f1,2`
+        - Replace this line and other lines under this annotation with the Changelog. One process to generate the Changelog is described below
+          - Install and configure github cli as per the docs of gh-cli  https://cli.github.com/,
+          - Change dir to your clone, of your fork, of the ingress-nginx project
+          - Run the below command and save the output to a txt file
+
+            ```
+            gh pr list -s merged -L 38 -B main | cut -f1,2 > ~/tmp/prlist.txt
+            ```
+            - The -L 38 was used for 2 reasons.
+              - Default number of results is 30 and there were more than 30 PRs merged while releasing v1.1.1.
+              -  The other reason to use -L 38 was to ommit the 39th, the 40th and the 41st line in the resulting list. These were non-relevant PRs.
+            - If you save the output of above command to a file called prlist.txt. It looks somewhat like this ;
+
+              ```
+              % cat ~/Downloads/prlist.txt 
+              8129    fix syntax in docs for multi-tls example
+              8120    Update go in runner and release v1.1.1
+              8119    Update to go v1.17.6
+              8118    Remove deprecated libraries, update other libs
+              8117    Fix codegen errors
+              8115    chart/ghaction: set the correct permission to have access to push a release 
+              ....
+              ```
+              You can delete the lines, that refer to PRs of the release process itself. We only need to list the feature/bugfix PRs.
+          - Now you use some easy automation in bash/python/other, to get the PR-List that can be used in the changelog. For example, its possible to use a bash scripty way, seen below, to convert those plaintext PR numbers into clickable links. 
+
+            ```
+            #!/usr/bin/bash
+
+            file="$1"
+
+            while read -r line; do
+              pr_num=`echo "$line" | cut -f1`
+              pr_title=`echo "$line" | cut -f2`
+              echo "[$pr_num](https://github.com/kubernetes/ingress-nginx/pull/$pr_num) $pr_title"
+            done <$file
+
+            ```
+          - If you saved the bash script content above, in a file called `prlist_to_changelog.sh`, then you could execute a command like this to get your prlist in a text file called changelog_content.txt;`
+
+          ```
+          prlist_to_changelog.sh prlist.txt > changelog_content.txt`
+          ```
 
 ### d. Edit the values.yaml and run helm-docs
   - [Fields to edit in values.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml)
@@ -182,7 +224,7 @@ Promoting the images basically means that images, that were pushed to staging co
           git diff --exit-code
           rm -f ./helm-docs
     ```
-    Watchout for mistakes like leaving the helm-docs executable in your clone workspace or not not checking the new README.md manually etc.
+    Watchout for mistakes like leaving the helm-docs executable in your clone workspace or not checking the new README.md manually etc.
 
 ### e. Edit the static manifests
 
@@ -223,46 +265,16 @@ Promoting the images basically means that images, that were pushed to staging co
 
 ### f. Edit the changelog
   [Changelog.md](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md) 
-- Add the PRs merged after previous release
-- If you use the github cli https://cli.github.com/, then that is one useful command to get this list of PRs
-- One way of using gh cli and getting the list of PRs for changelog is described below
-  - Install and configure github cli as per the docs of gh-cli
-  - Change dir to your clone, of your fork, of the ingress-nginx project
-  - Run the below command and save the output to a txt file
-
-    ```
-    gh pr list -s merged -L 38 -B main | cut -f1,2 > ~/tmp/prlist.txt
-    ```
-    - The -L 38 was used for 2 reasons.
-      - Default number of results is 30 and there were more than 30 PRs merged while releasing v1.1.1.
-      -  The other reason to use -L 38 was to ommit the 39th, the 40th and the 41st line in the resulting list. These were non-relevant PRs.
-  - Then use some easy automation in bash/python/whathaveyou to get the PR-List that can be used in the changelog
-  - I save output of above command to a file called prlist.txt. It looks somewhat like this ;
-
-    ```
-    % cat ~/Downloads/prlist.txt 
-    8129    fix syntax in docs for multi-tls example
-    8120    Update go in runner and release v1.1.1
-    8119    Update to go v1.17.6
-    8118    Remove deprecated libraries, update other libs
-    8117    Fix codegen errors
-    8115    chart/ghaction: set the correct permission to have access to push a release 
-    ....
-    ```
-  - Then I use the bash scripty way seen below to convert those PR numbers into links. If I saved the below content in a script called prlist_to_changelog.sh, then I run the command `prlist_to_changelog.sh prlist.txt`
-
-    ```
-    #!/usr/bin/bash
-
-    file="$1"
-
-    while read -r line; do
-      pr_num=`echo "$line" | cut -f1`
-      pr_title=`echo "$line" | cut -f2`
-      echo "[$pr_num](https://github.com/kubernetes/ingress-nginx/pull/$pr_num) $pr_title"
-    done <$file
-
-    ```
+- Each time a release is made, a new section is added to the Changelog.md file
+- A new section in the Changelog.md file consists of 3 components listed below
+  - the "Image"
+  - the "Description"
+  - the "PRs list"
+- Look at the previous content to understand what the 3 components look like.
+- You can easily get the "Image" from a yaml manifest but be sure to look at a manifest in your git clone now and not the upstream on github. This is because, if you are following this documentation, then you generated manifests with new updated digest for the image, in step 4e above. You also most likely promoted the new image in a step above. Look at the previous release section in Changelog.md. The format looks like `k8s.gcr.io/ingress-nginx/controller:.......`. One example of a yaml file to look at is /deploy/static/provider/baremetal/deploy.yaml (in your git clone branch and not on the upstream).
+- Next, you need to have a good overview of the changes introduced in this release and based on that you write a description. Look at previous descriptions. Ask the ingress-nginx-dev channel if required.
+- And then you need to add a list of the PRs merged, since the previous release.
+- One process to generate this list of PRs is already described above in step 4c. So if you are following this document, then you have done this already and very likely have retained the file containing the list of PRs, in the format that is needed.
 
 ### g. Edit the Documentation:
 - Update the version in [docs/deploy/index.md](docs/deploy/index.md)
@@ -296,3 +308,6 @@ Promoting the images basically means that images, that were pushed to staging co
 - Release to github
 
 - Edit the ghpages file as needed
+
+## TODO
+- Automate & simplify as much as possible, whenever possible, however possible

From c0098f305c05a79d2df5d58aed07138fd454fa3a Mon Sep 17 00:00:00 2001
From: serge-r <serge-r@users.noreply.github.com>
Date: Sat, 15 Jan 2022 08:27:41 +0700
Subject: [PATCH 286/376] Add ability to use custom prometheus buckets (#7171)

---
 cmd/nginx/flags.go                             | 12 ++++++++++++
 cmd/nginx/main.go                              |  2 +-
 internal/ingress/controller/controller.go      |  2 ++
 internal/ingress/metric/collectors/socket.go   | 18 +++++++++++++++---
 .../ingress/metric/collectors/socket_test.go   | 13 ++++++++++++-
 internal/ingress/metric/main.go                |  4 ++--
 6 files changed, 44 insertions(+), 7 deletions(-)

diff --git a/cmd/nginx/flags.go b/cmd/nginx/flags.go
index 72a2bfb8d..f9d6702fe 100644
--- a/cmd/nginx/flags.go
+++ b/cmd/nginx/flags.go
@@ -22,6 +22,7 @@ import (
 	"os"
 	"time"
 
+	"github.com/prometheus/client_golang/prometheus"
 	"github.com/spf13/pflag"
 	apiv1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -29,6 +30,7 @@ import (
 	"k8s.io/ingress-nginx/internal/ingress/controller"
 	ngx_config "k8s.io/ingress-nginx/internal/ingress/controller/config"
 	"k8s.io/ingress-nginx/internal/ingress/controller/ingressclass"
+	"k8s.io/ingress-nginx/internal/ingress/metric/collectors"
 	"k8s.io/ingress-nginx/internal/ingress/status"
 	ing_net "k8s.io/ingress-nginx/internal/net"
 	"k8s.io/ingress-nginx/internal/nginx"
@@ -161,6 +163,9 @@ Requires the update-status parameter.`)
 			`Enables the collection of NGINX metrics`)
 		metricsPerHost = flags.Bool("metrics-per-host", true,
 			`Export metrics per-host`)
+		timeBuckets         = flags.Float64Slice("time-buckets", prometheus.DefBuckets, "Set of buckets which will be used for prometheus histogram metrics such as RequestTime, ResponseTime")
+		lengthBuckets       = flags.Float64Slice("length-buckets", prometheus.LinearBuckets(10, 10, 10), "Set of buckets which will be used for prometheus histogram metrics such as RequestLength, ResponseLength")
+		sizeBuckets         = flags.Float64Slice("size-buckets", prometheus.ExponentialBuckets(10, 10, 7), "Set of buckets which will be used for prometheus histogram metrics such as BytesSent")
 		monitorMaxBatchSize = flags.Int("monitor-max-batch-size", 10000, "Max batch size of NGINX metrics")
 
 		httpPort  = flags.Int("http-port", 80, `Port to use for servicing HTTP traffic.`)
@@ -283,6 +288,12 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g
 		}
 	}
 
+	var histogramBuckets = &collectors.HistogramBuckets{
+		TimeBuckets:   *timeBuckets,
+		LengthBuckets: *lengthBuckets,
+		SizeBuckets:   *sizeBuckets,
+	}
+
 	ngx_config.EnableSSLChainCompletion = *enableSSLChainCompletion
 
 	config := &controller.Configuration{
@@ -293,6 +304,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g
 		EnableProfiling:            *profiling,
 		EnableMetrics:              *enableMetrics,
 		MetricsPerHost:             *metricsPerHost,
+		MetricsBuckets:             histogramBuckets,
 		MonitorMaxBatchSize:        *monitorMaxBatchSize,
 		DisableServiceExternalName: *disableServiceExternalName,
 		EnableSSLPassthrough:       *enableSSLPassthrough,
diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go
index fb87ad84a..cbfca547c 100644
--- a/cmd/nginx/main.go
+++ b/cmd/nginx/main.go
@@ -133,7 +133,7 @@ func main() {
 
 	mc := metric.NewDummyCollector()
 	if conf.EnableMetrics {
-		mc, err = metric.NewCollector(conf.MetricsPerHost, reg, conf.IngressClassConfiguration.Controller)
+		mc, err = metric.NewCollector(conf.MetricsPerHost, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets)
 		if err != nil {
 			klog.Fatalf("Error creating prometheus collector:  %v", err)
 		}
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 7c200bd8f..a4ae4217c 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -41,6 +41,7 @@ import (
 	"k8s.io/ingress-nginx/internal/ingress/controller/ingressclass"
 	"k8s.io/ingress-nginx/internal/ingress/controller/store"
 	"k8s.io/ingress-nginx/internal/ingress/errors"
+	"k8s.io/ingress-nginx/internal/ingress/metric/collectors"
 	"k8s.io/ingress-nginx/internal/k8s"
 	"k8s.io/ingress-nginx/internal/nginx"
 	"k8s.io/klog/v2"
@@ -97,6 +98,7 @@ type Configuration struct {
 
 	EnableMetrics  bool
 	MetricsPerHost bool
+	MetricsBuckets *collectors.HistogramBuckets
 
 	FakeCertificate *ingress.SSLCert
 
diff --git a/internal/ingress/metric/collectors/socket.go b/internal/ingress/metric/collectors/socket.go
index 8fec7dded..a220d1456 100644
--- a/internal/ingress/metric/collectors/socket.go
+++ b/internal/ingress/metric/collectors/socket.go
@@ -56,6 +56,13 @@ type socketData struct {
 	Path      string `json:"path"`
 }
 
+// HistogramBuckets allow customizing prometheus histogram buckets values
+type HistogramBuckets struct {
+	TimeBuckets   []float64
+	LengthBuckets []float64
+	SizeBuckets   []float64
+}
+
 // SocketCollector stores prometheus metrics and ingress meta-data
 type SocketCollector struct {
 	prometheus.Collector
@@ -79,6 +86,8 @@ type SocketCollector struct {
 	hosts sets.String
 
 	metricsPerHost bool
+
+	buckets HistogramBuckets
 }
 
 var (
@@ -101,7 +110,7 @@ var defObjectives = map[float64]float64{0.5: 0.05, 0.9: 0.01, 0.99: 0.001}
 
 // NewSocketCollector creates a new SocketCollector instance using
 // the ingress watch namespace and class used by the controller
-func NewSocketCollector(pod, namespace, class string, metricsPerHost bool) (*SocketCollector, error) {
+func NewSocketCollector(pod, namespace, class string, metricsPerHost bool, buckets HistogramBuckets) (*SocketCollector, error) {
 	socket := "/tmp/prometheus-nginx.socket"
 	// unix sockets must be unlink()ed before being used
 	_ = syscall.Unlink(socket)
@@ -138,6 +147,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost bool) (*Soc
 				Help:        "The time spent on receiving the response from the upstream server",
 				Namespace:   PrometheusNamespace,
 				ConstLabels: constLabels,
+				Buckets:     buckets.TimeBuckets,
 			},
 			requestTags,
 		),
@@ -147,6 +157,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost bool) (*Soc
 				Help:        "The response length (including request line, header, and request body)",
 				Namespace:   PrometheusNamespace,
 				ConstLabels: constLabels,
+				Buckets:     buckets.LengthBuckets,
 			},
 			requestTags,
 		),
@@ -157,6 +168,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost bool) (*Soc
 				Help:        "The request processing time in milliseconds",
 				Namespace:   PrometheusNamespace,
 				ConstLabels: constLabels,
+				Buckets:     buckets.TimeBuckets,
 			},
 			requestTags,
 		),
@@ -165,7 +177,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost bool) (*Soc
 				Name:        "request_size",
 				Help:        "The request length (including request line, header, and request body)",
 				Namespace:   PrometheusNamespace,
-				Buckets:     prometheus.LinearBuckets(10, 10, 10), // 10 buckets, each 10 bytes wide.
+				Buckets:     buckets.LengthBuckets,
 				ConstLabels: constLabels,
 			},
 			requestTags,
@@ -186,7 +198,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost bool) (*Soc
 				Name:        "bytes_sent",
 				Help:        "The number of bytes sent to a client",
 				Namespace:   PrometheusNamespace,
-				Buckets:     prometheus.ExponentialBuckets(10, 10, 7), // 7 buckets, exponential factor of 10.
+				Buckets:     buckets.SizeBuckets,
 				ConstLabels: constLabels,
 			},
 			requestTags,
diff --git a/internal/ingress/metric/collectors/socket_test.go b/internal/ingress/metric/collectors/socket_test.go
index 6ab972f58..3b124efa0 100644
--- a/internal/ingress/metric/collectors/socket_test.go
+++ b/internal/ingress/metric/collectors/socket_test.go
@@ -68,6 +68,17 @@ func TestNewUDPLogListener(t *testing.T) {
 }
 
 func TestCollector(t *testing.T) {
+
+	buckets := struct {
+		TimeBuckets   []float64
+		LengthBuckets []float64
+		SizeBuckets   []float64
+	}{
+		prometheus.DefBuckets,
+		prometheus.LinearBuckets(10, 10, 10),
+		prometheus.ExponentialBuckets(10, 10, 7),
+	}
+
 	cases := []struct {
 		name            string
 		data            []string
@@ -338,7 +349,7 @@ func TestCollector(t *testing.T) {
 		t.Run(c.name, func(t *testing.T) {
 			registry := prometheus.NewPedanticRegistry()
 
-			sc, err := NewSocketCollector("pod", "default", "ingress", true)
+			sc, err := NewSocketCollector("pod", "default", "ingress", true, buckets)
 			if err != nil {
 				t.Errorf("%v: unexpected error creating new SocketCollector: %v", c.name, err)
 			}
diff --git a/internal/ingress/metric/main.go b/internal/ingress/metric/main.go
index 0cc07fe28..644a9b690 100644
--- a/internal/ingress/metric/main.go
+++ b/internal/ingress/metric/main.go
@@ -68,7 +68,7 @@ type collector struct {
 }
 
 // NewCollector creates a new metric collector the for ingress controller
-func NewCollector(metricsPerHost bool, registry *prometheus.Registry, ingressclass string) (Collector, error) {
+func NewCollector(metricsPerHost bool, registry *prometheus.Registry, ingressclass string, buckets collectors.HistogramBuckets) (Collector, error) {
 	podNamespace := os.Getenv("POD_NAMESPACE")
 	if podNamespace == "" {
 		podNamespace = "default"
@@ -86,7 +86,7 @@ func NewCollector(metricsPerHost bool, registry *prometheus.Registry, ingresscla
 		return nil, err
 	}
 
-	s, err := collectors.NewSocketCollector(podName, podNamespace, ingressclass, metricsPerHost)
+	s, err := collectors.NewSocketCollector(podName, podNamespace, ingressclass, metricsPerHost, buckets)
 	if err != nil {
 		return nil, err
 	}

From 15b0aba03b700daacf0e9a3f5154ca1b9f77ee18 Mon Sep 17 00:00:00 2001
From: Damien Mathieu <42@dmathieu.com>
Date: Sun, 16 Jan 2022 22:33:28 +0100
Subject: [PATCH 287/376] First sidecar module: OpenTelemetry (#8013)

* remove opentelemetry from main nginx image

* add opentelemetry sidecar image

* handle extra modules in helm chart

* fix running helm chart

* mount the modules volume in the init container

* merge the mounted folder

* fix the otel image

* fix licence year

* fix cloudbuild image

* use the same nginx version as in the main image

* only retrieve /etc/nginx/modules for now
---
 .../ci/daemonset-extra-modules.yaml           |  10 ++
 .../ci/deployment-extra-modules.yaml          |  10 ++
 .../templates/controller-daemonset.yaml       |  28 ++++-
 .../templates/controller-deployment.yaml      |  29 ++++-
 charts/ingress-nginx/values.yaml              |   9 ++
 images/nginx/rootfs/Dockerfile                |   2 +
 images/nginx/rootfs/build.sh                  |  45 -------
 images/nginx/rootfs/entrypoint.sh             |  27 +++++
 images/opentelemetry/Makefile                 |  57 +++++++++
 images/opentelemetry/README.md                |   5 +
 images/opentelemetry/cloudbuild.yaml          |  24 ++++
 images/opentelemetry/rootfs/Dockerfile        |  28 +++++
 images/opentelemetry/rootfs/build.sh          | 111 ++++++++++++++++++
 images/opentelemetry/rootfs/init_module.sh    |  21 ++++
 14 files changed, 353 insertions(+), 53 deletions(-)
 create mode 100644 charts/ingress-nginx/ci/daemonset-extra-modules.yaml
 create mode 100644 charts/ingress-nginx/ci/deployment-extra-modules.yaml
 create mode 100644 images/nginx/rootfs/entrypoint.sh
 create mode 100644 images/opentelemetry/Makefile
 create mode 100644 images/opentelemetry/README.md
 create mode 100644 images/opentelemetry/cloudbuild.yaml
 create mode 100644 images/opentelemetry/rootfs/Dockerfile
 create mode 100755 images/opentelemetry/rootfs/build.sh
 create mode 100755 images/opentelemetry/rootfs/init_module.sh

diff --git a/charts/ingress-nginx/ci/daemonset-extra-modules.yaml b/charts/ingress-nginx/ci/daemonset-extra-modules.yaml
new file mode 100644
index 000000000..f299dbf1c
--- /dev/null
+++ b/charts/ingress-nginx/ci/daemonset-extra-modules.yaml
@@ -0,0 +1,10 @@
+controller:
+  kind: DaemonSet
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+  service:
+    type: ClusterIP
+  extraModules:
+    - name: opentelemetry
+      image: busybox
diff --git a/charts/ingress-nginx/ci/deployment-extra-modules.yaml b/charts/ingress-nginx/ci/deployment-extra-modules.yaml
new file mode 100644
index 000000000..ec5923548
--- /dev/null
+++ b/charts/ingress-nginx/ci/deployment-extra-modules.yaml
@@ -0,0 +1,10 @@
+controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
+  service:
+    type: ClusterIP
+  extraModules:
+    - name: opentelemetry
+      image: busybox
diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml
index 365a3cea7..72811fbe4 100644
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -143,8 +143,12 @@ spec:
               hostPort: {{ $key }}
               {{- end }}
           {{- end }}
-        {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled) }}
+        {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }}
           volumeMounts:
+          {{- if .Values.controller.extraModules }}
+            - name: modules
+              mountPath: /modules_mount
+          {{- end }}
           {{- if .Values.controller.customTemplate.configMapName }}
             - mountPath: /etc/nginx/template
               name: nginx-template-volume
@@ -165,8 +169,20 @@ spec:
       {{- if .Values.controller.extraContainers }}
         {{ toYaml .Values.controller.extraContainers | nindent 8 }}
       {{- end }}
-    {{- if .Values.controller.extraInitContainers }}
-      initContainers: {{ toYaml .Values.controller.extraInitContainers | nindent 8 }}
+
+
+    {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }}
+      initContainers:
+      {{- if .Values.controller.extraInitContainers }}
+        {{ toYaml .Values.controller.extraInitContainers | nindent 8 }}
+      {{- end }}
+      {{- if .Values.controller.extraModules }}
+        {{- range .Values.controller.extraModules }}
+          - name: {{ .Name }}
+            image: {{ .Image }}
+            command: ['sh', '-c', '/usr/local/bin/init_module.sh']
+        {{- end }}
+      {{- end }}
     {{- end }}
     {{- if .Values.controller.hostNetwork }}
       hostNetwork: {{ .Values.controller.hostNetwork }}
@@ -185,8 +201,12 @@ spec:
     {{- end }}
       serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
       terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
-    {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes) }}
+    {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }}
       volumes:
+      {{- if .Values.controller.extraModules }}
+        - name: modules
+          emptyDir: {}
+      {{- end }}
       {{- if .Values.controller.customTemplate.configMapName }}
         - name: nginx-template-volume
           configMap:
diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
index 2c0641bb5..a1943cd91 100644
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -140,8 +140,12 @@ spec:
               hostPort: {{ $key }}
               {{- end }}
           {{- end }}
-        {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled) }}
+        {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }}
           volumeMounts:
+          {{- if .Values.controller.extraModules }}
+            - name: modules
+              mountPath: /modules_mount
+          {{- end }}
           {{- if .Values.controller.customTemplate.configMapName }}
             - mountPath: /etc/nginx/template
               name: nginx-template-volume
@@ -162,8 +166,21 @@ spec:
       {{- if .Values.controller.extraContainers }}
         {{ toYaml .Values.controller.extraContainers | nindent 8 }}
       {{- end }}
-    {{- if .Values.controller.extraInitContainers }}
-      initContainers: {{ toYaml .Values.controller.extraInitContainers | nindent 8 }}
+    {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }}
+      initContainers:
+      {{- if .Values.controller.extraInitContainers }}
+        {{ toYaml .Values.controller.extraInitContainers | nindent 8 }}
+      {{- end }}
+      {{- if .Values.controller.extraModules }}
+        {{- range .Values.controller.extraModules }}
+          - name: {{ .name }}
+            image: {{ .image }}
+            command: ['sh', '-c', '/usr/local/bin/init_module.sh']
+            volumeMounts:
+              - name: modules
+                mountPath: /modules_mount
+        {{- end }}
+      {{- end }}
     {{- end }}
     {{- if .Values.controller.hostNetwork }}
       hostNetwork: {{ .Values.controller.hostNetwork }}
@@ -182,8 +199,12 @@ spec:
     {{- end }}
       serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
       terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
-    {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes) }}
+    {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }}
       volumes:
+      {{- if .Values.controller.extraModules }}
+        - name: modules
+          emptyDir: {}
+      {{- end }}
       {{- if .Values.controller.customTemplate.configMapName }}
         - name: nginx-template-volume
           configMap:
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 93096dda1..a030ff2db 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -559,6 +559,15 @@ controller:
   #   image: busybox
   #   command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;']
 
+  extraModules: []
+  ## Modules, which are mounted into the core nginx image
+  # - name: opentelemetry
+  #   image: busybox
+  #
+  # The image must contain a `/usr/local/bin/init_module.sh` executable, which
+  # will be executed as initContainers, to move its config files within the
+  # mounted volume.
+
   admissionWebhooks:
     annotations: {}
     # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem".
diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile
index 4893f3c54..a9e180315 100644
--- a/images/nginx/rootfs/Dockerfile
+++ b/images/nginx/rootfs/Dockerfile
@@ -33,6 +33,7 @@ ENV LUA_CPATH="/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;"
 COPY --from=builder /usr/local /usr/local
 COPY --from=builder /opt /opt
 COPY --from=builder /etc/nginx /etc/nginx
+COPY --from=builder entrypoint.sh /usr/local/entrypoint.sh
 
 RUN apk update \
   && apk upgrade \
@@ -72,4 +73,5 @@ RUN apk update \
 
 EXPOSE 80 443
 
+ENTRYPOINT ["/usr/local/entrypoint.sh"]
 CMD ["nginx", "-g", "daemon off;"]
diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
index 1aa655523..bee2561d0 100755
--- a/images/nginx/rootfs/build.sh
+++ b/images/nginx/rootfs/build.sh
@@ -35,12 +35,6 @@ export NGINX_DIGEST_AUTH=1.0.0
 # Check for recent changes: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/compare/v0.6.4...master
 export NGINX_SUBSTITUTIONS=b8a71eacc7f986ba091282ab8b1bbbc6ae1807e0
 
-# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.0.0...main
-export OPENTELEMETRY_CPP_VERSION=1.0.0
-
-# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp-contrib/compare/c655b8...main
-export OPENTELEMETRY_CONTRIB_COMMIT=c655b849f017a5363085a4b4e6fcae8a4b7621ad
-
 # Check for recent changes: https://github.com/opentracing-contrib/nginx-opentracing/compare/v0.19.0...master
 export NGINX_OPENTRACING_VERSION=0.19.0
 
@@ -144,11 +138,6 @@ if [[ ${ARCH} == "s390x" ]]; then
   export LUA_STREAM_NGX_VERSION=0.0.7
 fi
 
-export USE_OPENTELEMETRY=true
-if [[ ${ARCH} == "s390x" ]] || [[ ${ARCH} == "armv7l" ]]; then
-  export USE_OPENTELEMETRY=false
-fi
-
 get_src()
 {
   hash="$1"
@@ -226,9 +215,6 @@ get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \
 get_src a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f \
         "https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/$NGINX_SUBSTITUTIONS.tar.gz"
 
-get_src 37b2a2abf75e865449ff1425cee96dbd74659ac0c612c84ee5f381244360cab2 \
-        "https://github.com/open-telemetry/opentelemetry-cpp-contrib/archive/$OPENTELEMETRY_CONTRIB_COMMIT.tar.gz"
-
 get_src 6f97776ebdf019b105a755c7736b70bdbd7e575c7f0d39db5fe127873c7abf17 \
         "https://github.com/opentracing-contrib/nginx-opentracing/archive/v$NGINX_OPENTRACING_VERSION.tar.gz"
 
@@ -482,32 +468,6 @@ cmake -DCMAKE_BUILD_TYPE=Release \
 make
 make install
 
-if [ $USE_OPENTELEMETRY = true ]; then
-  # build opentelemetry lib
-  apk add protobuf-dev \
-    grpc \
-    grpc-dev \
-    gtest-dev \
-    c-ares-dev
-
-  cd $BUILD_PATH
-  git clone --recursive https://github.com/open-telemetry/opentelemetry-cpp opentelemetry-cpp-$OPENTELEMETRY_CPP_VERSION
-  cd "opentelemetry-cpp-$OPENTELEMETRY_CPP_VERSION"
-  git checkout v$OPENTELEMETRY_CPP_VERSION
-  mkdir .build
-  cd .build
-
-  cmake -DCMAKE_BUILD_TYPE=Release \
-        -DBUILD_TESTING=OFF \
-        -DWITH_EXAMPLES=OFF \
-        -DCMAKE_POSITION_INDEPENDENT_CODE=ON \
-        -DWITH_OTLP=ON \
-        -DWITH_OTLP_HTTP=OFF \
-        ..
-  make
-  make install
-fi
-
 # Get Brotli source and deps
 cd "$BUILD_PATH"
 git clone --depth=1 https://github.com/google/ngx_brotli.git
@@ -675,11 +635,6 @@ WITH_MODULES=" \
   --add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module-${GEOIP2_VERSION} \
   --add-dynamic-module=$BUILD_PATH/ngx_brotli"
 
-if [ $USE_OPENTELEMETRY = true ]; then
-  WITH_MODULES+=" \
-    --add-dynamic-module=$BUILD_PATH/opentelemetry-cpp-contrib-$OPENTELEMETRY_CONTRIB_COMMIT/instrumentation/nginx"
-fi
-
 ./configure \
   --prefix=/usr/local/nginx \
   --conf-path=/etc/nginx/nginx.conf \
diff --git a/images/nginx/rootfs/entrypoint.sh b/images/nginx/rootfs/entrypoint.sh
new file mode 100644
index 000000000..9479831f1
--- /dev/null
+++ b/images/nginx/rootfs/entrypoint.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Copyright 2022 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if [ -d "/modules_mount/etc/nginx/modules" ]; then
+	for dir in /modules_mount/etc/nginx/modules/*; do
+		cp "$dir"/* "/etc/nginx/modules/$(basename "$dir")"
+	done
+fi
+
+exec "$@"
diff --git a/images/opentelemetry/Makefile b/images/opentelemetry/Makefile
new file mode 100644
index 000000000..bc5876525
--- /dev/null
+++ b/images/opentelemetry/Makefile
@@ -0,0 +1,57 @@
+# Copyright 2021 The Kubernetes Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+.DEFAULT_GOAL:=build
+
+# set default shell
+SHELL=/bin/bash -o pipefail -o errexit
+
+DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))))
+INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh
+
+# 0.0.0 shouldn't clobber any released builds
+TAG ?= 0.0
+REGISTRY ?= gcr.io/k8s-staging-ingress-nginx
+
+IMAGE = $(REGISTRY)/opentelemetry
+
+# required to enable buildx
+export DOCKER_CLI_EXPERIMENTAL=enabled
+
+# build with buildx
+PLATFORMS?=linux/amd64,linux/arm
+OUTPUT=
+PROGRESS=plain
+build: ensure-buildx
+	docker buildx build \
+		--platform=${PLATFORMS} $(OUTPUT) \
+		--progress=$(PROGRESS) \
+		--pull \
+		--tag $(IMAGE):$(TAG) rootfs
+
+# push the cross built image
+push: OUTPUT=--push
+push: build
+
+# enable buildx
+ensure-buildx:
+# this is required for cloudbuild
+ifeq ("$(wildcard $(INIT_BUILDX))","")
+	@curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash
+else
+	@exec $(INIT_BUILDX)
+endif
+	@echo "done"
+
+.PHONY: build push ensure-buildx
diff --git a/images/opentelemetry/README.md b/images/opentelemetry/README.md
new file mode 100644
index 000000000..f5c3d90de
--- /dev/null
+++ b/images/opentelemetry/README.md
@@ -0,0 +1,5 @@
+# OpenTelemetry library builder
+
+**How to use this image:**
+This image only contains the necessary files in /usr/local and /etc/nginx/opentelemetry to 
+be copied to Ingress Controller deployment when OpenTelemetry is enabled
diff --git a/images/opentelemetry/cloudbuild.yaml b/images/opentelemetry/cloudbuild.yaml
new file mode 100644
index 000000000..d507b8f1a
--- /dev/null
+++ b/images/opentelemetry/cloudbuild.yaml
@@ -0,0 +1,24 @@
+timeout: 10800s
+options:
+  substitution_option: ALLOW_LOOSE
+  # job builds a multi-arch docker image for amd64,arm,arm64 and s390x.
+  machineType: N1_HIGHCPU_32
+steps:
+  - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90
+    entrypoint: bash
+    env:
+      - DOCKER_CLI_EXPERIMENTAL=enabled
+      - TAG=$_GIT_TAG
+      - BASE_REF=$_PULL_BASE_REF
+      - REGISTRY=gcr.io/k8s-staging-ingress-nginx
+      # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx
+      # set the home to /root explicitly to if using docker buildx
+      - HOME=/root
+    args:
+    - -c
+    - |
+      gcloud auth configure-docker \
+      && make push
+substitutions:
+  _GIT_TAG: "12345"
+  _PULL_BASE_REF: "master"
diff --git a/images/opentelemetry/rootfs/Dockerfile b/images/opentelemetry/rootfs/Dockerfile
new file mode 100644
index 000000000..bef5b5562
--- /dev/null
+++ b/images/opentelemetry/rootfs/Dockerfile
@@ -0,0 +1,28 @@
+# Copyright 2021 The Kubernetes Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+FROM alpine:3.14.2 as builder
+
+COPY . /
+
+RUN apk update \
+	&& apk upgrade \
+	&& apk add -U bash \
+	&& /build.sh
+
+FROM busybox:latest 
+
+COPY --from=builder init_module.sh /usr/local/bin/init_module.sh
+COPY --from=builder /etc/nginx/modules /etc/nginx/modules
diff --git a/images/opentelemetry/rootfs/build.sh b/images/opentelemetry/rootfs/build.sh
new file mode 100755
index 000000000..60ace8bae
--- /dev/null
+++ b/images/opentelemetry/rootfs/build.sh
@@ -0,0 +1,111 @@
+#!/bin/bash
+
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+export NGINX_VERSION=1.19.9
+
+# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.0.0...main
+export OPENTELEMETRY_CPP_VERSION=1.0.0
+
+# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp-contrib/compare/f4850...main
+export OPENTELEMETRY_CONTRIB_COMMIT=f48500884b1b32efc456790bbcdc2e6cf7a8e630
+
+export BUILD_PATH=/tmp/build
+
+rm -rf \
+   /var/cache/debconf/* \
+   /var/lib/apt/lists/* \
+   /var/log/* \
+   /tmp/* \
+   /var/tmp/*
+
+
+mkdir -p /etc/nginx
+mkdir --verbose -p "$BUILD_PATH"
+cd "$BUILD_PATH"
+
+apk add \
+  curl \
+  git \
+  build-base
+
+get_src()
+{
+  hash="$1"
+  url="$2"
+  f=$(basename "$url")
+
+  echo "Downloading $url"
+
+  curl -sSL "$url" -o "$f"
+  echo "$hash  $f" | sha256sum -c - || exit 10
+  tar xzf "$f"
+  rm -rf "$f"
+}
+
+
+get_src e462e11533d5c30baa05df7652160ff5979591d291736cfa5edb9fd2edb48c49 \
+        "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz"
+
+get_src 45c52498788e47131b20a4786dbb08f4390b8cb419bd3d61c88b503cafff3324 \
+        "https://github.com/open-telemetry/opentelemetry-cpp-contrib/archive/$OPENTELEMETRY_CONTRIB_COMMIT.tar.gz"
+
+# improve compilation times
+CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1))
+
+export MAKEFLAGS=-j${CORES}
+
+apk add \
+  protobuf-dev \
+  grpc \
+  grpc-dev \
+  gtest-dev \
+  c-ares-dev \
+  pcre-dev
+
+cd $BUILD_PATH
+git clone --recursive https://github.com/open-telemetry/opentelemetry-cpp opentelemetry-cpp-$OPENTELEMETRY_CPP_VERSION
+cd "opentelemetry-cpp-$OPENTELEMETRY_CPP_VERSION"
+git checkout v$OPENTELEMETRY_CPP_VERSION
+mkdir .build
+cd .build
+
+cmake -DCMAKE_BUILD_TYPE=Release \
+      -DBUILD_TESTING=OFF \
+      -DWITH_EXAMPLES=OFF \
+      -DCMAKE_POSITION_INDEPENDENT_CODE=ON \
+      -DWITH_OTLP=ON \
+      -DWITH_OTLP_HTTP=OFF \
+      ..
+make
+make install
+
+# build nginx
+cd "$BUILD_PATH/nginx-$NGINX_VERSION"
+./configure \
+  --prefix=/usr/local/nginx \
+  --with-compat \
+  --add-dynamic-module=$BUILD_PATH/opentelemetry-cpp-contrib-$OPENTELEMETRY_CONTRIB_COMMIT/instrumentation/nginx
+
+make modules
+mkdir -p /etc/nginx/modules
+cp objs/otel_ngx_module.so /etc/nginx/modules/otel_ngx_module.so
+
+# remove .a files
+find /usr/local -name "*.a" -print | xargs /bin/rm
diff --git a/images/opentelemetry/rootfs/init_module.sh b/images/opentelemetry/rootfs/init_module.sh
new file mode 100755
index 000000000..f1e4b27d7
--- /dev/null
+++ b/images/opentelemetry/rootfs/init_module.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+cp -R /etc/nginx/modules /modules_mount/etc/nginx/modules

From 9cf5d951aaab5d55427aa0e72b316eaaa48bfe26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ga=C3=A9tan=20Collaud?= <gaetancollaud@gmail.com>
Date: Sun, 16 Jan 2022 22:37:28 +0100
Subject: [PATCH 288/376] jwt accomodation (#8126)

---
 docs/examples/customization/jwt/README.md | 48 +++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 docs/examples/customization/jwt/README.md

diff --git a/docs/examples/customization/jwt/README.md b/docs/examples/customization/jwt/README.md
new file mode 100644
index 000000000..a751ccb7b
--- /dev/null
+++ b/docs/examples/customization/jwt/README.md
@@ -0,0 +1,48 @@
+# Accommodation for JWT
+
+JWT (short for Json Web Token) is an authentication method widely used. Basically an authentication server generates
+a JWT and you then use this token in every request you make to a backend service. The JWT can be quite big and is
+present in every http headers. This means you may have to adapt the max-header size of your nginx-ingress in order
+to support it.
+
+## Symptoms
+
+If you use JWT and you get http 502 error from your ingress, it may be a sign that the buffer size is not big enough.
+
+To be 100% sure look at the logs of the `ingress-nginx-controller` pod, you should see something like this:
+
+```
+upstream sent too big header while reading response header from upstream...
+```
+
+
+## Increase buffer size for headers
+
+In nginx, we want to modify the property `proxy-buffer-size`. The size is arbitrary. It depends on your needs. Be aware
+that a high value can lower the performance of your ingress proxy. In general a value of 16k should get you covered.
+
+### Using helm
+If you're using helm you can simply use the [`config` properties](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml#L37).
+```yaml
+ # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
+  config: 
+    proxy-buffer-size: 16k
+```
+
+## Manually in kubernetes config files
+
+If you use an already generated config from for a provider, you will have to change the `controller-configmap.yaml`
+
+```yaml
+---
+# Source: ingress-nginx/templates/controller-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+# ...
+data:
+  #...
+  proxy-buffer-size: "16k"
+```
+
+References:
+ * [Custom Configuration](../custom-configuration/)
\ No newline at end of file

From ae6ab1d5ed705b9721a587bb18c3883f7ecffbdc Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Sun, 16 Jan 2022 19:08:06 -0300
Subject: [PATCH 289/376] use github token for docs

---
 .github/workflows/docs.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index 4fdff33d2..420808443 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -37,6 +37,9 @@ jobs:
       (github.repository == 'kubernetes/ingress-nginx') &&
       (needs.changes.outputs.docs == 'true')
 
+    permissions:
+      contents: write # needed to write releases
+
     steps:
 
       - name: Checkout master
@@ -45,4 +48,4 @@ jobs:
       - name: Deploy
         uses: ./.github/actions/mkdocs
         env:
-          PERSONAL_TOKEN: ${{ secrets.PERSONAL_TOKEN }}
+          PERSONAL_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

From 0bc01f7c35410ce5cb07ee86ab530e99ae352026 Mon Sep 17 00:00:00 2001
From: Alois <aloisbarreras@icloud.com>
Date: Sun, 16 Jan 2022 17:17:28 -0500
Subject: [PATCH 290/376] Updating from/to www redirect to use
 X-Forwarded-Proto (#7623)

---
 rootfs/etc/nginx/template/nginx.tmpl | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 954d07fd7..07e36925b 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -586,11 +586,17 @@ http {
                 request_uri = string.sub(request_uri, 1, -2)
             end
 
+            {{ if $cfg.UseForwardedHeaders }}
+            local redirectScheme = ngx.var.http_x_forwarded_proto
+            {{ else }}
+            local redirectScheme = ngx.var.scheme
+            {{ end }}
+
             {{ if ne $all.ListenPorts.HTTPS 443 }}
             {{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }}
-            return string.format("%s://%s%s%s", ngx.var.scheme, "{{ $redirect.To }}", "{{ $redirect_port }}", request_uri)
+            return string.format("%s://%s%s%s", redirectScheme, "{{ $redirect.To }}", "{{ $redirect_port }}", request_uri)
             {{ else }}
-            return string.format("%s://%s%s", ngx.var.scheme, "{{ $redirect.To }}", request_uri)
+            return string.format("%s://%s%s", redirectScheme, "{{ $redirect.To }}", request_uri)
             {{ end }}
         }
 

From 37326815882ad9a12886a0445217dde637fd0dc2 Mon Sep 17 00:00:00 2001
From: Nicolas Lamirault <nicolas.lamirault@gmail.com>
Date: Sun, 16 Jan 2022 23:29:28 +0100
Subject: [PATCH 291/376] Support additonal labels and all Kubernetes
 recommanded labels (#7186)

* Add: Kubernetes recommanded labels

Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>

* Add: support additional labels

Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>

* Add: commonLabels default value

Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>
---
 charts/ingress-nginx/templates/_helpers.tpl | 4 ++++
 charts/ingress-nginx/values.yaml            | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl
index 726224f18..a72af5d9d 100644
--- a/charts/ingress-nginx/templates/_helpers.tpl
+++ b/charts/ingress-nginx/templates/_helpers.tpl
@@ -88,7 +88,11 @@ helm.sh/chart: {{ include "ingress-nginx.chart" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
+app.kubernetes.io/part-of: {{ template "ingress-nginx.name" . }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.commonLabels}}
+{{ toYaml .Values.commonLabels }}
+{{- end }}
 {{- end -}}
 
 {{/*
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index a030ff2db..d30c170b6 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -7,6 +7,12 @@
 # nameOverride:
 # fullnameOverride:
 
+## Labels to apply to all resources
+##
+commonLabels: {}
+# scmhash: abc123
+# myLabel: aakkmd
+
 controller:
   name: controller
   image:

From 784f9c53bbf50aa49f8f6a82d951e95828b21f2f Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Mon, 17 Jan 2022 05:35:28 +0530
Subject: [PATCH 292/376] checking mkdocs & ghpages (#8150)

---
 docs/user-guide/basic-usage.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/user-guide/basic-usage.md b/docs/user-guide/basic-usage.md
index 089c08b3e..2142121d2 100644
--- a/docs/user-guide/basic-usage.md
+++ b/docs/user-guide/basic-usage.md
@@ -6,7 +6,7 @@ First of all follow the instructions to install ingress-nginx. Then imagine that
 
 Let's say that you want to expose the first at `myServiceA.foo.org` and the second at `myServiceB.foo.org`.
 
-If cluster version < 1.19 you can create two **ingress** resources like this:
+If the cluster version is < 1.19, you can create two **ingress** resources like this:
 
 ```
 apiVersion: networking.k8s.io/v1beta1
@@ -91,4 +91,4 @@ On many cloud providers ingress-nginx will also create the corresponding Load Ba
 kubectl get services -n ingress-nginx
 ```
 
-To test inside minikube refer to this documentation: [Set up Ingress on Minikube with the NGINX Ingress Controller](https://kubernetes.io/docs/tasks/access-application-cluster/ingress-minikube/)
\ No newline at end of file
+To test inside minikube refer to this documentation: [Set up Ingress on Minikube with the NGINX Ingress Controller](https://kubernetes.io/docs/tasks/access-application-cluster/ingress-minikube/)

From 1614027cd42aa3fac53d62afc235b86adec7543d Mon Sep 17 00:00:00 2001
From: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Sun, 16 Jan 2022 19:57:28 -0500
Subject: [PATCH 293/376] Minor documentation cleanup (#7826)

* clarify link

* Add section headers

* console blocks

* grpc example json was not valid

* multi-tls update text

The preceding point 1 related to https://github.com/kubernetes-retired/contrib/blob/4f2cb51ef82b4dddb625f6053ad132c1faf07aa1/ingress/controllers/nginx/examples/ingress.yaml
and the deployments referenced in https://github.com/kubernetes-retired/contrib/blob/4f2cb51ef82b4dddb625f6053ad132c1faf07aa1/ingress/controllers/nginx/examples/README.md

They are not relevant to the current instructions.

* add whitespace around parens

* grammar

setup would be a proper noun, but it is not the intended concept, which is a state

* grammar

* is-only
* via

* Use bullets for choices

* ingress-controller

nginx is a distinct brand.

generally this repo talks about ingress-controller, although it is quite inconsistent about how...

* drop stray paren

* OAuth is a brand and needs an article here

also GitHub is a brand

* Indent text under numbered lists

* use e.g.

* Document that customer header config maps changes do not trigger updates

This should be removed if
https://github.com/kubernetes/ingress-nginx/issues/5238
is fixed.

* article

* period

* infinitive verb + period

* clarify that the gRPC server is responsible for listening for TCP traffic and not some other part of the backend application

* avoid using ; and reword

* whitespace

* brand: gRPC

* only-does is the right form

`for` adds nothing here

* spelling: GitHub

* punctuation

`;` is generally not the right punctuation...

* drop stray `to`

* sentence

* backticks

* fix link

* Improve readability of compare/vs

* Renumber list

* punctuation

* Favor Ingress-NGINX and Ingress NGINX

* Simplify custom header restart text

* Undo typo damage

Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
---
 README.md                                     |   4 +-
 docs/e2e-tests.md                             |   2 +-
 docs/examples/affinity/cookie/README.md       |  10 +-
 docs/examples/auth/basic/README.md            |  14 ++-
 docs/examples/auth/client-certs/README.md     |  21 ++--
 docs/examples/auth/external-auth/README.md    |  10 +-
 .../auth/oauth-external-auth/README.md        |  40 +++---
 .../configuration-snippets/README.md          |   9 +-
 .../customization/custom-headers/README.md    |  12 +-
 .../external-auth-headers/README.md           |  10 +-
 .../customization/ssl-dh-param/README.md      |   8 +-
 docs/examples/customization/sysctl/README.md  |   2 +-
 docs/examples/docker-registry/README.md       |   2 +-
 docs/examples/grpc/README.md                  |  30 ++---
 docs/examples/multi-tls/README.md             |   5 +-
 docs/examples/psp/README.md                   |   6 +-
 docs/examples/rewrite/README.md               |   6 +-
 docs/examples/static-ip/README.md             |  23 ++--
 docs/how-it-works.md                          |   2 +-
 docs/index.md                                 |  23 ++--
 docs/kubectl-plugin.md                        |   8 +-
 docs/troubleshooting.md                       | 116 +++++++++---------
 docs/user-guide/default-backend.md            |   2 +-
 docs/user-guide/monitoring.md                 |   4 +-
 docs/user-guide/multiple-ingress.md           |   4 +-
 .../nginx-configuration/configmap.md          |   2 +-
 .../third-party-addons/opentracing.md         |   2 +-
 27 files changed, 208 insertions(+), 169 deletions(-)

diff --git a/README.md b/README.md
index 6c604ddba..3fec178e5 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# NGINX Ingress Controller
+# Ingress NGINX Controller
 
 [![Go Report Card](https://goreportcard.com/badge/github.com/kubernetes/ingress-nginx)](https://goreportcard.com/report/github.com/kubernetes/ingress-nginx)
 [![GitHub license](https://img.shields.io/github/license/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/blob/main/LICENSE)
@@ -28,7 +28,7 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 
 ### Support Versions table 
 
-| Ingress-nginx version | k8s supported version        | Alpine Version | Nginx Version |
+| Ingress-NGINX version | k8s supported version        | Alpine Version | Nginx Version |
 |-----------------------|------------------------------|----------------|---------------|
 | v1.1.1                | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
 | v1.1.0                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
diff --git a/docs/e2e-tests.md b/docs/e2e-tests.md
index 552a11f1e..29ef07161 100644
--- a/docs/e2e-tests.md
+++ b/docs/e2e-tests.md
@@ -1,6 +1,6 @@
 
 
-# e2e test suite for [NGINX Ingress Controller](https://github.com/kubernetes/ingress-nginx/tree/main/)
+# e2e test suite for [Ingress NGINX Controller](https://github.com/kubernetes/ingress-nginx/tree/main/)
 
 
 
diff --git a/docs/examples/affinity/cookie/README.md b/docs/examples/affinity/cookie/README.md
index a37bef6f1..891f828a2 100644
--- a/docs/examples/affinity/cookie/README.md
+++ b/docs/examples/affinity/cookie/README.md
@@ -14,13 +14,13 @@ Session affinity can be configured using the following annotations:
 |nginx.ingress.kubernetes.io/session-cookie-name|Name of the cookie that will be created|string (defaults to `INGRESSCOOKIE`)|
 |nginx.ingress.kubernetes.io/session-cookie-secure|Set the cookie as secure regardless the protocol of the incoming request|`"true"` or `"false"`|
 |nginx.ingress.kubernetes.io/session-cookie-path|Path that will be set on the cookie (required if your [Ingress paths][ingress-paths] use regular expressions)|string (defaults to the currently [matched path][ingress-paths])|
-|nginx.ingress.kubernetes.io/session-cookie-samesite|SameSite attribute to apply to the cookie|Browser accepted values are `None`, `Lax`, and `Strict`|
+|nginx.ingress.kubernetes.io/session-cookie-samesite|`SameSite` attribute to apply to the cookie|Browser accepted values are `None`, `Lax`, and `Strict`|
 |nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none|Will omit `SameSite=None` attribute for older browsers which reject the more-recently defined `SameSite=None` value|`"true"` or `"false"`
 |nginx.ingress.kubernetes.io/session-cookie-max-age|Time until the cookie expires, corresponds to the `Max-Age` cookie directive|number of seconds|
 |nginx.ingress.kubernetes.io/session-cookie-expires|Legacy version of the previous annotation for compatibility with older browsers, generates an `Expires` cookie directive by adding the seconds to the current date|number of seconds|
 |nginx.ingress.kubernetes.io/session-cookie-change-on-failure|When set to `false` nginx ingress will send request to upstream pointed by sticky cookie even if previous attempt failed. When set to `true` and previous attempt failed, sticky cookie will be changed to point to another upstream.|`true` or `false` (defaults to `false`)|
 
-You can create the [example Ingress](ingress.yaml) to test this:
+You can create the [session affinity example Ingress](ingress.yaml) to test this:
 
 ```console
 kubectl create -f ingress.yaml
@@ -66,13 +66,15 @@ Accept-Ranges: bytes
 ```
 
 In the example above, you can see that the response contains a `Set-Cookie` header with the settings we have defined.
-This cookie is created by NGINX, it contains a randomly generated key corresponding to the upstream used for that request (selected using [consistent hashing][consistent-hashing]) and has an `Expires` directive.
-If the user changes this cookie, NGINX creates a new one and redirects the user to another upstream.
+This cookie is created by the NGINX Ingress Controller, it contains a randomly generated key corresponding to the upstream used for that request (selected using [consistent hashing][consistent-hashing]) and has an `Expires` directive.
+If a client sends a cookie that doesn't correspond to an upstream, NGINX selects an upstream and creates a corresponding cookie.
 
 If the backend pool grows NGINX will keep sending the requests through the same server of the first request, even if it's overloaded.
 
 When the backend server is removed, the requests are re-routed to another upstream server. This does not require the cookie to be updated because the key's [consistent hash][consistent-hashing] will change.
 
+## Caveats
+
 When you have a Service pointing to more than one Ingress, with only one containing affinity configuration, the first created Ingress will be used.
 This means that you can face the situation that you've configured session affinity on one Ingress and it doesn't work because the Service is pointing to another Ingress that doesn't configure this.
 
diff --git a/docs/examples/auth/basic/README.md b/docs/examples/auth/basic/README.md
index ffd8495f3..5e890df80 100644
--- a/docs/examples/auth/basic/README.md
+++ b/docs/examples/auth/basic/README.md
@@ -3,6 +3,8 @@
 This example shows how to add authentication in a Ingress rule using a secret that contains a file generated with `htpasswd`.
 It's important the file generated is named `auth` (actually - that the secret has a key `data.auth`), otherwise the ingress-controller returns a 503.
 
+## Create htpasswd file
+
 ```console
 $ htpasswd -c auth foo
 New password: <bar>
@@ -11,11 +13,15 @@ Re-type new password:
 Adding password for user foo
 ```
 
+## Convert htpasswd into a secret
+
 ```console
 $ kubectl create secret generic basic-auth --from-file=auth
 secret "basic-auth" created
 ```
 
+## Examine secret
+
 ```console
 $ kubectl get secret basic-auth -o yaml
 apiVersion: v1
@@ -28,8 +34,10 @@ metadata:
 type: Opaque
 ```
 
+## Using kubectl, create an ingress tied to the basic-auth secret
+
 ```console
-echo "
+$ echo "
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -57,6 +65,8 @@ spec:
 " | kubectl create -f -
 ```
 
+## Use curl to confirm authorization is required by the ingress
+
 ```
 $ curl -v http://10.2.29.4/ -H 'Host: foo.bar.com'
 *   Trying 10.2.29.4...
@@ -84,6 +94,8 @@ $ curl -v http://10.2.29.4/ -H 'Host: foo.bar.com'
 * Connection #0 to host 10.2.29.4 left intact
 ```
 
+## Use curl with the correct credentials to connect to the ingress
+
 ```
 $ curl -v http://10.2.29.4/ -H 'Host: foo.bar.com' -u 'foo:bar'
 *   Trying 10.2.29.4...
diff --git a/docs/examples/auth/client-certs/README.md b/docs/examples/auth/client-certs/README.md
index a60aa14e7..94cf6c697 100644
--- a/docs/examples/auth/client-certs/README.md
+++ b/docs/examples/auth/client-certs/README.md
@@ -1,11 +1,12 @@
 # Client Certificate Authentication
 
 It is possible to enable Client-Certificate Authentication by adding additional annotations to your Ingress Resource.
-Before getting started you must have the following Certificates Setup:
 
-1. CA certificate and Key(Intermediate Certs need to be in CA)
-2. Server Certificate(Signed by CA) and Key (CN should be equal the hostname you will use)
-3. Client Certificate(Signed by CA) and Key
+Before getting started you must have the following Certificates configured:
+
+1. CA certificate and Key (Intermediate Certs need to be in CA)
+2. Server Certificate (Signed by CA) and Key (CN should be equal the hostname you will use)
+3. Client Certificate (Signed by CA) and Key
 
 For more details on the generation process, checkout the Prerequisite [docs](../../PREREQUISITES.md#client-certificate-authentication).
 
@@ -15,13 +16,13 @@ You can have as many certificates as you want. If they're in the binary DER form
 openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem
 ```
 
-Then, you can concatenate them all in only one file, named 'ca.crt' as the following:
+Then, you can concatenate them all into one file, named 'ca.crt' with the following:
 
 ```bash
 cat certificate1.crt certificate2.crt certificate3.crt >> ca.crt
 ```
 
-**Note:** Make sure that the Key Size is greater than 1024 and Hashing Algorithm(Digest) is something better than md5
+**Note:** Make sure that the Key Size is greater than 1024 and Hashing Algorithm (Digest) is something better than md5
 for each certificate generated. Otherwise you will receive an error.
 
 ## Creating Certificate Secrets
@@ -29,7 +30,7 @@ for each certificate generated. Otherwise you will receive an error.
 There are many different ways of configuring your secrets to enable Client-Certificate
 Authentication to work properly.
 
-1. You can create a secret containing just the CA certificate and another
+*   You can create a secret containing just the CA certificate and another
     Secret containing the Server Certificate which is Signed by the CA.
 
     ```bash
@@ -37,14 +38,14 @@ Authentication to work properly.
     kubectl create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key
     ```
 
-2. You can create a secret containing CA certificate along with the Server
-    Certificate, that can be used for both TLS and Client Auth.
+*   You can create a secret containing CA certificate along with the Server
+    Certificate that can be used for both TLS and Client Auth.
 
     ```bash
     kubectl create secret generic ca-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt
     ```
 
-3. If you want to also enable Certificate Revocation List verification you can 
+*  If you want to also enable Certificate Revocation List verification you can
    create the secret also containing the CRL file in PEM format:
    ```bash
    kubectl create secret generic ca-secret --from-file=ca.crt=ca.crt --from-file=ca.crl=ca.crl
diff --git a/docs/examples/auth/external-auth/README.md b/docs/examples/auth/external-auth/README.md
index 62ae72e2c..ad3ee8b09 100644
--- a/docs/examples/auth/external-auth/README.md
+++ b/docs/examples/auth/external-auth/README.md
@@ -1,6 +1,6 @@
 # External Basic Authentication
 
-### Example 1:
+### Example 1
 
 Use an external service (Basic Auth) located in `https://httpbin.org`
 
@@ -44,7 +44,7 @@ status:
 $
 ```
 
-Test 1: no username/password (expect code 401)
+## Test 1: no username/password (expect code 401)
 
 ```console
 $ curl -k http://172.17.4.99 -v -H 'Host: external-auth-01.sample.com'
@@ -74,7 +74,8 @@ $ curl -k http://172.17.4.99 -v -H 'Host: external-auth-01.sample.com'
 * Connection #0 to host 172.17.4.99 left intact
 ```
 
-Test 2: valid username/password (expect code 200)
+## Test 2: valid username/password (expect code 200)
+
 ```
 $ curl -k http://172.17.4.99 -v -H 'Host: external-auth-01.sample.com' -u 'user:passwd'
 * Rebuilt URL to: http://172.17.4.99/
@@ -121,7 +122,8 @@ BODY:
 -no body in request-
 ```
 
-Test 3: invalid username/password (expect code 401)
+## Test 3: invalid username/password (expect code 401)
+
 ```
 curl -k http://172.17.4.99 -v -H 'Host: external-auth-01.sample.com' -u 'user:user'
 * Rebuilt URL to: http://172.17.4.99/
diff --git a/docs/examples/auth/oauth-external-auth/README.md b/docs/examples/auth/oauth-external-auth/README.md
index f6e21f488..a08928720 100644
--- a/docs/examples/auth/oauth-external-auth/README.md
+++ b/docs/examples/auth/oauth-external-auth/README.md
@@ -6,7 +6,7 @@ The `auth-url` and `auth-signin` annotations allow you to use an external
 authentication provider to protect your Ingress resources.
 
 !!! Important
-    This annotation requires `ingress-nginx-controller v0.9.0` or greater.)
+    This annotation requires `ingress-nginx-controller v0.9.0` or greater.
 
 ### Key Detail
 
@@ -32,45 +32,47 @@ metadata:
 ### Example: OAuth2 Proxy + Kubernetes-Dashboard
 
 This example will show you how to deploy [`oauth2_proxy`](https://github.com/pusher/oauth2_proxy)
-into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using github as oAuth2 provider
+into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using GitHub as the OAuth2 provider.
 
 #### Prepare
 
 1. Install the kubernetes dashboard
 
-```console
-kubectl create -f https://raw.githubusercontent.com/kubernetes/kops/master/addons/kubernetes-dashboard/v1.10.1.yaml
-```
+    ```console
+    kubectl create -f https://raw.githubusercontent.com/kubernetes/kops/master/addons/kubernetes-dashboard/v1.10.1.yaml
+    ```
 
-2. Create a [custom Github OAuth application](https://github.com/settings/applications/new)
+2. Create a [custom GitHub OAuth application](https://github.com/settings/applications/new)
 
-![Register OAuth2 Application](images/register-oauth-app.png)
+    ![Register OAuth2 Application](images/register-oauth-app.png)
 
-- Homepage URL is the FQDN in the Ingress rule, like `https://foo.bar.com`
-- Authorization callback URL is the same as the base FQDN plus `/oauth2/callback`, like `https://foo.bar.com/oauth2/callback`
+    - Homepage URL is the FQDN in the Ingress rule, like `https://foo.bar.com`
+    - Authorization callback URL is the same as the base FQDN plus `/oauth2/callback`, like `https://foo.bar.com/oauth2/callback`
 
-![Register OAuth2 Application](images/register-oauth-app-2.png)
+    ![Register OAuth2 Application](images/register-oauth-app-2.png)
 
 3. Configure oauth2_proxy values in the file [`oauth2-proxy.yaml`](https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/auth/oauth-external-auth/oauth2-proxy.yaml) with the values:
 
-- OAUTH2_PROXY_CLIENT_ID with the github `<Client ID>`
-- OAUTH2_PROXY_CLIENT_SECRET with the github `<Client Secret>`
-- OAUTH2_PROXY_COOKIE_SECRET with value of `python -c 'import os,base64; print(base64.b64encode(os.urandom(16)).decode("ascii"))'`
+    - OAUTH2_PROXY_CLIENT_ID with the github `<Client ID>`
+    - OAUTH2_PROXY_CLIENT_SECRET with the github `<Client Secret>`
+    - OAUTH2_PROXY_COOKIE_SECRET with value of `python -c 'import os,base64; print(base64.b64encode(os.urandom(16)).decode("ascii"))'`
 
 4. Customize the contents of the file [`dashboard-ingress.yaml`](https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/auth/oauth-external-auth/dashboard-ingress.yaml):
 
-Replace `__INGRESS_HOST__` with a valid FQDN and `__INGRESS_SECRET__` with a Secret with a valid SSL certificate.
+    Replace `__INGRESS_HOST__` with a valid FQDN and `__INGRESS_SECRET__` with a Secret with a valid SSL certificate.
 
 5. Deploy the oauth2 proxy and the ingress rules running:
 
-```console
-$ kubectl create -f oauth2-proxy.yaml,dashboard-ingress.yaml
-```
+    ```console
+    $ kubectl create -f oauth2-proxy.yaml,dashboard-ingress.yaml
+    ```
 
-Test the oauth integration accessing the configured URL, like `https://foo.bar.com`
+### Test
+
+Test the oauth integration accessing the configured URL, e.g. `https://foo.bar.com`
 
 ![Register OAuth2 Application](images/github-auth.png)
 
-![Github authentication](images/oauth-login.png)
+![GitHub authentication](images/oauth-login.png)
 
 ![Kubernetes dashboard](images/dashboard.png)
diff --git a/docs/examples/customization/configuration-snippets/README.md b/docs/examples/customization/configuration-snippets/README.md
index d60a3d1a0..5ef230ff1 100644
--- a/docs/examples/customization/configuration-snippets/README.md
+++ b/docs/examples/customization/configuration-snippets/README.md
@@ -2,13 +2,16 @@
 
 ## Ingress
 
-The Ingress in [this example](ingress.yaml) adds a custom header to Nginx configuration that only applies to that specific Ingress. If you want to add headers that apply globally to all Ingresses, please have a look at [this example](../custom-headers/README.md).
+The Ingress in [this example](ingress.yaml) adds a custom header to Nginx configuration that only applies to that specific Ingress. If you want to add headers that apply globally to all Ingresses, please have a look at [an example of specifying customer headers](../custom-headers/README.md).
 
 ```console
-$ kubectl apply -f ingress.yaml
+kubectl apply -f ingress.yaml
 ```
 
 ## Test
 
 Check if the contents of the annotation are present in the nginx.conf file using:
-`kubectl exec ingress-nginx-controller-873061567-4n3k2 -n kube-system -- cat /etc/nginx/nginx.conf`
+
+```console
+kubectl exec ingress-nginx-controller-873061567-4n3k2 -n kube-system -- cat /etc/nginx/nginx.conf
+```
diff --git a/docs/examples/customization/custom-headers/README.md b/docs/examples/customization/custom-headers/README.md
index 378f2aa87..499bfc386 100644
--- a/docs/examples/customization/custom-headers/README.md
+++ b/docs/examples/customization/custom-headers/README.md
@@ -1,5 +1,15 @@
 # Custom Headers
 
+## Caveats
+
+Changes to the custom header config maps do not force a reload of the ingress-nginx-controllers.
+
+### Workaround
+
+To work around this limitation, perform a rolling restart of the deployment.
+
+## Example
+
 This example demonstrates configuration of the nginx ingress controller via
 a ConfigMap to pass a custom list of headers to the upstream
 server.
@@ -29,4 +39,4 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main
 ## Test
 
 Check the contents of the ConfigMaps are present in the nginx.conf file using:
-`kubectl exec ingress-nginx-controller-873061567-4n3k2 -n ingress-nginx -- cat /etc/nginx/nginx.conf`
\ No newline at end of file
+`kubectl exec ingress-nginx-controller-873061567-4n3k2 -n ingress-nginx -- cat /etc/nginx/nginx.conf`
diff --git a/docs/examples/customization/external-auth-headers/README.md b/docs/examples/customization/external-auth-headers/README.md
index 9aaf6864b..946088b4b 100644
--- a/docs/examples/customization/external-auth-headers/README.md
+++ b/docs/examples/customization/external-auth-headers/README.md
@@ -1,7 +1,7 @@
 # External authentication, authentication service response headers propagation
 
 This example demonstrates propagation of selected authentication service response headers
-to backend service.
+to a backend service.
 
 Sample configuration includes:
 
@@ -37,7 +37,7 @@ public-demo-echo-service   public-demo-echo-service.kube.local             80
 secure-demo-echo-service   secure-demo-echo-service.kube.local             80        1m
 ```
 
-Test 1: public service with no auth header
+## Test 1: public service with no auth header
 
 ```console
 $ curl -H 'Host: public-demo-echo-service.kube.local' -v 192.168.99.100
@@ -60,7 +60,7 @@ $ curl -H 'Host: public-demo-echo-service.kube.local' -v 192.168.99.100
 UserID: , UserRole:
 ```
 
-Test 2: secure service with no auth header
+## Test 2: secure service with no auth header
 
 ```console
 $ curl -H 'Host: secure-demo-echo-service.kube.local' -v 192.168.99.100
@@ -89,7 +89,7 @@ $ curl -H 'Host: secure-demo-echo-service.kube.local' -v 192.168.99.100
 * Connection #0 to host 192.168.99.100 left intact
 ```
 
-Test 3: public service with valid auth header
+## Test 3: public service with valid auth header
 
 ```console
 $ curl -H 'Host: public-demo-echo-service.kube.local' -H 'User:internal' -v 192.168.99.100
@@ -113,7 +113,7 @@ $ curl -H 'Host: public-demo-echo-service.kube.local' -H 'User:internal' -v 192.
 UserID: 1443635317331776148, UserRole: admin
 ```
 
-Test 4: secure service with valid auth header
+## Test 4: secure service with valid auth header
 
 ```console
 $ curl -H 'Host: secure-demo-echo-service.kube.local' -H 'User:internal' -v 192.168.99.100
diff --git a/docs/examples/customization/ssl-dh-param/README.md b/docs/examples/customization/ssl-dh-param/README.md
index 9029b834b..2eae67ce2 100644
--- a/docs/examples/customization/ssl-dh-param/README.md
+++ b/docs/examples/customization/ssl-dh-param/README.md
@@ -1,7 +1,7 @@
 # Custom DH parameters for perfect forward secrecy
 
 This example aims to demonstrate the deployment of an nginx ingress controller and
-use a ConfigMap to configure custom Diffie-Hellman parameters file to help with
+use a ConfigMap to configure a custom Diffie-Hellman parameters file to help with
 "Perfect Forward Secrecy".
 
 ## Custom configuration
@@ -27,7 +27,7 @@ $ kubectl create -f configmap.yaml
 ## Custom DH parameters secret
 
 ```console
-$> openssl dhparam 4096 2> /dev/null | base64
+$ openssl dhparam 4096 2> /dev/null | base64
 LS0tLS1CRUdJTiBESCBQQVJBTUVURVJ...
 ```
 
@@ -52,4 +52,6 @@ $ kubectl create -f ssl-dh-param.yaml
 ## Test
 
 Check the contents of the configmap is present in the nginx.conf file using:
-`kubectl exec ingress-nginx-controller-873061567-4n3k2 -n kube-system -- cat /etc/nginx/nginx.conf`
+```console
+$ kubectl exec ingress-nginx-controller-873061567-4n3k2 -n kube-system -- cat /etc/nginx/nginx.conf
+```
diff --git a/docs/examples/customization/sysctl/README.md b/docs/examples/customization/sysctl/README.md
index b285808b5..54fbe4355 100644
--- a/docs/examples/customization/sysctl/README.md
+++ b/docs/examples/customization/sysctl/README.md
@@ -1,6 +1,6 @@
 # Sysctl tuning
 
-This example aims to demonstrate the use of an Init Container to adjust sysctl default values using `kubectl patch`
+This example aims to demonstrate the use of an Init Container to adjust sysctl default values using `kubectl patch`.
 
 ```console
 kubectl patch deployment -n ingress-nginx ingress-nginx-controller \
diff --git a/docs/examples/docker-registry/README.md b/docs/examples/docker-registry/README.md
index 102c8d39d..8ba230f2c 100644
--- a/docs/examples/docker-registry/README.md
+++ b/docs/examples/docker-registry/README.md
@@ -1,6 +1,6 @@
 # Docker registry
 
-This example demonstrates how to deploy a [docker registry](https://github.com/docker/distribution) in the cluster and configure Ingress enable access from Internet
+This example demonstrates how to deploy a [docker registry](https://github.com/docker/distribution) in the cluster and configure Ingress to enable access from the Internet.
 
 ## Deployment
 
diff --git a/docs/examples/grpc/README.md b/docs/examples/grpc/README.md
index 7a9c2aef2..2d1929b66 100644
--- a/docs/examples/grpc/README.md
+++ b/docs/examples/grpc/README.md
@@ -1,28 +1,28 @@
 # gRPC
 
-This example demonstrates how to route traffic to a gRPC service through the nginx controller.
+This example demonstrates how to route traffic to a gRPC service through the Ingress-NGINX controller.
 
 ## Prerequisites
 
 1. You have a kubernetes cluster running.
-2. You have a domain name such as `example.com` that is configured to route traffic to the ingress controller.
+2. You have a domain name such as `example.com` that is configured to route traffic to the Ingress-NGINX controller.
 3. You have the ingress-nginx-controller installed as per docs.
-4. You have a backend application running a gRPC server and listening for TCP traffic.  If you want, you can use <https://github.com/grpc/grpc-go/blob/91e0aeb192456225adf27966d04ada4cf8599915/examples/features/reflection/server/main.go> as an example.
-5. You're also responsible for provisioning an SSL certificate for the ingress. So you need to have a valid SSL certificate, deployed as a Kubernetes secret of type tls, in the same namespace as the gRPC application.
+4. You have a backend application running a gRPC server listening for TCP traffic.  If you want, you can use <https://github.com/grpc/grpc-go/blob/91e0aeb192456225adf27966d04ada4cf8599915/examples/features/reflection/server/main.go> as an example.
+5. You're also responsible for provisioning an SSL certificate for the ingress. So you need to have a valid SSL certificate, deployed as a Kubernetes secret of type `tls`, in the same namespace as the gRPC application.
 
 ### Step 1: Create a Kubernetes `Deployment` for gRPC app
 
 - Make sure your gRPC application pod is running and listening for connections. For example you can try a kubectl command like this below:
-  ```
+  ```console
   $ kubectl get po -A -o wide | grep go-grpc-greeter-server
   ```
 - If you have a gRPC app deployed in your cluster, then skip further notes in this Step 1, and continue from Step 2 below.
 
-- As an example gRPC application, we can use this app <https://github.com/grpc/grpc-go/blob/91e0aeb192456225adf27966d04ada4cf8599915/examples/features/reflection/server/main.go> .
+- As an example gRPC application, we can use this app <https://github.com/grpc/grpc-go/blob/91e0aeb192456225adf27966d04ada4cf8599915/examples/features/reflection/server/main.go>.
 
 - To create a container image for this app, you can use [this Dockerfile](https://github.com/kubernetes/ingress-nginx/blob/5a52d99ae85cfe5ef9535291b8326b0006e75066/images/go-grpc-greeter-server/rootfs/Dockerfile). 
 
-- If you use the Dockerfile mentioned above, to create a image, then given below is an example of a Kubernetes manifest, to create a deployment resource, that uses that image. If needed, then edit this manifest to suit your needs. Assuming the name of this yaml file is  `deployment.go-grpc-greeter-server.yaml` ;
+- If you use the Dockerfile mentioned above, to create a image, then you can use the following example Kubernetes manifest to create a deployment resource that uses that image. If necessary edit this manifest to suit your needs.
 
   ```
   cat <<EOF | kubectl apply -f -
@@ -59,7 +59,7 @@ This example demonstrates how to route traffic to a gRPC service through the ngi
 
 ### Step 2: Create the Kubernetes `Service` for the gRPC app
 
-- You can use the following example manifest to create a service of type ClusterIP. Edit the name/namespace/label/port to match your deployment/pod ;
+- You can use the following example manifest to create a service of type ClusterIP. Edit the name/namespace/label/port to match your deployment/pod.
   ```
   cat <<EOF | kubectl apply -f -
   apiVersion: v1
@@ -78,7 +78,7 @@ This example demonstrates how to route traffic to a gRPC service through the ngi
     type: ClusterIP
   EOF
   ```
-- You can save the above example manifest to a file with name `service.go-grpc-greeter-server.yaml` and edit it to match your deployment/pod, if required. You can create the service resource with a kubectl command like this ;
+- You can save the above example manifest to a file with name `service.go-grpc-greeter-server.yaml` and edit it to match your deployment/pod, if required. You can create the service resource with a kubectl command like this:
 
   ```
   $ kubectl create -f service.go-grpc-greeter-server.yaml
@@ -86,7 +86,7 @@ This example demonstrates how to route traffic to a gRPC service through the ngi
 
 ### Step 3: Create the Kubernetes `Ingress` resource for the gRPC app
 
-- Use the following example manifest of a ingress resource to create a ingress for your grpc app. If required, edit it to match your app's details like name, namespace, service, secret etc. Make sure you have the required SSL-Certificate, existing in your Kubernetes cluster, in the same namespace where the gRPC app is. The certificate must be available as a kubernetes secret resource, of type "kubernete.io/tls" https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets. This is because we are terminating TLS on the ingress;
+- Use the following example manifest of a ingress resource to create a ingress for your grpc app. If required, edit it to match your app's details like name, namespace, service, secret etc. Make sure you have the required SSL-Certificate, existing in your Kubernetes cluster in the same namespace where the gRPC app is. The certificate must be available as a kubernetes secret resource, of type "kubernete.io/tls" https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets. This is because we are terminating TLS on the ingress.
 
   ```
   cat <<EOF | kubectl apply -f -
@@ -121,7 +121,7 @@ This example demonstrates how to route traffic to a gRPC service through the ngi
   EOF
   ```
 
-- If you save the above example manifest as a file named `ingress.go-grpc-greeter-server.yaml` and edit it to match your deployment and service, you can create the ingress like this ;
+- If you save the above example manifest as a file named `ingress.go-grpc-greeter-server.yaml` and edit it to match your deployment and service, you can create the ingress like this:
 
   ```
   $ kubectl create -f ingress.go-grpc-greeter-server.yaml
@@ -144,7 +144,7 @@ This example demonstrates how to route traffic to a gRPC service through the ngi
   ```
   $ grpcurl grpctest.dev.mydomain.com:443 helloworld.Greeter/SayHello
   {
-    "message": "
+    "message": "Hello "
   }
   ```
 
@@ -162,12 +162,12 @@ This example demonstrates how to route traffic to a gRPC service through the ngi
 > https://proto.stack.build, a protocol buffer / gRPC build service that can use
 > to help make it easier for your users to consume your API.
 
-> See also the specific GRPC settings of NGINX: https://nginx.org/en/docs/http/ngx_http_grpc_module.html
+> See also the specific gRPC settings of NGINX: https://nginx.org/en/docs/http/ngx_http_grpc_module.html
 
 ### Notes on using response/request streams
 
-1. If your server does only response streaming and you expect a stream to be open longer than 60 seconds, you will have to change the `grpc_read_timeout` to accommodate for this.
-2. If your service does only request streaming and you expect a stream to be open longer than 60 seconds, you have to change the
+1. If your server only does response streaming and you expect a stream to be open longer than 60 seconds, you will have to change the `grpc_read_timeout` to accommodate this.
+2. If your service only does request streaming and you expect a stream to be open longer than 60 seconds, you have to change the
 `grpc_send_timeout` and the `client_body_timeout`.
 3. If you do both response and request streaming with an open stream longer than 60 seconds, you have to change all three timeouts: `grpc_read_timeout`, `grpc_send_timeout` and `client_body_timeout`.
 
diff --git a/docs/examples/multi-tls/README.md b/docs/examples/multi-tls/README.md
index 198bc6d38..cc990151b 100644
--- a/docs/examples/multi-tls/README.md
+++ b/docs/examples/multi-tls/README.md
@@ -2,9 +2,8 @@
 
 This example uses 2 different certificates to terminate SSL for 2 hostnames.
 
-1. Deploy the controller by creating the rc in the parent dir
-2. Create tls secrets for foo.bar.com and bar.baz.com as indicated in the yaml
-3. Create [multi-tls.yaml](multi-tls.yaml)
+1. Create tls secrets for foo.bar.com and bar.baz.com as indicated in the yaml
+2. Create [multi-tls.yaml](multi-tls.yaml)
 
 This should generate a segment like:
 ```console
diff --git a/docs/examples/psp/README.md b/docs/examples/psp/README.md
index 4d5f317fb..f8426baf2 100644
--- a/docs/examples/psp/README.md
+++ b/docs/examples/psp/README.md
@@ -1,17 +1,17 @@
 # Pod Security Policy (PSP)
 
-In most clusters today, by default, all resources (e.g. Deployments and ReplicatSets)
+In most clusters today, by default, all resources (e.g. `Deployments` and `ReplicatSets`)
 have permissions to create pods.
 Kubernetes however provides a more fine-grained authorization policy called
 [Pod Security Policy (PSP)](https://kubernetes.io/docs/concepts/policy/pod-security-policy/).
 
 PSP allows the cluster owner to define the permission of each object, for example creating a pod.
 If you have PSP enabled on the cluster, and you deploy ingress-nginx,
-you will need to provide the Deployment with the permissions to create pods.
+you will need to provide the `Deployment` with the permissions to create pods.
 
 Before applying any objects, first apply the PSP permissions by running:
 ```console
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/psp/psp.yaml
 ```
 
-Note: PSP permissions must be granted before to the creation of the Deployment and the ReplicaSet.
+Note: PSP permissions must be granted before the creation of the `Deployment` and the `ReplicaSet`.
diff --git a/docs/examples/rewrite/README.md b/docs/examples/rewrite/README.md
index fbe9f30c7..c529c34ef 100644
--- a/docs/examples/rewrite/README.md
+++ b/docs/examples/rewrite/README.md
@@ -1,6 +1,6 @@
 # Rewrite
 
-This example demonstrates how to use the Rewrite annotations
+This example demonstrates how to use `Rewrite` annotations.
 
 ## Prerequisites
 
@@ -15,9 +15,9 @@ Rewriting can be controlled using the following annotations:
 |Name|Description|Values|
 | --- | --- | --- |
 |nginx.ingress.kubernetes.io/rewrite-target|Target URI where the traffic must be redirected|string|
-|nginx.ingress.kubernetes.io/ssl-redirect|Indicates if the location section is accessible SSL only (defaults to True when Ingress contains a Certificate)|bool|
+|nginx.ingress.kubernetes.io/ssl-redirect|Indicates if the location section is only accessible via SSL (defaults to True when Ingress contains a Certificate)|bool|
 |nginx.ingress.kubernetes.io/force-ssl-redirect|Forces the redirection to HTTPS even if the Ingress is not TLS Enabled|bool|
-|nginx.ingress.kubernetes.io/app-root|Defines the Application Root that the Controller must redirect if it's in '/' context|string|
+|nginx.ingress.kubernetes.io/app-root|Defines the Application Root that the Controller must redirect if it's in `/` context|string|
 |nginx.ingress.kubernetes.io/use-regex|Indicates if the paths defined on an Ingress use regular expressions|bool|
 
 ## Examples
diff --git a/docs/examples/static-ip/README.md b/docs/examples/static-ip/README.md
index f74be5757..992839a24 100644
--- a/docs/examples/static-ip/README.md
+++ b/docs/examples/static-ip/README.md
@@ -1,6 +1,6 @@
 # Static IPs
 
-This example demonstrates how to assign a static-ip to an Ingress on through the Nginx controller.
+This example demonstrates how to assign a static-ip to an Ingress on through the Ingress-NGINX controller.
 
 ## Prerequisites
 
@@ -11,15 +11,15 @@ and that you have an ingress controller [running](../../deploy/) in your cluster
 
 ## Acquiring an IP
 
-Since instances of the nginx controller actually run on nodes in your cluster,
+Since instances of the ingress nginx controller actually run on nodes in your cluster,
 by default nginx Ingresses will only get static IPs if your cloudprovider
 supports static IP assignments to nodes. On GKE/GCE for example, even though
-nodes get static IPs, the IPs are not retained across upgrade.
+nodes get static IPs, the IPs are not retained across upgrades.
 
 To acquire a static IP for the ingress-nginx-controller, simply put it
 behind a Service of `Type=LoadBalancer`.
 
-First, create a loadbalancer Service and wait for it to acquire an IP
+First, create a loadbalancer Service and wait for it to acquire an IP:
 
 ```console
 $ kubectl create -f static-ip-svc.yaml
@@ -30,7 +30,7 @@ NAME               CLUSTER-IP     EXTERNAL-IP       PORT(S)
 ingress-nginx-lb   10.0.138.113   104.154.109.191   80:31457/TCP,443:32240/TCP   15m
 ```
 
-then, update the ingress controller so it adopts the static IP of the Service
+Then, update the ingress controller so it adopts the static IP of the Service
 by passing the `--publish-service` flag (the example yaml used in the next step
 already has it set to "ingress-nginx-lb").
 
@@ -42,7 +42,7 @@ deployment "ingress-nginx-controller" created
 ## Assigning the IP to an Ingress
 
 From here on every Ingress created with the `ingress.class` annotation set to
-`nginx` will get the IP allocated in the previous step
+`nginx` will get the IP allocated in the previous step.
 
 ```console
 $ kubectl create -f ingress-nginx.yaml
@@ -65,7 +65,7 @@ request_uri=http://104.154.109.191:8080/
 
 ## Retaining the IP
 
-You can test retention by deleting the Ingress
+You can test retention by deleting the Ingress:
 
 ```console
 $ kubectl delete ing ingress-nginx
@@ -85,16 +85,16 @@ ingress-nginx   *         104.154.109.191   80, 443   13m
 
 ## Promote ephemeral to static IP
 
-To promote the allocated IP to static, you can update the Service manifest
+To promote the allocated IP to static, you can update the Service manifest:
 
 ```console
 $ kubectl patch svc ingress-nginx-lb -p '{"spec": {"loadBalancerIP": "104.154.109.191"}}'
 "ingress-nginx-lb" patched
 ```
 
-and promote the IP to static (promotion works differently for cloudproviders,
-provided example is for GKE/GCE)
-`
+... and promote the IP to static (promotion works differently for cloudproviders,
+provided example is for GKE/GCE):
+
 ```console
 $ gcloud compute addresses create ingress-nginx-lb --addresses 104.154.109.191 --region us-central1
 Created [https://www.googleapis.com/compute/v1/projects/kubernetesdev/regions/us-central1/addresses/ingress-nginx-lb].
@@ -114,4 +114,3 @@ users:
 
 Now even if the Service is deleted, the IP will persist, so you can recreate the
 Service with `spec.loadBalancerIP` set to `104.154.109.191`.
-
diff --git a/docs/how-it-works.md b/docs/how-it-works.md
index 1e530d045..b7d48b00c 100644
--- a/docs/how-it-works.md
+++ b/docs/how-it-works.md
@@ -1,6 +1,6 @@
 # How it works
 
-The objective of this document is to explain how the NGINX Ingress controller works, in particular how the NGINX model is built and why we need one.
+The objective of this document is to explain how the Ingress-NGINX controller works, in particular how the NGINX model is built and why we need one.
 
 ## NGINX configuration
 
diff --git a/docs/index.md b/docs/index.md
index b06141814..bda45d317 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -1,6 +1,6 @@
 # Overview
 
-This is the documentation for the NGINX Ingress Controller.
+This is the documentation for the Ingress NGINX Controller.
 
 It is built around the [Kubernetes Ingress resource](https://kubernetes.io/docs/concepts/services-networking/ingress/), using a [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) to store the controller configuration.
 
@@ -26,7 +26,7 @@ Its important because until now, a default install of the Ingress-NGINX controll
 
 On clusters with more than one instance of the Ingress-NGINX controller, all instances of the controllers must be aware of which Ingress objects they serve. The `ingressClassName` field of an Ingress is the way to let the controller know about that. 
 
-```
+```console
 kubectl explain ingressclass                                                           
 ```
 ```
@@ -67,7 +67,9 @@ FIELDS:
 
 There are 2 reasons primarily.
 
-_(Reason #1)_ Until K8s version 1.21, it was possible to create an Ingress resource using deprecated versions of the Ingress API, such as:
+### Reason #1
+
+Until K8s version 1.21, it was possible to create an Ingress resource using deprecated versions of the Ingress API, such as:
 
   - `extensions/v1beta1`
   - `networking.k8s.io/v1beta1`
@@ -76,7 +78,9 @@ You would get a message about deprecation, but the Ingress resource would get cr
 
 From K8s version 1.22 onwards, you can **only** access the Ingress API via the stable, `networking.k8s.io/v1` API. The reason is explained in the [official blog on deprecated ingress API versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/).
 
-_(Reason #2)_ if you are already using the Ingress-NGINX controller and then upgrade to K8s version v1.22 , there are several scenarios where your existing Ingress objects will not work how you expect. Read this FAQ to check which scenario matches your use case.
+### Reason #2
+
+If you are already using the Ingress-NGINX controller and then upgrade to K8s version v1.22 , there are several scenarios where your existing Ingress objects will not work how you expect. Read this FAQ to check which scenario matches your use case.
 
 ## What is ingressClassName field ?
 
@@ -85,7 +89,7 @@ _(Reason #2)_ if you are already using the Ingress-NGINX controller and then upg
 ```shell
 kubectl explain ingress.spec.ingressClassName
 ```
-```
+```console
 KIND:     Ingress
 VERSION:  networking.k8s.io/v1
 
@@ -112,7 +116,7 @@ The `.spec.ingressClassName` behavior has precedence over the deprecated `kubern
 
 - If you have only one instance of the Ingress-NGINX controller running in your cluster, and you still want to use IngressClass, you should add the annotation `ingressclass.kubernetes.io/is-default-class` in your IngressClass, so that any new Ingress objects will have this one as default IngressClass.
 
-In this case, you need to make your controller aware of the objects. If you have any Ingress objects that don't yet have either the [`.spec.ingressClassName`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) field set in their manifest, or the ingress annotation (`kubernetes.io/ingress.class`), then you should start your Ingress-NGINX controller with the flag `--watch-ingress-without-class=true`.
+In this case, you need to make your controller aware of the objects. If you have any Ingress objects that don't yet have either the [`.spec.ingressClassName`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) field set in their manifest, or the ingress annotation (`kubernetes.io/ingress.class`), then you should start your Ingress-NGINX controller with the flag [--watch-ingress-without-class=true](#what-is-the-flag-watch-ingress-without-class).
 
 You can configure your Helm chart installation's values file with `.controller.watchIngressWithoutClass: true`. 
 
@@ -130,7 +134,8 @@ metadata:
 spec:
   controller: k8s.io/ingress-nginx
 ```
-And add the value "spec.ingressClassName=nginx" in your Ingress objects
+
+And add the value `spec.ingressClassName=nginx` in your Ingress objects.
 
 
 ## I have multiple ingress objects in my cluster. What should I do ?
@@ -138,7 +143,7 @@ And add the value "spec.ingressClassName=nginx" in your Ingress objects
 
 
 ### What is the flag '--watch-ingress-without-class' ?
-- Its a flag that is passed,as an argument, to the `nginx-ingress-controller` executable. In the configuration, it looks like this ;
+- Its a flag that is passed,as an argument, to the `nginx-ingress-controller` executable. In the configuration, it looks like this:
 ```
 ...
 ...
@@ -209,7 +214,7 @@ If you start Ingress-Nginx B with the command line argument `--watch-ingress-wit
   ```
   helm repo update
   ```
-- Now, install an additional instance of the ingress-NGINX controller like this ;
+- Now, install an additional instance of the ingress-NGINX controller like this:
   ```
   helm install ingress-nginx-2 ingress-nginx/ingress-nginx  \
   --namespace ingress-nginx-2 \
diff --git a/docs/kubectl-plugin.md b/docs/kubectl-plugin.md
index 7f4205746..01be19f59 100644
--- a/docs/kubectl-plugin.md
+++ b/docs/kubectl-plugin.md
@@ -226,7 +226,9 @@ Use the `--service <service>` flag if your `ingress-nginx` `LoadBalancer` servic
 
 ### ingresses
 
-`kubectl ingress-nginx ingresses`, alternately `kubectl ingress-nginx ing`, shows a more detailed view of the ingress definitions in a namespace. Compare:
+`kubectl ingress-nginx ingresses`, alternately `kubectl ingress-nginx ing`, shows a more detailed view of the ingress definitions in a namespace.
+
+Compare:
 
 ```console
 $ kubectl get ingresses --all-namespaces
@@ -235,7 +237,7 @@ default     example-ingress1   testaddr.local,testaddr2.local   localhost   80
 default     test-ingress-2     *                                localhost   80      5d
 ```
 
-vs
+vs.
 
 ```console
 $ kubectl ingress-nginx ingresses --all-namespaces
@@ -272,7 +274,7 @@ Checking deployments...
       https://github.com/kubernetes/ingress-nginx/issues/3808
 ```
 
-to show the lints added **only** for a particular `ingress-nginx` release, use the `--from-version` and `--to-version` flags:
+To show the lints added **only** for a particular `ingress-nginx` release, use the `--from-version` and `--to-version` flags:
 
 ```console
 $ kubectl ingress-nginx lint --all-namespaces --verbose --from-version 0.24.0 --to-version 0.24.0
diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md
index 2bcc97dca..2e8684a8b 100644
--- a/docs/troubleshooting.md
+++ b/docs/troubleshooting.md
@@ -13,7 +13,7 @@ Do not move it without providing redirects.
 There are many ways to troubleshoot the ingress-controller. The following are basic troubleshooting
 methods to obtain more information.
 
-Check the Ingress Resource Events
+### Check the Ingress Resource Events
 
 ```console
 $ kubectl get ing -n <namespace-of-ingress-resource>
@@ -41,7 +41,7 @@ Events:
   Normal  UPDATE  58s   ingress-nginx-controller  Ingress default/cafe-ingress
 ```
 
-Check the Ingress Controller Logs
+### Check the Ingress Controller Logs
 
 ```console
 $ kubectl get pods -n <namespace-of-ingress-controller>
@@ -58,7 +58,7 @@ NGINX Ingress controller
 ....
 ```
 
-Check the Nginx Configuration
+### Check the Nginx Configuration
 
 ```console
 $ kubectl get pods -n <namespace-of-ingress-controller>
@@ -80,7 +80,7 @@ http {
 ....
 ```
 
-Check if used Services Exist
+### Check if used Services Exist
 
 ```console
 $ kubectl get svc --all-namespaces
@@ -130,14 +130,14 @@ Both authentications must work:
 
 **Service authentication**
 
-The Ingress controller needs information from apiserver. Therefore, authentication is required, which can be achieved in two different ways:
+The Ingress controller needs information from apiserver. Therefore, authentication is required, which can be achieved in a couple of ways:
 
-1. _Service Account:_ This is recommended, because nothing has to be configured. The Ingress controller will use information provided by the system to communicate with the API server. See 'Service Account' section for details.
+* _Service Account:_ This is recommended, because nothing has to be configured. The Ingress controller will use information provided by the system to communicate with the API server. See 'Service Account' section for details.
 
-2. _Kubeconfig file:_ In some Kubernetes environments service accounts are not available. In this case a manual configuration is required. The Ingress controller binary can be started with the `--kubeconfig` flag. The value of the flag is a path to a file specifying how to connect to the API server. Using the `--kubeconfig` does not requires the flag `--apiserver-host`.
+* _Kubeconfig file:_ In some Kubernetes environments service accounts are not available. In this case a manual configuration is required. The Ingress controller binary can be started with the `--kubeconfig` flag. The value of the flag is a path to a file specifying how to connect to the API server. Using the `--kubeconfig` does not requires the flag `--apiserver-host`.
    The format of the file is identical to `~/.kube/config` which is used by kubectl to connect to the API server. See 'kubeconfig' section for details.
 
-3. _Using the flag `--apiserver-host`:_ Using this flag `--apiserver-host=http://localhost:8080` it is possible to specify an unsecured API server or reach a remote kubernetes cluster using [kubectl proxy](https://kubernetes.io/docs/user-guide/kubectl/kubectl_proxy/).
+* _Using the flag `--apiserver-host`:_ Using this flag `--apiserver-host=http://localhost:8080` it is possible to specify an unsecured API server or reach a remote kubernetes cluster using [kubectl proxy](https://kubernetes.io/docs/user-guide/kubectl/kubectl_proxy/).
    Please do not use this approach in production.
 
 In the diagram below you can see the full authentication flow with all options, starting with the browser
@@ -247,72 +247,72 @@ Note: The below is based on the nginx [documentation](https://docs.nginx.com/ngi
 
 1. SSH into the worker
 
-```console
-$ ssh user@workerIP
-```
+    ```console
+    $ ssh user@workerIP
+    ```
 
 2. Obtain the Docker Container Running nginx
 
-```console
-$ docker ps | grep ingress-nginx-controller
-CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
-d9e1d243156a        k8s.gcr.io/ingress-nginx/controller   "/usr/bin/dumb-init …"   19 minutes ago      Up 19 minutes                                                                            k8s_ingress-nginx-controller_ingress-nginx-controller-67956bf89d-mqxzt_kube-system_079f31ec-aa37-11e8-ad39-080027a227db_0
-```
+    ```console
+    $ docker ps | grep ingress-nginx-controller
+    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
+    d9e1d243156a        k8s.gcr.io/ingress-nginx/controller   "/usr/bin/dumb-init …"   19 minutes ago      Up 19 minutes                                                                            k8s_ingress-nginx-controller_ingress-nginx-controller-67956bf89d-mqxzt_kube-system_079f31ec-aa37-11e8-ad39-080027a227db_0
+    ```
 
 3. Exec into the container
 
-```console
-$ docker exec -it --user=0 --privileged d9e1d243156a bash
-```
+    ```console
+    $ docker exec -it --user=0 --privileged d9e1d243156a bash
+    ```
 
 4. Make sure nginx is running in `--with-debug`
 
-```console
-$ nginx -V 2>&1 | grep -- '--with-debug'
-```
+    ```console
+    $ nginx -V 2>&1 | grep -- '--with-debug'
+    ```
 
 5. Get list of processes running on container
 
-```console
-$ ps -ef
-UID        PID  PPID  C STIME TTY          TIME CMD
-root         1     0  0 20:23 ?        00:00:00 /usr/bin/dumb-init /nginx-ingres
-root         5     1  0 20:23 ?        00:00:05 /ingress-nginx-controller --defa
-root        21     5  0 20:23 ?        00:00:00 nginx: master process /usr/sbin/
-nobody     106    21  0 20:23 ?        00:00:00 nginx: worker process
-nobody     107    21  0 20:23 ?        00:00:00 nginx: worker process
-root       172     0  0 20:43 pts/0    00:00:00 bash
-```
+    ```console
+    $ ps -ef
+    UID        PID  PPID  C STIME TTY          TIME CMD
+    root         1     0  0 20:23 ?        00:00:00 /usr/bin/dumb-init /nginx-ingres
+    root         5     1  0 20:23 ?        00:00:05 /ingress-nginx-controller --defa
+    root        21     5  0 20:23 ?        00:00:00 nginx: master process /usr/sbin/
+    nobody     106    21  0 20:23 ?        00:00:00 nginx: worker process
+    nobody     107    21  0 20:23 ?        00:00:00 nginx: worker process
+    root       172     0  0 20:43 pts/0    00:00:00 bash
+    ```
 
-7. Attach gdb to the nginx master process
+6. Attach gdb to the nginx master process
 
-```console
-$ gdb -p 21
-....
-Attaching to process 21
-Reading symbols from /usr/sbin/nginx...done.
-....
-(gdb)
-```
+    ```console
+    $ gdb -p 21
+    ....
+    Attaching to process 21
+    Reading symbols from /usr/sbin/nginx...done.
+    ....
+    (gdb)
+    ```
 
-8. Copy and paste the following:
+7. Copy and paste the following:
 
-```console
-set $cd = ngx_cycle->config_dump
-set $nelts = $cd.nelts
-set $elts = (ngx_conf_dump_t*)($cd.elts)
-while ($nelts-- > 0)
-set $name = $elts[$nelts]->name.data
-printf "Dumping %s to nginx_conf.txt\n", $name
-append memory nginx_conf.txt \
-        $elts[$nelts]->buffer.start $elts[$nelts]->buffer.end
-end
-```
+    ```console
+    set $cd = ngx_cycle->config_dump
+    set $nelts = $cd.nelts
+    set $elts = (ngx_conf_dump_t*)($cd.elts)
+    while ($nelts-- > 0)
+    set $name = $elts[$nelts]->name.data
+    printf "Dumping %s to nginx_conf.txt\n", $name
+    append memory nginx_conf.txt \
+            $elts[$nelts]->buffer.start $elts[$nelts]->buffer.end
+    end
+    ```
 
-9. Quit GDB by pressing CTRL+D
+8. Quit GDB by pressing CTRL+D
 
-10. Open nginx_conf.txt
+9. Open nginx_conf.txt
 
-```console
-cat nginx_conf.txt
-```
+    ```console
+    cat nginx_conf.txt
+    ```
diff --git a/docs/user-guide/default-backend.md b/docs/user-guide/default-backend.md
index d57b89323..f15561086 100644
--- a/docs/user-guide/default-backend.md
+++ b/docs/user-guide/default-backend.md
@@ -1,6 +1,6 @@
 # Default backend
 
-The default backend is a service which handles all URL paths and hosts the nginx controller doesn't understand
+The default backend is a service which handles all URL paths and hosts the Ingress-NGINX controller doesn't understand
 (i.e., all the requests that are not mapped with an Ingress).
 
 Basically a default backend exposes two URLs:
diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md
index 05d6a3f87..7d86260f0 100644
--- a/docs/user-guide/monitoring.md
+++ b/docs/user-guide/monitoring.md
@@ -22,11 +22,11 @@ This tutorial will show you how to install [Prometheus](https://prometheus.io/)
   --set-string controller.podAnnotations."prometheus\.io/scrape"="true" \
   --set-string controller.podAnnotations."prometheus\.io/port"="10254"
   ```
-  - You can validate that the controller is configured for metrics by looking at the values of the installed release, like this ;
+  - You can validate that the controller is configured for metrics by looking at the values of the installed release, like this:
   ```
   helm get values ingress-controller --namespace ingress-nginx
   ```
-  - You should be able to see the values shown below ;
+  - You should be able to see the values shown below:
   ```
   ..
   controller:
diff --git a/docs/user-guide/multiple-ingress.md b/docs/user-guide/multiple-ingress.md
index f13574044..83eeb3f48 100644
--- a/docs/user-guide/multiple-ingress.md
+++ b/docs/user-guide/multiple-ingress.md
@@ -82,7 +82,7 @@ metadata:
     kubernetes.io/ingress.class: "gce"
 ```
 
-will target the GCE controller, forcing the nginx controller to ignore it, while an annotation like
+will target the GCE controller, forcing the Ingress-NGINX controller to ignore it, while an annotation like:
 
 ```yaml
 metadata:
@@ -91,7 +91,7 @@ metadata:
     kubernetes.io/ingress.class: "nginx"
 ```
 
-will target the nginx controller, forcing the GCE controller to ignore it.
+will target the Ingress-NGINX controller, forcing the GCE controller to ignore it.
 
 You can change the value "nginx" to something else by setting the `--ingress-class` flag:
 
diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index d35a19b1a..b48cc1028 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -221,7 +221,7 @@ Enables the return of the header Server from the backend instead of the generic
 
 ## allow-snippet-annotations
 
-Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `true`;
+Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `true`
 
 Warning: We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this 
 may allow a user to add restricted configurations to the final nginx.conf file
diff --git a/docs/user-guide/third-party-addons/opentracing.md b/docs/user-guide/third-party-addons/opentracing.md
index 27c64e300..468be24f7 100644
--- a/docs/user-guide/third-party-addons/opentracing.md
+++ b/docs/user-guide/third-party-addons/opentracing.md
@@ -140,7 +140,7 @@ kubectl create -f https://raw.githubusercontent.com/rnburn/zipkin-date-server/ma
 kubectl create -f https://raw.githubusercontent.com/rnburn/zipkin-date-server/master/kubernetes/deployment.yaml
 ```
 
-Also we need to configure the NGINX controller ConfigMap with the required values:
+Also we need to configure the Ingress-NGINX controller ConfigMap with the required values:
 
 ```
 $ echo '

From 0e5d4ad425cf519f7c674a16b9e8bda523b2566e Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Sun, 16 Jan 2022 22:25:28 -0300
Subject: [PATCH 294/376] Automatically generate helm docs (#8151)

---
 .github/workflows/ci.yaml        |  7 -------
 .github/workflows/helm.yaml      | 20 ++++++++++++++++++++
 charts/ingress-nginx/values.yaml |  2 +-
 3 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 0d9ba2ad2..62843b1d7 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -137,13 +137,6 @@ jobs:
         run: |
           ./build/run-in-docker.sh ./hack/verify-chart-lint.sh
 
-      - name: Run helm-docs
-        run: |
-          GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.6.0
-          ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts
-          git diff --exit-code
-          rm -f ./helm-docs
-
       - name: fix permissions
         run: |
           sudo mkdir -p $HOME/.kube
diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml
index a99fcfaa6..7545e5d66 100644
--- a/.github/workflows/helm.yaml
+++ b/.github/workflows/helm.yaml
@@ -56,6 +56,26 @@ jobs:
         run: |
           git config --global user.name "$GITHUB_ACTOR"
           git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
+      
+      - name: Set up Go 1.17
+        id: go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17
+
+      - name: Run helm-docs
+        run: |
+          cd ${GITHUB_WORKSPACE}
+          GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.6.0
+          ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts
+          git diff --exit-code ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md
+          if [ $? -ne 0 ]; then
+             git add ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md
+             git commit -m "Update helm README"
+             git push --quiet https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git main > /dev/null 2>&1 
+          fi
+          rm ./helm-docs
+
 
       - name: Run chart-releaser
         uses: helm/chart-releaser-action@v1.2.1
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index d30c170b6..778951098 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -34,7 +34,7 @@ controller:
   # -- Configures the controller container name
   containerName: controller
 
-  # -- Configures the ports the nginx-controller listens on
+  # -- Configures the ports that the nginx-controller listens on
   containerPort:
     http: 80
     https: 443

From 2db580a51385c26a356ace9b511d0878955c5444 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Sun, 16 Jan 2022 22:49:11 -0300
Subject: [PATCH 295/376] fix helmdoc push shell script (#8152)

---
 .github/workflows/helm.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml
index 7545e5d66..0dd718846 100644
--- a/.github/workflows/helm.yaml
+++ b/.github/workflows/helm.yaml
@@ -68,8 +68,8 @@ jobs:
           cd ${GITHUB_WORKSPACE}
           GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.6.0
           ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts
-          git diff --exit-code ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md
-          if [ $? -ne 0 ]; then
+          DIFF=$(git diff ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md)
+          if [ ! -z "$DIFF" ]; then
              git add ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md
              git commit -m "Update helm README"
              git push --quiet https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git main > /dev/null 2>&1 

From 51fa86e690c25433af02783d232289e6206b5a37 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Sun, 16 Jan 2022 22:52:10 -0300
Subject: [PATCH 296/376] Trigger new helmdoc generation

---
 charts/ingress-nginx/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 778951098..4e7e6ade1 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -42,7 +42,7 @@ controller:
   # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
   config: {}
 
-  # -- Annotations to be added to the controller config configuration configmap
+  # -- Annotations to be added to the controller config configuration configmap.
   configAnnotations: {}
 
   # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers

From c667cf083b53829c876f877585e8fa00cabc633f Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Sun, 16 Jan 2022 22:59:36 -0300
Subject: [PATCH 297/376] Last attempt to fix helm docs (#8153)

---
 .github/workflows/helm.yaml      | 4 +++-
 charts/ingress-nginx/values.yaml | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml
index 0dd718846..1134a66f0 100644
--- a/.github/workflows/helm.yaml
+++ b/.github/workflows/helm.yaml
@@ -64,6 +64,8 @@ jobs:
           go-version: 1.17
 
       - name: Run helm-docs
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
         run: |
           cd ${GITHUB_WORKSPACE}
           GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.6.0
@@ -72,7 +74,7 @@ jobs:
           if [ ! -z "$DIFF" ]; then
              git add ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md
              git commit -m "Update helm README"
-             git push --quiet https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git main > /dev/null 2>&1 
+             git push --force https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git main  
           fi
           rm ./helm-docs
 
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 4e7e6ade1..bddd1eb5c 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -71,7 +71,7 @@ controller:
   # Defaults to false
   watchIngressWithoutClass: false
 
-  # -- Process IngressClass per name (additionally as per spec.controller)
+  # -- Process IngressClass per name (additionally as per spec.controller).
   ingressClassByName: false
 
   # -- This configuration defines if Ingress Controller should allow users to set

From cce04fca486f81b5107a720e3b2d36f1b7a820b2 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Mon, 17 Jan 2022 10:09:30 -0300
Subject: [PATCH 298/376] Rollback on helmdoc generation (#8154)

---
 .github/workflows/helm.yaml | 22 ----------------------
 1 file changed, 22 deletions(-)

diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml
index 1134a66f0..b0adb644e 100644
--- a/.github/workflows/helm.yaml
+++ b/.github/workflows/helm.yaml
@@ -57,28 +57,6 @@ jobs:
           git config --global user.name "$GITHUB_ACTOR"
           git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
       
-      - name: Set up Go 1.17
-        id: go
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.17
-
-      - name: Run helm-docs
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-        run: |
-          cd ${GITHUB_WORKSPACE}
-          GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.6.0
-          ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts
-          DIFF=$(git diff ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md)
-          if [ ! -z "$DIFF" ]; then
-             git add ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md
-             git commit -m "Update helm README"
-             git push --force https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git main  
-          fi
-          rm ./helm-docs
-
-
       - name: Run chart-releaser
         uses: helm/chart-releaser-action@v1.2.1
         env:

From 4badf201733f5a693289df56b5301eb0ba29d00f Mon Sep 17 00:00:00 2001
From: Marc Portabella Clotet
 <56038098+marcportabellaclotet-mt@users.noreply.github.com>
Date: Tue, 18 Jan 2022 00:16:49 +0100
Subject: [PATCH 299/376] #7271 feat:
 avoid-pdb-creation-when-default-backend-disabled-and-replicas-gt-1 (#8155)

* feat: avoid-pdb-creation-when-default-backend-disabled-and-replicas-gt-1

* fix: added-eol

* feat: avoid-pdb-creation-when-default-backend-disabled-and-replicas-gt-1

* fix: added-eol
---
 .../templates/default-backend-poddisruptionbudget.yaml          | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
index 3a6e8ebde..00891cee5 100644
--- a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
+++ b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.defaultBackend.enabled -}}
 {{- if or (gt (.Values.defaultBackend.replicaCount | int) 1) (gt (.Values.defaultBackend.autoscaling.minReplicas | int) 1) }}
 apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }}
 kind: PodDisruptionBudget
@@ -17,3 +18,4 @@ spec:
       app.kubernetes.io/component: default-backend
   minAvailable: {{ .Values.defaultBackend.minAvailable }}
 {{- end }}
+{{- end }}

From 2aa34202c1ae42fc689cc6980817aedc80b75229 Mon Sep 17 00:00:00 2001
From: Aditya Kamath <theunrealgeek@gmail.com>
Date: Mon, 17 Jan 2022 15:24:49 -0800
Subject: [PATCH 300/376] Allow to configure delay before controller exits
 (#8143)

* Allow to configure delay before controller exits

Signed-off-by: Aditya Kamath <theunrealgeek@gmail.com>

* Address comments

Signed-off-by: Aditya Kamath <theunrealgeek@gmail.com>
---
 cmd/nginx/flags.go                        | 3 +++
 cmd/nginx/main.go                         | 8 ++++----
 cmd/nginx/main_test.go                    | 2 +-
 docs/user-guide/cli-arguments.md          | 1 +
 internal/ingress/controller/controller.go | 3 ++-
 5 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/cmd/nginx/flags.go b/cmd/nginx/flags.go
index f9d6702fe..f620690b5 100644
--- a/cmd/nginx/flags.go
+++ b/cmd/nginx/flags.go
@@ -197,6 +197,8 @@ Takes the form "<host>:port". If not provided, no admission controller is starte
 		statusUpdateInterval = flags.Int("status-update-interval", status.UpdateInterval, "Time interval in seconds in which the status should check if an update is required. Default is 60 seconds")
 
 		shutdownGracePeriod = flags.Int("shutdown-grace-period", 0, "Seconds to wait after receiving the shutdown signal, before stopping the nginx process.")
+
+		postShutdownGracePeriod = flags.Int("post-shutdown-grace-period", 10, "Seconds to wait after the nginx process has stopped before controller exits.")
 	)
 
 	flags.StringVar(&nginx.MaxmindMirror, "maxmind-mirror", "", `Maxmind mirror url (example: http://geoip.local/databases`)
@@ -321,6 +323,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g
 		PublishStatusAddress:       *publishStatusAddress,
 		UpdateStatusOnShutdown:     *updateStatusOnShutdown,
 		ShutdownGracePeriod:        *shutdownGracePeriod,
+		PostShutdownGracePeriod:    *postShutdownGracePeriod,
 		UseNodeInternalIP:          *useNodeInternalIP,
 		SyncRateLimit:              *syncRateLimit,
 		HealthCheckHost:            *healthzHost,
diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go
index cbfca547c..7293e6b10 100644
--- a/cmd/nginx/main.go
+++ b/cmd/nginx/main.go
@@ -155,14 +155,14 @@ func main() {
 	go startHTTPServer(conf.HealthCheckHost, conf.ListenPorts.Health, mux)
 	go ngx.Start()
 
-	handleSigterm(ngx, func(code int) {
+	handleSigterm(ngx, conf.PostShutdownGracePeriod, func(code int) {
 		os.Exit(code)
 	})
 }
 
 type exiter func(code int)
 
-func handleSigterm(ngx *controller.NGINXController, exit exiter) {
+func handleSigterm(ngx *controller.NGINXController, delay int, exit exiter) {
 	signalChan := make(chan os.Signal, 1)
 	signal.Notify(signalChan, syscall.SIGTERM)
 	<-signalChan
@@ -174,8 +174,8 @@ func handleSigterm(ngx *controller.NGINXController, exit exiter) {
 		exitCode = 1
 	}
 
-	klog.InfoS("Handled quit, awaiting Pod deletion")
-	time.Sleep(10 * time.Second)
+	klog.Infof("Handled quit, delaying controller exit for %d seconds", delay)
+	time.Sleep(time.Duration(delay) * time.Second)
 
 	klog.InfoS("Exiting", "code", exitCode)
 	exit(exitCode)
diff --git a/cmd/nginx/main_test.go b/cmd/nginx/main_test.go
index e6d24b301..2a29953ad 100644
--- a/cmd/nginx/main_test.go
+++ b/cmd/nginx/main_test.go
@@ -105,7 +105,7 @@ func TestHandleSigterm(t *testing.T) {
 
 	ngx := controller.NewNGINXController(conf, nil)
 
-	go handleSigterm(ngx, func(code int) {
+	go handleSigterm(ngx, 10, func(code int) {
 		if code != 1 {
 			t.Errorf("Expected exit code 1 but %d received", code)
 		}
diff --git a/docs/user-guide/cli-arguments.md b/docs/user-guide/cli-arguments.md
index bbf06b720..b9cd0c564 100644
--- a/docs/user-guide/cli-arguments.md
+++ b/docs/user-guide/cli-arguments.md
@@ -40,6 +40,7 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment
 | `--maxmind-retries-count`          | Number of attempts to download the GeoIP DB. (default 1) |
 | `--maxmind-license-key`            | Maxmind license key to download GeoLite2 Databases. https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases |
 | `--metrics-per-host`               | Export metrics per-host (default true) |
+| `--post-shutdown-grace-period`     | Additional delay in seconds before controller container exits. (default 10) |
 | `--profiler-port`                  | Port to use for expose the ingress controller Go profiler when it is enabled. (default 10245) |
 | `--profiling`                      | Enable profiling via web interface host:port/debug/pprof/ (default true) |
 | `--publish-service`                | Service fronting the Ingress controller. Takes the form "namespace/name". When used together with update-status, the controller mirrors the address of this service's endpoints to the load-balancer status of all Ingress objects it satisfies. |
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index a4ae4217c..48a91b67b 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -118,7 +118,8 @@ type Configuration struct {
 
 	MonitorMaxBatchSize int
 
-	ShutdownGracePeriod int
+	PostShutdownGracePeriod int
+	ShutdownGracePeriod     int
 }
 
 // GetPublishService returns the Service used to set the load-balancer status of Ingresses.

From a665a409da87028896dbb3d8dfc78cf8a154e275 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arthur=20Woimb=C3=A9e?= <arthur.woimbee@gmail.com>
Date: Tue, 18 Jan 2022 00:28:49 +0100
Subject: [PATCH 301/376] helm: ServiceMonitor: sane default namespaceSelector
 (#7998)

* helm: service-monitor: sane default namespaceSelector

* chart version bump (4.0.16)
---
 charts/ingress-nginx/Chart.yaml                               | 2 +-
 charts/ingress-nginx/templates/controller-servicemonitor.yaml | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 961efc061..4d48ca0c3 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.0.15
+version: 4.0.16
 appVersion: 1.1.1
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
diff --git a/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/charts/ingress-nginx/templates/controller-servicemonitor.yaml
index 3e602d44d..74abe43a3 100644
--- a/charts/ingress-nginx/templates/controller-servicemonitor.yaml
+++ b/charts/ingress-nginx/templates/controller-servicemonitor.yaml
@@ -30,6 +30,10 @@ spec:
 {{- end }}
 {{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }}
   namespaceSelector: {{ toYaml .Values.controller.metrics.serviceMonitor.namespaceSelector | nindent 4 }}
+{{- else }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
 {{- end }}
 {{- if .Values.controller.metrics.serviceMonitor.targetLabels }}
   targetLabels:

From d16e0dec4865cbd5b937dbffb957423c308331c5 Mon Sep 17 00:00:00 2001
From: Alastair Firth <afirth@users.noreply.github.com>
Date: Tue, 18 Jan 2022 00:28:56 +0100
Subject: [PATCH 302/376] Static manifest generation uses kustomize instead of
 python (#8099)

* regenerate at 4.0.12

* bash for loop and static values files

* add .tool-versions

* fixup static manifests with kustomize instead of python

* remove spec.replicas where set

* generate manifests for all supported versions

* update docs

* remove all versions except default (1.20) for now

* update to 1.1.1/4.0.15
---
 RELEASE.md                                    |   61 +-
 deploy/static/provider/aws/deploy.yaml        | 1090 ++++++++--------
 .../deploy.yaml}                              | 1112 ++++++++--------
 .../kustomization.yaml                        |   11 +
 deploy/static/provider/baremetal/deploy.yaml  | 1096 ++++++++--------
 deploy/static/provider/cloud/deploy.yaml      | 1098 ++++++++--------
 deploy/static/provider/do/deploy.yaml         | 1094 ++++++++--------
 deploy/static/provider/exoscale/deploy.yaml   | 1090 ++++++++--------
 deploy/static/provider/kind/deploy.yaml       | 1114 ++++++++---------
 deploy/static/provider/scw/deploy.yaml        | 1092 ++++++++--------
 docs/deploy/index.md                          |   20 +-
 hack/.tool-versions                           |    2 +
 hack/generate-deploy-scripts.sh               |  227 +---
 .../common/kustomization.yaml                 |   14 +
 hack/manifest-templates/common/namespace.yaml |    7 +
 .../provider/aws/kustomization.yaml           |    4 +
 .../kustomization.yaml                        |    4 +
 .../aws/nlb-with-tls-termination/values.yaml  |   36 +
 .../provider/aws/values.yaml                  |    9 +
 .../provider/baremetal/kustomization.yaml     |    4 +
 .../provider/baremetal/values.yaml            |    7 +
 .../provider/cloud/kustomization.yaml         |    4 +
 .../provider/cloud/values.yaml                |    4 +
 .../provider/do/kustomization.yaml            |    4 +
 .../provider/do/values.yaml                   |   11 +
 .../provider/exoscale/kustomization.yaml      |    4 +
 .../provider/exoscale/values.yaml             |   17 +
 .../provider/kind/kustomization.yaml          |    4 +
 .../provider/kind/values.yaml                 |   24 +
 .../provider/scw/kustomization.yaml           |    4 +
 .../provider/scw/values.yaml                  |    9 +
 .../static-kustomization-template.yaml        |   11 +
 32 files changed, 4566 insertions(+), 4722 deletions(-)
 rename deploy/static/provider/aws/{deploy-tls-termination.yaml => nlb-with-tls-termination/deploy.yaml} (55%)
 create mode 100644 deploy/static/provider/aws/nlb-with-tls-termination/kustomization.yaml
 create mode 100644 hack/.tool-versions
 create mode 100644 hack/manifest-templates/common/kustomization.yaml
 create mode 100644 hack/manifest-templates/common/namespace.yaml
 create mode 100644 hack/manifest-templates/provider/aws/kustomization.yaml
 create mode 100644 hack/manifest-templates/provider/aws/nlb-with-tls-termination/kustomization.yaml
 create mode 100644 hack/manifest-templates/provider/aws/nlb-with-tls-termination/values.yaml
 create mode 100644 hack/manifest-templates/provider/aws/values.yaml
 create mode 100644 hack/manifest-templates/provider/baremetal/kustomization.yaml
 create mode 100644 hack/manifest-templates/provider/baremetal/values.yaml
 create mode 100644 hack/manifest-templates/provider/cloud/kustomization.yaml
 create mode 100644 hack/manifest-templates/provider/cloud/values.yaml
 create mode 100644 hack/manifest-templates/provider/do/kustomization.yaml
 create mode 100644 hack/manifest-templates/provider/do/values.yaml
 create mode 100644 hack/manifest-templates/provider/exoscale/kustomization.yaml
 create mode 100644 hack/manifest-templates/provider/exoscale/values.yaml
 create mode 100644 hack/manifest-templates/provider/kind/kustomization.yaml
 create mode 100644 hack/manifest-templates/provider/kind/values.yaml
 create mode 100644 hack/manifest-templates/provider/scw/kustomization.yaml
 create mode 100644 hack/manifest-templates/provider/scw/values.yaml
 create mode 100644 hack/manifest-templates/static-kustomization-template.yaml

diff --git a/RELEASE.md b/RELEASE.md
index 4396c20fc..74fd3f1e4 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -1,6 +1,6 @@
 # RELEASE PROCESS
 
-## 1. BUILD the new Ingress-Nginx-Controller image 
+## 1. BUILD the new Ingress-Nginx-Controller image
 
 ### a. Make changes in codebase
 
@@ -8,7 +8,7 @@
 
 ### b. Make changes to appropriate files in [images directory ](images)
 
-- Make changes in /images 
+- Make changes in /images
 
 ### c. Create Pull Request
 
@@ -18,7 +18,7 @@
 
   - Example [NGINX_VERSION](images/nginx/rootfs/build.sh#L21), [SHA256](images/nginx/rootfs/build.sh#L124).
 
-  - If you are updating any component in [build.sh](images/nginx/rootfs/build.sh) please also update the SHA256 checksum of that component as well, the cloud build will fail with an exit 10 if not.  
+  - If you are updating any component in [build.sh](images/nginx/rootfs/build.sh) please also update the SHA256 checksum of that component as well, the cloud build will fail with an exit 10 if not.
 
 ### d. Merge
 
@@ -26,7 +26,7 @@
 
 ### e. Make sure cloudbuild is a success
 
-- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx). If you don't have access to cloudbuild, you can also have a look at [this](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), to see the progress of the build. 
+- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx). If you don't have access to cloudbuild, you can also have a look at [this](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), to see the progress of the build.
 
 - Proceed only after cloud-build is successful in building a new Ingress-Nginx-Controller image.
 
@@ -42,7 +42,7 @@
 ### b. Make changes to appropriate files in [images directory ](images)
 
 - Sometimes, you may also be needing to rebuild, images for one or multiple other related components of the Ingress-Nginx-Controller ecosystem. Make changes to the required files in the /images directory, if/as applicable, in the context of the release you are attempting.  :
-   
+
   - [e2e](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e-image)
 
     - Update references to e2e-test-runner image [If applicable] :
@@ -72,24 +72,24 @@
 
 ### e. Make sure cloudbuild is a success
 
-- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx). If you don't have access to cloudbuild, you can also have a look at [this](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), to see the progress of the build. 
+- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx). If you don't have access to cloudbuild, you can also have a look at [this](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), to see the progress of the build.
 
 - Proceed only after cloud-build is successful in building a new Ingress-Nginx-Controller image.
 
 
 ## 3. PROMOTE the Image(s):
 
-Promoting the images basically means that images, that were pushed to staging container registry in the steps above, now are also pushed to the public container registry. Thus are publicly available. Follow these steps to promote images: 
+Promoting the images basically means that images, that were pushed to staging container registry in the steps above, now are also pushed to the public container registry. Thus are publicly available. Follow these steps to promote images:
 
 ### a. Get the sha
 
-- Get the sha of the new image(s) of the controller, (and any other component image IF APPLICABLE to release), from the cloudbuild, from steps above 
+- Get the sha of the new image(s) of the controller, (and any other component image IF APPLICABLE to release), from the cloudbuild, from steps above
 
   - The sha is available in output from [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx)
 
   - The sha is also visible here https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx/global/controller
 
-  - The sha is also visible [here]((https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*)), after cloud build is finished. Click on the respective job, go to `Artifacts` section in the UI, then again `artifacts` in the directory browser. In the `build.log` at the very bottom you see something like this: 
+  - The sha is also visible [here]((https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*)), after cloud build is finished. Click on the respective job, go to `Artifacts` section in the UI, then again `artifacts` in the directory browser. In the `build.log` at the very bottom you see something like this:
 
   ```
   ...
@@ -99,7 +99,7 @@ Promoting the images basically means that images, that were pushed to staging co
 
 ### b. Add the new image to [k8s.io](http://github.com/kubernetes/k8s.io)
 
-- The sha(s) from the step before (and the tag(s) for the new image(s) have to be added, as a new line, in a file, of the [k8s.io](http://github.com/kubernetes/k8s.io) project of Kubernetes organization. 
+- The sha(s) from the step before (and the tag(s) for the new image(s) have to be added, as a new line, in a file, of the [k8s.io](http://github.com/kubernetes/k8s.io) project of Kubernetes organization.
 
 - Fork that other project (if you don't have a fork already).
 
@@ -113,7 +113,7 @@ Promoting the images basically means that images, that were pushed to staging co
 
 - For making it easier, you can edit your branch directly in the browser. But be careful about making any mistake.
 
-- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml)  Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/2536) to see how it was done before 
+- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml)  Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/2536) to see how it was done before
 
 - Save and commit
 
@@ -130,13 +130,13 @@ Promoting the images basically means that images, that were pushed to staging co
 
 ## 4. PREPARE for a new Release
 
-- Make sure to get the tag and sha of the promoted image from the step before, either from cloudbuild or from [here](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/ingress-nginx/controller). 
+- Make sure to get the tag and sha of the promoted image from the step before, either from cloudbuild or from [here](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/ingress-nginx/controller).
 
 - This involves editing of several different files. So carefully follow the steps below and double check all changes with diff/grep etc., repeatedly. Mistakes here impact endusers.
 
 ### a. Make sure your git workspace is ready
 
-- Get your git workspace ready 
+- Get your git workspace ready
 
   - If not using a pre-existing fork, then Fork the repo kubernetes/ingress-nginx
 
@@ -165,7 +165,7 @@ Promoting the images basically means that images, that were pushed to staging co
     - appVersion
     - kubeVersion (**ONLY if applicable**)
     - annotations
-      - artifacthub.io/prerelease: "true" 
+      - artifacthub.io/prerelease: "true"
       - artifacthub.io/changes: |
         - Replace this line and other lines under this annotation with the Changelog. One process to generate the Changelog is described below
           - Install and configure github cli as per the docs of gh-cli  https://cli.github.com/,
@@ -230,41 +230,21 @@ Promoting the images basically means that images, that were pushed to staging co
 
   - Prepare to use a script to update the edit the static manifests and set the "image", "digest", "version" etc. fields to the desired value.
 
+  - This script depends on kustomize and helm. The versions are pinned in `hack/.tool-versions` and you can use [asdf](https://github.com/asdf-vm/asdf#asdf) to install them
 
-  - This script depends on python and a specific python package `pip3 install ruamel.yaml`
+  - Execute the script to update static manifests using that script [hack/generate-deploy-scripts.sh](https://github.com/kubernetes/ingress-nginx/blob/main/hack/generate-deploy-scripts.sh)
 
-  - Execute the script to update static manifests using that script [generate-deploy-scripts.sh](https://github.com/kubernetes/ingress-nginx/blob/main/hack/generate-deploy-scripts.sh)
   - Open some of the manifests and check if the script worked properly
 
   - Use grep -ir to search for any misses by the script or undesired changes
 
   - The script should properly set the image and the digest fields to the desired tag and semver
 
-  - Manually fix one problem that the script can not take care of.
 
-    - This problem is wrong formatting of a snippet in the file [deploy-tls-termination.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/deploy/static/provider/aws/deploy-tls-termination.yaml)
-    - In the configMap section, for the configMap named ingress-nginx-controller, the "configMap.data" spec has a snippet
-
-    - This snippet becomes a single line, formatted with the newline character "\n"
-
-    - That single line formatted with "\n" needs to be changed as it does not meet yaml requirements
-
-    - At the time of writing this doc, the 'configMap.data' spec is at line number 39.
-
-    - So editing begins at line 40 (at the time of writing this doc)
-
-    - Make that snippet look like this ;
-      ```
-      data:
-        http-snippet:|
-          server{
-            listen 2443;
-            return 308 https://$host$request_uri;
-          }
-      ```
 
 ### f. Edit the changelog
-  [Changelog.md](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md) 
+
+  [Changelog.md](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md)
 - Each time a release is made, a new section is added to the Changelog.md file
 - A new section in the Changelog.md file consists of 3 components listed below
   - the "Image"
@@ -277,8 +257,9 @@ Promoting the images basically means that images, that were pushed to staging co
 - One process to generate this list of PRs is already described above in step 4c. So if you are following this document, then you have done this already and very likely have retained the file containing the list of PRs, in the format that is needed.
 
 ### g. Edit the Documentation:
+
 - Update the version in [docs/deploy/index.md](docs/deploy/index.md)
-- Update Supported versions in the Support Versions table in the README.md 
+- Update Supported versions in the Support Versions table in the README.md
 
 ### h. Edit stable.txt
 
@@ -294,7 +275,7 @@ Promoting the images basically means that images, that were pushed to staging co
 
 - Open PR for releasing the new version of the Ingress-Nginx-Controller ;
   - Look at this PR for how it was done before [example PR](https://github.com/kubernetes/ingress-nginx/pull/7490)
-  - Create a PR 
+  - Create a PR
 
 ### b. Merge
 
diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml
index e4856da9f..b74690c33 100644
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@@ -1,227 +1,249 @@
-
+#GENERATED FOR K8S 1.20
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: ingress-nginx
   labels:
-    app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
 ---
-# Source: ingress-nginx/templates/controller-serviceaccount.yaml
 apiVersion: v1
+automountServiceAccountToken: true
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
-automountServiceAccountToken: true
 ---
-# Source: ingress-nginx/templates/controller-configmap.yaml
 apiVersion: v1
-kind: ConfigMap
+kind: ServiceAccount
 metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
   namespace: ingress-nginx
-data:
-  allow-snippet-annotations: 'true'
 ---
-# Source: ingress-nginx/templates/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-  name: ingress-nginx
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-      - endpoints
-      - nodes
-      - pods
-      - secrets
-      - namespaces
-    verbs:
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - nodes
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
----
-# Source: ingress-nginx/templates/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-  name: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/controller-role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
-  - apiGroups:
-      - ''
-    resources:
-      - namespaces
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-      - pods
-      - secrets
-      - endpoints
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    resourceNames:
-      - ingress-controller-leader
-    verbs:
-      - get
-      - update
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    verbs:
-      - create
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
 ---
-# Source: ingress-nginx/templates/controller-rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -229,459 +251,413 @@ roleRef:
   kind: Role
   name: ingress-nginx
 subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: ingress-nginx
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
 ---
-# Source: ingress-nginx/templates/controller-service-webhook.yaml
-apiVersion: v1
-kind: Service
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller-admission
-  namespace: ingress-nginx
-spec:
-  type: ClusterIP
-  ports:
-    - name: https-webhook
-      port: 443
-      targetPort: webhook
-      appProtocol: https
-  selector:
     app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/component: controller
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
 ---
-# Source: ingress-nginx/templates/controller-service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   annotations:
     service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
-    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
+    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
-  type: LoadBalancer
   externalTrafficPolicy: Local
-  ipFamilyPolicy: SingleStack
   ipFamilies:
-    - IPv4
+  - IPv4
+  ipFamilyPolicy: SingleStack
   ports:
-    - name: http
-      port: 80
-      protocol: TCP
-      targetPort: http
-      appProtocol: http
-    - name: https
-      port: 443
-      protocol: TCP
-      targetPort: https
-      appProtocol: https
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
   selector:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
 ---
-# Source: ingress-nginx/templates/controller-deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
   selector:
     matchLabels:
-      app.kubernetes.io/name: ingress-nginx
-      app.kubernetes.io/instance: ingress-nginx
       app.kubernetes.io/component: controller
-  revisionHistoryLimit: 10
-  minReadySeconds: 0
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
     spec:
-      dnsPolicy: ClusterFirst
       containers:
-        - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
-          imagePullPolicy: IfNotPresent
-          lifecycle:
-            preStop:
-              exec:
-                command:
-                  - /wait-shutdown
-          args:
-            - /nginx-ingress-controller
-            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
-            - --election-id=ingress-controller-leader
-            - --controller-class=k8s.io/ingress-nginx
-            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
-            - --validating-webhook=:8443
-            - --validating-webhook-certificate=/usr/local/certificates/cert
-            - --validating-webhook-key=/usr/local/certificates/key
-          securityContext:
-            capabilities:
-              drop:
-                - ALL
-              add:
-                - NET_BIND_SERVICE
-            runAsUser: 101
-            allowPrivilegeEscalation: true
-          env:
-            - name: POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: LD_PRELOAD
-              value: /usr/local/lib/libmimalloc.so
-          livenessProbe:
-            failureThreshold: 5
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          readinessProbe:
-            failureThreshold: 3
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          ports:
-            - name: http
-              containerPort: 80
-              protocol: TCP
-            - name: https
-              containerPort: 443
-              protocol: TCP
-            - name: webhook
-              containerPort: 8443
-              protocol: TCP
-          volumeMounts:
-            - name: webhook-cert
-              mountPath: /usr/local/certificates/
-              readOnly: true
-          resources:
-            requests:
-              cpu: 100m
-              memory: 90Mi
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
       nodeSelector:
         kubernetes.io/os: linux
       serviceAccountName: ingress-nginx
       terminationGracePeriodSeconds: 300
       volumes:
-        - name: webhook-cert
-          secret:
-            secretName: ingress-nginx-admission
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
 ---
-# Source: ingress-nginx/templates/controller-ingressclass.yaml
-# We don't support namespaced ingressClass yet
-# So a ClusterRole and a ClusterRoleBinding is required
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: nginx
-  namespace: ingress-nginx
-spec:
-  controller: k8s.io/ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
-# before changing this value, check the required kubernetes version
-# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-  name: ingress-nginx-admission
-webhooks:
-  - name: validate.nginx.ingress.kubernetes.io
-    matchPolicy: Equivalent
-    rules:
-      - apiGroups:
-          - networking.k8s.io
-        apiVersions:
-          - v1
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - ingresses
-    failurePolicy: Fail
-    sideEffects: None
-    admissionReviewVersions:
-      - v1
-    clientConfig:
-      service:
-        namespace: ingress-nginx
-        name: ingress-nginx-controller-admission
-        path: /networking/v1/ingresses
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-rules:
-  - apiGroups:
-      - admissionregistration.k8s.io
-    resources:
-      - validatingwebhookconfigurations
-    verbs:
-      - get
-      - update
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - secrets
-    verbs:
-      - get
-      - create
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: ingress-nginx-admission-create
-  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
 spec:
   template:
     metadata:
-      name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.15
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.15
+      name: ingress-nginx-admission-create
     spec:
       containers:
-        - name: create
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-          imagePullPolicy: IfNotPresent
-          args:
-            - create
-            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
-            - --namespace=$(POD_NAMESPACE)
-            - --secret-name=ingress-nginx-admission
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
+      restartPolicy: OnFailure
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
 ---
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: ingress-nginx-admission-patch
-  namespace: ingress-nginx
   annotations:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
 spec:
   template:
     metadata:
-      name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.15
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.15
+      name: ingress-nginx-admission-patch
     spec:
       containers:
-        - name: patch
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-          imagePullPolicy: IfNotPresent
-          args:
-            - patch
-            - --webhook-name=ingress-nginx-admission
-            - --namespace=$(POD_NAMESPACE)
-            - --patch-mutating=false
-            - --secret-name=ingress-nginx-admission
-            - --patch-failure-policy=Fail
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
+      restartPolicy: OnFailure
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
similarity index 55%
rename from deploy/static/provider/aws/deploy-tls-termination.yaml
rename to deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
index 63c3b0a33..242624ef3 100644
--- a/deploy/static/provider/aws/deploy-tls-termination.yaml
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
@@ -1,234 +1,249 @@
-
+#GENERATED FOR K8S 1.20
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: ingress-nginx
   labels:
-    app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
 ---
-# Source: ingress-nginx/templates/controller-serviceaccount.yaml
 apiVersion: v1
+automountServiceAccountToken: true
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
-automountServiceAccountToken: true
 ---
-# Source: ingress-nginx/templates/controller-configmap.yaml
 apiVersion: v1
-kind: ConfigMap
+kind: ServiceAccount
 metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
   namespace: ingress-nginx
-data:
-  allow-snippet-annotations: 'true'
-  http-snippet: |
-    server{
-      listen 2443;
-      return 308 https://$host$request_uri;
-    }
-  proxy-real-ip-cidr: XXX.XXX.XXX/XX
-  use-forwarded-headers: 'true'
 ---
-# Source: ingress-nginx/templates/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-  name: ingress-nginx
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-      - endpoints
-      - nodes
-      - pods
-      - secrets
-      - namespaces
-    verbs:
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - nodes
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
----
-# Source: ingress-nginx/templates/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-  name: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/controller-role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
-  - apiGroups:
-      - ''
-    resources:
-      - namespaces
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-      - pods
-      - secrets
-      - endpoints
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    resourceNames:
-      - ingress-controller-leader
-    verbs:
-      - get
-      - update
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    verbs:
-      - create
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
 ---
-# Source: ingress-nginx/templates/controller-rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -236,464 +251,425 @@ roleRef:
   kind: Role
   name: ingress-nginx
 subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: ingress-nginx
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
 ---
-# Source: ingress-nginx/templates/controller-service-webhook.yaml
-apiVersion: v1
-kind: Service
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller-admission
-  namespace: ingress-nginx
-spec:
-  type: ClusterIP
-  ports:
-    - name: https-webhook
-      port: 443
-      targetPort: webhook
-      appProtocol: https
-  selector:
     app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/component: controller
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+  http-snippet: |
+    server {
+      listen 2443;
+      return 308 https://$host$request_uri;
+    }
+  proxy-real-ip-cidr: XXX.XXX.XXX/XX
+  use-forwarded-headers: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
 ---
-# Source: ingress-nginx/templates/controller-service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60'
-    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
+    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
+    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
     service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX
     service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
     service.beta.kubernetes.io/aws-load-balancer-type: nlb
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
-  type: LoadBalancer
   externalTrafficPolicy: Local
-  ipFamilyPolicy: SingleStack
   ipFamilies:
-    - IPv4
+  - IPv4
+  ipFamilyPolicy: SingleStack
   ports:
-    - name: http
-      port: 80
-      protocol: TCP
-      targetPort: tohttps
-      appProtocol: http
-    - name: https
-      port: 443
-      protocol: TCP
-      targetPort: http
-      appProtocol: https
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: tohttps
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: http
   selector:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
 ---
-# Source: ingress-nginx/templates/controller-deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
   selector:
     matchLabels:
-      app.kubernetes.io/name: ingress-nginx
-      app.kubernetes.io/instance: ingress-nginx
       app.kubernetes.io/component: controller
-  revisionHistoryLimit: 10
-  minReadySeconds: 0
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
     spec:
-      dnsPolicy: ClusterFirst
       containers:
-        - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
-          imagePullPolicy: IfNotPresent
-          lifecycle:
-            preStop:
-              exec:
-                command:
-                  - /wait-shutdown
-          args:
-            - /nginx-ingress-controller
-            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
-            - --election-id=ingress-controller-leader
-            - --controller-class=k8s.io/ingress-nginx
-            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
-            - --validating-webhook=:8443
-            - --validating-webhook-certificate=/usr/local/certificates/cert
-            - --validating-webhook-key=/usr/local/certificates/key
-          securityContext:
-            capabilities:
-              drop:
-                - ALL
-              add:
-                - NET_BIND_SERVICE
-            runAsUser: 101
-            allowPrivilegeEscalation: true
-          env:
-            - name: POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: LD_PRELOAD
-              value: /usr/local/lib/libmimalloc.so
-          livenessProbe:
-            failureThreshold: 5
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          readinessProbe:
-            failureThreshold: 3
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          ports:
-            - name: http
-              containerPort: 80
-              protocol: TCP
-            - name: https
-              containerPort: 80
-              protocol: TCP
-            - name: tohttps
-              containerPort: 2443
-              protocol: TCP
-            - name: webhook
-              containerPort: 8443
-              protocol: TCP
-          volumeMounts:
-            - name: webhook-cert
-              mountPath: /usr/local/certificates/
-              readOnly: true
-          resources:
-            requests:
-              cpu: 100m
-              memory: 90Mi
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 80
+          name: https
+          protocol: TCP
+        - containerPort: 2443
+          name: tohttps
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
       nodeSelector:
         kubernetes.io/os: linux
       serviceAccountName: ingress-nginx
       terminationGracePeriodSeconds: 300
       volumes:
-        - name: webhook-cert
-          secret:
-            secretName: ingress-nginx-admission
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
 ---
-# Source: ingress-nginx/templates/controller-ingressclass.yaml
-# We don't support namespaced ingressClass yet
-# So a ClusterRole and a ClusterRoleBinding is required
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: nginx
-  namespace: ingress-nginx
-spec:
-  controller: k8s.io/ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
-# before changing this value, check the required kubernetes version
-# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-  name: ingress-nginx-admission
-webhooks:
-  - name: validate.nginx.ingress.kubernetes.io
-    matchPolicy: Equivalent
-    rules:
-      - apiGroups:
-          - networking.k8s.io
-        apiVersions:
-          - v1
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - ingresses
-    failurePolicy: Fail
-    sideEffects: None
-    admissionReviewVersions:
-      - v1
-    clientConfig:
-      service:
-        namespace: ingress-nginx
-        name: ingress-nginx-controller-admission
-        path: /networking/v1/ingresses
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-rules:
-  - apiGroups:
-      - admissionregistration.k8s.io
-    resources:
-      - validatingwebhookconfigurations
-    verbs:
-      - get
-      - update
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - secrets
-    verbs:
-      - get
-      - create
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: ingress-nginx-admission-create
-  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
 spec:
   template:
     metadata:
-      name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.15
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.15
+      name: ingress-nginx-admission-create
     spec:
       containers:
-        - name: create
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-          imagePullPolicy: IfNotPresent
-          args:
-            - create
-            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
-            - --namespace=$(POD_NAMESPACE)
-            - --secret-name=ingress-nginx-admission
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
+      restartPolicy: OnFailure
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
 ---
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: ingress-nginx-admission-patch
-  namespace: ingress-nginx
   annotations:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
 spec:
   template:
     metadata:
-      name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.15
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.15
+      name: ingress-nginx-admission-patch
     spec:
       containers:
-        - name: patch
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-          imagePullPolicy: IfNotPresent
-          args:
-            - patch
-            - --webhook-name=ingress-nginx-admission
-            - --namespace=$(POD_NAMESPACE)
-            - --patch-mutating=false
-            - --secret-name=ingress-nginx-admission
-            - --patch-failure-policy=Fail
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
+      restartPolicy: OnFailure
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/kustomization.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/kustomization.yaml
new file mode 100644
index 000000000..ca2086ea9
--- /dev/null
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws/nlb-with-tls-termination?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml
index 900c34020..af3463951 100644
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@@ -1,227 +1,249 @@
-
+#GENERATED FOR K8S 1.20
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: ingress-nginx
   labels:
-    app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
 ---
-# Source: ingress-nginx/templates/controller-serviceaccount.yaml
 apiVersion: v1
+automountServiceAccountToken: true
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
-automountServiceAccountToken: true
 ---
-# Source: ingress-nginx/templates/controller-configmap.yaml
 apiVersion: v1
-kind: ConfigMap
+kind: ServiceAccount
 metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
   namespace: ingress-nginx
-data:
-  allow-snippet-annotations: 'true'
 ---
-# Source: ingress-nginx/templates/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-  name: ingress-nginx
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-      - endpoints
-      - nodes
-      - pods
-      - secrets
-      - namespaces
-    verbs:
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - nodes
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
----
-# Source: ingress-nginx/templates/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-  name: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/controller-role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
-  - apiGroups:
-      - ''
-    resources:
-      - namespaces
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-      - pods
-      - secrets
-      - endpoints
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    resourceNames:
-      - ingress-controller-leader
-    verbs:
-      - get
-      - update
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    verbs:
-      - create
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
 ---
-# Source: ingress-nginx/templates/controller-rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -229,454 +251,408 @@ roleRef:
   kind: Role
   name: ingress-nginx
 subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/controller-service-webhook.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller-admission
+- kind: ServiceAccount
+  name: ingress-nginx
   namespace: ingress-nginx
-spec:
-  type: ClusterIP
-  ports:
-    - name: https-webhook
-      port: 443
-      targetPort: webhook
-      appProtocol: https
-  selector:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/component: controller
 ---
-# Source: ingress-nginx/templates/controller-service.yaml
-apiVersion: v1
-kind: Service
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
 metadata:
   annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations: null
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
-  type: NodePort
-  ipFamilyPolicy: SingleStack
   ipFamilies:
-    - IPv4
+  - IPv4
+  ipFamilyPolicy: SingleStack
   ports:
-    - name: http
-      port: 80
-      protocol: TCP
-      targetPort: http
-      appProtocol: http
-    - name: https
-      port: 443
-      protocol: TCP
-      targetPort: https
-      appProtocol: https
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
   selector:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: NodePort
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
 ---
-# Source: ingress-nginx/templates/controller-deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
   selector:
     matchLabels:
-      app.kubernetes.io/name: ingress-nginx
-      app.kubernetes.io/instance: ingress-nginx
       app.kubernetes.io/component: controller
-  revisionHistoryLimit: 10
-  minReadySeconds: 0
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
     spec:
-      dnsPolicy: ClusterFirst
       containers:
-        - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
-          imagePullPolicy: IfNotPresent
-          lifecycle:
-            preStop:
-              exec:
-                command:
-                  - /wait-shutdown
-          args:
-            - /nginx-ingress-controller
-            - --election-id=ingress-controller-leader
-            - --controller-class=k8s.io/ingress-nginx
-            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
-            - --validating-webhook=:8443
-            - --validating-webhook-certificate=/usr/local/certificates/cert
-            - --validating-webhook-key=/usr/local/certificates/key
-          securityContext:
-            capabilities:
-              drop:
-                - ALL
-              add:
-                - NET_BIND_SERVICE
-            runAsUser: 101
-            allowPrivilegeEscalation: true
-          env:
-            - name: POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: LD_PRELOAD
-              value: /usr/local/lib/libmimalloc.so
-          livenessProbe:
-            failureThreshold: 5
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          readinessProbe:
-            failureThreshold: 3
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          ports:
-            - name: http
-              containerPort: 80
-              protocol: TCP
-            - name: https
-              containerPort: 443
-              protocol: TCP
-            - name: webhook
-              containerPort: 8443
-              protocol: TCP
-          volumeMounts:
-            - name: webhook-cert
-              mountPath: /usr/local/certificates/
-              readOnly: true
-          resources:
-            requests:
-              cpu: 100m
-              memory: 90Mi
+      - args:
+        - /nginx-ingress-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
       nodeSelector:
         kubernetes.io/os: linux
       serviceAccountName: ingress-nginx
       terminationGracePeriodSeconds: 300
       volumes:
-        - name: webhook-cert
-          secret:
-            secretName: ingress-nginx-admission
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
 ---
-# Source: ingress-nginx/templates/controller-ingressclass.yaml
-# We don't support namespaced ingressClass yet
-# So a ClusterRole and a ClusterRoleBinding is required
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: nginx
-  namespace: ingress-nginx
-spec:
-  controller: k8s.io/ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
-# before changing this value, check the required kubernetes version
-# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-  name: ingress-nginx-admission
-webhooks:
-  - name: validate.nginx.ingress.kubernetes.io
-    matchPolicy: Equivalent
-    rules:
-      - apiGroups:
-          - networking.k8s.io
-        apiVersions:
-          - v1
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - ingresses
-    failurePolicy: Fail
-    sideEffects: None
-    admissionReviewVersions:
-      - v1
-    clientConfig:
-      service:
-        namespace: ingress-nginx
-        name: ingress-nginx-controller-admission
-        path: /networking/v1/ingresses
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-rules:
-  - apiGroups:
-      - admissionregistration.k8s.io
-    resources:
-      - validatingwebhookconfigurations
-    verbs:
-      - get
-      - update
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - secrets
-    verbs:
-      - get
-      - create
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: ingress-nginx-admission-create
-  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
 spec:
   template:
     metadata:
-      name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.15
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.15
+      name: ingress-nginx-admission-create
     spec:
       containers:
-        - name: create
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-          imagePullPolicy: IfNotPresent
-          args:
-            - create
-            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
-            - --namespace=$(POD_NAMESPACE)
-            - --secret-name=ingress-nginx-admission
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
+      restartPolicy: OnFailure
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
 ---
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: ingress-nginx-admission-patch
-  namespace: ingress-nginx
   annotations:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
 spec:
   template:
     metadata:
-      name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.15
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.15
+      name: ingress-nginx-admission-patch
     spec:
       containers:
-        - name: patch
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-          imagePullPolicy: IfNotPresent
-          args:
-            - patch
-            - --webhook-name=ingress-nginx-admission
-            - --namespace=$(POD_NAMESPACE)
-            - --patch-mutating=false
-            - --secret-name=ingress-nginx-admission
-            - --patch-failure-policy=Fail
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
+      restartPolicy: OnFailure
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml
index 0e0852550..87f64383a 100644
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@@ -1,227 +1,249 @@
-
+#GENERATED FOR K8S 1.20
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: ingress-nginx
   labels:
-    app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
 ---
-# Source: ingress-nginx/templates/controller-serviceaccount.yaml
 apiVersion: v1
+automountServiceAccountToken: true
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
-automountServiceAccountToken: true
 ---
-# Source: ingress-nginx/templates/controller-configmap.yaml
 apiVersion: v1
-kind: ConfigMap
+kind: ServiceAccount
 metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
   namespace: ingress-nginx
-data:
-  allow-snippet-annotations: 'true'
 ---
-# Source: ingress-nginx/templates/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-  name: ingress-nginx
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-      - endpoints
-      - nodes
-      - pods
-      - secrets
-      - namespaces
-    verbs:
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - nodes
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
----
-# Source: ingress-nginx/templates/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-  name: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/controller-role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
-  - apiGroups:
-      - ''
-    resources:
-      - namespaces
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-      - pods
-      - secrets
-      - endpoints
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    resourceNames:
-      - ingress-controller-leader
-    verbs:
-      - get
-      - update
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    verbs:
-      - create
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
 ---
-# Source: ingress-nginx/templates/controller-rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -229,456 +251,410 @@ roleRef:
   kind: Role
   name: ingress-nginx
 subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/controller-service-webhook.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller-admission
+- kind: ServiceAccount
+  name: ingress-nginx
   namespace: ingress-nginx
-spec:
-  type: ClusterIP
-  ports:
-    - name: https-webhook
-      port: 443
-      targetPort: webhook
-      appProtocol: https
-  selector:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/component: controller
 ---
-# Source: ingress-nginx/templates/controller-service.yaml
-apiVersion: v1
-kind: Service
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
 metadata:
   annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations: null
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
-  type: LoadBalancer
   externalTrafficPolicy: Local
-  ipFamilyPolicy: SingleStack
   ipFamilies:
-    - IPv4
+  - IPv4
+  ipFamilyPolicy: SingleStack
   ports:
-    - name: http
-      port: 80
-      protocol: TCP
-      targetPort: http
-      appProtocol: http
-    - name: https
-      port: 443
-      protocol: TCP
-      targetPort: https
-      appProtocol: https
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
   selector:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
 ---
-# Source: ingress-nginx/templates/controller-deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
   selector:
     matchLabels:
-      app.kubernetes.io/name: ingress-nginx
-      app.kubernetes.io/instance: ingress-nginx
       app.kubernetes.io/component: controller
-  revisionHistoryLimit: 10
-  minReadySeconds: 0
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
     spec:
-      dnsPolicy: ClusterFirst
       containers:
-        - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
-          imagePullPolicy: IfNotPresent
-          lifecycle:
-            preStop:
-              exec:
-                command:
-                  - /wait-shutdown
-          args:
-            - /nginx-ingress-controller
-            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
-            - --election-id=ingress-controller-leader
-            - --controller-class=k8s.io/ingress-nginx
-            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
-            - --validating-webhook=:8443
-            - --validating-webhook-certificate=/usr/local/certificates/cert
-            - --validating-webhook-key=/usr/local/certificates/key
-          securityContext:
-            capabilities:
-              drop:
-                - ALL
-              add:
-                - NET_BIND_SERVICE
-            runAsUser: 101
-            allowPrivilegeEscalation: true
-          env:
-            - name: POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: LD_PRELOAD
-              value: /usr/local/lib/libmimalloc.so
-          livenessProbe:
-            failureThreshold: 5
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          readinessProbe:
-            failureThreshold: 3
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          ports:
-            - name: http
-              containerPort: 80
-              protocol: TCP
-            - name: https
-              containerPort: 443
-              protocol: TCP
-            - name: webhook
-              containerPort: 8443
-              protocol: TCP
-          volumeMounts:
-            - name: webhook-cert
-              mountPath: /usr/local/certificates/
-              readOnly: true
-          resources:
-            requests:
-              cpu: 100m
-              memory: 90Mi
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
       nodeSelector:
         kubernetes.io/os: linux
       serviceAccountName: ingress-nginx
       terminationGracePeriodSeconds: 300
       volumes:
-        - name: webhook-cert
-          secret:
-            secretName: ingress-nginx-admission
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
 ---
-# Source: ingress-nginx/templates/controller-ingressclass.yaml
-# We don't support namespaced ingressClass yet
-# So a ClusterRole and a ClusterRoleBinding is required
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: nginx
-  namespace: ingress-nginx
-spec:
-  controller: k8s.io/ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
-# before changing this value, check the required kubernetes version
-# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-  name: ingress-nginx-admission
-webhooks:
-  - name: validate.nginx.ingress.kubernetes.io
-    matchPolicy: Equivalent
-    rules:
-      - apiGroups:
-          - networking.k8s.io
-        apiVersions:
-          - v1
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - ingresses
-    failurePolicy: Fail
-    sideEffects: None
-    admissionReviewVersions:
-      - v1
-    clientConfig:
-      service:
-        namespace: ingress-nginx
-        name: ingress-nginx-controller-admission
-        path: /networking/v1/ingresses
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-rules:
-  - apiGroups:
-      - admissionregistration.k8s.io
-    resources:
-      - validatingwebhookconfigurations
-    verbs:
-      - get
-      - update
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - secrets
-    verbs:
-      - get
-      - create
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: ingress-nginx-admission-create
-  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
 spec:
   template:
     metadata:
-      name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.15
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.15
+      name: ingress-nginx-admission-create
     spec:
       containers:
-        - name: create
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-          imagePullPolicy: IfNotPresent
-          args:
-            - create
-            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
-            - --namespace=$(POD_NAMESPACE)
-            - --secret-name=ingress-nginx-admission
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
+      restartPolicy: OnFailure
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
 ---
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: ingress-nginx-admission-patch
-  namespace: ingress-nginx
   annotations:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
 spec:
   template:
     metadata:
-      name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.15
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.15
+      name: ingress-nginx-admission-patch
     spec:
       containers:
-        - name: patch
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-          imagePullPolicy: IfNotPresent
-          args:
-            - patch
-            - --webhook-name=ingress-nginx-admission
-            - --namespace=$(POD_NAMESPACE)
-            - --patch-mutating=false
-            - --secret-name=ingress-nginx-admission
-            - --patch-failure-policy=Fail
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
+      restartPolicy: OnFailure
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml
index d72cac794..6409fffde 100644
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@@ -1,228 +1,249 @@
-
+#GENERATED FOR K8S 1.20
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: ingress-nginx
   labels:
-    app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
 ---
-# Source: ingress-nginx/templates/controller-serviceaccount.yaml
 apiVersion: v1
+automountServiceAccountToken: true
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
-automountServiceAccountToken: true
 ---
-# Source: ingress-nginx/templates/controller-configmap.yaml
 apiVersion: v1
-kind: ConfigMap
+kind: ServiceAccount
 metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
   namespace: ingress-nginx
-data:
-  allow-snippet-annotations: 'true'
-  use-proxy-protocol: 'true'
 ---
-# Source: ingress-nginx/templates/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-  name: ingress-nginx
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-      - endpoints
-      - nodes
-      - pods
-      - secrets
-      - namespaces
-    verbs:
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - nodes
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
----
-# Source: ingress-nginx/templates/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-  name: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/controller-role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
-  - apiGroups:
-      - ''
-    resources:
-      - namespaces
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-      - pods
-      - secrets
-      - endpoints
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    resourceNames:
-      - ingress-controller-leader
-    verbs:
-      - get
-      - update
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    verbs:
-      - create
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
 ---
-# Source: ingress-nginx/templates/controller-rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -230,458 +251,413 @@ roleRef:
   kind: Role
   name: ingress-nginx
 subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: ingress-nginx
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
 ---
-# Source: ingress-nginx/templates/controller-service-webhook.yaml
-apiVersion: v1
-kind: Service
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller-admission
-  namespace: ingress-nginx
-spec:
-  type: ClusterIP
-  ports:
-    - name: https-webhook
-      port: 443
-      targetPort: webhook
-      appProtocol: https
-  selector:
     app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/component: controller
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+  use-proxy-protocol: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
 ---
-# Source: ingress-nginx/templates/controller-service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
+    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
-  type: LoadBalancer
   externalTrafficPolicy: Local
-  ipFamilyPolicy: SingleStack
   ipFamilies:
-    - IPv4
+  - IPv4
+  ipFamilyPolicy: SingleStack
   ports:
-    - name: http
-      port: 80
-      protocol: TCP
-      targetPort: http
-      appProtocol: http
-    - name: https
-      port: 443
-      protocol: TCP
-      targetPort: https
-      appProtocol: https
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
   selector:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
 ---
-# Source: ingress-nginx/templates/controller-deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
   selector:
     matchLabels:
-      app.kubernetes.io/name: ingress-nginx
-      app.kubernetes.io/instance: ingress-nginx
       app.kubernetes.io/component: controller
-  revisionHistoryLimit: 10
-  minReadySeconds: 0
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
     spec:
-      dnsPolicy: ClusterFirst
       containers:
-        - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
-          imagePullPolicy: IfNotPresent
-          lifecycle:
-            preStop:
-              exec:
-                command:
-                  - /wait-shutdown
-          args:
-            - /nginx-ingress-controller
-            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
-            - --election-id=ingress-controller-leader
-            - --controller-class=k8s.io/ingress-nginx
-            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
-            - --validating-webhook=:8443
-            - --validating-webhook-certificate=/usr/local/certificates/cert
-            - --validating-webhook-key=/usr/local/certificates/key
-          securityContext:
-            capabilities:
-              drop:
-                - ALL
-              add:
-                - NET_BIND_SERVICE
-            runAsUser: 101
-            allowPrivilegeEscalation: true
-          env:
-            - name: POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: LD_PRELOAD
-              value: /usr/local/lib/libmimalloc.so
-          livenessProbe:
-            failureThreshold: 5
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          readinessProbe:
-            failureThreshold: 3
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          ports:
-            - name: http
-              containerPort: 80
-              protocol: TCP
-            - name: https
-              containerPort: 443
-              protocol: TCP
-            - name: webhook
-              containerPort: 8443
-              protocol: TCP
-          volumeMounts:
-            - name: webhook-cert
-              mountPath: /usr/local/certificates/
-              readOnly: true
-          resources:
-            requests:
-              cpu: 100m
-              memory: 90Mi
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
       nodeSelector:
         kubernetes.io/os: linux
       serviceAccountName: ingress-nginx
       terminationGracePeriodSeconds: 300
       volumes:
-        - name: webhook-cert
-          secret:
-            secretName: ingress-nginx-admission
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
 ---
-# Source: ingress-nginx/templates/controller-ingressclass.yaml
-# We don't support namespaced ingressClass yet
-# So a ClusterRole and a ClusterRoleBinding is required
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: nginx
-  namespace: ingress-nginx
-spec:
-  controller: k8s.io/ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
-# before changing this value, check the required kubernetes version
-# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-  name: ingress-nginx-admission
-webhooks:
-  - name: validate.nginx.ingress.kubernetes.io
-    matchPolicy: Equivalent
-    rules:
-      - apiGroups:
-          - networking.k8s.io
-        apiVersions:
-          - v1
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - ingresses
-    failurePolicy: Fail
-    sideEffects: None
-    admissionReviewVersions:
-      - v1
-    clientConfig:
-      service:
-        namespace: ingress-nginx
-        name: ingress-nginx-controller-admission
-        path: /networking/v1/ingresses
-    timeoutSeconds: 29
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-rules:
-  - apiGroups:
-      - admissionregistration.k8s.io
-    resources:
-      - validatingwebhookconfigurations
-    verbs:
-      - get
-      - update
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - secrets
-    verbs:
-      - get
-      - create
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: ingress-nginx-admission-create
-  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
 spec:
   template:
     metadata:
-      name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.15
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.15
+      name: ingress-nginx-admission-create
     spec:
       containers:
-        - name: create
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-          imagePullPolicy: IfNotPresent
-          args:
-            - create
-            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
-            - --namespace=$(POD_NAMESPACE)
-            - --secret-name=ingress-nginx-admission
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
+      restartPolicy: OnFailure
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
 ---
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: ingress-nginx-admission-patch
-  namespace: ingress-nginx
   annotations:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
 spec:
   template:
     metadata:
-      name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.15
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.15
+      name: ingress-nginx-admission-patch
     spec:
       containers:
-        - name: patch
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-          imagePullPolicy: IfNotPresent
-          args:
-            - patch
-            - --webhook-name=ingress-nginx-admission
-            - --namespace=$(POD_NAMESPACE)
-            - --patch-mutating=false
-            - --secret-name=ingress-nginx-admission
-            - --patch-failure-policy=Fail
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
+      restartPolicy: OnFailure
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
+  timeoutSeconds: 29
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml
index 784993a92..ef0769852 100644
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@@ -1,227 +1,249 @@
-
+#GENERATED FOR K8S 1.20
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: ingress-nginx
   labels:
-    app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
 ---
-# Source: ingress-nginx/templates/controller-serviceaccount.yaml
 apiVersion: v1
+automountServiceAccountToken: true
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
-automountServiceAccountToken: true
 ---
-# Source: ingress-nginx/templates/controller-configmap.yaml
 apiVersion: v1
-kind: ConfigMap
+kind: ServiceAccount
 metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
   namespace: ingress-nginx
-data:
-  allow-snippet-annotations: 'true'
 ---
-# Source: ingress-nginx/templates/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-  name: ingress-nginx
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-      - endpoints
-      - nodes
-      - pods
-      - secrets
-      - namespaces
-    verbs:
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - nodes
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
----
-# Source: ingress-nginx/templates/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-  name: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/controller-role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
-  - apiGroups:
-      - ''
-    resources:
-      - namespaces
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-      - pods
-      - secrets
-      - endpoints
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    resourceNames:
-      - ingress-controller-leader
-    verbs:
-      - get
-      - update
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    verbs:
-      - create
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
 ---
-# Source: ingress-nginx/templates/controller-rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -229,36 +251,91 @@ roleRef:
   kind: Role
   name: ingress-nginx
 subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: ingress-nginx
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
 ---
-# Source: ingress-nginx/templates/controller-service-webhook.yaml
-apiVersion: v1
-kind: Service
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller-admission
-  namespace: ingress-nginx
-spec:
-  type: ClusterIP
-  ports:
-    - name: https-webhook
-      port: 443
-      targetPort: webhook
-      appProtocol: https
-  selector:
     app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/component: controller
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
 ---
-# Source: ingress-nginx/templates/controller-service.yaml
 apiVersion: v1
 kind: Service
 metadata:
@@ -268,426 +345,325 @@ metadata:
     service.beta.kubernetes.io/exoscale-loadbalancer-name: nginx-ingress-controller
     service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-interval: 10s
     service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-mode: http
-    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-retries: '1'
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-retries: "1"
     service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: 3s
     service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-uri: /
     service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
-  type: LoadBalancer
   externalTrafficPolicy: Local
-  ipFamilyPolicy: SingleStack
   ipFamilies:
-    - IPv4
+  - IPv4
+  ipFamilyPolicy: SingleStack
   ports:
-    - name: http
-      port: 80
-      protocol: TCP
-      targetPort: http
-      appProtocol: http
-    - name: https
-      port: 443
-      protocol: TCP
-      targetPort: https
-      appProtocol: https
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
   selector:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
 ---
-# Source: ingress-nginx/templates/controller-daemonset.yaml
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
   selector:
     matchLabels:
-      app.kubernetes.io/name: ingress-nginx
-      app.kubernetes.io/instance: ingress-nginx
       app.kubernetes.io/component: controller
-  revisionHistoryLimit: 10
-  minReadySeconds: 0
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
     spec:
-      dnsPolicy: ClusterFirst
       containers:
-        - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
-          imagePullPolicy: IfNotPresent
-          lifecycle:
-            preStop:
-              exec:
-                command:
-                  - /wait-shutdown
-          args:
-            - /nginx-ingress-controller
-            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
-            - --election-id=ingress-controller-leader
-            - --controller-class=k8s.io/ingress-nginx
-            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
-            - --validating-webhook=:8443
-            - --validating-webhook-certificate=/usr/local/certificates/cert
-            - --validating-webhook-key=/usr/local/certificates/key
-          securityContext:
-            capabilities:
-              drop:
-                - ALL
-              add:
-                - NET_BIND_SERVICE
-            runAsUser: 101
-            allowPrivilegeEscalation: true
-          env:
-            - name: POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: LD_PRELOAD
-              value: /usr/local/lib/libmimalloc.so
-          livenessProbe:
-            failureThreshold: 5
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          readinessProbe:
-            failureThreshold: 3
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          ports:
-            - name: http
-              containerPort: 80
-              protocol: TCP
-            - name: https
-              containerPort: 443
-              protocol: TCP
-            - name: webhook
-              containerPort: 8443
-              protocol: TCP
-          volumeMounts:
-            - name: webhook-cert
-              mountPath: /usr/local/certificates/
-              readOnly: true
-          resources:
-            requests:
-              cpu: 100m
-              memory: 90Mi
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
       nodeSelector:
         kubernetes.io/os: linux
       serviceAccountName: ingress-nginx
       terminationGracePeriodSeconds: 300
       volumes:
-        - name: webhook-cert
-          secret:
-            secretName: ingress-nginx-admission
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
 ---
-# Source: ingress-nginx/templates/controller-ingressclass.yaml
-# We don't support namespaced ingressClass yet
-# So a ClusterRole and a ClusterRoleBinding is required
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: nginx
-  namespace: ingress-nginx
-spec:
-  controller: k8s.io/ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
-# before changing this value, check the required kubernetes version
-# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-  name: ingress-nginx-admission
-webhooks:
-  - name: validate.nginx.ingress.kubernetes.io
-    matchPolicy: Equivalent
-    rules:
-      - apiGroups:
-          - networking.k8s.io
-        apiVersions:
-          - v1
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - ingresses
-    failurePolicy: Fail
-    sideEffects: None
-    admissionReviewVersions:
-      - v1
-    clientConfig:
-      service:
-        namespace: ingress-nginx
-        name: ingress-nginx-controller-admission
-        path: /networking/v1/ingresses
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-rules:
-  - apiGroups:
-      - admissionregistration.k8s.io
-    resources:
-      - validatingwebhookconfigurations
-    verbs:
-      - get
-      - update
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - secrets
-    verbs:
-      - get
-      - create
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: ingress-nginx-admission-create
-  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
 spec:
   template:
     metadata:
-      name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.15
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.15
+      name: ingress-nginx-admission-create
     spec:
       containers:
-        - name: create
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-          imagePullPolicy: IfNotPresent
-          args:
-            - create
-            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
-            - --namespace=$(POD_NAMESPACE)
-            - --secret-name=ingress-nginx-admission
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
+      restartPolicy: OnFailure
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
 ---
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: ingress-nginx-admission-patch
-  namespace: ingress-nginx
   annotations:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
 spec:
   template:
     metadata:
-      name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.15
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.15
+      name: ingress-nginx-admission-patch
     spec:
       containers:
-        - name: patch
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-          imagePullPolicy: IfNotPresent
-          args:
-            - patch
-            - --webhook-name=ingress-nginx-admission
-            - --namespace=$(POD_NAMESPACE)
-            - --patch-mutating=false
-            - --secret-name=ingress-nginx-admission
-            - --patch-failure-policy=Fail
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
+      restartPolicy: OnFailure
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index c87aa857e..4cd1c32d4 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -1,227 +1,249 @@
-
+#GENERATED FOR K8S 1.20
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: ingress-nginx
   labels:
-    app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
 ---
-# Source: ingress-nginx/templates/controller-serviceaccount.yaml
 apiVersion: v1
+automountServiceAccountToken: true
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
-automountServiceAccountToken: true
 ---
-# Source: ingress-nginx/templates/controller-configmap.yaml
 apiVersion: v1
-kind: ConfigMap
+kind: ServiceAccount
 metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
   namespace: ingress-nginx
-data:
-  allow-snippet-annotations: 'true'
 ---
-# Source: ingress-nginx/templates/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-  name: ingress-nginx
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-      - endpoints
-      - nodes
-      - pods
-      - secrets
-      - namespaces
-    verbs:
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - nodes
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
----
-# Source: ingress-nginx/templates/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-  name: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/controller-role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
-  - apiGroups:
-      - ''
-    resources:
-      - namespaces
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-      - pods
-      - secrets
-      - endpoints
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    resourceNames:
-      - ingress-controller-leader
-    verbs:
-      - get
-      - update
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    verbs:
-      - create
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
 ---
-# Source: ingress-nginx/templates/controller-rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -229,467 +251,421 @@ roleRef:
   kind: Role
   name: ingress-nginx
 subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/controller-service-webhook.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller-admission
+- kind: ServiceAccount
+  name: ingress-nginx
   namespace: ingress-nginx
-spec:
-  type: ClusterIP
-  ports:
-    - name: https-webhook
-      port: 443
-      targetPort: webhook
-      appProtocol: https
-  selector:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/component: controller
 ---
-# Source: ingress-nginx/templates/controller-service.yaml
-apiVersion: v1
-kind: Service
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
 metadata:
   annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations: null
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
-  type: NodePort
-  ipFamilyPolicy: SingleStack
   ipFamilies:
-    - IPv4
+  - IPv4
+  ipFamilyPolicy: SingleStack
   ports:
-    - name: http
-      port: 80
-      protocol: TCP
-      targetPort: http
-      appProtocol: http
-    - name: https
-      port: 443
-      protocol: TCP
-      targetPort: https
-      appProtocol: https
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
   selector:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: NodePort
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
 ---
-# Source: ingress-nginx/templates/controller-deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
   selector:
     matchLabels:
-      app.kubernetes.io/name: ingress-nginx
-      app.kubernetes.io/instance: ingress-nginx
       app.kubernetes.io/component: controller
-  revisionHistoryLimit: 10
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
   strategy:
     rollingUpdate:
       maxUnavailable: 1
     type: RollingUpdate
-  minReadySeconds: 0
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
     spec:
-      dnsPolicy: ClusterFirst
       containers:
-        - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
-          imagePullPolicy: IfNotPresent
-          lifecycle:
-            preStop:
-              exec:
-                command:
-                  - /wait-shutdown
-          args:
-            - /nginx-ingress-controller
-            - --election-id=ingress-controller-leader
-            - --controller-class=k8s.io/ingress-nginx
-            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
-            - --validating-webhook=:8443
-            - --validating-webhook-certificate=/usr/local/certificates/cert
-            - --validating-webhook-key=/usr/local/certificates/key
-            - --watch-ingress-without-class=true
-            - --publish-status-address=localhost
-          securityContext:
-            capabilities:
-              drop:
-                - ALL
-              add:
-                - NET_BIND_SERVICE
-            runAsUser: 101
-            allowPrivilegeEscalation: true
-          env:
-            - name: POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: LD_PRELOAD
-              value: /usr/local/lib/libmimalloc.so
-          livenessProbe:
-            failureThreshold: 5
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          readinessProbe:
-            failureThreshold: 3
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          ports:
-            - name: http
-              containerPort: 80
-              protocol: TCP
-              hostPort: 80
-            - name: https
-              containerPort: 443
-              protocol: TCP
-              hostPort: 443
-            - name: webhook
-              containerPort: 8443
-              protocol: TCP
-          volumeMounts:
-            - name: webhook-cert
-              mountPath: /usr/local/certificates/
-              readOnly: true
-          resources:
-            requests:
-              cpu: 100m
-              memory: 90Mi
+      - args:
+        - /nginx-ingress-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        - --watch-ingress-without-class=true
+        - --publish-status-address=localhost
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          hostPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          hostPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
       nodeSelector:
-        ingress-ready: 'true'
+        ingress-ready: "true"
         kubernetes.io/os: linux
-      tolerations:
-        - effect: NoSchedule
-          key: node-role.kubernetes.io/master
-          operator: Equal
       serviceAccountName: ingress-nginx
       terminationGracePeriodSeconds: 0
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Equal
       volumes:
-        - name: webhook-cert
-          secret:
-            secretName: ingress-nginx-admission
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
 ---
-# Source: ingress-nginx/templates/controller-ingressclass.yaml
-# We don't support namespaced ingressClass yet
-# So a ClusterRole and a ClusterRoleBinding is required
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: nginx
-  namespace: ingress-nginx
-spec:
-  controller: k8s.io/ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
-# before changing this value, check the required kubernetes version
-# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-  name: ingress-nginx-admission
-webhooks:
-  - name: validate.nginx.ingress.kubernetes.io
-    matchPolicy: Equivalent
-    rules:
-      - apiGroups:
-          - networking.k8s.io
-        apiVersions:
-          - v1
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - ingresses
-    failurePolicy: Fail
-    sideEffects: None
-    admissionReviewVersions:
-      - v1
-    clientConfig:
-      service:
-        namespace: ingress-nginx
-        name: ingress-nginx-controller-admission
-        path: /networking/v1/ingresses
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-rules:
-  - apiGroups:
-      - admissionregistration.k8s.io
-    resources:
-      - validatingwebhookconfigurations
-    verbs:
-      - get
-      - update
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - secrets
-    verbs:
-      - get
-      - create
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: ingress-nginx-admission-create
-  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
 spec:
   template:
     metadata:
-      name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.15
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.15
+      name: ingress-nginx-admission-create
     spec:
       containers:
-        - name: create
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-          imagePullPolicy: IfNotPresent
-          args:
-            - create
-            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
-            - --namespace=$(POD_NAMESPACE)
-            - --secret-name=ingress-nginx-admission
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
+      restartPolicy: OnFailure
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
 ---
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: ingress-nginx-admission-patch
-  namespace: ingress-nginx
   annotations:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
 spec:
   template:
     metadata:
-      name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.15
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.15
+      name: ingress-nginx-admission-patch
     spec:
       containers:
-        - name: patch
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-          imagePullPolicy: IfNotPresent
-          args:
-            - patch
-            - --webhook-name=ingress-nginx-admission
-            - --namespace=$(POD_NAMESPACE)
-            - --patch-mutating=false
-            - --secret-name=ingress-nginx-admission
-            - --patch-failure-policy=Fail
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
+      restartPolicy: OnFailure
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml
index a97984338..4f918c422 100644
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@@ -1,228 +1,249 @@
-
+#GENERATED FOR K8S 1.20
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: ingress-nginx
   labels:
-    app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
 ---
-# Source: ingress-nginx/templates/controller-serviceaccount.yaml
 apiVersion: v1
+automountServiceAccountToken: true
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
-automountServiceAccountToken: true
 ---
-# Source: ingress-nginx/templates/controller-configmap.yaml
 apiVersion: v1
-kind: ConfigMap
+kind: ServiceAccount
 metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
   namespace: ingress-nginx
-data:
-  allow-snippet-annotations: 'true'
-  use-proxy-protocol: 'true'
 ---
-# Source: ingress-nginx/templates/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-  name: ingress-nginx
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-      - endpoints
-      - nodes
-      - pods
-      - secrets
-      - namespaces
-    verbs:
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - nodes
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
----
-# Source: ingress-nginx/templates/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-  name: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/controller-role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
-  - apiGroups:
-      - ''
-    resources:
-      - namespaces
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-      - pods
-      - secrets
-      - endpoints
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    resourceNames:
-      - ingress-controller-leader
-    verbs:
-      - get
-      - update
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    verbs:
-      - create
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
 ---
-# Source: ingress-nginx/templates/controller-rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -230,457 +251,412 @@ roleRef:
   kind: Role
   name: ingress-nginx
 subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx
-    namespace: ingress-nginx
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
 ---
-# Source: ingress-nginx/templates/controller-service-webhook.yaml
-apiVersion: v1
-kind: Service
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
     app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: ingress-nginx-controller-admission
-  namespace: ingress-nginx
-spec:
-  type: ClusterIP
-  ports:
-    - name: https-webhook
-      port: 443
-      targetPort: webhook
-      appProtocol: https
-  selector:
     app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/component: controller
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+  use-proxy-protocol: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
 ---
-# Source: ingress-nginx/templates/controller-service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: 'true'
+    service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: "true"
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
-  type: LoadBalancer
   externalTrafficPolicy: Local
-  ipFamilyPolicy: SingleStack
   ipFamilies:
-    - IPv4
+  - IPv4
+  ipFamilyPolicy: SingleStack
   ports:
-    - name: http
-      port: 80
-      protocol: TCP
-      targetPort: http
-      appProtocol: http
-    - name: https
-      port: 443
-      protocol: TCP
-      targetPort: https
-      appProtocol: https
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
   selector:
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
 ---
-# Source: ingress-nginx/templates/controller-deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
   selector:
     matchLabels:
-      app.kubernetes.io/name: ingress-nginx
-      app.kubernetes.io/instance: ingress-nginx
       app.kubernetes.io/component: controller
-  revisionHistoryLimit: 10
-  minReadySeconds: 0
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
     spec:
-      dnsPolicy: ClusterFirst
       containers:
-        - name: controller
-          image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
-          imagePullPolicy: IfNotPresent
-          lifecycle:
-            preStop:
-              exec:
-                command:
-                  - /wait-shutdown
-          args:
-            - /nginx-ingress-controller
-            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
-            - --election-id=ingress-controller-leader
-            - --controller-class=k8s.io/ingress-nginx
-            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
-            - --validating-webhook=:8443
-            - --validating-webhook-certificate=/usr/local/certificates/cert
-            - --validating-webhook-key=/usr/local/certificates/key
-          securityContext:
-            capabilities:
-              drop:
-                - ALL
-              add:
-                - NET_BIND_SERVICE
-            runAsUser: 101
-            allowPrivilegeEscalation: true
-          env:
-            - name: POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: LD_PRELOAD
-              value: /usr/local/lib/libmimalloc.so
-          livenessProbe:
-            failureThreshold: 5
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          readinessProbe:
-            failureThreshold: 3
-            httpGet:
-              path: /healthz
-              port: 10254
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          ports:
-            - name: http
-              containerPort: 80
-              protocol: TCP
-            - name: https
-              containerPort: 443
-              protocol: TCP
-            - name: webhook
-              containerPort: 8443
-              protocol: TCP
-          volumeMounts:
-            - name: webhook-cert
-              mountPath: /usr/local/certificates/
-              readOnly: true
-          resources:
-            requests:
-              cpu: 100m
-              memory: 90Mi
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
       nodeSelector:
         kubernetes.io/os: linux
       serviceAccountName: ingress-nginx
       terminationGracePeriodSeconds: 300
       volumes:
-        - name: webhook-cert
-          secret:
-            secretName: ingress-nginx-admission
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
 ---
-# Source: ingress-nginx/templates/controller-ingressclass.yaml
-# We don't support namespaced ingressClass yet
-# So a ClusterRole and a ClusterRoleBinding is required
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-  name: nginx
-  namespace: ingress-nginx
-spec:
-  controller: k8s.io/ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
-# before changing this value, check the required kubernetes version
-# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-  name: ingress-nginx-admission
-webhooks:
-  - name: validate.nginx.ingress.kubernetes.io
-    matchPolicy: Equivalent
-    rules:
-      - apiGroups:
-          - networking.k8s.io
-        apiVersions:
-          - v1
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - ingresses
-    failurePolicy: Fail
-    sideEffects: None
-    admissionReviewVersions:
-      - v1
-    clientConfig:
-      service:
-        namespace: ingress-nginx
-        name: ingress-nginx-controller-admission
-        path: /networking/v1/ingresses
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-rules:
-  - apiGroups:
-      - admissionregistration.k8s.io
-    resources:
-      - validatingwebhookconfigurations
-    verbs:
-      - get
-      - update
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: ingress-nginx-admission
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - secrets
-    verbs:
-      - get
-      - create
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-  labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: admission-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ingress-nginx-admission
-subjects:
-  - kind: ServiceAccount
-    name: ingress-nginx-admission
-    namespace: ingress-nginx
----
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: ingress-nginx-admission-create
-  namespace: ingress-nginx
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
 spec:
   template:
     metadata:
-      name: ingress-nginx-admission-create
       labels:
-        helm.sh/chart: ingress-nginx-4.0.15
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.15
+      name: ingress-nginx-admission-create
     spec:
       containers:
-        - name: create
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-          imagePullPolicy: IfNotPresent
-          args:
-            - create
-            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
-            - --namespace=$(POD_NAMESPACE)
-            - --secret-name=ingress-nginx-admission
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
+      restartPolicy: OnFailure
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
 ---
-# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: ingress-nginx-admission-patch
-  namespace: ingress-nginx
   annotations:
     helm.sh/hook: post-install,post-upgrade
     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
-    helm.sh/chart: ingress-nginx-4.0.15
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
 spec:
   template:
     metadata:
-      name: ingress-nginx-admission-patch
       labels:
-        helm.sh/chart: ingress-nginx-4.0.15
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.15
+      name: ingress-nginx-admission-patch
     spec:
       containers:
-        - name: patch
-          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-          imagePullPolicy: IfNotPresent
-          args:
-            - patch
-            - --webhook-name=ingress-nginx-admission
-            - --namespace=$(POD_NAMESPACE)
-            - --patch-mutating=false
-            - --secret-name=ingress-nginx-admission
-            - --patch-failure-policy=Fail
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-      restartPolicy: OnFailure
-      serviceAccountName: ingress-nginx-admission
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
+      restartPolicy: OnFailure
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.15
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index 51bc4be50..c3443e731 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -55,8 +55,11 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 !!! info
     The YAML manifest in the command above was generated with `helm template`, so you will end up with almost the same resources as if you had used Helm to install the controller.
 
-If you are running an old version of Kubernetes (1.18 or earlier), please read
-[this paragraph](#running-on-Kubernetes-versions-older-than-1.19) for specific instructions.
+!!! attention
+  If you are running an old version of Kubernetes (1.18 or earlier), please read
+  [this paragraph](#running-on-Kubernetes-versions-older-than-1.19) for specific instructions.
+  Because of api deprecations, the default manifest may not work on your cluster.
+  Specific manifests for supported Kubernetes versions are available within a subfolder of each provider.
 
 ### Pre-flight check
 
@@ -186,12 +189,13 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 
 ##### TLS termination in AWS Load Balancer (NLB)
 
-By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS with using an NLB.
+By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB.
 
-1. Download the the [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/aws/deploy-tls-termination.yaml) template:
-   ```console
-   wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/aws/deploy-tls-termination.yaml
-   ```
+1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template
+
+  ```console
+  wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
+  ```
 
 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster:
    ```
@@ -205,7 +209,7 @@ By default, TLS is terminated in the ingress controller. But it is also possible
 
 4. Deploy the manifest:
    ```console
-   kubectl apply -f deploy-tls-termination.yaml
+   kubectl apply -f deploy.yaml
    ```
 
 ##### NLB Idle Timeouts
diff --git a/hack/.tool-versions b/hack/.tool-versions
new file mode 100644
index 000000000..5baa8790a
--- /dev/null
+++ b/hack/.tool-versions
@@ -0,0 +1,2 @@
+kustomize 4.1.3
+helm 3.7.1
diff --git a/hack/generate-deploy-scripts.sh b/hack/generate-deploy-scripts.sh
index 28625721b..2ec0adc1b 100755
--- a/hack/generate-deploy-scripts.sh
+++ b/hack/generate-deploy-scripts.sh
@@ -22,194 +22,51 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
+# for backwards compatibility, the default version of 1.20 is copied to the root of the variant
+# with enough docs updates, this could be removed
+# see     # DEFAULT VERSION HANDLING
+K8S_DEFAULT_VERSION=1.20
+# K8S_TARGET_VERSIONS=("1.19" "1.20" "1.21" "1.22") TODO @afirth revert for #8000
+K8S_TARGET_VERSIONS=("1.20")
+
 DIR=$(cd $(dirname "${BASH_SOURCE}")/.. && pwd -P)
 
-RELEASE_NAME=ingress-nginx
-NAMESPACE=ingress-nginx
+# clean
+rm -rf ${DIR}/deploy/static/provider/*
 
-NAMESPACE_VAR="
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: $NAMESPACE
-  labels:
-    app.kubernetes.io/name: $RELEASE_NAME
-    app.kubernetes.io/instance: ingress-nginx
-"
+TEMPLATE_DIR="${DIR}/hack/manifest-templates"
 
-# Baremetal
-OUTPUT_FILE="${DIR}/deploy/static/provider/baremetal/deploy.yaml"
-cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE}
-controller:
-  service:
-    type: NodePort
+# each helm values file `values.yaml` under `hack/manifest-templates/provider` will be generated as provider/<provider>[/variant][/kube-version]/deploy.yaml
+# TARGET is provider/<provider>[/variant]
+TARGETS=$(dirname $(cd $DIR/hack/manifest-templates/ && find . -type f -name "values.yaml" ) | cut -d'/' -f2-)
+for K8S_VERSION in "${K8S_TARGET_VERSIONS[@]}"
+do
+  for TARGET in ${TARGETS}
+  do
+    TARGET_DIR="${TEMPLATE_DIR}/${TARGET}"
+    MANIFEST="${TEMPLATE_DIR}/common/manifest.yaml" # intermediate manifest
+    OUTPUT_DIR="${DIR}/deploy/static/${TARGET}/${K8S_VERSION}"
+    echo $OUTPUT_DIR
 
-  publishService:
-    enabled: false
-EOF
+    mkdir -p ${OUTPUT_DIR}
+    cd ${TARGET_DIR}
+    helm template ingress-nginx ${DIR}/charts/ingress-nginx \
+      --values values.yaml \
+      --namespace ingress-nginx \
+      --kube-version ${K8S_VERSION} \
+      > $MANIFEST
+    kustomize --load-restrictor=LoadRestrictionsNone build . > ${OUTPUT_DIR}/deploy.yaml
+    rm $MANIFEST
+    cd ~-
+    # automatically generate the (unsupported) kustomization.yaml for each target
+    sed "s_{TARGET}_${TARGET}_" $TEMPLATE_DIR/static-kustomization-template.yaml > ${OUTPUT_DIR}/kustomization.yaml
 
-echo "${NAMESPACE_VAR}
-$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE}
-
-# Cloud - generic
-OUTPUT_FILE="${DIR}/deploy/static/provider/cloud/deploy.yaml"
-cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE}
-controller:
-  service:
-    type: LoadBalancer
-    externalTrafficPolicy: Local
-EOF
-
-echo "${NAMESPACE_VAR}
-$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE}
-
-
-# AWS - NLB
-OUTPUT_FILE="${DIR}/deploy/static/provider/aws/deploy.yaml"
-cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE}
-controller:
-  service:
-    type: LoadBalancer
-    externalTrafficPolicy: Local
-    annotations:
-      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
-      service.beta.kubernetes.io/aws-load-balancer-type: nlb
-      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
-EOF
-
-echo "${NAMESPACE_VAR}
-$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE}
-
-
-OUTPUT_FILE="${DIR}/deploy/static/provider/aws/deploy-tls-termination.yaml"
-cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE}
-controller:
-  service:
-    type: LoadBalancer
-    externalTrafficPolicy: Local
-
-    annotations:
-      # This example is for legacy in-tree service load balancer controller for AWS NLB,
-      # that has been phased out from Kubernetes mainline.
-      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
-      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
-      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX"
-      service.beta.kubernetes.io/aws-load-balancer-type: nlb
-      # Ensure the ELB idle timeout is less than nginx keep-alive timeout. By default,
-      # NGINX keep-alive is set to 75s. If using WebSockets, the value will need to be
-      # increased to '3600' to avoid any potential issues.
-      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
-
-    targetPorts:
-      http: tohttps
-      https: http
-
-  # Configures the ports the nginx-controller listens on
-  containerPort:
-    http: 80
-    https: 80
-    tohttps: 2443
-
-  config:
-    proxy-real-ip-cidr: XXX.XXX.XXX/XX
-    use-forwarded-headers: "true"
-    http-snippet: |
-      server {
-        listen 2443;
-        return 308 https://\$host\$request_uri;
-      }
-EOF
-
-echo "${NAMESPACE_VAR}
-$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE}
-
-# Kind - https://kind.sigs.k8s.io/docs/user/ingress/
-OUTPUT_FILE="${DIR}/deploy/static/provider/kind/deploy.yaml"
-cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE}
-controller:
-  updateStrategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxUnavailable: 1
-  hostPort:
-    enabled: true
-  terminationGracePeriodSeconds: 0
-  service:
-    type: NodePort
-  watchIngressWithoutClass: true
-
-  nodeSelector:
-    ingress-ready: "true"
-  tolerations:
-    - key: "node-role.kubernetes.io/master"
-      operator: "Equal"
-      effect: "NoSchedule"
-
-  publishService:
-    enabled: false
-  extraArgs:
-    publish-status-address: localhost
-EOF
-
-# Digital Ocean
-echo "${NAMESPACE_VAR}
-$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE}
-
-OUTPUT_FILE="${DIR}/deploy/static/provider/do/deploy.yaml"
-cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE}
-controller:
-  service:
-    type: LoadBalancer
-    externalTrafficPolicy: Local
-    annotations:
-      service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
-  config:
-    use-proxy-protocol: "true"
-  admissionWebhooks:
-    timeoutSeconds: 29
-
-EOF
-
-# Scaleway
-echo "${NAMESPACE_VAR}
-$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE}
-
-OUTPUT_FILE="${DIR}/deploy/static/provider/scw/deploy.yaml"
-cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE}
-controller:
-  service:
-    type: LoadBalancer
-    externalTrafficPolicy: Local
-    annotations:
-      service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: "true"
-  config:
-    use-proxy-protocol: "true"
-
-EOF
-
-# Exoscale
-echo "${NAMESPACE_VAR}
-$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE}
-
-OUTPUT_FILE="${DIR}/deploy/static/provider/exoscale/deploy.yaml"
-cat << EOF | helm template $RELEASE_NAME ${DIR}/charts/ingress-nginx --namespace $NAMESPACE --values - | $DIR/hack/add-namespace.py $NAMESPACE > ${OUTPUT_FILE}
-controller:
-  kind: DaemonSet
-  service:
-    type: LoadBalancer
-    externalTrafficPolicy: Local
-    annotations:
-      service.beta.kubernetes.io/exoscale-loadbalancer-name: "nginx-ingress-controller"
-      service.beta.kubernetes.io/exoscale-loadbalancer-description: "NGINX Ingress Controller load balancer"
-      service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: "source-hash"
-      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-mode: "http"
-      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-uri: "/"
-      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-interval: "10s"
-      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: "3s"
-      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-retries: "1"
-  publishService:
-      enabled: true
-EOF
-
-echo "${NAMESPACE_VAR}
-$(cat ${OUTPUT_FILE})" > ${OUTPUT_FILE}
+    # DEFAULT VERSION HANDLING
+    if [[ ${K8S_VERSION} = ${K8S_DEFAULT_VERSION} ]]
+    then
+      cp ${OUTPUT_DIR}/*.yaml ${OUTPUT_DIR}/../
+      sed -i "1s/^/#GENERATED FOR K8S ${K8S_VERSION}\n/" ${OUTPUT_DIR}/../deploy.yaml
+      rm -rf ${OUTPUT_DIR} # TODO @afirth remove for #8000 - this avoids the duplicate files for easier review of the build script changes
+    fi
+  done
+done
diff --git a/hack/manifest-templates/common/kustomization.yaml b/hack/manifest-templates/common/kustomization.yaml
new file mode 100644
index 000000000..a4b5f64cf
--- /dev/null
+++ b/hack/manifest-templates/common/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- manifest.yaml
+- namespace.yaml
+
+patches:
+- target:
+    group: apps
+    version: v1
+    kind: Deployment
+  patch: |-
+    - op: remove
+      path: /spec/replicas
diff --git a/hack/manifest-templates/common/namespace.yaml b/hack/manifest-templates/common/namespace.yaml
new file mode 100644
index 000000000..db890604b
--- /dev/null
+++ b/hack/manifest-templates/common/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ingress-nginx
+  labels:
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
diff --git a/hack/manifest-templates/provider/aws/kustomization.yaml b/hack/manifest-templates/provider/aws/kustomization.yaml
new file mode 100644
index 000000000..cd6ef95be
--- /dev/null
+++ b/hack/manifest-templates/provider/aws/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../common
diff --git a/hack/manifest-templates/provider/aws/nlb-with-tls-termination/kustomization.yaml b/hack/manifest-templates/provider/aws/nlb-with-tls-termination/kustomization.yaml
new file mode 100644
index 000000000..ecec1095c
--- /dev/null
+++ b/hack/manifest-templates/provider/aws/nlb-with-tls-termination/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../common
diff --git a/hack/manifest-templates/provider/aws/nlb-with-tls-termination/values.yaml b/hack/manifest-templates/provider/aws/nlb-with-tls-termination/values.yaml
new file mode 100644
index 000000000..5b36b3dd2
--- /dev/null
+++ b/hack/manifest-templates/provider/aws/nlb-with-tls-termination/values.yaml
@@ -0,0 +1,36 @@
+# AWS NLB with TLS termination
+controller:
+  service:
+    type: LoadBalancer
+    externalTrafficPolicy: Local
+
+    annotations:
+      # This example is for legacy in-tree service load balancer controller for AWS NLB,
+      # that has been phased out from Kubernetes mainline.
+      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
+      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX"
+      service.beta.kubernetes.io/aws-load-balancer-type: nlb
+      # Ensure the ELB idle timeout is less than nginx keep-alive timeout. By default,
+      # NGINX keep-alive is set to 75s. If using WebSockets, the value will need to be
+      # increased to '3600' to avoid any potential issues.
+      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
+
+    targetPorts:
+      http: tohttps
+      https: http
+
+  # Configures the ports the nginx-controller listens on
+  containerPort:
+    http: 80
+    https: 80
+    tohttps: 2443
+
+  config:
+    proxy-real-ip-cidr: XXX.XXX.XXX/XX
+    use-forwarded-headers: "true"
+    http-snippet: |
+      server {
+        listen 2443;
+        return 308 https://$host$request_uri;
+      }
diff --git a/hack/manifest-templates/provider/aws/values.yaml b/hack/manifest-templates/provider/aws/values.yaml
new file mode 100644
index 000000000..743721fc4
--- /dev/null
+++ b/hack/manifest-templates/provider/aws/values.yaml
@@ -0,0 +1,9 @@
+# AWS - NLB
+controller:
+  service:
+    type: LoadBalancer
+    externalTrafficPolicy: Local
+    annotations:
+      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
+      service.beta.kubernetes.io/aws-load-balancer-type: nlb
+      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
diff --git a/hack/manifest-templates/provider/baremetal/kustomization.yaml b/hack/manifest-templates/provider/baremetal/kustomization.yaml
new file mode 100644
index 000000000..cd6ef95be
--- /dev/null
+++ b/hack/manifest-templates/provider/baremetal/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../common
diff --git a/hack/manifest-templates/provider/baremetal/values.yaml b/hack/manifest-templates/provider/baremetal/values.yaml
new file mode 100644
index 000000000..3c5a0840b
--- /dev/null
+++ b/hack/manifest-templates/provider/baremetal/values.yaml
@@ -0,0 +1,7 @@
+# Baremetal
+controller:
+  service:
+    type: NodePort
+
+  publishService:
+    enabled: false
diff --git a/hack/manifest-templates/provider/cloud/kustomization.yaml b/hack/manifest-templates/provider/cloud/kustomization.yaml
new file mode 100644
index 000000000..cd6ef95be
--- /dev/null
+++ b/hack/manifest-templates/provider/cloud/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../common
diff --git a/hack/manifest-templates/provider/cloud/values.yaml b/hack/manifest-templates/provider/cloud/values.yaml
new file mode 100644
index 000000000..7d8266c0f
--- /dev/null
+++ b/hack/manifest-templates/provider/cloud/values.yaml
@@ -0,0 +1,4 @@
+controller:
+  service:
+    type: LoadBalancer
+    externalTrafficPolicy: Local
diff --git a/hack/manifest-templates/provider/do/kustomization.yaml b/hack/manifest-templates/provider/do/kustomization.yaml
new file mode 100644
index 000000000..cd6ef95be
--- /dev/null
+++ b/hack/manifest-templates/provider/do/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../common
diff --git a/hack/manifest-templates/provider/do/values.yaml b/hack/manifest-templates/provider/do/values.yaml
new file mode 100644
index 000000000..2b0578414
--- /dev/null
+++ b/hack/manifest-templates/provider/do/values.yaml
@@ -0,0 +1,11 @@
+# Digital Ocean
+controller:
+  service:
+    type: LoadBalancer
+    externalTrafficPolicy: Local
+    annotations:
+      service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
+  config:
+    use-proxy-protocol: "true"
+  admissionWebhooks:
+    timeoutSeconds: 29
diff --git a/hack/manifest-templates/provider/exoscale/kustomization.yaml b/hack/manifest-templates/provider/exoscale/kustomization.yaml
new file mode 100644
index 000000000..cd6ef95be
--- /dev/null
+++ b/hack/manifest-templates/provider/exoscale/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../common
diff --git a/hack/manifest-templates/provider/exoscale/values.yaml b/hack/manifest-templates/provider/exoscale/values.yaml
new file mode 100644
index 000000000..76863f013
--- /dev/null
+++ b/hack/manifest-templates/provider/exoscale/values.yaml
@@ -0,0 +1,17 @@
+# Exoscale
+controller:
+  kind: DaemonSet
+  service:
+    type: LoadBalancer
+    externalTrafficPolicy: Local
+    annotations:
+      service.beta.kubernetes.io/exoscale-loadbalancer-name: "nginx-ingress-controller"
+      service.beta.kubernetes.io/exoscale-loadbalancer-description: "NGINX Ingress Controller load balancer"
+      service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: "source-hash"
+      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-mode: "http"
+      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-uri: "/"
+      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-interval: "10s"
+      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: "3s"
+      service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-retries: "1"
+  publishService:
+      enabled: true
diff --git a/hack/manifest-templates/provider/kind/kustomization.yaml b/hack/manifest-templates/provider/kind/kustomization.yaml
new file mode 100644
index 000000000..cd6ef95be
--- /dev/null
+++ b/hack/manifest-templates/provider/kind/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../common
diff --git a/hack/manifest-templates/provider/kind/values.yaml b/hack/manifest-templates/provider/kind/values.yaml
new file mode 100644
index 000000000..f327c351e
--- /dev/null
+++ b/hack/manifest-templates/provider/kind/values.yaml
@@ -0,0 +1,24 @@
+# Kind - https://kind.sigs.k8s.io/docs/user/ingress/
+controller:
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+  hostPort:
+    enabled: true
+  terminationGracePeriodSeconds: 0
+  service:
+    type: NodePort
+  watchIngressWithoutClass: true
+
+  nodeSelector:
+    ingress-ready: "true"
+  tolerations:
+    - key: "node-role.kubernetes.io/master"
+      operator: "Equal"
+      effect: "NoSchedule"
+
+  publishService:
+    enabled: false
+  extraArgs:
+    publish-status-address: localhost
diff --git a/hack/manifest-templates/provider/scw/kustomization.yaml b/hack/manifest-templates/provider/scw/kustomization.yaml
new file mode 100644
index 000000000..cd6ef95be
--- /dev/null
+++ b/hack/manifest-templates/provider/scw/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../common
diff --git a/hack/manifest-templates/provider/scw/values.yaml b/hack/manifest-templates/provider/scw/values.yaml
new file mode 100644
index 000000000..cee5e2b1e
--- /dev/null
+++ b/hack/manifest-templates/provider/scw/values.yaml
@@ -0,0 +1,9 @@
+# Scaleway
+controller:
+  service:
+    type: LoadBalancer
+    externalTrafficPolicy: Local
+    annotations:
+      service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: "true"
+  config:
+    use-proxy-protocol: "true"
diff --git a/hack/manifest-templates/static-kustomization-template.yaml b/hack/manifest-templates/static-kustomization-template.yaml
new file mode 100644
index 000000000..fd273c7c4
--- /dev/null
+++ b/hack/manifest-templates/static-kustomization-template.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/{TARGET}?ref=master
+# ```
+
+resources:
+  - deploy.yaml

From feba7e1ffc7f2047f1cae5cb5f093f5b34c58abd Mon Sep 17 00:00:00 2001
From: Rafael Maciel <22459495+rbgnk@users.noreply.github.com>
Date: Wed, 19 Jan 2022 23:31:51 -0300
Subject: [PATCH 303/376] docs: correct typo (#8169)

* change docker-destkop to docker-desktop
---
 docs/deploy/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index c3443e731..9f613308b 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -159,7 +159,7 @@ Kubernetes is available in Docker Desktop:
 - Mac, from [version 18.06.0-ce](https://docs.docker.com/docker-for-mac/release-notes/#stable-releases-of-2018)
 - Windows, from [version 18.06.0-ce](https://docs.docker.com/docker-for-windows/release-notes/#docker-community-edition-18060-ce-win70-2018-07-25)
 
-First, make sure that Kubernetes is enabled in the Docker settings. The command `kubectl get nodes` should show a single node called `docker-destkop`.
+First, make sure that Kubernetes is enabled in the Docker settings. The command `kubectl get nodes` should show a single node called `docker-desktop`.
 
 The ingress controller can be installed on Docker Desktop using the default [quick start](#quick-start) instructions.
 

From 39e721de731e95bf87359378d11af503c31928b7 Mon Sep 17 00:00:00 2001
From: Frederik-Baetens <smurfendrek123@gmail.com>
Date: Thu, 20 Jan 2022 10:17:52 +0100
Subject: [PATCH 304/376] Docs: add documentation about default ingress helm
 value, corrections to only ingress section (#7943)

* add explanation about ingressClassResource.default for helm users

Also cleaned up the entire "I have only one instance of the
Ingress-NGINX controller in my cluster" section

* docs: default ingressclass only when running one controller

* fix link to what is the flag watch ingress

* clarify usage of default ingress class annotation
---
 docs/index.md | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/docs/index.md b/docs/index.md
index bda45d317..2b35e7e01 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -111,12 +111,17 @@ DESCRIPTION:
 The `.spec.ingressClassName` behavior has precedence over the deprecated `kubernetes.io/ingress.class` annotation.
 
 
+## I have only one ingress controller in my cluster. What should I do?
 
-## I have only one instance of the Ingress-NGINX controller in my cluster. What should I do ?
+If a single instance of the Ingress-NGINX controller is the sole Ingress controller running in your cluster, you should add the annotation "ingressclass.kubernetes.io/is-default-class" in your IngressClass, so any new Ingress objects will have this one as default IngressClass.
 
-- If you have only one instance of the Ingress-NGINX controller running in your cluster, and you still want to use IngressClass, you should add the annotation `ingressclass.kubernetes.io/is-default-class` in your IngressClass, so that any new Ingress objects will have this one as default IngressClass.
+When using Helm, you can enable this annotation by setting `.controller.ingressClassResource.default: true` in your Helm chart installation's values file.
 
-In this case, you need to make your controller aware of the objects. If you have any Ingress objects that don't yet have either the [`.spec.ingressClassName`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) field set in their manifest, or the ingress annotation (`kubernetes.io/ingress.class`), then you should start your Ingress-NGINX controller with the flag [--watch-ingress-without-class=true](#what-is-the-flag-watch-ingress-without-class).
+If you have any old Ingress objects remaining without an IngressClass set, you can do one or more of the following to make the Ingress-NGINX controller aware of the old objects:
+
+- You can manually set the [`.spec.ingressClassName`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) field in the manifest of your own Ingress resources.
+- You can re-create them after setting the `ingressclass.kubernetes.io/is-default-class` annotation to `true` on the IngressClass
+- Alternatively you can make the Ingress-NGINX controller watch Ingress objects without the ingressClassName field set by starting your Ingress-NGINX with the flag [--watch-ingress-without-class=true](#what-is-the-flag-watch-ingress-without-class) . When using Helm, you can configure your Helm chart installation's values file with `.controller.watchIngressWithoutClass: true`
 
 You can configure your Helm chart installation's values file with `.controller.watchIngressWithoutClass: true`. 
 

From 922e27fea7a2409f2a23a741b939ddfe01130324 Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Fri, 21 Jan 2022 05:02:30 +0530
Subject: [PATCH 305/376] reintroduce helm-docs step in ci (#8164)

---
 .github/workflows/ci.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 62843b1d7..63bc7da08 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -137,6 +137,17 @@ jobs:
         run: |
           ./build/run-in-docker.sh ./hack/verify-chart-lint.sh
 
+      - name: Run helm-docs
+        run: |
+          GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.6.0
+          ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts
+          DIFF=$(git diff ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md)
+          if [ ! -z "$DIFF" ]; then
+            echo "Please use helm-docs in your clone, of your fork, of the project, and commit a updated README.md for the chart. https://github.com/kubernetes/ingress-nginx/blob/main/RELEASE.md#d-edit-the-valuesyaml-and-run-helm-docs"
+          fi
+          git diff --exit-code
+          rm -f ./helm-docs
+
       - name: fix permissions
         run: |
           sudo mkdir -p $HOME/.kube

From 53ac0ddd4214d9a3662751ba3741af3375af5478 Mon Sep 17 00:00:00 2001
From: Jintao Zhang <zhangjintao9020@gmail.com>
Date: Thu, 27 Jan 2022 10:52:50 +0800
Subject: [PATCH 306/376] Using Go install for misspell (#8191)

* chore: using go install misspell

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>

* chore: fix typo

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
---
 Makefile                                           | 2 +-
 docs/index.md                                      | 2 +-
 docs/user-guide/nginx-configuration/annotations.md | 4 ++--
 test/e2e/settings/namespace_selector.go            | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Makefile b/Makefile
index ad2c8340d..b1c90e0f1 100644
--- a/Makefile
+++ b/Makefile
@@ -167,7 +167,7 @@ live-docs: ## Build and launch a local copy of the documentation website in http
 
 .PHONY: misspell
 misspell:  ## Check for spelling errors.
-	@go get github.com/client9/misspell/cmd/misspell
+	@go install github.com/client9/misspell/cmd/misspell@latest
 	misspell \
 		-locale US \
 		-error \
diff --git a/docs/index.md b/docs/index.md
index 2b35e7e01..63afaa66d 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -63,7 +63,7 @@ FIELDS:
 
 ```
 
-## What has caused this change in behaviour ?
+## What has caused this change in behavior?
 
 There are 2 reasons primarily.
 
diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
index 2dacc5293..57542f25f 100755
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@@ -251,7 +251,7 @@ Client Certificate Authentication is applied per host and it is not possible to
 
 To enable, add the annotation `nginx.ingress.kubernetes.io/auth-tls-secret: namespace/secretName`. This secret must have a file named `ca.crt` containing the full Certificate Authority chain `ca.crt` that is enabled to authenticate against this Ingress.
 
-You can further customize client certificate authentication and behaviour with these annotations:
+You can further customize client certificate authentication and behavior with these annotations:
 
 * `nginx.ingress.kubernetes.io/auth-tls-verify-depth`: The validation depth between the provided client certificate and the Certification Authority chain. (default: 1)
 * `nginx.ingress.kubernetes.io/auth-tls-verify-client`: Enables verification of client certificates. Possible values are:
@@ -944,4 +944,4 @@ metadata:
         listen 8000;
         proxy_pass 127.0.0.1:80;
       }
-```
\ No newline at end of file
+```
diff --git a/test/e2e/settings/namespace_selector.go b/test/e2e/settings/namespace_selector.go
index 4fa28826a..ea162d594 100644
--- a/test/e2e/settings/namespace_selector.go
+++ b/test/e2e/settings/namespace_selector.go
@@ -98,7 +98,7 @@ var _ = framework.IngressNginxDescribe("[Flag] watch namespace selector", func()
 			_, err = f.KubeClientSet.CoreV1().Namespaces().Update(context.TODO(), ns, metav1.UpdateOptions{})
 			assert.Nil(ginkgo.GinkgoT(), err, "labeling not matched namespace")
 
-			// update ingress to trigger reconcilation
+			// update ingress to trigger reconciliation
 			ing, err := f.KubeClientSet.NetworkingV1().Ingresses(notMatchedNs).Get(context.TODO(), notMatchedHost, metav1.GetOptions{})
 			assert.Nil(ginkgo.GinkgoT(), err, "retrieve test ingress")
 			if ing.Labels == nil {

From 6eecefd3dab9e1784be609e3e83af0418a216539 Mon Sep 17 00:00:00 2001
From: Sandip Bhattacharya <sandipb@showmethesource.org>
Date: Thu, 27 Jan 2022 04:06:50 +0100
Subject: [PATCH 307/376] docs: fix inconsistent controller annotation (#8196)

The annotation for the controller class was inconsistent in the example. From my best understanding, I have tried to fix the inconsistency.

Also, removed an incomplete sentence. And made one sentence more clear by breaking it up.
---
 docs/user-guide/multiple-ingress.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/docs/user-guide/multiple-ingress.md b/docs/user-guide/multiple-ingress.md
index 83eeb3f48..246e38b52 100644
--- a/docs/user-guide/multiple-ingress.md
+++ b/docs/user-guide/multiple-ingress.md
@@ -2,12 +2,11 @@
 
 By default, deploying multiple Ingress controllers (e.g., `ingress-nginx` & `gce`) will result in all controllers simultaneously racing to update Ingress status fields in confusing ways.
 
-To fix this problem, use [IngressClasses](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class), the `kubernetes.io/ingress.class` annotation  is deprecated from kubernetes v1.22+.
+To fix this problem, use [IngressClasses](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class). The `kubernetes.io/ingress.class` annotation  is deprecated from kubernetes v1.22+.
 
 ## Using IngressClasses
 
 If all ingress controllers respect IngressClasses (e.g. multiple instances of ingress-nginx v1.0), you can deploy two Ingress controllers by granting them control over two different IngressClasses, then selecting one of the two IngressClasses with `ingressClassName`.
-When two or more 
 
 First, ensure the `--controller-class=` and `--ingress-class` are set to something different on each ingress controller:
 
@@ -20,7 +19,7 @@ spec:
          - name: ingress-nginx-internal-controller
            args:
              - /nginx-ingress-controller
-             - '--controller-class=k8s.io/internal-nginx'
+             - '--controller-class=k8s.io/internal-ingress-nginx'
              - '--ingress-class=k8s.io/internal-nginx'
             ...
 ```

From 0c2070ef4a70f09c0abe4d668dcdfd951522c9db Mon Sep 17 00:00:00 2001
From: Billy Walker <39878488+bwlkr@users.noreply.github.com>
Date: Thu, 27 Jan 2022 03:12:50 +0000
Subject: [PATCH 308/376] Adding annotations to the controller service account
 (#8173)

* fix: adding annotations to the controller service account

* fix: adding annotations to the controller service account
---
 charts/ingress-nginx/README.md                                | 1 +
 charts/ingress-nginx/templates/controller-serviceaccount.yaml | 4 ++++
 charts/ingress-nginx/values.yaml                              | 1 +
 3 files changed, 6 insertions(+)

diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index 32dfd36e2..15536a79e 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -473,6 +473,7 @@ Kubernetes: `>=1.19.0-0`
 | rbac.create | bool | `true` |  |
 | rbac.scope | bool | `false` |  |
 | revisionHistoryLimit | int | `10` | Rollback limit |
+| serviceAccount.annotations | object | `{}` | Annotations for the controller service account |
 | serviceAccount.automountServiceAccountToken | bool | `true` |  |
 | serviceAccount.create | bool | `true` |  |
 | serviceAccount.name | string | `""` |  |
diff --git a/charts/ingress-nginx/templates/controller-serviceaccount.yaml b/charts/ingress-nginx/templates/controller-serviceaccount.yaml
index a4d7db5d2..824b2a124 100644
--- a/charts/ingress-nginx/templates/controller-serviceaccount.yaml
+++ b/charts/ingress-nginx/templates/controller-serviceaccount.yaml
@@ -10,5 +10,9 @@ metadata:
     {{- end }}
   name: {{ template "ingress-nginx.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
+  {{- if .Values.serviceAccount.annotations }}
+  annotations:
+  {{ toYaml .Values.serviceAccount.annotations | indent 4 }}
+  {{- end }}
 automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 {{- end }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index bddd1eb5c..67144b097 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -888,6 +888,7 @@ serviceAccount:
   create: true
   name: ""
   automountServiceAccountToken: true
+  annotations: {}
 
 # -- Optional array of imagePullSecrets containing private registry credentials
 ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

From 32aa3404f7a99c01d12329bbbe81550200b0ee27 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 26 Jan 2022 19:36:52 -0800
Subject: [PATCH 309/376] Bump github.com/opencontainers/runc from 1.0.3 to
 1.1.0 (#8179)

Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.0.3 to 1.1.0.
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Changelog](https://github.com/opencontainers/runc/blob/master/CHANGELOG.md)
- [Commits](https://github.com/opencontainers/runc/compare/v1.0.3...v1.1.0)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/runc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod |  8 ++++----
 go.sum | 31 ++++++++++++++++---------------
 2 files changed, 20 insertions(+), 19 deletions(-)

diff --git a/go.mod b/go.mod
index d3497ed21..496cb25c9 100644
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,7 @@ require (
 	github.com/moul/pb v0.0.0-20180404114147-54bdd96e6a52
 	github.com/ncabatoff/process-exporter v0.7.10
 	github.com/onsi/ginkgo v1.16.4
-	github.com/opencontainers/runc v1.0.3
+	github.com/opencontainers/runc v1.1.0
 	github.com/pmezard/go-difflib v1.0.0
 	github.com/prometheus/client_golang v1.11.0
 	github.com/prometheus/client_model v0.2.0
@@ -60,7 +60,7 @@ require (
 	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/coreos/go-systemd/v22 v22.3.2 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.2 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/eapache/queue v1.1.0 // indirect
 	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
@@ -73,7 +73,7 @@ require (
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.19.5 // indirect
 	github.com/go-openapi/swag v0.19.14 // indirect
-	github.com/godbus/dbus/v5 v5.0.4 // indirect
+	github.com/godbus/dbus/v5 v5.0.6 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
@@ -95,7 +95,7 @@ require (
 	github.com/mailru/easyjson v0.7.6 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
 	github.com/mmarkdown/mmark v2.0.40+incompatible // indirect
-	github.com/moby/sys/mountinfo v0.4.1 // indirect
+	github.com/moby/sys/mountinfo v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
diff --git a/go.sum b/go.sum
index 156bbe48b..64e23953d 100644
--- a/go.sum
+++ b/go.sum
@@ -101,7 +101,6 @@ github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+Ce
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
-github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
 github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
@@ -114,11 +113,11 @@ github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghf
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M=
+github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
+github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA=
 github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
 github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
@@ -135,7 +134,7 @@ github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWH
 github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo=
 github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA=
 github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI=
-github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ=
+github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
@@ -152,8 +151,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsr
 github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg=
-github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
+github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI=
+github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -234,8 +233,9 @@ github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5F
 github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
-github.com/godbus/dbus/v5 v5.0.4 h1:9349emZab16e7zQvpmsbtjc18ykshndd8y2PG3sgJbA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/godbus/dbus/v5 v5.0.6 h1:mkgN1ofwASrYnJ5W6U/BxG15eXXXjirgZc7CLqkcaro=
+github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
@@ -479,8 +479,8 @@ github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR
 github.com/mmarkdown/mmark v2.0.40+incompatible h1:vMeUeDzBK3H+/mU0oMVfMuhSXJlIA+DE/DMPQNAj5C4=
 github.com/mmarkdown/mmark v2.0.40+incompatible/go.mod h1:Uvmoz7tvsWpr7bMVxIpqZPyN3FbOtzDmnsJDFp7ltJs=
 github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
-github.com/moby/sys/mountinfo v0.4.1 h1:1O+1cHA1aujwEwwVMa2Xm2l+gIpUHyd3+D+d7LZh1kM=
-github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
+github.com/moby/sys/mountinfo v0.5.0 h1:2Ks8/r6lopsxWi9m58nlwjaeSzUX9iiL1vj5qB/9ObI=
+github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU=
 github.com/moby/term v0.0.0-20210610120745-9d4ed1856297/go.mod h1:vgPCkQMyxTZ7IDy8SXRufE172gr8+K/JE/7hHFxHW3A=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
@@ -522,11 +522,11 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.15.0 h1:WjP/FQ/sk43MRmnEcT+MlDw2TFvkrXlprrPST/IudjU=
 github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0=
-github.com/opencontainers/runc v1.0.3 h1:1hbqejyQWCJBvtKAfdO0b1FmaEf2z/bxnjqbARass5k=
-github.com/opencontainers/runc v1.0.3/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
+github.com/opencontainers/runc v1.1.0 h1:O9+X96OcDjkmmZyfaG996kV7yq8HsoU2h1XRRQcefG8=
+github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8=
+github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
@@ -589,7 +589,7 @@ github.com/sagikazarmark/crypt v0.3.0/go.mod h1:uD/D+6UF4SrIR1uGEv7bBNkNqLGqUr43
 github.com/savsgio/gotils v0.0.0-20210617111740-97865ed5a873 h1:N3Af8f13ooDKcIhsmFT7Z05CStZWu4C7Md0uDEy4q6o=
 github.com/savsgio/gotils v0.0.0-20210617111740-97865ed5a873/go.mod h1:dmPawKuiAeG/aFYVs2i+Dyosoo7FNcm+Pi8iK6ZUrX8=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
-github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
+github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
 github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
@@ -909,7 +909,6 @@ golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -926,7 +925,6 @@ golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -938,9 +936,12 @@ golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211205182925-97ca703d548d h1:FjkYO/PPp4Wi0EAUOVLxePm7qVW4r4ctbWpURyuOD0E=
 golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

From 8cf73d9720106921447537098980319441859e21 Mon Sep 17 00:00:00 2001
From: Tiago Ferreira <tacf@users.noreply.github.com>
Date: Thu, 27 Jan 2022 16:34:59 +0000
Subject: [PATCH 310/376] Fix Indentation of example and link to cert-manager
 tutorial (#8203)

---
 docs/user-guide/tls.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/user-guide/tls.md b/docs/user-guide/tls.md
index 158d23fde..8a18069d4 100644
--- a/docs/user-guide/tls.md
+++ b/docs/user-guide/tls.md
@@ -115,7 +115,7 @@ spec:
   tls:
     - hosts:
         - ingress-demo.example.com
-        secretName: ingress-demo-tls
+      secretName: ingress-demo-tls
     [...]
 ```
 
@@ -156,5 +156,5 @@ data:
 [SNI]: https://en.wikipedia.org/wiki/Server_Name_Indication
 [mozilla-ssl-config-old]: https://ssl-config.mozilla.org/#server=nginx&config=old
 [cert-manager]: https://github.com/jetstack/cert-manager/
-[full-cert-manager-example]:https://cert-manager.io/docs/tutorials/acme/ingress/
+[full-cert-manager-example]:https://cert-manager.io/docs/tutorials/acme/nginx-ingress/
 [cert-manager-issuer-config]:https://cert-manager.io/docs/configuration/

From 40c69a1ef706a76c6b47d317003965ba9186cde3 Mon Sep 17 00:00:00 2001
From: Jintao Zhang <zhangjintao9020@gmail.com>
Date: Fri, 28 Jan 2022 22:16:31 +0800
Subject: [PATCH 311/376] chore: add Artifact Hub lint (#8204)

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
---
 .github/workflows/ci.yaml        |  7 ++++
 charts/ingress-nginx/Chart.yaml  | 70 ++++++++++++++++----------------
 charts/ingress-nginx/README.md   | 10 +++--
 charts/ingress-nginx/values.yaml |  1 +
 4 files changed, 49 insertions(+), 39 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 63bc7da08..25b8d5e14 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -148,6 +148,13 @@ jobs:
           git diff --exit-code
           rm -f ./helm-docs
 
+      - name: Run Artifact Hub lint
+        run: |
+          wget https://github.com/artifacthub/hub/releases/download/v1.5.0/ah_1.5.0_linux_amd64.tar.gz
+          tar -xzvf ah_1.5.0_linux_amd64.tar.gz ah
+          ./ah lint -p charts/ingress-nginx || exit 1
+          rm -f ./ah ./ah_1.5.0_linux_amd64.tar.gz
+
       - name: fix permissions
         run: |
           sudo mkdir -p $HOME/.kube
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 4d48ca0c3..e57e3ebb6 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -24,38 +24,38 @@ annotations:
   # List of changes for the release in artifacthub.io
   # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog
   artifacthub.io/changes: |
-    - #8120    Update go in runner and release v1.1.1
-    - #8119    Update to go v1.17.6
-    - #8118    Remove deprecated libraries, update other libs
-    - #8117    Fix codegen errors
-    - #8115    chart/ghaction: set the correct permission to have access to push a release
-    - #8098    generating SHA for CA only certs in backend_ssl.go + comparision of P…
-    - #8088    Fix Edit this page link to use main branch
-    - #8072    Expose GeoIP2 Continent code as variable
-    - #8061    docs(charts): using helm-docs for chart
-    - #8058    Bump github.com/spf13/cobra from 1.2.1 to 1.3.0
-    - #8054    Bump google.golang.org/grpc from 1.41.0 to 1.43.0
-    - #8051    align bug report with feature request regarding kind documentation
-    - #8046    Report expired certificates (#8045)
-    - #8044    remove G109 check till gosec resolves issues
-    - #8042    docs_multiple_instances_one_cluster_ticket_7543
-    - #8041    docs: fix typo'd executible name
-    - #8035    Comment busy owners
-    - #8029    Add stream-snippet as a ConfigMap and Annotation option
-    - #8023    fix nginx compilation flags
-    - #8021    Disable default modsecurity_rules_file if modsecurity-snippet is specified
-    - #8019    Revise main documentation page
-    - #8018    Preserve order of plugin invocation
-    - #8015    Add newline indenting to admission webhook annotations
-    - #8014    Add link to example error page manifest in docs
-    - #8009    Fix spelling in documentation and top-level files
-    - #8008    Add relabelings in controller-servicemonitor.yaml
-    - #8003    Minor improvements (formatting, consistency) in install guide
-    - #8001    fix: go-grpc Dockerfile
-    - #7999    images: use k8s-staging-test-infra/gcb-docker-gcloud
-    - #7996    doc: improvement
-    - #7983    Fix a couple of misspellings in the annotations documentation.
-    - #7979    allow set annotations for admission Jobs
-    - #7977    Add ssl_reject_handshake to defaul server
-    - #7975    add legacy version update v0.50.0 to main changelog
-    - #7972    updated service upstream definition
+    - "#8120    Update go in runner and release v1.1.1"
+    - "#8119    Update to go v1.17.6"
+    - "#8118    Remove deprecated libraries, update other libs"
+    - "#8117    Fix codegen errors"
+    - "#8115    chart/ghaction: set the correct permission to have access to push a release"
+    - "#8098    generating SHA for CA only certs in backend_ssl.go + comparision of P…"
+    - "#8088    Fix Edit this page link to use main branch"
+    - "#8072    Expose GeoIP2 Continent code as variable"
+    - "#8061    docs(charts): using helm-docs for chart"
+    - "#8058    Bump github.com/spf13/cobra from 1.2.1 to 1.3.0"
+    - "#8054    Bump google.golang.org/grpc from 1.41.0 to 1.43.0"
+    - "#8051    align bug report with feature request regarding kind documentation"
+    - "#8046    Report expired certificates (#8045)"
+    - "#8044    remove G109 check till gosec resolves issues"
+    - "#8042    docs_multiple_instances_one_cluster_ticket_7543"
+    - "#8041    docs: fix typo'd executible name"
+    - "#8035    Comment busy owners"
+    - "#8029    Add stream-snippet as a ConfigMap and Annotation option"
+    - "#8023    fix nginx compilation flags"
+    - "#8021    Disable default modsecurity_rules_file if modsecurity-snippet is specified"
+    - "#8019    Revise main documentation page"
+    - "#8018    Preserve order of plugin invocation"
+    - "#8015    Add newline indenting to admission webhook annotations"
+    - "#8014    Add link to example error page manifest in docs"
+    - "#8009    Fix spelling in documentation and top-level files"
+    - "#8008    Add relabelings in controller-servicemonitor.yaml"
+    - "#8003    Minor improvements (formatting, consistency) in install guide"
+    - "#8001    fix: go-grpc Dockerfile"
+    - "#7999    images: use k8s-staging-test-infra/gcb-docker-gcloud"
+    - "#7996    doc: improvement"
+    - "#7983    Fix a couple of misspellings in the annotations documentation."
+    - "#7979    allow set annotations for admission Jobs"
+    - "#7977    Add ssl_reject_handshake to defaul server"
+    - "#7975    add legacy version update v0.50.0 to main changelog"
+    - "#7972    updated service upstream definition"
diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index 15536a79e..17b534154 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -2,7 +2,7 @@
 
 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 
-![Version: 4.0.15](https://img.shields.io/badge/Version-4.0.15-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.1](https://img.shields.io/badge/AppVersion-1.1.1-informational?style=flat-square)
+![Version: 4.0.16](https://img.shields.io/badge/Version-4.0.16-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.1](https://img.shields.io/badge/AppVersion-1.1.1-informational?style=flat-square)
 
 To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
 
@@ -237,6 +237,7 @@ Kubernetes: `>=1.19.0-0`
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| commonLabels | object | `{}` |  |
 | controller.addHeaders | object | `{}` | Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers |
 | controller.admissionWebhooks.annotations | object | `{}` |  |
 | controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` |  |
@@ -278,10 +279,10 @@ Kubernetes: `>=1.19.0-0`
 | controller.autoscaling.targetMemoryUtilizationPercentage | int | `50` |  |
 | controller.autoscalingTemplate | list | `[]` |  |
 | controller.config | object | `{}` | Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ |
-| controller.configAnnotations | object | `{}` | Annotations to be added to the controller config configuration configmap |
+| controller.configAnnotations | object | `{}` | Annotations to be added to the controller config configuration configmap. |
 | controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) |
 | controller.containerName | string | `"controller"` | Configures the controller container name |
-| controller.containerPort | object | `{"http":80,"https":443}` | Configures the ports the nginx-controller listens on |
+| controller.containerPort | object | `{"http":80,"https":443}` | Configures the ports that the nginx-controller listens on |
 | controller.customTemplate.configMapKey | string | `""` |  |
 | controller.customTemplate.configMapName | string | `""` |  |
 | controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. |
@@ -293,6 +294,7 @@ Kubernetes: `>=1.19.0-0`
 | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. |
 | controller.extraEnvs | list | `[]` | Additional environment variables to set |
 | controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. |
+| controller.extraModules | list | `[]` |  |
 | controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. |
 | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. |
 | controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the ingress nginx controller is running in the `hostNetwork: true` mode. |
@@ -309,7 +311,7 @@ Kubernetes: `>=1.19.0-0`
 | controller.image.registry | string | `"k8s.gcr.io"` |  |
 | controller.image.runAsUser | int | `101` |  |
 | controller.image.tag | string | `"v1.1.1"` |  |
-| controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller) |
+| controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
 | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |
 | controller.ingressClassResource.default | bool | `false` | Is this the default ingressClass for the cluster |
 | controller.ingressClassResource.enabled | bool | `true` | Is this ingressClass enabled or not |
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 67144b097..079094b2b 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -888,6 +888,7 @@ serviceAccount:
   create: true
   name: ""
   automountServiceAccountToken: true
+  # -- Annotations for the controller service account
   annotations: {}
 
 # -- Optional array of imagePullSecrets containing private registry credentials

From fbdfc6505b8fd9eea937ae10af641cbc1dfdc5cd Mon Sep 17 00:00:00 2001
From: naseemkullah <24660299+naseemkullah@users.noreply.github.com>
Date: Sun, 30 Jan 2022 06:52:23 -0500
Subject: [PATCH 312/376] feat(metrics): add path and method labels to requests
 counter (#8201)

---
 internal/ingress/metric/collectors/socket.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/ingress/metric/collectors/socket.go b/internal/ingress/metric/collectors/socket.go
index a220d1456..44ca4b48b 100644
--- a/internal/ingress/metric/collectors/socket.go
+++ b/internal/ingress/metric/collectors/socket.go
@@ -190,7 +190,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost bool, bucke
 				Namespace:   PrometheusNamespace,
 				ConstLabels: constLabels,
 			},
-			[]string{"ingress", "namespace", "status", "service", "canary"},
+			requestTags,
 		),
 
 		bytesSent: prometheus.NewHistogramVec(

From a2a0e67fee9964796f56e3428cf6d1dc99ced261 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 31 Jan 2022 03:22:24 -0800
Subject: [PATCH 313/376] Bump github.com/prometheus/client_golang from 1.11.0
 to 1.12.1 (#8210)

Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.11.0 to 1.12.1.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.11.0...v1.12.1)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod |  6 +++---
 go.sum | 10 ++++++----
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/go.mod b/go.mod
index 496cb25c9..fa5be593d 100644
--- a/go.mod
+++ b/go.mod
@@ -18,9 +18,9 @@ require (
 	github.com/onsi/ginkgo v1.16.4
 	github.com/opencontainers/runc v1.1.0
 	github.com/pmezard/go-difflib v1.0.0
-	github.com/prometheus/client_golang v1.11.0
+	github.com/prometheus/client_golang v1.12.1
 	github.com/prometheus/client_model v0.2.0
-	github.com/prometheus/common v0.31.1
+	github.com/prometheus/common v0.32.1
 	github.com/spf13/cobra v1.3.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.7.0
@@ -119,7 +119,7 @@ require (
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	golang.org/x/mod v0.5.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
-	golang.org/x/sys v0.0.0-20211205182925-97ca703d548d // indirect
+	golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 // indirect
 	golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
diff --git a/go.sum b/go.sum
index 64e23953d..f7fe66f18 100644
--- a/go.sum
+++ b/go.sum
@@ -550,8 +550,9 @@ github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDf
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU=
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
-github.com/prometheus/client_golang v1.11.0 h1:HNkLOAEQMIDv/K+04rukrLx6ch7msSRwf3/SASFAGtQ=
 github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
+github.com/prometheus/client_golang v1.12.1 h1:ZiaPsmm9uiBeaSMRznKsCDNtPCS0T3JVDGF+06gjBzk=
+github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -564,8 +565,8 @@ github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8b
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
 github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
-github.com/prometheus/common v0.31.1 h1:d18hG4PkHnNAKNMOmFuXFaiY8Us0nird/2m60uS1AMs=
-github.com/prometheus/common v0.31.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
+github.com/prometheus/common v0.32.1 h1:hWIdL3N2HoUx3B8j3YN9mWor0qhY/NlEKZEaXxuIRh4=
+github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
 github.com/prometheus/exporter-toolkit v0.7.0/go.mod h1:ZUBIj498ePooX9t/2xtDjeQYwvRpiPP2lh5u4iblj2g=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
@@ -943,8 +944,9 @@ golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211205182925-97ca703d548d h1:FjkYO/PPp4Wi0EAUOVLxePm7qVW4r4ctbWpURyuOD0E=
 golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 h1:XfKQ4OlFl8okEOr5UvAqFRVj8pY/4yfcXrddB8qAbU0=
+golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d h1:SZxvLBoTP5yHO3Frd4z4vrF+DBX9vMVanchswa69toE=

From 0f464333a91b523581c6b1e74e49dd8afeb72906 Mon Sep 17 00:00:00 2001
From: stoupance <84509312+stoupance@users.noreply.github.com>
Date: Tue, 1 Feb 2022 18:34:10 +0100
Subject: [PATCH 314/376] Remove Capabilities.APIVersions for Kustomize to
 parse file (#7829)

---
 charts/ingress-nginx/templates/controller-servicemonitor.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/charts/ingress-nginx/templates/controller-servicemonitor.yaml
index 74abe43a3..4dbc6da9f 100644
--- a/charts/ingress-nginx/templates/controller-servicemonitor.yaml
+++ b/charts/ingress-nginx/templates/controller-servicemonitor.yaml
@@ -1,4 +1,4 @@
-{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled -}}
+{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled -}}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:

From dcd552ceb55b14087ad4e2a8c076055fa932e095 Mon Sep 17 00:00:00 2001
From: Damien Mathieu <42@dmathieu.com>
Date: Wed, 2 Feb 2022 14:12:22 +0100
Subject: [PATCH 315/376] use functional options to reduce number of methods
 creating an EchoDeployment (#8199)

---
 test/e2e/annotations/affinity.go              |  2 +-
 test/e2e/annotations/affinitymode.go          | 10 ++-
 test/e2e/annotations/authtls.go               |  2 +-
 test/e2e/annotations/canary.go                |  8 +--
 test/e2e/annotations/cors.go                  |  2 +-
 test/e2e/annotations/customhttperrors.go      |  2 +-
 test/e2e/annotations/proxyssl.go              |  2 +-
 test/e2e/annotations/upstreamhashby.go        |  2 +-
 test/e2e/framework/deployment.go              | 67 ++++++++++++-------
 test/e2e/ingress/multiple_rules.go            |  4 +-
 test/e2e/loadbalance/ewma.go                  |  2 +-
 test/e2e/loadbalance/round_robin.go           |  2 +-
 test/e2e/lua/dynamic_configuration.go         |  7 +-
 test/e2e/settings/default_ssl_certificate.go  |  2 +-
 test/e2e/settings/disable_catch_all.go        |  2 +-
 .../settings/disable_service_external_name.go |  2 +-
 test/e2e/settings/ingress_class.go            |  2 +-
 test/e2e/settings/namespace_selector.go       |  2 +-
 test/e2e/status/update.go                     |  2 +-
 test/e2e/tcpudp/tcp.go                        |  2 +-
 20 files changed, 75 insertions(+), 51 deletions(-)

diff --git a/test/e2e/annotations/affinity.go b/test/e2e/annotations/affinity.go
index 479860043..4ca567e4c 100644
--- a/test/e2e/annotations/affinity.go
+++ b/test/e2e/annotations/affinity.go
@@ -36,7 +36,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() {
 	f := framework.NewDefaultFramework("affinity")
 
 	ginkgo.BeforeEach(func() {
-		f.NewEchoDeploymentWithReplicas(2)
+		f.NewEchoDeployment(framework.WithDeploymentReplicas(2))
 	})
 
 	ginkgo.It("should set sticky cookie SERVERID", func() {
diff --git a/test/e2e/annotations/affinitymode.go b/test/e2e/annotations/affinitymode.go
index 3b533906e..6d22ea59f 100644
--- a/test/e2e/annotations/affinitymode.go
+++ b/test/e2e/annotations/affinitymode.go
@@ -34,7 +34,10 @@ var _ = framework.DescribeAnnotation("affinitymode", func() {
 	ginkgo.It("Balanced affinity mode should balance", func() {
 		deploymentName := "affinitybalanceecho"
 		replicas := 5
-		f.NewEchoDeploymentWithNameAndReplicas(deploymentName, replicas)
+		f.NewEchoDeployment(
+			framework.WithDeploymentName(deploymentName),
+			framework.WithDeploymentReplicas(replicas),
+		)
 
 		host := "affinity-mode-balance.com"
 		annotations := make(map[string]string)
@@ -64,7 +67,10 @@ var _ = framework.DescribeAnnotation("affinitymode", func() {
 	ginkgo.It("Check persistent affinity mode", func() {
 		deploymentName := "affinitypersistentecho"
 		replicas := 5
-		f.NewEchoDeploymentWithNameAndReplicas(deploymentName, replicas)
+		f.NewEchoDeployment(
+			framework.WithDeploymentName(deploymentName),
+			framework.WithDeploymentReplicas(replicas),
+		)
 
 		host := "affinity-mode-persistent.com"
 		annotations := make(map[string]string)
diff --git a/test/e2e/annotations/authtls.go b/test/e2e/annotations/authtls.go
index 093afe14e..790165475 100644
--- a/test/e2e/annotations/authtls.go
+++ b/test/e2e/annotations/authtls.go
@@ -30,7 +30,7 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() {
 	f := framework.NewDefaultFramework("authtls")
 
 	ginkgo.BeforeEach(func() {
-		f.NewEchoDeploymentWithReplicas(2)
+		f.NewEchoDeployment(framework.WithDeploymentReplicas(2))
 	})
 
 	ginkgo.It("should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret", func() {
diff --git a/test/e2e/annotations/canary.go b/test/e2e/annotations/canary.go
index 31e740434..4f1bdcad6 100644
--- a/test/e2e/annotations/canary.go
+++ b/test/e2e/annotations/canary.go
@@ -39,10 +39,10 @@ var _ = framework.DescribeAnnotation("canary-*", func() {
 
 	ginkgo.BeforeEach(func() {
 		// Deployment for main backend
-		f.NewEchoDeploymentWithReplicas(1)
+		f.NewEchoDeployment()
 
 		// Deployment for canary backend
-		f.NewEchoDeploymentWithNameAndReplicas(canaryService, 1)
+		f.NewEchoDeployment(framework.WithDeploymentName(canaryService))
 	})
 
 	ginkgo.Context("when canary is created", func() {
@@ -132,7 +132,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() {
 
 				ginkgo.By("returning a 503 status when the mainline deployment has 0 replicas and a request is sent to the canary")
 
-				f.NewEchoDeploymentWithReplicas(0)
+				f.NewEchoDeployment(framework.WithDeploymentReplicas(0))
 
 				resp, _, errs := gorequest.New().
 					Get(f.GetURL(framework.HTTP)).
@@ -145,7 +145,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() {
 
 				ginkgo.By("returning a 200 status when the canary deployment has 0 replicas and a request is sent to the mainline ingress")
 
-				f.NewEchoDeploymentWithReplicas(1)
+				f.NewEchoDeployment()
 				f.NewDeployment(canaryService, "k8s.gcr.io/e2e-test-images/echoserver:2.3", 8080, 0)
 
 				resp, _, errs = gorequest.New().
diff --git a/test/e2e/annotations/cors.go b/test/e2e/annotations/cors.go
index 64b633173..c249b3877 100644
--- a/test/e2e/annotations/cors.go
+++ b/test/e2e/annotations/cors.go
@@ -29,7 +29,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
 	f := framework.NewDefaultFramework("cors")
 
 	ginkgo.BeforeEach(func() {
-		f.NewEchoDeploymentWithReplicas(2)
+		f.NewEchoDeployment(framework.WithDeploymentReplicas(2))
 	})
 
 	ginkgo.It("should enable cors", func() {
diff --git a/test/e2e/annotations/customhttperrors.go b/test/e2e/annotations/customhttperrors.go
index c0115cb52..7256b93fa 100644
--- a/test/e2e/annotations/customhttperrors.go
+++ b/test/e2e/annotations/customhttperrors.go
@@ -101,7 +101,7 @@ var _ = framework.DescribeAnnotation("custom-http-errors", func() {
 
 		ginkgo.By("using the custom default-backend from annotation for upstream")
 		customDefaultBackend := "from-annotation"
-		f.NewEchoDeploymentWithNameAndReplicas(customDefaultBackend, 1)
+		f.NewEchoDeployment(framework.WithDeploymentName(customDefaultBackend))
 
 		err = framework.UpdateIngress(f.KubeClientSet, f.Namespace, host, func(ingress *networking.Ingress) error {
 			ingress.ObjectMeta.Annotations["nginx.ingress.kubernetes.io/default-backend"] = customDefaultBackend
diff --git a/test/e2e/annotations/proxyssl.go b/test/e2e/annotations/proxyssl.go
index 0e928664e..3672a4d81 100644
--- a/test/e2e/annotations/proxyssl.go
+++ b/test/e2e/annotations/proxyssl.go
@@ -150,7 +150,7 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() {
 	ginkgo.It("proxy-ssl-location-only flag should change the nginx config server part", func() {
 		host := "proxyssl.com"
 
-		f.NewEchoDeploymentWithNameAndReplicas("echodeployment", 1)
+		f.NewEchoDeployment(framework.WithDeploymentName("echodeployment"))
 
 		secretName := "secretone"
 		annotations := make(map[string]string)
diff --git a/test/e2e/annotations/upstreamhashby.go b/test/e2e/annotations/upstreamhashby.go
index 9474f2b2b..c4732a18d 100644
--- a/test/e2e/annotations/upstreamhashby.go
+++ b/test/e2e/annotations/upstreamhashby.go
@@ -77,7 +77,7 @@ var _ = framework.DescribeAnnotation("upstream-hash-by-*", func() {
 	f := framework.NewDefaultFramework("upstream-hash-by")
 
 	ginkgo.BeforeEach(func() {
-		f.NewEchoDeploymentWithReplicas(6)
+		f.NewEchoDeployment(framework.WithDeploymentReplicas(6))
 	})
 
 	ginkgo.It("should connect to the same pod", func() {
diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go
index c5fded856..3775af8bc 100644
--- a/test/e2e/framework/deployment.go
+++ b/test/e2e/framework/deployment.go
@@ -40,30 +40,45 @@ const HTTPBinService = "httpbin"
 // NginxBaseImage use for testing
 const NginxBaseImage = "k8s.gcr.io/ingress-nginx/nginx:v20210926-g5662db450@sha256:1ef404b5e8741fe49605a1f40c3fdd8ef657aecdb9526ea979d1672eeabd0cd9"
 
+type deploymentOptions struct {
+	namespace string
+	name      string
+	replicas  int
+}
+
+// WithDeploymentNamespace allows configuring the deployment's namespace
+func WithDeploymentNamespace(n string) func(*deploymentOptions) {
+	return func(o *deploymentOptions) {
+		o.namespace = n
+	}
+}
+
+// WithDeploymentName allows configuring the deployment's names
+func WithDeploymentName(n string) func(*deploymentOptions) {
+	return func(o *deploymentOptions) {
+		o.name = n
+	}
+}
+
+// WithDeploymentReplicas allows configuring the deployment's replicas count
+func WithDeploymentReplicas(r int) func(*deploymentOptions) {
+	return func(o *deploymentOptions) {
+		o.replicas = r
+	}
+}
+
 // NewEchoDeployment creates a new single replica deployment of the echoserver image in a particular namespace
-func (f *Framework) NewEchoDeployment() {
-	f.NewEchoDeploymentWithReplicas(1)
-}
+func (f *Framework) NewEchoDeployment(opts ...func(*deploymentOptions)) {
+	options := &deploymentOptions{
+		namespace: f.Namespace,
+		name:      EchoService,
+		replicas:  1,
+	}
+	for _, o := range opts {
+		o(options)
+	}
 
-// NewEchoDeploymentWithReplicas creates a new deployment of the echoserver image in a particular namespace. Number of
-// replicas is configurable
-func (f *Framework) NewEchoDeploymentWithReplicas(replicas int) {
-	f.NewEchoDeploymentWithNameAndReplicas(EchoService, replicas)
-}
-
-// NewEchoDeploymentWithNameAndReplicas creates a new deployment of the echoserver image in a particular namespace. Number of
-// replicas is configurable and
-// name is configurable
-func (f *Framework) NewEchoDeploymentWithNameAndReplicas(name string, replicas int) {
-	f.newEchoDeployment(f.Namespace, name, replicas)
-}
-
-func (f *Framework) NewEchoDeploymentWithNamespaceAndReplicas(namespace string, replicas int) {
-	f.newEchoDeployment(namespace, EchoService, replicas)
-}
-
-func (f *Framework) newEchoDeployment(namespace, name string, replicas int) {
-	deployment := newDeployment(name, namespace, "k8s.gcr.io/ingress-nginx/e2e-test-echo@sha256:131ece0637b29231470cfaa04690c2966a2e0b147d3c9df080a0857b78982410", 80, int32(replicas),
+	deployment := newDeployment(options.name, options.namespace, "k8s.gcr.io/ingress-nginx/e2e-test-echo@sha256:131ece0637b29231470cfaa04690c2966a2e0b147d3c9df080a0857b78982410", 80, int32(options.replicas),
 		nil,
 		[]corev1.VolumeMount{},
 		[]corev1.Volume{},
@@ -73,8 +88,8 @@ func (f *Framework) newEchoDeployment(namespace, name string, replicas int) {
 
 	service := &corev1.Service{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      name,
-			Namespace: namespace,
+			Name:      options.name,
+			Namespace: options.namespace,
 		},
 		Spec: corev1.ServiceSpec{
 			Ports: []corev1.ServicePort{
@@ -86,14 +101,14 @@ func (f *Framework) newEchoDeployment(namespace, name string, replicas int) {
 				},
 			},
 			Selector: map[string]string{
-				"app": name,
+				"app": options.name,
 			},
 		},
 	}
 
 	f.EnsureService(service)
 
-	err := WaitForEndpoints(f.KubeClientSet, DefaultTimeout, name, namespace, replicas)
+	err := WaitForEndpoints(f.KubeClientSet, DefaultTimeout, options.name, options.namespace, options.replicas)
 	assert.Nil(ginkgo.GinkgoT(), err, "waiting for endpoints to become ready")
 }
 
diff --git a/test/e2e/ingress/multiple_rules.go b/test/e2e/ingress/multiple_rules.go
index 030be172a..07f5c1427 100644
--- a/test/e2e/ingress/multiple_rules.go
+++ b/test/e2e/ingress/multiple_rules.go
@@ -31,8 +31,8 @@ var _ = framework.IngressNginxDescribe("single ingress - multiple hosts", func()
 	f := framework.NewDefaultFramework("simh")
 	pathprefix := networking.PathTypePrefix
 	ginkgo.BeforeEach(func() {
-		f.NewEchoDeploymentWithNameAndReplicas("first-service", 1)
-		f.NewEchoDeploymentWithNameAndReplicas("second-service", 1)
+		f.NewEchoDeployment(framework.WithDeploymentName("first-service"))
+		f.NewEchoDeployment(framework.WithDeploymentName("second-service"))
 	})
 
 	ginkgo.It("should set the correct $service_name NGINX variable", func() {
diff --git a/test/e2e/loadbalance/ewma.go b/test/e2e/loadbalance/ewma.go
index 52e235569..15289f372 100644
--- a/test/e2e/loadbalance/ewma.go
+++ b/test/e2e/loadbalance/ewma.go
@@ -32,7 +32,7 @@ var _ = framework.DescribeSetting("[Load Balancer] EWMA", func() {
 	f := framework.NewDefaultFramework("ewma")
 
 	ginkgo.BeforeEach(func() {
-		f.NewEchoDeploymentWithReplicas(3)
+		f.NewEchoDeployment(framework.WithDeploymentReplicas(3))
 		f.SetNginxConfigMapData(map[string]string{
 			"worker-processes": "2",
 			"load-balance":     "ewma"},
diff --git a/test/e2e/loadbalance/round_robin.go b/test/e2e/loadbalance/round_robin.go
index f035005dd..bc74ba9fb 100644
--- a/test/e2e/loadbalance/round_robin.go
+++ b/test/e2e/loadbalance/round_robin.go
@@ -32,7 +32,7 @@ var _ = framework.DescribeSetting("[Load Balancer] round-robin", func() {
 	f := framework.NewDefaultFramework("round-robin")
 
 	ginkgo.BeforeEach(func() {
-		f.NewEchoDeploymentWithReplicas(3)
+		f.NewEchoDeployment(framework.WithDeploymentReplicas(3))
 		f.UpdateNginxConfigMapData("worker-processes", "1")
 	})
 
diff --git a/test/e2e/lua/dynamic_configuration.go b/test/e2e/lua/dynamic_configuration.go
index 0a88fb07b..b382e52cc 100644
--- a/test/e2e/lua/dynamic_configuration.go
+++ b/test/e2e/lua/dynamic_configuration.go
@@ -43,7 +43,7 @@ var _ = framework.IngressNginxDescribe("[Lua] dynamic configuration", func() {
 	f := framework.NewDefaultFramework("dynamic-configuration")
 
 	ginkgo.BeforeEach(func() {
-		f.NewEchoDeploymentWithReplicas(1)
+		f.NewEchoDeployment()
 		ensureIngress(f, "foo.com", framework.EchoService)
 	})
 
@@ -124,7 +124,10 @@ var _ = framework.IngressNginxDescribe("[Lua] dynamic configuration", func() {
 
 		ginkgo.It("handles endpoints only changes consistently (down scaling of replicas vs. empty service)", func() {
 			deploymentName := "scalingecho"
-			f.NewEchoDeploymentWithNameAndReplicas(deploymentName, 0)
+			f.NewEchoDeployment(
+				framework.WithDeploymentName(deploymentName),
+				framework.WithDeploymentReplicas(0),
+			)
 			createIngress(f, "scaling.foo.com", deploymentName)
 
 			resp := f.HTTPTestClient().
diff --git a/test/e2e/settings/default_ssl_certificate.go b/test/e2e/settings/default_ssl_certificate.go
index 421a1543b..eede8ef75 100644
--- a/test/e2e/settings/default_ssl_certificate.go
+++ b/test/e2e/settings/default_ssl_certificate.go
@@ -38,7 +38,7 @@ var _ = framework.IngressNginxDescribe("[SSL] [Flag] default-ssl-certificate", f
 	port := 80
 
 	ginkgo.BeforeEach(func() {
-		f.NewEchoDeploymentWithReplicas(1)
+		f.NewEchoDeployment(framework.WithDeploymentReplicas(1))
 
 		var err error
 		tlsConfig, err = framework.CreateIngressTLSSecret(f.KubeClientSet,
diff --git a/test/e2e/settings/disable_catch_all.go b/test/e2e/settings/disable_catch_all.go
index f5d9bfadc..dce772f9a 100644
--- a/test/e2e/settings/disable_catch_all.go
+++ b/test/e2e/settings/disable_catch_all.go
@@ -34,7 +34,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-catch-all", func() {
 	f := framework.NewDefaultFramework("disabled-catch-all")
 
 	ginkgo.BeforeEach(func() {
-		f.NewEchoDeploymentWithReplicas(1)
+		f.NewEchoDeployment(framework.WithDeploymentReplicas(1))
 
 		err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error {
 			args := deployment.Spec.Template.Spec.Containers[0].Args
diff --git a/test/e2e/settings/disable_service_external_name.go b/test/e2e/settings/disable_service_external_name.go
index 910a906ca..d8da89d4a 100644
--- a/test/e2e/settings/disable_service_external_name.go
+++ b/test/e2e/settings/disable_service_external_name.go
@@ -35,7 +35,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-service-external-name", f
 	f := framework.NewDefaultFramework("disabled-service-external-name")
 
 	ginkgo.BeforeEach(func() {
-		f.NewEchoDeploymentWithReplicas(2)
+		f.NewEchoDeployment(framework.WithDeploymentReplicas(2))
 
 		err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error {
 			args := deployment.Spec.Template.Spec.Containers[0].Args
diff --git a/test/e2e/settings/ingress_class.go b/test/e2e/settings/ingress_class.go
index 09134ccba..2372d209b 100644
--- a/test/e2e/settings/ingress_class.go
+++ b/test/e2e/settings/ingress_class.go
@@ -45,7 +45,7 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() {
 	otherController := "k8s.io/other-class"
 
 	ginkgo.BeforeEach(func() {
-		f.NewEchoDeploymentWithReplicas(1)
+		f.NewEchoDeployment(framework.WithDeploymentReplicas(1))
 
 		doOnce.Do(func() {
 			_, err := f.KubeClientSet.NetworkingV1().IngressClasses().
diff --git a/test/e2e/settings/namespace_selector.go b/test/e2e/settings/namespace_selector.go
index ea162d594..7c07a841d 100644
--- a/test/e2e/settings/namespace_selector.go
+++ b/test/e2e/settings/namespace_selector.go
@@ -37,7 +37,7 @@ var _ = framework.IngressNginxDescribe("[Flag] watch namespace selector", func()
 	prepareTestIngress := func(baseName string, host string, labels map[string]string) string {
 		ns, err := framework.CreateKubeNamespaceWithLabel(f.BaseName, labels, f.KubeClientSet)
 		assert.Nil(ginkgo.GinkgoT(), err, "creating test namespace")
-		f.NewEchoDeploymentWithNamespaceAndReplicas(ns, 1)
+		f.NewEchoDeployment(framework.WithDeploymentNamespace(ns))
 		ing := framework.NewSingleIngressWithIngressClass(host, "/", host, ns, framework.EchoService, f.IngressClass, 80, nil)
 		f.EnsureIngress(ing)
 		return ns
diff --git a/test/e2e/status/update.go b/test/e2e/status/update.go
index 23679afdc..43d61b0e9 100644
--- a/test/e2e/status/update.go
+++ b/test/e2e/status/update.go
@@ -69,7 +69,7 @@ var _ = framework.IngressNginxDescribe("[Status] status update", func() {
 		})
 		assert.Nil(ginkgo.GinkgoT(), err, "unexpected error updating ingress controller deployment flags")
 
-		f.NewEchoDeploymentWithReplicas(1)
+		f.NewEchoDeployment()
 
 		ing := f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil))
 
diff --git a/test/e2e/tcpudp/tcp.go b/test/e2e/tcpudp/tcp.go
index 9b1885510..553cb46d3 100644
--- a/test/e2e/tcpudp/tcp.go
+++ b/test/e2e/tcpudp/tcp.go
@@ -38,7 +38,7 @@ var _ = framework.IngressNginxDescribe("[TCP] tcp-services", func() {
 	f := framework.NewDefaultFramework("tcp")
 
 	ginkgo.It("should expose a TCP service", func() {
-		f.NewEchoDeploymentWithReplicas(1)
+		f.NewEchoDeployment()
 
 		config, err := f.KubeClientSet.
 			CoreV1().

From a46626b259d87bfde2a9967cf3a16862638521b3 Mon Sep 17 00:00:00 2001
From: Kundan Kumar <kundan.kumar@india.nec.com>
Date: Mon, 7 Feb 2022 01:40:52 +0530
Subject: [PATCH 316/376] 8217 fix removed extra v (#8218)

---
 cmd/plugin/ingress-nginx.yaml.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/plugin/ingress-nginx.yaml.tmpl b/cmd/plugin/ingress-nginx.yaml.tmpl
index 1283cb7f3..9fce2d92d 100644
--- a/cmd/plugin/ingress-nginx.yaml.tmpl
+++ b/cmd/plugin/ingress-nginx.yaml.tmpl
@@ -6,7 +6,7 @@ spec:
   shortDescription: Interact with ingress-nginx
   description: |
     The official kubectl plugin for ingress-nginx.
-  version: v%%%tag%%%
+  version: %%%tag%%%
   homepage: https://kubernetes.github.io/ingress-nginx/kubectl-plugin/
   platforms:
   - uri: https://github.com/kubernetes/ingress-nginx/releases/download/nginx-%%%tag%%%/kubectl-ingress_nginx-darwin-arm64.tar.gz

From 6b6ebf0a7c5d3cdc8eacdfb0ec63f50e811d5dc4 Mon Sep 17 00:00:00 2001
From: Alexander Brand <alexbrand09@gmail.com>
Date: Sun, 6 Feb 2022 15:14:53 -0500
Subject: [PATCH 317/376] Update the $req_id placeholder description (#8163)

---
 docs/user-guide/nginx-configuration/log-format.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/user-guide/nginx-configuration/log-format.md b/docs/user-guide/nginx-configuration/log-format.md
index e39c5f695..4a8a45755 100644
--- a/docs/user-guide/nginx-configuration/log-format.md
+++ b/docs/user-guide/nginx-configuration/log-format.md
@@ -29,7 +29,7 @@ log_format upstreaminfo
 | `$upstream_response_length` | the length of the response obtained from the upstream server |
 | `$upstream_response_time` | time spent on receiving the response from the upstream server as seconds with millisecond resolution |
 | `$upstream_status` | status code of the response obtained from the upstream server |
-| `$req_id` | the randomly generated ID of the request  |
+| `$req_id` | value of the `X-Request-ID` HTTP header. If the header is not set, a randomly generated ID. |
 
 Additional available variables:
 

From 4b4895b53bb5fd00874deeeb914d5d36fd19556e Mon Sep 17 00:00:00 2001
From: Tomas Hulata <tombo@sysart.tech>
Date: Sun, 6 Feb 2022 21:18:51 +0100
Subject: [PATCH 318/376] add ingress.class (#8136)

Signed-off-by: tombokombo <tombo@sysart.tech>
---
 charts/ingress-nginx/Chart.yaml            | 2 +-
 charts/ingress-nginx/README.md             | 3 ++-
 charts/ingress-nginx/templates/_params.tpl | 3 +++
 charts/ingress-nginx/values.yaml           | 4 ++++
 4 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index e57e3ebb6..6a8510284 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.0.16
+version: 4.0.17
 appVersion: 1.1.1
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index 17b534154..e5e93a146 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -2,7 +2,7 @@
 
 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 
-![Version: 4.0.16](https://img.shields.io/badge/Version-4.0.16-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.1](https://img.shields.io/badge/AppVersion-1.1.1-informational?style=flat-square)
+![Version: 4.0.17](https://img.shields.io/badge/Version-4.0.17-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.1](https://img.shields.io/badge/AppVersion-1.1.1-informational?style=flat-square)
 
 To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
 
@@ -311,6 +311,7 @@ Kubernetes: `>=1.19.0-0`
 | controller.image.registry | string | `"k8s.gcr.io"` |  |
 | controller.image.runAsUser | int | `101` |  |
 | controller.image.tag | string | `"v1.1.1"` |  |
+| controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
 | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
 | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |
 | controller.ingressClassResource.default | bool | `false` | Is this the default ingressClass for the cluster |
diff --git a/charts/ingress-nginx/templates/_params.tpl b/charts/ingress-nginx/templates/_params.tpl
index 64a462eaa..305ce0dd2 100644
--- a/charts/ingress-nginx/templates/_params.tpl
+++ b/charts/ingress-nginx/templates/_params.tpl
@@ -12,6 +12,9 @@
 {{- end }}
 - --election-id={{ .Values.controller.electionID }}
 - --controller-class={{ .Values.controller.ingressClassResource.controllerValue }}
+{{- if .Values.controller.ingressClass }}
+- --ingress-class={{ .Values.controller.ingressClass }}
+{{- end }}
 - --configmap={{ default "$(POD_NAMESPACE)" .Values.controller.configMapNamespace }}/{{ include "ingress-nginx.controller.fullname" . }}
 {{- if .Values.tcp }}
 - --tcp-services-configmap={{ default "$(POD_NAMESPACE)" .Values.controller.tcp.configMapNamespace }}/{{ include "ingress-nginx.fullname" . }}-tcp
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 079094b2b..eb6db4a05 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -116,6 +116,10 @@ controller:
     # does not require extra parameters.
     parameters: {}
 
+  # -- For backwards compatibility with ingress.class annotation, use ingressClass.
+  # Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation
+  ingressClass: nginx
+
   # -- Labels to add to the pod container metadata
   podLabels: {}
   #  key: value

From d769ceaa5b29af5095224a44fdfcc774612a3981 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 6 Feb 2022 12:22:52 -0800
Subject: [PATCH 319/376] Bump google.golang.org/grpc from 1.43.0 to 1.44.0
 (#8209)

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.43.0 to 1.44.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.43.0...v1.44.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index fa5be593d..98d374bf0 100644
--- a/go.mod
+++ b/go.mod
@@ -27,7 +27,7 @@ require (
 	github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a
 	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
 	golang.org/x/net v0.0.0-20211209124913-491a49abca63
-	google.golang.org/grpc v1.43.0
+	google.golang.org/grpc v1.44.0
 	gopkg.in/go-playground/pool.v3 v3.1.1
 	k8s.io/api v0.22.5
 	k8s.io/apiextensions-apiserver v0.22.5
diff --git a/go.sum b/go.sum
index f7fe66f18..573fc3f84 100644
--- a/go.sum
+++ b/go.sum
@@ -1171,8 +1171,8 @@ google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.43.0 h1:Eeu7bZtDZ2DpRCsLhUlcrLnvYaMK1Gz86a+hMVvELmM=
-google.golang.org/grpc v1.43.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
+google.golang.org/grpc v1.44.0 h1:weqSxi/TMs1SqFRMHCtBgXRs8k3X39QIDEZ0pRcttUg=
+google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=

From 04035cc1c2487a73f47450e3d2f45721391de4fe Mon Sep 17 00:00:00 2001
From: Elvin Efendi <elvin.efendiyev@gmail.com>
Date: Sun, 6 Feb 2022 15:28:51 -0500
Subject: [PATCH 320/376] Do not validate ingresses with unknown ingress class
 in admission webhook endpoint. (#8221)

---
 internal/ingress/controller/controller.go     |  6 ++++
 .../ingress/controller/controller_test.go     |  4 +++
 internal/ingress/controller/store/store.go    |  3 ++
 test/e2e/admission/admission.go               | 29 +++++++++++++++++++
 4 files changed, 42 insertions(+)

diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 48a91b67b..9afe00953 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -233,6 +233,12 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 		return nil
 	}
 
+	// Do not attempt to validate an ingress that's not meant to be controlled by the current instance of the controller.
+	if ingressClass, err := n.store.GetIngressClass(ing, n.cfg.IngressClassConfiguration); ingressClass == "" {
+		klog.Warningf("ignoring ingress %v in %v based on annotation %v: %v", ing.Name, ing.ObjectMeta.Namespace, ingressClass, err)
+		return nil
+	}
+
 	if n.cfg.Namespace != "" && ing.ObjectMeta.Namespace != n.cfg.Namespace {
 		klog.Warningf("ignoring ingress %v in namespace %v different from the namespace watched %s", ing.Name, ing.ObjectMeta.Namespace, n.cfg.Namespace)
 		return nil
diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go
index b67929b97..5e3eb9113 100644
--- a/internal/ingress/controller/controller_test.go
+++ b/internal/ingress/controller/controller_test.go
@@ -63,6 +63,10 @@ type fakeIngressStore struct {
 	configuration ngx_config.Configuration
 }
 
+func (fakeIngressStore) GetIngressClass(ing *networking.Ingress, icConfig *ingressclass.IngressClassConfiguration) (string, error) {
+	return "nginx", nil
+}
+
 func (fis fakeIngressStore) GetBackendConfiguration() ngx_config.Configuration {
 	return fis.configuration
 }
diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go
index 7e9b89735..2b15dc74d 100644
--- a/internal/ingress/controller/store/store.go
+++ b/internal/ingress/controller/store/store.go
@@ -98,6 +98,9 @@ type Storer interface {
 
 	// Run initiates the synchronization of the controllers
 	Run(stopCh chan struct{})
+
+	// GetIngressClass validates given ingress against ingress class configuration and returns the ingress class.
+	GetIngressClass(ing *networkingv1.Ingress, icConfig *ingressclass.IngressClassConfiguration) (string, error)
 }
 
 // EventType type of event associated with an informer
diff --git a/test/e2e/admission/admission.go b/test/e2e/admission/admission.go
index 2099e54d4..c4c1ef76d 100644
--- a/test/e2e/admission/admission.go
+++ b/test/e2e/admission/admission.go
@@ -191,6 +191,12 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
 			assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid configuration should return an error")
 		}
 	})
+
+	ginkgo.It("should not return an error for an invalid Ingress when it has unknown class", func() {
+		out, err := createIngress(f.Namespace, invalidV1IngressWithOtherClass)
+		assert.Equal(ginkgo.GinkgoT(), "ingress.networking.k8s.io/extensions-invalid-other created\n", out)
+		assert.Nil(ginkgo.GinkgoT(), err, "creating an invalid ingress with unknown class using kubectl")
+	})
 })
 
 func uninstallChart(f *framework.Framework) error {
@@ -270,6 +276,29 @@ spec:
             port:
               number: 80
 ---
+`
+	invalidV1IngressWithOtherClass = `
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: extensions-invalid-other
+  annotations:
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      invalid directive
+spec:
+  ingressClassName: nginx-other
+  rules:
+  - host: extensions-invalid
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: echo
+            port:
+              number: 80
+---
 `
 )
 

From 935ea3d8303cfa56bd42358f39adfa922a883038 Mon Sep 17 00:00:00 2001
From: Ricardo Katz <rikatz@users.noreply.github.com>
Date: Sun, 6 Feb 2022 17:42:51 -0300
Subject: [PATCH 321/376] Update libraries in webhook image (#8227)

---
 images/kube-webhook-certgen/rootfs/go.mod |  12 +-
 images/kube-webhook-certgen/rootfs/go.sum | 208 +++-------------------
 2 files changed, 35 insertions(+), 185 deletions(-)

diff --git a/images/kube-webhook-certgen/rootfs/go.mod b/images/kube-webhook-certgen/rootfs/go.mod
index edd26c0df..edd74bea3 100644
--- a/images/kube-webhook-certgen/rootfs/go.mod
+++ b/images/kube-webhook-certgen/rootfs/go.mod
@@ -5,10 +5,10 @@ go 1.16
 require (
 	github.com/onrik/logrus v0.9.0
 	github.com/sirupsen/logrus v1.8.1
-	github.com/spf13/cobra v1.2.1
-	github.com/tidwall/gjson v1.8.1 // indirect
-	k8s.io/api v0.22.0
-	k8s.io/apimachinery v0.22.0
-	k8s.io/client-go v0.22.0
-	k8s.io/kube-aggregator v0.22.0
+	github.com/spf13/cobra v1.1.3
+	github.com/tidwall/gjson v1.14.0 // indirect
+	k8s.io/api v0.22.6
+	k8s.io/apimachinery v0.22.6
+	k8s.io/client-go v0.22.6
+	k8s.io/kube-aggregator v0.22.6
 )
diff --git a/images/kube-webhook-certgen/rootfs/go.sum b/images/kube-webhook-certgen/rootfs/go.sum
index c1592f68d..5889d4e49 100644
--- a/images/kube-webhook-certgen/rootfs/go.sum
+++ b/images/kube-webhook-certgen/rootfs/go.sum
@@ -9,33 +9,18 @@ cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6T
 cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
 cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
 cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
-cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=
-cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
-cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
-cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
-cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI=
-cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk=
-cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg=
-cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8=
-cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
-cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
-cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
-cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
 cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
-cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
 cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
 cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
 cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
-cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
-cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
@@ -69,7 +54,6 @@ github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+Ce
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
-github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
@@ -81,7 +65,6 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo=
 github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA=
@@ -109,7 +92,6 @@ github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
-github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
@@ -161,15 +143,11 @@ github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfb
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
 github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
-github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
@@ -189,11 +167,7 @@ github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5a
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
@@ -201,19 +175,11 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/
 github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
-github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
-github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -252,7 +218,6 @@ github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2p
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q=
 github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
@@ -276,7 +241,6 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
@@ -285,7 +249,6 @@ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
-github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
@@ -302,7 +265,6 @@ github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS4
 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
 github.com/moby/term v0.0.0-20210610120745-9d4ed1856297/go.mod h1:vgPCkQMyxTZ7IDy8SXRufE172gr8+K/JE/7hHFxHW3A=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -335,13 +297,11 @@ github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1y
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
-github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
@@ -386,20 +346,15 @@ github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
-github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cobra v1.1.3 h1:xghbfqPkxzxP3C/f3n5DdpAbdKLj4ZE4BWQI362l53M=
 github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo=
-github.com/spf13/cobra v1.2.1 h1:+KmjbUw1hriSNMF55oPrkZcb27aECyrj8V2ytv7kWDw=
-github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
-github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
-github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -411,18 +366,16 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
-github.com/tidwall/gjson v1.8.1 h1:8j5EE9Hrh3l9Od1OIEDAb7IpezNA20UdRngNAj5N0WU=
-github.com/tidwall/gjson v1.8.1/go.mod h1:5/xDoumyyDNerp2U36lyolv46b3uF/9Bu6OfyQ9GImk=
-github.com/tidwall/match v1.0.3 h1:FQUVvBImDutD8wJLN6c5eMzWtjgONK9MwIBCOrUJKeE=
-github.com/tidwall/match v1.0.3/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
-github.com/tidwall/pretty v1.1.0 h1:K3hMW5epkdAVwibsQEfR/7Zj0Qgt4DxtNumTq/VloO8=
-github.com/tidwall/pretty v1.1.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
+github.com/tidwall/gjson v1.14.0 h1:6aeJ0bzojgWLa82gDQHcx3S0Lr/O51I9bJ5nv6JFx5w=
+github.com/tidwall/gjson v1.14.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
+github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
+github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
-github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
@@ -438,9 +391,6 @@ go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
-go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:2AboqHi0CiIZU0qwhtUfCYD1GeUzvvIXWNkhDt7ZMG4=
@@ -465,7 +415,6 @@ golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -492,7 +441,6 @@ golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHl
 golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
 golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
@@ -502,8 +450,6 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB
 golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -521,7 +467,6 @@ golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -531,46 +476,26 @@ golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20210520170846-37e1c6afe023 h1:ADo5wSpq2gqaCGQWzk7S5vd//0iyyLeAratkEoG5dLE=
-golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211209124913-491a49abca63 h1:iocB37TsdFuN6IBRZ+ry36wrkoV51/tl5vOWqkcPGvY=
+golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602 h1:0Ja1LBD+yisY6RWM/BH7TJVXWsSjs2VwBSmvSX4HdBc=
-golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -605,28 +530,14 @@ golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -643,7 +554,6 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -688,26 +598,10 @@ golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapK
 golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
-golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
-golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
-golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
-golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -723,27 +617,13 @@ google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsb
 google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
 google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
 google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
 google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
-google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
-google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
-google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
-google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
-google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE=
-google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
-google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
-google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94=
-google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
+google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
-google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
@@ -761,31 +641,11 @@ google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvx
 google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
 google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
-google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
 google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
@@ -795,17 +655,9 @@ google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQ
 google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
-google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
-google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
-google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
 google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
@@ -832,7 +684,6 @@ gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMy
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
@@ -860,34 +711,33 @@ honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.22.0 h1:elCpMZ9UE8dLdYxr55E06TmSeji9I3KH494qH70/y+c=
-k8s.io/api v0.22.0/go.mod h1:0AoXXqst47OI/L0oGKq9DG61dvGRPXs7X4/B7KyjBCU=
-k8s.io/apimachinery v0.22.0 h1:CqH/BdNAzZl+sr3tc0D3VsK3u6ARVSo3GWyLmfIjbP0=
-k8s.io/apimachinery v0.22.0/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0=
-k8s.io/apiserver v0.22.0/go.mod h1:04kaIEzIQrTGJ5syLppQWvpkLJXQtJECHmae+ZGc/nc=
-k8s.io/client-go v0.22.0 h1:sD6o9O6tCwUKCENw8v+HFsuAbq2jCu8cWC61/ydwA50=
-k8s.io/client-go v0.22.0/go.mod h1:GUjIuXR5PiEv/RVK5OODUsm6eZk7wtSWZSaSJbpFdGg=
-k8s.io/code-generator v0.22.0/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o=
-k8s.io/component-base v0.22.0/go.mod h1:SXj6Z+V6P6GsBhHZVbWCw9hFjUdUYnJerlhhPnYCBCg=
+k8s.io/api v0.22.6 h1:acjE5ABt0KpsBI9QCtLqaQEPSF94jOtE/LoFxSYasSE=
+k8s.io/api v0.22.6/go.mod h1:q1F7IfaNrbi/83ebLy3YFQYLjPSNyunZ/IXQxMmbwCg=
+k8s.io/apimachinery v0.22.6 h1:z7vxNRkFX0NToA+8D17kzLZ/T4t+DqwzUlqqbqRepRs=
+k8s.io/apimachinery v0.22.6/go.mod h1:ZvVLP5iLhwVFg2Yx9Gh5W0um0DUauExbRhe+2Z8I1EU=
+k8s.io/apiserver v0.22.6/go.mod h1:OlL1rGa2kKWGj2JEXnwBcul/BwC9Twe95gm4ohtiIIs=
+k8s.io/client-go v0.22.6 h1:ugAXeC312xeGXsn7zTRz+btgtLBnW3qYhtUUpVQL7YE=
+k8s.io/client-go v0.22.6/go.mod h1:TffU4AV2idZGeP+g3kdFZP+oHVHWPL1JYFySOALriw0=
+k8s.io/code-generator v0.22.6/go.mod h1:iOZwYADSgFPNGWfqHFfg1V0TNJnl1t0WyZluQp4baqU=
+k8s.io/component-base v0.22.6/go.mod h1:ngHLefY4J5fq2fApNdbWyj4yh0lvw36do4aAjNN8rc8=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.9.0 h1:D7HV+n1V57XeZ0m6tdRkfknthUaM06VFbWldOFh8kzM=
 k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
-k8s.io/kube-aggregator v0.22.0 h1:he3plI8vlaPJxR9vsy/lL5ga1V8CoA8M8x1Bn8eTCeM=
-k8s.io/kube-aggregator v0.22.0/go.mod h1:zHTepg0Q4tKzru7Pwg1QYHWrU/wrvIXM8hUdDAH66qg=
-k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e h1:KLHHjkdQFomZy8+06csTWZ0m1343QqxZhR2LJ1OxCYM=
-k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw=
-k8s.io/utils v0.0.0-20210707171843-4b05e18ac7d9 h1:imL9YgXQ9p7xmPzHFm/vVd/cF78jad+n4wK1ABwYtMM=
-k8s.io/utils v0.0.0-20210707171843-4b05e18ac7d9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+k8s.io/kube-aggregator v0.22.6 h1:/iaXzOWia2dqOQkIA9eJtkmfTveJMLz3Dci9ZA/WgmU=
+k8s.io/kube-aggregator v0.22.6/go.mod h1:0RSTzxqiwsj5HUlov195Z72ZKyE4qgedKXCl6sLKAjM=
+k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c h1:jvamsI1tn9V0S8jicyX82qaFC0H/NKxv2e5mbqsgR80=
+k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw=
+k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a h1:8dYfu/Fc9Gz2rNJKB9IQRGgQOh2clmRzNIPPY1xLY5g=
+k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.27/go.mod h1:tq2nT0Kx7W+/f2JVE+zxYtUhdjuELJkVpNz+x/QN5R4=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
-sigs.k8s.io/structured-merge-diff/v4 v4.1.2 h1:Hr/htKFmJEbtMgS/UD0N+gtgctAqz81t3nu+sPzynno=
-sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=
+sigs.k8s.io/structured-merge-diff/v4 v4.2.1 h1:bKCqE9GvQ5tiVHn5rfn1r+yao3aLQEaLzkkmAkf+A6Y=
+sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=
 sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=

From be65620b313029ddd2e68c03c52460c717c2fd86 Mon Sep 17 00:00:00 2001
From: Indhu Kumar <kamalakumar.indhu@gmail.com>
Date: Mon, 7 Feb 2022 01:47:45 -0800
Subject: [PATCH 322/376] prometheus+grafana using servicemonitor (#8186)

* prometheus+grafana using servicemonitor

* fix review comments

* markdown changes

* more formatting changes

* fix review comments
---
 docs/images/grafana-dashboard1.png    | Bin 0 -> 360254 bytes
 docs/images/prometheus-dashboard1.png | Bin 0 -> 387285 bytes
 docs/user-guide/monitoring.md         | 187 ++++++++++++++++++++++++--
 3 files changed, 179 insertions(+), 8 deletions(-)
 create mode 100644 docs/images/grafana-dashboard1.png
 create mode 100644 docs/images/prometheus-dashboard1.png

diff --git a/docs/images/grafana-dashboard1.png b/docs/images/grafana-dashboard1.png
new file mode 100644
index 0000000000000000000000000000000000000000..a4dfd81a74b8dcf6e8e0b8ac9fc4641d80659fcc
GIT binary patch
literal 360254
zcmeFZWpEtJvMnshl0~+dY%w#-VrE8*nVFfHEwIJR%rs(Vmc`7>%<zr&-sj#E?>jeQ
z$G$(`o9KzI>F%oPuFA|>xiWh~Wu-+v!+eDS0Rj0eCMqZo0s=Du0s?^t^$~bvD$7?I
z1mu&6sepj2n1BGDtev%ysf8g3h-he>GURuK!LRA+zoMfjz!0O6+(dHG$?<EUz~mw1
zpvCaA0-_PVAMa=TnWM{<?iYtxIzkvwhiIyTyK7Swk{xB!gk@in5M>^<*{ynyEk9h2
z@_08hHZp>k+}aZV()bSR!)cqvM8lcLhEE(P<_3en3zpmgu43cL08Pov48!~7@Qvoo
zir11%ISmEy%J!-)6igd^0m3_pH?}_P;)=im>SMhwmKz9yfZEbK%^wOj9;l)W^C7^c
z4$PSRf(Bwtb~DGH9op6+WC=tz$F6ab3WVvDFI}}~*w2ZHo9~!lH@pYLgq<I&1KI8Y
zfl|+TWO!J4T|C4xs|{Qa1O9yMzRzfO?b!I!(w<#SP!&T3pByaWAW`G;!JDz^YyI}l
zP_Tzew=k+W;U>yM_t({-!Km*#6g?}OKlU+%%J5H-FX9{_LGqw>5JSa1r$b2fyB|S6
z_Rx4(i4ye)BLs)q=j43%5Y8w2@qu20dY?%SpA=NjGXx#lAnSr6je7E#HIBBHMq$XP
z=>AIMAX7WA0`f9dFn;J2Gs`EZI?5CU7Wo%`KCgu;k$6~;$_G7TRcVi0abwA<Xl$-r
z!nl6&&H4aVX*@W1rN#a*hCE$cikE861=+TFw5$;1vMxy2Kxo9FN1X!K<<5Iu8kH2@
z5pk?)!f2_GuS0>fP|%9IkzD8@$Xkj|k3@l;wnL4qLccIeCi_Pr8aH58vGkl(<yy>W
z(!WEY7ff=elav3DlI;scH@5HZquA<9@F(l|i0=cvU1{j!5&c=PY~^O<Ji(6WlZ`Km
z0Vt@AJiP$pFG!J|^DppWowx|lJ{B%o=j(+aD15J1bR{0_z9XH#vpc`At&{h-;vsE!
ztzCAiZt7Z#twS3KzMYQ+MnG<j21?Pto;~2-Qg-`E#)kcbcQr7BGer^z#qWXA!}txy
z((}QFhZBa|U&p?;)ixuGv+WQ$9cd9d3Th4-J77scka+Se8w-*>^My{4nxU->!s@f7
z+j?gMPc0nv)~96z){WB%cv$#=bS}JMrQWham@AGY@8R{7`m9O9=4iP~C_99O+oz<j
zw_kC(l~C$l0o+3>j6p}EI5-chJWnZySGu?ltt0>_j)1goX+8AH92G7dJ<`gLr4StX
z9o;2IgX@Q1FVR>qWZ-HEAA@<yhYGTPF(jxZ&?LwVRq=P$^7r=X?@8oK2&s1QlfZgm
zgG)vx?i~*}INCZw@LrV3y?VA9e)1AP=<BV};6n!CHjEy59I~YbVZB5Fd2Fso?Zs@c
zjQ?O$8bO+XM$V>jf!E;;E!8mf31y952lmPqBE171+*g(kt;YvE8jPfy0(OHv!LLY%
zBoR`ak4*(`*5^itasH!|Z|gc<A*4vBm<^f+nB_Wq1FW(PsSC7Q2ggJd9u#yIzC#ZP
zy-+CvWDn|vFj%xK5lpCne6#}*EFz(u0SN;xxrh?M(a$o`&zFpL;B289yo*1V1_W|p
zUHv@->0`qVv-=9avBTU5tC|oc`$+TGOn}v5X!_6yQT{e_fL9An7o^Ra`we$ZyciBD
ziLI|=l!&|=QB{ROg*x1mJ8x0?sidR0%2S2VV_dlkt`zgh2icZ=tS4<9Cb9$B7Dvlx
zyf0z>=t9#4+v{t47*CJ;IW73t&X9H9b7C7PWGK~uq5ye*2wlhxx{XiE5@`X>f&@SL
zYVqAVTNC+5NXGDJ@U4hWNtqFsLZd=kiI4_;ws|i}d!rk2`Q^z?u}$F*zz<-GVx|l7
z%Z-Y6i_!Aqi%FCy<w|6i%A7P#!WJ3pysFU_!j2^(@vjD_28Rch1|znIx25fPgi`bb
zE((ZbtI4m(;$l5x8DrgJ>kkhPcMrJ_w`PP6?Pn-w;0rU9y$fG`iv{Wms*6m&vpJGG
zlGcT~r98$9=crEknH1IXFUqTZK0!GFEtByt-ze?;y>348yKu5_sv-MAJf_q%Z*VfT
zRJBw!%T@HM+Nd5)byzLDtam24Ofk<<@F-uYf?3nO*6D{+`YqDQ$|8Dg#!<9GsUyGR
zJv*!e;2?F<RkD8{&4D>hBtvFRnn&Pln)q;W-_D`NaoF+h5O8?Af3V+pM0_AMRWiwu
zKiAoTG5ZOQFrn&)ZM3cbg>AqE)GSnINH5`SL<7TS>#OJso~N%@(yQ0Y(If8X#E)4Y
z**;Q!I{bW!xfygDwDq~*s}%#M{ydkwbMBhx>Ol2RNRd@~{)pp<%^yY>mW*cfhu@g#
z;aK7^Dj2y9mo2;Kpcw|4RW0q7bBANCzUojgXj-~;T|+2D4eISOP$m^5aTy64AsX4$
zlo^#7z3ejYhVByYK8>EK%Tl#aGf*q3GpS#zB&$W%q?)RlyY`1!>{t@ls+l{E9k$j*
zI9A{AAGsavF+Vb6rRb%orMLr_mUx%ImduvSodh|oo3WZBoGfn(TZ3CC+J;`MKOC+f
z;MvXZPn?R{T-%~>C~>ShWV2VLhNYUN;jlBN=A=rb9;InVRAa@loAnmj=d?ArG;B9n
zI5%>r8DG!;CeFbWX}7I&-f2{7)UwZM3~U^=HMem;IbEl*S=;s+_CKW`)6WvA={J_4
zl_}ce9;cy|sBozGti{sm*s9-};F58Ne-HjNa=~_Z)j2m+KXI3Nmf<Ds#pc!gk{(s{
zg%G30b41_U-n;xw=`9k(h}W$n-Y1f`hSy5RaXkkw9M5YaGSirfLy6fO{z$P>qLS&}
z=G+}X>yFk;4h{<qPY!GPc?MeQlP2yX-UufZWhrwh=`x{*u!{mXJ^_QCP>)n3eQ<x#
z#`TYzuN>yb2cl*M9@~!tB67EKlZAb@`wdlFN)gTImZ;Q`<x!yYsfmj8clwrkuzKFu
zGFZ4AZD!9?4Zm#}x5j#>whDUABE1t3QY)!8tg<b$Ijh*j7|E%NNDe&hL@$T7BcXFh
zMv`sFd+CH?C!@v1rNmc$E^^R2Y$k`Mnc|q{nX-^9NG3BMbQyFHHpWCr{Z8#lvm;B3
zPET#)ctK_fQXf4TT{o~8*x#sfHFu?b;Cr5Vrtxjp$y-;=_ud^E*;9R0Evaq_@a=-p
ztq-AAqjgKe{@Kd*<S8vVHkRtUyuJM5YUX<2D$>KgiFI+{5%X;NaDoIWR+O95QLiJ#
z7sVvsBoH(}GWZq7aU-iu$cplf@3oRFv#_|(+H7)KV5+ttw4hG1KBLX$v1YS!Gs9?|
z(S<SDIC(Uc<!Xa!wzRC~=fanols%OZRk{LutNUfmE3zxQ-4~@z`ReNJiig1~Omqy|
z#OC!2_zj-vc(Yh>32T~b^#)hOHqqKb$Eu}G$ME*pi(#7h=2+!eZ?!IUyNmwcJW8*u
zl}z@gM-1bJDe=e&;R$Ohhz)vk;wN#vl(-dN>x-?v**h*Aw$Dnc+GlmO>RqV~sXZ)4
z4iydsImREwS3K2fHN3hh+RVIu7RE%gc4`0Fele7vDfPsRX-%{CY#VMeTvoQBepFmm
zLJ2^uN40cs;xc_|%xLj0UeImG@#x=6+f2i5-gHVUzbGzRu&i}grB<V?I9ZGV6j)jh
ztOj{XKLJjSk7;>8;0EAZ?%7`UFd+%ynQ<?<YtPV2w3)H;acN2f4)f=3reTjbzRG`H
zjQYVfxx7E;a<9Cn?Tqt{L(Nh0Y`%Icb_+HVK9!97_Y#rmA$OAFrR`PhZgT-iYLk=O
z^T90RPvfzS&m8WDSVzmDSFd|fTIa1c+u3)$j}qw#hiaT^aBsU8OB+h#vrWTV37Cr>
zi(i-eYjN9=Tz0l+qDzb`Y|Ay9a6DUIgf}D9S*EO<mN(bjyg2S|k2r*!AJ4{GMH-Zy
zw2!=cKjc8pv@gB1wRhKS&38u!Q%7y$u6T~PKVOC(4;G9;$e7AdrYCWixSl>fn<%R&
zFNKHFvTKWL-8v_{X1(+WDFZ6J9vJt><I|zJ(kk*QAXlke&Ci|ov`@Xi-SypayCmF|
zzj>-=@U4}@ui}n*O1|EgdLNQb77UF$Wni`odNr~{v(Vvfh&TF+fPP|TVnp^~;Q-Cd
z>!|tAQZGkBapvdmM|M`>5A{r1+CmE#Mhe2=4<ech%ZtL9W8pUnqepR!Dsmry=hM{q
znI&$3VMQYjP<T!vxQ~h9V*UxF2+?PJ(%1Jj;=_lG`feTT4-?-rTl^^kpw2$2r=k{?
zU7_A<#okR>+da2IhCwZN-o3PgSXM;IhVnc>0bP$ULlrS2DJc*NU>OPo9P}#)1h51O
z{Bnb0{#RKTlnms<AIHH!K!Qy{!2h}i=(YUuiT>;NpZgELf<PdFN05MDmrSsKT@5pl
z`Qcw>2t4395IzL~F)`p?LEp~M(8}J#+5x^<ycl=@+D25>9s~r9`27niCQoz@yr+57
z?<x)|Qj+ZY)|NE72G)9pG%l7l@9ltay08O_mWB?xcrKO}R`%>JTm*ky!453HAEqV1
z`{NP^b1niEDOo%LYdb?cW*RygIs$GOJUl#3I|Czjc|qa7ssn#<5tukQ*s#;mIy*bl
zI5W~%+Zof+v$3(!(lO97Fi-=pptg6la?o|5wz4Puvyp$bBWP%^Z)a-bU}|lJ_uj6q
zp0%R`7XiV0NB{Nt^F9q-O#izlEBn753;2Mv?`LS~Y3OMGt8HLa&iAA2vZgME7OH}#
zmcTIs_Q6fhNYB9eM}`02ssHZs->RzocU1-!X4ZeN`fsQH&#H>{hIRthmcULOxc_^?
z{;K@%C;zI*N&Ein|27tX4)h;Kfg{Zg!%6#Jv&IdBb7|27oJcHFL7DHsJy6WvKVa_y
zMfT?&SO%+~v&E+O1Oed%5fkM5?gDz82HApAx7eqRD2oD0?xz(7aii6oy*ln@>BDp&
zlv|YPcb$!gcI?6@WJ(}ZJQ<EBg^23jAGxl`Cs?J!_g(P*as<C7X<=byfibC@EtT{c
zF2;Z%X*<Kh$mwc(lp8XktU+R5)Cc^ZZ<)~u^TA+?{F9TVB+$_y|8(;a@BveE0!P9F
z{imBRzmN~`K4z9nss8Cryx%=U?ePa9Ua)_>1%?5e2rO<?RsE+A@;(AECJT`Nd`^78
zVNiihz$)6;RR7}#0aiqrsD}UNQwjo&LIG?7t$5eSQ0#vpVq}?yxc^)%K#|D4gOg=a
ze;*wk`t^^+69ih8cbNNsAr?fkg;27*>V?TEam4>v#6giVed0a;7egtUDT|ot1Cag3
zLMidjMVyEil=|s^F_h7~Sp>YGmRV+2O7Z^-%L6nRw|{deeL0C`Yfa?HZP$I}OI2(a
zj59nhuU8>njGCQJezm_Y(zL(brX0^#b&EUB<3Rt|PSHUOrlo0vWZe>@k0iBa`g%nK
ziev+IjMP?<sOh`aC`QQ5^Q7rvk+Y4Z{I++Old2TzZ{2j8@579Zolf}oZmLooL~m5y
z5H5d$nm|#K>g{qWet<v?AYvmBZB2)+Ud8+nPoogD6<QXg%MH{;a%kBBj2}T;uJ7lL
zodKeKF;Szh<7Xm+mImS0c4Mm;Fea^>7zBT>^N^n%e0dTQ7n@Jy8++Q-o=+Lo_IqO(
zXMj6H&0JB$VC~=8y;xrDug~_m;?-O&_XBgo-A)6{Yw}|*@*1!5TZ0+iujB}76F-4s
zz>5Vg9#6Gn(Cm0bYippre!1<E&LY+4mB5l((;9yAI(}zs4LiSkG|I&$2x`fI-1j$4
zN{?Ws#RE)a-GJp1K%O&2qA&3~_qxxoNR{*cv-V*_8n%Qgu3r~Ftr?J0=z)VpslEC|
z2Ji}q+f+@7=xG63&tFio1Bn5Gtm&kTRoLBL#wmrZ&lb1dZBeB4;ZkjbjqdtnnKzd@
zA%9N>@r1#4D6lrSrD3gp<C*jI!mn9I#v(2eV&Fb}w68)n54V1RK}{uiX}VEX7t(*9
zG9m;~-Y9hs?~Bdf8rf}8Hk@~MGx(zkFVe_^+9E65a!)*K{r*ccXlv`s$W<s4Bq|dk
ze@`h97(t~GmOw4c`IAl%mvOc+M|zb?soPLA7R(TL1;B`+Lw#`S$qcT4O=@JrK(VE}
zHy%ds4to`ZZdc@3WfZ<-oNaZUn1x&0oQA5vm>^T_|4oq%Ndh4aIROED%Nn_bvVy<-
zysJk!i>3`zZcztyg%64}AP9V36b3gjQyMvl0Icy=4M)){!}ck`%Q?AvnQ5RTT&z3Q
z^|G+u2~t7SLZe;3i_hQKdL(_2dz?U)l4XtD!RsOa8gE(%Wq?}11F!)Dg3Nwum@lol
zObLZx{E>TF<?Oi+)oZ2%4@ZSdq-Jk>PcAmii<_9K?ga5*i{P-2e{*ToBk6$F<M6SR
zBCFx@Tk`ktZ=4US>rL>ZRHyFp0Jgz^II)Em_(MxRS>ih=e!o4fGWMj$!Wq-gXUFLi
z<hr*jPtFES%ZtxrT!<2&mVOYPe{(UWM_vc7!tMZ&#4g};p76DGYFP9xZc22<m7)D%
z3zDGrZNvG6X~{>4i+!TE8WT$3Oxuo~lSN<I4{t*k-yXPemdgS6ANSHj@_d*({kZ=g
z6!A@jw(*;X(@{qrvWQy0#aq*%0q9v?<gE`Wh1208;rU8}UpENh=Oo1LA}R6?Tr3YO
z1~X~ja!3(*V>><xp1gVB!doe;d-&VS^vLt3=<wnGt=Wy{9RX+Mvw*BDgEj=3KleY)
zAK+fz#;`;v5guq@NWk2dv!j1Yh}(x!;BC8{?i33o(>|q<{A!PE^2~nMXvq2!>bA~C
zQa$oasmjc#zp2qiV5xY35A(AD3`>L!TmvkL;bki79^?(xGXx{S;G%fQpj=jR1N+2z
zje@8McK=U(|L;}blmf6tC(DZXz6f>E!C%D4#G+eIw@XrXOPQdT3&!SY-%%-XDC*&x
zlq1;>_nDMkWkyq26oezZ1~3N^{!IyZiNGE`CEE*xhAe2?8!VSfwo_}yo!4|PA~{?y
zT~uGMf3>#kmg4+djeoO_;6STjOP64w|EE0~JfrrAD)%a#ZmexPu3vji4|{#s!>u+r
zAW&_#iXi2#00Z2giglvSD;3Er!WGHN-7a~1??HK`v_C1mK5xPAHF$L=R9meSxCX}E
z0gZRaPvD|)DL)WW^|XK3&*~kFB`+r)N3k_~o}lgZYc!=j?vBU9Ix3R!-Pq}-Zn-`=
zVH>`^+{PFyb0gm`my}~Dm&uQQ>6b{LIk6jq-)h`VNq8AMF}OA$%6vD%QCFT=SJV4j
zF502p8}`*sCtqD3;uL3V>U&ufIxoNTK3!iXFvO7_JnxI(#5dX-vtA&q^ZP_cEHycn
zFj>iSq(~$J5Re+$Bxo1f1;-MEJ$zLwb)@lgJ1An_LC6M?Y}PaWWckaC)sAv8t+aLf
zOAuyI@HjL)oX973QED?k%v>~%*6T~yRq#)2;FTs8`_YKyHnUNNH;2v!0~5^<eroLh
z*-ny4f^Vkc(MVze2Yye;o%dQH&u)eY(K!G1aVH^T=L7MlMdWh43#tCSMQP1AghB@$
zBq$sbDI9bcnp07Ak1Z4p2zsByvOZJefrD>jpH?#PmAtOX=60yR-GT661Mj_)D6_w;
z1%V-6Y0K&Jx3N^4XR)lluRo~G<7Rgj;$-$7SaaSjP~W$7Wx1|-CF(`iG^-WkjG>l?
z8Z2+VFXP|VTK1hGu3{RECCdI7>Lbq<f21ho5HZ#xQrv#`JnFXB>c{Q}EnW`8A@C$l
z!xn|pWhfI{-BGo@`y*`k28RO%yS^`Pq%*}hG?;B_wC1xOMA}{tLdSPIpY23CP@KKr
zUYzY*kAxeC$+{GU!cc50RvYaLj^MX|P@156oI5mjK`V+fXBl@+xm-hNjP>O$*CB}^
za%Mk@=T)|Y0n<2McaG+#X7ew$0I`_U^rUi@al#A>)x{QWRDXw?EjHldaty6;o)K=i
z-odd9o8j&ixa@gXW`&Xde4cuaVge7DFP%h)N~vTg4timn0vNru3BBAq!B6LU*jAWA
zgCkgMduhs->W=x(D{N&wVu-mPE1a|n(aJ*;j<0I_)tLI_NLZfl-X+20Y=B+r38<~O
zrr}F%Q}uL`Iwa`HuRK_Lch~X?N+^$)IRC(^m)OA8`dF1KV`A<gn?}#2$XA2(^BjE<
zR?|9_BX~o$Z*Z`B=_$oN)NQuV<<C1p82o^6n$j=gBWMmU>3~Pf?<9RduoFNEoalzY
zA4OEb!Q|wnlQc@Ry)0x$bFMq@$fc{H&t8GId835Z@bO2{P_}iY<89^0r5)#-$JVK{
z?$MZo7TEiG_r|)~f1%}atGee3i)9aW7R?-Cy|9^5wCFC$n<71J24koIZ8CbFDW1%q
z;BW`i#9VJXnyg6^@s&BoZf8gg2<^dY9yWr{b~<(M2F)v4v0T!Bx(E3zXx|3-08D;o
zSDS3qRG+myv4iZ6XHXN0aAADy`*9#6zEHihd@Vz*h1VVQGWXf|^7?c}`*7NHon-j>
zfuBFb$+~63h)t@jk}5~A2I^^rCJ!V~XstOG;pC{I{W9Y=fVQbH{?op93g+GEVSS!<
zyA^PHVQ0`MQ$BvO+j2U-mq@NR!Bek)J?t~Qq|ycqQ6Jr&Eahpvz^+J?A2_r!S+6dB
z?zUgbe7(FJ-Wd4-kISv}>UwN@dQ<3~(^qG>1Xx>cki@B>-E0bqFf(il*aNZ-1VERW
znZu{fY$ndj6Vi>w4|Qf|7~Opn#ywLkCf-ahui1a2ehn~G_#3`xZxHq{sZOz@QeqFs
zZrztS?P^<j-W~Qx=0BkFz$jiU<Q`i&2SIdd`_lM_Gf-O?K@9hyg=E>t8m_M_W;8QV
z>?91?T=?14P##j1j<l9|{gl21PK$Q5f*Cfr6!@2$EBpqGC+gPir%?Qk?75?`tAP7H
z;s!9tDLz*9ty;!WGT*@Mx}#ZEC0zXcE~P^o1R7F+CJ*x<7+nCdE57_KN<3%@xQ<4#
zSzPxDr>?Hc(=E>m9hW;P5ViD@8+`g|-lj0yHCN&c_k+IjJcO|Ci$#B=zM`S-jJ570
zAcR^o-0U5u+eYkpfu20xXtOt4COd-ZdqnE?qHi@iVGMWP0T%+%o1Cb)m$0(}88#74
z0o@xG>4Jy8g|khnx7GCecV~hp^3HbZk*W{;+P21f$qZ9vr~TY7S=tFuHn9j4%5szm
zBLb97&W|HcA9?m4_<tQRcx1I*^rc^}+@&xQ?>ung>4c%(0VS^pX+fi2-N644a5lk^
zvp(I!V7^O0tj9GU;b(KzG={zH{ieRxmv_Yr1wkL>G*uw;^8y*?cV{kP8v>`z8yVaE
zdbQY|AAxN8oR+t$RcoDhrlP9G7P^7wd8hkiiL<ecQ=QqYT=rrLmo2W>b=&o^YZ@ty
zrp`k(dYlh)zs8xi_Y1M(k>)x{aJ1`bYMy+yAT-PA-I{j-i4<)dHiuJ#EnoW8c)O@o
z<Ad~g5$ZTiLZ`p=U5_D5q9@{ATj>UI63vDy(!d-z9>R16Tg#6P`-C+th}wm^5K~Vj
zZ86H)WWi0Br_4^f+XXht$B&=CM%PY`d7QT1t#V8j(3VY*?En6c{$FK1a)`bkD~%D#
z#BO@&+9NqYDrmnzJg!(i&+Z$kzKY*crLO0s)Ckj~fmR6nO{-1qH{A^Mmlc$rWJkJ}
zEA$bkp7ap^9WIO@@x9Gm%W!KAKgyVh4BCJigif=c)k(|)@U{%49dYvN)#m6d+Mc*0
z-Z<_f?GCbD%a{HZi`R9SG^OdA;^59*7o^3^9z4ojbGt(giyJeM4i{4HdfCZqYx_Y5
z3mnk<wv;sZIoh001xSY7tgwRCNm$?(#@#TD_~!vPx0PGp^Pi{E=H6Y>t*_%!pk?hi
z7~@q9L_d19Ou9Q7gB}^#`nl50+W?Q6b!H->gDb*b&z#R2wC&Ft015#<ha%|xcjpEO
zAdcrqby3U*UYrZc1$!9pEga4k`$v0sTP-deVH3IpKrLbDbaSGVC_e?kVdF!_vf`a1
zS@7W+Bq4{^TRh0AX|B>8QEz^*?immTm;Ak%jxZse#3@0c$Uai^!HcyaTPmjXa0`86
za}(G5nNJPSMD?9}0m|fP&YEbY`9^G^V(R8WS=&?0s_`bMgCU8ZfC!2*Q)tos6q|@r
zp!`sbG*d_mfrIbbph=Qn#p5EC#kuIX-J9Q~`Q*-WQbjdm1-No1DGIkQpp$2ghJ-_3
zviXLg!p9XU7&YfTZ^yvrso$9|+jw2b@?y3Tk5qkCQrs{R`j&|M$j$x1hOZf4=cwJ)
zK7nnI=gFe1=DZjBoacXlE#TmriFlE)m=Lv%q~>Zlj}w(%W>%yrL;UGUeN=qQ1gKY9
z0FvXa(=)zJX@$a2_Ri|np24k=!%)*W$qZihsW9Et7R!qW37fp6dk9MeKU%G7I&)Yn
zgoJ5D4!>lyB!wGqPixHnZn&pl4O>@87D^M8J}HcoAlQ_>`z`6%DVewW>SfoE;z#bw
zo*#pkGs>9NeL&uCcHlM)_PW7PV!(v|g4Ut~EQZ*u^g$Jxv%6_hJU1#W_=W&g!<Z%=
zDn$lx@YlL{^&L#DC8boBJ;s9CPLH!)MU|MPtgYWPROza2=FH9Eh*Cump|ACR(*81R
z@?j#6<WI=C<w;)wUYm(L2NVsd6+bp(vdmFIvhIf@Ml=%DjewbPA(_zxWo_5NDmwKR
z7hB_$r}DWwyFe87rA*7i8#bJ)NFQ>w5pz(>Jn`V6*g<IDh50H%!`;&UnqrS=AG9wc
z@(-NFm&4m#FebXTPJP!9Vw($!CFwEfS}saj-dl<bfD;zu8-q~^nz-8&4%gDgY%F~o
zZ2THyo}b@|6k-EofO1uDy;fe@GYfsA7bC_S?hcR5z%R}H@ZAL)61FL=S%Vyb6{6Ai
z!x;k9xg^W^ZrkPKQAMI$*0Ygzt`9Q`1IbW7I2=c5wPZ4DH}yvHH(ZH1E9{kjNsr`F
z&DHK`Y?*q!_!2;w?Tak<;f_h<UJ`h10|QwEi%8IaCPH-1@DcjKZ4uJ+qh1m;X7T1t
zpascwOREhDGg}+f#7y0>oX(c=UMn%R#%$M%rK)X9URD|{q{#YbaPpyMQDE}JSe7Ov
zKfrppnjT0c5Vl_lu}MionP)LPQiG2mD0I5WMDvQm`sk2jfKjWk20(DDNR-)|elXZ;
zh#Tj^9(v4@#=SN9!%j_ikMm!BE+%AUUbUQYPOrX&J>?stb%|78R+5FN%@dFN#ave5
zfarC70eQK6MY(LloGt**B{{}+<WZz_VnZ%(pgo?4GT~-J7wrplZ!Dm{+?>!U)mzWW
z(b07CadLR}efMNP%4y^U+nk^mXZ%$r%9N7wuVs-BOwEGv?RaR%>KlvoYU;O~mapUA
zwAEkAt<ONkl5x=k#sxsj;6-_5-?=T^{wEiW>{*acC=(y~#84B&L^CVQ=WflEf6)Jh
zx$P+wTiV7rgIW_@r2wyPj+n(|TdlK9=+w!y@LZfkhDuybcgQN|Oq%UpE8zTUO<W=!
z$F#20nI~&+%#HWiYSKHpt#wwdu!jAS*s7hP#F>HTHQjM#(@u!md84$YKDVpxI5tY#
z2P3kp?vQIgCm$(GX`^s?q{?iHi)nwhzrCs-PPg*flpSP4nfx3F;tu?mr#q&aPuIbS
z6J5!h$ExAECcpKpaEcxwN@b(IvUN&9%An}Byql>T9m7lzAd&)rFsmgKJoO(iTc!*G
zJ*?u=Pvf>_6SpUGib@q;q*65QZ$&wg>}ttOR`~0AE17&BQcqeOFhpYZhG{E)Eq%OU
zk(v5WXbOnh-M{&=l7#sCq~$oJbvyO(!Ko9p=Xxa!ZdW5tXlduPtjkFGB|fSiRNDBr
zw3({ss~dW9^T^ESFyuEd#`&Q6jouuNpA}PplFfH-sD*?}N?6;f3C|b~o_WYg$6Npx
zk?oLNhld<2sf)M;C%MaOZ6IL_TnM2S%1<0xDNQ6u(}h+>00TtqR?CHr=Aq11w(5MS
z6H1)9zj$%8vHL>5FxDWW;5ZsM8s6M7jMHSZ^LXa^D8;PPe*(g-1tf+;_vHBUDiedr
z+$vSo^qGhK9Kr#`zOn1gn1()EPo8(Cj;{QIQ<S%4*b0YK>Pv#%g@4l6bqc{E5cQAF
z3Aa<q=Z0J#eCsIXSM$!_Q(X*)9Ta;fiM_GbqR28ouR)voGIN&X#=`E>CVYTnornmY
zSqR1vr%s=N?vF^@Ew!4|RXJ<f8uMiz*ur_oR0`0<TNJa|ft1U%T8*e$`A8GlBWoU4
zb+wjroR$~eP$pFj){{L+X2dW`l6wtwo7N$6x<y~&6YH9vPSs<Sppy9sa)<lC%Es<?
z)gRyegi?RsemXEUjrmMI{eyDJxfD1(uaHNnyPmD9JdXz$tLaE=Z?P$(8!U+yD+4qj
z5C@Wg5UeDl3BdT<Xu{~PBmM|igI`!hUKW1puh&Rl7`AEpt!ZrhT+j#>yY_V&TP#yb
zxX?zvL8=^LGhEZSp0zq-m9zpu+t0BycX1%?l19V_rtV1{^*=ayEJ*J-DMUdF)}%Q-
z3%u62nC*iIZ^^EL6YkRZo4nSVDCmiVc<m=+n9u%;qqqfuJo%y!rkiNLca8Z1jKF_R
ze@jDZACy)G6A1a0!`eQv|GSEi0J>2=t`}{s0bJRL=S4_$KaJH@L+vQQ$Zf?~VFr6s
zBP3R$=+=KYmRpfqcN4b82aN+E-S+V<uNN5WP~+r0AOup=nEb+Nb=sxY5|vPt+vr-d
zQ;kv@UDBG6e+dN^TGvwjNnv=(WrKlf!wU5Cms+z0;V*F#RFA*UI9?qZKbyBPKVsKX
zD+Aj5s9}b}j1e?X{{lnzUci3toq#kiC#B3#zLeUK<D8@OmX1`7ZjKsQr#gxAZj$lf
zit}g37{2en8^kPGQil{;AL%0(Zij}FjguH4DNC%?cfx63N#8*+mHKV$^Zgcl5shP8
zNV@YX#OXul-O9$j4BG<}+ubtkb^x;UuP{_fHdn8@3rbg^&(W}GBeqk<mpXA>sLBoq
z(<jj|sCg<?dY7a1Dd0<v?H7F|V8dny8X4Rla_6ngGtS!E)zZ~kcxl=i0MC2R;owV0
zytR#by$oNj_Cs<l#1m);jWZm}Q}eYzBIRazCE_RuRdgRlSyEDI$ENb7V$(RBNi>ax
z6SI3;P$tqV4xNWbotuOXR+__G-a5@#ux4YVdBZtLq_HTca554Zn(4q6vjl`)1o_sy
zo+4^ZmzWIGcSA9)8-!>Yx8+$5)0|ghF|Cd_f;Ot~Gkf<cOl#OL=d_FJ`Cx#MF6mj%
zS!KMn#gP!``HG}EQ5mLC;v%wG%zLN3!g^b!E};8^*WO=Z&l!KAmG~A{cr>kGHn0(l
zTjVvjL=2=)8e8sOo2xAj6y9B(ygauD4*oQM^}7YNB(5ju`sCN@2#kkJLOAnGKz|qP
zBfeSQJ`ixytTZ_zd5k^N3}F;p`OR#hQL7D`7Npa}QD7hbfNXzjlbX=xd3$C|Vp1)e
zeR?oX<J|eJ#7%C!&S49v_L~s3Jn~O){$aXQZ>=1k!!l$XcJZl>3vxc#79;$(u<^@U
zV`OEsVCaYM-Y<N!<(h;gaW-cUdl`;>58quMmgrc<!(eGk$={U5!C0Tq?fbrj;*tQ0
z04}{QIG=DYeALs)#(fKK`ryevK<;v)%UM}~f@ifKjEoy4?g?5w)wF+>_l%@N>ph@Q
z;+%G+_4%e4!YRXjz%<SXGHcwfIPS`tn!)0nq>dG0qTGH5AVd+u?c0+na70E$fDb4K
zI_bzZJ_4TcwBAFA2uBonQq4}vlv=@uWOpIX->8Vh_Dnqg#{lcRI&=>`A65^=I7IE6
z64>G!BY15y?2K0=(u9`~Xc=1UJF6zYH~EoI3Jt^9$~Gf`VDXtMgpMysa@O;<Xe5Pa
znDgYm6U#d>*k`HbLERV!mB65#u`I`{aEw;TFPk;>4{ArpL`2>C6Jc@J*%MGs)BP!a
z;LSc`@h;z<hdga{P%%T)Ce~DFG=_aIaSLFKg5v7vi@=<IUc>z|9LZKfp;!z<HQeRd
z{DAqOc7OyZUi&TO>?7_x!IziIA1J`N)ngRrRWvEsp?l;wqHkoE?}H{Bomoa^Z=*`C
zO{0r72=D<|EZEuAPCD|UG|HVIHS4}4RKHZ5B!y8ll$*_T=ao{djq|(_X&16B;(Fb4
z?>HtSBOS}XohRKk|1$I9AD27+?iPR6CNaViPoXF-e(ddI4?Pt8aP}eYqG2nNLr&8^
zbJ6nLa^Z3c%{xAjyYvs+^?3>lwoSnkQ_oX<td_)zTf%au;tCkj{KJovlU8|{8Ryls
zx(XRba3bk&NiE}OdaN4L;3*H+2QpWd*Udn8GL@-tZN6;NFVKE_N`}X_d%;B~;H*;M
zZDW7VOMa`D#BkYqD!)P?Vtiqlw7p>FJ$TlC@e%^Ic;0Fp1#O}`NFT>2^tJM~aO#md
zl`r+@P*OG^xo%7>j%x1WZrQV41m${&l6I)9eg%WQ9RfC8iI(Vz<G}fJnfL}%gNVcF
z7^<bs;b0Q%f&kpI2rIx-;H+IF-POoc=U20$>o}93q*TgGoVrz`1YV}pPTQlI|FVt1
z-H)y^qfwfKl8UC;nw3_baUd5Xy4JQLueQS!DE9WW#xC;7<MH6_*5Jd%(ziLlRgb2-
zlyc|G6dTknj;n!-np}?S8(mkS!`<-i^1fUYw4jm=kliW{n1=po%KUH-QLE$FgDBFd
z%De8_iz=l6FvI{oNnHqEQH&nAZ+lx!s%~#&Sv}!f^K=*?V);soi=drE!vdxjQhokQ
zU#-{kAaBob;)Eqh)%_XhM*O^+Ca+O^6<X%R6FjziQM9XkyaYR{c{**baHlDZY9bYI
z8)?HJ%8WRw@i=XK`<Vi{dQcRlYVd>JA94+7bZ%^)Kn0(u)irlXt`a`alDpp=R`dmB
zTYYsYZ!K?Kw=YkNpoeqSRBLW?IGq$Y52TOlHr9Q(BxX3yddtVMx7>*-{$%tVN}5Vl
zzs5cPfZy?h<%R4jMrJJLXHHO2!sv83=wfZ7e7VUAerSCXx))Z%QMq~y;Mbh#vt?q6
zaj!r84<|Ikea<OtU>*TcM(M+VnBMJ+MfwNkLrVo-%sQT@CA^uvf!*fM0U1C;VJny&
z7pomEq)?XzWLF9f=FW_KqnXnD?@@U2cS2+nw$0_J1v~w%Fpm*Gr#SkHV({FuSWXhi
zvcd|-kVYwkU1;ZNucgc|`?B#QC%bmw_Dp63>HcRwdLHvn%R&wZO6@f9<ZwbdcBb*_
z?!?jT=b-4#{h@Z!sSo|~@gs~$oex@9b+KY`9%{7-0O8kzP<p-&%E4x}U`hrAVlq6{
z#H_5aq*<y{K62eV$=k#*l7+3pqV$ndN0E7;Q|+V$0vKn;pZbL}-*$6*<h$9D`CJ`Z
z)5`+a8Al%Ece6l01Y=E-Q09a7pjlE1X--*d8@glxWg-#JDLO$5rzG4a80%;mwX_pb
z5l^LwLWUAZR-@G#6uCcZzi`@-FNF!g@$#C>ePmNcYfbvbS~_%E(-~|kBkAzzH+Y6r
z&+CzP|L}!4!Xwbb9C%!bPf7uzcoFO*eWnlOme3{%T&*fJvVAq@NsKFFY2L$OaWccr
zXKjYU&0bKyj^->2cVX;H5t~V4A?LW?x@s<W)hkkdN46V=Gmo(r%Se6~4v_Sv+T^G`
zBSIa*&5j}ac`JLP`Zfjae6TD4ZDjw+r-K#s8ms^12%LqQ`)<70?hG0-DA5`g2?8<>
z(*BVyGZu40U)Jkj6G$Bh3>2Q}b5B{=2b+B7!R>;2a!jh``qORuv9~ZwTz{~I1$5Og
zU*KT5&RZs}mIHp5gR)^K9Jow|7LXnFB@}8F-bskVaDhE8nwu@x9l&%oApEz<u>qQ#
zZZvuzEqHt*YOG+8ea4~typ>M-RToe_H)mvD3Un>M(0il;X`N8n1U_C^-JG=t2(~4_
z3khUl!i*#wWgol70)=69o2S*U#k!+BPV01^=sNTI$f4{VbfelWmOuqDQfHCG%^oCT
zaVSBxBtdQ?E$3Co@Rm$1I{#GHw-%%cy}G%UMhVS}z2}FTINsCF%uT}|SFk4dvRG_-
zsUp*#PO&*O5fhbxHe-^Qwqa8|<lbxs4($WPDxRQ$6?koi$7NP^=|d5dNwf;SzxvI=
z(#!%0$36gPDr{dAl{HBd>dlS@57XTt#gK`UyAH8VI*8IlRSSk4n4a`7K+7V=?VfJ2
z^F~pXjVRP6A0)vRb77rC62a8e^)>Ww4AHf(yV##Q7D}A=a<>7OVneKWVEikqtxwJR
zyu3&<v1}jRqzgN+>(@w)$t9L`S89NCse2sW;+X{}B~WBvb|!UsKB(USh%@VcXS`Tu
z9-Z<mdekSe8%F9|&U!~>(oq%b{Ro7bbwEfZz-|4tz=^&MZ|=#nzt|FTrLGBYFH@=7
z=2110#K9<rwJdm|;o}@1Bf~y32!ocT?R5|st9MIxr~maoD>T^vxP=sgw%tXZ8B6)4
z7+K};+_EcU9Pc`3T>~3F5*>0|DVk{aqzcKNg>glIz70>|%1k~NJzJh=!BXQ+-VxhQ
z95ru6Pw5Hr(ay~c%7htc*$2i=@BDQr)xau*<P+*T9bz6B0=)B{F3;mnW=-&(X!=t0
zr9f{_K#;@Jh~L2+rrd%3`1Rp<$QbKqT4cCe?H@Wmh*z3P%>uT#yiBToDhE-!Z=O)p
zI8PviBpm2B<m1|X5yiF122oNo=g_1ThE91JdI$OX>K<H!d}1x$t)swu)DGWe3vJ?m
zYS<^``Apx>kn;r+QSC&{Q889K)*>ItaK<)AGL88+@`5<DiIlDfP;}0J-Zjtq0l8Sx
ztrcIERgam4D*AnmWm~spm>O1ob?cibecL#>D0Sw5A5A}++Mt%a;!U{+mfAbOYyqje
zNH?xu`dzF_B9kuZGeC7SFq1B)_ukcR?Cq85+Sff-qwzA*2Pc_kKTHRoGmhh}1$M@&
z*0_NEq^}!~<P-FQ-J|`ljQ+sFm$lhD!WcG)T9SzCS5DLkBf^P^UK}P9A4-~Y*kgxe
z2N9Jjf0bc?|2ZOMS*`z$tO`QifleKw5|30CC4j)^!6LD3Ra>=^OAMO+c^0jT>yb3W
zW1C!@f)DP}A8OaUuDay7b7wo_?KwfjAym=|b6UHywQ}tnFrwtT@olSf{pC)XV=3xw
z3pY;lsF*!M`#E<@>UU=3ln4~E^YQ)C0*OwCRBPJ)#a2F>I>tT|E5TX)n(Nd80S*DG
z1-_LUT(5ZWF7;P%K+GSiyEzPo(Upar{H=mir85z84}C)GcYdgvm_rcK-sf`z7ID?e
zPm2KJ7$39}HZ*FDjom=Yc}(WggCI+n=ZrHvU&2z%uAwX^gbAl3uZa7jC@-ktBo61(
zX|WZ30MP$teF=palkgt{KQUBm6?)!^lKIt7!d)D*{b+LA3v|#ubC$j0;r}EB1&p_F
zE{M^W62Hq*-s(85)z+3E8&YQW9tzdfglo9Y>|6qUD=dj3=Dvo@9m;{Nsa@AaaL!6Y
z&Qd}CdFQ?_#zm;ItF(K&V4tT4mAI2-ng{`mAkOwbx>W9Z(K9IJ?!Ov49uAUb99lT*
z>@u3qZe8xr|1^rN2JuR(y$o%+*rMxmvN*Hr*$^SySfvLhU($~|B9lhOnMTQ6_bj+5
zO_#YRH47om<5mCyCgEsTOpsYENEr<VR!$p?Z#~nraQ%S@;K)*d*Ze3ct@tw&><e45
z!W|ek>I25L*GGD?#|f69$-DZ)E0{MWLn+02?c$W|wRp~RJP|6js>v+*B0b{%GxXUm
zKbI7Ml!9T6$kyl{BI}Q@FVSxBZhWmg7K-t1N9=l@HQb_%%ArPkV<{WC3ps&%qyIT$
zInxKB@*CfehluZ1z?6Y9Sd+T_+h6+PLxsC<qK-$h7nt6!5;RyB?Xso{#FKtu&#byp
z3@LiQSgF>&Sxsvcm#npKY!2}7T%D|zRUGftJO`DvXUNVP*P#k4u-@$5@<8-`n=OBu
zW{a{%*Ze*_+KpnVt5s=BXjlhac+AR9EQ^4Aynsz!Ap5>L0=htI!r)GRI|rC2aX>)0
z#4?%?FYJbSeR(U_=0e&K1;s8DFc%|dH@(H)nzmG}s1&a4INNMCS8=kui0Apdl~F{c
z&v^9q>5OGqKc<geNh69)*c2@c)sZ@vKw$Z9PTT$(gV9Jz0Zqi7YPN|5_8?T97gmb@
zCxH;>h%D2zdsh#=6}c`~Q_Ljnv3`g#y>k#-FfdS<!BlZKR6;uxZbqtfa%%)yW;)22
zrZR>CruW0$<z6;|6p#ZXVxhh`;!F81<&tk{3^!vaWIl8xrbaOKrc{nCwONYXUE<%Z
zojh8)0qOrULfapE%tuKyv{QDCCl?x5b-&M^^&$I|-oT)HsI{78xnJ)EWa6sGvdt6H
zDWpTWoj69`-WqlwjrnALXKQistC(-FS2*<h(a``?)BtU`Nm!#7#O34dZQ2@llP^3J
z+L~kE`+-J>J-%L=TMC-ePO`IrA~v$0xxI2b4?BRBG{Yg8uxG+HDROxF20?DYNy|L7
zIriJwdHh>f{CmCvcs9-n-TCr-dx6LGZ%FnbSD@p+3b}*QtJr*V)E-^J;YJ<t5!z0t
z5$OOAV+Kx7GeiNOXzG;9kofcLt|WS`=ZpP#MYQ|rm+b|;=j*9AYUkAp?Sj-tHx<tS
z)=3Axt|DMeL18I={HL>WyCsPt!P=I=eYgG!E7Xov>xr=I%}l~FtBY*#V2qKg7L5Y5
z=;+fPkP_|UYbEaA%kU<d(^wi)c(nlY0wo8pouAa19)PyH{@vfCdNN-npr+}SR1@fn
zS;Ps93XrDS{L;Tr)<zCKA4H+rcn^E&LOb1`3ubiO6ajk2B76XDH~LudUcaeMKLpcq
zmeE)zB8S`qLs{K0COIDQxDDR1sV<v?Rz>*VTV8H`PrD#IH+OxVhrD0yf5Nf9vxl*t
zmlAnu^i1X3Yrgf}9J~5YE2yWK+(oGAfc&I+Y<5Cm;eMXTNgwxbe+FFszLRwJu;_B=
zjHg=6Ds#VWlCIqEc9?TMAdZ-h`o5^!Vm{pf@S(&4pFqY<IYoru`ZBTeSh9jU5Dll)
zEE0)vrWzVXdoGnci@2=Lu`~|T&g(v!9EB~h{phv(`}m2Sd&a)Qsnrt7#PVkEyJhsD
zeXgny+vdyhYZf8rtUi6CPMg2bC@z}j1rB5|uD4(5yl`XisCg$CZ0!0-pvEK4?iEFO
zpxUDr=YM{)pkr0MV;1}(9cjYpO-A+LF~ja>%3dPJtng6xY(RC{?YS}uiyyx?&Ow*$
zUPi`4GC?4G+>9!eeicOXfh6MoGek|ySPIw@UKM-~uSf|S!<1~0)I}hWhkz=V%o+n`
zpA3wH3P<Dl^k8M9)hhzCuhN2{DfgLsEmPt^+$OhejgZwYL=Y$Rl<U;K>EeIue-N6U
zx4h^<M!NdpB~jGsww&nz)_c7Z>4S1rY=a74M0B#Kb&}qVwKD;E>e&5ybrcuk8l+3U
zAeER$N&`wg#3S`Z!w;W{m8ZEqE^Y-fXk{<{Hf;7J4l!rQ>V8h!8&T!w%T^RmYQtNq
zcUG#aaMuuFPhC!2C%no*;8pm#g-WL8-9o`-QgX?&z?Z4V)8^6YodW8y*2_m84;r;P
zizAq4f5F;(7qlHlbkH7EEg-Ruz;I}nyw%9omwdr)nMn8p5Fxh}@5GMl-NJ3XRS3+A
zYUrg;KdN%;RzA|St&U)Sx}rlDoX7bC{FiSjra`z>(2ZG#J|5SM*`tXZn7`<I0rS?l
z;xE=b@2FkX4g@V4{xl4>Em23~Jc}Jz+7`8;JW&m&c~9Qo+g>jpyIm<VZ`N8egYX62
z>^d2(F7PcZZ5D{F=7S*hDtcwgu2o2n|D+!ebB}d9ZC;-ZaU^QJC~Lj=-~tR0#=Tx{
zl*Jw%Ac_(2>P=G+Y&QJ<ML*uDC0?A)4^l49kgAhWmZ)&$Y09d#+Z@IzYdHv3J$}8K
z&k`VQ%yxuifmv$hT}Rs1i9=L^sgsDCZSmHEGKu0i1$Q-3(F<Hye>#murHnt&GxC%q
z&g>oHQIQeyo}>}&hzCX#QCl=q<A~TAJ)SRuCtLf!u}e^jC`1Q*szIC}Xl<7vIDITv
z=0Ho?n0x0IG%#a%Ht|i~3506t7dqYUBv1MuKFmYL3$#{(4^Jx-n&$+_+t2FBPY{K#
zw!3HTZ%%!I6>W>rv1z09r@!fAxJs0DiylW=v?ZEIsVeo3XEPvc(;DwPmAJ)NZiT+f
zE3p+wrl0g>V<G7H8%JX@A0x88HXyGk<X2wY^7*GxCtr&}?crz2>;Ut<sDVk9hv`AQ
zH<28WO}gHg!Ux&|(`)^HeYl?XHD`o0EAPsi17l)&YwV4g`-Elc#2jfGYVxy!JUwvz
zx?SMZj%sm{%o)pdB&B%-^=Y=$QF@XZ4_x>wt4f~ba;}s7SK<FD`#hIa$K1~a=myeK
zQLfD3f=gB66h;Aafs`5@=Dn{oD!fYO3i;j4291F!flFra-q2fU4Si|eUb~pWxjJe^
zpOK_^?-yFlaSIlnyF_cKyO)P0ac8Z=t+D({=p31a0I%%9s1ut_ba$6~8B(laK7dP}
z;(;$iI`K|t<Yiz^rBiSmw@z(<W;k|^UO3zbAI#I0E8)7~y!3)qV!~;wqIOE#e5VLZ
zU_#eoWx`i(-7Lj3I<*P#+HkaSnd;g3JbU;kR85PxNLN0U!jqMf_N(Us-Kyb*&obfq
z-!cHo8stDaIp6>C8J2SUhDFP<3jk3|nc=Rs>T%?Fr{%sFBTZFb&{Lz6{RjUyI*(N%
z1zU@*siGh)3+C8fXX~k1oWu5-Nbr&wh*Werz^nyK%(em2eeFu7alo8WLV!>i-;d4r
zXes7P`O;16jMX0T^5&K%YG2eXb#;Y)>~JkjxP89O+w&F8cMf0DfER?76b_xOB-?|$
zo0XO<N<ZP@_~ElH{=ed?o(zRjTTKb4Z*mVG;}(A8_{`=aPQnl8%W!h9Nkzncou}a*
z;3G3^n+DJ8l)x)(NiNsz&Yx8Ltg#3Y3Vp+dwFGD#s^K@kjJ@zX8LYd4wF~<ERKZ#2
z;>(@ppwVU#N4feL2`Xh1N#m2RCA&m>I9j=l^4bQh%F9RS;iiUF6lu$q#}cF*qMk-p
z>n4~T_@9j9oWl`*&~6rxxZ9OO`d#<^D+(%#c5&5`2hO`MSNy#0YwNmp$qe=I!6ywz
zv&|hBd$;Yt9ER<=Trr6Q56#VR*v%la3nZ#qvjj0-V2Z1IW3>Q3T{!xc?+5!f*(1(t
zL`v!lL-Mq4<34Ls#$q2dZKmB3t<A7>n>T88uUIr{OqZ}<>Y&t@+H~HHdxl_No*+Wf
zQ+5b+-aUXtvWy*IzJWOAO|L{Vo#z^rHVNnn)D47drym=;`}pr&jJx#@IWq~tG0V@m
zvLy-$RGQmCQZn^cp4*8lN=f*V$4eC{=0&qg+`BJ+&%m&B%;ODaV}Xuga|VS7MR43o
zHxAZGx|f*cIK%#JN@^t=fPi2?E#E!sQU~}yKRIdM&s8s_17$wUQ~!sC9yrxH1~fcI
zE<q0e6j5@nVS-q)G7y!Cb^*w&9bx}A9iX}ut$w(QZ=7{ugf_VdL{iE+_|GW{KH$}a
zKoy-2@|mrgEZU9n!}7wlrwXgH*h=+M4F%D1bB%Lozt=hNl1s{zs17UPKEEoRd_o4k
zLIRk<dA;nVwu#_)dmdr=A=-&zXoxbAzwpXA()w(POJebtmP(Umey+Yx2@^|n&ue0q
z^gsbE<9U<M6NlbC9FC{1@DkyfU`r#c99<Z5Z$1=(|BQR6HLInX$R((nJY)5wy%dL-
zH&d-<N=QeWG=|CqYB`~_gT3f%=W^f{iFK1{p#Zj7tO%bFKZ@Kp$ZY*8OhWD%yw+K4
zJB-FQj+^@Q96oMvn|dJ4&<wVyImEER^}2L+VH2$a$0eoS`>JqLPb>jUVVR4pS$A8m
z#y6PWVJZt;0_3I)PBzd8Oy>Y!&{zi)^j#I+%*`F`bvX}Z-wTGL^}g%lX$WEDFXTub
zxmQ~i)NjU5B_rt^D|H?bws&@hxs@tan@!?F6gO%~9M<{BH0pp<4Nt=^AAADcT15Rv
zQgd!QNA%NPdY8+qKM6B#t2X_f2`uuOPi|+DNvz$_D{ncMqc)g>3ZT>hUx4q~rHib`
zm;0<y$Pp=tbTlP6-4i%$%R%b~N6I*QsCtHeQ|8MPPmuCp23xe%FA%FU3pO5ErR5ED
zlvg32In}+%ZnW9p#Fk{oDFfHd5hekz0fsk9mmTk@t=QY~3f_FQE|ro|1uG|^B${n1
zc~uHdy_Z{_Z^nrnx&po6y!gV%hq`Z%ESJ7HpP~1DDDja%;{g)Ioz0%X@m4DCBmW<J
zZy8qQ*0zmGm$VYnNT*77i?noufOK~^NVk-vfPhRoCJoXZ(miRUW74^AT<d+;diS%Q
zZ-2+$-;e#{ISzkJrw4f7V~lHzYh2eEHzC;AJG%~!;;DGdUTP)a`RV%GU{%JAVLsbo
zIkf|hZTRYU>^=+ZTM|0@Pk!oDZJsSyFI%IUwP|Z#PFz6A0>vkQI!#><J#AKgXIqCr
zZJ-}6Ec?C#V|FkHgm65|X<lwCc{nFuK4IwRUW5UBwW8oa?SfZ9y6?S&&2e`$2|b%B
zHT>2AN{3MrYl0uA?yOa`eX{P9N`tc;6Sv<hm({$AH;$X^u8Bp8!JqZCukxDO4sh>B
zUV<wxSaXiH?58ut^4yNo@l}h*L|eP75R5=BGjrdh#(8;DPC|VmlePC>wHT#`R9zJd
z`_w-l&G*FUR6Hz%)k?eLndf|Bnual@dPv6mrZN<q9d6oo0_45xR5i@cbz<ojz4TT{
z9$}a1)wlnSPeaZRqmA3?DJ?voYeKkPdhbG%K6G|mNYsLi$xQwYpz~<&udo^t_%jA!
zsWPZLqaR;Ff21oFStoa_AC9o5+4*c*qEePOU(GpN#=FR{OK6G&49m6`<$}l<U!?~+
z&231Eh!Y1eG6#q@lc{QdeJGBEyCS(}fsZa<w`>3yh*G082E-?35O8k71bA5*0{P^3
ze)__cR}Bf1n_Q9|1U)CagPnUBQ&<`)Q1gnZgr;<+9%?&Vcg!e>SqZQo!f+eCJp=uw
zSjneg=al8YQ*f}#6Fj^5I22N8_w$wtaTNFTU=|Y9qqF=nW^*tY9}$L`;Q)WYoB(S?
zKI^qaIiIN>@10KhWB7I3`~U#I-6-vD3ssC+Qw5Y{23=qP@!uU^tH}-Y`F}7+A1`>}
z$!GDXa>7S)nds(Ro;e!q&vE#VL@jKVT+Qvde(#6%x2~coSr{J;j3R}W6WPp);BWkw
z767C)mssg*4iTroEB>G@2&k-?$&Ivg<7D^0<B+v`l2qhsv*)5K+u@5nkhNw2)zmp&
z-ir2Krgsdj^g6E)(7un|tgT^jerD0tG8xg@Te7%0-&ZQT54M>(y$sIX<QYH2AHA-f
zy$8_YiQmTdH>st3#>bcuKUy)C>4F2&fzDbIoHX&W&H?^tW+~Xb?jkdY9DDw0UX@^k
zEO`U7R&@$XbhRZ!htv9c4m~ZW$*G<G0=C2PxU1${T;)teq74#>inJ#3qC!U3TrP3#
zh#-ou57sEBDxN_Z8&kWUv-55*=C&-XRxx}!r**WYD#1qpS0t$k+1nBBr^>ee*;M1C
zl)qook$l9Wi*qN_vsOn7#NR`<$OWp;tDhKmRpT7i>jSK<b~!){k^m)oV$Z!+CvfK4
zA1Sf}7<!)GEAiu&X$EUF|Ar~%1&7GdT8K-thpQS$aNPGR*8skRu%%;U2PSSgMzO?p
zgCM{VR>>+kdxYKf8rEFD8XqVx@jAUzCNUk>phF_lnG*2U?2wso;b?7KDJO0HH7;~e
z(2qpv7&=t5I}57vs=EmxP8&g8Ckyf8jP|&JdL3LnmzMPcy<I0BYB|(5GpG_Wokz?R
z)k1|2GaI_7kgcWfUDccz@`7|ymQsivI*1<}O&4iO^12>uYd-ySSr0Yo<*&IO(>YBH
z!yS2~zWnPSVFQ}S^i=`H%rf)6C~19Vz<5wf@Z7iiTgk<idpDAMj{%6ok}i>Rr4C6=
zHl>jKOs?oQeCefJOX=KZZNqDYIE;2)4z3!FeL*CV5|{0hY4aRnD4YIxLviU#a6zV^
zQPDu}v)+LD)o&?`nuqB<JjkHx%kgTDP;TVtTUbKmsSl@pNmX67<Y=YDXw!|%k=-@T
z9x5=_5hf*xipeiUIr!j}^AWUkRO%g`i;x0vBX(obT`sQ`f~&TsQWwuEzjNTe1|2kQ
zZM<f7zfS$uu#;)jDmasfqky3Z4V(WMRB4E&t^r?N2-5$ZsM19MB_&kC*ZPn`1GbN>
z1U<Bx)jAg8Bmm9|KW$mVG3;7UDYnP40LJKA0a`PAIQG28b%bc~_03_cYcE{K0hG#i
zsydO_{!%fMo6Qdar^-Z#LL}nlpp)Y5mAy{r+=I2Z(3^TCVau_1ha<``CG>()`o*2I
z^vX27>x-K^^Ypk6*7JxF=Q!$AH@8#r3CbVIjKYuXoQpj9-+1H*zl-m?La2srvOq)G
z-sm0*VYXR=28bGd&Z0Vug&mZ`=F22!+AP%{FW7GhYu4=WTqsr920b6mA>N<ZK}7a$
zZ@4AT&UoXVWL5!ng;*y|sk38f-+tbHg91=^(m2&o^<rgRZ%DZMB3K1kfhx{c<_%f>
z{*>o}%w4<GMbHV8&km3Am;gl*=ZLwl4xU+@(1C#IInH#zo7M7@y>L#s<>%0<T}aE4
z6xI=hI$4K-Ybmz;*Pa3_wg8jw7ooY!@gVfHtl&C?Y9E=rs5G6Olx+odwJNWBpV%R8
zBhSb{)v*vV50$YJue<F6=E{?L)6XfludlAQ))U(cYfHSwUh7ob1>Xcd6K|=p$Vz5$
z?{`$MJ|HLIb#fRnlI@!L()YU#1WI!gjC6Mj8dPH~x0|h|7%T8pTlOM`o#WmiQ5ClQ
z9Vg4gA<zgj18Tyl_>Q`HBy<-SV&S=mJKKzggKJn?CXSNPPv6<bg!v<wZ)rfT>JRNX
z0AsHgs81KEVUd-9Yj}HSNr0|(!N;p{nRb&Ar+<SaQ^y9Xyy?@hb7T`qYvY+I=?;R~
zrWs>nYhy}M*3MT)Lnk}DH%WEXzhehZl-D0*ZqJIM5sn;cw#A&XpDCBznno8uD+CQ*
z-XX4mS|VgU=O!5Rd#}bfev%mtCA(`MYDng^t9>_ZZa{KIT?1u|+?#O#=pPhy{fwX}
zcl#_l*g2yKmO6CS0qpaQ>Khi*w1bO8kxXWx`{g}5x5b*pymxWw8R`H4si8G{B-6tJ
zy~f(jIA(>}+h=W>Xx*Np#iEuA&FoG`==u`Q-QpNl*ZD%D>C$H`S6iR!>27ySG|_et
z8qk4wK4r*rc@easxqvSpqYVy@+{_6DP`J#t`LlAo1yrdIAsfHYSPQqQs+*s*`??NM
z@7%m2UUOeKMD@Y558}|DzhhC=Y}AEl6S6Q>+?=uyI{1n*=9SUAe~=O(<2#>O%Tu9m
zy4gg&J9B4Zb=;KY@=XY>+#9fcyxZCC-o%B?J{z5@MzvfLyZQ5mx8sn{d+-`aA1l5S
z!y|g^E&%r?WS$QqY>8~a;P0I!-%HVP5Ajj-+*KK`c0lL`EY4&6$Cq9`44{@Dtl1n0
zYP@oslE__OY6}nb;!DVBGw4vQC`_VP4{i=KP9iJ9`=4zDV~>imBVwz@cAW2Hv9D_6
z^$L=TEN0@3suejE%BH4Y8Vapcygms!mLM+#V14ZXyds8vNrE6i0a?h?>2OP9L5z6e
zbX)o3ZIGk`?2d1-Px`BSdoE%%w;jD~{(L(Qc^Kw{E8hp#=mqy4-=X<|>K@wu&M+f^
z4P@mQpykVrR}g{EdaxO?drP^(wdAI1^J1n)E<royN;6bjm=EahD3$8C*A^OdOILX*
z!dHWPxK&`SoyYy=H%`Y#p5CsOFg6(V=)YOc7d$y=wB4o~0We^hvQa;jBh<nV6b!Dj
z?Z5YUPO47#ZIsM4*b^wf2AeqO@?KztUR9^Dxqjk5>Ftmo-K>Ho?54<$%3T7ISk4<q
zuyywQ>u4if<JZkln}}_o_&bE4kgE#$0=m`^am2zBLoS9$-fbXZ-fAp}dnX0BsA~W{
z*h*=>aqKbRx;a`Ezc7e)SQ%(@sJ{%~Z9?*k_8-M4{1+a3C_r>+O+4qT_ii}HHI1uo
zJrLL>r4j(PJ2SFtJw06+0IF#L!%Ga0=`rsSH0^zEE)8<~CX<-7Bi&h>g%jVFig&t-
z2kaf?wUZE%CoK;@PEN;%oe;`=UNaT<aoSAC7O9kOHol<^J%w(LoQJl{{bUB?`pTfx
z``lB{ypsBmPx111FU43Z=oVmcejJ=3{%P1-6fEyzT~I3RrZOib1Q1oNQ9nCV0C;I_
z{Uv!6J<zY>b;6pLTYQHt+n-jp$3ebyFeUDa06Gxfkxi1sy_%?5CamPZcUkYJn%RX3
z02hI60r;x52Uvv)Ps@3C@aJsisulB#cx>yE`W@_5IYP=7pVn|RL*|S^&NJZoCM~$U
z*6&Vw$avJ6UhBIp!%(|sq2l#!@16``kHFP&cjuNnPpl<bQ{>j$!Dyjse2r34C=amb
zur|KkP*?lzUXpHVH`8E}Apd7MhAX(!K6-2RsGqZBlc)yLc75x<rMJ99+TA0l35_F~
zB6ZXW0k5`&G|drZ$dgql9|7>4y~y3JaB3%xL*JuPCf)PT@^}NUg`&_Nama@e_F-Cg
zQDGJNp3^~k{rMW|7Y~JAcgE)-7b$+68Se+4>E+>!emTCErmzZc8e3%iHTTNir)@R%
zt1DV3j)5*vgm{EEB^$4YHJuF@rg(bYUzx%xes+002T{y+3-?t#E=aShlJqC=^VRj-
zf1-yR%cfqZ^zf$5>H+84%;ri3%D6zSzngo$2fa={_x?itxPUq!?4ntD>CV+ufKYvR
z1EIm!R~ewkWKx&{`Njzg<4<1Qyeuwh-zkFlF9sbe^a|cksrfct&&ixbRCb3kgMf07
zS;RAX%7LWPv4RYvJ4AfX7FkbuMEDaW;fQ%mQvOH8&L?f0Bb)is;FpwBXP7Vbh`kO2
zmBdQYU+dP|WaODwsSTs~5&9ZEWS*SQ+omXL-VBY1F2K$K?P96PqL4;otDlwrR<kF$
zL>MP28xfS*H3HpN10G-JTnh6miEl@INokQtKHnNqcaLMgB>PO8mA=+GfeTKIN!=bK
zMB7*n9N<-?lPsCr`cfcvbC)ynU+kmEX)zs)xOx|aAy{kTv-7PhfCBNEV@aEXa?9-e
z?l3ViY(SgKVPt-9WLB_jQM7aU5hnFrwJJKnG5>-EdhV9_D=flYTAbJ7RBUq_c0*Fv
z0wmO&_QN!*#CeHh&{Z(cyr{EVl2lXRyG^-tTAz}jc(wP9vs^<G_P;qexp0BdF7^#U
zH4Luj)A+@Ivj+{7=W9eUh^u~y$1eWP#BhDZs-hHJh3P=V>GhpyMb25_tk^epdE`(_
zAR9of*jz|TV*FX9LH&kP_r)*?fKMpjxszLIfjF3<-};5<Vir0#Tw5CC^N&ys*WIC}
z+sX&nIjOkv+)`o5j6C*fi4xqQZ9?yF?}pb&^1W}TL(u0}i9(i9onJAFvM8!~2WkYD
zSia}2mLf6U$7hk>jRkhtX{RPV0DQcL=X;`Zh+$PO?3VGSvtq<%AP~q?p^ni{)mkrH
z#!9WGfi(Q}r?bmbsY?4b_2Ii)*tsa8#NfGY6to(fua&1iUVWlp@HXsTFMj%Md!EDA
zrJh)C{~d|SR3B~sw7#uV$5FNV+rCp%jFq@t($Chdwt?!`49#7FH_z;EFKq{BR-|2z
zBZxk2NmKhV+aiC^*Qim_^Sm>rmAmsm-_U>HZ<Bjix;ZSmLMwYe#2Eja{uiuPZKdaE
zZcj;}=v&|C<bu1|@MT)>51aJq?qqC8I;%qV!0#~xMp7zXI;5!<?mqIVYPq`|%bU-?
zlpcttZ-+Bpn(W46E-`XUXYW!NhG@)!$GvjT8*?XgOcJ`87grxkpOK^qMrJaS*TFYJ
zcc;0LBtmmM=n*sJk?6IKTac5{qp#7_4z!|orYwRY#MQKGH0wH`@x7?u8aKeUu|}YN
zYJ)IRs#CgTyfh-c^&H$h=z5|OA=<vVp<o(OCZz8R;EIIeVpkp!n8QMcqFl}l2Ki|}
zw)&{DNjNM5*y?@_@am4MwOp?H@}``<))tZHg(-pLkb_NI&Ku4(llz)}Jfktj8C`PT
z!n(R>9dTjx-OAwF_(bGcXE2@sfv?U_Y`=i$GdJHjy^ct;^wof2wy~2d*!|`Xoyznq
z(Z2YuQsxu+2-H~Z1engKYH${{ANxezm)qKSQ;t)BM38)-0!!;RJ_N=d*vAM>Z?hI0
zFYYoM1Ridy9Htj*>Cg%!jF%R^ecHZG-)~Ig1g&A)d$M3)zY;>TM>A98now-Khx6b8
zg*tQpGD~6&_nSH=z*kWt31K}~ueM=Df5CpPk$<MWGqtTuV!gp;c*$Lp*w(r*Uv0Cf
z(Q@NcMTD_Suip}|teHcCC$HmZ%|{~ZP7Lj(iW$Ys(GIm;u@YpA&3bUJFd6C@tI?KB
zmv%6LNM8_#{&l#=!jBnt-ib-p;b|bDzrgY^W^lnF;HBD%aN|s}WXAK3`55eBgsl-f
zIS28X-$4%3R|9!c6b1j9x>}LGt3yuS7cCZ05?T8E&*CafIFE-qFx1T~jPwGNS(O>f
zy?qlRLsE1y{$f6#)u-PJgGwN&33~>`tKX!v7?#x3Yd8#SL9IxWXi3whifXbo10}EC
z>Br>0e4#$YT;r*NQkJ73I&pOw^E)pV)f~D<00raH#?;dA_F)g`mUKGstWLbjf)i>j
zH)!=c2l|gmglq-hnr~x-9zH`7N5^gb@t|C6CIY1{fp^OL!!CtYPrlX}SYtVsb&w8M
zsA!04YVKQTXa>)qCV5fJ1O#@8hE|*}))s0f*{@0V;nj?@5O>yRl*yPq0YB8}zGVy~
z;eKm>B_XU`Hf-#$U{BkidbJh<nRMA&TO4`OIf<odiG<b+P`NrehR=K-1bd96aID{W
z9ym$*J#~2`--}`1g|sa2C<*Vj#eo1eS`I2<pv?i9C&fvSn^4*@{z%Z<s4t%4nVgwu
zA{!iQ|3!U__<UUQqF;+o$EK@qGY6^az^B!m9^%VVYcRxR(Hi)bC-lN`Ny$+f3b5+e
zza{J0b>3;z*|~#UG8a?SLApH2Ld`Q$3ptvW03!~$_63>ut^Z@|gQz?GhOmJ4lonFd
z#Y-@K?o#kuI%3WHr&n?x$ff*F-YCL0|5{l%E$n?bR1#Do`Zg+knP>j+(*b=g`~{VY
zKY$7R-O5y)!ma7ZhTXNTcmCrfSNtSv*lRUFsKy=abvHj;PzesNzLFC5yuZTlW9Fg-
ztB>TjX0vSTZ~_gHHPc@seD8!KCIidM3l^hE`0@;LzwDqX)v?m2UPqc&U|swun$~OP
z+nwi;)DR7l5Z@QPS{K`%x_bdsh1)%T$-yB~ckPBc!D?wN1`D72!C_4FO(x;B%B;~O
zH-OBB`3_<0&ypG!p+`)<9$`-j9g=BT()@ns+4J9I6ig?<EM$5%pU?-clt62@l7FPz
z-F5NQnDG&;!xcM`m7*yaioUTOc+?5BBd4KeKxpr3`~)W|jC$YM=TlpxcO)-LMBs>O
z_<95Z(B)h`l?c9qCAYQbk2m?AR<BtGS7!#Wg4tuw_`wP1@}5zxIEBA{nb6c~qCj?_
z1Dy5T9@$LMX8tUiA-iTWOR?5!{>gOb#^A_}a|WLqIIkn6#JBDXpY5j~V@yF`=e8}e
zrvV-hi7s7qx!SzA0Bg;eo(k_fKP$lt)P&Kx_fD{C@&6Q}<S!qKwO8`O^S^|*C*LuD
zad}oP&C_@@<8XxMzL8)Dr6*h=L;+ZwKtD6rEP6V<nu~T^x$CBEdPQYhxodYfhZM@E
zKQZ$0!}w~ldBvbrW1;NO?r(nZMy*zz&EkvH+7DpOV4WK|#@2Gdh(*{6Yfs`~)@*b~
zOzVmhS>w<xp)LKrMsX>g$r%$Zg-I0h_-4qfA5JAWu9gvBc+oetUyr0$d8WOfb>-{C
z1e%@zV8qAUMyW^q1xF$8MJAtZ((NI1`AS#;5yt<PG8-KSE4MDCl|`$#&~lQi0JZU>
z|C}mxyvB0jMcdH`2T5aLc^_>L!^b$vn}%&!%tvtH!qr*bbJgCIorC;QT=Q2fACCL9
zDO}pR4w~F(KJ2|ADK-@gB`O&IliF|>A?MJs9xKMc02*uilp_naM^5?;DsH^YbZ|hg
z>WwDT3e1s+a9@2;Lc=2^wQsc)9=2`63#-6o&m=@5en0lIsf$OW>yz_d^Wyez?z#sV
z7i4?Y1}*I{r=b{pxpS*T0w`8V(1_nI@W}9M2ih*(mdsJMr1H7t4NxZdomUQgkp=)=
zi%ds36NUCA)rJ!M$d(h_V%9tfRyh2?IY<NClY_C+&ADVs*gaKB2xPY8l`*ZXyl<f+
zLe$jbqD1NMOx>}z@CWq|usMK?*g%>EtK3PgU148I6P5Gu5b{M^pXiL+W5TF3QGGrj
z#|oi(#^gHgC$6qc@qGgVidn@5KRA<Xv40ED2sx-9ij>}l;KFJ>GnpxuTz4}%%hdb<
zgkEbe_Vl7pkKD;>#7LTEuUJQS;iNxpo&9C|41mXhSMzpU1IP!pK&AZ&VvNTbtAn0H
zKtBd3y!_pFU7)X4^7>#k!cyje$aYd9USY~BuQNYmp&Vl5gJExT<n7uU{(Rsw^0d6*
z{S89!aV~P_z}ywjj+;0C#`^eYI?p<c{xsVb8aSJNcfm_$v5{0hF;e%=#-RY9A9>0A
z{^rp7Mso#!v{Y4p@AwKCI2K1viOY2#yCB+kggTYhf#gY?tK|+}JD)o-{W&Z%);^;B
zG;IXv(u@N`H_P>(x&*Pt+T}9dNPg>^MJ<+_H#ym_O&eSfZnr%*9~vp<_8|r+{;9ae
zH_bnqFz^03F^(lenfXFKYzsR##}Pg-StCP5ad`Jj?P}+yHDNXP?aUu-$?Ft=h#!>7
zu;kl}Q2?BgdiwZhDUhoi9~!tIiuiz6$VpEX)E%q7eeT6@oEa(g;+4t{t2b^Y;Skrd
zW$?#if?k#ErCNu0{w^g^*NF<;F*&?!IDr;{m?B7RHSjXZ#Oo~+xw%+?B6q|a=cb~n
z51HJ>L~Jf~ILddcR6@d<U%S*!@=M9-$TZZw4X;1;coexW*}|x2X`fDbU1<<%^+ye`
z0vN8lqmG!*G!{#v)$K$o1%MPrLhWQ}lh0OJ#6y#iEKEt(yK{rz;GO)2M&AXIh9QXe
zZsZ8T$Vv}(z_1uYp^$TD3Z^fEsnMQvBG)R%qxKDVk7Fx057!7MKUbSJ-}?4eCIq3H
z&a;uT&#}2d{yG!^8@R{IYZV_IvW?6&Yd5Mlm6eV6pzC|nkDJO)wl!ayfgXC!1Tik%
z^!c^+rS&L=xUs**k*Di|*p)nL!|2?v%4)i%v&#N>JiL{v5kUnTvh~GwQbQ^Y^ZCk+
zp3gjAjh2d;;@WwOTzu?NhKDk$RLaqtT|nxsFUz%15n3UM%-Zs#By1AEMPWY_gt)XY
z{c?RsEf(PI|JlKBKcVfPXzr;w>7ymPir5UAuRWx*F0C8WeC-TnzFW73pb{#7jF;l(
zFlfgG)H_r!1lbbZT&?`vYHbz=^3;Knw9}E-%|6#yzO}LfG3@5u8rCRjAy~@q7Xi)B
z6+D)7T1-r`olEQ6M-s@z-p|~uiLz<BqjP|%PSuI2h^3H<0m?vp`io?S)wuzKgtzZ`
z3E!`5C_=Lj+@XcUI1U-kT)A+B*HN(5)L^g_$k>i0(eFIP=$`(iq?=ryZ=sLXuh{`h
zY<%}+HZG%UQPVW+pq1O4&h#0(hcxfkHZaW6>-xw??Pw$Y8Lo@*Dl`3wpxznD0*`KH
zUx6y%K#Q^ma3u`NG_>MA1QDh6;AXGmu7~&?KjhZ44WgS1r|y^9SMW;{_$a&G8p!1j
z_hHB06NLsl2u?|?-;l@T(|FbUlgpMf*~YJfvotE^WzLk5!|pJW#>srlBDboR$%LxR
z#n!X7fpA`WxZY(Q%QGkO{h3}qd%-4vWHmjX1p$DR??tDAUJ)U%4{Z6$&+LrUDS)m0
zELZK^)Ct*t>CswhIFoXCq!`)bO{oGzEn`}cb+N^CDJ|Aw#~Hw4Kf+L+S-5o{fFJR#
z1JWBH5iY`$e$FD(99$w)-tv#Jtp^LH35BNlO=%BYiUE?1)-@rm-38O!$}COU`M6Q;
zNnMT1%c(gduV9l@w&fTz{|jg1i%l5}9H_cHt>n0?46WHn_6amG<H_7TYRvP6Jku7L
z+z&M-jqW&F$TO=%1<R<DrxB$e!d#BWB%}h?W#5rE6?vL_8{2JbaG9svAJPneLvs9J
zU53nQ6VD(+(COi%6Mf7y=s!{7m`V)VRFJbQz-l%eZUqqe4sJCs7mM{Y&WfAPuNiF!
zpleZ|kIRcJ<_}jJUA3JQiuk8&HCO?RLwpu&q#a423u<sESeCHN&vhlo-QUq5%uD&^
z1&39>xOf<6%JrpDrTO^uch-0I`Q~d$u(_&pa;cmmgsAg*fx{IgW0ERGPANoOh7)iB
zSNh}owGf}NrtJ-e#jjFo-Uf*m5;Zl~e1|j<rg2C!Q>Cg3^871QL6KIjeaQfDR_NhU
zEShIi-{w|KI;&h)lmAm7c4a)$CV{M&Hb(OUDHn+Vpb2Bo_*iU>7St+`hnp?C^!bjK
zu==#vf7RVH2WKbE@Qz!e`iqPY-Y9JHgZtIgd>LaKq(~=f%Z*cbZ_gD$1lS0(Jo>l$
z+b@F;Sn9$&_8hw35FE^%-+;xdS3vpQP~MtdMrQfGJbN@W2R-*Q33o9<1V*M|wTGBp
zZ+>0AlqvJa>SVSF!gShUWb5rof~<;%Umerd&4A@!S6ilzizTREy3cj1fVzRq4T8nD
z8OE}vLbc20Lu51xp8z^cN~O@0+fq%ahg6d0T>z;LT-%&=?U}1Saz(>RPK3pGFFrTf
z3L`!{E40$bPONMW-TH2A4%$E(P*Znh8eQqaY%gP*0ApO9Xo-1?OdSBwyd;_3^s>O=
zpO05#`L;Q#VhM|o8^OC%9Ag;Qpt*w;Tgl}x|0OTNQS;+UKj!(n;igu7f(?bVv~tLf
z(R<G=8hvj$fJro?1~)D8WXJV8pc-OwUMwM{ZS6OkfVRc3+r!!mXalbBQ&H3fZA^p8
zTI9XI^UOF#lxX{^YJ2GKghj{*N2E=F=HGjqH?=tm!7HJd-Ayr5NL$VByy-dhQleqV
z`F8F9b!{?3punVXl6?)phjj*{q<Ft(g|9{@;!FhOSk9jTY*0hTJRB!cEKIbV<RVsR
z6cGm$S<qhO84Po2Ek}215=$Iw_XjIyXx>~ue5u><s>4A&{yV5ia-&){c8p6f!Y)7?
zr~Fls5@u%uZL3Mud7q{8m1!j!pkFUTVM1Q-0T5-k&Z=Ly=tPqz$WuKrX*8-J(gU5q
z2XacEkAujXc|QEYBmnI_zvY8&{#<>*76RTyn_J;-jOCh}TFO*`Jth;W+s=1{BaZ{?
z^E=rQ7#+*1rTdl?V3*!F-tw<o;IFE(hFhS;m@eI)98=T$BDYaaj(}&n604@2hAu4x
zD1>lXk6tx%VBj^@gu0Dp!$>h63~nuX9yY)9zIIvERxH>1$IXW-RvbVWzXqgGh{1{o
zjNrKr$Y@H>#5{>nJjs+?tEw8bh(X4^JP9eJ?reuO15G++e?V@fAAsExM|f?Y^qr@d
zpxo45emOgi2pDvnv(@4a=0+23cVdx0W;y^AG8TZtesTnV6+5(){2kibsJg*^t;+W|
zHYasg4P2G${u<CxF-*rz@7G*U(Nbo42Q>}kK`C=Iw>M-h2>=0EZ^&}LKShr4%)MvW
z9m@lN!oGE7VO|SHV1ntc5ldXg^9Z-)vUOm-GATlw%a31mw41FA-^L7fQ2!wtX_Ya(
zruO&%_&J_T;{H=Kk+J6r)X_dN%v7(Lg|B-`>%@V`p16o>A{ddQAm`@8n|aQ~WQM$U
zbRW=#wdrP~r~V#jj}2lSKdhBAMCY&04?*%c@V=M5j?obJcV7i$rFo2EeB=C5U2M<h
zcOKl2Tg<@z=KC+!dh(=<HcY>LM{@u=4r+}gw40S{8g+P1`kjEx9s}Sd1XDs2H}F#L
z<n2?kElu5zCg1cgkH+HrqtxcDM^tz2$ho{OHLkWQdZ;r3gi#F@7a)h^;TGN!Mk71l
ztPpqr91s?K?tzH&cuq;S;~FhLC6?J27NV7BoxSDUVUsqq4JrXr(0kxkxHYJ^7cNin
zYJX-s+$tiI(;EoK-lMuT`Ph(8QBwVU0LmYQA~M){3T`62l{};c<*PMA2>!jzA|DFa
zfh&WaO0<a?t@@fYS5jaTTY*xrP)G-$D4XX8CFOgHd%vw{r^!eI`pTvV6x@I+2<0v-
zor(S+8VvIeyXVxZFa<|<S@uZzCYCCYGgw91|LVaidakMumJ8v$1g;keL9M(|5S;1~
zFQ@y|=zGE3@in%9%9~xdwnIOd=Jmx%+ugk33ay%sMCWCC|17@9E-b7Yk~y$K*6zj~
zrkbaG*KslOj(&q}YK~~tAs|9CS6r)q`-KRGS$OW($Sl~u0EQXyg8^C6IgkP<Z4GCn
zQiTF1kyHX+X_qRrVZ$PBAeO>4RS`(U1*gF_iwt6)mZ-7%+x0;vB-;!11yyfwUwwMo
ztewQFuR~W?9{<k)^yKmQ286gEuv*nM=G1sA+&a7wnu-UemhDSwz9TC5t?yA`hlD=c
z)pwioe2SKB%TL8Sw#&DtWV6n{**tGzZgHom6D7GzGQ&oqU<Nbkfr`fr<)tH}DM&-;
zP(+QbQupw+Hi9=aKgUGFzx%-gsKo#k)riH&@pVKBX1sWAqp&y8F1-|qIwJd@%37Sd
zNg~BGVsX|7k4d-Iuzp&w07n#BCO+eC#U>l3&a2E0O3rSmb9lkF9r~r1T_OIHZ79JA
zNag#EmJ_QPtd=e&siVRVwTBVVg@mp$ltf_AGpzol_~<Yqul~HGwijEXC4g#XdoG*B
zRgz>}`6<8bm@E)HbXE}d;s9t4NIs2|6V&K?1vCUI-HsFJSp%^uY$0i)Tg}D;F^}kR
zsd>1MjJ+r?vn9ShT#c-)XEq)t2V(SJ1!PuI?!dz<KO!fLdN!>tKI9LnaXSMQAD$$_
z@vxg%A#i**T2Ly+s%of)oaqt-?1vZmNr-={S(lhHbph2(u@L6Y*0GqN5kVyrxKZXY
zD&_>e%;YT5`!Zc{61Z<2cs)>%<rDw8^Vy4)JZl(caD2$*y7$H6baSn~Fq$RkkpQyI
zO2lOoi=hs7D3jXg!-mS8=|m(?fJ$vLcH)1yRk3a+`hh?81+D|v+i|T}aRZ9$079RA
zfR1V%Wq(OwIMLe!8~mf8Y4f;dS}!ThcH8tVkB{~hl`%1vKLVEPB9FK{-+rWD)e>F#
zp~GDweQm6N`5ge6`vzz-ETO@P^10knb1jU%l;V%bv*%~r0R-a&8fdG!?+)r+V~cgJ
z*qZ=G`=fx45oievU(I<9bX=cc*mIA2Fq}-c&jQFEZX=OVf!BiUirRQr!PUXD4MkZ-
zShekgw4q3A|A>P{MS3jiJTiB(oQkR(4X{-Aife%q@D5iAp2LKqBoehfp5U5m+3@rk
zGXDbrYwTlVOhU{Yh<FExe1qp+77k-&OsLMkR~Onz$sUheBhS=r`e?v3--`#|;^T+K
zC0vKX7*tNVSxc~~5K|6bil{Dk3MCPMs7&|lTOAKE!Z5pu&#IA3ceKyrOzKmN<^W3a
zbZ&r5cw#cF7SZQh%DLJlAKlDF0ZGf3zC+*0k<FaFDT0Dy!J@(8ybPdRp3F2gYasei
z*Yx6MfRqYQOh>M!&qn9XVmScF<%wYlJ>O&u_W|vVRMgLh2-W${Q-E+S#iiLqoeK?y
z+OUyd^FhObL-)2Rq84nY964oh=n(+mG+wAv9L8HUu<=<%p&gLpT4dSiPedE^oIjjj
zPc=>I55>mhO+veK$9UmXHix(B#ns??$l||BpYZ{x;7ilF#^MIe6v;25oqo?V0{Cuu
ztvCjm-c$9_gzmnu6IYLW9}-!U!ebNlp&FMnSa}v1&$fBPW@KuE*YWe!_kv87`L9CR
z#giV)fry&89JK^J;0fzF&Ph!PK@6awSh6>W-D_-^I-fR_a-S#3JzY6zJUq2xa3Xf|
zwOKBrawdsr^-T6)kZmL$5T9WAhG3$DY54^!emF}=J5wvY%G&dN3w}{@!lQ7iLR-HH
zAQ-mrir*(rJGOVq(Vz9nKxO$W5Q+F6pnXvs_-3!|XJ+EtUyXlIQEa|AWiB-%y(2L$
zg*b7c@4d8bIxZqioU--716$w7z2Gd`kRk&VZQ5HK50ngtl`W|>1%o+MZjs%3GPnkS
ztI@*AW!L6x($LU5_nc_^UbKJ-KATnrc^(93Wbpeau$SBA-7u!)=AB$?iPs?i_|;F-
zQpLNIA8;}r@H2IYdw}js>4L{DIw@#X<mxLr($hM*;p<jM*ph?xfPER(W^zDpHpO8#
z*lPaOUR4eNj2c#ZziEg#LGj4OcYNYLQ^>_s(!N^c;+DB|0pW8V<uQS#hmK_d`IQ0%
zGvaA`_N#Wy2kV+xFd(m;t_<BAa>9FhHU9k5D~)X1j652P0OHOn4Gq{hen5HoU!ik=
zX$=jmyMRbjZDkF|*L3`S7&yH0Yybs^9>SA(W^pg2eOnz@AQThOIj!%)w(wQA=QAut
zsBupui2=<BTPtuH&}SnMpRQPeReLx*ES-@Pe!4zF*imVKjURx4Gn=JRYDG!`*LaH(
zZ1&^;s_e<c5LHdH@6z8Ts0>Kpds&;C`bmI%h7zILfc`*W+v@D0$&HNbyOHAi+)qP;
zg`@WXIwylRqU1d}u$!y0C?He=zz#b#cTuWm-6Fj+1-9z0XimlVO(L2e0w=vY1}v^)
zDR@?5`X4DMidPM&shOM(E<HoM9u`fm-cD`-bS*n@REz_fMg#x;1lvb_YOKJnS!avj
zFOVFI&$qcc5v)%O7+~}^`c;jABRJab1g=Jco5{R;gZ!5N{t|a%#^`}s=&o8qPYshn
zqk9k&V|AiSL10Tuz<YZGA6`4@&>F+As{>PLY#SOv>XBll+J1J(>C32ZJ4aw<?P3dh
zSW+X?SQWTPhi<S^*LgvQrWf`}<pH^=8uS~x+6J;BW^a%4oxM-i?mz~D^~&(J#IBd(
z1gbD2Xc|?ld-MGUhX`B@K0$F5LKb;sMDYNE(8fLbzJ2)mJ}iJl-P>Qmc$)&JF<g>l
zj>XV53UKNVvhEFmjiYaC)yfLV9WmTWEwj~9g7@oinyo(G%Q-O%Nw0;b=HL1bGshH8
ze`WPKpPkc*;A2$dR{`{UsDNq^ZVes6y@!ToS;>7hHLjg5*sFp`-S^*M$=(y7te?Rj
zFZKUvGZ3=J?4_(J$5FC{fE&s+g$HTE8~vj415evkjJ&1w3+;5$Q-jofOzO|UKRi1Q
znA?VSA7M0fDZrkpiiJ>3?i2UMLJd#{rXF<JpRJDFR06(i$Ry~Y$nUC<-mu`E6KG!*
zc-m8<+t^)kbddR;lppN}9vanZdH?q-ya^xE$~mID-y+fi$AZy<F%lxzcht%^A6A}M
zb8#|jm^KsuTkSytAa^et45-=8%p<d#jcPQw?(V9Aj0zY}qGo29p9utKJ`w+gRMdLd
z0!dFoC=N9|`|L8aWKmbSDgBQUwtq8Dn#G#I#qFH^T$Y^&1lXgGi2a{FA`k)k?3%8C
zM?;TiPycXynAiI)Ht$0;BEtx$D8$&doaq8MKP+b2ge~9f{%Li=`gi}7DU=_pluR1!
z28k=$7TOrRIK2w+AE@2?*JmFQRrNQS+QySbTd)!84NioqukWO$zr4X&1eC@f)gxiY
z+5WL}@;AdJC2T;0pW)4Hmt(sipWbXf4a6$UIC%*Va!XU!9}TMv;BlW({rT(`|IQWU
zM)6<WNU}$<>wJG9^K9oSFM5om3CZNkd&_?C&}{^mMly&PO=1{y_I}avSw3@=L)sIr
z9jE`ecm4IHum<35fg!`-&HLNU<HPX(8Iu@)QOOTS&6v_rFHC7Be;=pQ`oM}b?(g-v
z+0Sxn(XN$0>H88Bze*_b52D$B&%jfW?E<)QzuIm6;b!2T@Z0q0|Fi1{Dz!hL_jW7f
zxdmg(F?4@iSja7caDhk6ZGRZHDtwL@*UZ(62s7(x`;j%3^5D3r?7BzbJv_|wGu3DK
zs0_otzV-REL;KuY)fbs(Xk<3??AGJ99`Upanf%!JdIV6>U8EI&cz_2SD|i6c?o6iJ
z@$WD751*H%{NOq>&2V_JC;i?Gbdc~}H2~-=PKFlty6_@#w?|tQa@eA!9E#k8&#O37
zez9lu2_Rl2ud79R%IzA}4czma0{#QNQpIEER!^oR#Ol|03y*d^{^`_qLzB}HU~9ez
z08!}i=JIqrMk1?a5jdE9H&Q>*{$sxQ*O%m>Pmn?bk-J<4i(rhCLilV?oVRdPtyH|s
z?VhWK9X<LNiNLEgONhOtrSGCHhN0MXq*Zs$yF6)B79X<&_0#TMD7Y^)>*TKP`dnx*
zp_>^o)%}ir9)%}})m#uK5chFsLf1-Hc-V;0Jd5B=oru-UQRz&Tsp~M5;>kZNv;1lE
z=6?jwEliwAae(!E%$oUor!!<!Din{uwW+F5x8DHE93K1q86G-eM&7gJa>StGkqn*5
zxYdC}d2Fe&5{9gDh|mVWXNn3hyIC}<V9$=KSpGMr8h=I1AGv@q4DRw1dv?Fv7w=8n
z>ynZF56#v;0wMqBmvkRsiOHi8?Ns3UnJ_O-$n{-W6uaJbB_paUCL$jKu1;9u!jszU
zAD!ZrblP8FRSLQ~s7i*jw(?0(HG_-1+I=2A_bd)@Fti-F#&nJOadroI{=;(o+fMx7
z|B4_BEYY7&qAi3|H&*mW*LR1hi)IQh$Ceq2a8|s5B@=*L=n?TLQeG)sMgvZCYD>O!
z=iTv!Ye8t<v|6IV%wg6^ooD^quIamj3XK<|-5PfPjxhAMo%C@fX8WPo`EkGap@>db
z#lJ8R=(PwCx{03aztE9TrEGe1{=tG#wf!0UQ%c$%#ZtKUdZAC1gudnW;91=1T+s>2
z&7Cr-E9-ROWdlS2PX=y|0PWy^(^2Z#D;NwcNjUD`Yv0p7wu~>i&@gvZCJ<C89rWmi
zf=rpc!~Eh6uM|Ct0Xni~7GHhQ%dTWd24%dSHlXy`>f66|u<_!#{zYStp}8=TQJcX3
zaz+35RQtoy{D4_Cdm_n^J$Pcriur#k>i&B&|LuqOKj5R86qWXX#@A}HzDook2;AtG
zm6TBnafNtywIPu)Jo?8R-_`PoHB$||6cRic8lmb>p}Qhg%?T=2a5<c1_Qh1(Ot|=M
zF_+=@W<7_(C=zuSN)Qn+x8|z;{$mG(s~=bkZucjl@wWGkd`4!%yX$Q)|91z5$_~&C
zT?GIf&wTH%LN4zvn%Q&YVmS~K+REO=-BGt@x$a9JVGOS`VbTJ_b`p9`XVDTeaJ~NI
zI7BrIpx`IJtyaV*I0QDK54hPBxly7A<$|s!bcHW{ToEKV7rb-t@9AUs23}gU3^#5G
z<-l0`&_n_={pX(Zzx+T)4hxu`V29ufiF!maWlOGiTCaGY7m)duKaG2Mde*{(>FV`I
z*w9_!G3uqCNvR-oJZ@8NIG2)pYwj$`3gv>VGh<t>>g8S?O9H?!-R0hX!+s9Ab#>_;
z^_%Jol>E07_di1xLH5bpG$ay-&>7zcIJ3(na?7Vw563-+tJ4CWqC_J_l2!cAP$&da
z;%y@(Cp;0(?ns$-6Yey##C1P30e)P5a(<s8IZ^97fLO}Sj=o%c{%qFng1PYVftnoX
zkz0JI<>9o1c=`XI^0@!i<HkC}n+c~mOZ4OaZ`u+5;~X5l6#mbX{NG0AKV$NL8xY{H
z{~442jLE-_z`uU;pLOz|G5OaK_}6d#vrhj1Jtps$5vwH=`LzUnFAlP9Pul+H4Llah
zA8-KC$$zlf;zH3irO9uyz*%|yw^Fb0GkChPw<2*De}79lI@r(ZXyHtUfGu_`2wtOX
z)1nXB3}^tNh6}5lS-ihD6DAT5eKZvN?;G@3ys!!^8@kzerCTcfUs+_Y8}OUhT9B{)
zR{w~d1pZ4C=i`$N;HQ;@{mv{<v!QW72Bj%SUgW`njDv0#h<wcd_lMNN36=hk4_FA`
zv9d`#{;D=n=$HS}0{A2MB2@4@vFOI9(Er;*RepK0F<H!_*Fp?jo=}m?_2gij1c9O!
zIS55uwG2@N$a=9TGXKuYdnW^{h%(5YEjO@god4f1_l|rG<-Oj}CFMHWUpHi7HQel`
zFOyvZ$v^?(9SqDAh~95l5|BRo$l+hOGfDoAJsX{}6Z-ee&|Hd~!9NwT+FY|~@Y!GQ
z_mLl_A4I4h<n_0#yVn93xT*%XD+k~g(3Ai0;6NC?dIuCbifOP^n_s|(Ay$h7xn=$}
z0q@9}QN*cVjr(yjM<l2Im1+7%(h9qCtVP7K{w;IXlmiA!4WCsXXu^^s027@5gqKVT
znCwaToFer=@}GX3p;-TePM=5ZUkGpVVl?0Q_>J;k?-YCdIG0}7CkTHVEYRa%?W}GL
z0N2kvzbCts&xE&L0*j^c%j4?7qIxlkh`s9m*CHYJucpFE{2>cBSIwkn68_gay~zaT
zFOpTX<!_ydj~u{YY3eq4J-Q@5!}`$t1@@O06)?YQxS>UQ=mFwzbL67@f45bMO@hzC
zNii2rOX?bs{p&_7-2FIz#}d8xe=U7rbb-MFMI^HV34bgsY_YoXlZ+U^?Hrg6#YvDz
z?ElM!{{a`!hM+Or1v9U1sOwd))d2+zVOVv2=M3)MV#m((dbT$>h`_5dahiMqW+Vy)
zSgLF722;SGz5xR3%wlu^nAkt2q*HD=pJ*U#Em}Y?AJS}Et8vrIa5LvPkj@G~?25f_
zkLD5$M_4`gj1B;+V4P*wjIeLr{HC~nOrOcPdYdbS{{&8<W^O56r9O6QSd7pj%~YB1
z>~L&Wu@&tq#_x40tcDE?j%t_YFV?jJM>=~IDf{^n*BN)MhaJY%H3jfo&%&cgYP9gr
z9Hg+YwfqP`E??w+c+S-ddvVB}7MPky+E?bcvi3XQ3nI!|XDQ~K&1ihCHj*PfXo0n^
zs$(9fSskLT<C4hzaEm4ph9epA2$1o*+Q46(-O7A6FE}jV&Yp1QJ+14R%e~#1u;F?(
zzXa(ln#BCp#g(+33e5X9b?@yBHuo}6u93jkqhw+6{7$EP&2$V@{K9Nqe3%6<KLolR
z2q}a$dtO}YX5wxs&9Z#7Y$gT5=M)Ag2?4{o^~^sIQ&3~UO^nCBzpo%Xo;n7bucY5+
zU~0&)<K{5DtaT|)nJM0VmKsexq633ZNADU?+zD-DOs=vWZ-u<K-=<EU?^*P8c}8Zn
z@PVwrVJjs!=J{5pXNxJG&*d>vh4Fw%h3Cacrny_r5pufbwUzy980{?P?PY@XDj@w2
zj%ju&Z8~{je<Xr5UjT7~avYB<H14f^bQ!y9l;8ArLr3}e;?J4W>SJp~kn%gR<8Ig`
z^_gmEOV+<vV7Hz8A$XpUxG!#At(-sTzM6x^f=8R-6g~rp4Rz8c4c3@L-&P!VTyz0u
z8gXxVhVF}hyepF1jb5Elmd9spIn9bZv-*5T-Ni-ae+%!Rt0!?|zt6!Hs`PF687;AI
z4p5+snK5y<y|o)hQi3F95g0ka`tTwVjDT(DC*^^T*KX(fccc9^r#X7PTV%!a9GTAT
zf<&AiKpyhaq9=J35L}Y+-i7!+WXNk8>)lh^O{H#y0^G!(iAYW@bYizjjv_P*j}@0e
zbF|LaJ;aRex99U^IUXf|i@F2-$wyF(UxO~f)07Uk_n2Mb&+(IWyiy}QwlZov0sGy8
zEW8jhy}{Rd%iQL~fKN-zYDuj=m!bPR*liKv!(HE-efgi&?%u~+`o8&+o2$JNr2`;)
z@^E%3n%zb6`50nOk#uhtLIs*w=;7|t64Yyg_Cs&*{U`OyjcNV7!Ai$1E<GvHo?T}@
z9!}EhO$5O3yee7i?I`trfl8rMMDs|-IuNJMrl#kw^*pW+jsf|MM%v-k8QH0NeVy|+
z_P&rd!`8cVM`nr%f9sMy@%dWcRgV^O%Ce^R%7=2Rrd9ObH8fU1+V&kv7VZbipLL38
zil;wvR=+-vU|w4(*k{VC)a{+}5GeAPWTA>7c`@qYXW(Rm&3!uBAs%CMmlvYq^kf0H
ziTf$xl>Xk#apJsrw<i4U3pk-~zC|lF7C-eCoK3&|u*wz*uGmbm??A0t!5q|xrY2yw
z%j2lpHoPfmz1p<=S*NLcGh<!wu`jnPT~mg*z~gM2a%ui3`X$THK&SgsTyOk*T7TI;
z_h(rq?@b=yWD3cp_=1jDU7OS>wlJUloz4c`tuYwzVNqt%<5l3V_NoA$<@pmB<;}h6
zRwQ&}R6jObDOdy%^5l)lq@j6DQl-OZ1QRZ3DWkk53wFodX=M!=Cg~DCiXYDUex-g8
zM(dcBCuxuwVYj(f`!)MvaI{%nvflV>0j9sX@@6=$La3bHML*$sySl!oglsxLjU@@@
zFOPR#RRYZ3t2aqiQ92mFT(ojvl)rt(tToYnG_z*e_1S!F-)K*zNJEa@a!jk6S?|rr
zj@aM@{~`B^!_mBLtLCQx*ZOpWXDE4@PoDPEDx@>hW>Rw5^^RA$ZcUgn4HK_dHoc(D
zc^7Zou!Ig`mdj+<mJf%*1tg{*qVI1dQ;j*k+9cudGF%q;`Kd$s;50R%bD*q=AVn|^
z-p6PyY=QQ<dDY}7!*ixH(@MQb^Um`j!MC-UB%R$+hdnqSuk`YF7i^pE@qT`DRM1{J
zW+?4f9l+la&k0c%*f1a6P3*~M-U$I;z1h7l;y5U$P5H9rR1m1=9?l@By?geUZVdmC
zZfGhji(8rpROHe`1hS8O)?-D7@$4)VS#4z%I83CXK7Ri;nb}insp<hcM+)lUf}op1
zcw+hV_Vayks${Kcm!&XBztLmJ;kD;5yFmC23eLOp#^$4dO2Z?#Tw(=~ZdqknPK!hp
zc=Z5Pb<Z;A1TStFQgc_iK;h3s^T!d+bpP(s!XCR9(VakshE%UO#S6mva1s0~E~l+X
zmMhzO8XQ4qOUT!SD~s89tkc1Mh4LY1`d3`S9xiLskxq+GH@s!v2e*A?gM-^t!>;~s
zJF(ipX~Iqu8*#$$)TAf+3#B~IMs=O^=C&y*{u(Xs&85ArhF@4e#3i{<{X*{s1(!Ao
zyR5ZhNsy(OL?}b7foQZn#jO335Vjjn1m<l@^R-Lg_qK6zn(u<P7&b^7NW9Q{IL~k{
zNcgar8SgE|PlYd>?$LMGfuBxsclEtz1&1dymIRPOL8VPo$Jc!XqhLUYYQbGnqQ|=l
z11RZAd^+A1ee(7-$y^tINA2NEyF+(8q0H=7PLtLQM2_><V*jF&o|6@1$RER*P3<5^
z(w@T{V=bRRh`AW645lQL%<bplX#F?R=N1rKEB=Wnw3SsWj%o&Yr<Rxx%{$ROdqy7v
zV60WV<E=*PS@p`Lr!I<|ej?re)at5#7e@)3ApXkyTzz2IHEPZkL={{qmk6`J^IQR0
zmPzHS!P?yF{Gm&KhYA>NR;x@>wXEpmWNyrFD&pyyV}Rehm3b3)lKPeTG>iSRKT^0D
z2G2wr?A8me?`gJu6p}fjf+_q4Nk$)F2i~;_mzM|X8!Z={vhI0(83FSApUV$t7y55z
z1r5nYG#O8CKgP@MaSysS8qV?#477=y!{IY$GA1!;e;`ZagKqItMf0D~@m*ixXFbn-
zi&+tquqd^4$UE!0>P!_Y^=En}^=-K6tsJ@b`U(dqvl^WpNEh%GtK?T0EL7@0R>D{>
z@?L~D)DRV_SJZl*@8Nm+LKvTa%*TG3MAN?W^l2Y1_u8qF;qA=!IeNJ$teW&_hx7Cj
zo#|zu5I-lUl@cFqGWU3@T^9VCU}2Vi(5p;lAXkvY78$7=C~7^gK~%xu+dJ|imHC80
zhE-2XCy9u|Z#I{gSg2Fc;5`|snb0*SsW#gaTmz&-?_A-ulx^WmE-_jFv8L~)fv#GM
zjLgH%`&05(_rE&Y+XuETv0fq7I_qxx+#GDt@j0gn0jk{WW-7|Jw@?KJh6zp*pOBZI
zqVSD}c@$cZp00erO5TOx|IzgnSYKb9)7=&B2)yI9oCDQk$IDg(QJ!(a$VPUaOdx0Z
zTvzC{*OfzK2cZs%dUBtXE2lq3ES2bIwXL2Elvck6I1C=I?cUqo5OgaWvo?q~-7L*3
z*&1ZgEt7D;X+^HRyo@?5^>m6#;e0vcXw5%+K|~a@b*+-$rzQqcdDB&;S=Ny3H`~(-
z4>w15O*NbC7&0``A3|D%hIiMIKeYRp${F+|@~+AH`}i1?z4`cJw21S^aLRyug2`E)
zP5Xw*f}*vSGfr)CtIT;+g=pBpD0Sk#D0pi3F?&V;GJGI6&zgiEoE<CNqg5cG&2)3f
zxLYC^?NpL`e*`MuUn|KGD>zk534SfEa`>!ks_gZv=Z4pnj*9$zg95;h_hh+=`ylOP
zrtr8A3~g-0D_h`E4~uO3+OBCa5Z0pLAVU{j_QzyCe1G!%{$c|^M*@`MO7J{}IjANW
zs`g7U$2jfnDxeGH*h%deI}CAtbJ$_|j(i;XkBif|bmmo5yfC=81K3M1R6lbU<)yHB
zhIJ6YlA7>2n^T|PR!S}rzhxOp1KYcu^`M+aj0zdPix%cbtgd6bOr}$em(igONmY*%
z?nhq#(&RB7wIQA?FF?{Xgi<_OhF<4e$X#_h>%vR0r25^b(K~%7gATDT#|;VCrFe-(
zmmHwhupo@@PrP^QP+r0}6@%J}jba4kBY`}H*uFE4A@y`Z5>A3hQra~DvG$m+)Kspe
zVRu*>;|d!DMkl)xrgB#}JH&$gD&9uhcQqex`99NfhkL`V?kYQ?94__-v06i7eF6aa
z)Xp@zmKCb8wIsfpV5_J0cY680VM5bz?-#ub_)Xg@<kTS!_eqv)(YZdn=K1z3Mu}s?
zE^7<LsES!GS%)6>Y>pn(uQEJ<dxbICMq#e>jDo+H*7qIjRe)mwUW;EmCL&Te&kT0f
z1;5aGjwe*M1>{JyxD!2gtqe641~*i*IgVU6m)f=7RJ<-WiF55&7uyXm`;T_hyXWow
z1nJFfF31?Hr?LGm6u*x))#mhtb93R{x54&2B2TLB)tG%3zOF;HKA{Xm%Vl!U%kQdR
zwKI-xB<oYl*CZA30r!EfZcGUN5#{;@Hr~~bJ5@j@Aq$Nz@|8Ab)s=khQ@2{%2bCu1
zLE06f%-0Wdwh(WL!%VoYpOR#`HWZ_;A(qS;$7`iz-{NRbociet=C)erj=yb)-l^Ni
zaS$C<%9Q?JWW8lnm21>4EG|kKgHDm|?h+&f3F+>VlI|{P5Lke8cgLc;ySux4(cpR5
zd%y2@#&>?|FCFmAdtNy)(mYz0_1KEvrfTfC+svr#BC?&BBCfhVpzeogrEo$#!+p{w
zR+~oO^rlgn&=6T$MnfPay9cbQS68YRS7%<~NfnxiJmO3VO?SB(B_m6i8#aSD_eEvT
zc{;zX1^c{}wRA_yZywOf4f}KAHLW}l@<P)*SIAdMwL4#*wcHmTX7^4xaW>I&G~GlH
z=(aiep2DpkTDO3uvUFP$rp@Tjt$RlgF6$Xk?YA(+)%@Oylhki(-B@#j)QRdIsTFqk
z_O&wR*1L0dBb`<}20g)2w!8;`iymWFeKyth!fa!ASuhwllG}H>`gpzhWOa<+c;ww3
zD~Y~fGB#hLeaLXPSV8u8*=#O7F<-l+mN0x9_FxtN@{>VYxnp_k2;8pDr<dSTg+Z^%
zg;S9A811dctlr=k#?#Z5zcSC)B)_!m$GbC!=68cf=|O8R%{ClA<XyTTL8l0<WOQHr
z?stK_ghC!aB>3@!&${E?C%L|VUkHspxZd6zR3GX1Am&S4OO6hl!Nq03X+wEK`pyxu
zr3c&Bd?pbp{G3H!FCP#oI8U)%XkJz?tQ&PWJ*!=@@C2DMb4$wSBZxy-5M9`&+S0SL
zoq(*K#A?e}Vl0gO$^cU`NbM-BpHt4L#f<h8iu7{G&mRDQuI66Yh1R?6C-w!->#$;m
z<}0MS(suyhBY8oXmfl%JIJr7GCmGi7s6kIWN1Ka$f15(PfNmj@HTpw8bk1Lq9M-m5
zYW*Qm;SOYESGW|?1k~2Sr|)e`7jHtHA?f#|FLq^e{J#{<triPS<92e0`%>zG^@y&5
z>j?%CA5^q$!jEErV+s`KfMt0nhIe?kcafN>Y?JwoA*+vOjLNq!PnV3UMXh1|t@nd1
zU<UK~ji7E}1VRh!)>Y9%(Zx*#x)jZ5uWeuJlK#;~x+ffagE7C1(Z9{py(?$Wymu7d
zZMr8>e&`kUhz_t#UPa}O%QWXlRkG?0&3w)8HlPBH6Rqp@vpP;Ow?HX;_rUbv#Xi+r
zOYA3mv|yaE!dg-y!Z?j2KMoEF<L|}g?EJC(4@(OAN4M*)Z|kk`s195?szrjH8)@bk
z!Dy4;AVH41Ykn8Xlna(M5FIbVOV2Dpl)!gm*4p;%-TGeUKg}m|!@+##sj-+)d#i`@
z>V2zOQU*1(*V}L+=zIQ{0=0&I=z@<V49jSI#2bGrdI>2V-Jx-}riT<2E|)>yQ=>RT
zFJ+tj7Q^vtF_em?s!xC5mCR8V6Yf>NPy}4NM|R!lf}V^53zcdXl`Ds%Ud>$v)xnQw
z)9gQzie(hE%B+J>@aPYbyXu=&rYcP`p&~f-YF?wF*BTtwlr&39^U&XhD5krkHOeSe
z_A`k2@$2neRJz{xpQOBsd{<25Y<5)pR#v^@Bi_f#;O*Pjt7rw4XhSwt`#0xqknY*f
zYY~E{2Jh|8pLf+g!X^Nq9Yp9_H}^bGsUHKyzp;Ivv1^$(-P^e)kf386&YQv5+<pOu
zUh`TbN*lgG3gA95+98*2Moa{4I^@VO(qC6xbE-DjUQutl>>3_S&9h>?sn$cZatOM!
z+W(nse(^((Wz@bIUp2*3o!Z<&^Vc{T<)Bdm=1m^?p<{g+s$<FdXxi2syP;|II*qR8
zqQ&Mk_tZDwqYQUweJZipowZbhdl#l8XRv)RXO3?uR8;CG4KZBDGuzAFXn^jK^fFCX
zw0slIJ;TSJJq>;mePG{#>N?HmsDyNeet4JW-t^7AZXYyyZug`<6@abf91Q)dU$J>u
z)^%uI9KUURy-K4P!p$&Ime(SlhuJjhI-Mfl<biTilv2_EjI|L*-Ek#(m23<Y?{aX8
ztI<BLXk~;@IZ0VeT(W{aw=kt-ebW!zfc~IrLnYX0jy}*P`j*<1fk~Q@n0v#ML6Ly#
zG*~{4J~S!JdZ|YsY`_}}YKS|?fdu_Tp<=OoA8kSAc=|l=32w={=~eU+Ns-Ogl2EqB
zsMS_+8IHAl;oTnoC5lYweUN5Q?!fd5i>C;nDtOf9I5yW_Y-~NXZ#cOHuZ%2qBlx=<
zW|vJFiHk<`LU9i~PES*1=Uv?HkTNX~WgI7{CwoG9i|Zz3csnB$co{W%Y!kX8zv6>R
zLyK{}JYfjKz$N%!bG&XI?iVE2^=@{Otg3jC_PP{H)mH>`3iR3KTdhQTg#vkk#WsA}
zJ#u~vcNdiWvyiLIio7B=bs=q^LBYw!Vav7_=nRCji(g!!iQ4%))B0)cTojJ3A}Htj
z@pBWfr}T<Q5n&<_6X36zO;ty9mg9zG!#o8^!qK+8;n$6FYtKaJ78%4o9KRM=al85z
zZ0n-QJF(F2Fli$5mi|voO?Vwtm`W=n^l-t^6g(=VoHicGR&$^@#Q7?s9m748X@vs>
zPpX@MTGnXn{qYTvafG0NS3T)z-(fbj!B(66$JLTMf=e82BhtD8Ci82>3geQ=NxBh!
zF1w1(Huvd+pe{c<gTbwjs5~WFyf<%|gqT4<k@?OD271}>U$@JL(oS%wl{d(UB5Vap
zZmTFzL7><eF-)J8Za_!g^9kWy+>YR=AX&VMBWtz9j#J*rApM(cfOLKlCKR-OyL%QQ
z8aD8Sy<th9+QcUEIMQQwxQ89DdU)FSQ&a|t`HW?1Z*8Yh+u@%$V~M}G8xt1<y~Zcf
zOoIH-U7eIwRu2Ac7M~Rr6wjc(83i-G>y5w+k(*(0cTV>jLWGB>A6D;Kc{lrsRzr_z
zv%K@dP##5Kv|^yZW3jZ>rg~tsto8Zh!zWiSx_QsIhP(v|1^5H?z6KG5NE_)W#a$8w
z2CW7mIuEMRn8cP(<zEe~8Xc`E!`-D5Cx>G&Q<uv|Nz5#cX3$*#BY9WfxZfr21X}ey
z19p7#kSE*y+s<MqrU%$4vfZI1QWB{o(&%Sz7y3v^lEpV$znemQsGKPjVW46u_ey+}
zTaFf9X$G%$`tyk20bp4<e$bNTm>C{(rqpwx1)ZY*XrV@`ZEXr=ED3tDI6dP~tXeCB
zcbB+7RbjPO0J$T!oHxW}A>0`=X~##V$Rhi+$nXc+YGp_e31i8^Qz&Xg(Ji)mz0WQu
z(;;W$DYey+q{e)>D13W(+A13N10uzrQ0nCuEw=rGxjCod^iQ1ZLLfmD>W`@wjg;RS
z)j`V**U>$##*4pT$4E0RAD3B5Sw%itHn><;R>InAj(yW>8==?zjDj*T4NJz4+7gr-
zuEA>$KHwu@r&Ht5DORml`~qjSNw^ePF;q!ze*94Hg4zAB*2uG^<7diSQ3C?iZqs6g
zc1!Ipj=#+OFZ~B>)6g9(DDKtCK_g6K{iO-d?=R$T6dHp5(Mg1iZ+Btf9nZC>C=#;s
z5Bp-6)4N&9nM^<ba_SbGY=>L;lS^N`ZNLt4eT=YbA~k*mYl6fy62Kbw@k_{@b(js#
zmPP<Ay+Nq}IP2|)pVnM@ZJ$tDqa@s-q?^M`vMf7)kU&<o+Z~SHyd$BMA)<ddI3cbK
zZEBY&N!b1=$|<K1oc1s}`Q52F0!ly7#MIk-WfD|?Z9|N6r_$6|n6)(hRPo5yleE+%
z8(5&gT&mnS!+*fsK_FNun>{YW&|ee~&OZsY+A*Z$^c>I&r(TT2;}_K>N8(Q(#y8!M
zQCuz?5uWM9(eJ%pR*Y3`GE5Z_D3`_IJ;xi{V6hvr8sDe~hgG-P^cot5IA3}6UzscR
zjKN<WKY4Fg?;|x5D({v*-NuyYcjdRI#!&xZ`$0{kQkZ(WKtE$h5f*%~S)2<)59R0C
zzr6uqWmO0ya^2G*l`r<lnp8gVW1>K?MhmOfu7K5$qWnP^>$3K61U|oGzBge9nR#l(
zA?`HCTyQaAU+m2d;YY%;{qwmXLRb`Y`CXDaDDC!}ctJf>)Abbhy>w=<z^*gz-vj17
z^rj21zcm!Fk$t;#@?{SWT9~ENqw7RYDiQMx1#Xl@oNZ9O0|)4%^r9G`{xx&{qcghC
zyk&wjqB`6GnriP_YRqS_A>dHzMP}z;!V<7UACoy;O8Kj%4k_~a*0-@(8x`v|uN%K4
zDHBfXttnGyy=4~lpG8^ro^k(G`isM)Bf)H%na`{(Uk?2r5I}t69TbXS!eGn3FrCKi
zwQdmvQ)tDMo~Q6oG)sqFwJWU<RJtgNV){)uPqNB2V%}r3SNfevvit&+n+7<Oy#fZY
z9pGqC{S8DRIxc)QIa%Pb?2YAjbtawh833I%hf0np`t6{>H3YHkcPLZ*72WAxWh+_)
ztSpRx6!b#$o;uVi<3@eDSl-}i)n!O}CGx$gk?2foy>SWzf96?h++Fx8K(&!W>-DPM
zr8u#A)sMx(!L6CoMl=nE2H(kZxp>f!aS)Jz{aCifp&NH}I&z2`M(NY>AJ^Bxz%9V2
z^)gcldc0@o{A5e|tt?B7)G#~xI$a-1wuqs0f@-*Czk!PTfzI4@kujD9IY;63;C3B<
z>()gxm&b6ZNk^Y@1F3gY{U~u?Zo+%`0KCtYPc%=M{a~0Am`#kn!29$jPwSe<Y4-c;
zQ-%(lu>*L;Iz~RCh?*uQk?}ojCfv#|hk<BhuW&><snp@9ps{-XA(N0D(FxH9(0y~A
z?CW|VlK3qpocy*r@c<G7DwOn267c{P9j`A#3AjnGQY_po021TD&C=oYXE4g|ean``
z=0zt9QiQ6`>QF%HSi%M>41QiBriDceu%#>AsAy;zf4AAW4m`BRx^dXI6c;(2%dnH$
z*KCVGnNw@I!qgDYKct5aKBAcFy$X&Cy~+uMnokQ{i9qob?QrDC7jlc-^pc9{d>%(q
zE5<xco>K1xw%BkC^n|_#xSg7P{GnJ@gvJlCTK%Q6;fw&$dj%qs_%P%%B8Hk2`a|hQ
z!DOn2mPuUSDF&xBaOgJ?_pmF)N%4J&hGTh5!o5!Nug}*g3NNGU7+Xr$WacWM)<pP`
z0;pjoN3fcvpGpYe>A~vxJp88`EN>MkcTe(gucA{M<^?Y)PI3lD<)_;+c1~jf+0R7@
zD~-iR1ysxe!VJMh@oybk<?@9B;|fQlRoeS^dnzOeu7Aa6O29JoQ+7?Yz)o8ykm!m#
z+ilR~Z4W|#VwN>Od(Fj>Qd!dw)+V4#)SHK)Z+vGy3E2JU4-7C5J_oV|@4#<A7Ci=>
z%S3p}cs{Jm=6*}{`@{n9`C@!`Q&|U0^pN^bWmt|dh7Bw93?Oy$-@+bJU=~!<IN>;b
z?Gx}trby!h0kn!|x7NX&b7_KHU+AID8`Bo5;6Qwd+duGL_`b#PfxVBCPrdWOI!Ze9
zjouAM={C+o7u4A6wT-7RXL?RcZ)EIW?wO(!_l;wNIxWH-NK}|~v}sxw{V2eFMT)}{
zvRWmy8PaLh0>dIB&nK+3>8kO3Vspqd$8%%}-9RYxjXi$@w5peT$gRkr_<F4J8<_(Y
z#M7a5m0L5pc;(e>V8N`7M{Xd%(5K(z{bM&6Re!zLmC0J<n-)(V*JB<!&!D2|S+mK;
zN8Cn6V_dxliuzTg&|29n8WvxP+EXhhmdJVz>_5l|M5>ByMN}tR9qP6U^lG8fFX^xe
z4G;=Dr8HjLD5!)iYsTlhXcj1I^h|_@%DAFhwqm3ElAS1}p&Co0)~eQecNQlhu3lg-
zwEYIbgdRNTSC}Mh6R=BUdzOI)@9cHfN$2EG;s?WNoppfw1HTN09_;ek?!yo+S+g4&
zhKiO;2@n0?E7mD_4pT%Z)0)o;n#hmIPUZ=HZ~RfFvhI2+RMT_b1U9|gEcf%2=Ziz4
zL1c+@_f_RhW9FPD?VUbsSiHJL!JUN73x_@3p{Bk+?0Bb6p$~U(lQ`JLYXzdz{5Jn_
zyaq($S3b<iL2gfKGp_=k@w+`dZ`a)hLpw;pyNQ_+#z8qV7E=K;#fl#uTMm7h(z|c|
zKAgIFASg!t)w&&4_hY<wTVJ4=wuT@CbUdC+J=jUTF8FU`DaL<FOQU(6$bfE8K<vCH
zJ{HGlicE@5MyJst#|ORIyyF`ih*=;uLV2r9G=o6(jyWB5k|8KAh`9=1`$!2<Jy9gb
zZZR;fqzMIP4AN2A+F;?gEBM?+rhhSI!$RACU3At=;!h3Iv_`9=O?>;rJ-N96uz6jQ
zGnH<$+8%yvuKXLn$ZU{t$2b*=1g;Jizqn3b#Bke0*Ry~&#^M(M)wZNXG*w)ui*yej
zo{Iz36f@{mJyB1atKhryT)q@jFA`H*veb5=*Ylz;W6jRYx;T@~{?<D?gjL$@$Ve#E
z^$uv2aX6N}*;`g?vUcIa1&;d)0LA0<=pNk!sirqa^OpOjj)M&~3bT9$OwGeiZj#bx
zPty}xA7V#H`@A{S2$kN$SDPxRl(~0|TlooI#Uf(~P@!%vCG6V(Pp&)|8!uIJoZ~ZR
zCZy4sqUpT>a3JNa<z$6B`DYxp4vWL+(a{oN9y*_3>+kVCu}dK)`b?@fu_0VI{!gb~
zI(^f_(#@3@R+09eq$};m>g)%>ZU?=}Hs09MI9a3#MOY+gt?h*1ys;QMEdVm;3cUrz
z0Bc(39$PeVS^D99GrV=@Kx#p3QuE3pEs@w5Q=qcmpPG)|v>DFAvcmX$;J&7uH_zw4
zBhyv75{r$e9%zxWb&lg5N@!Y+X`VOzaX{C5%E?)IAw^li!*DXk>N>q9uJE58Fd$x5
z<-5s#C`eM7b+z0yLtnckop+rtK5hT8J7V26Iy2W^FeA$I1j+7kQPf_(2s|9mC3M}(
zxJy6><X6}E@3V)ka3560HnsbRKUYFOma-?3qB)QqD2Gw+tu9oJ@*BB)z>oM8Jza1Q
zi~jU{L27nO8NW5%(UZ3C%2_PUYIUU;JS=s3-A}pLm7ekBj%rGpR;GGw+9KJSFB|fH
zes!8T%xvjE$q`u2KFeq{IERb$1a;C%uL&WNDeSpoPU$t|wKF~8Z4FvLe*PuoZHYbA
z8>l9>x))lS<*&V9K+$F17e)89d^NETUk!X7nq#+&Q2z8-Y}GQFw<DGS=H69u5!drX
z?(cgad?mSb5n2ZbP6ikAAL6wv`z3;S?Wyxyz3!<;)d2p=;_=Kw2c&+5JMJ_E+G3e|
zsO!(x_F#H)tw}3}q3^*PV@UUqgW;giaX+u;n)%b@ed(IO=>=A8u?;57nT<AHK6PRU
zTOqM%wlWa_IlVZJv{U}^GYOc#N$?9(t^6Pbp}-r$b<QU-8A<&(Bk&tyK?oL1U~&vJ
zSo=;a`ct8HUt4)FmRlBum}O+Vz}mp2cfrb~|GVCWzuLrM6i=ykk*`RBeM%^T`p}~{
zuS1>as#B{+_dS$x5G~A#=~o1Z2Lo|$EsQ{*-7zJC%kJkgAT$KL1NJyYBE5d{CbHN<
zL}2fv(<RAx4UP$DXZ1~LfAxM<)feGwv@G5BdvF{S`5b3V-z@Cp25N(dKn2=*x88GT
z9lbIzWvA=Bl%at9ki;^02guMdQsSiiVCn9O0-81aj^7rHO}EKmzQ|6o6({mEUqR|I
zq+q4?3mU{d64^wqMZKjk7$*15J*Lhx6*!#bnS8BwWx5qWV$YW^iQu6xXVaG&+>ApK
zUM=~$3t@*dwiAQ65VZ~m&6ZYMbN{#%^+BselDjg9LhczvRK>zuIaU;!Uz#irJl^j-
zZH!p(R@NE0FdSUd58F19{@eU9Qi9dtz}ZYRj2wX|xqdD~REg+k6vxmh+AM375D&(`
zraPWkipwaZ*Ylsy%hZhM*B{C%K_T&gN+osMfa_<mSo@`v3Wf|8r$=ZU6wtELLP3Lm
z2#N)W!9cV4Z)#|(-#=cQed7eb)8c_v3kuUc!6%X?Vkp-F54qmn>&Swr!;I>V-(&Zc
zJ@-hkxlQ4ZloMr03h=pa&&18&YCWJ08+pCC^A;C#HdcgriZQ0Yq;S!Dql9u*bhZ-c
z1lwe|-!8jT449cr<ywPN2%e&dntA4XB=^L9k_5^lwhNVX05K=vqB74&B5)N153U#@
z1_yi>CXPj4B$m6`0>f4&3IRYV-@LSG1Fw;bx!fBj(C~A@_1v&GmIG~AQMoj0*o;_s
z!X8s5n~EBXN>d`Ud1cA2!f6)d?w82ZgKv(k{GdrEXl>0W3rTuc7Y~7&jA@HJEP_Tm
z@y+Nta-T^22tVPybR1D7o*^Aw;$cn|GO#v~Q>;^q!&O_}pzo1}A7YrG@$CC)=`CC_
zRr<HY@?Yd17JO5KIaL5;6$uK;aD$6Fq@4rFcRk;*^U{>RreH-1T$d;Oz!iiKaE6DF
z`YkDxRb++D7Hg3j504n2Yf;*#(li0mWF`d4E9xD_Y;eFAM7r7W#ja~22&-`GW9n)K
zH9~LEWHs?d1;}FoP(H{;4|p{BT~y~;<7}&*iG&}RIFbc-Nj1QVEAdv0I;62M^vVXE
zAt>jtd&&50g?hYGZR~Nh%JHke8i+<PD5UY|dodLWwv=(&X~YSB1^G-V4)WHpq<5XR
z#<4TN^4Bmh-kdBd;XM_(-MtLg(uR$N>|V5<us?JobRM-Sa8D3l4s>Wx3r(UGmG#ay
z;&@-5r`TY09*QjekA=3W(FZnVhKFCmOmvgK#xb|;OZ8{T5Lz-T-Gkgg4yOe)56M5f
zFu$Y}@=A?A6g!gU&i@O31(L3;iok+ak@5|=9Ct1+%9XsJLB|>3xfuNDgV46Z56|TZ
zk;fa$6u|%am&vB%oN^)U)rDO1j#jNmDice<>YQ_eC+dOO@}%Ga?bLXJsL!h>9A!kM
zcDnd|aB)s6D}^Yesz-3W1nU@~G+<VXp9-XY;AT$~d|Cw<gRo?YJC6s-TLTP@khaKE
z0l=Gz8BfpS)D*g3E*&p!L)1P9qCdd5dmA9okIFJ%S24NORo=wAjeDe0<dVm8wR`|y
zE%D1UPo)jET8|8VVA9wNzLr$AT`d6ZxPeERlJjBVWz(!@a`j_^Hn^5aFaLvU1^*Y<
zHor*_%R6tWQ*-$&kCszRq<a)-)T!vLN0l0+OS7nZ%l%W%B9S#a(UAHlQ<5s2b6fx=
z{RdwZ%x@rd6rm)k$pl}H3EcuWexZGDc$ph*xxXt1wagg+?Z~-T<kWP=w_JzSYs#g<
zca`5vKm(s$@d?p)zQE@<*1&?OubEKjJh>ZvH^J*Bj&%<QIJ}K<`T8<(w+gdKF@hZp
zPsy7=@^`9UXQ*o$avAz@8ry5(W+aajgN$?Gkgsl+-yl3-4uG(odF06OpKXraxXY1B
zA@7Mu&8++w@6%x`w^QR<Ps04(DIuld@3V_ke}}j7-&(&GjRzkAUV!y~ACBLH!e_q@
zCx(UdQ+|LYHt{3_Yc=i!6K>aGQx&SJAjxfVg5uN84%>Rl1B_uRpJ-10HVro8vcffR
z&s9S@K2Ffxa)F8M|Fb#*bCB|f5Hh+c&iiSR_ZQ^?LW#d%EE62Li}^IyN4{nng(d_c
zae`!0VrD(xSH@Wh9Z~>~2W%h-&7KFi{Hc)1=v9_4StQ?ABPsj(vJ%U-5Q)C5A{9Qp
z8xwmn#Yw83@Yb}U0`!p$wT7l316Vr}96!Zn*ByE(0H=2FmR@AXJJnz`Adq({m8xr_
zu>>5W=f5nt^U^Q-AWGXo48c;E%qI0=`EiArkof^k6v7^6x~$xKIH%6LCxjk~m@Za{
zT*#ei6(GM-*LpN5Eq_0#MEbtFW+G(HfSLO11?D=$Bp$`1%+&*0;}*@UuZ){uf_F~3
zbA~+Zhz3H7Pc1FB><rMRnnUGaTvo~=k$QHAk{=y52^{=kbTHh)xNYlhg(my_%+V47
z0{jReF|q<mM9*Z;m_X@Ev}MIU`{Y$FaxV(uqJshilZh!n_^TY?me7kj2hMZ%4W^TI
z511O)cSuxd`xRannmet?%WJxi=Uivyj{Y&kcPE)(^OnAHG94fd-eWtKb~)O6`s6%g
zKFhr0p``Uz>{_~J$vuR9<Y!y!y*gCjM`#?z8k-257GsEYm09S$Z2+uY8@D`qwJ~Af
z?mB))mss&$o+mmD@y}-%^dMKJZQU)|zYOctPANugR`7Owy-g>C=3|603>&Dz$1o@F
za<w_2jrWFJOZYuU+g2@vjV#iM93!br>AS-v{QjJ)IibXkKNSqHDDpapZobxP7weQo
z=WA89bVOUjp(Zm?a&>^{`MSlF@(zsP(Jk43@KW9`Bud4kX#Q3~#;;#VU7JtjLn|5N
z&ds1$86Nd^JUPm-C0EK8`B{{<zFn>#FxRzd2yEebe=i18n-J8zNUL-m2wC@fbo7jn
z$|}ywpYXzL9QUV0jtrhe+HUhso-k}0hQbWOPWAQE<|$vtt2@y0P{gGVcLDqIpKO46
zqA<pP%k~`Fv}Fs}jkNELi9rpLMiQr<U$iX}R$re)6-)b=Z;qpqq-gYErSPuMhr!TO
zs2g<DAmwJzY{;8rq{u^SG<dU0IU%{g^%reHF|GV2|Ex02n(xw#S5vH!QusJ=L=gi!
z{0S!LzFZyzuY0u}yvDej`M)eUA7^&V96Bpg1icv8;QuqQNwpo->5BPW@Fez0js9sF
zQ~!F%_3*Z4DVFg3G-ChFyDAE~yQBdQPT5z+n|w~s(iQsK-yblA1Apbh9NYbMQ4hoA
z9BLurJzjK-lUmI0dtrNBkd2E(+!jkMvE`p<=EBfDyl2WX&hW0fi>>JlGG80VIz2ma
z^L+?9ZhP)LMgt4172~7qg{OL2j<o=3=2#-6BP)L10i$k3b*<aa1bDn`*{=C2kc_&W
zgTrI0oMcW^^CY%1$`8?wpUrm{%&jo^8@glt<#EUUd?j_(_bc*Xm9A|Xqk+qAQB1yD
zIU{=PiaG3>92L;RS5CV5-uv$|_k|MGH*f$yb~~;pE*^g5i~t$Ek_M22<?R7m5#i1y
zm#+_lGb#tjSQibKZ6RVNE<k&g{jIo}P|@hK3NAB$Zd)TNN)lApbxi52PkAfv6YdhF
zkK%v12^y*BQ5kX{i{C--*wc>%%j2ClhgAq~0WAXxGvJJB+F3iOx2>m;7(`xN5$llI
z9{cTgbcsDkeYx>ZDt2@669okYu$5`RH~3J)KbcRLWSgj+r~p<<T_t3Hz}mD7UhKdd
zJE(eKmhf$V%PQ0kZ<P5v(IFrW_}94=f4^bgcEo`mRZ_5j^xyx#r`4o4mXvd;b`{_H
z2I?YFk{{B}53ar_wVRGZM+lM2JLI1$Q=Rp=phHVfK96g|g)f3BerE2uZt3iYJEHcA
z!0%hq5UkjFU?(~w#R6piBSZ5M(&A#83q3`p)9Ls)^PMOs{20{xzQ*;T2%qX30jEf^
z;{vYZ_hRXExAd;y%aO*h3jZzX!9k`lXQ&&+L~c+VxxE4H7Wye@c_BuYe@8U{W%o)~
z0DHIG{S^2!jrQZIS9TCHzXx!_Yt3=Yfoabh!DFvs`L$tG3>_g83a2dKd#LYF34Tl7
z4V_&EXm?6XxF@vE1GZy?#-lyIKe>8kUx~!>(tgyd#S>3I<kKgA5h4<0YF0Do=AQ~e
z1n@OF@6k^m&pzOAfu4&HzsyhyXD4&;AX}I3ijK>hINb7QfX19vD{{72H!6EEHyJ+>
zECd^Y$M*oezgT?GV~R6(cELS3>{t5rtNzZZ!CVuItC+QJd}!z5X_H<VyosR{QBMp6
zP=UFX3A+v~&i?%QcelFa3A5897vqm*@Br^kWi%4Pxxm><DLT-AJzB;tPzromBouo0
zYlq2QYRczLVphIc<1eEm4Y}fPh8;li+`Rmkf+XvW^A!$>e3%tK{AN#Ansu{0e;hXm
zL@Kr~{H&VTVQ#@^(JHnrYdP+i>UgkU`9v$fVQTg>PymL{x+r~1yQ;Mcu*;A48yzjP
zS<M{MRvmved{o({RDl$$EK98%8FZNonXk}Cuf8s2H}Z3SP_N_2m-S`SCe^S%ac*UT
zuQq-<;b{LbI<|-eafCNp`dkTLz0+J?cw3N{%pk+FZz$h1hk0QiH^6S;!DEkfUl^qA
zAjojVV>0k3c<##=`Ld+bWXawaquS|zMztE)p&V8o2Q&Iwi{<3AhXX<qL68g`x=nv~
z{QM0uTXveFeOHzRYrqY_L3!x5{o{YvzpFB~H!z0azBp1%XDK++OYv=8+2QMg;wOk#
zs9d3Y)&dk~sxJIU=1krQ0BIQt-zavBG+|eqDk<2Vl`6BUlIs6dS8xSqBxLToEjN0(
zcmO)doyB_MK};`G7fWGUSgP2heTrS;MA(Q)@hEcp+!h`b=`Q5xnWr8&FE>)eWPkh0
z$EZ-zn=)*M-T-8Xql&})BZ|k;S}!{^A`@xVvr)nIXHUhfQ@9<RrI4Fd;$`<)#^xCn
z?h=Y=GwcE|JD}25k|aPB=%3Wg!SAh0g)byY|JpLcS)`5NZ+i?--Ujd$qs#S}3*pyl
zq0yozfi}~;&J#_ibLBhIjNVr&0s2J4Ye9LCdYPwE0?VAqD&J`(5)L@iYNpbM2W9Ec
z0OO=HEa%y8Zgj4-SKNux{IEowCzhI0ggmv{9udyK%k-tnN(et!aIKF7U4lgFMaM)!
zPgM0(f-4iobXYORujP;E^`0T9ra}bFiVI)L?um~8(!Fype<M1vX<&qr2tIb(s$L6k
zD8-6Ct%SlM-&_}C25^$Q<>UdsEZUZ-uHf03slT6q?>?Gbx6enCLp5Vy%eSc`9bK$K
z3Os@x^=|0Z>EqeNDb||g)x1es?8<;NnLgx-W`tl#`P^!;WKp1!j|pPSOTI>5D4B(|
z0ZtlR9297zsQ&m3m&&x9r&wl^miX7~1J>CBGGo6nV%B72rY9m9=fgB6U`4RqnfQXf
zxD6llmPuEMv>2wOA#!!*iU}FLddC?qjKsSBj-%I-No=yxLBve-kSl{QA+>yp+PO&V
zAx>iK!Q1K`%}++b9qrNY1_(ej0urW%U5EF$p~Wn3INV8F`~jJG&_o(vc4bIuWX%~4
zP4zqfNt{J9qO9H-4p?Fgbvr9xVfbFs#b5f9Y(OH%3m3H&Vqz5Y^1_#BBRt=3qQ9n1
z`qR!<P6L1%>C(1O$ovVdYEQ|tEdnwJ<Zgk-v-u`~m%PAqAwMViSN29zEwHU0(e4@C
z-Pd@+S5MvSWxriCX+9VkJTmz7Lnvv;8ird^Ik&Aw*yC;XITBz4?0s;V$KN|WQJPJ1
zpaY!#28pCJAayRqOQc4pQ^#TffBT=V@>#B0gQm50vqmf{1a=pN57BdnnmEnv!<?%$
zgdYo~DHO_z%vo*lUqU@6|GPo3txTG9l3z@?8l7yDzqvVFsE@BZ57ao)D9T~(q*|OB
z9&%zv#oRm>G9O_(S*i)YH65gYBD%TV8L0$&dgzM<mNmDmT%=BEq~82M`8grAA4$$#
z&L*A-1M0*fK?6SA-9PZv33^Wh_wk0{>zenEHO1s!_HftU2(F>CtE$!}cWof_*ed;_
zUtCUDbnbEhyWCgN6*$YOC<kBdM~p+xU(u6jl!#KLS2)`+*pe+)!;{(0|BWE*DCX}8
z)o7lp`<PQv9(1vF{XVJNL+heNID1jo<y)hd5V{&g;nGr*O(LN!B&TP}&LKlq1;@=}
zwyyLHC>?735@*fm!*O&fvz(^!Rsskj{*&2j_;mNEh{?3LAq@_K3R@{8!nB;@_=%Ff
z5H$dw82GO~2a`9eD>mkY7hv(B2ZKbql|~v@_sz;YEB3teW0=H|=t4yQDjSjTcgDnb
zted+->iVn0qm$s-bO}|EIv?Nsvv-OO5IMto*GKL$O`z)Q#3xN8%jRzxIoa*a5#l&r
z^o*cjC#UI>j#`uzB5wS(T6*}3X{gitQ44${nFA5VTaMxee)UR=o}O-2zf9vfC8+)6
z7ueY|h_RaN?0Y+A{ZTiQ4TZj~m-fZfY-{F%GrZq!zm%TVDG+A=u)MlF{c2V^)WGg1
zzMq|rdW=5?AQ1+vxKEbY5__c&7HhPI%w^HXhuyvezJ?Nbblx+j?lvO;7x`j+hIqQK
zU<m_&uT{`>wZpQ5rxcmYO-%kpMpL14Q+z+)`s?tp^}MI3^5kUJq`dC2lJ=PGjODR@
zJ4Y=*fgasCXM{_E@ayiImotI4?JQw`0Jbx%SJ%FZqGa2%DNybjwS;i;@&I68zKWx|
z;@Jh8C0`~f=9Ye01{pBnj1+mVez0HBPK{OKu`9ZPSq7%q%%C$-lS?Eq>o=k28>GG7
zb~n0O8rW^r{h^BJJ7km4ATXn&Gt4DkRT~tJ`y>u9gq?QW+ivw4$T6vuB5UMbpKuFl
zI&9Zm8&oKkt648nPU`;4H>Z4ag#ZX5gH^b(@O4vy{s$S>1WSXa<DPkwc+9Lo*=p;c
z53oeFe7Qw(6`wx@1<jbGxqSt0oN1<j7t2`!X6KyeJW*K?PJ_PDZO%LUv80y(4tcgm
zh1vR&34c57hK~+}Q2r26eGNcWYZ?*|`v_kRIJp#Men(UPw3JH|U0$^`KLDy4cO#rG
zD>=tjH6S@-tJ72FR{%ehu44}0Oq^DXpe~p=?M@Ui9E@gVrkKpVv!!%H);#+{bR3q}
zGyitgYL?Bl%mR4hm8AdWjZ<_P*X3bMCktch_Iqp(<fPNMCHbC)Hb1A0hsZGTbXvhk
zwHZ)5e|XW6S3DoW<pww$7^~iaf!{gq2ar^|h_Gp3h?53<**63DvQgE+;P51-?-Z9W
z-@gSxh5Hf$J}07GE$90N-qyPX_u@?)o{b1C^?~i#4m^~#p4{Ji=afX4F?l_FZh!m`
z1Ru|u>+<wa#Z&DwUQw>)e54vmWz}*eO%=Q$wE<kY{af0ra>BS{j>r1AjylAwM`D|;
z<|@+tJJ)D(u-7L}X`An3A0VsB!m+d}+R1<^_n#zLa<2~yjxwchi$)wnYDr5M5uY8O
zX~i^Zm5#^phx4|zmI#f+D)%Pi1EKZ5W530Z%%Ny4z%$>qZy|(#?PSuqhV~{q;XgZ+
zW|X`80HR?G@QT|e4WPW@*ye_8|N8$Sf<7A@M0uEy+=1x<H?%XoD3|d^CEEfn%}d}D
z4c;li`$c6~#1!~SFAS$6wjJ;{(eQtz_G~E5-*~LeWtnCpYOnER$y-4mSNY16_QnOv
zmfm+|_g4pStV23i(EAWa;$M5xk5X0GNawRxdmq+HYR&Vsug&(-%W0(NuDP^OOtVa}
zpANhjLF%uj7vTvgGhb#$2Y>Txl<prhzi_{}KhHa=oU+sr(K-kdDGA@u5%&NZ);uD-
zgKpmEkCv`DYOgDch|U)Cf0`KCjLh#Mow4~@nHHz{Syg<``SBWL&Qv)W9utjr?A1F$
z-(4FCIf$=6K|r-S46^|h-}=X;UFkl9nGumjQ-6MaRZE%XUg%Ab=}QfQLsb^fnN%E|
zg)lJzhu-tUz7wfIFXzzzXKoBT+3<24VnW!gY{mvN8GSHjyk{&_mh2&uc_Z(DWTk#f
zG1V^loy;S?k5d2In>iG1_(@})C)HC>1Mb+zl77}`S2ZuJdo(4Q*;ptgn32OzJ90yl
z&*gBYCbI6iA?Zkix=eSU=_H3GPNLZq&ri>&3FwK^SRQadHlYC=b3c=j74r0_xo{3h
z_B<GSK@)obJp{;2ssDcd?V4qvb;4HR&Odh{AAv{LPQPMb7pYa!xox@TP@EV2A2z{8
z0qd*%5+P5rQRpm>Ay4twGay^MF?pQ!Yq`-2T%>q#oX!Gps<F!`K`?E_th9<D;n=i7
zQ#Vv^&#hk^KS&1#bvkjJ%#8D^zAmGphDe(DQ<Ti7WyB_-BZQ~#d%SB!8cR23Y@Oyz
zr@nSLcD3>bSPGe6_m2rY-sJ3dPlAsp<NrQ<K6>&fOL$oOKB|P?eBjv>@y{Fx9n_|9
zwGaLF9bJJruiN8)x&X?Oj#$^ZfEIy0EdaR#9R*cj@BNwy%XBR-7rTORv=nuTfX!ce
zn_m*`Myg_Jtrk_?bBBABDeVJ58?gw}Ou$SyB@q#=^7AHlE`J|MRH#x!kH=wZEM5W_
z%Z5?}Ck2#wbKA=Bzr1YpGgA9reeFTNjHG4?7p33|7mq}EeJZkOEn<|!U~$KYT=(=U
zGbTTb#^i>5kmai%83~{Du1;w)F<D9|h`@bNy_i<aOiUrv(lf;~xjC35PZJN8+%!RQ
zhL_85Y#ykz+cv={nV_iZW<e^^sK)Lkbn^A!j#c`mF$IYPh)!NT0^Zz@uUk!wNW2Gu
zc*+Y%IjVaHZdGUV$|1Y~ghWxm8+mL{V}K-gA7)>6iZ>fbjjc(Xz2^TGZGh{8z4aK)
zh*Uc2L!-jYE*SRvw|~0{3K%2>1eIVbC5a+Byg86uRIOV#+0#)M8N`8g;im0|%kKJp
zL6p-2$MAMut;W{}j^m_||E9pblHQ<@%GnceizZX-xbZTBcRO~nt6;_pmTGP4q6$E_
zDs&o@@!~xm4t{V1MXxsTaeVWi!&)*$72&H7)PCU0dI{xh|Boc2T1Y4sSy(Du&tajd
z;r_5JGyCym(k{JiEe^?irWB*fSoVY7;-)=wdU&SR)g<>V?pWZsd;ohodvl#@O(@`P
zcK`mK`t7BELGtUaOSF5#A5Yu{V&AY#zycclpBZ=~r~R+IFY5O?LXW9%96ra#S|kxE
zgUea<kCL4?`oWNu9Wdos(GlyImvXUf5!*l|SvaAzGmX>WF}Sx9t2WvDlPv#JU0dau
zFsbR!#i=+_+3-J8HjgU~xNy5k9A%6x&&EMddy}%X<mHMDNWpkxSg|ti?$nxe<F0Ol
zpBP(irK>F_5gQ{g#ID2s0R_C;U7JFjju#RecqM~bzy>`QL@fU(;S!m`+lr~x2pMz|
z3{y(~CfBaHUhKQw-H?;x<%oPHpq1xoq+(q;rZQTNVhz3i+A0nqBFq-I;2*KpIR&}m
zj`b+y-SKxG6QG#3=M@^s6}5(*Ow*<|{SO^-O*VC_%oFA|pE%*@d+<epvW#Hf6e8iw
zInLuSkc|M>L`JsP8thN3DS-_jFm(xu<6gsmL4tvP?6zpZ*P6x4er5oyhITN8ivl4S
zhw(Bm^v2|lf%n=5n|d#P@YALTux4=ENL>x9SqGiQtiQ97klRs3Z?M`V_JSnDVxEr2
zVfYfsT3nr%0w0K}@$+97oH7S*2^u&5NqeL3dyjLX670_7E9!}?eIx1~CGEqehhl2u
z!Lhe=PNaPe&z0x9;x)!U_J^o~xxlt(sQ-Y)t>~s3xf4`EeJGP8AYANrq{k~bH|~Iz
zOP{E+9C_F@5-^Vc-mp1>FVF3zHNsW)pH7OqV)9oxuW9&~6)21oOEsJ6R(X@Y3O7%h
z<LPv4bH%=QrP4Z}V|KiH&-<0Q93{&_fs+jt^KeB$X)k0QK&;E)`g|qGZ&&{%eT>&B
zpR_8Lv(@-D?)Il~*7OB)T32pKN=modE0Cav>~9mGe}UL@Ayv?tJOBxtRRIeoUANuJ
zkqg0LhzmhdO6-fdN;||x2K^SC&e#51fhM7<X&Hrd7%kZfKrIpO7yG?kU6NVT$J;aS
z$6{eh3W}eB_G-~)c%|)hA5Rcn)kK8|C$q^4N<9kJNa6rh)e;FTT@6_JI}+cdr6&L{
z1O-i7r4ui^er0TG#pq#CtjyB$H62ik6OQGZ5yIq@5Dis!vltGlFholNE*qw8-y{TT
zt`}wK8pSyslIo!20|><<=NLplwaS0ZBLM+@;(4(`9Q~aQFeUpA2vM8N@WG#nW)@EY
zjxoBG>9~?%_X|0?h^KF|HA8o3lK|lR=DOcAD5vcNiXDOxc6V?E{o_hHa9;Z#s{~Mk
zVkC*pYv8Hupt@){N~M2*w-(iu)5={(_YEumZGUp^1ul{V)kmoJ_H+4EBGQ?vt<DXf
zfgb?w^&UVpf=j=JINtRES+?Ssr31EDPO$wfzY7W4pp4i3e(y&MH%$!qYODLt&BHe=
z2}p|!_tSrYk1m&p43kiakLBIKAmbj$M1s>)La_dIj7#{UzeCMX4R?aI3|22EEUv_U
zvOT|69@=s@J?E;iAR6tj@U%TPyy<4p$BaMDgt^~jmBCC1?}@$iQ)*adRC)i-shNIz
z#b|~5RG5zPXrIMbe4sS>rwi06{6RMx&A{P<beRRs%F>@!BgnRr$*AThU8a)P%6Oe2
z1~hxCFc-Oo#179uDBwd1Z%>$tFN*2#svb^C?ttH{<G~j9#-~AN-1b2QZ9u=Zc)}2~
zx^}hZe|~Q9vn12!*FGk8FnlAQDJtne<@tO^d7e}A5g&eVnnoA+@7fvDN2mUtMh!$c
zWYoTE{aXlVIfTFWpsxrh>9orim}PvXajy94OC$pElU6xV8ll#A;)Aq$Pw>+OF6X?z
z^7ticwFMr}^e56a_*aiPmjIV~Q1p{QWZ4IW-0l5-XwwsLdT}CObs1S>i5QJSQ7eQ?
z2|dqtiB`JV^x8uJ61JvMkJC<UH&l^nb?jC${Xu*#&|Mxd$v}$mqr9zo0)coFaurIY
z<SAB<w`0%L-Nx;v!H8qJh%bXAdej>d{QPp~e!dFleRqewdiDo2D=2XDRZ}lq9=+le
zW*Jv`KuF#HAJkHp2;p~g3>EEJ{#F*AD;;@?e8IG({{hgoBOKIFPEi(Ns%L3*E7=#m
zdvt@0grqzoGh>&)&_Z5L1$etdz#E9W1Hll>71EXlsaMHvfOYssV)Iz!cO!1z7zmj!
zu<m&{bt5&v^kolN6)~Zhnv9m;SAqHRKlhH5bj?^27l_omUNvzKT5xkCfz+4y)S6*R
zQ5DKI@1@aR2uGBEdu6Kr2!$G3b}xS@<XXXGJ&#xG371ROH8z75)_f^Zhg#k&Njw5m
zBNzy*4;&655k}vWu!NEKhW*iJeDJ?)K$t5Z;8?PrIt#Y-hIv5Tu{Z*Tl1)m%r<KR?
zpiH;Oh}U0b5XUxqWw0qzf4==apo@m#?C>^fPIliKFRJ60-Bbdp?H!|LsM_6`yIcDm
zwxkifW@GEs1u~bCDKMkFoCg9(3y`GZ=`oP8N8^HWgH-LsluOl(-OdA&o_T8Uf8k9Z
z^j$>?p8v{08NDP5!Ihb$>n<j;he2VOM_3Y^vPzGZ;Y=_2&#d9WjrY?%O?3iQ3Ke=V
zuaoSdjQhan2>d{<9RkoIGH_0&^NOy@y$zfP@%VmbANjZ6Hhz1cm{4E>*LT>e(CFUP
z%pBt_vObLRToN$5Zhdl4r#UN{`BlG%es6V*yty<U{`N|0jT(o@Z`pUAI_M+j;5>CC
zPVPF}K#glj<B`+VKWUQEH8wAEXKaNv=_&7*c@|E-DM9k#Kk74NVv}_;;3W`z&r+nj
zm^s~C`;nmc9M8}HB^knt30hz}wgudBINsW9UU5f%y|G`vf5_@V`2aNS2Ogp8vip^$
zxbi5ods}3?y+fwe2w;XqTzql2d^jnjQ|E|u8TQ3=+AX!*8u+v~xJGbqNV5k|5jDFz
z8jeaJ9PAuflT3P&;hQ#O#_;4XX|DR&<*A5qa8OSOHc^@Q{VZxCV22I_<lmdke|DzQ
z{-Uu(-Et*#RR+(AEoNIKoT)Dfs!O#FCN^_=LG%4gQ5t!k(t_Bz{J>^6b2Mr|jwj70
z)CfGDJB`r!Xa<YMJ(a%?|Ey8nw5-%<R*UWEVQ;au<z@r|YR&FKy7i-t5HoPVK>8ad
zs|--E2W0Z_aT9s6fT$%+_yyBGE=zxTy8*0yCC#4SPaIgkUi#_l^+bbS^!R(#J?KeO
zRi^1mb$G)Rv!sA@Qfe`s9$ud?dT6lpD$qDTM0PdFbkLy;SK~Sj0*U>q#Ma8p?Dk6a
z5(^{Zof6<c?FTMceB@DeElbB3UE|=pMXS6Da5Y`62oO>u-6Jx!LCO1Iw>#Wb%J%bQ
z>_nh33?onWtlfsMwbRhyPhG2y>1u6Jn>7l|Dmn_%FoyCq%0KyzVJFF*+v|%D#SKj{
z9tBp_1s|VKOdB0f$gP^zvEmf*t^nfWGmxqO+h50^+`5^IZ?GgEDMT4+1A<iu444e}
z@q5@}g%2>%NLFZ%)giT;Emn|kOTPh9(fNiKZULSGsTi_u7`fWo4W{8)Ev(_;-!?V5
zPTFoUd{a3IUMhz(SG|e8%SQ6p4|L5(xT@-8(8q0R>m7W-`JG`U2an@y&DD&{l@BSI
z6nAO6gIj>bnX5HlmA-b#DpYU)xm@L~!*QmF06+KuEv)%WC%{>x@m$*|+Q^Y&d1b00
z9)|ZRexT>HTnx&Ssl6O{?Q$dv*fRd{Jyz&bgk|f}<$T6T>;QTvq+5HgghDG;uT%aY
z7hk{8ngEng0v?_wsVBFh!G5~Aph;3L;_vH0#4YhfKR@p<0EJNV)|047(K3L_d2E!q
z*?N#z-(UnN$QOWu`~?1%Bxo=DXnhnxs1x!-$(&nRUS{i``H8i$A9LF*^s>5nzASOg
z+Oiusu9;T+3sUnasY>I2XDLDN1A*<q2P?I~?dFgsWk^_u+5XJbW=t4?tdV68?JZ_T
zYs|dK6>mJ?uO3DDe}`zQHz44)($Vnbm`-o%={iM{dw)(W@U2hA*vOdj$y4{(!P;QX
zLS<e2>E-`2Fgq3NNYO_B4!or~D+czIiY8nz_ax||-s#kO#_hesnK!534m~~>c<0}u
zlsyu9t)`xeY@CZ%0dp_SMv<hjP>SKhev5-`6Aqbsx7*{SDlhv@<tH8#caiAQ*8>nh
z->KcOnnE0mnrBk{!u@DPKVHaLUPrVlt7ZNZ@iUQceG|dPPcPWz&9boa=RH8SYV-c;
zXX0I=F@|c&+-UnaXBKhM&5i*Za-{QVm4C|CT5c(8viPrz9K77wW@9hQch@o0QA}dM
zF*Ms#W$lV1KYL4$8|<W7>s;dPQ$=)k;*4;)tQ(f@CUW-Q)U(GALk6@PAS73{A@C;q
zzxF-_wGekl9*nVVYJNe}S!k_Xij=s^oT3C-SyVu(+lg7dv}IEd2_O|WKgo1?b4WK9
z$LmyHFgfehz~QJjz?E6+_0SD2?vpWF=jj>!!wfwr=?%OZ8fwSt$`H)LZzMs}TT2(H
zwRsf*o!{hwx4!aQYep`z29`MqYlg-UE<XHLohn8>*BaJvbZIis67oChb!wFWSFm`g
z7TBb;{0YWE5YVQQ-fU$yEi~@FvYC#X-Jw-3tA#zcTwsrmL7V!bx3EbCs7H)Seb^Uo
z2xYf_xDa(gIaW(XBg{K$Lp`CbX)yGuDaHR9^v;lQqSEwmsS_HovV%&Ik7KOnvQJn6
zh<grD9T#Jo!IC-W_Yr^+p4~0#?s0*%ac03c8*82Ba{Xoyq&I}YHvi&zS*IB6C?~jA
z!NEOrnL!<4Y`ppkBb(vc=7c0-fFguNudXOazOBCp_4VbhJKiQlLW5bu5egU;SY;@G
z<OTjNh%1)Z_gR3Y<KDnEIBeG`0f-^<Pnw&TitX0Iy8nMm-KpqCCtw0ffN5n{P`)lC
z`%hYsFdk1X_Bk!oi&^+iX^9tp7<l(3l<1RgSm9u=K@Vz757cO+LYWhvV@1r{jpN7n
zUgm4PG&aW#GxVR5mC(wh5qvQ?CVv|F%4`v*NcT=>q)HxOKH;9967RJP-^1iJEX^vn
z6@(xa5WF~AL|4qG^C?dX(p0buoM7;Aq&In)4oTSCnL>D=O_vO@F?>^YCZmZI%4KS$
zXp^={p+E!~+rJbto)&&O@knGNKnS%0zWj5U`&;G+Op+=gM<)Y}8i0gN4cw)Td<G~q
zg}u{2mTAfr|NYs7K?kxlL{Ed(grTQ#@Hdu}B*6dKO#bfBGDG_Dl=z=TO@{p310b7+
zh6DoLXiSctX1a*yW^{eCaW|gm{iCUYfs=5@5(z}jfL#qxkY%#v!kPxkfhDa-sel|f
z-CA1t5t84T5#uzeLQ-~LNb`Sr>NdZyp1pKZ?oI#4CZ)atC#Er31$KUc%u036RhUC+
z(Q;b8nxpX*I(r}oeA_g3$hlDH4pORJ7toF)kEOa{E5?KX7g?1WjXk(0M@u?=FA?{q
z+B9ImGn4-|>h$uDx!?lsLzV9E=P<@%+;(RUJQ>*LO*2R7t3#lGfj#|;U#<H*PmuoU
zzlqIl7ZsoOJ)FVK1DoD%@JAarhWCmojkS*M;!L&4TvoYl(%H_wRzjgyJKw(v-vARN
z8cV8y!)mUhCaZ9DkU-J<GvaDX!O>J%yFl#2S%go{8%4x>E2Rc!$XbM2wriWWa8|C1
zwinddqt#+w>dUG&dL7!)-hS?I0@VzEgIFXIn=zuoOFYbyY2@gP^1ug+@i&kRgYiN5
z6!rPP`b<62i*Yky68tT_Nm{?x4_=2lZ~cN+h#?5-n%H75fDj11oi7<KzO*p#5odIy
z#EBxCPbBE*kTB+8jPgBXYo2^3EV9IzrwJn!djC{tIQZ%`q8+R!(sMs>xmP9~Bz-s6
zi4?!|hjnGTKROE`6kFS!L2kz%QanyZ!3{1}x*3D)_;Vz)K2!is<c)i#Cm799AT%LE
zqOz?ti8xu5oT1YZ!YnHovzpF0f6WCf<<)+w+wfu>#&UiGu1TjeCMvT5W<bS(nJ^$=
z9OMsG9s;(R<e`ie$`yL$Ej(^_U#_hvk<A9!)wbK<ECMrZbtx_^2w#2gI{+a_hY)cZ
z|KXBkJ+W^b1!};k_#ub89o75&18>h%1>66WXS%gbU1ndCO4*;z%a`)xY>*(Vy2(xo
z-JzyZx?M%Mcqz;_S`N2c0=%~!lzK@DH^~)OqJbaXW-Pv=Gau>v5iOcSEhX1AVsVBI
zj~SX#M}hQz*n96_I@>OMG(>`kkO-m^L39x%IuX4S1VKda(b;+kqW9jSvxDfpr0Bi(
zt=Fyh?%bQa-*<jz=FFU#@BI1xm)R5B<9^n?%C)X_t+AKVh|<sAdHKyeVB^d=ZGXHU
zk|N}a^~Cnq4;&<8eCBtHpC(h~uzx!}X<M`F@sE;Pq_f%{^o@eOWjQllvL34DRIv-1
z;D8;Hk3k5wybou>19Y7nI#B19m=hUE)$2$3^Ow7V_ec9wWd<W+FYa6<jx+mN6|x*W
z-5tsv5%e75K1W^~w89bf13ja5S-f)DYqc+Tc+#$0r2y|bT=(grSHBUB>f+EZhR<fb
zH2|$^TJZH8ewP+Ao25poK-4>TnbopcSbv&AT=BL?Rs|s|&{7w%F)}mGk<Tp|cl&Gy
zrG$iqCK_c*_`ohS_%xYZ9kz_XnqQnf+00EW$`c^GuG2h-@iK@$Esb70kFeWxO#cBU
z-+ikTG3RPu>i}~Y`wPOSsdDT#{a!*Tr$M_J*-H3-8QDTdHah>o`)4ZJK|!-BO^Y;Y
zKfa6}#en<l4nxRTnp%yESJujN_wAp~AN>~VcC%CLxh$+qt9ah{+G}o9-q0kIv_5o+
zwwVv-X|!k&^lI509P}Fr^8Jya&F|L15P5O`Dz)?u5#NXCp5w2SO@N>b@3YocHPgk;
zP#l_AXUn4a#+5*T{w;C6FF&PnA-sd+WwzCWyRnw_2i0YP>)6EOI+uyQ>-s*8YAIue
zH1|f0Vc&yt-hInUS_`v-HUTxdbzN7~moYEA)b7}nqtEpb<SEoy@b^^7qx=T0L?Uh)
zslaPzeVbw)B|2@OYQFl4_o_5K0_ZzEb#<2FQre83AQ}0L9{v2+quS#KZ*$a^Ehf(L
z{dqupw&~)+r}gKZi<8QhqiJ^<L&<rE4|f@G`>)*IJ4o^it8aTQb2`!t#C%ge+CH;T
zj(=1B?h@}rfdVGW@%YJY1}c+PMZ?7eWp7JMFmHTvpJY2Qb&FfNYUQ5n6ucP1X%qUI
z04;ZKbWQ_7r6geoj6bBzBGT}asnrpi6cok3lDfGJBK$m>XsKQ8woapFF+WuZL}ImC
zPxou&fYOgf^6||qKTd;s`PZ`FZpFpz;;f)_+x-FIFW+VxFBWmGD*nubGe^AetB3#W
z?R~Nn4_($L-K!L8WB0sfS;_@JMU*@&#2Q~|W>q+VhST0&z(5)~ETT5}`9v@!_kjh1
zR3jbBtNsC9?q#F!q&OJT;ChIacy-pl=gFE~O%~l(x45)>qG#=x-W1-AL(PR5@rk5%
z_~$_QJusdZ-SHi&YlhIalZ@f-2>wORqNj)ZYaexxuM&{<s6sn-*Dyz>88&lA-Zk2U
z6Uet9lp8;Gj_M$UUONX4t-$>LIFsX{%Flh1uZ{x=5eYgJcTXrZVns_$<kc+qrcT$_
zPDZK0pnh>sft1&SM_TC0jo#YQ=j_61*Ax4DPNy&0k$sX>HSO|WRWH0a8K)@?nP99!
z#u=~+@m(Wj;ULl@7)i1cHO8f?=;dP4u6h$$GF}TdEw#T|sWTbMUl8}bz48{SnxACZ
z&$e&fd&Q_$PCm`<Ctfb2IzpW{{l|{wa&xGzp>q3I@rg<?G88i!iDBHDVZ!uoE9pCl
z89&Nk+g5UMRE~H3d=Ihwlo)%8t9ObvyE<LUS99IY4&~k?9Lngko)4ey6F*Od58k%j
zU{N=nDo)o&bBcA9)V6;TCe$Eor&G)=V^=q!!kOhgdHX~ROQ9{fZ5T^u!Qg@~d@5x5
zf?oMMbv(N<BiU?b`WND{bY}rXPmtSoyb_Ij2X$E%KZLJ-xH~Hs{)TX+YL-^=jtv7!
zLyG-I!dD3#!`x@q6Xn7$eZ8>vg;}^1V&<cSD(7F%lZPGNilJ6#hPLQPBTFlA#$T{K
z@svs8SExNWgws_`t~m+2qew+-Tb&FA!)Fih=e6innQh)f$udk3Fqq%@@0CiW7Sa=H
z-I=5Y&@@<nr5ej^H(QH)_~_5O<VxXeJnr_=$sT>DG8PP!h6(B6n*4W%IUBdo?F#u<
z?-1L~TM^T{-aS+nbPoF3LM26-pSFM}dJN==W}f`sH{m44S4Vv^K*R&_C)uDrgGTf^
z2wC(A16WFLDrXKf<>&g2s0IoZoPIspwKJVg=sA8ezyIz<iE)GqU2dY@ot|olU;?I?
z;^`W;5s?+63J;>W&dN2{`NAFyI)v|B4?5@{zL-?v(zR1#=(MB=lzwQL@+WTZTr4in
zrX?X3cCp-*LUp!qs<B4@-Sz6XLmKEho*GwSg%pMw&X&sF8RUCMa>`+f93HP1=7+Qq
zuPiryv_~i>-@{swgJ1NK^%SexC5Tr@+k^iFHD6xpgxc}Yh1>FA-LF6)@7$50y_e?K
z>>t<-`-e;HR*Af%n!nm}>3X2sHCnw$$>o@UhW6GmHcol{$H$K?oZ4SQ@`G8udp|$O
zS@>r5t6wWtsLp&M+I!Dpsc4YE&_6<!Ta5|5bf{Werz={7E77LAYOY7%^6^&fp25ly
z%QTcFcy?p1)`mIMi;?AHPz(v75t^>Nk1G(msX8Al8<`{z3Q(>GP&sahX`c@7tT#>*
zV74!<9Ots_n92Pxn24ma%X<6Fe7y8UvXma-{mc2JZ>5vPb|rimEn9c*>`a~VF|QEU
zBI&9{30$5FU-}G6r=`NryTz25+<N@x-gBI9rp+`u>pl3Z3@jV>GW&}#dBmbl>vpIJ
z%gR?k7NI2KSjgkO-!z9HKQ2l>4~l#r|GejOX#S%v;o{Zbt)j7ke)VG^!@IdGo&Ge9
zttit(j+TIJe0Y1Vs$1G-<(seCMIXkWOOeBv2Bar^^T}TxhOc5h7Og+N|41AcNN~Si
zdm}4w0VXI`G;8d?cBxz}8M48ZRdS6&`eFp;_xlx@eNKs;TGrm`yv`eM(zAQ30~@Nv
z+n`%uLwRELbNf}YM{SD65^~4tPYP>^amT`etsn_FexkNYqtO~rK6n)S{*k44mW=9=
ztV(nvkGA8_CTnZ{g|Ro|){a+S`d-wJ<!cC7OG6Y+=++tU_w_K^Bro#LVDA8k!VhQ*
z5IEpHx*(y34zRs^yOg+xqJl23(^;v5Ov;VHnvv)BJjcPm#Y4sYkTyHf;6OmOq<$=g
zQ8@2t9d~7)ZLBoKtS)dGrM@SeD)<4hb3Yh4udscOHN|;K+I#jplnoY|XT`k0EM1oa
zJE_zS!B5~HU*UfEGeGF6T^^UuOCuwJBDaeUtqR!$$9Cu!?Z<K79Rfb%tvzbxVu>98
zF-tPW$x`Qy7#k&Y6y2%S+j<x!t-~)c1_q5NOQT}Ze7-85E<D^LuxJT2?sH4!`;<_-
zWFJH-<{BdV+dbtVPax%o;qOa4aCaYV04#;lZu2#F*sG3kF@dX(HI3esk!=XY#v-r{
zx?&F2T(&;{8735$=(IG3Ts(KUk>U^FI`!TV+erbnI-ya>RM=NGf$JWa%zt&+#cv~L
z?KX9Ia9|d<Gaw}I1;0JK83z1@OF;JKzheGeB0xx97MD{y8pxJ+ph-XB)GQeE83E)k
z$5ws66v4E+r90DcwDVLm27*LeWzsRPkX-FznJ<s3jK->U<~SvO;zk0Ebv{%wbgzn{
z^lZtHktN9(mRs>W&bhzOw4>H4XxL_HQNwnl24aDbJR1|S0i!+&i^81uyxgOt>hkUi
zMVp?@Bc9sOhSPC+gfx;;v?~9r3p9kje;vW~B-HgLfea)hAYLy-!GZyV*Nw&g>hP<U
zc4GhEbolQeq~#R?UC@EzEHRY_RTdc-isV>v+As2L8eGM(juf3Ml({|rCr-rm4yI8$
z^_pvg4`%$=wIP!Zly?{D$`j29aml@U@}O>cEt&LRt^MB{OUUncVsS0VpZIKZ9G}9k
zX!y%if<KE5@@(Z8F;4`cywfRjg5Fh=^eT+PKx|rgO}j^eLm{88PGV*0m9_im`#4}3
zUinwRAXB@%8gD1H>OYt5%F(uLoE~gZz(BiIj2IAju7&kQ{*M<3mKb=w{(uK0<oknf
zI6nggMsXDXmECW>hgdO?_T=OdI1(;tL9+EbK3q12eo@evMV7E*?TdaOb!e{P5RMPH
zOEL&b#(YC8EhUBE?QwCIyRbK$cw%!vM+a!>EZxzHVM2dim?b5lXUPxrdD&jLb+Y+}
zeIJ>)JQ&eV19LYY!4!3EI7>20e=>NFrOZzaeuSd$1C^lnPEG7qd<O`rs=HWq0tKbg
zkv!K+2>kxLgg}rGI~B>C@G)`;*kKTA{}-LN7wNeFf0Of9!3K);xJ|7wK+eC_3K`6Q
z;8sjQd^3JHY-uUvFC}rwdKae9f>m4^uc*pCj-{s=^`-6V^fYXLf5L7cKFj+mEn8kI
z2<@5Wywpr9W$>ePQR&BGWUhgR)nLsil~2%<=LlJBL&9WoPie$H1{}$+P7G$qv9Y5w
z$<&8yq)U6VKgn=5$;A--#U*3X<yY5hAOdf~5@KaS=v@@VwByPcAIF5jMz!+CgZM?`
z(3b|Dh>Zt|e{C|CUYI}bzbg=m<G>08GbYV?B5(<r9vTh)sLD~V%5pras}KPL?Th`;
zJ<XS~je)s)O_yg|%+ntRmV!PWx1zEhoA-0VZ=Ye|02$b~yu}t}u`f)mPYnhs4I@?g
z8d<6Z(Iy=)80Y$>3b757oXTGTS%Rj`shXy%5(m;5*~f6QOF;$h=TAp}P<+JiP*$kY
zs!7|2iNwDRqw7x)4+|C#gVlT#+V`)+|Ni{BKc@U+l%fwOTQO&H()OHVU0ewfQ;SK<
zJ8hf$PN>T+apy}38xsv-oG^$?bm6<iFpk{E$WAgIcI<^;2ejnTA{m_n-#Z^*T5obi
zEqLR|vi&K2I=ywORex%d(5d~3XO|$dsJEw<YG$Z<ZO{~@RMuPE_ZABIEhIF-Tgcek
zR7i#Q4Nyw!6ScVS+<fG53k6y3mNWadQtPdM{+owj4*G{e9|(ki7==9a4)S-Xnulxz
zHsWK)vI1_Q*Mjgjezw=&2!0&=l=h?T_79?h@Q&3?CG4Az&;-f1QGTf27Wi@>{Nlf#
zdB@*6G|9=1`6+Y@S&h80I{wZI8#)r2cf5xxJP+sDzmNOx>HcdB|6a9!J;T3#_unw_
zZxFuDTmH=%5c$);#_+E({F|QtTTT31t079+e@n~jlKNj`_}3Wzzo0mYn4W1O0TN@y
zEv<c-9g;wEW1)r2p^d(<UN0izIod+tEx1W{rNTW#p23Q&l@D!O3u&fI4GN#Z`44m>
zNG^|3%NqNz_pZtKD#L#eCA9lU>qCvwxFlcxgEFB~fseeb$Atw}J~sJxV2&t9wMP|(
zrU%n8ez}JijqFQ8?MrIyr@!ugbx|>?KCdpt`w+X87HN1WF}x$e`nOMDv`r7!w4H9l
z<tdcSL|y6u@$r;h+@yioaB0+F{#2tKJ6M33yuUUuWOpg8mndK;vLOFDuUZ>&;#751
zFO*yC7+-F-qfYzoM=F&2>Z}t&z;ns3>eLo_gi@=nngj{<82*aA`VS@raIyMlGf_VS
zJ%(cjq_Y1TWM=>dcGvA5!GHcRY&3T8m&wa*39(mV&}lvcYd&n=JW;K6{94-VCUs!i
z-!5l>mhlw8TK=+!1EN!$LftuzD(WOo2W2sOtv}q1quOMaCM->9*i8rRG@F7+CKeAl
zf;5+pxaU`K>DprzB1oXF>pQ;s?SnhPC$+8ei|x=1Lx&@qL$GvDas#4VXB5xPD%c3M
z8_G3BGfF}Wd+?vPPd+1stVPg?X5`9MXN!1|H&2a{3;?&8>`){G`gi@Ar#w!h7Usde
zkJ~4(5mKJpu2!m`_MDFEPjk(8jaz6&Q{hijhydbe@m!x-P8Owfe1f#Drd5orE`^2!
zE8e5refryOVF0s@-oSSezLVJ&O~jM3=&XBLx6>{T<e41%d8TPuqhC@Y5J)!G{}s{`
z=BYeC*^`QBX3SLSf>;|dd6y^%q8X(>JKq0%3!aDn_@%0t?444ef)GvJWolTUYsHQ#
zBUoc{f}@x!=vn#j9ob&Ll*R0?FZyl2e5thSU50}*{KjhaBY;*Ag~)^OVv+0Py!xMy
z)A|$Vdu?U)vRdJLxO59+$Jo6PpK$;C;3O|E4MUZX@`Fu=*7R9zh6e+&Sj3UX=~T6-
z_-c-9^jLwonp*kCFkOCTRyNCF$+cmNSbJr}-54}=gr4tqFdN5Y3L0D^uLqBi@^L8o
zDgMH_;Dx$KG}3z!AmuY>$H)Ru_3t}wM7-nk$E>&hgVAD}Adf=7CBx(~W%=#}*SO~q
zJ9k<ohhQM(FN<TX-BVM&;Jc`L*o){vSUV>)?@l@JyyR{rM>pCc<5QzcRCz&#wWv~~
zrOfqd<|y){RubI0sz?T>H^F%t#kTdG8Z7i;`m~W;2<IWo_vU}ZhdJ52cy|31S@rt^
zV-4jBQGGmyP18^vT)|l;UrnMJ+39JUP0*2Wm$k2udp%8Ml%HWyE816ROA&CFBu%I=
z3on@B&gh(1o@=8?p~GpB>9DdBIIon7FUyIU-+kP9AE|IyIU7ciYWMUF_kTQ@hX*sd
zqdp5|>cQfEKka`H&Ji4(XUgll|2^~9G5{|h93b-lN#eY|!wPI)@yCasfkCK9=FPpN
zk+>xVr_SRx^r=IAGKnq?-<@~+0x{X1Bad^J5lRLub$^^w(Di96>AB$4t(~Labm+mZ
zTF{P~Pw#iLn9j{Kn>Z8!8<#@=|2oQTFP^&BB2`<k9c$33Hn3$tGkWQNlnPC>8=6+y
z{Ni!g=y|(8$5;j|9M)!K9Zf|uGL%kW*6$#W2=^?`Q(JD1bgGqpU-wb7;L4!(yd8se
z9fqW3A5d*AaeZ-!{@06h7xKw4#jfB!8F%xJ$+qp?+}8!uZf7EHmrf1q6BVj%r>it4
z8%NW6E8A|XZ-uqcGM)kd`bcgVrw+S!jU2HCf`BE*L9`hM1!*HpEHWG{p5+d{I^fg_
z6B6FE>RcA_F)gUqs<vN^g6Hk3?<c??kfGorx)|U7*DeO<4=;Lz<-M}Zd`$QDxvK7H
zgL{M7$v)1tzyDn#*OtuZY^_Z8g<{4BxGEyaF+g?lP!a3Rw&Zj=s&n8alg36Vbtv6<
zs%%-X^y<)pkGr)c#mpM<%n~?R9TGIjb0W&D2J3aZoj%#TxdD>aa@S{0^FN=t{U_nO
z!I6?tOr2I&4d>PgosLG5e}wgd>A#VqSc`*Zlkd!KPHYVFc%8F*IMAMl!1l<|jPSd(
zsepWr9M@rrJB;RlNLenf1^Q+qfV8$XhB<{s+2Z2-<?3K&8I7HS#O95^Liu0)mEePd
z_9#_}p3MvE!K0prV`<S~Qo4z9*Rb^6$Dcj$QQoQ6rN&lq*FNqwVIJYHR?m`6STXj!
zU`l1wuKyfJwC6D&JCg4%O)X0}AKMdfKi|@lc?ddmn3g9_0$i-a8{#_4X|0~MjI>0Y
zZ4*tqH6&zpn%5b^|9Da)wBv9O)w?f|)wN}rlRp0^74W3-s3Sb4)w}gipcNz^1l=xS
zzB*5$_hG+8^e!iH5do<5wBU8Nh}2RWP?YVb6Ei^515wL_ItQYfJ%X&R>8@U3PB-D;
z0#~B}kG$c0^r33Mzk{U3Sp({WaKR*dPGLWT#3pSg)XE@nor&!1Qy&+4Ze9DYg8$Kf
zal5c4{G$ahKvelNh=5&9wov{>z8ersWbTLdB<+qFYTP`uKX~Y@R)|s|c<7BG&S@7a
z^G%~o8Pp*4bEZ_yvU98X)ZaR^Ej2dF4~)mE720{VsMe-2FV1G|j#sn!fO}yqgl5(g
zV<V2(gz$g13Cztvf5Y~iv;La97YO%N;EFL;WaFILENS=~v`UAj_Y%-Sz;#?J{aSq3
zH<WxI)`L9W9-~R?3c<1^UPk^+d7Rc{gE(BBUa$sX_71+YLR4mO!PI!i5+j+$+}Bo(
z>p)fqTAGMPr?<Bt$RHMd;L!GyWzFYek-V?(;nO}9xcni-{{rtEEaldKjUAUG_HjFL
zjDvio12;xBjK1(VgxG08L9x_G;pC!XTCXEJrL|_uJhEciNf<2CdeL%0tGxC+*ItT|
zYc)e@0TBBlKi|P<-z0MnWp21sEVr2YSh^F82nfOOo|G%>s>P)>#iBVi#VlzxT7@+4
z^J4dg^X+*iguhvAqaj03pkB5dz;lx{@>F6<x?hO}Gbl^?<1<s79d1Sy)}JWyPgg7R
zkDV*%-RH9K_>8dK*MisigE`ve3l<bK!I@MF`BI}7Tv_WyiaGKWeG%(CL8hsfr}WGA
zM?$xQJzs;qErmy2JnlN%J<zxH@YvjlrnQmQd&Uz8mv`7W<)=*V=Yyq7kui#qX^IYd
zO;vziw(HrUK?WloqC%Jv1JTqiG0Lk%j&h5H#xU6_82<Ch`26lfnX@x*Pc^k@b1fo)
zR?V;(md!#bbwA(noy{-JTIbw<T7~I`*SjW!%C{X#cMgaHirJTpPHB9KU489~a;@Kd
ziNo`xib`X&orEs!cJ!_NI?e&*H~#(;TZiwwSYs5|9dYNId{nRz{W0zPH;|(>=BVz5
zR;y<z<`-`vQ&UvMYAdl^_yp?ZM)bf<*q{F{wVal-KH{6wgD<C4S!{eS>5j5+I1Dy}
zaO0ky2lVJItb8*@H^zAUoLsYJKfFB(nsF|CKBDd3#x4BjtkDZ6kZk|TdQFnyqLosz
zjnDP2)RzI-7?+dXrnwE$$R2MA-Nnq9loBcG2OxD5T)9a=FfRmf@1l9iKYXsb`Nnwi
zhsdA$tIac#{%=b3(?OPhwu`KRB7oZI0bnr@93Ejyx#al)UB~BOQ%R&0a~1E$`H8Vs
z2==Fe7P7YD#ehIBPs^;lU^YZX<0J_(7dfkeC!nqGi&9%I(Lwle%s|GH(`*tW^Ig$g
zIptW*5zX(_Um74Q-GA>CuY`(Y2WN})&rYE*F^%`SoPna2X*nH;#PK=!5Wm{4;lkLu
zwjyEhy=+PZE1oNsV*&UDR_B^*ZlS_H2SKmc{6ppmkljE_Z_QUt9Of&HZdBG3<TFt1
zd}=2LtL%8(aL-7YrsU(QZd%&V+u4$ya&a)`sieQdu#rV%8TG(na<!U&V}!(<yN$pw
zaU(B~yA!Is++4cPUqDB#q<&q|5sKX0Q<T`oq83u-2pVbp1A{e=6^S!`*BbplxK+vL
zv8Rp1eV7UrLQUCgyO%{RWcCdG7X>wodG6Zq*q+4Ms%6f~Q;LSSx&5q{m${0?dJ;Cc
z64OJJ<`X>eHIJy^WXJZ+WM&mKT4_OU=8i)flVzI8iF04e+h`C8qyY8}|G{@G0}H%I
zI^;FGGK&o#>#m^@qVko8Mc)N3N?TryY0)2U`ug6afrn|ZsTv2Vh@~=3hrOkQJPG*3
z1ktqNy-KFN9hwBa?Oy(3!yeKR{Z=#t-lYVB%S(}H2*oW=GwfDxnLL4d`?X$~g1V)<
zBWVP<mHY?$+ynwvZ`Ggd-z~ay_3Z!!Wi?Z_s<2!NSJM!z6fW6@_?|{F@I9_<1gKW3
z<K?T*D^&7V;~T{i_z_a@HQjQeXbV)J46n^da?^+d5!Lb(Yn{rn?n3mGB!GTa6)B&)
zb)XKC&0?^Q=49|2l5LipA@EASoY-L!y<n|BL6nfKfFg>yM)7o?bR{p)Af8SCJ8zLi
zKKxv7KN-RBQ0l?%<$m~-1R04cHTz(xTg$}RA7(6GjXq{6$lO!MDZ~1wmL|#3Uumy=
zm0pD@OwA^1EX!DLIe2RE6mB6IzZuEm+<jlI-ddsGtlj2va?$u}SbEgPsZPwKy|Y&&
zjS`)<O4G40AG!LojUFrk7dZ%Q<I+}U98(?<&pojI=J&G;{Z!ygt;5f%O)bOMDu$zR
zWS<+-Ki^L9P!U15F=Uj2kTZ}VnGZBqNL)Z<toNB`ms5@;;Pzc_POuU9fL;WssyS8%
zIDkXDgM?dY&`(YB(!^T*^YHPD)t|W_k^3V?<;tX0>n)wat?K_6Ec}wo^QMwo?x?*}
zqNq=SiMZ_K2zbGI{PoBx&<v9N_WH~FASn`N_L}_Ub=XBZ^jz<=pcc*t%`Vfq)v_34
zr2I`OPBX=qnM{9jTikGa`Hfz+^K^fjiJ?2+X(3ZgKg0yEM|4)O=u(f`W_A669G?a8
zFJh9m21pY(*M6_CX4J(R)V#mow|T*CIPJ?DAjJ0u2tj-9DRf)3^$Y&{#L^?W@Uogq
zHuaeV%ldE*pXIlOzc5Es*=x}!qe{86FLRvts}G=rss<!K24|NdTT?_&-X?1vV5pwS
zRs>ukm13lCCOkKM%R9i-rabwp$wq%RjjP;AIkCp*=UU|EX3}XPE;Jif7E(}d?j?@!
zNIEyr3rFA;_Y)kH&r&l859@P~&<aE(nIT@nc{7|y8>25G7E5>A_#jody?Ns4QrVN5
z4hQp_WEsYL)w$bYcM&&a9&tm0WABpR^1T1B6(gZ^Yszb}Uy8YB2u;gv@eYA~VTsab
zC!6TDhg2b*${M;Y(=>8dM{Vzigme(k;YR6Ew^l*Gb$qIHjk+AU6`&SyM$5)=!|dEx
zUy~Q2|0q~u-`OAUDD_ZrF0r`KWwq*$-RH)OnFv8vw@WPgu-RUzH7-zpahT9=`9bdN
zO^EJ91^g+*D`}!PPX=eKettsy@aOHV2!I?dl;^Nns00vgy&u@+PyatI#xwc6x5jaM
zy&or%8;&kT<4$MZoP3;60f|D6pBPk~9X__SF`i#%2HPz%SFa9}!smPX1p~kQ@c_<e
zFinrMF#=e<OfjkjPf3DIYu5iDLsgg~;!3jA*J8QMJtJwAh94ECY2fA;sMoPQtsR1D
zTh?V}v6+symtV?pSccbBYt-Srx1FV8{c-h4>VoiF@&jraQc4YhE9vf6^Jc4`#PBtk
zYZ@*Np@Zh1pc}^NOi7R@$;1|=gN12x_}UOzY5^A6!_5oY@Pf3JO^1Up003(2ni7Ha
zYh{0MkPz?b`wfcdbD)hj|5@-8T8<{HQU{}IZr6Qcyt7Sojs|H%S-Bu=bL#XN+~gT7
z$U~(8l|gO)Q?Nxp3unFU7;+rX6@?Akb=cVr1otrcTNVZIY`2k}j3c6%wS}64oEp8f
z0$y$CEH4>&9Y0uuLA6edmuD#W$$Aj6>hl{AtHeuiyX$3%Ib~$|Pu{9}4NS{`RSir6
zTUTSsZmeJ!57ZSULQ}2@tM`l?)<>B@GDDrI%WVU%R+;K6(pPLTUpilM5V&WgQDH*X
zhZ}ch;<g1e7+ki0)-0_A)-tPAHXmS88W<8SC)?EDCtK56=$s7-l>P>ntOEcf;a_|N
zB~%cMpD#q`u`}?w@8yr^H>Sd(9lN0VojQBbGR=20l;usjm-h>jHHN&PTse-1_VXFO
z7W~b=O0u-fx?*xgj)7%3-$<R_(8lpN8@ueZ+R%j*t6zB+VX3$0NL`#Z<1^blaoT#t
zwbyCW*|$3mXYQE!<_fkHtCs*#W63WA-;*ownB!>n@VjMO3z^#rsN=ZJKhG-I2T?Wn
z-@{{ed3O(w!AJr+vaK=(N?WRAzXcRJ<!bqRxD1clez>-9A_|0XL+U$#Scv<VSQxLu
zecRJ3+~b~{vPZndc7Vs>_HT^#xjWDdLC@cc4}J!Dl$$36TbmBWmmjR)$`2SwM}v7p
zmBWn*`sGB|WVW1Xwq0XYL9D@{Je%|l3XYodKL}WB8xRNcM&9INA!D~b^Q<kEAd6*_
zl700papRNy#;F!*BEN)|`#kP^bAj+exVt7@zJ(=oHI^BEJt%H>ZkJs|#aFA=SfAjO
zcRwyIaNww?g4m3L34I#Kos|aYd&UZO%ZPpM9<UoG(s+Po!p`dz!Y6n>14Uk|F@|!s
zDp;g$B|ytPV?I&OVu52$;3{)GSVwzNw-sC5BKpT7Gnhf2Sdp1<OyG30CaG9=+5QC7
z0*g~e9E83)ZgS5%Fi>g%Zm~usvjvw_6@+#V)*pX_zIUIJF}4%sOUi2*NJIhFwA`bn
z<DyL$XZ<QqK_OpK3#IPGV*RYHCa3;#j^#<XnE3&Rebk!eLr83RD9KHQBK9})3H7)q
z*+t|po4p&ZsjHkme2^x<yG*^mIVLbC)A7C~wuo{e4inzh7k0#7hbq3<k@v1&G=zYO
zDA}1Cuh5CDkn6kq8al`zBDuH^`3(m3xawY~wJH-Rb2dZgCX9MzhLxMC;S^bLn<$B?
zQ)P3$2LSRAkA8xz%1A`!c5$GZs~h>kS4>4fpQ|h*JI=y#U^J2aP^&=;M_~(niN)oQ
zAXvt_+|^f0Lm^+i-^Xg&oc1oy-;l?_oXB|@3A|s<8~eFTHiV#hdU*<J`Qx(wv=MC3
zvEC7h;a1rY6|DILlcWV9HIwPWDt#cy++1!myZX{$(mQN-Z~)G5@bKEbFr$4aT)Lw_
z4la7_(@<3oV^ECWU%q9^aQ2Nm*z&%Pl&@@s#^HPA$1gWLxx$EsI_HP@rU1erio&{7
zidccZxo+nEC1>2vgg)L2@>6N~fiEc}hf89T_=8fPrO5AZf7F`I^&5ydzQbw{tE`;W
z&XY?rKR&(A3cdnw6x}#r<}JudBhj`k9mlOTi1C39fwU@a467qxbDWDhW&lF>Wn`q7
zaOQ;C1C*#^yk+>!WjRfkG%|{{Ai!Qwdv||`1LU0#Vizs4r&@hzPe>9B`~Lk`m#x<{
zN-5ZY?k`O&FlF_mtzMf8uT#iJM_9DOX<5Zuv)HOc9b}Ek-sg3Y{RsNPN;(RrAt^1$
zh|Exk*NZODH~30&gKv;~ppa^n!Jfj-K@pRoyF4r*Hjrh9il{}UAlW<<t;6{#>T?5M
zV>#>!R$^k0Q(@^~?JNa9-K-j4B}`x(5<l(2{Ve-+|KUb;YZs@ol#!Blr>a}hyG^|~
zUMnA}X&bOym{JU@?2j1bU94I;rW{*^efC4Ol5QDv8lo=bZX?m`(;gO%4`M-2$ht_+
z{$RYm{{`wROH$K@IWk4u!Q(b(q;@qpU*tdvj@BLLCcWNr%5uPd^#m>B5&cSY{iPv)
zV&?nFbB`2bx7GI!3(r#d!16ZAUuZS_Jm#;cYldbA<T#~bYR1QuB><o9mS-S9#k*d8
zBm}m>`wU?l>36#_6n-z2^I5`*J=ez%lFZfPSoQUnO7D~#16Au7una-1zd1OLAv;RW
zHZ3*I?PL)@cVY%l>eA><k~(Il$ev2yh<A@YiA4$DU}oHY%O;p_&@gkbYu@e^RuVa~
zKt}|ea}aQb<Vviz52(g4bM2qmT7HM*69wL;br-E|c4&ZxB)Y@y*sE!_7$-qG`Yz@-
zrH(g-?e6G#dtf3BD-%8E_iz8|QLYj400C5Vq#{xF6Ml6=HR}Ifz9H1`7WYI32u7<V
zJKe9Supr(!G!H&H)wDF#Dq6P+xLvEa@yzCZHYyEGa6<I=SSq*q8p{s8i)sYK!F!D&
zB|p7E!I4E%JNueN=WOAkX%Rn)-&f)2xBu~FNS9fp8V=`@@SZv#$}Jf7S1AGcWQW9+
zs<yKP5W>Rm3ZL%@-l%C0;(W&`;k>{3l+1PC?K|wIxuG$Ua8m)8Go+jd@qNmrVX|52
zgGRWNt_s`Oj&HS1_QTtx_&g;(iGBDwyOAaymKN4&^2fTVkjG--vxhd?4IJMQ*pG!q
zT#M5A@y=AEs^t^-umH6wnI<KB-cWd!j77z*_HvN7*R8!MH|qNsT|XxB3f(AzBv{E(
z(<D2$E}CI-%GBe%))>S~q*#MId`OrVQL!<D>>DBxQ4P#O8mE;$VQ|xcg+!y6jAOpV
z++i<13+@Kptcm~apBds0DP%{@p6Dp;+@&%#=Ns!v5KxL{&@d`som&@7BF(sGGA)<L
zMy-t3k8lDDw4g=E+a#k)jeN05Ko@fkXI1)sVQMRvYtyosM!K}|AbujoHh4%Q1c(GY
zMF>FI7+4E7dIEs>b}9qS@>@YDkZ*+NMxV@hIf(GZWZ|4sr^*~A(YZ<2*t;@!X$*&i
zw2#^xXqZaDRW>w73Q-vk8Z$ND)qaTDnGm(Ac_uZP(rk&d#vq4fjlCN!Xd7(rTJbU+
zlQOmIxfY$TAPh&G`Z$rp)w&&L^UghDYC2nX-$i=-wskHQtnW)Mxv-G}r}6OhCGTbs
zvl#`N-3=UnZ<skYb(ufmTtcD+plW73VOfFPu};0#RCE7#2`MRl8Va*q#Z3Kf;Q+=(
zfWKlt6ngilKhUT@=L-nugNp4KKT9(ELq!vH-e+>G)qgGOt1H=IT%BkTTTem-ncLM(
zMtJI8uu6gQOO~8YMZT|bpof>%beJI~<>-o-$o`@_$b~kQ-FYv>{uls$2xN7|bp7S2
zt{B6w{oaPH-qtebETggFMVzXV36iB1@1ueC6eiskX$il8`dCX(zvewKW*|sDfG84V
zVoyN>jTwC*N+u8W2Y|<PR!`@s_Vg})jYS_H`{`BWjFB)XIol5H(#!?4Bx{rzKLrpi
zk#mK!<A;6*u32yE=!}tRN0GajRWuZrU>$l)fhL6N&sg1xP*uUygxI=<4FnYP9rHfF
zeG2Qx4P@s?5cOU&h)f3e8F6dKSqz62Y3=lA@wr4eT+hQEGdNZz+Ro7y>@Gix7(hx$
z9F&Oj3IPVuu*}PeJpS}cKr8ZmP3JdX()eL=-}`XTwm&R}v${R%U86wdTc3G6=@Mg;
z_uIUBYGb6WeeI|af@v8vDflslW^9Yd-ih7fw3D`YX%@FF{A&;P^`+nZ3mqei&LEJ7
zGkZ;jI?`8_A+<Y8P{a{j$8qJWU3%u$AI_+M45i>|nmL79CmETYFNuZ&{P~o=0Il;5
z1+ggE*4@8#7`oMJ{o6d-Z}$ma^((IXk~v6};2k`gGadR)!>Caz<2MlF2Bg?PBis0E
zNXQSI2hb7q1FeLFRMPsTE-izHR5^wPqB5qLu9$)rr;iqj*C^ic-4PQ`sh?T^BaUC|
zcftEZ@wkTK$8Sk<XnG5_qJ!Dc$a4UKffXil<&+2M9x9eUVtIA47SFu=4auD6bowG@
zmS&!%%9NiROzsf@td3%7jbY3Fu)?4p8nu6m3?v>NpvVSM!E~+^6<l5)K`nsb6slXo
z*)2dLd$+%%C!6>+>+-{DX7&6fJ9PaXzGW8z{=u~kW%oCAWzA*iP8(VP?I4e0E`fbY
z{iT6B(~Md-CbKbb<hXSa#Cm!;+uWrpvXBh(TBw|t^`rhe<>ovX5PrC^sG1z}kka=_
za?quJ)a><xWFZX1pW&dIBD9nGlM;uL69?~E<PPUKOj=p44iyOm19v%V3zSmsVv~x&
zM|^`Zvd5rlm*JMaR=^i?Dj~?T3$wCbid)VgE^zbBoz970pKcJ)=VyKt!Br%sa#U`v
zEq*4eVhEI}+boWPvl0Y0>M`Q?wm121BEf%*f_y9le(Ec9C75v!s`|YoG4^DCpsRne
zz&_VMQyS5jO;a_E`(2D1pw~S)m~2iX6KlaGkuzeHgPNOo_h3>zTb5Emr;uyZyg%7>
zxQg{-rSdj6*dCx(Wc{_u-}{K&=hHE^5>M5EwfadheWp!|1zu0>_%_HGbkQ&p<!({g
zvbF_4j4HQ32LuI8M=Y-Ni*+n(o8fNM5MiO2R1&+5>J-I0Y)+EytU>LP9X9VMuAXD)
zPxqWHM5$^==KF}v+J3fJNKx2f;5rx_$dLc}I?T<r*eSy0@<e4s)UdSf*nP{Sa@hQn
z6kFS2$*0+0iaYx+F?*V_#bRA9x>Spu_F9U^w*3&Ki}7fRN1)<hxJgdql4wl8FqO3&
zd0dd?vN8Qpeic+_I8a1!{0B~#&aaF<#qxD4#X?zOn{W_<Zn|Y^h0@l}^gc-!`AJVW
zbuz%-Ty80MKadrWhZ+MYJdPSDkpLTfwEc^E2p+A>po>4buAN{R>0h`Uy*Bcvp&hXt
zXFc6s4qPCxK1dj3VLu;P23Mw=<L5$b*lkKj$7VY43Zq_sxhJw4?=Cp3(Yw!4Y6Qk7
znKRAL@cL9=I2ZR{4&^!9j5{Y4-E+GB&38eJV*3y_q=cNUn)4h;{T`Oe7Sc^@PY$p`
zIzJWWr6+p<N>E+{4Q~aqI>}Ti>QXDfRa1rqQ!ck6SnbbU3)+uG1fh_4+z!%;70phs
z<G)!XqWFa$@mwS?b4Vv~^i`5T?Aq7!^c7_yCVFf2Z;zG1c`C-*mXU56SmggnJ=6wN
z$^}#^j7OyFPY&Uc>4<JV*ZKBmbSFdsH`%vS?p<lC6)aGnD4oRHp{Uo^f5K|%$<EI|
zf00fDAa%NCF%j=rb`#AMY{R28)k>J1q2)Xl<Wju&5?eb%TtQ>&ZoJUc67<Z)MxM02
ziJ1RVFTxfcc5WNy&ltntGCCIqPY;2`kk;jse(pMe8|;quDSad={1SNTkIQKB@Re9c
z?$P9g2IoWEC(G2&vuifjsqo)cj}AXk>_J_l(ut%PyqND1Fi&7jd7`YdE5ix<h-S!K
zyfAXAlCMQgCoYS-A5hwDSX<$9d|q8tdpfJn>HuR<P3X8PurAwQIqXq3?J;v~-}W<e
zPb<}HqkL)(-R1;k!cLcHvYpa-*@$-Z4vv@@M=v7*!gN?gZ+bS(S$_T?l7*l-QmAa_
z(1)1-`EBYTB94l;1XB!Bhe>}V1c{h={R-b(e(FsiPW-h?6+$?2Lgkjy$7=DQfon(x
zL4NQ|#0LHkoxL3af>F(Ukx{R8L{~F<?`(o^+rv5Lrpwl_Inb3-!h0IOoy%#HTggsn
zGLpv(DrOwlAlJ=_qX;&m_b(5V*S`V4yT4YAUaELX==}JiH;KnVykj`%QG3%w?$Y6q
zQ~{(T=q{(guIL`ZmkW|tfLLrJ6}rns^=X5hvo$Hnd8yQ~xdW5zMeBCp)%)g&Z=Tx^
zKWH8tB|<1bW*<AhASC?8G@D4A12Tk@)4CsEt`VXCwdqVm&{=ATu)jbi`&~mgUyg7P
z&4@rU!`Q&FUIW=Edm4A7x}AmXd2nup0z7}v;`eEGGK(!m`lJC(3hFfqTK)Mi3i`xT
zPe6st40#-M&p0nr9qiei5t=dgpA7OC!yM%@cjCfdDDObE1T@M!U+j!g_K>-37a&+@
z;6BP*=7a5-I>F_x(`9gH<LRQz^V%!J3EPUWHOyK5-xCFDZ_HJ-G`F#c`^A6=ET5G1
zxla*wp3sV(VEq}4r@z8oPGiTkxXVfEx9FeEDS>wLd_uz4bGPl=ie4R@rp^cX=-K3I
zF>cm4xG2urmDajl8l(C1OpT5A4cNF4B!jlV<iqP4DWS$Gl?^x-C*-zu3Z5<1xXqyC
z=H!dsj{&Y3M2Zz<CXcyXlh%2@MtG=fXqS0)>CDXV?*gIJ_;kjtz2)zr;Z#!Ua|cUk
z*|#;KU%vr1fxYbkpcho^Tx9T1OeAKre!Xry+pFzi!jWo1_&B@V#1gzWSNRuKf18;i
zk0(^~%T?7H_v-LawV~PaPYySMw@L3-v~*qkuD&@;*Vp-YRER!1`7DXwHsg8an0DG+
zxs%sLGVEotW4Ci3m_?%$@QPaf83ndzgSkWU>TDIHZzZyWrI(a_MIf)lu)49yLmz-1
zg{{$|s}?h$r<vkL=QXk=ZG&z(CHLKIR=0<}c@ex9m(g@9NaDD;YnHd;9z@Y;J_m#c
z+o`|^;aVdRD#^&uJ2o3wPNI8%+{a0B0_B#+oNt&*!hhkEK*8dmpL)nYk7vKM-OkrQ
z+R(6Upty}XowOTrnt?vBn1LhrRSee&2D)XdqnSZXB4@on(-+S7n0_pb_}wIjCoOxq
z=G2t^`5r2q?=3B-UX9GD9bB?F9I`5?o?CcX;Bj))^TvOv*&%ASfcLwE@K#HbCUVez
z6R-9O#j|Jix%c>$v<j0m1NEBnR$Z6+JFsv&)UoXsyF}e3we9|u_TUE-dkxKc`H7zt
z50DASuNjOSw<Cn3K&K-cr52msap>FE`K&g;filUpIB6GQb?y!ncPZX_CW|~iM4wVx
zCU)>6ffQnM&xTa}X{IEJe%m2X@?$lx7AU+^Y8#CP?&w=^M}^sw?%zd5<pZx?v5wtr
zJ(d<PdKJxxOzq;WnKpBM+TX5uOWJtpCi##>F0OM3e<g0OO8vUz>VWfy(s%1h?$0=;
zL-CkHhl&P4AX?A*VZA6DNsB|~A2nU1TQdpEvRV)vPdkA=t;jM?i#9d&Gfc7w3sC-Z
z8&RoYfwTy6D~!(iP3pnMMkb_eoQp0&^~>Oi97qm#^SH**(XTV33{`-`=ahfgyw^A3
zI)J{n)Dub7ftSTFhYF|wQkD;_ti#K9rYaVb-KLa+0dK_)#bH=&xw^n&KX$fwmh0?y
z%#x&mbb=+ExF?bM6z2YcSt02mg(Vt-D|CQ&!&$&)L2h&VE-IMd@>F?$G~duSBUxCE
zfAw+PE4OO%J9JN#71j?orrRleNuR0`C8PV}F&ZSOQl^ak&}t4O31j1npHUHno*caC
z`O|jPahh$tN$CD-6m>CDsa-4~#AR(X*>$raEXZ(bvcP)Loq_b{I`7&zx{=-Ocbq?f
ze5NMXZY$*?fH#@G+{2YLlB;VTE>LCviIG31^c_zg22XZ*dkA*cR}K_f4l0k$fgO__
zr#?SU&b&|4nU~-r(M;OUY?d$N)*p7Ir^pbNh2A|#XclWz)i#d+z~`fjewU7}p~ZNp
z<&Qw!?n#1Tv!*m}>ssIf;wWy6>*bzsJ}@q@N*WkfUjn?KPNLej*uw9k@(k5@yw>9T
zSG{Qo?A~VV9Z(1pKLfUd75>#A7W<VrnxjsHkFwxdV}_dbFZ3%%L&$8Cq5k@DSXkX4
z(uGd|%o-O{0TqK}!Xb*tvXY9B5m6XRyM1_nT_J+LwGhDUnV%2%kRToG7QkS2Xen;h
zYW(B-LJJP9j2aw74FpROz^KBZm##sx+bgd-EE85s$3V9$Z2Im1tuV|h;kurhrU$mL
zJ89D$Gb`MZ!TzDHPbJA}W2}V6m`ec7$kG%h3SwJIX-FRmZcm;c$AD1TOZsSjgFf$P
zrX!oZy2Z7G+JzRn#={x<c?{^r0PCpVUzwt!2#)D|c+DQ7_=~Q6KncHi=lTQPh+bPo
z1Z**;XLW|KE^UAQVpgXnlC9d5pt)(1@b*nYJJhW70cVOSsT#$A;k!D9*p57!(Uay}
zD$Mb#-w${ucQ9Z;G0)~%8UoqUAHQw$s5&)mE;vb}EjVdHcPA6@EFx$+BY%CtXqnp=
zlGDyhWh3lFR>$pmK=eXT%W1L62#;2=(vO!#KY9hXaYtt-+=<nFcKzL8-eL&RJU_$X
zW!sXBwd&D>A_rH*s+7Pg*~iu(b5j`RujZ!E-bX-TfNe6?3O&phN?*fcu8w~N+T+%1
zx!EECZ9ux2@ZoXu(?DOvOv#S*xPV8p+W(aHE*yxUbpLNq`i7pS4t)DdWGz2j>j?tB
z^U_Z+I*o+48!yWS(kR9p9-)*fymkTP5>yP3ntJJH5zwGKcz~=mnxO+ae%Trajzna(
z(+XZ=rb^S7eEQ1{JPSW*OLUDP9kE(CN%*QM%|~H|2*`dEdQQ}e=Lu}8tqET<ejaR8
z`0ig0*k2Lb8d;iO5M(>fX<O6vtpd$tJ*&dH%i{Z_<D6=&JJ>(4KWLVb?<jl6fRuL>
zpll1jFqmXb17#~#PlW_|EW25`(iXyKTQVWx)tHxD*s-iOOgQjCljn@_71o+k)yY-|
z6(N}cq*fOWuNx|c3bHGLi9b!zur4KDcfPUy>3mbB(opVudvlfc!Bgr_+KH34>p!lh
zr;QA^_yT%cC$?gFaEK)Q<aoZLZLqC`K|h*FgWP8M%Em5=%Il%k)k>S<Y^guG#2Rjy
z=mycFxykyKQInDH__GKdB6WY)i-VZ{a#swgT2a8xMYNxL=FA5<Z2ZNq4Vs3+{Ze?r
zzoRhH-ke)%XO4<Nc|{@~bab;We5*}kw0vlW;5cjlpmwhl>qj*;%P(_j^v?e%6xA9a
z<=->(g-r-Vle#_!NKlUN*zq=K0cF^XlovhUYiPTs1!Dd*b&+QR(&_B?<J~{T5NPQS
zITvuPMAbveEZG2==}YOBo_oAeXHJ_n<cs^|#cIrsih2CIdcUL1G3{W1OK+p7hc8~J
zqO^S429WKIutY+iahf$SpxZYF6hz^*86ml>t(Uvh6q6j`yhRj=9pb@(gvyNV(I_N+
z%lUvj*~RC9CpMz2!i0LLWINAQ8e8wSWoIRxsA{=N_&nI68OZ96(hcEaimsS$Ox^|6
zUNh{bI#LCWYtNr;BNjcd+VbOPUwa!!-jTNZh4SXQy_kBk&cTrZZa2xtS1gh=ITfwk
zT*n*iNgS<2ObDuXvK)w=xrwqFPhYtFAxHE)%u4h$1T_jKzq0CoG$9GGKaazdBj9A7
zHs!fnNJ$o7FCWZb9SAo;y}!nY$Ts2U@mBrbtJeKrvn!ciT3$-46`Oqn1d2|s>zax5
zKQ+@|<VM9|w(iU}>PWzmbJ0kp@EwhT&MFVlG+V9lp|l#4avB6nnK^AKbxs=BIP0Fh
zd&WMSn^!ZtBCd@zy?SYEXG+N=s|w?2z8Gqsl7PL?oywyJM7j?T;`j1;tpR_CQ2V@_
zl|}?5764$TUpd7dTk`WfIv7aATgqrX^YUpKoxk5xwDe<1=lAaoX+x}voyE?(EuOa<
zq`J5{n+zo!wQ4_<J^yXQ5+L7&JiZJR$^m<muq%0+>ly)D5YRGmKemctGgV-YHXQWZ
zv2G?XY=IrjCRjG$;eLP$a!e`lonHA|3OvGuFve?z7~rqVvaU+xDVs*OrHACpI+cCa
zbVc+BVSgJ07n8?T&7Wf`!hg4GKU|%w$DLX%be%q{s@caxet2y=Ub{EB=aE`oFBt<N
zN3Kp$8+Na{JfeF<oB=3Ns#m9QEYR+}5|WJ20X)z#YETmq0@Ekm-RjS+d4G`tXGjhh
z6z<C#>d+fbG*-MA9`CPKJ{z^of|JmygaSnK7BVUJ_PEwm#TE?~L<AT0HWIF3t~mV^
zkk^qzkhuD$aRx9Alk5s6P2X1}3%FmF`ZK*}6T@RlPEa9WC94I^=L^0gEes>OQp8LF
zx83n{SF43s;n^A{p)!tLsKJ9Vyxzlgm}=hp6Ed3$hAj)?W3_vW<Y}FKpn0)>r$B0a
zif%n?n^74mMm$#426d{xy5upoa=s0U?--2hOjlFzpG?=oA5+=Z=z(r?FpI3`cTO>y
z+Ct4e+g~;Hyj7Q0aV*BARQySP>>yuETyg$8$U+N!5kSvg;x9LZVPqj(Ea34^@~VGO
zt>$tt#EBR)diGui>Jtn(Au)8+%~yhYHvN#log<q6My}8vbCDSm`8fYVU`arrU;FZ0
zCxJ?1wO=gYo_3e2hwI5AM^*Z~dGvYi(`ZJmgc&u}J9$8{T1x#*U31>is1XYh1;{^r
ziL~DWH16C;+2{DFLhacWovKub#nGSsd9t@T=Kz#k02IL}AiDJRo>S5<0A}CcvD^{o
z;A78wJ=<_uOqdlfRCk`&%RPo~eBe{#)In1W>9TeLyPlKcsR3TwddqX=s;8!YA`UwK
zuy^U6cIv&BtDvFatNO(|CkIUgo`koP_+Fud%Da`83m16>DGvl;jl3sZ5I^3d^Se^K
z$m$r6KwHq$EArOinh^KSeIjHEM0pKN$=r6_PHyLXk4{45ch#>H_j6h@m;K~g)Auj(
zQOW%uGd;yv$`9nS@0}PX<jki6qy#SYL^*_6{X^e-N9_3*e+>?>a(nA(59(|iyPWOr
zZob8F)Bc)Owu*`}?vOxY9l)hr+ZyZi2DEdt<tN==y*Huo%W5v*l4@Mq(!tomT>j7!
ze|%C}+(4bn*6@MFNssbKbpa~`?h8l0O4*VBEqnslmCuHJMu)QF35SNUS*5Ny=rK1O
zbWe|m@|-(#er&!~du0BO8*D9N(^8SoDKM4_0_&Ukfw(mVSc~Idx4fVON*Bcp@jmag
z1pZ6$>ZA2oY(uvf7(DD3{~#~+UHVC|2rG!;yoOK96sc^J?rJp!WG#1bF(QPM%FMPq
zv0Sh{l9s3=8%y@rpwW_Whf3rx&i&xpO>NHCm!lS24@cI~RWNdLN&q6-m-pT^{!X`S
z;2DhX9aG)@?z<^EJ%HE>h)QuIkN@p~Kg*ZGvB*^y9xvZCdWg|-@8arr0hxW<w(}Xy
z0l670)g55Cfc%*&=Vcrh=0jd5=!v|v^awWea)WpNs>pXl{fbPowG{)fz-Vs}!erTi
zLizwm%7x9yvbA__#8cNMjQqmv!0rnHB<4T&xW0^)0fy$137mqZu1v_%@&^XE<-UX*
zF#5t;qmj3-6Q_`PyHckO_nk5SpV+isxCcJRDs6UT47x5^sqH{*gHanczRohr>xc;l
zlekZf^?$1)E2^ubO4E^}{#t!ksamerM+|mb{lstg)zj@EzY>f{5c73=-T9AQqX5;R
zB;`r^Pf%usVuI9ZELAo^@&hbU-}+4(<-q4}oLOsKxmD<=XWMgkOc{bx6o-uMFC*xf
zjX|n(aMa)lsGQ39tgdUdrGH{1*SaknTJe7CsJgUfd2o!$*zQ~mEbG(bwIx<Ll}vAn
z_7Y7uyycW_SuSxVeQ8phsP!#PGu-@rUP7!n26i0fwNnbB{EG;RH!^$}q<F^j^ASn1
z#pLSUWUk7KqVe}km#*W3Ro3e-TAIYZCIm^IS@G&7{vjZQLKQPH7MtOgU+dsrTGKC#
z+ef`$)!^5hR=8cp*{=1EGu6N=uio1w*}_i+kjz}b9E`wodR4}tkZ{V7=eSkH^so-&
z`p->zunK*>9!qygI;8w0aZVbdN`QX{IPvv%XFd`(I!#47YX5?NE=5KuR7eh0*{fcG
z##Uvq5<`yGnN{CkZoM1ROIS4dp6howsv9Cln=w>BY3Zl|+fE!xux@bnX{EZ#BQ}Lz
zHEQh+PgwqeMeybPoY?4wDbDV{6p<s%yeIcv1HLw`mB%gabqi(kZ%9ja3bko=PMNye
zf5r9vm$LN=`ttl2j@AeW_Q4cJ(QDaHNiMs&4?Vq3hHvMaUMPih)VrRULHU-~_a0d=
z_!;z*5rbTw`jpQ3XhY`JLX6qV&io&Zn={EAOHJPz-(~+FfG{qAc&_XGDU2i@9xHb?
z?(Ok|Jb##N6dkdfqYwg>onQz`7z*ceKK#=kelU`M8<}r#8Uekz_M!5LYgY)(x!JNY
z4rQOTtP}<%bdJONcopAR5)E9O>}IR@ttT{G{S?&=Ih@bnG|V*dz2+pZ0{l_N7tg8g
zS!jXBVY&>Nc!*XK-|Fia*{Maq&y<7~fRz$Y+|wJRp!egjWUsTVBVc-VgP^Yz1sHLe
zcN%41M#v!LpB#Ru`I(cPt`ia8Y<b&xBb+Y?!O8Bg2pN*HEEe4#4gsApndtQ=DQot6
zHNTb;;x~4&WBwvPLjMqH8v8{;-W9yF8-G%}yeVWomZ|zqbfS6m&sp<mXNQdVp>Mgw
z9(S?xQAoKm&Dne@V5BKnR`-Q|x5&mELCm`X93yS$5C4>7bC7<yle}C#SRD0#arTx`
zRfby^s31s5NlBNI5+WhJMM}CmRJxV!ln|u5yGvlxr2^7j(jwgr()Zbb=bUfc`|JKe
z9mApT^SmqOnrp80Rv<H7UmVEhtFO>>=j1xSlCwfyW<A&<Us@|ZUmPbe?AS?ddMgvs
zFy*v*2`2EeWiAV<P9sGU`0dtQHyUWsaDGZhDn5KJ!XAh2V~YSaq#j+v&9#h}b9}8_
zyDT^^S!+%E6xk#5a!{7z%LpV8v+!Z;xx8#S_k5OJ{>tY>tGdybPPTrl^vd<DmOsRu
z*4OOp-@tGa*`1N?wf=?H<(*6jHo1zqPt|Db<1x_tme#%)(rg$wvmIJh0el$wwa1xB
zC_7t;Yp;@{@tF|!*(zInfliNq^N4^d?+nSba~KEt!=SMjANMcIx8Jy=i?Cy+!t@Vp
zu;Lv@DId%dci_Va#EVnR=NNN>CcFq0Nb2=c&fm;3%D7Aj4n3R6N<#gJOG+7%dDN^@
z*{0G4FP8iD1+@wf9$bEZnVi;#Gcp!DJCq~HQ*AN#qej}i^l*oFdaOGf)vo<Z{rIT#
z!?i=-2H5}k2ekKp4*%w6LCIoFlRiqcuDcwYBZ_5qe#yiF9X65)=fEr#ucqH8|8xVk
z)(kDY6|Is<LgTypQ!9idVxF0V$ecET?`6d|f3SZhTfReC_Atkvl((vT%YrEJ{jkUA
zjwv8~w`(|oCgcXLtZ{|;JX&-9<OYP%gnBPEyQS3{_umAK(JH&Oh&_yo)o~X95`q6a
zHRpBj5wNG$K15er$FugYKp~e=8s2{&2}69#nTyt(k4FE)>Co3#FHEKf7&=B+h|YXl
zn7@#|P?uq}vJ0JE>*Fl9+sG}W`p4zWW@6s4UZT28slADn5p|Ws8h?7>wI%&<vFp4F
zXVpg|y}9|We>|wQiaN5DnqX`1_+oO<JFyh0-Q4}n$f3h(rzj-AwTBQ)e9CW=^G}d4
zrMguC2E)Savn<|o(^g0Bg)bF)>OJ1S)P7tG#`)F@ZeP7h;4CHXjtTL!ze-y2!*&ub
z+5}nj&B4@kYEK<#;$=&&kl`;Y=1Q|SBo>E^nl)K7MXOG$QTiht`MKnNlsM{n(f_97
zwC`timen;G%E$jpIW6RB^v)VxUl}-Lx%j85-e-ZjC(xZmM0pat_sxpV6_?x5Im;Bv
z@m6nOHTy{=zoWVQ+kSy@!mjB)(h1n2=sK#!bfXnzlL1z^5MTlr?T***pv@av<lc4c
zN6*EXIIEw{r4jElQ>;Ru?fCiOrr>mv^5(t<8zJ^`Vnv3N{q{5^lO|VSQ{CC-ucpFz
z+~4G-mCiw<hw+#l-nEQbZ@-TmS6$sJI%d7e*)*^=t~Y}nXybx-2AX&^`D1n|;U^&#
z7frDRU#A-LmF&XoKiuR{J|hiCVFKEyP8QA~)?2ie?juaW?Lge_7@&GBT|L3iWi?oL
zbOIyc$>mEt+8(iLRe!NRH+N3t4*|_lBoG%YM==?k-BHit@w5UTfpB!FQq%u0T?#+V
z&BP1S-Neg16j;j53m78-do4HYr5}})5AiJ*Ze=bhXp5C*v;)m`XYEQ73vcrjGa5nf
z^OERETqe-+8J}g*J&SA8%p<ygiF6zTw3G2+f)ht-bFSx=P?PazlvZq%`C~JnJB;#v
z%J}>K5@W~Z1M+&oD$r}7n*-XDgwatWAP>nt*LDcfQ8ptO(S&5?aEKsw+EY%@$JFj@
z$8dD7s3Sl{g772P6jvslSF9glOjTOVejDYBB!5f`qXM6v|I-AwCboSygxe}CZF~mC
zOQh*CS%BJH5zN{@rxcj|cGniIR68U0BbWm^mC!~pa;3kG))RUt#5-2a2Y!dd1B?kz
z_pg1fJh0Ja$e5IH3w2W#Uia7UM1g?;76FERzLoT+3I!wbWsZ#{X|EQDZX{@4fZ&5|
zxJ<0&-k0n(+^HCJpZDdI@Rn`H*_9{?+kP4QObh2ABHB`&>lBo_K#?a_Qo<2yXEUU0
zvCoak#7Pj`uz^=^8i{iw5`yg!XrPgC0j*yeFq9BUQ}KL-DekFcj0P!sYiPcEBh3)B
zY;-Do#{FiP@bkQOA9KybeVOGfp_B6S;~f*#Vv8iQA08jNHh;}#A1hmhKV~z|YC9g~
zw>U_tob0KqHgB@%u6j-dn-tG_11w+qt^Uau&r^G;+`vZs0sHM=+9l1~G`WU)YyWy&
z$9?w^B0$4UTJ$IRUObqzqWcG(p${(Bauca1@tLBS;I<Y&zgTRwrp?`SDA$Zt#P53d
zo{iQmzd+H*sTLjYp>!vhkXx-I;!n%3ran0LG1E6OI)qLAJ-%bm<=`;|Sj9qKaIW;c
zBG^8X6=b$*Jn{o0Bzs_5hO2`fj2zeu^w#<LA@8nS3MNK=k#2acpFLlu;#;=&Zng0;
zQitAvc4(x0vd^afT2;s8(x8RZ6|T0y8m|`Q`n}PgDPmtpp0PCiHQ(ev`wI2|_?=9{
z1C^dEo>kNCp9c$Bov{jljZs+Yx&{*u7mSp$hi$z_nmo((E|^h6Vx&xBWKL1IOe#G;
zC^d8s6}gmpspgFn++`l0rzKfSoc_)Gbx@To*r8Xr(!JbE-i<956M@F4{cK#@p~52Z
ztiASQ#bk!+X$}skR2W~7C6Q0Hj+U?c9+zyBE`g4vo-!#=gR;%8nt_3j_aD#R9;2G$
z516LhO@ylgXvy`JJdUmV54Zi<!v)kRu`35eiGNx{s_=fG<?jN_!=pb?L7@GQ7`Xn+
zQhsKo2WE^zECqJJ;K-^nOTG};@bM56ixH>1;re_1P<`mp$msNhB+k$I<vDqwwj6>Z
zKgVB$<K6vc=iR#JO<dXgV3@D<77Gx|a=7+)HuQ^%1rkisp$J?`ePb*Ws?%ei!w<7`
z%Dn(gNFb#W?mLX@skr**OTCXfIq{FMGy&n0P`G#_bV`9WlyQ34;entA8?MxRXzxTe
zT2Yq2cWA?^=~QBJ`dwq&Gl7MFZM4upKHB=|?(H!SrZlq15gUbquRvoM^cuOh+4htw
zp4UpWAOpo@+3oC3KSXbsi|VX6MQx_~=2Vff<F^;Ja59~6%cnP)OPxodV!EfFU~`6q
zaGT2gatiVZ2!|g!Kei|Tu2ZT^7|)(2u+|>DHY##AvoM({Xxw;jiQ!OR^5si94XjXJ
z>jnD|c&;@X-YQRW)d!Qk(BkAfu~k8Up3Ufi&$**Gqt(Z|-qwT;6HlGUjO^bpJKZN!
z$wPW|1fiq+e@)c{fqlXc4vAwHW)t}xf2t~N#b^xWRF0yb#xSLJB+qOI^b@(LgfB$+
zVzvu^DMN_GwAVq%5Mjx)4KK@g)IH=7OJxvH#>|9iD!caA8FWg^?Qo!d;HxoR!`E(X
z2FGBhv~Yt#{`2U>G#yU@Kp$l?fI)YIfP9?B`U1K6<Y24L+*Efe+GN{6t+&Xby%}r8
zsU9@oD;hG!!!nS<XH}M$O0(y0Gox64x^y-(S0jH^o-UsKo{<hl0mIFDGJdEAk2?!o
zzc0)i*W4O6h}FTy);62{%W5}?pnkrZAg<I)WJm31$nLgOki9>!iIiFTMzHsXT5sO$
zXI+;|Jg22fg2l}j{n1^q%Hd$dDppRcPKWLhDlv<%)hd&JOflX0cyO3t)s%}JXY4#F
zJQCw=6+M4N5Y=;TZad<b4pz_%_aihsV$9+dt;Ft*tqvqkTIb%bvBs~L@6K~O9UZ^c
zN{50$xwYYH&7wN}YDwb<xrJttpWTkSXd3H2gYX9d(;Q#HG)FQgXh=wbFivAJm6JKG
zQJIsSShu6vEMJ+GqJl=iOfsR{2gca5Hz&nZyGKlLnD#KG5)3Blho!)B5l)O><5i2H
zq8BR#X4#tK^_it8sWZ;D;?6jlLZS<84WUhUt;Os+4z6r-`Tq5?kHJQ&v(Qgj61?vI
zn`UMyteGhi;XL#-tY_Gz+_|A9hPP?kwp1OkjyHmxJ>}hpaGIdVsZw*ri6;QP2=js+
zoX)p-J{1pw%_J&lm_&}yEnDt($IKX3_l_5tFy^b~rdw#ZW;y>+5i^X(XeZZ|$&tYb
zp*U)v5fmR@-d=e&eDOo28B7}C5ZvJbPn5%YqX0@J=*e<|soGh)y6pMRq`}Um0vF~{
zXcPBKr`aN%;wq@Alm9{|o=sz&6OUBmRMS}mH~n!+&w|o3pB5if24%H1+-X$f(ZsQ^
zcW&CmSS!hzfLkYv=1es9uyL6bYlJfEeB~*Ql=FBDAArxaK}_5yC|Zww3dI?q(HGx;
z&xK?eT=|!wS7_QqaV5~XKiCgQ@dK|k?NDJYd!MsVammBtYZYGGChaPV^B?(VS!*Je
zgwOn=7-*XtD>Oi<!eb)v2&B~K4P_Uye9hfh)hjd<X}#$D9<g@&0>oSVIyb9gfMK<w
z4(_dC9!E3k67Ef>S4|(V@R{*l6H50T8L<)fy~#^MXVGjJvmTIGs5A%g$h=gjuAqx!
zs8N%=*AS&*r6&xiWYzzCzR^z+z&ZrpY!)y|PUIV7BGh&*(_rkO%lWg>?}zm+=m8{I
z)x<kM!Xb*$lsIg9D}m$?6PsPI`VrWlhJj!xqe}-m?s(*+PMkZu8f>j1tLR!V*3YSI
z^zzS7X)_T^SKgDP1B1T<&&#IQJ>PBq^&k<>L!z504ECGez7*Y<hizu^j0e(;c;p=?
z5eO-DzR#2DcR=F!GdPEM+R&jVS0;Ewv2iM`Ii8El9p@?J+h@=M#Yx}HS%EE~h+oJ5
zqmK)ljGJh>oLb`O$NaYofRA9HFTPSqg0Px07ZtXGX(V5lLm9t+$oXiMR#oR?w9(O$
zhzMA|B2hEL%`(ZSHVJEe{_(w2(Y%D?PtHjEWKVmr<(HG_2^yWW&IT&wAKuqS8te;i
za45s%+c>nB6?;aiR{;5kQ~tzLVi2~&8Ig>3{s^ik#gGYN4s*+-FDAHCQMS+C>JRJ*
zymZTeDd)H*s4r!fypBtouL2#DMj5}sHbW^V4@$-AD5&!|Y%;Hhk6FkGg!1owl}g=%
zl!#!~(Yx+^J;!Oy={!rH2Bf3D8N#A4<oqvAXvZSb&k4@ll#lhc>+=#F1%IqKWU6-l
zaw@2HMu-JCQwRCk$_A`AAAw1!$-tKxcA|pHe7r!<xxZ<19W1)ETH$yw5pIoaZ1X8p
z2#N46a9#Q@EV^;>ST_uazS&(<h1dCvXY0y9Ra5Mg_-O~}{A7m<V}PTA<VzQQC|F|?
zNjf&%v<aJD9ZVPTRxJk&_0F&9^-sUhPFhv=ua7i~jEFt~Hip#!6YQDG<w}EKricKh
zpOhhmLK^kE>t-y3eYg*vXbl(nXCDqkY5xWLn1;Y!rurxHxp1I!9b>C2-#AuqGHERL
zJlL6sK{3aionijKmmoD7n;MC>^{ERXr#>`q_>*xQr&~E+gT2Ax(Iyzc#BOO9jihoJ
zu0tY2uM=z-z?u`i4-Z2F08f^}l=IS2XVZ_wE3frb#Vjr7p@p&wV<k>J>Jd-L;EEAZ
zu-_nmEun#1h+GAGId10DE(iW(&51-%%43!i=zRECt}p3o$v;p)&1NUQjC+XXLuS|!
zl!ioN?c!pibNHeuSXIYK-j7HI4h3{}fOV}C-Zj<{5WtEG`MQ}=u@Gi$n*16i*)Qgf
z$Mo@RcHWGXIVpde4<ovluoi@y{7TWkTa?!C*dArNl)Y~=fHcp8o*J#>ckg2%4Lm>h
z-FX-5xxDWgs`Yi~XZ}#V^OAkgL7*iq9LpBWD0Q<9?uqB3e)nQ5pR@u=1Fz=_^asJT
zTcUvvWs(x5W!(>Tn?!W~lCVjms4#DTjZ*5MW#yexVy-57FohWl79NOZ@}HW!xwzDV
zuDXRtCK3io7=g|-g(7*<<Gq--<7w)U!k<xW@}+I32P?948Q0r}e21Q3SlU9U;dE&+
zQkJ7cdV{GwihoSSwfItja&MD+IJgR<H88RCQ_x&qh=H}^z{WgK9zR(Ez-rfCy(dD`
zm(Z%=v_L9>jWd7TP%<4C8`)U#8zl-n&Fx|^>9?;BHHyCDb~-q|n*eO$>3Qr7y_g@t
zWR#<L4;w5%u1lLO?bANvjK|mkn(J^dJMY9c1ngA#8LQQC`LC0Q^%z?~?{@)pD2)<W
zUk#x9!5sQCoBD&e3ep~obg_nQ0pL2MLjzk=f<09^^Fs>v4OEHFE$&BR$e&EPvtr1u
z%@&fKaqZCmB(U8VAHN;I*R)a$8cRPfn)7H@L?yx?mx!V>abcA_Fx5?{%3Cl6YV0Z^
zwq5d9Mcc{M9G0#@4`#@9**%mGIjpCI!1%o0PB0NWjvYQW`nneQ(3eYQDNIO!wF_oL
z3ykRU>7?P$G_z*4)&Z2ec;WZKEN^Nv<aDGd?qJ|iyX)XXut|#O<8K_d6&(0ZnAK7*
zg#HCqyB?6pZc2&1&egm68?16tM*rziQrA}&y2V@BGs@Huf_~xQ_iu$);tbcRQl>&h
zUvSf!Y#h%Yu=uR?Zt)Ek8$3*H7R1~j3>rH`6RsCvk%OPyk=sPw(J)jjLGYRqHWn6+
zDR>5PKkIDl;Ao=6%S!RkdCI-lsz^1+0EG=`EpAoMed&+MTmdTI&NaNgC{#bsnnU^Q
zrNYwYC}}XhFDp3ntnPWjuw0WXqWt{Iu~l=QGJoe}C@S5-N;fTSET2@DTb&kYt|Oez
z){yBREK8TKEnwm_SUxSJt=?NtpWm$Lk49aRjZL0&qfPa=%AfyuY$Nu)3`lnRV<%y1
zEr}Iv{Q#>I*v`Nx>b+7O4|_0|*Cp@wR;c;wx@$o$N_|=iQ3jctU1WXCJLsa}wz92t
z$vpQT_Jz4`upJ;wsg`fniYH2B^Z)FVs;C8WBt7cfZ$FkU_m~M#nt0>$?Un4UsP*MF
zJszEd7w(y?(WzO#{pr$aeuz&iS}`>hn|`>b>U-achq9_CZBBK8<U_NKf^S-AI2JOk
zFOrDiiaFQYerD)|Yc|W<HS{k#;?skb2abSz97PKp0qxztzQ86;Z21;`@=?_FCnWAJ
z#ZE1Tgj8o237xzIpM11%p%XNCrI_IyI@)q-`C~U-ZxJYkLiLrOf0#OEdgc;Ps475T
zH~ttM4Zk=1sU*SU^F><l74OXVE(r-GTn=mKI$(jyJ$TqW!BGO;QSH;TkT7T4`gRNZ
zQ{!R(p-ffU@zZ2B9p|;Bp%Y67ou$eWOaVt#=cBcCC8jkj)}-fnp>n^DX8N=Se>)Uv
z%}Z*$1X_a0aPEp2iF|6wr(24aIM$45+TcUQ#d?*0-M2uo$8MrSE5M-Fzp#_akV_QO
z>;3p}ATu$s(&uHB`SApp_cM9;pIuQDm?$LH`rP!^8@~g7(RzHo*2X&qoqVTXKGR&$
z5|G66$(ixAajKr=Ms}6ouUj%d%C<<Br?#XUFiOl5JB!r?c#ieI5ShCW0`Dn47`eG8
zulkbC(TS0}=mKy597(prtGKkLfP@8F!WvEw=3O5#CVl)l!3H?PDeP6R8Zg{3k&{gv
zuL)ONl}lDXVxubKO_sFo)~}s$d^?E22@;E8q<{rzy6b>ilqUFC(#kF2_?s5J`hI}1
zl18dCqiSK5v^MF0VDASkR@22+gzu(2!ET3x=R=tev9^KYLCeKihDXljSNZMKT&nSC
zC-p{oTKlElk1~|a6Z=0DV3ChR$}bpJ?zg53xz_W6{|E^QrZ>_{xqK;c5S%LGHeGAu
z4>h0ZpikVet*Ca$^=4_jNO}k)$@Ii)SfFKo;BkKf>>W#g#m^U)A4Uwf<>a^U6|g<L
z_7*qW{bDLIiP{56*j61{pQ4dhxzbwGEhjGCRb9u@9zTY#OE;Bi$^Q4P2qQ*$Y@ccE
z6R?#$WYkh{ch73RIBluo+Z5SO*bf3&Eqy#)qy=Ces=E2j6|7{Bt%cP3s!mY6-wGSl
zX>a9u8;bGa7`SGvBKxE|YR7{7GFMjy)rFk9LK~<!@#SF8Pnq{DMVaa8g0*;3ZsF<&
z*uXR)du!uLs4;iFEYQ+wSnZ@-E(La9TZ{`2y=<g^zq)(1-}iHR&Nv*34MW+;HDDro
z{Sod2=xam3$`hJk@}gOGJ0ME3p8iPND#j~N7_eMIMk>rtS&N=aTpfi@$~QS!A5q)H
zHRr7T;NjVvmxE2hu*=oOY2@s3cFISBKFy_Hsbvd0k-69BS&E7`i?=$k!8;*&ml-C8
zF!I`UFr!UtG{;{mfxVQ;<#_XB^c?;0Oyh%&rRc(!20__^XTMtZzxf>d59!4_dV0Qs
zZGXCcSWcOyOa-<pMuHF>jr|fVHpC$18>(TNocQcJtCh?3%Yf&}xi;l6*s0lkRji=m
z{44S|>8-%#KU=lD_?}?l$rX62v`}WtL|kr&0#Jx9u^Z{hN!OEc$+tPenDra)x_#E|
z+Z*}0Yw~Ln2d&Kfv<&%8Z9T5Xy*pNj(sJ_8JQ0=5^8(7=iJ9l+{ldb-#f3u)e2Pj#
zBP#z@`1$AHG`i>5nG{FcH4EEU2ZR?G6*exsnubP34!V*46Eh}rJABRcEz=Hj=gF^@
zvlpjUTV&dtydmQ7ue4cl($Mq23q8xRsBX+!|4n%uuw7}DeO#y}nvPzUPRC&4^%`@H
zl0es1B<Lvi0;(oM?D#(D^s^z!p@)ChK)Pz{m!@pEPiV|UxWDpL8r{b=`}pgZEWk>k
z8IQ$H8(B%EM*QxoIZLrx<BsehivuQ{tNn(mDwSFH73tb*FJ1#_J-why*86Y>SRKCi
z#tUoZa;3m;V<2JUS+hLHFE7NoYp>UusyRo$ZN3=J=|E$VIoPJkA15;AcNsXf?)c6x
zEXHMOF~lO!Tv4LE15_**m*h5@noJ9)L=;WS>%<1t+74D_ER9W#TOq_tKFy6&?+IUE
zLGF2_A=K!gOGI2|QM2yH)EkUzyT>2q01lI&)@?-kO=+ren}53ibE4&bkZ@t^vjrrk
z=Ohi{6yKaU;A9Z+mlz<LhTuE#qeSYJ<>hQ2d~NST&#DJ)`uhS-Qz&$nt`1T?y19Lj
zern?WZFqx|Dt(Ue)Jv77m(-6#!zy94ySvw$r}T`J4^BgnGKSjo9y}$gv2pJE(AlBg
zQ4*8kd`7rQtgTGBC=(Aw0(hvXw-~}7Gz7cvQl6YmRs#LSd~d^|tX$GYJlI|n;rF~*
zlY8vT`IK3uPtmK&q8l8=AyS!9_07z>hI-9zVh8zWdp7$W_cZgSQ~dIGvB8^tKT~6v
zvC*%uE_cX3&ysyc0k<EJ0B&F2413+@9=trkKs{Jkb3NDbli2FL_JLhlfhLt8^VRpJ
z<wSlX6$$FTGt!NmL`$0U?MueBA%oZI9zN(<=}kKBfA^3ESpw$bFIDm!%7+F|>}QT*
z%P*^VJ0enJ)Y4}{_x}*h^v5kBQ((Elm8fRUiTY}_jEPoTZN(86lS`3%4DGO8aXIHE
z+eh<?=5Qu}^;G00(VBA_qj900)Zd&&(*qVGwGfT*UhhD29JJ7!CAc6if8U99i4f?l
zYbJ~R3=SvIk=Q}{(!}df{B<-&v)k>2?@z+QwNmrAS|vk$W}{`}QI&#xxa+Rd>At}b
z7!1E)>?e8y?pEiBG3;J(Dpof(unjCkDbMnEv&0HRWreE&P`iqsZ!Tjigo;EAMV`Z3
zoVn**_L8Yc5kBiZ;#htficIkv8+qM3{$4Rs)jb{iRbEjEhJx(nqroAqdiEvip@WYT
z%P!)V7wQTp$2C#aM)whb{edfoKoDzmmfXPGN2a*>fn@-@lxZGc-Rh$;P2H5ZU8x_u
z7*2RO{3lU-oO|zfHluVx-F`oxFt4zDW0gt$JC*JC->h+?wm<m48;G`!`wcu*3`A$#
zn>TA(WW1=diPIV#4qM8PRHmL3Nh&Hvk~myor%&%~B@|jlZ8x9U{Wz;3SPx}5Y)6-t
zo@gYVp}$0un2VILBiK5>_#^qCyLs7TzMhQn2`$!$(`YF>Jk(w2nHYF-AzW5C3G{*W
z5&Lr={iEr%^0S4t;|<rp&9pQE)X{j#GRk0uGPjfKP-dT53Y7V+s1&=|NDm3U8NQpP
z&VB%B7ki~K$Ds^3zdg7xn6h+vGy45?mdONFzMGl3hFA+7)TFEo`|eU4ftwzA?mmLu
z*UhC-D8Or#iWYDOma{noJ3~NhY0nC6EGg+D^W|Ja=VRP1?`B!5(%e4ok-peZp0Mg-
zqP7xmcqEDaSKaf#6gr1mi!oroKJtdlW0R1+a=QwDBud7!s;*8WCE+4t2lKJO`DUv1
z#MdD20@ELtQmLGZU0q#|N)~h;tISL)S4ZYY>h4xrk8fF#H?fS*vG(u>tq>x^%%>3k
zf1FwAgv2nEN0ZkjBg$@;ise3((i%@o9+-_6b{fYcJ}N9-iaaz!c<7$nfnCYzbD>Mx
z7g_JVCqXfN<c)`O^j_Z`7CiEX@+|6|c>o)c$N%lj(N(NSVmCF43JsBZK5%x-Yt>a;
zolRg&db0aut!|HoeqM*`0`+t^6H{T*FFHsScIqjCaX5`p?zK->*6Z{}4<1B=BYVsZ
zXL&TkHQCkdEt`SiSi|#@*fmrna@!g$>yM^hikI(vuD(%zp&t$J9#_j;Snp`$@n%t6
zhJTf;dTA=;IVKwb{MZu`08ay1!x$LzI8GR8<l=7CkW(r_kUHlYe-<6Few1Z7_A>w4
zTBW4mbuF^6&h4qgt=6L$ex>g`rq9odNf;NCwAmVps<JEXp@UkYr@+D?>>uU<?>Q&)
zC+B}p{|@CtBT)?d(vwGV?0f3!px=X2JoJ8IxL+o`J@xVUd-n`NuHc&2$G_Z4g$to-
zRg1Z8)|20GG<%F5z!#%@(6NxFAv(y!N>lzUMjro+*aG^If^H4LnD$F5gLa*H+}DfI
z!i}u{&&`rGGID4;%_rCs)<MOQvoi@CW?2rYDIh7V1-6sSi1qQ<e2}QG_2`*l(_8MQ
zw`l3wLj>{s=iGT+ErRj5I$&Nw4y%RK>riJwZMX*S70W1}V}@}A2@sHej>_LfoID|X
zYBA{$&T*Z>Xpp!=S-2t-J4!Cga&dnJ8CzWO_LfXIAqZS%Qx+`wJdOeEOqx$Bt%7@N
z{0wm?{d_$lC!42Z_pW}y-MI;FEC}CVK^qCvzhDw(1@3QIGYHSnEtI<pl?GjcDK6`g
zbI>NSRh@=yR<p2Tdr0!)&-v<3&MEU)<I0+D(HW;8FuA?)G4?r*mm_?V>O#J-k&Y5P
zRMU1!f}LGMK_TL~Oaa_vFxNW60=d&rwHE1&vY1ov@ksh>vG|Kt8+vuu!@;@5$@y5L
zdegqEsVWP`;S_g~NvO#}&w<PSRyEqv^nvV&X7JLR8<$}W{GW)+gAw;OwrYK8ekkWa
z1;O|=G*k#U4DoU!rA4)1z&#6GB3~Y1jXMLfT#jN;b^1m@KX(ktzt;C-e-;-xRJEs4
zC6<2KY$GzMB5`?9owdESx2K{<_U}fpR6RFFYo7H8-^3BvkAMJhYuF~p1(cYAFXcIB
zY%8LknwptyVPEA49DOP(P{*ri+}`;l;I<Uz<05WiV$xHtuk%c|N$M=sS&OZ(90NY&
z-ioq6RfKHDqcr8D^w-R>Ef~G7xT8w<p+EwV4@Qi`o3?D`MT|PVOPlw#S%&fY_%5}$
zt4>hpx0V6x79DzhB`-0hUk8@73Q$a0)ayyqbDu&N^e4&<V0Og>v#Y9Un@tjUXc<|9
z5O`>7hPUuh2*x&(54jnqq0J$Dnq^{Ej71#XsAk#rXbDNmDc;x}UJyBg9`Kh29Mu`h
zU(Y>PP>^ThC=HESp3L@&QmC3BJLXn*5DnnOQn2^F^|nFe4~-h^(!E|(|MHO&{kJ1i
z9Zt<xDs?t1=*5}|g7GQ?%C8a<6SGT7WK4^&EE0z}6||L^@bIDu)q@+{KJ_@CmlAII
z1P969#2h{exJgb6iKYBb7I9@|Wl`h&2ga!>`w>d2s<h8u^pIn%u2%3UIF?7IY=jD~
zIdqng{c^qyKYL%Jj!(J@S-RrNPO_lrjMccv>kX6E{be@D13#U2QDN>C4|(HMX}iiL
znw2i2(n~`B)S@t}ZUxWYEk>3kuEJUV!%O&VV%tc2vEZ*(yiI4r@m~Z;FnF^UYj3aS
z;39a}=4i@(O0och?0u@3*&Gq^>MQIF^r*;W%9|^YV+Rg|FRf^k_AdfKbWlGuCdBrt
ze2o@ZUKOw&i}#`a=<4C@mh+|Q<XC*fS7I^t-pZ(PwQ3YRl;NoG@;KJ4w27V?3Veun
zry+6LeZzQeU+1jlV1J<H<R;usSyg9FbF6zs*&p<6axKM#b7euLu^6jOhDB3c?ERv$
zSu;)xlo^+@uG$ggUFCPE^9~Bgss5X3P@?Q+22p!3B7e5&O3rMe*ynFKqgRuo3`{;m
zy!6;UE=@gAg@+=}Op<8H-J$&g5$pQYuKN$(oK_)8+$ElGjIRSYKPcFP+zbo7-_d|E
z>`M2*{nr?nV8+0u`%1-qWb33mgm*J)Snqtt;X1scpPwn$E^YS$4~9Xif;2o;Dn)0l
zt2gVqS%&>2pF&((j;IZG8jp{dHWr6NA`QA@PGO0LOUt8BIrUOuvUfnTFA}hq*-&XY
z#yRWZ<o)iMV{sD)RV}+R*Zs~pMUchxZsO~9<q{)2lu0@cU{vHq;cujAPauhrG#w`C
z+sC^64s}Z8JW2_w;~jzdgMTY6WIoc7c&Q+G*S)2IOrd^A>D?Z1_!6b0B-y)>nO$pd
zqGBo=z{yy&iF*Sryu9&#J6FC<jJf~%UwA+j0`bDz_@_4yGU@zI2`^cgMfHpTZF_e0
z13@=ALG`ltPBLA&0~Z9agL8g)?^)$`j={FJXF?xrzOEv}2{8*zJL@S_P*GW)ZD>3A
z>Mk7C7f`~eS`yYodtxcS^3~AzuiER5d?}CXcCFg=1WAR7Pj>vU{K{W%u@`aA0_~9@
z3>em8vsS0*RIJ*lUw&7re>Cd<5SCf>M<vJKfR=A<{^M*vD!C>b%>3!<W_DK&v30>@
zN?`1$yuSZq>~EFlE{G?g=HVkv9Grzn!U3Fx4Vxr)M}Gv4o|X{l^XflGmw_GKY{;9N
zqOq-J)|9VjEjL?o(VNmoh|unN&q7Ag2gH}9ejCZACh`vl)}NEu*phQ^^c+4ImEeT9
z?7s5vd`h6ZCdqkKR<?g}XyiKHZR<<zd>n!HKsRZ~^6GCcp>@BT12FXgMp>6LOa*!Q
z_(Mx#V&d$66tOO%jc|H?ue82G_iUWBBb@i#z$URGAZ^=?*{}+Ubq77a`f51e`r1oj
z(n&Huo?C%kty`%Ee)gCaqFH0n8;%G7E8+{d$={PtR9y<D0k^p`LcKgUU_R!HWx;7T
z!F8Jve5rv=&qJSz-G)G5Q@9x*ANc+%@U@ZR!f4h$p0?SM!&vQRxqcd}WiJ4iD+fiZ
z$LcE_w4BR(V640~Ul!V(lXyX8@J;_d^knuj%p6n~C?|6xBTw99E{fUN*`H{!1o&dk
zUdNd?IaNp5+a1^Dehvvs>|Xl^!6lR(^)DVf&9|Ar!u<vU2=^sZdKX3r#tZeV1mN``
zYkwn78$rcNLvJLsR!OVAEOfUifv$~25Bl4TQQ;<G-g<Sf|Co$cyM3dmn&8Vdn#u}V
ziQzwppH(r8=_w~YDJIZwPmK5soEVOa+28NR&tWI_1Sduu2tag4=6U}INN%1*M|XxE
z$D)4rYcuR|RsZ>=kv6(ljlfF<yzeRroX?2z7z377>Re8{S7O;&Sx=r8>cc~M-mh24
zHg4AMuq?Y-UdK^nqh^&^=gK56cDAQVnsjGNdPFEbAW0qKoKSN*-?ERY7v&EdDj{&Y
zPJYO99u-yfZpjX2_TyX6uU-I9tQ{8w9_<se-2ct+da=4?vbyveb(teqOFAZMf8VXz
zWqjL3C~(23n5x_M$saNf=9F^e;d7Db(!H%PmUmnrW;zNwOr&SQWti_ryIZ!}zg~r6
zS*Q&~!GZ{gb?&g3p1LJk3<|$ncX*Et+(Au)r#ZBu2&%+PWF1d(c#Uy@?(x(mtGBmz
z{|d=waofc*7LPH8ww`c<@;4)>Ok?SC8HKqag{%Y*o76&9Cm5e*f{UR|`B0u@-$mGT
z-e|Chz7ImY8_X3B`fA19Po^>zCwqff1Zgn^BQ!p6WWy_{ox*Zuz5SNrFCqPJgl-0V
zf5>4VejF86VH`YxY|yq^gW7=N2^>zEZD@*W)8(t7u`{c?8jN!E(|c>m-xeP5&{|`}
zt{$$tOVI3YAFICOcZO>In&l_*Q`)~nE=3;n^OVBA&2EeNz!01!KPVC3Tmtw(_Xt#@
zL0Rc&i>$m3vvOx74jCk0udm;%^l1<A6fAYecD8$5i_=KC3O8NPWk8R=iy}XH^t&NJ
zoc5%<gvh?}Vv@)I32!6VN?^UvJ5E#Y{Bxrcq%|7By(F*<n{v(V@_Y_$sR2z!w&p4`
zR4OKzbMoap4?6mh_2!-!jTUX5@5#(TfO+N882#2Z)Qh$&A{9RuDqW>Q#<OV6y*ZFV
zzojF_<FPbK0Lu{nA6I1MsSxxOLj1@bA#ktC<Frpqe5$x!a^^fT`)YWcO73-mC*<%p
zJrFlmNoR{jpC85UCp(L`G;n3jp0N-pN(CHOjAv~(cGl)SFt|&FkXBHT2CMnVk^U=4
z?|D527p3>oF<cDZ`Fuw&WStspe90`To;@2X)1%EVF{QPbs){z;cuBOrkzG|Hs#2`=
zR5JDw%uu^il=fZt7<<N`c$uSq(CN)#K9>=Lc(}6e4dyo``jO%v7h^F}>{dYJR+I(h
z{#$=PGM+Pvf||^UnCg%-^;Sx5DWDAaeIoaI4+GKTKc?N2szM=|a=u`s<c2ibmrnlb
zz2zJnHq<xM%J1#+1HBwNK$@Y=y`^BHajF+1@xJ;F<Akxmss>3(dD(x*OM3}e3Z_2$
zl{{<+g$t+(DvY{QhH+}%?zUMA_v<tfV>T}G#S40*>^K*BLVn$phwIY+DG$ZrXYXa>
zPXSD?P<ee%9b_>Ou-UQ_<fNDp8n$FTISGm(@uxJm0o&E=)b5ChzBC5o^5?G?J(yTy
zOz79@u)uGAz@O!Q^(^1TMe8qKn(*Dj1w;X(4L8MLxb<b2L;nWOJ9__zB+N@*!}S#s
z!k0V!hF45YV&0l^5U-hwW{j1biwu>n!9c_Ah=yHk^V$Do8BZ=qe%qrobQHn%wpKLH
z!DDVq+`xXcJ4X_+X)o6QM_7E^8&}|R5t_F9k)*CrnF7Ga2y=wIaZ6P0v)jkZfB|Us
zDPIk|SkL<Yr@A4oZ8$~}Hi~*pN?ebQihdou%>TPINH}WHruaIm*3wDz{O!UjvJ&~R
z3;lT;OQs@aYQl&I&+GNsljh2jeoM74kS<tBEcNpNEN%&b!=X5-Jud%-F||YIFuUhz
zm0#L$mhpwqCG_T1FvF6`*=X{AYb*o_u2q_?5F*N64$180{><b@DDphGh?iMK8zBla
zHfmD$zErWS(yaW3e{{oVSwPSud}frk$920L)+x~sX2YB}n(3sz2od|Lq+#4zjPPrK
z6pW$wE9oq~BKGaav>7j&S-(UK1-2u-u{lVfQ>Ndy%l}o~th6~zo#|ZS>YT?u%G_&A
zZcak#wN70URUYgRAmi(5I<#8~K260NdRo->9>JRc&>W76#{iDDF@1BYteFxt74w+k
z;OcZg-`>$IhBHcf5=3yl3dkvnFz|8!RIsD{PjE!=a)gs$s>-s6#w%(Nx&?$juk%nu
z7KJEu&T-OuMI_}6n^10DV@|_e+imKIh%!65{>|3r=OL)$_c}yw*PnDy?$%u6+c!x?
z1KwmS(WiCXT*w>ZLGqH7;gOoZ#D#Uer%Fpn<CR&aZYGK|^qJ1=m(T&C(`x!mx33><
z5hiVasY!GdX29MgICb@dakW1c_(9mnI^fQJOHWXP{96qQhCi0qd8C(bXb)rO$eg5p
zn7UQ$n$=qV#X}i?M+sjGt9{lT9wHcDeo_m8<wXiC7Kllp#kg6`rR`~}mmz*ABF$UN
zS51b4E9GZCcGc?{TWCe;+)3XMZ?G@1<M5~Q*C)l`3nzShQEZV+pX7}rqu=x29t~9!
zJj)MD-4JG31muC`H?Iv;q~W3Qr+9zH5RB2vl(}=vL1mbLu6+C%yo_hyWyEQw>WP8%
z@wcoO@qcR(<S5PR$AwT!jxj)D=U>~3N`3xBr}q+d-}gZ=!}03OAN)nA+bd2kB)qiS
z8tlG#6qbX5yX(MRPHK&~40?~N;Xyrin~KvOgILStr?UK*ng!y?xi5_?jEFMuAYD!E
zoC2b$w$(YPFAJW2bE4b`q$?TV5N#9NBpmR_`mz+DPSQn388|~JgMnP+S80_X3~9S{
z$kFHP$g0THD<!C0Jr=T{qcZmzn{3wZe@A7(XwVk*eMn0e$G(yd)9b&nleF6VE;T^^
z?!B6hwqcEwH@5MV3BU6IDew#d9LS^eGH~!vk-=>Q<DiUqMILc@DE-GWYiw98)f(KN
zPVEU%L3mke=o_6(<q5&Q;hd@eo6-@y#^9qgY?rR?XG0HS6kgb56{#OOAy=jcd_|N(
zF1m^&9Qyh;M3K*8M{XCvtL7H=1$Psl#)H8A^~!DYAL<J)WXT*5EqRlNbqo5^!2=NS
za3fL;D0tqpkc@;+dhJ<tkC>z7H5DY0k|L2H7z9y~;Smx#U|UZ>gX4*D;H!IH8GzGn
zSVt25Pb5c%S4P6bZp5>jK~l^f#EEz+Oel1Ju_nOOENh~?gtrRW3l=RO2ZlD>zFq3M
z5hez;JM6Vm>g?ngv?L$@oenB*g0k*)3%)GD3+@f(&8EVl1~1qzQ%)BvjcFuC`nm>r
zAjhgbrtK+kypNS!VgL|MfI2I|O-};w^M62mYFN+x-)AdEq^n#FbUQ0SSG@y=w^yfO
z<}oR-8I#uFigO#&nkpN93Gxh*r?N9&X{;N{25iEyqFU%D`UT#W{aAtEI?`Dck>Nih
zA`j3U(}!gPN64bQ&-V}>3irOe&>L{Dm1&8wKCkb2ksyPt4aXw_Ug)cv7Ygq5A4a=-
zp{K`4Z!|ZWM{RPu*F$st<%k23HPhTu<%e?I2=blWpzPz!c7eHDq^KzrSgN=5)<-95
z{t9dG<(4KzOp~}1zY)!A5vTXKlXTS>cDL0jMLoy_hU2k~)L~Kg;3l);_T8SsLr-VD
zzmKQhv)Bb+U15b~?H>E3Jdg(+K-RV~lI=vMkc+#?&$h__;}{E`DE9PwmanA)*giez
z_=sIxDQJ<p;FtdQzaB7?@ee&@*&hp=Xf&j??bG$X1y5A@!0xtaq|gE&sO2b!9pMis
zR)V_~j9;J(;A;dKy7M6zzu?lxY@>v|O6UtQ5J%<#8H?VZ5P=0rdwG+kOtAk`=y^lT
zK=e+)GC)QTTcFY~yROo-i`~}_2|GKj0F2&8?vkf%)L5WCgmn-^OD%9l^RgN=cn*p6
zN+0d`(|)e%9c2?u?~UeLx<zbZn&81~He}b3f58LK{1XiEtfEWc&h`P^!6O1jf-;!(
zPyZ$10bxS~@K!2n6Z9Z1m)&44q5onoEMq1}zDV_2L$uPCAY|;>nU<+x$is9_T<jc3
z;<0uX?3HR&D4AaI@#Gj!3i$aDAVaZkO%82Ryx;gAk$Y!#w%XE5kA26)ckd{dkAU0O
z(Aw%96jcIVDojlC%M?2eeXIiOSk$u$OCwwl8J1{Sqv%1aH1G|0&gYe!?SbIC2e)CE
z@jqc$9iI+VNT2~RW{MSnWe`J5(Oxe*as_n@A@=`6&2kI0I=Jkl5E)N4SeAH?!u*`9
z#2b$QtLe*%T6~olEvsnb7R=799w)1uQ-Vwp<_%eUFe5DX^hD;YcD!E@2VNcvq-WG(
z2x*`Wcvkra;3xPZFLG_e5R4W7ykDY%IY<C;>T8fCieL_c%E&8n&x;Bl=Coqs{|P8D
zh>w8N8Vg0KTY8f02*{r&VxuLhT+uP+f`uyy3ViT`cP@K4$tfQ^`G0css|;o8%ATa*
zN(E<`aT}K=DI&ST?dLuA{jofW&SU)^lIyc%RyVySL@H25#w#>!S^Xgk_A@%_BSlzU
z*k^sA56t5AgWQ*3#1GhOuEK`{a0;zRLstl}R~mgJ5h`G>;q2`Gz+Tf~_8Oev4eV9?
z#$G@E$6mt>;F>k%W1+?6qIr$~z($1@u|0Ve<g|}J%X;n#*3*Th!=OI^XIS=Y3VeJU
zWY7ai`*oY269spkpj+Foa{VmXEr|7Bk!|xRF%bw6+Q8`N1WlBj$!w<u9YA!{mwYll
z$mz_ZgMWkaa(=>($3&}%&M+~eTmm$V3;E%hC?_8i=`4x^Ga>n|_zd0>WFyO9Z#U5D
zd7H?&b)OoN$Vp0!9}lzlvEL-jz}~fi9gTga2X$|t6f9$s|2Lbf;}5V(w~;mC%mxBq
zj3K7<uRno>QvcxBgW&|XcD<N5nV&WnDwBjqefDHdG~LeMC^3d9qK+FUyEdIOqmHRi
z8Adg8#4u9|PYwBVBQIup^74VMm^Zr<Jk(igxgGWFerv+`<IkMrQ?+61Jx8XLl{D=U
z)xc4~ms=F_U&2i)K?C));h}AVeIy3Uu%KtzK?dst0^For{h%M#t?hx4gJ+|kZh>xx
z9$X`b>r}F{T6Hn0QRuhGc7KHd<r6fy_3t<t&!($Ab<b7F*_0#-#=9rCni%Z`MJ4LD
zN8oE}-J^@#JtTBy-Z!+pV$J;h@8wuUcU_)I*4kMN-x5#V?VSkq>nr``rGpvH4^PQb
zIKX=eMhHb-Y=*GStJ_2^Ye@!-1?<K#!s5<T*;?cp0Icd*QBUaMCVyB=*@k|(XHjQu
zu4)cWgRdE6(*Rt|0$`U3e8X!Hq0Mh1^z?0n_Tt0O+vb*H7uGzv(%%@{EnV6R$F(1o
zew=rU2V|ywdhG+)EYo`)ilhPcMg}#*m>a7y5rNxmMo-rzQsAt&hSjTjn!bH};w;uo
z>2v0xrv5yY>b&bsj(is@>%wkzPe{q#Q8!|wnl4}z(n_nP0%%>bGwFm~_+e|jAQw$%
zirOtQu@}0LBJ8VDMDG@HOThlrt_7n{B;C41e;dKj&z=fEX1KjcL$4mCNq-KC4pIZ=
zNM-4YK?;XZP6fclE#Vrdc4Kaow^1uB7oNy<b-?P2whQ`<$=?wA1bCX&B)W%Dy;uh9
z%7M8m?pvw7RV;J0{z}_Za~R8<&m6~JSt*WoHZ9o=cad*}TO}j%y`p%3hl$i$suW01
zDtm!5RhO%{_i(0{(1i$T8qcdAgir{ZJt;rW+ezI|#t79E2Z3(H<G8)1J5Jpd{!C!-
zM3PN05xq`b@a2?dR(jtVTpNOkMiX6p@1|YPX-v3rB#mC1C&;YmkE3QN!$LsnwH?{F
zB!-7Njq9tIvcgRk;V449V67Ai^v-vnO4A33Pc(-<4;iGCfSZ(pahp;o#Nc_@^y@Q4
z#am*>w%mpv!<D-x-p}6u_DW_;6-W!tvN;qF5iS5ETrl^e%cND%;@CI4-cJq<tI~An
z?-C!%*@Qug1gn*w-xB3RRU2)SLCAhw@r3|cSmYK)$eRqd9t{lE*^O+&x&z60X<aMy
z1(^f*rjBC`s>p*xpEvpH<^+qQ<pi&pKxOS}78I}h1gz9A&nK}WnpdxIxqZVh{EueW
zCHxIww6XgNaV#LQ8`c|ID}g{cs5kW<#vaFMB<g_}&kBy~mo7yJ>{#l?j(hIxm;@y*
zoYF2U2~QCzS1ahQ`@l0b+Dk-xr1ChH-Wh)D{L3SBsqrT6s?otHhT}Cx18s*W(B))A
zM-%)q`${eoiU?yjtTbO7aGF@=S(K&jZ(&AMjd>7RYhUgi;&%@xr&AKVkg#hgmmWyl
zzU)-EUNc+6Z?Q+#SH8Uub&H&D_Byq?9%lO8WOp=j_ep1xQ6?K|G4I7M7&+b>|M+As
z+tq<qI58Rju*rj{`MN>ml|}VB^H7xn@?cdOeF342;}~iyC+IjHmT_IUlmGxH?d-M_
zxSZ524%H#lF@jZ8=4cfj2oYEmkVFK9t5P9P&g&`GRcZ<dF_i9{Q3*r_v`PbRX3)lp
z2KAp-ry_{PxCJ-%LH-~6xFc*fhlWw4O<84{J1qa2hVVNZ)XhIcw^+BBJ`&8?M2@>>
zkTE51#3&q}O#QwzANg;kN7dx4)suFGjS5{8#A;#!mMCQw-PkV5GG>s+Zi`+hO?MuJ
zjfK*klMgm!eEk?DnttR*j>f@fHkpi79FDyFeBwklF+@At^xEr_vCq5y?#7yyipnu@
z@Es5WUuTj}#;=!hzNW$?EXAG>1Q6py)3D2R5#gZ|Tz%D#KrN{mBtNGGU`+y}Qx~ue
zA<!Vw$YbjMNC`sDEjN*R7qY!PLqrQQBNE<-k&I$llq&+fku@VvomFd?ze*4}>W>j^
zD_TCv(lSL}T}8&23W~Q4vxs8&jckhF1ZgAM2H^BU9O@jB@a|hy-bMK-NEZcWqWLA)
z`l8c=%@UI;Z|wRRH)o3C*y8$|$?3XnsBTeE61%R1?>fh4LJr<ROc{kq69g5`cO|wS
ztGKO{Pl(+gW)#tF`CwVF7Kg8&`-5M%Pitbe{EdR+xp&we6=TmopMoVM&A3bIuumWq
zJPF(Pzym0J&hHgD9Nc7@$b@b>h>rg~^UKm@i4<#WNSfSD#yZ8i1-;x@tkrauS{IcZ
zs9Q1i=n5!b<G1V%CxCES{D|^(c9t{0`q7ZxP>ue(A+ao7W|hssDV^p!UB%E;`Fm@4
znrFrDRuTk5E$yh`p~XXsNARTcwRJ13W>Mp%*?p+>?TM4Nvt2~R7M`G{tOZgWLaS)#
zvfZj#u!8nYW7zV@z6Ng$8LA;BaBYHJA&-35D@-qAd-lU>Wb>gzYDKRNKdME+e0$O>
zgZ#Hb(D?5;=U0@%iSaH1mZTsbOs<8tGSp*+aVFPI3bGYDS?Ei6P_JYP+VvF!#8G>c
zYl~ohlOaU^|73{!aHMW3KGAmMQqlWc80F2=l25-aH@1EJ$Ld}hmA;vAiHsDWQpB9`
zoT{PijTs8;M4+?tpFow*QBqgI(4vSx?iZb^7t5Eyowlr3cA%eILhfAZ2=L0RXz{)y
zybkB^`$Bzy=HO_|!<RjN5UWLCJcro**%KFjd?DysrE$&<Irz0!%!#qFsR#hhD=(F4
zXU>rc2QgTl*#5(6^e6*evA(8jsCfsvlU4g}X2t~+VkIZ{#E9j=@v$x9-WG~@a;o(U
z{UU~&6fzbGp?nC!L5p0@L%?Csz&MPNNfJg-ic{XGu1aosA4muM?Ayds1;L4_>O^em
zwli<*(f&;3gnK#+lxi=A5<|XdfB@Bc#xja+{yL|-`%eUl+`3mh=R;@Qp$1{bGzr?N
zD_CbZ)EO{FUL=h;!skv=>tpt&qM{?3(<N~{HI+bP2kAq&p^OqMXr$`i?u7b8%(7yt
zu&-zouXmZmN`PEjp|c^?5~^PMwgWM4!-A>G{Yn$4+Wv-_h3U2-9>MHEcPk~Y%6(q_
zGEu>Ugvb{F1&o_CLV<WF)`5Ot)CsC!-ufly(e&Ra@U=J~Lh_ztNzy=wsq9m5!Oh4L
z1)45vfe@O+1&0UF9Xt*Q8*kCO=0P^?yYU-R<XhN)Rqo04D@S)z`J~}TNn0SjPj;>Q
zj5y6+fy!Mo)UEzxbSyT?(9~##M(6d{&Id0JtM-Yu3xQz7_-hN<_pvjoJWx>@#_~O&
zkZbDoQgHfBp?<Ja`&_r&$pKK<j0%rS?MA)_@;giV^aljKLNb=dlJ<ER93&tcpnjBS
zvnBu4tO(Ndpe7zGAmWzv$Q&tP+Q@j<2qUo3R2umjmQWE{X?x_2eNYAQ@456)Vr2x+
z8y|@b!0f14VWk(|!EtQIDj|;)mvS<%QrvyK{lY@`<h!DZU{_(^_YaNhFt%qJlqkK)
zZUIk$SQndDHjoOENQ*AQVZ#hcl)gkyRB$z3phRK%`e5k;sP|WHQZL3GAVyY)h&>yW
z*EgFZ+4wS`2wG^oJsMnQNh2QIjPHVh`hkkad2_vX*r2!CCfP38twB(IUC^yJo_y!C
z3+_~c;GEvfRFzNxCaGy@f>Z$4tUx@0?l%;va|Al+u!L~P0`Kz1v^jz?$FHI7JnW&G
zMdJL+ZZ{_5=~OF_jDw=JUUWGKytnYYx^1PDJmnLiIJs+Dx@poBcoE_?-%;rq$_Mu9
zYMBEMNZorhcU2f<0;=%hQjLr@E`d6s%q1#z*~W3K=1~Sv&>1qkJ+oG6w2oxIVx5~H
z9WTT{l*Q^u22pr=!e5OI$Y;wAvgiOV8<JCcu>!*Masx^p;GA&dK)!`Hlfys)N*ZRE
zhwVV_APN@ZA(}XP(;5@A*%jX;{e)|LX{O*hUD)TGkoz>hg3JtOX?oEs`w9%n0V074
z*`4qlEbu>1mpMTe%18LHuodaVgvj2JN9`4(q%>8{engDIzA7)SITpbE4lS-fA>?rS
z>sy(^Hq~uGISF1X6R@#T)T@~1uMnefb9G~B-Aga07i<yR?fepUX1<Aop+_-)c)U44
zv3(bsqBJTEw0mlYtf1R5n#<!!=AlA~#k+d$^ylMaS}!&djt=I^x0_gJJu<1(sHb4&
zb$UX>@M*V5o)%zUM=8~B7s1(X+>AMz4p^pYTbqF!%KqN8$cr+dgx}tL{Ve{TMZhm7
z1zfmEJ`=ivcpF&tGK-)DYC}{hP$qhD(D{Qd3pXhJ02@tl7nK6wqmdp)>|0<)`IRoK
zWw!Qxkl@S=U4MxF)g+8*R$tWEOruKN6i90-0$s?vX)(U2FT1DfhExk$Mv<=DhI(sG
z+KJ^uMSnaMUK#7!bh7Jzcii!#^8q2sfZ;M}TXC;T+8y6C%0NS$#<6nGBoD_#(`3gA
zh#%B52bpb;XC~=J`%pioKr3bo>zajEQeP%MNAoJWYkX};N6W*V=|#f&UOQUx@|4)W
zUM6M^81h~`hHHWpLIOBrUKE{RQckL!&^0q;?G}Bcxw$N{Z(jro9pE)C*9sAghhOOv
zBb3tvf-<o#e1Z#ZvV&bjp8;SxHtAO)RLqcT(^leub%1JSfe-f9(`5btdWDZST?zj;
zw`|8Jx`FhaIQ;L*imq(b-+17rZzz{khk~=-+MygpRTl&e($AdW!el-Z{3sUC&x=wj
zjs0-$c&@J_>9wEiBEHmgS<EuFUNq>p^O=yT25jeBdF&zdr5I&t?gEI-c${s`QngP4
zex9`z`^imO&S(?e;=YyNFEf>z1vC=OVtEd5_@8G|{Ujdb9JGJ-nqunC3GF4bn?2CC
z?EnEW`yJFwxy_k;6GKU$sjPi4DQ;3y+F7&w&X@c}iE*nvB*5On=hG#K^TcJCLP_hm
z?;XcTXec$Pzw0r;=U}!?zsdV}>HugUIDKt|9{~Om`&svOgBX866QBiXA{Z?#CycnN
z8*JPn#{}T7CP;WrQ?^Qgq^DxIamU>|cML=5=?GtzB(N$oL{PJO+}D^wc+|>oUF70)
z$EX56uxM&9#D>K>B~gBs-Lrams<zM7ZOFcGTcN2N+ul>w$5m<#Wi_@Bw7lL~C3P7)
zcZLWh=oJ5AAb?*!7@IU28|iel-@*<SNU=0*=SyHMAske@e^0rYyB(u3ajVCPMh7Bb
zXp}-gBb+s_EpSdoqO+`YTS{<S{QTsbc%ZWIr!?F0_|vBi{2xLNj*J0V7Qg1(g^cf?
zJdg9Zw$%Y5#G;Lrz3n!{Yd%$&OAfl3;aNM5<<<AM^cI?JlE0|gS$;dVfDK3e_UxS$
zIVzk6b<6+5-g`zhxovI3A}Th(3KkF)1rZVHLTHMDND~1O5Tep+6bJ!Ah=_`c0)k2}
zQl&=eNhm5JQbP@rkf3x3Nu(r^ge32cy7zg{dG|BMdH#Om`{RfjxYs?`TC-g9nsdsm
z2Wn&t4!-{U#o2aqk2_8S%mR4-V8__7Xhq<xeI0udy>9)3Q$QxB$1!;v0HNRh#y>z5
z0fI2b_vo=>M@p`i#ZOJSH?iMJMCR;0o!g54T`BOG5<jCcC;MX9VVxb!6S<#@oL)2P
zRL6JlZOWV;D=WJ$iCL$UY`0r$4)e;>dxU#(v-@S$hW{W~eZ-yF=BXzjSJiSqu%8vr
zh-drxogdf8s7)y53Vl7Kj`zU$0zqszQ854YORHkXs6ZqW2xcX|JbG02vL$>&!rtTW
zPMs!JQ*JncpPXD-K(_gd!F0>*#w*U>a-WRg=7$#^lFzC=Vzr{C@LdGrwkxO0_NQ`J
zbL_l(%YmFO#+nztthcLWN2dB5ZRzx3hun`YIs){WN=z)spo8J9qds*wUJ!7zv<yU>
zfc(q%G~<Tz>#M9Fhv&pM0tzj+XDd*^w_)oVe!7M<0mL7x9h(;cg{EUK+7s-66qHv`
zNF)$!`@Vjiv6FfwbGd50Bs=zb!V~WzliQBaK*!OLS}RQf%o=gG#Bu-YD|bpn_j|`(
zM9<|@K7kTqw=BqR4NlbtFoiWTG}@D>KoYcT0vw2#O&LC;VHZ;mdMA=?Tl5h5K+2W5
zIa_<zackbTqkwA5)o<mDXnlai<gO7}>SmVq?c3cr_^sXo;0f<++6i$9{;?EOJescH
zrwyItii<{vYVAC(sQ9wDIJm;S>wrD8KjG;d;0_pt+mpVo&K!NYlUV8SIzE^t0?FT<
z(*^yhe6*nFiG0ltKO3?>5WB%+IAS(t-|eHm>xu5pQ9q#*wy{1JHx~fA`-)<V+K1Zt
z<vCzXB|bzuo)jS5ZdiJ)21GVJmj;xF){H4;<8diKj^=<IUsoS*1q=gP?3Wx*0&=`+
zYiA0@GK*Wj82!}?pwIKcL2rup>RfZch9_6vk7RzO*UaT#4XNncYULdd@N$M)uBF^H
zsb7}?zp(qRdTo$q$8yZ#niHk8`$0(8@f!BAu_r}QT~j);hqJ#A&1E*vtM_j?ohqGI
zOHDYQYJ22(_Svi4kLtZ|dJ72dM~Bs~p1EqA0JWT|%sT$l|04?Hq%w(SK{7#y$$-{y
zycVZg8QKYp)Nngu?z6afytueHzpBd2`)b(>LTYEZGTQmsl;eAZ-<akVm|C24r31Rz
zvFN^M?yiW=`I+2W=sVyubIsZ1;La&O^mvBh=$Jjizxm<0;ZmuAb9Db9zXjIIwG&y~
zJGL`YVjJMS-4VQRtpi9heW_><AjtuT0d>1IN&XcOo<WIucLZDqut0@KX<SJ}Ydm9J
z+12+?=LWyl8O>4b*6KH)SSLyZ)@<{hI)lMT4^yIFM8>k!pQ~+B7XcE!QB&p%m2A5E
zc+2;i8bRTivKpgzW@_l>kjHoz`|!v=K!0)KmYxEPB*oY<`;X)G@lxtKKOcpaXP&<I
z=$MAl<AY@{zmtu9D5v%L8~%7%`j8XlwO&AV!m}4ic3-~_OB-dW3uWPkN?yV<j!$B_
zc!^6NbY%lGPu4~8R_=~`FSCiWLMGd4dfd8{ODc3QdRIml=@nzYGoIy+10OK(7ja4?
zpD)LytW}^L6FTXgJbO9aNcB<VVRco1bI5phjkn`rNsj(ew&0NZXg8EesJivM%F7p^
zckKMWW&O@I;}U7~C1Nk2BS+7SUIL5^M9~P*yek{2e$uNQ$Y26Iu6l=)id}br?A*2W
z!#XHg?S}w~Mmx`+6PuA&+Ie8|>00H}U$n378`X4x(XJ|9zP_EeEqyen!_;>e{h>#%
zWh;MF0&#5p-oL&tupwuSP4~hv8UvVqy*2ty>($(D!1TLCX5&g8$Ev?rS5|bFe5kfQ
zr|*z*=K+I%ds^Pc<xQKIlEPPqO#IBv`-u4!M}|s@JOPmA4-@C^T>wY=19AUZWzHH6
zVZh-&8}RoVw*e1iiRJNt2dYP&?k-t~)f!mmSHJbN=)d0Szx@<>8nDd|i_Go+diJmE
z?0@x#miRC0p8fZ-|Er(+^_-h)tVZj!ihoJ;zx@<&3UJ1z%?&pGw?FW&?|s|@oSOm-
zx8KR$zqs!I&3jK=2R!B9(bj+ej=z8L{Wa&&%&&cozyGhL{5PMzpaCuXI}-li{^(|F
zV7<wN7Z3iotCfxqTr;7N^(X!};`vj;RsgK`bhZ4p|LtnmqE?__;djLG-$>@qwOxCT
zv>CA8o8H!9|La2tAPN9b`8zcH{R02>D;p#O>unw=_(S&kUo1H?ecSy5*=5D$uNI$N
zl2=qrOh`zV0s&aZKg(?WPEUU^FW>7j44^uxra(3x5e7TQFSffs^v|dE^5*q7mr<Vs
zw;nTabZ|I91qCNmR8)jOZ~R>d^B?bc`Sf}peChL-9ZB|)gwF=Ck9mUz`-ZptvoI$j
z4SKjGk43aztn({mXufT(e0H_<4x-uH%iBA_{n>Wa|LJ0Fl)ik66i{NGrg6pD`Q~V(
zDJV3FTXi&ECKvhddiLK|w{!0ocfNOyVRslXlu_X-sl356q^9N+sP>d;(A|@NQ}zEt
z`XBeaDK4%ttWqzzddbh+9g(w)dN>^LKivetb*TXQuwJV;1h`=`1Nic-^RL_@gj&{^
zw*Ryz(st|f^YgFR4qDvX_uv(8@Ot%;KU{-<TRN~i1^@?d9?U2~;svV?1`S^<#U`}@
z)f{<f^e{^AS1IK`Jz>$o0HTR6cM>Ymw{dNY<9Ezln*nz{ihK4KL;2s&i8SulLqN-=
zLY^Q<-E*gCfaAy+e6UuX_fJ>f;Ou6Af7`1U+oJC(mYt8RmL`ixZ20Hh&Xe9@!!HIu
z|C@aFPrown_zoK(B>}>o@Ag2J?;qa?DE#Bu>Tmv=P4Q1(y0T|;aa7Vezb8LR*Jy74
z@T5?swbe*%_znO4<IAmEFTZue;0M#Y8W%#YuGOmkzfX#+7vEfr92C9x7cuf5zqDuL
zy}5744APG1l>8}3{Esymkhg6ZY?>1~`xl?#KmPyMUk#qDKMVZ<q(XOQ4*n0jM+Y7R
zW<*K<#T)vkHA`QJ%+?M8ytd7_xqlK2;57n}8Uw{X`zNLFKYS_2;Id>r5S`!mfc}GE
z06BbtM`p9_xYEC4@P85v@NXBbq~C}*1MIesl>lkxANFbUM1#R)pip7Q|9@=$AL;ym
z<=6lan{P#%lIu6Gs0lpL|4W!XP)f3X<=E->+M3}jlTEI8BC-qh#M*J~phbS!vUXQs
zH~!xPVX{pkyys?x$&fjfVOQ=Tuhh7F9Y|^&`Ria^2AWi?-5|w0*v7SZ{r7nTxE82U
z#;d??jKQT#mnK#ZM@^(b#3uM>?`#14;pF$rUaI+}rDju|p^p9-2If7pBledfcmfbZ
z0Y#+se=DNM%Nv%(DIjWHr8R!7qCrfF*BjcEczYv;Kew)^ygb&?)6g)AB+sTp#4iN~
z297|J_m{s1h{#G*Vl8Ydml#d&sBkmQ7+T1*v9b9g(8SaCuyS$9U1fCXgHZiIf6cz7
zKA=Jt9*96n407HE!CHd<x-|yQfD&2LR;bZUHiy<O;9~<fx0kD7e8G$g@l&ftQ%Efw
zu$Ymp^B4-Pf*TC_^2*UyadL8U5r>R8SviVGYwQ`(F#Xs!tKihSlqM*epl}L{Pg(eS
zKiZA3WT}OUVYDg1h=!P;;U2AU$<WHiMsjGGB~aNUWshuNP$L|vO$-b8d}EUD+p`|@
z`8w2eH}~?Z)v7Zz755|Yrjf#U`pMl=@OF`}KDy*o#>0`|)@SI_U2eaW;sn5w1Mc~T
zf7{mAo395fyv&iYOZA%TPju}|j7v$<d3f^2$3T>cmsb&_sJdEx@ncN?M4SBXE&Xh7
zH^_q`ON-j|Rg&rJd8<kK?M}JI+Ng0|t=E?Ny^iuJCe7uo5<`Zmsi~c%Rfhm2*z(!v
zkNhs*{c||pYYIi*2M&j;{f$usrh_p=o_~>3Yt=Zzn$|{zCLD}x76o1D-WL+fXdZ_m
z&d^dz?JJF(L%dQwrJu_?tY3av?ic5u201J`qDkKJ8KF#9MNd?0%Ne|;^`<MBNRx(*
zYRMK%bVNHH&5B^+l0z*mL)#8j-D1oQ_Dz2p{d}@t+&wgA;~jS$<youHxfHqalQ+fI
zqs3<!#I@c}56|q~&;NQYG=i-PG(`BV65>mLiEi?5BH5ZbyMF|T6ZTByZ8NE{{yKj-
zs>&lBT2XrK-ALz{vT!7a9(rCoc+M5FGRhBEXfEd=uE6&Pe8}$`{~?nBt(IhG1e7jm
zlM{ucLd-NqOVcVZf`Y1DH2WW~^DDUL8~5k#JUH^(TAvFwzAXXB(I8~akFB(*$@3{c
za9I0^mr7!+StwVyIl=xV^xUpT=fGYV?!&XYo?)nZ!wb{cF9?3q1(lh3>wPvK)<@j>
zs9M2eAN+K=aCf%(B*F+F@urFI+*3Doi89(i^Wl^Fdwy;~z}<90j5mlTp7`Y)y4tT@
z!Y1!se{nwl?bR28@nv4u$9)|M1q1ut-lur!t}uxY0%$9RSdRsr3z4(9t``-3D)5rj
z)B{@YMy*V!H^-l0+J73~GM3mE)Gc4(*$cZ<J46(;fU{pF2iMQOqPWIFvG2{~09yOj
z3f(^%WY3e|ws6~|<cB+JTk;*qu?gd}QxfW70xHCT!NK9$05A@d55I8XL5iP#1h1tq
zV0KdcbLaR4+J>ASyHx+Co0q-Qd>6Ncy3UVx(@r(IzFqa<iFZ?OAp+R%EAw&h<f_lC
zf%62pQor<hHUHHp6>f`1qEiL~sOrnk%R8T$!mhBndX?a23FpZhT@!8Cdwj>54nY1g
z!bktj2%p;t#I0Kc`ySMR9sq@slgZ;@pL_u%RW>I#lNV5{duwV`C7`Zel~a}+T7S`5
zIx+Ugmhr+%Nv95KKWNY%KNkA!LvObaD={}t+oJnWP@`%|W218{=q71%P4_*u%pKY0
zg3rwVI7`{mznve)c!;RTuVU+BAgU`}ET~^HiL*>(XqQd<7S=XML5IqKx^@1YDF$fP
z2I$jcFkP*Oo*4_A=s-=i0&?>IB`1@nn>)N^AdRNMBq$7S$3D~uT&;Uw{haA8<Ik||
zb<wgd+ppXZIX<|KD(2{WOmqa)?R(17B2(HrGwfq%*X|9AR^K}NaW7rqSvTwuU8(BK
z<5j}K!Yd)i2lfNfG60xVYp##&A2P{rmtA^K<aq%?jUVw+ZCCB>xdkecrx@0e#H510
zL~w$W%4*418&{@$QaB5v6VXz<>Cz#>Zc-9iyP&kREc|CLXR$>*Yq&O*@R<;oVz!?h
z)-0@<5G$!ohzW9i#9w7O_C7x>qV@B3$r2n93Z3dumLy|trD^!NHUTx?ezjzaOQqBN
zpRLzdCi;;VRWbzGK0K#jvTe;w&CAkj=<8EBeo{DlSRW{)$Cn%W@P~jpvEi<{Pd1_%
zjTPEo^*Qsq?HBvU@ETswMsVTV;U5tt))3Q@K%CiM6+WT+mwv{WYbNTlzB+1D9}?$r
z4zA4Pik^osCN+yDX;}I(_%%NFM-zRLD@v}e?PrdL<UXTz4cfB2WU2MOqvZ|Uih`P&
z3!Itt(DL%)iXnTncYZh@v5Il+dj;}sN}NGDX%3$kL$ESB)A;D6h{|m>JWJz!!}H>4
zL?!wGb)!qBrqpS+Gj^;!W`259k&OZx<vcF1w$O88XNEkfY`4@`d~PjNPE8MR=dDgO
z_KJ2~b@UtW%v7EBL(k$V=|eO*?0kLN{M%-WzWk+!D*TR6yvLNFJ!V;sbwU}pd!uLV
zNPv%gHNhHaJ<XP<!2>B}HPzY~L$t-#7JY)uyO|OZyvJ=BO642tz)A+s`7LwXQLYZX
zffd1A`9^|`J`d%yN1R)^NRVTe9Cz{d%fW88eIM>ZCGC?(A2pclWj8x;N4HmL(^SOj
z>(cA!j~)tQf4llVzi&VXXzlnLNZSfDtt;D9-5x<ho<_ncGtuyCTn)C%>@icZ4t<`M
zX3-CKIfZ=~BumiEx+H5-iobeIkH?A5(I0@auqSJn9_(Es$Wh82MD;h*-o_?D(Vxf)
z63`Y2OK))DbE&#hL3|_2+9oqPxw7L_Q`KBmLy+gFRik~KfnF_p2SdcH$V_|vsA)fc
z!Z(MzlWoW-D3JBY3=QCXfzL;5USdz`n<c#y9rbAH%(HBn$LV;32mG<L!&rybLd3DG
zaHePqt7UquQShbx5a$iGVJMUH1?c+W!GLn@cnfW#Wf8+0$%78{-NAf^nDu4*XKN7k
z2)A5RP!t2y0W`$%V3heQ@@vR;OQnr+kQ>^G5r(=vM5&%CiNCnFW4`ekoi{G&Qy)qg
z(&l}K!kV6liwrJmtgf_jpW!(i3aY6BmQM`k4+>O#*pyM`vU+{0o13=QUIUe!99qOQ
z*%ay=Q*`m3xXYU5B9=OisE_T})tx*BcwaS5#F@Y`h)WHpD^jR!Z;}(G6U(SMI6;Mx
zgPd!b=k*hvv|)F|(gHE6&0%A@^ixhXHfo*8-N7+sJi_@zo?}Ien4@-yXH#(5pgxM<
zIFDta=Ji(h<5}`#c@kaZ%1Sz%Qji7WvMzCw7^7V$O8oSG60wUb(^+99;;ibGr%+<J
zX^A<d6v@}C;AQ+&qpdi>c1(C2CDG%}bo;b4^Oop2{<*n5sdSxP!t9;mDJj3alMBCt
z)uaD+uxfC8{p0mj#>>Fe_w9{ei=sEF#Z^tA1@F4Q4n9Ew9IHDZ`Ko@uPd|tbBfHE&
zF*K>br0tRc=;3E(nJQMYmQHZfVmVnI89<<s4Q7VVfNs(WQKH(N_N=w(mC>!b-|F>T
zzG>yigui<EQfsL*kwwmu(If@<jj+9Xu1IQ-mc`wn(^jCN(VrAbu&%n!e5P6_e3p)?
z5G<grOre7bPcalR`>Gj`Y6nYs*y1MrV!?uuR8M#M&Y@9n<ef3aYr2DmQI8i2DskH2
zST^aMVnhq-usij>?zbVn2c$sHnBhDmTcCPH+?&Is^;fpg3N3;8xmJFD&lr^HT!+#`
zf5)|+Zu^5i-@qCUV6FX{<Slhi;Vja;m9!fz!TUo9_T<4^&iwB$#V0;Q)1IYFBVK2q
zEX^a7KhFUrz%`qTyp6vv^}By66^EQpbcv<O6ke0bvaz*=$5a^R0aIGaB)76o`6?Qe
zF#3a)`-kvJ3gX-MyE+r%$j`-=V`>#pyoQGPc7<{n!O`Ps-RuGMYM)QKqrtF(J-<*!
zb~KD5ob&ny_W>Lz<Bik0>SSs77Sr(1YuucjpOG1;mPgG{^F*Nc`Z6genf|Rle}d@a
zdcVVSu~B%mj1dsPtL(kFCwowOJO;<_l|Ls~((y`hH?`x31zT_l7&xLv8-0I(fFZIE
z|1i?$*A4rYAk+X695H5Scdw*5A?Mi~(;@PfRt}4syZcZ=zfd}Lm0GSJe<=LJes@^#
zTaApS-hQf*wN!%-Zm02b#ktRl9A?Dof)JV>37P~NQ_%;Mdv}wfIW_YOv}M<tp~mF1
z9_b#=1Vki^j3^;By)emoGW@z`xD0<hhZecDQ$-kOk-@%ih6qbY*}L>c|8yfQHEoRf
z(o;Vs_D#u$$`I>)TpwCMzaN~XSC5ODSJ0ikpO_CG?N5&|f!QDMt>;H#UAwUmVrBoV
z<^XF%xY?L+Ger0{R*oC4w=j{rxU8B;szhXoHqowvo|Y)o;D@w7o(M$gvY<@phYKE$
zV;v||aKH9ikF!v~(aV66Ec<2?x6jp2l}C>*<(37eGo8{*g!FrOma6#&vKg`G5Z$4I
z^N~88JO{W$&{Sw2XJ$O3g&jH%4}btp$O0K{HVTeu<ew^|`eP<B$p|<&B<lTvSGp75
z4&|J^l(BrhpHl}#FlHlQ@!iuSj+$JaaT9!|=Wvbawb9(LOe8f96()*{D4V{bE9Kur
zitTQ4a=$<d27=m`AX+`T1!izI+^CN$VnRuxp%3>X#f?W9*}m8=rpEIKsi0MpCe`aY
zzw3{_Dg1)a&i+S?baX4w(E5{A058-qvD~=c>ar-Ps_=TycQ-|CH3y=Xj{qTrqOZ^0
zzZN*ad+%D~UhIygOF`5<$WQimxP41OP{FBbDOi4hCEDwgWFvz^NAhJnvS6vhoxH)t
zpV4wH!dlu2_Lf2S@%=)KKqJm=r5KjZu*G+v#I$O=9*lat2qVQ3Kf-oEl6W&RmTWwI
z!DQSqXoMU-e%va_RhF6@Amo{q!cMSu_sPIS08DqHN(yy3**RmOLg&XfQi6qXh>vVo
znv(GAR4*XZY;)OtNJEL*nyDKhC!X1)@uFCDnfsOg!o>v-3{)wZ$mWC8+@0&i7nq|C
zcWa!WpiuAjm~Q`sEj_&ctvw<>#|$X*$GdkU^gFZkEo+GW(PvDDy8BoykGZiG#`|xh
z@?@wpa2#i26kL)z(=az@>LC0LGc>u@9Aqti*n|4*&&RNIKRsVF<Fi}yfB-|m5c#R}
z>?u~BKxZ%P8FalB&21qQ%ZaHMaG<kkynBG%9kSx}QI!IP5cSZ&CcM;CBa7$DD!rP8
zMW&+^X4kFL#<*5k7a&eJ#FB?i4C5Cfe$dOK$;xwt?{;+_CP;<(qDb6%#4*f=<~SW`
zrN-6koi%OCi7gZbb9a#9mt|DSIaM!sWn4(y+2xnsA=FoC^r!pX&N$m^TM`Y3M=~Os
z;ib5O*d6Jfea}_YC9>w#7;Uo_JFW`()GaS=bMy_%RlnVmiJ$r8-p50qr>B&ZqtEmF
zN!4At`9!%{;T{ZYKRvX5$)TR%kXHEmn@OBL<^DVrIqDc`1G{?$aH@g%)xaG2zGnF=
z91Ipp?3>Hg{d8dajeG>FAw*_#$vb8%CaT>U7%w4fo_T{_G6acx9*EmNHgDG?*VA}I
zQdvENx=Kr!7B14>$Y1?Lvdf~ugk~eUxpPxx6jglOSy?^3Q|>j)21=Z<ne-X=*OUjF
zQgHiqdeGR^Q|-&D2{hQn0*BemgDPBDFI-Qbc3;MExh+k5tq&lub$5Z9N1iP`q5%c;
z1H2IO>`#=cwezB!L5YlpXLJm?y<K-UT=I?$Xf~)%q{<_UZ5U%AED5awTy;d+85WbR
z^KxAo&%xQaqvyHy!|OYU3vVRfJ4kVDE3nN!82U}Ju+hLY>rznA8&&9wK2+1nB@J@O
zZhIU7uZtGM(!hL*w!<rO*qe{+3$UT`w9hYQdFwwmG=<<2se2AVIf#mJ5fBI)0yMF3
z8_1~rimJB$*?T9EN(@Zds}@oh4rGk&NO}dNDl*q%R*`Lr$Y7Fv!07Mn=kBT;tD#;Z
zw<y21Qhx@h`td8ufLZG4DSmbu738nrYMGDP$gH`1yX(g#K|u)sn)P1Ks3AWkWjUG0
zYNAt<EOk|j2Ep}d3`XxkjUg)TjDki_nPfQaMv><2@|%Gy&rS@OdTlV6QkCfjsV;$I
zekOcaM6H0&RF2TyU|3hSo23u<?d)`2Ma7BFBSoD!%OFYa>TDRT4c>9QVUoaQ>Fo-9
z$}aht3Q%5(#>2YH3WB5-d`X<CzpfR4{{zsz1KIS~Ei2lZw>x{V>AU*Ay>tsT_V`uq
z^O6)Ansa#Ao#NMJ%CUk(kvtikPei?pb$+tQ+(IIFiYj^~Q7YnRR_WV&mmM8m%Li`r
z*1ZASd~(x~?ro5!!tx65!AreTvQ0n6s*<IKTZc#Hj63Fy+c1`}byvWYciiRvU07tf
z6PBsnkzzCo$F9yYQkax-C(Y-^pY?Y3({ozOiF2FdffgIkntp_c_VgZwi*;Wzrx^n&
zZObnU`kUPS(V6~4kWg=XqBQ%GQvJ7Gv!OpBE|+>5yKU7=T&*c0&a_4s)l1_5q?dK2
z>HDA^S(*dW?~ykox~8ZXmo>uFOJ_3u>lVC2`B7Rl`#V`a2le^$+dYQ!<fLLiSKet#
zcxv=S_)|Ne$cUg6%}=Q&S*|_;4!S&7oKHbxn+`dGqFb@ljU|+L@Aq)jS2;sZ-=?~?
zXKtnkOT}QV>m$1B5#O{S%eu8O%nw*OVcOhGfqS3c&qgksIPKctk^-7vc^{Qq_HBiL
zy`PWGke4Ipf-erHgH%^&(j;7{542y~EBh<_)IbfD$lu3N^^S%1ee$3NW`&l;5g^W2
z`U+Yu)+{xp%NZh(nU&rJSvz4(Sen`}JwAvOgcBw&)uraK>0_@P{S{fGOOLKLXO=hJ
zyw;anm*yApt6AQ0=U<4#hQI6S*MjVGJAVWprBFXssanWEj$fWe8=oBPE++c#m+Wr~
zX@vUxgp@jdqNshVIva2fK+OWV`qUlhIR~HRFP3~S9EHqXhYtHHtW4x=^kguD=?(g=
zv}LCs3_E6S@Qpf<w)#bH?aF1-2OwkJZyT1Xa$oa{T8D{Vo&l@PmfDPdk-pt*X2AOQ
zWHyDm)Gevg<BTNqqdsl0Vu-=QN<bM^X54elW(N#(r|O_hw=@B&E*rYlXNL`PFRB&;
zvjqA%MTP?~AN*CVwGjwc?bL}HKs7PldzFGZm+_^V6Ez_JDsXW$$gKGFx5I|Gny7Tl
z$DYGUZ8xJ2-PEWqyLTY+DzYrg-*N7d1eYUxdoEwh`&I$mSpTRaq?)#^K)-(Rp3cvn
z2KRReQ~lkS2T#9?jZbaQ%V;6Irqbf^j={4^WN06&Ft(oJtoQ9{;w}G{H#e8s+b<Pf
zYsgPRt0&R;u|(S52HO`Y02sU0bvY;0i<lx3ipWX}Zd>j+1OX=dC4=az{gWKNVuik4
zScjVA&S70Ixv`d{^yzTf^16A4-q<Uup@x&>oi|4!ZzI4@(U5R6>FdTZy;d&Cf91u1
zMvuSn^=E}0I=`U$^Xq{&eb7B$e9Ez%jilwz2cdhpAC}n^$hSS;8wH<{AKDw|23m%(
z4mueZ3TuvBJXFtrm)y9qX&p5Q%<E{Jtmb8uf9SK+=M=gwYKCFBZZLZUEX>qj6&-bt
zAeX~|3K=n?du8jqY96!R5Jw;+^%?OrfBda?%#3iL@5S1v`^h+DSapkH6Ew<<V`HH^
zxgBU+nwU|M<Ph0@SUf|KP?+049Mzo!Kv~`PJOF@tUfJyg7di>K<`6Yt=O7d9-B2y+
zvrKZK-hMY6G9?9m&Y?B+9}-p-=laanG!!9y)=aTQikhzM4Nc~E&IAxW*T$5Vm%nPe
zI$AL+K9CZosVrQa;>8YB&6r$Z3p4z$Xx}SISr%FlcM6Z~SDK=_fGa-D^@9*jS((G#
zoH`u2slrIf8Fb^`DW5X^&VwQYjWY^mKN=!3t1T;7%B>wKg;|t&@&@^?r)KP<;~PD#
zwNNSAN0)w5xJVg0;e)i&V!t<jMFMy;qin>?hsSqtJ1x$Z%efnf4xL=sbh{dNrOD%V
zoHvE%{J}Sk7VHj$C-w2gn_BpbpR*>U@GH6IUI$ZDr>SC*-8PM&i>$yyD1Vmj?WE3d
zswnfOXU`JQyzbE!39QgLtp%V3EJ5BwJGwOM-Ay~E`EaQmKGQjH@KJIj3-E01dF-hy
zs-McrQ`bewE3(rMvw2S8UhJ%NdiTiC9uZl~-{-~?C^6&>UJa&q${J9B3WYV01W*Y9
z^6{7MUX3b|@yBQvU<g~vWX>kfk~zj&GQk%6^ljIY5GNDfUA?j3rcgJNsTK|kLO~^4
zfRK3nv;OgZa5%mJogT0_+sFE3ogPXC_fXbDJgQ<1N+eH*5wXfF{W;%~jIV|1_}0*}
zjQL!8c+Xt6Qth;tagtVquxV;6oLZ+hOt3&M_!jt-OWYitGXZNl@<IH2suz%vG)*+<
z0n~}R_|Z(;8wERR>!iUN7o{pWc81|}m%Pn9`uEz2ytLHgM%(+se(G_SrP9HDY2*0V
zThtvIiHC+vxN*Toh3ZSBCMF(gcG)^fUzKsp<I`@4N9nM0RNj=`s`k0rEr_9qwyIvH
zbm}7@Py{@N)FagATOK-xpqCs3Q`yd{iD2V8d!^oSzuMSWPQm0Z`$-c@u#<HuF?coz
zXq)#q0^gbUy<ZjQz}onP+)Xdo2}^DXe(wmGoy@Fib_7+C=#fAtHAtLDDFuz(LibNH
zYnor!<f-mk_S#2vmNT{DrJ5dlCWG!|Y>e8^c~7{}cxuSXvU4F+Kbp{n1R8673cpjm
zhCGpAvAyP06UgA3T3^?{c}ZhHo^CB2m3eCE*M{!e0yxp?TxA+JL-~h<7VRta14fj`
z%-k;Zu15a@JO&Cu#?yd6H82ODo;kL8uz%fn^4m9{pLwnM-;0_>>{(GXWfx;2_a>$j
z(sws&QyfXZl<A*)^Q5p?%Gr&bi@+5JS~1TiOKrd+*P+}z!Evc65h^fnDrh-xiGe4Y
zo0}JSj|tnPNhwShBNa(CFp)Pe<$w!3C;3KWzT&yl$4ezBTVpoVk}REzMLG^GQ8bsy
znI!o1F;X=1EM>aG%vcH@Vg^rLp|v_U=^AzGdOT9?(7hX_+8;J1EQB#u(V(C?E>LIs
zco+dOn8Gv(6RavqAF8svQ&Lu=Z0oyF_hS?c%02I+U%%;f*Ed00V~d$!6;02!>^`$(
z?jnwj9{8|zInZ0yDR}Pv?sVR@43s`EYx!rT#TP=U&mrhRNqIZLMVdT`I>NcF&w6Mx
z=n2Gcl7^N3m{G|YCg4jqK$n;#N+a}r{LLhAp(WL%$)`8+a?qj(`@6^}LE##ITJnaW
z&>i$DfVH-ygd5fKPlb(+KW;Q^pBULO&=f<{=$Ed3NJ;s9IWHRh%CA)XNB-a<5MfDH
zTPvKI>0HWV^|peb89#o?EY4RIF@0D{3F<n<l7Zx+QIo><Hm;C%rQ^09j9_GUJAOCB
z_@gS$q6TS8b@sqggWnqasV`+_@t!_K`j&G0NRip9%i=?-?u{pr;Rqu$<K$tyPFTmF
z^c#QGrE0tMogrPABAqbM18xn%ov<h6=g%`9>X6G;NGgwGDg^52O5E8D3H;bq5J)C2
z(0B<gzJ+mdmT$HBLv&x<VvVV+fCI|wgx{>Lf7ysf7V;MV3Ad}3cSPIUJI4!yySVFd
zje18tI04-}QX5z0uT;}dAjZtHEzQDgGQ-?SGp&ZF>TH&4%-s82vVMLFS?UX2CI@tr
z>}P26&|1?1Ff&B3s@eGZF{xFmQ=tXhb;L07JVep6z`0ezJ5xK378@q{x(4^y2a+)@
ztWTNITtiSQGeQ^d0u3-`-)exjrnvnH^nsYu|2GbVu?_vjV2OWvw-#c+|J*Rc@-dEB
z-qbbr?BYyA$@5t0(3Q8<0@)yXo&Hp}nmAbH8c&@clk7cvyejTl+E`~Gi+Xg4g(yJg
z!a2bSRHdcZfnxpgLC}(?KG8T(|29o*QsUYH%b=t0BL%wy*v(_qj|VSxS6Q}@#B=l$
z^xH7U&@gSFLv4=Cv$=tu%MkvJuLr+A5f8>Qs<S+Eg*EYo6*oR4EzaDJR+&@i%3Hft
zwF+6^_$pKd1`ShRKXPFEEgzq6QHrjK<`IYe$^^DC34v0*J5P5lfBC7rmb~pW9bH#e
zi?kO~?fH=d@8i)0Be=-!QovJsjuPvHIk&>cgbmYrN?=ZqGpEU$yF{-=-SGW>V1uDh
z)U^VcBOYJnQrbfOnh>lcN;$d>eg;TQW&Eh0M%}!+`LeMaUcP@Fl?<o)JQE}K)3Dq-
z3!?ZqvGM@giGpcYNwwD%741cK^=FOP67Ym{y&t|FlB~p#NbgD=619^_GlpDb;E*do
zU)``g_}+zx&(<q61K11Nv`z|UmgmxFSrKuj2a6-n6G!xq_ekl?eA`Ag8I1{RJk4#T
z#Y1JYb}F`V_FFPRN9n;u=?CwzVGDoSGWwmOOH%6})~{iFI}F|{t|2?{tcA?oKm(DF
zzuYI_-#0r+_XDzVAxUOKVZJledqGuZ^cP-tgU50$*P18RW6ggObi<-yuA;1mgf@P;
zdS8C5-a8;|NxKl-%3RA`2Ysm%_m;M8PO~o1I~CSZY*S#P{eUEso~lw`TcNVVJyb2o
zj5idi1(|nYAgc`Me&`T}ct2%jcx#V4;T0=3;>}?1`KrJf#*oL8O|gutK4kev>&j^T
zq_)Dt_;E{i23G;e;*pljb^YtV2M-6vHFTM-C1vIvy|q*$BKj&@=@TE9hPanTNJi-G
zJ$kF(#w%tEnr;^#R5G9(A_0we8^$VpE`Y48Q${4Si+o!#zd;!3%MyPQ^0BOKYmI(3
zZ;+4ox{E*P4`4|RxhbDHL{LAFjYj7B>`=?#Raj);D<jf5_XF)@U}>KEPaZxiZ2D0O
z9V)R?5$T^3y=$rc-F3K$6UqGYoK~@nW==XmyN)sE%>WYjiPsMcJM(faGoduEDYuWt
z5Plr*E1#zflN<SbveTCDfboOOkq9mYh<x{^1Fs}~pG{$+2l?*ngWXeD%7g35u%aVa
z6y6zbjDA*|$tm}yNp--7%w;8Jg!KS2d;ub%ZG)#H2n7YQ76DzhGWF5p^%?>MN!W<J
z5h*xJmCqHO`Xa1Zjx}{I5ODBlEz{|}OBEhMZOb|3yqdfH%y^!dk3Rd0>#%2Tb!2em
z<)|fuB@H;@FKNLA+n18fE~+QeMS||W2-2T!8!(S^S(UMD2YhYyXxGsd3tT<{<y(MX
zg@*cY#{qpG)HE9r{h|$h_zhB=#Ft%5Rz>K~DJ%cxT7HxJg)nOU2g2y8U{F$fqpv4B
zW!Vnxk=a0d#c+=R*2+@y?9$^N(&vv^qXC2|W6)xz-_ioa=)9j%cpxW(y?oT;Aflq9
z8w-pLnftP_%v}52C-otxS8o$L8_KZO*FZ*vI*j|3KkYbNhh;muJA0Jhn55c02LVua
zV-}EI)}yQ@hql%CSTv1F+>Y1Hd26pve$<RP=_o*uCR_ojR$EtAn}FEmSl$z{5ALw{
zwt_WsOi*#P)6sM!<E7?T@cZPKpPwNw^H|NSfWf!l-Cu>T42G{ImeYsWpFmGK=}Nlb
zpcnh-6Ot((bjQy6NZwBgAI_bG8;3m7T<<3<KuCi~99x4%>91wO%W`Er&!qfK^nU~h
zYmKZJg6aIl9=&)pz6+>*K(eruM6bIVkA6Yxl&|j+XQ<_jeGX~MLTvHtL03OwjjC(>
z>Q};QrKtx=A>+_UMJG#6n_AvW084-PUTwR3!3wxL@pY3vuHNkDOvBz4n-b*hzKJbc
zYL&MI4mZ8>C#GRq;hj||8x|U%@w7|Uk`w?I>B19FWu=$v`~Z>xH;OF=T1ffc0J5zg
zBndb;9a2(5Evar1awo{8nA{Bp#=0b>8I6=j?|_BPeCJ#+hGZ=NRI|rz9ZvJ2l0IKe
zOA3Ay*ucQUoRMlQ2!5I+w3dBtm*Q7xgsd#TNXo-t2#03gkL>LjmVPWpdw!l_;nAA$
zmS%CweJQdq<5(+e)(6-^NLQGlKX&|cawu7R)_<C0sd9MGtP#``m}4;;-kn&KMuX2M
zZ>bno(ikda1_9$0@~cYK++Cq8r_s)^sXHHk7AfaGO~aW1YP6DW(`2}HY-Go$rWi}J
z5F<PoDabkfN(n5>wbbpF*ab{ZS%Yqm0>n?G`pv`me|6ge92tO?Rk1gFupNuMNhDBj
zstEUlfi48)eVv*rxDUh~DaYc>L(aHM3V%4%o0}vNe9dw=hj{f4$i|WKbsoSLW*J0s
zMSm>zQSj3cIhN;PvKx7bW^uE@iKN`hxP7%(BvGzR#E^A-3v48`@)uQ$5`sjdB73Du
zv;A_~+GpE)OuMW7?P^flv8&o1gCVt{eGdTrx@qv$!O~ItSgnFM$<25rrx9ldq_C`L
zwSU%|vsYC&?#*V9y%&H4U4q-y))ye@;@a*jj;smE?{1&WhrYn^Gp*#=ncUL5%h^zY
zS^Wk*Ljcl>ZgB7c=eaGq#nH|X1qh}}=u68QPu%;~EmgSbrzG8xQrC&7-fQN;=FgLa
z(g$sr?-vZMi|^T3o!ztTh5&~RhAT<;<!uSR@b1=Gu{_w0oo7GY+cRr^;T>g;fX7@l
z@V$HKIhmtBeeRs|RM*7IdNcBmj)<dN@&x?jTY6`x<{#aC*FYySdlxXW@N>W0!8K^s
zz<GVj$!tXM3w4#OlAiuk+XKLsn2l9uBaAH7!3F4-B?mQB!SSc8r`EBkDU)4kn)cx0
z29?%e`X(y>O=|0zG;pS_>d;4Gp>gb9$=3s!YLGLCsfntsp6XKhXe)TT-)#YS6Fj1O
zc)CMSk{SE9=)zsYXyE{<1WG`})X;p)C3Plqg%*lIU-9eEU7uU-bNCxDPT7@KFEt4%
z>8XHrP$v3JnR?c3dwRU#G>N)$if3~~e`Rh~0uaTW#x<v^`^oz`jLt~pw%kv3VOh-X
z5h_SaG%LJ|hf6Ksp`ZHw<0irl9qL^gh!GsFofmS*+&vI@LG+{(Rj>LC>|<TZl`2mw
zcw&mrAqS!N*BZm^JA>iJ2AAfSNK5CR*z~WEB3WhrZL7ML6NF{wdZZmiv%Y6yk%VmJ
z@!;s|Fc;s~71SH8_Cusxjlw0^Cx6H3Hl9cuf)o}}tbed?1$JjHFDav!lys_c6B?~G
zEv*^mXZCwHLN?xOM}-j?<<<t2y*K}&RWDwUPTW{U6P<SW5(*tRH6Qzk$ek7IVa}>w
zvpCaO-tU^^FWP1YM$k$NF_%$f`KfAW+5}o`njGXq(McPyyF$86Qp}NgKuDDJIdC0e
z6$`IrVW&fnJz$)nE2-ei9OV=pG=oxqh?&YJrVrVD)m<7OTLmL|D{^S!2{ndA=-!^G
zS9t-o%06t0g~}bE7Obyoh1Tn=y3-WV(*HpG`Uy>EWXT>S=a1;8n&fmDcCi|KD=_(t
zxFl;+y@OzpImKid7|ZqaZkqQZESoH@el4WhdeF?hu`!qiuJ=7FIrC56*XQNQ3W6ne
zsKd=t$j^G`8#y#&-vXGG!Y~u>nX=t8e|^WczmM#$^=FTT$Y-0c&oKPOuYPJEyUi2G
zhT6o|8u?Zg!a*aa^c9mmP^qE7#-^~JW_mZ8ZSz$3==*Zw4HS8n4R)f5BPiC+{kc&O
z)1DhsT{0zguef)odZRvfqG|&|pP|T{OTm&KDolrj`n!wFvKEV%+~6>gP7->`RRm~5
z@6~}<Tx^q*O0`SI8l#}oUL(_U;x*Lgn$-rDO`o!|R@7P5!yQGR$$I*v>qQa0&Veb+
zJoLa-zXNUE8E~N+bqj1_X%4l3c{ssW!0*V)<-&!dVy7@aRM4DmPKK&B0BlZm@q6uS
z#rxz%%rxavX4gA(aVV-8?Jq70P&ZD4C9LySI|D7B#2%nzjI7KnI@Uab?IC939p~l-
zb%)`p_AqcX>#hxMsV0~5cu!Hm5;iIXK_IU3GUWpN2(O5tz?hZ*XrigPc)u(zIDkW}
zg(N+Ert}UQJf;1%t*Q-mhJUqg^v0|1(Vc}+XSPK&8Mc4IJ#^(e1@Xz_Ltx}95FLH2
zJLBzd3mcif{_Lb(V2uR!!Fs|qQT*?S)Id6GgNnTY1yRNc#OWVXb*GtMn^PQxSsH8c
z>toWfS*PzjHA_~*mtw(6<Gjyr1K(DEGrxVxq5d*~bf<x{qq0;csLGd&KTsBU*ZRwx
z`Eht6J@s;`+V=}`v$x_l6W^ZQjh_A7fV!TxMDX3un}|==Ye2mUdpk~&eJmMxIel+a
z-diz43kiJ%_xsmTC7|9srx1Dvtp-{`aifh$O)M$tRcp39P0pSwBdCcXs^j1RO<TJU
ziqnsaXK2IXA&p#umQy18fE_345Dk1NZ?`E-<x-4In*9YdTU!y{2l)hxsEckmLAKLH
z?>2cH>pG@3Wnagw!A>rA90;kQIaebE#z~>`@2cG{^KW)f2_M9Fs4JoZ@X)in`&0|M
z?>xB!O^a~3-lSD-?Z2@KgX8+KLN=1L*O!WU5ED7#swt<kb#si&Ls#Dw&X-?E%w@-H
zr@z^BA!g4@I4$C`QQUqvqpf!=ZUD8-zXkqd^M;q-@_}w$9VdPz*-&fOg6;`JT@Rim
zTd6ehzdMG`e23pEZv#1uuVziPBUto^MDrtA^!}B#JL0<_6;t~BpvM{3_pafYSYvJ0
zla&f~NuYDWPMK)!=}(Sz)8#^CO15;xigup~-LCy!v@e-F&ahlx?htL~jsCVG9oF)O
zBAcQLQfW{PxnPOGZw$giKY-SqZ8pN9hDoTYqiGsVDzZb9+#~fFySw669g5!#-2*qt
zldgM_c3UPm>jpP9m~bjGM!3N%c9vS)D%A{gK>vL1IH-3MAx}DW4{sDyHC~t*@zD$C
zd}c|?!=$>oxFb&<E_C`Wt0j%Hx!rJ6-0fh7)K^viJ099Ck+V}rRh<kRUx!}^t#h$!
zl_sBKct?X;UShz=ho#^q3pG&???La>9uRC^F@nMC#P>cXlHb-QJ6q!GpmSfls&bJb
zLUKLlm}Fg+$UruFmP)K~9I_eF^7zujTLi{%ouOdj=R%dA)m^<Je`T<LH<xr)8;NTe
z5>qm!DeePTd*@$=lV~5A&t)=`3`Mm%(L^gt(WE4IIu~XL3qdluXISviZ?CbPTC=N?
zCJfj`!X3a&ESujy%f-&{YR@-i_m<GfnmZ0i@cxh-#Ury9OVDa`--5gN*MIN+qV<}U
zNV*>WU?jAaW_6NrsQNbKeYUe~Z(+-A^R%k?t9XTq5$lSLRSxk*D5m_Cyhr^{V+~%L
z_?thPUB>Z2t$T#Lvr>;XES0BS*lq7H@unq~nU`Blj+hqi4sDfiGTkIPk~TkZuhYm}
zX*XoOA+hhAk@?%%yxdIhD;Cqtpd~-QU11mEz*nvjeUO|6Wz^n&&cIQOZotPV7VH(k
z9m3HFdya~PRmH7QE!~NcLa+8pw%Ig&Kq>c5P>_17wZnxM(o@e=%OMoMO2WuTDflvV
z)bY9gz}uY>5P>q*DmcPPS{DveMiptV{*cMbQg^rn%pshgYH>11vpCr>ibt{<YF&TC
zH(KbEH>ARXoVdXlP*JE4wnlb%PA&e^xs}DeovQokdn5;KW30!`$>8FdN4rF!^{qN3
zY+?3m!^|fpdrmpl4Aigh^jAQwcc62-LaA=OJNGW9@S0R{8n`H@fl}%NVEQ&U6pYKq
zITd!ZI&M+uB^KHTOd*scN%qs383EV`G<RmyPWI2OG?30TxV*)AtLOM^h49){l~xjf
zD8B;n<NaT!OdVW~>7e20mEe?PGR9QiIa-@shWFl7W^CK@V~z$TtXFd$%R!57iO$J;
z6P4!rQEB1J3qm5*wVO@0?Vx@<GcAofH+ji+BE@Rlr9SBB#jfXECQ)h1^O;E+UNhCo
zpH%2$VG?Mnou6opUVQQ}fT#%5HuqV`7gJNZzKr#ZuwZ%JOwmQh<W$dC$LLc{0#jMn
zAW!;qvZuaQNwedNqY2m+-aSOb#8BVkhCo5|$-FcL+qeanf|e?O@$KG?)PjTlaq?zE
zf~`*xMg<mGGwI`qP4%IMUAnOF+t%Hx<$v`8fLNtYnHJ)b=j)v=fjQ)y(1Tutx(8m?
zO99PU;hkRksEx1%Vj86D`Rit;m^WcM-&*30UtVIO8EZNfAv)U$52DD)4T1)}j*tz+
z(0hC47!=hh9=doVTj^R<I6&-oh}Fp{Sf+#2WFe~rO6BC^omip%o+a6*Y4UFE^Ifnw
zNq*_-LhG$1*g)g)t`8az=u7JjS#zPm@P#SzkwF0Avp$3<1;-j%|8;{4#3y;W@jSg8
zF#WKypmE)3Pw?ki{I`7>Op(~v;1e^%CT#fPZ1fZ_=;%#u-+fSQ16yZo-g26LvAD^w
zZ=30~hv5$XDSSC1ef!%?FuX4d#9oU2V=&Ke06aZ5<AMM%e3J90Mhsvtn~C+z3D?E2
z=MVO6h?XrJ*&+<j0^LdYvbidZtZweuR$T^pn|3<T+{XI~CS+lk7W-YIoWr+bnJ^5>
z5Z8b1ntApd<@QMbG<ekx!wC86yC^FL%@s@WR+-O^YHzJ7B05$z5=b`X9gmMbP@gR}
zY09|}qfM<}UfjN)(RsVF{K3aW*-jM}P2z^)%$H0D*AmuLX4Q^`&yEf$=Gt37K9b7}
zq-%6IRLz_^T`l@UtS1c2nAYp2`a)phJ##fSF0<T?FKhB~DUFR5yC=y$$koSZ7eA*3
zE}vFyi76B_YFg?}%W0JbwfNxRD6&SJ-rTj`p=}sB2C2fWa&P6BGVX<*NA0x>!${OM
zngor9oq86-N?Qy|IFxH$Uw7XL;D(HBmsC+{t)2<AtGZ^@>p{@<n!oZm1}psPj}WuJ
zZT)2gYrg5pjO+)@V7$BlB;v@I^$rbFG$+nuv35*hz20cy6@#>HkL8e+`16ZyYeRfI
z1zy1W&RI!DzCG9SL^)Id&?bIq$zvL<g@spi-_f(D&@+n?*eYR!aNQKXK6EGDF|x0%
z$g`Dv&y`f5rOgtjL(?pD!=SJD5zKe?_*>QDpDp6hdK^r{w6{p9eGI!hd)>-&u&Fw8
z%6;jl%%kf?90onu&U@-m{0DM*AboSi0u2bJB-Gv?c=0W{A!?T=h|mi7=6UBICt&8x
z!u(AY?B)@iguuH#AGoV^fpz7EM>EC@{NysyU26d0bElaa%G~`EUAYwc!PHt`&rLc#
zfz_Lxw@p&L7<0B$(~0HqZT#x5)<~t-*2U8)iGeH4j(Mq$0)E;}phqm&;pbTkWS>gN
zS!97%CXrIApOvPD{dfmI9<8f!$$Q{TpWa|6!=s3|9mdZ*4+|OHm)t%2JSZYMZzy37
z_fVSWv@G%|2Xb)W<Ly6sZ`aPvCz|Gl#5V%-L+Ah0WCGE>3b2W}>C73tzVR-Z+BDOA
zAWrCmNK-VQFQuv-UivyNc*{8{2$%<*dNfyaVcySp_gU>HrHwojImu&VcYMxYmgLHy
zOgIBWv&R-Msrbn~&wG1lTGGmPH!8Kh|7fNK)LRM?Q8cC~p$>9F&TP(t(f2oeB!^SF
zsQJ8?kN2+5aR(tGuMx#5akU8?H^r>;1tAymi#}JFj8FA332C<?-tC|t7-@OUjL>Ca
zG&G4N-K*o4Jeda06gTzs^o^l&OYUX)fCuU1`045Ou|s<`-KR76>RKARF?oxh5v8)D
z>h4TWd1hlhpzohuamf;g&@?Vh?2XIKlu)oOIW(pQowOA{)4{waR^qczYms`_f8-=n
z{F<Gn?+MN8FrQ3T`E(<L>4P5~Z$Odz{|XEN#+0M<n+-}EtNd+$pY&ZjzXS=CiP^^P
zW0tN|+&(gtcnKJdo(5P8n<ckYp;_j|QHhoh3p6WZSh@=IT)oqsS`uQKn}gb9>Dm|m
zpfRJJi%$y*I6){BJIbP{p1<_!sbWqLIBsevv%+XsCU-7|))laDA;})Xnv3@+KOch&
z`qZ^i9~Y;kIltz$#i3`;D4d<RWT~|hL|K{JUC8*E2JpMj(vY6?FCQLH2t%bG8kcFN
zNQVC)uU@OiGdjjtBqVnKgEQm^x&~{h1ZNUeq7=}$2O^bbaVMJu%yw<NciEt1Q=Be4
zZ$M|!GfjqeeTm)>rhg<0xll9=Mpvk}Gpyg`UWY|Y2&}M?;8ZUA<kPSKv(8a4qI@|<
zpeVf%=jNPPdr`f1y@Q|3;HYFCn>7OW3nfMCO#=`^Rls{xt3-i*jF4!^xf3>T_EnOw
zV}~}hkdtVm&ux&=dE7#F<>5z2@vK8y_?46@!ijW0zr8&wzv0&SHwKqifN|f)*UFdl
z*W7CW!@7UuHqJ@(3lIX&Ei*pepLQFYxa01W*pZr7S(xPRn47LA2|DNAA?BB#&)9kb
z9u~ZOF-6O#xWRjh-L7W7$FB66ygN2R#u02@fQqk`g9%W-_F8v(mSdEhUl$-^b%%DI
zp*0k`#EzMBKQH#VnVOAFMoTqTio&LZUMeV&FwE!8B4wE_%R+E90ZG!}DT`{$fekkc
zqcLrd<?tQK33r|8wWD0z(*(3@8<;8IxMZ*D3^N++X*{TbIZD$a)HdpMp1L>?<=&uX
zo*BwCnGR9hiXV#32w(KFNMl+kZsv`3;5vOM^M14yV6@v|hl><{Fbm0Gh+k<AGf$75
zD+biE=an~hEP;TD=f){6^ZHdktij0O?<+}X9-pGWImCQd^!W<duMp*P!j6_Lk$ce-
z%zmOzU-DwDT%2|eAQbW6+I6iq$B{KrQBQ`G-#>{B*MatRC~vt!r;q}CjF9hghH^~K
zLJm`<kf*vCTEXI{N*K1!PQ}iS0btX$3xkLY$l<BXWi(CyZPIK%jgA}*KgQMuWgH62
zHtnQrAU(c;&3N8y-0?d4YNg#VX94Q6JW4xvi)WU3Il51a?A(*J*QpHbDdAr229BZi
zPy0@`@0AT^r~j*?LFkrW21P^3jrr>+eA@lSj=pE<f**XeentOMv=AZ9mYZIJa;Yu6
zfKN&#l6G<?i6?ADG#=P8m1#<K1Y*$gduQEE7c;cwK7|M4pZ_etB_HiVq49b)BO9w8
zhd073s>H5vpJrM#ni*R(6rXjmzCF>sZ3fC^3`s3cST_TeReFJ7_j4WW1I&XEPq}D2
z)XrKz#q`0Unz;QOv(87+!Q(|!HuFpB#zSap%ij8z@B!;C*eaJ55E}mT#>!j?j@s-p
zbs+i>iDPP8vJdB%v(o(_CL+<F1Zr!yRk+pt&hBG3Dt|YeliIM99gy#RhmXhzsJ~-2
zdL9omfbAbZCig?@>uqyF4HeJ(5%TgA1uG8@ezfPRgvXIH+^7U~ru!&*N(j2g0lwI1
zYg!AV_BmFCjAqiPx3Q~LH!^_}Z@B4Md~U4v=ivf~Y5(e5_@!fV`v-99Ea*{e`WG&R
zI8yaUmz>0=^2+O1PoT@GU0US10;Hw*$z&x`Sn!km4S{cMPa`^etLOV$xJzX6&u`p}
z$@$9eN;~sAygBufE84h-sPz71kF&_u9Kpk1`vGV2-Qt(1`9X;#8zd~geKZgvKwZlv
z3xB@-M&cHCI#Uff+A!2~luW-pKOST=xUF<lDMaXeFH&$6K`*O=D4I^}U*Lce=IHVB
zl>futTZUErZC#*(A_^)Ph%}0Hsg!g{cT1~u$EF(<Dd}#MlH7E|76j?;O-VOM3!AuW
zgZMw^egEg4^SmGKb3dFfK8SAk#aeTYIp-K-N$(m6W}PxDZx{kZIdxR^)E0gPk7->M
zVI6%gA3`#|-3Fj!7~sU7;S1R%nlxV+J~$386fa;891j+GlYs4IO5a{s*z%g|u11pE
z_-slLujtAIi&X|Rk)vE(DTebDT`b*02~#kr$PJ|cvLGF1r~z7#0z;pnc)iYj2lYa*
zwt6qv+=H8>pFTXZ33lVGR?g)pbRD%jfYZDkm>zpUA$4OQ6H=X1=$GK0@0T#3x4NzT
zx~N1m!vU?>uF6<0WAD0rmLl~wCc*w9(cV+HZJRf$Yx&FRJ}NNHTrp`2`R7`bY8qLa
zL)!XBCkW{EpsTl`xum5_&FJ1l%7Dt0|6?I3{&sMmk$Msuk>0C?yaXTzoV?Pj&oLA>
zS`o{atGaEdaJ0@=FJNw#f6>F-lRED*ug7&^*(2$`x?y~4YE3bWKRT0mhg{rhcS31}
z{QXy#-knw(xEhsa)WmLa4RkGL&bKj>r0y#h2#~85t}-6XMWM~JOj1vJth_L*8Z5AV
zArjQDG0+7&()C-`@Sd%F@IqP$^HGU=hl-J>&9lC#!6-NuR9W!;%b^^L2yq(>PFVU-
zgz@U#nheFDzWDTc(cQL%Nf$(f=~(&Gsr1kmg5_hAKslH$R9mrZ(m2x6An)?Hwg#5T
zy%x#Y$C_pL4&OXNE8Y`|piymg5)Lf7+D`S_ZEw-zDw?bKu06W%3HSc}Za6qL`v(yv
zp|*_QeOj7Hw<5&8kgr-4gQjpG=lT_D<>Hr%upnfm?_`mAVk){fDMa*gF6q=haH@ZD
zirGwyx9QSTUo{9JGRb_crA96*nIKd(-iLd?g=&1B*xir5KYW)IZZ(s{M3!1<A%6FJ
z7cXba!Tp@|s>+tM&y)A{{qp!eqZRkmT+TzDOMTutNG8QR2gjtm<YUNge{cfo;oQzb
zVj}7G{4rI{Ay4QG#dmJrf$E5+iOofw;}@6_fHO$yjAoPUBZ9u>N;{TZ=Q>-nKiN4!
z(CSSqlkUMv!T|kh9|LftCv4NDlAoR-@wr?2wsV<^mTM1w-7)wcex(p{a^9?r>|40)
z%luQ#vx2rWTC5`?Qy@%AZ?-;XU{dVU#e;b1RwTUFFZY-Mmg9*RFj(8edwL{jZZz~=
zOOIF%1;daG{{h2aW<y`k`(Bag=dwLx)XRsrBH$%KOi?9(X1skr!y;EsGFy@TB|eKO
z1&2U7_tL00fXK~05Y}suD}^t=9%CGW4r(;vp&yRB!6uQH^U}TU4=ZbH0jO$FQT-tj
z_f=|k(1`2v4J>q(YP%ZZr2a;KBXRJo<Nzkp0O#6s-$Nd*1MKn69(AEsvePd9vz?xh
zr$U7l<KeZeE9vU$ZCi6~)|~IxZr@J!V14BI<Js@m0-nzFdDX(oz({cRQ@7+^9Yq^`
zh6YOOzS$Xh5&rzD=PEXpR`vT`iZb8NWD?88=Hna{C+YX^HB&yQ<*B(UG4Kv6WX_#2
z44t@=wyx+o9Tj*???QJhG7QR2<dIW>ubNeMVolQft^2$#EAEd(&JYYZIS+aHMyyRV
zXvOTJ!$?$v{0B6-AIa8pdfgtc<um2yG%PGYjPJGJ!#bEBg+jPL5cME$furDu_+PhR
z{reU&=+)1@xuue9IaS{a5)%7bKa+J$FfdMNi?-@&ZdX-6{s^%8Tv2gol|$uZ0wdlu
z`o;K@oYou0FzdPOjbBr#?z%3^M<CtY76m2MNsL>yVKuZQaojjAOR&9v{yUL`r=u+G
zq<?zw7~x+l475oz;;kzQAv*=~d1L&AZpTilg|jjTM{TFA#Y<rr{WbS@;+BpqvDmko
zQ`*hUCkj<T!`YP|rnml=iyEo_mAB$QL6s=PzaS4@iKnY%vh>;vGUJ4)l`J>cDP{T9
z_PUO2rEP6@@wR~Z(;LNB*Hy<KcKbx0f?32guFkwP=tPQIY9&T=z-Vd0-aL`BL(Nks
zFpr#w#HFF)M3qr03|BjLJ*Nme{%gZ#5vcU;JaZ7$KKQ}Afj0Dn{tRraLXe&H;~)P7
zJI~+T#j66(G4;H`6!w0>@?xu>aaI2O(d=}#_ptxzS^f3uem_w8^Aba>9`gJ*!2KV;
zNf$W08~{h3f68&^Q24L^`4~j3w^69@$5ZU*Ck_7zKNpu%2#kS_fTPbpmWKc9KZV}A
zMpGw&Vix+7@Lw1MsRFH~8*udb$I$qD`TliHV!v0Vn8U4qVGNXmi`)U|{Qnr1F0S<A
z5qUmFJ6{ctxxD|Vh5z~`;48jC5L$twPcqUN==h)h>91?z3;jK~x|8_rcfaC){3g;B
z<OuMPUlwT$<o5S3laEyFJeg8l@0$Ai-xR!iwroiMyKMg2B^O`)ciH@R+59)!oW-60
zMw|a8slO8U@2~!wr2eYk|7UjnFShwN*ruq!qf|2HvhMc0R3Q*&z8}EAWuQwFkBGEg
z8Kki3L_sH{ieoh*QNPQP`0fH+{c|uTbv_%7jXy=AL%cEV3Tqsrk?P#|gP@|>1pCQw
z$|U^Qx`}$T!^6@t(RYUdx-FrwR87Rnx3&0*zx|2L21vAYpvo5~c~a<9g5SGYCz5JB
zAebr|@<>=4(-3yBXM*=6Kf`pm{Gs^^^V&_jiXTV*Qk$lq1iW++fkcJV8*{y&3#OX?
z$}JFruQ4K;2V1{St(+4LyrKp$mf**)4|a!=AcSpK{~oV3OP_&ndt~7&`xU`b;H-2^
zVSS*tn<k&uD!sB%yB~RjxOYgkYtO6Yt`@V{20OHd4opSqMlHNo{uZ>7QX_BaHEwr$
zD2xk{1DW%@l^}%qYDP-E)HD(~x4Nw}jzH|-(}5<$P)&>KM2Sh%4Z<;riPIn42I_!l
z5efQ{(Y8dccEGuasj;$h?DK$9`maHra{Z2!nfpKBh?swYa&6Aw>G(tB%RyO(+M1dz
zP1=81TxqUW;HOFE-hA)WTeUz6@sE9=UE>t7Z>RdV*PqOX>_glv@?ecP(kpm_Xz6b$
zO8dgHyn4%IXBdmeMJ8R+wGQ8RPu9p~mqmVMn1iBI+vOmJMc!0|a=vMRo&Rtb@6Dh}
zj>f|pC;N~_ce-$Y#!3zI%1;T@-$9idP+VOa0+DuK`Nc8lIO%>Gz}3H`#e}gI?#mc=
z;K9$G@Md%cKJi!zza%)OD801^IL|E<UBJWtvE@e|B8!X-b867{$FMw&Iejj{VY^Df
z;Z#4}=s%k_!ZaIbw;xT6A&-)q(5zK#_^H^$-PPkQ^WXX}^VuOg73cRo2UuKm$jRgN
z)-M^}aq$_P0!8UC1|k3Z5f?-uyPL$%H3HcWUyf8jGC*Sp(4W<u3o&2W9)|$NUzE11
zxg9qk+-xgDJ>NOE!6x0COjkw`a_lGNclF>OeYcLH4N_eW{GJ`gT-V2b7pNSvX0Kd8
zfA?S1c2Q>ojw(PZk)ir}JdmXnh1msD1T%dqBoTui#<fDv6e|GuBZv)cjjMYE#_$JB
z>v-%dNef~%m6Q@Kp=qfK3%9oV-a2+hm`qm*ZL`W}z9DDAXaJr2$f(?D&Ha_G_;<Nz
zMErZP`nhvIms#3N=udPCB;%QdrFoW^!#<uYuQ2NFM9Zx!#Oo1Ry*Uh5k$mg4n9sj8
zuMUZKt+f1#f-a62-3UoBCZ<i3hzbdaV{IjIrwa{9A&&CGbPr;W#QEDDSO|^+ykZfJ
zR-8G@7{_9!7r;E)egnUI@5B64uY7z?MB5(67rx^UxExdQtOq#MTGi!rFP~_yFLig0
z<YC6L#qZS96|D`hGq(7IRBb1x2nR-Fp_4oUJ5+MMdarPV7qoeh<Byhbqq}-J5tOb+
z1#;Fe0>~OUr*qk(dH*&j@sZM=hdH{lFgKB8jFQXgTkVRlWAc0FnmO)#BEf?=x?AM*
z&9+ROjMkIL;t;e2#7;fAb?jKo#suIR&MDOK0VA(-7Y(t!FmWTb-Huh)D;Mr>m>1<;
z-)7CVz^+LLgg#$(VN8g#9my-W&q#s6+>(Jvvp=I$P?^8k|5)eef7OiuorH-en1(Yb
z8L_b9(LzkMA*eQOhq|VjMP!tIt<lzd3)uFD8+h=^5p%}&_`TSBw90hp*rm=xweu1u
z5|Jl*TVXgfis6(Wcy!=B@n7a8ImbrjfFm0PJ+wxR)eNr7*7UEs0;0&Sz$883zEXxy
z9cNM`kE0bk`Kpa&`Oe_bo<zQuxe>{GdML<H@e8A3I}p)M1WeTgY>KZEEq#*vMxp%d
z;8IbI49tA1r->wbjwS*t(m*(Xt?jVMo1})3_vmLrKVV`U&3ts{@PYzLS)ikN;cjd(
z##T!Pi5QeeGrrX3^>XTn{O1?fAvd*8H!u(8<Dhf>3er((C4o$6RZeC@<HKWPg6+OJ
z{|ho9EBs(RRJ#+i#w|S~O~+C|;~*%u(S=9S!($QdD{Dh@1x@JDdanKh?M79T8Z3^j
z4tV?Zi-f`)sJZie?ucVtz(elPhXwL*S~qM{$YfSD2zX({ti|4~SsFCaYi+>I{XBX+
z>w8;pwq(d)!7%LR-@ZQ5V4}0Se?1cPL_Xcv!20ZA2QrwoNfm3M%~EJ|c8Q49aJf|q
zvx(f~NQT%fo`N>Zb$uy@vYILUBB%_s&bofnwqxtZ!{gcU{Rx}SOqC7YrJfQPJ0%#Y
zx;BpbyzYvDte0<79Jo$FI}g@fwOx0;Y?k(ti=gAV_H8&(Y)@7`3asSk|6MQ*ZbUXe
ziZVS)g#*au*7x>7$RMA4l|4MbV0jGs`dfTWReEia9TcA<XjMWCL~33|CXsA^l#F}&
zR3x=2AckhHm00&GM)_PRYv&12fh(`WHeP4GEGTru90Y?npIdh<C%LiO@G_F9{qNI<
z+pR(E0}cLgBhMS)7u}XZ;0O!WTEg$O#(%H7Gn!o}(fK4Znsz`=6CFgi(wbkrHa+!<
z`#ZmaGiH6rjAKJg2sB(nM)ZQPtDJUejK)iS5tc<<j`jXvoMP0H>rtxElxIE9+Zh>=
ztt=Y165ANRLHtxjq_t)#a<J2le$h<UeSc+?=jf*^Q)pgM7~0>*Dp_Q#V#Vn;Mlo5C
z=GOU~rhNj-)f|nE*XBSgej2c$nhBCF-mrVL<95V6Q51teks;{>yXoJXqI)ia_Luf<
zl_0WX_pF-N2NmuBWv{ATqwg*6Sr5^(eeX@LUe++?OOc61qcUM?(sO96T4tU*JhZjs
z&KsIoQ`JBSrFBCqX3D71uX&Uk4fwjs6q1BtGe>e{O@6idQW*f{wFE(6QKv4yEF8CU
z+4Z@buABbz)BYU+NhOd?G<^k>+<5}^QbRJmR>D^kHffLqyY(?@WHi-spTQ|2wn16@
z^|UY5bi{hAcNI@r%Q|PwdH<dKc5_O{wUSfBJgwuK2J97lyXe{ja4P!WMc2<~jlm6R
zWX^8==~iX93s!Szo!}wGSe)~VAutEKe8@vlVnUK6>wI`vEadMNCC1qPtO>SvXd0%t
zml&^d#<4afPbYcS@-w|-g%hd+Df>j$vHYc+#e{fm!nE_?#M>fGJxJQB%bz{^Ut}G=
z-*3|C+h?yrz-m|a!)0VxFVm_3zBK7l;RQ2^n~5}co4T02$}4Jaw()#2i;GJ&nz^s<
z;Xz<-PCb*Dq<>hnzv8mgOKv?wpF0-!@?3#<v4}5j-SgU6>#<7c_e)klE3R?65nf4|
zsGE0!oYibI2=nraE9U~A<qnrV!VI$dTSTl>P3*`h_+T$yF<W^YUuh2=uuwT6@hcOu
z74kSn@Kmq<T<5|?Yk-2=*O7>1m#ri?fPk$MOUCdZIweSa@%b%rsbu(T@0h!|3~J$O
zm*XRXFLhpjie`sB;VDPak3DhyX__l`r_o)C0goZ)iKC=Yj-+>gwLLLPk-5f{A$j0h
znQ4!*8mooQ+wn@Xy9%P&w02rM!0Ipfp&%mec%4^YI!>o%&6xLKE4ynBK%WYG_O`h;
zmGGV}$>4e~ObO&rW5ghVGD>@p51C>Twv!i6&^eAI{O(adx{SUb=?*&$gqVNEoF%#&
z(b{e`(WM!)<fR;jL(0(Nr?=-Y9ilp^s7}d{*{V0sH64OCWTU?O-RsD>@^k#fAotom
zx-$?@gY2N|IlvOAZaG~6inD6XJmc<R4c9gkf);p*iOYuWeDP3Ds?F0F&JB@@)4DzO
zz^+`6y|0(C!g0TMK4~&}rXB{L$OJ`;yvymGLY)OW)gt|kl2w?y)zUa5n9y009@5&^
z^)VP%J8_+R+&<w&DWjYkx&!am^nnMI3p5^(JZ8KRPkZ5)5VLz58b+w&o{;4D+5pEI
zv7d*bR)1Q}`7%h>LVy#X2sI@-ccK-VA3H7m{7S_B#$}=cSIpa)Gj`4O&^9WF$8C~M
zCho`&kJ@hHsDiz-uYLrX6|}3}k2_TKhVQ<E6lW8B_{{;ME+l&9P)?|{{W9jbl@5>H
zIGVl5O+m%nV%%>u--OIj1Xq}c&WYE4?i+cx9wEx~9dvRMw%b824P7ZF)1m0nJgbk0
z4?Gh2q9)3NwWTfv2>w~Zu4l=g1n)N*%0z`DJw+?Idz&<lakWoWD(&2#Hzh1)cWA|O
zE0mg!nC@|NE~E7fWv#(WB#Ia9#w$xY+0|Zh>P@$$e;q`?i$^W0M)5{I8Ew-hK*lh!
zxVwcq4;L!*`)Y{Hqmu5oL+nhF;APTDC;K`}BUMF3L0*Q}hGA4c-kIpnctZ4DYjS7S
za9UP5CSrC=)SE^kuNef|KkwZ6V@0l;ja<B6aJwgZ)`=@tdk-lj%YbNsPOJI}g)Y&$
z>&s5geSxBmW1&+@Vt2J$P`CH1V-*VcEES5S8^craLpesYMtz4@!SRI~WJn<i2Vxbi
z>WMv2WhgUj8#68EjL-k1BnbnRpy{oe(^~Ib)JaUFscRU@J12MsQ`a379(y4s*#>eo
ztB1rre%`Ju4ULgL-{T!#klmWdCS}mNeLkH$d%$BzP%v)xT^)>T6UBW-pD7_VqPPvq
zTj~}th9KUj&5u*F6?tAF3mXwaIfcP<$d~K=68fA|g}55#uc}pH>@{ZFl{+6{jHDi2
zKEwi~H%h?D=6+_TmBJ68RrR7F76-j{ZTsVF_jts+a4_yBE<DTu2%^XWVESjS-*t=H
zftvisWz**cU)c!_s&K2#d@bi4W(WiM%4>dVc&|uVT%a1h(%;M143K6-Pk96-9l%9V
z&QN}g9MX!TM~|eZ3?R@X+l7|HKRyQ8*w|>?Zl9oN=LZ-z3Rc=JnRTjzQf$n2BNucb
zlrxo9o-cvIh*~Yx2Mqe<VoQcK<4tba96xn!rTuJC<^&Q-Pmi9hQ!0cJ%qrcRv3Ol*
zK^Yn}!fM{GNUgF*8pG@uZ)?^SXLc0Ajq0-Qr=Q~^Q9Lcc^%(~XVeI2ie>;GE(?^)F
zT7_Su`cckbwR1VLT&^7bSSE>L#ub5GrdQ}u3R)1)b_y~i3so(|L?Q=HL5E~@Y^r>-
zt93T>Zu~A~(gS)V(L!~y*0t&$y;{HO5E>wc`BL_WO>m>f9Gm5tP^dY?jWRp@uw<WK
z)JYiU$a+svzh?A1O{^---@b!<$aVkbA!Fz9eX18q6<xBHcYpz5_X5L6fm_<@SS5A0
zKb4{lFSS~Fwa>s%pwx=)0>z4%sPcMNvLrxoDO!Bln@&GZItQb+yC4D??9BkGHs;tn
zB-gZ`8s!y9;T~Cskcr$38-cd_u{UY;l$j(ryy0FtYJRsz!G4gckmfw(rhgp7iz{K3
z{k7EP0E2?ksV_HIXgf%9g#7D5p5b@@@)xuW4P<JY`OpvL!*_b3?*<t*)H&lcG}6{z
z96oV{n$L|%wByK#7K!8rej_<Ml(o@~>W6|K_GHT0h$?J*F{{FwX0#sAhh=;Wa$fgD
zC#I^Y#0vk0#rufDD3`1&ka+uJ^~rbIrwc|_X8R(CV&j#RjfBt?Rzj-=Ir(ab&1h6L
zB2592m|rtNLe>DtHx}bq%<YY?NBT2VEBfJ#GV1SFA3)M3J=XPY;L$`mF9bZW@~7UT
zELg^`Y5goEuaB7t0OQoDy?O{y9$U>hnb3ppIjWZ*PE@E!!lSuP3t9w;THBJ%P~ckO
z;qmpty*|}K*ADCK^3ohd(_bFpS&&k8{cmL(ty{PxB^YKZF}7wItL*f%$(R<*E9z0l
zG!oj2kJO`1D7^gE7|DZp1Y5Nyr2Qgz`<HZ%PbVTDk++KarpPdjD%UUx@4z%i%Q%{J
z`vj2T3na5S#yDo<hq-E{Eg}1eZ76T51*o7_EMT+OlI9<s?pk7*FvI(FYIk6c+xm{H
zn<!gJSf>dygs_`tqhp|h!eVb7$C<;piREtXQ@uG)2vZm#;YY@%Csc#vx1$Ujy&PW9
z67LOQ<ElTxhfLoNc<umwTkatA@`4dedZmyBrdsY`MD5gFSGe1ibmz@5bXl&@bxykw
zvVHhIu<QFf<V19w6PX&&4Bb0oMI<sq(|~_BtVqkdl)j6zZ`Rgq#ny<UBLPvfXb2eb
z)l{J4Xoq3wk3&n*mr-pTI=ZfsHaGG!F+uH;3#f4BHegZeE!#=1P|6Tib_xipi$_O%
zZk1mAIDU-wch2qa>%>3pOmxlh7TQO?o8WCY&|JW4Pt*HUrZ~_@?u@i>&V9Ish0e^|
zuGtN|ce;pWa_g^4H&g4Ch}sKAb9C2wuP5lWk!*KR6$;(@LKP8fQ;eY}!-g1g;SyA?
zJqb5_xQ>!B7=>|jy`==p86B;-ihQfeV=z$UGvrvnJy&O?8E(6xds0mzsr57jlC6}@
zpo9ffk;i-Pg|BBmypV3$jlM%JE}8(Re97LFyLG%j`Pk)V1#5Gl%iSLkmD-+#k*8KI
zVU#-w4P-W3?>QbbTz~3ihrM|%fFm=|M?zkM@Z)c+aQ&Jt#I0yKS4Pwq-&SuN7ot1T
zKjAoG78Ax8CN6bK9_Mx-enMz#kl3WZEsbGV#O{Q)1Fr!pqASibyJayd$=pw;<v@eV
z0Hp?E?hn>J*X8HlGp74*%jj=+5?aK6yM3(;H*v+XX6a1)0>JAtTG=n6a@0x))6D*(
z+dX>D@ajeMk<%Zs@?RDw%C6@|GYJg3JeS(bwoX+v8kg{k%r(6=)UbXCoebCHv=`l6
zZjzW&=1wz=*-AIG8%ZTDoI>pDoi5v^TDKAFSB;C9Lof{O+jIdX$$V3n6E*YN&k9<c
zlJ+D)jb|3|l2{F7c)33V$r+|pDSPj3ioT#e((#e_HNSK2Ov%T8zj^OSf7d%*tjAhO
z(r1h2Gax$BCl44c%-`HHDU)co=0AFe3V-`xfDQ%{pjqVPt*E5;mq=cPeHEXPjqm#^
zF{N0oz$Y<tuNr(ktr#En72}6&^<}=)>%WT?pO1V~#}cjlQDcwL6Gs{}`qGnN;d4w^
zn@c0yeF7=e3+ig*vpQAvCqIzzhQl)U%W4&C6k3O1>aG1X&8FIjB|6oo3t}TBwvhJ4
zV)fH_MhObLFd~!F$ijuP5bK3v)}|H1Vp=UnfkD^ZN@_U0=Kh;ZOW+50mnxY>QUGPm
z9Q|aB4ei$$PDlCO|6qsOTq)#+RcH^S%m%9`2G=)A;C*lqDqf#f<rYO}?w-L|et}}f
zA7FZa5>WkB39FeI6R`4)P$?WZI<E_$**us);inkBF>zfW&GA7e_`V~@gxFiF3xdfD
zwPe|XY58h3Giv$5oQlr16_w`5#_gQ<X4g&B*|SOaXh0Y&7%4j_v(R0dB`(zIur?`v
zCz1AM#=FB#fr|4}_9{3jlSacTgXvCv?5SjAgar?+*B&EzM67LSD2ohB6BMz`a)6k7
zUD(H=mGMZgRg644H?%3yXplOY<;K14b^RY*u8JOAnmsqTtbCO<d_;<;Uu)mADj@&-
zl#;l|=iNSykH5-$+u!d_R3w>nmTjBn^Z1aT!LBMGK_$R$$H(3Fth?+jffQn`Skwmd
zzeDJzV&Mm*gH`d(7qfHf`Do1#Gl}<1O$30TQ@`f5z@cH`^t)pBw7i0W%ScTg$f4Pq
zXd9p;>#Q**T}F2z7b(3+F{*q_jZk5irzu+}Z)_!@;rP7TdtEbUO(IpijaWXX{&k@V
zLRs~&o~-cox=5jR<Fb636iJaL!3m<V4&;$2-JwpRbP^y%uvXwBNb<@>_*_b=`iy5d
zeJ8gZJIJu{TP^<d8;KV>(p;Z!qi-l-<3g{k{KjC|@A*m>*k*8gvLrw#VB+Frv&a`t
zTq7r_Jte)CCtAjjVwU>tTjRrgi|ap8SmTi}u4o){qV&acNVU~15z;X&hrDmQ>1@9r
zTyr%a*iShjI-?SqGo2kpOc@?_b0mY;O48Em=gK5v`tYM6$}nEB(p(KX9D)gpK{m!C
z=}4(nbDV(_^4KHpawz~vN()EIOy%uWPdhm8b<bzggZ%X?zv>kx*x<37<P1H2n43Pz
zT&vj+8A@L;&o_|aTm95Rv)c5_zhDq8VcZKpN-y&nwCkB3;T0~4%5^`{wV>$+5d+i4
zp@RKNp#(C0H(>so^sSG!gJYoAW%LkT(;=m=ClYqQS=i+9Wg??e#RN#I;+lJ`>pCi2
zK*&#gX{IYoyrU}Cb#y2<I3aGZ)h)s}dUs&sV}#O1Kv;r0+Zu81AWbs8U3Z=SWMO8F
z-tmwH=rq}0ChNwJBy<mlzHBj7hq;*rx|;GOC!gKvZHoWoPOsf7M&7BNHf`d7fhQ{5
z=0w;M95Z@_<}3OzA3MbC#)5{?v%<?8AM@woR1+1wS1K<r@UgoRd>f7Ox%|5>10*;b
z#bNOwn~*y!%dy#7+nYC355D&)KV9XZR!og1{MDr|e^O|tpH$_c%(kj>V3|3Vm7&0F
za;xxUxI!<5F5#z-Y5b{n!H1ZLH*>cl#px@>H;tQOKmy#&$vN47F;ZeyqzarFBK<)p
zj$ow@UVD!J;{F5tmr5p!y&Y$FJGXLGf~*VPg@RUGdIbV#ruHa2Uq9SMjsIp<>RdO9
ztlZc-r>?yp#q6>zpV;~EJMG2bP$^G6QMgidTE`+KLOcI4nB_FaIN(;56h;)6Y^%1D
zKcOXDNk6H~qttRU)VjNot<BSbHK3w70Fx(buJ5pQZ$P4BuO48lgSOE&lnkxcgJtvx
z%}B{*3iaF&b6YrUxktW2h^@z@$7q04r`^4()PiMYWKZNw3R*<JrC|{aDhUjErt(rB
z3Cl?S;ul<RWpC8poW4_S#6f>2$Y$r6J%d$CJU#t+Ig!tZaj*YKADNV%mqFDEyS!Kc
z@FmgsWR0#gF=sE!fe`zdp3+ot?S<gk68?7xR3FWcP*#qHWr+$v#&Mfs$PB*f@yX+n
zg4ZSCJWF>Bbk)Wy^ftLvSu?XukDUwHOJ%1X$rldtrdhYG4;q#Tb+8`m%&B*&lC?`)
z3P%sPrUmiJ(6DSQ6Bg-oJOgJFm^>2l7h7_|mFRgkm*5HlZ8|Aznd=VS>btW7s@wP9
z7f^g0sIzQ+J^u3*_qv6d7&LHD5vj<KdY$v%gw%G7do=Qrx1QH{DjHfsEks6@=_1o+
zINKu0dHq-6$KywD(23sQblZg;W98~~PF6U+qr=<JH$9v)S&2@NjuUDP58F~1BiCEj
znl)`R1Dj|38HhJ~@AF-?u>rbbPLb63jDtIUJJ(@YMNq@k*Rb7Jgn9Z$4aW5JU$z~+
zw@G0!fm+O6X&$VxR#REn!<1;hE)hr%Tit3JSx2)_e-zI?@!XpX+nkYWXv(SY%zXu{
zPF<~J%gtWvA9y$Ck|iwKdPV|wvyoMrJ|d53RB!2hUg2ib>C2J=&i2xJL{zvnt_GuC
zm-*{Kwob&0NU04*&OwGCvuxRi)XJrP;jkk+YP|sAxS<yy?-OAdZaaw&t8||w|7-tI
z@<(g7NT+>}yG@-Opv+Z{e`U|;Y<s!=o9#7q?H-NB3qPeV6bL15@x5%zFQ)378Kwt1
ziK}D9gZP?zFR2xC%Bf?=OOMz_Dov**dh{@HBH!R(g&orj1Pcsq?XgJcwM|z@d*&jR
zONL8DW47e`51|gbGm@{@BYAO~18-(a0^>mRA!cu=i)(m}oBQWgctMA&(;yu>(gcCk
zM4;14pARH<JieRBV$*jnz44I34!ZR8vZ-JB6(2l4g$A-q4L6wiHJ*8hhyBiZAhlz5
z3Z4<}Q)MgO(QLSN#ZHD$uT$2=JtE9_i2d;F-f#Sydq)#YmhCy7^#Ca?#5k(!0cqTQ
z7jr+;k}sw0nJVI5v>VUZ@GZheP46NJu5K)&kGgiRQiHmel;xd?fB6*yycZG;WY-#h
zjFK|c#ijQ>+7uOGge=^NY9Hx+_Iq}#EB#8l)k0tTX+h*Wq>fnlH+hv0EU->N56JUQ
zJ4T1mJ5%kO-`NR0EuE(-ZVkm<&?86@Xf`|EcSI6sBA`o;yd;PX%?$y#EwnnJl&==n
zWO|hA8WrbuA|ENUK{={?Vr0=;>3ANs7<M!)J&;igo9S!1kAz1w3bPOwDqlO_-3Ic@
zUyPW=xO%^~{m5(}e^<_Y;pvWd8w?ZT@c1P^_aN#2n)1JytpGZu8hE_m7wvYgtRvX4
zM5|v4Sl~Es3tgZ8(+GNt>V+Xz;5U#utwfaC5JEZU)C=~5?nt;+=VEaM@q<mGGb@+?
zhvbUtj~D<5q*PP0No&Zbw>A4VkdfsWv59N+Qrsv;nZ8YB@G9VT)K@B_Yrn?^^>>Dw
zw&GqF%n!=Q9t@1Z%gPk^OeCI&T=LWaJ2j40Dw)&rR(N08(`r{=RPIX~|C}~^seZqV
zdp0PvEgGqkXzV|VY176W&C+B;K0mduo@&C<8&L0RiR5*^Gg88&uU(pZroLePKfQ6;
zS0vz#%Rc>-j(p>`7jN9-wxOWYRndFzuhe7^RBzr=A&s8^!0SBsy}H0X*HS5D9Zo~#
zXTSQ%=a}M*6j<f1zATa~RZr>Ccb>}0y^UmStEq<{)KVcEFv1D{K?2r|<KyqLn78LT
zE6+g%d#>}v`1|YG(9QXF;RSG(m;bspQfx4dLuy+$ZAMC=$Z9P%<UfHp*GPZdM^d-V
znI@ir4=WCX-2N2Q@&QxL!x)`-DFLHTCahGSmEPX?*z=wFBjkq2ca@)=&z}<gncu1c
zFGnO*J;&`v`7dS=6(cBKeUPSPz<VoIpgJA$NaKSH83W!`=|acpkjF1Yz3)Z^Cof&S
z7&<k}pN#~{E(9(A;j8%X?f&=e{_o1<|JRGT%--u;t9Ze*klyJ0+SdN(fhnzKp5C}o
zXOfCJmkO!)Z+cCfe^s<7R|=)hH}uGT$2>Ms&<;e)#M4l3Ab;LQs`iMOpX%!5Rjcb0
z%nA2>ML3*dIHSsSJ0mX)94>jj1;<ag4Rrm{b)XeL<i7kEL*VU1Uw{)XZ*p{h#j-55
zLTz~8K_w2sY=GQpTJYfQ>-wGxoDW1`%9eX~G3<CJ>YRG<FPKiU-REK+_3p$Q>y&ul
zg2+>FCJGwJxmI2{JtFp{@^Zgnb$yZxO6)75#c@y;R6d);&Hbm1KXP_K8(PSDGE(~u
zgh{<je4j}lFLIB6*`G2{e0J*Se6ly5G?$V&>A+T$_~BBQJ-&ljydUJwOB6ys`%6B|
zo)@FJd#}#L8~1;BzgOSJ`2mSyl&dA=)7bLj9+LJI$zwjKd{;h8>mJzYD{?DT)RdGV
z<l1H2KOcXge8yb3`FCklZewOeC2UKCI5=en=60yAg}=ogxMnJ<>9N3R3(jh4V8_ed
z32NkY6;%5(pvNdY*A8KBDb&{-T>n|oCPU@EcQ@+Dsw-DzIs|Yg%_$iURyNiW92|r`
z7f5S>MnN9xMF{lCIwOrCQhuvm_)yG5yDs^@4Nl&-NtxJ<?GL_;MIVu(gJB2>POSki
z$gKW7{#W*g>0fWvb3PHr|6@Up@ms=#IXhD)MUG5DS3U{wd@O%|W4(`P^CwDc#&`pH
z(htZ|q{A#~SXZ2{1P{8$`o%EW)8~8wE`^+cBgMBszPEEDnCjYfCmFV7DHJn@d9KN+
zmlrJxWSRK;0U!@TKw8OxgAhtxg^+EakIer;8wh;540-4Fahs9I57)C^!S+Fpwm^<i
zw(NXhHuhm44i#PwX0^@R3AYCc1E%BOJx(F`*-6D1@Mm2il_+QF$NgTpC-W7Mey(a=
zl_6)qYmoY6G#!Gfb}a)t3OhJ#@vXySPn_vb4dgFOEB`#QLckOOlaE~F<O3-cdUXXJ
zoQQG<?IHihl5h<*IMy_Nfs@eW0<8Xjk#F;zKp7uJK}O(M%TynmA{P${*0s4jfj5_C
zb@9ZJl7ll{-EI&nTkr?aj`{-`shOp?<oPhC?oHo8wZ5Z?9rQR~fGfQGy^oa2A2@jb
zoX=u=@uENe<5pxtE1rtkcJbB$6PI%U+<vh_fWq>(j6acKbPwljdfNMcn4V&c0y(TO
zD6pRr;;GlM>l9lNC|iL3TCc7ySr>9D&+G@e75dTqD`!eI^B?qu)XgCspo&i9eq8NE
zmXP=kcw7<Xy4Y-9>AoTuh7aQfGz9phKVwdZTv7J%z7vIAuyiJ7MRGlw1<rAX^ly;=
zPdH;2%yhXRi5r$V7iHz!Kd1Qoqqpa1?V~ef7yBO|yK}dZqpYe9hc;jgs_+_=rVZCX
zm+u3a4()S;kF4h3kef;)_M_?SLFYA-Kw+y+{?MMA4hG>--!GoHCsJ336z~o5VvO<O
zgQ`LNGUL09J5e{L)4Q2BMN#PAEBHuUYZkNN=L-Fbu_-%!=Mk&s@A=pzR8^`o-Yw|T
zp2yrLsQ(yQ!2UMq+$IWSxo89c(EcYT0k2==u5zd}9aRCF3a3N#Kd5xUr!A2|#I_92
zA_jaIIr8y*0P4N(mb#{B3jjfyy#$*oKq4$8fNK)(bw>|XC%fpgN|cR{TfG<EY*M7|
z4jE254n;f(L<K=SG5VqRQ*k<!f9zf?1u=E9mnDYPbrg1A1|N|-FCP+%YX~%?)Bf2T
znCI+jK=eAt(!$9%m+(mCu<z_7n)icv^0VEs_FDlc>CT7ei(NrkjvxE;Y~xKwDuuM1
zUF~)lpL@^(qiDZ)EBI+l<b=bD(nzt9!lm2~eGPyiLp#?R88wM}LV@HrX7tfQ%f<cf
zG0;r9?3WxJu5@+U{g&1u!#Z-krr^KMqrCw(i`S=k7m@~Y$0Er@ey(SkaZaNR<hE6k
z@nT%hKE=AlHITc0%U2_XiMz4n7zDVT2iO1e<Gc!Y7-Faa)XUCbq+}TobFaef6bY)*
zjU*~ccLV0PIJhjm+v9lIvZ7*VD$}LhgpkB4e_Y1!(e?6)5ne=NS;rQFq?-2f)m`h-
zGh+99dfA+pPY)JO6UYE1UgZ||>=V^uhY%MNoPGCK$1d<%9TD*;g&MV+;QY*@)V+eH
zmQGDhJ>WSz`z`2%9uxN@(b5^PY(wTd)Wmu|3w5y6ASU9jClTykCeR$06px~zx2W0v
zaCERR{Y5(u;tJLPQV0PAz26_kFmB#s(0D1XYNZ8;bvn^Q^*{t+So^rxY;>^tmX3Dh
zSx*<`@xSirzOYX?qB$5?<Vny#8d~M6Af?%9Q%X{^jZp^8;9$W0b)TYeV;<Il?P-m-
zBZ{S_?Cc1@%1+>D@}IA~4-7N_d0w^s64Pd<)E<X;BptO`&Ljb`<E&hv{;sj(T7U}D
z3Nv8HCbbj|NfxC34})t@QrHjjI)Xuk%F~m^G|MT0LcKQSkqV}gN0s?`5nvUNvY-%6
zAqwhb#ABYJ&l<i0K2*I^b$duEDj{MEZs|Izo@xb{LB!AW;4knv*JH{N)dU+AEBqBd
z-%7O4|E5toVzspH>ICvAU&SIc&pXa@wusPnQw?U>2SqCzFQ(ycjK%-dhh(1uyO*#)
zEV}}Xw(J-Ib8cDxR`(*|zzty8MyGlIbmMym+XMq{yn6w4BE905V0MGX$+ol&kM;Se
zs}r{feoH)h-q<DVIBo!ahwztu0i0l4B;_XfUnh-_#k??Wav1(#pO_m9ozWqG@{ena
z$*57<%G&rEjwOn@PG2et%(*${R0(6x-j;PA&&&=}+Kk|Ms$s|@_FD%h2#Z<ZO&i4d
zO0aO~(?Lzhw<LROBRhk0cfgxPDrD?fNV5URg^ru*-vtP<pP@f)u27eVv>Y$a?5D}V
z)?eF7@LnUu4)q8OWCv_1{czJYYas658Uiw!<vOK=w`xRYMSwPSxAyb>j#1I<`(_=R
zoc8O*!joE$)%YBmA9|~y9e8!@EhM^&>$k^;8pI(fLmzlJdgHUv@28@|6M@N0O=X79
zeX26^(Z@30U)FBW)DhSLCR)0d63q8tP7qAzi3aT_oq?m|(n?MhZYMVab;)w_TPM@v
zL`K`8OBoE2PMAWozr-^9aekFsYiM^31<?3H_jw(<Ml|;u!qQZNQ1mrVYuCyq-Q*h%
z$=@-Q8QLnfGvXKza&efW<n=wkRDFm{cOQKJb-KGVZo8E|tMbi>qXqhbT#EOaE{rc%
z$3!AKa;R;yDZ$WMaGkR?+k<t$#WZW70@_xiG4qp5cepzvL5hRw+lQMgbNS!0RK4;L
zF>8~mLd8U!<12(In3)>h^8vQABY-K{x`TIjuAIX*O{*qMYJCkDKyY3bK=PshL5U0)
zQZZZjeq4H<q>SvJX!2ad{D179{O{!c=n!(J`mw_|C-Jo_8%;?^B2N2j_{wEF?=GP}
zysqKcsDyNQjG5p$T6AUloIYN1Y!Q&hd(uGaIMcztm&dgLd?d+ZqsIWX2#}-brL8{Q
zZ{XoDe2?eKr)@C#d3V6ElxgpP`ZJWODC4a>u-g-Dk7sRqT$dr~%Ktsky|cD4CmOU@
zfr3TZ{h%ARA)DbbdNV;CB{#5{YyBWozkh^i(5Gld`vE<)-Lc0{U9KW!oO=stF3P-J
z#*(#a%f@OS%azx8y%*YrT~zyK4r6Jc%Af8;=aYs@&zyDN%{9rVdH1u*{z1RPfzc#5
z$cSA$tb#de%kxTBCS!Q7vXo6MOqgDGJ|}Z)bupy#fKE5*Y_Q4nuLql=HsC15>O=Cf
z!<&pB*S)Sf=nXNOQ4gs>D+e>bU7l6BoZ3-Dy_M~_m46rIiUun1Yn%D_JUeceUUW}1
z4=`oZV}qo2xrWG_=$3ICcKxS0ZW6JIPPmxZ^Hd;>8;oaPB8g%OKj4*SI)Kv|05PWl
zTUd#{mFQV9topc<Af3J=BZ5w~7vFQw3eYG0_2Z6(_5l?!0@zhg?ZhNuB8?u_Julo0
z{;BE(usV^w%l`S`A8JL7Bhv8WG8UKYd`FUrFsB4_oqF0<oqU?O(n>W+JC(lgL`>~r
zs(_dH)=bc3%t`ga(xQP^&grpfjkVK4C(*<>`{1siX$P4}Y^j^t6JGN;cIhosQRcch
zX>FwT=Xjsie0)gex@JnPTQ)G-0gP2%y_Q}WmrAw0Eqqp`eKGJ)#(hmGGkN+$Gn+3x
zY9wz+HcJuj!006CDOo2wrQ`kLuM0l-BCWvsWVQ=-@^du+mPN)#Y-eaotzMdg*J%Fj
z`^`<P;!^mKD2iF$i&Z|-Y&2%8%+v3SqOk$78u;4~5%<K-=))}PUr0({u?cK{LB*WS
z70`Hu!a_NW>T>T-RAwMJZSD{aC}dQ-soEnIGb!0|F*7?+F&uBrfCISNiwg7O!*a5l
zi(T6(Iqsu_dFnIwj$%8ve+jyuAkX7{cA7!bA&Txuh+njlbr>)=A7{?iGObU)yl}Vy
zY4nT8Ng5cK-S>jEfn=)#Z|;gfs_*W1Cjw1kszQ_bcMXvjZbo}I6s}|k0&7y^Pg(bK
zmYI)Qnshr&7~}L1L78Ft{uHOX2h~|Ujh&|!54bGLBOn~$z(JttLXugN-oX3p0R3=O
zaBEH_DQ*sF$iqRi{<W@VZgK;rQ@Xo$`~}ZUH<sn?_idfTkgYk|)<pw~=tr-J(ga0T
zUbSkS)iZYgZ>cFKOdIDR4FA;eF${mwD;H#dT95nP#?n8x8Bb{MQUn%Q3);>_#@XY#
z&MWi9ou#KOc}Ju9I12kT7-JQXFg*26v^tDI`neRX&8g_ODx@SnY0K2|9#?sn&B9oQ
z*bl#q;5BzMFj(jVaxTTCiISw2$)#O7&C<v7v0EnO$YOQ(qFDXM?!O!;puRCJ9NcQc
zzZkoJW*S0`qh+vIbor*}&y4ixSB1GHP-iupy?-A$xKac(q(;IFMH|A}m$_UTu#vtn
zYf}0=fUUWm+f}jc77jT5Vc_u1=jpukt<`0MoF-RF-zdxVlPWl5LUBqnfVa1r)9%up
zG6&JSeTSYe{RP&<ppI!QkJR_IPD8bGP{&?S!me0kxejF6#*ew^aAsQl3VEspJK6KE
zV03N#XkU5oeY8W=TJ5=xjG9Y&3LDSfudmT>@WwZ^`4EYYn%kKf@x<F|#6-S%>Rr-S
z{@KM376EDSsZjnN%i=XhwWHCw5Oi`aIn$BCx!F1dXPf~zpK(<zDZpy*nva@nYTsNG
zOFq1Ibb^R!NGHrO!nwT#sE+t%udF7?z>ZJ+i(xDCghK{FPRUSsW%`^F`<^pfxx4bD
z<9^3yUWxIrlXjwEi!US0*8NXR9($;+kL#<#jy87`W+Z!70lC$rW;(lak+CS0I(e<X
zARDQz?Vu`W(vGJIfYyG0Y_V%#i!^6E%+bj7vsoHbK=PN1q=I5j`?!{RcRkB_-Me^J
zG%B)>FVFkm-V<Biu7CejT3}R@(1=8*D~V|L?INzy{3)}_dKIr-|7D_tQlJiM6&f^5
z+grTjlz8IezA(<F+tB<8kaJn9GF@VRr<7CoX0HWp8ifp*dql@CGolP?^b!lkz{wF6
zd18BGC$PceeQvsi#3JYLECLJjxyL`&U<#Nyj5o#s&yjLJm5gb{2cM&cV}bmxjAkk3
z$hcSKp2=dmWE_=F6E|59FKesI>v?}h-mtuJ&SfJ>RXQX>xEl1Y5klzc%B;%%_piq>
zz?n|11-gE6B;{ti!SwA8uzsXXhJ8~78rMFfceDiT2j9VUj`NO&wKSzWB|@wc(Oko#
zYvm*}@R%~1f&2X&yTEKCo<;Per|U6{F>RX+EBYAh9d6WI#F`XfEE?XFRZvTGvwL67
z<(w`_$lI4wg=q)TP~<T^bC&{sROjwe{|4|GwpSfxN5#9rdAF*g9fXKFVoO7T7O;7@
zx<%o8+w&EchCSvbub9E?QmlNHnNF2lE$YU7#@E7X{`MY$Z_`sgRZ!B~_1+#B6G~q{
zc3P9+*)69gwX*0k8##UmkNY820?kswinuMqg{zP{yRNMr1li8b?O4p)+k35yB5~8C
zVQ4Jf0qR-cZ)8p2$y!!wQ^gtbiX>yQc@2mgsE-QDDi#36Jpw^&$Ot<*EGkkJ2_@V=
zn&r~rHrjfQ$2;YSG^rk>9pA9&v}Ifrbqa{noSJ9=Q%~Ijk7FrUqU#F&JT+mpep=dM
zP+lwowG`7sDf`k5(x{h>NgPX?PKnOexY+ZN<u0xGMpM`;3q^^el~Ov6aC~yM5mY$v
z|5a-Y%BZMfZCeL=wuB)NL}MQt2VTy-dFbT{bkhwk)b-pnM%9p2GvG5GDRYV_s9A0=
zu~f!1wDq%ZPezexE@<kv4%}yGK(KvxmP{X7JMGG^$3Ngopl%0EgP|oAzU;;#k^V16
z0piulK+hCGD7CXVs4bmk??>HhKK$#B0qodbT$?BZ8oVuy6jjyc&oI0%Nm3z7n8|ZK
zNvhfQ2>UFG_$hHmGTGbjwv13CT}I;P41-QzDt^A(Viedye79vEld=2gV&B7-ow@=U
zWHPwdXRoiQc*8^FFdZCVv7QJ|SejTLfsbdn^OjX+WoKt4xmO6*Ad;5%GRrQl(&>mu
z4W@6nl}*MUu1;uG+OB=-=%ZI-$;YpHcN}aVcWH%zZI>Un%!VJUZ0AV|KdxYXz&-A<
z?uXAYY_8v-9^u+l;&q?ScHbhcJ*33!B)x=Ue|`2%asYl%fRpy?;%d&8Kq<5NBGZG=
zk6H5p(i3F~LPXvNg%yW|NA3MrpL!EHy^pt<rmpPTOMr`}e27|nUQ#)6)O!_Ahq~o$
z`E>S3BFbemRsjv~OIMzB&l}ysrfR;scxs#Cpp)D|0-3jWd-;u>H(rYIC+lNzo^e>G
z=d(Az9JsMdR^s7S>zNrOGBMG&!fvT((YOA}3{3V^Uh^9|{xER}U+!msvhCOM!?M(3
z`1+;um9i9js)kui9Od9HQ!L#yDXZ^&b>yLFZW3`+1Zi4HxmqS>fdkp@!4=eDb2>rX
zbRrpc5^Giplf?(cs%`$eo#k11a2AW@@QTm1R#|~f#M%sD8PeU~gZvqd>7q)@CF6J_
z*t7JEr;JDGl_nPt<X(EP8EdybXVF=%-dTx?uu^oTwM&An)8?v|M34nN7vDeG9n$tw
zGtK_iwqLcOoMsnC^jZ7UQCI&;GpB92vSQqFc|ntH;hV;)LyhC+M!xLfu6PzDEs2`g
zg}0daqTl@E((O~sf}L_JN31Ntr>dI*6Laur$%a!~bo53F$qO}G^IbZW#(UFEN+9bv
zYwGDumX2|I9Iuiw!ck0iqNlb5#k;OjbN8D!8jGm0BvnH{Dcb@rRKCupKO;A#{f*TW
zzvrZvJf8{hxl&LuC2<hDn#O#@XJVddahm8Ck$!&iSkvu9C__&J>;40UPeWhub9CIG
zRPQpMg*aj13@gH*{jcr5C~>0Q8{$I@j#@OgWuDZYPB}YHH5wE@-CXxA+L6v*wx2vg
zgY1~}WSN#kOk^T}(5z3#fqB=F&A9!EYo0?Usl{AtgzbqZ`o>V*i19#{__l=FN|%)D
z!`*NCfl5PQIa6oEyHtXs9klSZr%#{NqacPNIK2b<q>g|w{<GCipeB!lE{_{R%d2&q
zn$-2axXcYi+0=yox~<|dWP906&U66Ay$&Q~gR|cvNPG_81ab67DfO@8E?;wdEry%!
z_JznW;^AP`N)dd{X!_TZlUCM&p`EYF>ALaIr-=4Agok-mJ}*ynsh9*7%AlsXu@{5+
z(pzHlrPspm7(Towpmr+%BxreW@y=s;YscyAm{nis{pudCU&ixe$yZRZEyMU2uEM`;
z4u9Fl5ncvvb5YrxxTeK@RTlP+GXX=-va*Pb2PSWV(|H#9zoP~0?0%V%-7MamNl!Z!
zHsVmwHde9t6dMfZ5@{TE8t;|rk7L&4nD&F}I|B~H$Tce>RP3*OaT)A<$)qyLr$YhL
z0iLYx?J<)FuWv3KS+drI<4m9rLg{x22q^|iM_akn9xWYCp3pKfIEnDMY;F&alCZnH
z?azdGn6v%DH`Ieiv+in*Sb4*A9~frHRH$sIrJGk*YeFVFGtJb>!YBe_S6CyKL~80^
z5Pj#XvYHV#>MP9zX8poZ*(6$hY0qpl?1Y%)^lw3;iTV^LOcoCoz(J$|<K}|{K#OaH
z$2`jl@t0<-Ob+=nl#xlMqND#BW#Wr#g8PI}rlvA<Kqo&&L%$<BN#8~8TM^Q8q<6P6
zuGm)@?_1tdFMoK&AYl}9jiOpfwT8jKw9EJQmU(&Q%enA5S#VC61uT67&!H*dkf12*
z$M?9r5FC<fD0F<RD5;-!o#ar%O39_B$>ZdkkZYd`k)ZeFLmA%f7j*|edaPx~1$P|d
zN~3<+RM$+t%Cw*DIgBl1RC@K%yka?(U<&;TsVvPk2m5zQoTyX~t)D+@(@*NJ8l<}6
zn%`31oa+cI5yCU<=uE29v>2dm)t9W1ad-S$g~@Mqvl#P!XT%cI$x%YiRhO}XrWMA>
zFOX4&W&J4Gjn1m55+h1ubT!*yJ6t7{H-Nq<^7<+qu|PkdEh(o>C#PNilbAlXEaZNN
z+RCF6lltldG|qvnw~($1Sq}SZX>IjGD7pe?c~I{H`6gN3B?}|g?md{9=%GLBG5Stq
z)XDMN$oi^p`LPh=bu_H)4Sy)?KpbvQ*R4Jvchz|JbhMLmsJ9C4R=(wm_v8yyV=^rx
z5jt^7`PM9y(e+AeYi0IM2%}TOqC9hwi?&dZ%iXSAUYnKxg<9iJBDJF4D;YV90xq@&
z^jw<*Zx6Iz(nbARPO`F|&Yp5pktaaKZVvcs*|Tn4#bvu)a@~WYpMX}Woy8#<_ByNM
za%>6RFiz?78QD07;+mXyt7T9p|9*VO*&g>6rY;`xFnJ4Rg{z~lj@X|khPF20Xm_x>
z{nL_{RYpZ~tXEn!zh`lyxbb^5<Z}B)yc|yUqj-NW#+?p5uYEniPKhxtlOHs9*LK!p
zpt~$XDe3bp6tJU0VYOo8=pM<W340$nkxYylWBIS09oudAtGE^c`o|I1#fX+iBbU{q
zmY-aOZzw?DDD%JG_|z_0WI)#~G(j{dNwg7|gVg*A`7f+U=zDXs)JA3wS!6F<Bc8__
z=*$M^4~f+nBcl5myiac^hp|mMDKR==GIa|tN!VITbdAoI&q#Oc=lc^R<lZct=#-IO
zqZzFnz^N2nqXOc${fRcb1$B#>l8G2uO^2<_Cf#2?o=Y4fcFC^uBb0j0`6o+<%d<I5
zT@q_l&NU1QRU}!O*aM%m*lIzAWSCxBF~zdsAO&r8NW1ZJ*<o!rD(%!my{`&Rqp-(1
zYMue5z6%{9_4ZWO0ZY5}G0M=5;uMiFazy&ugk}5g2qJY~xR^Ro<J0b|yp#dK6DsdA
z#{~xr;`bMa41!NI<n^MMVX_<HJi0$b*?;}`wqpQ2JkHiSo#U>qq8q+Z+%&{1=Cn&S
z+)^c_zUy`GbfJ|Worp#d9p{10K$KFROh6kV4QH1<&ra%PnYr2Fep%V6OF|RQ5Bl7z
zY8xaBihOR(`J;V{HA!`^Zx$~Jb5WuXaKHR;i#TOLqiQdzHERRoB<ZK(RB`wnD%zDi
zc|Tb9>lBGkhT^lRPT|+~auPmED8F#b^&oa^On?~Z3E@s><9Pkba)+bqR4mhMDotmf
zs0!Rd#rBEwV7oQ2U#hjWY;xMU_$Uj7W!V+)@-J<Eu?L1`Iu(oc{a1NZYzDPuE!>tG
zm&&Z*%aMwz8k+;AGfjMP0oX$iFQMEhc8tBOM=l#osnNJDy!o9^-Si_n+t;H`Jf#Af
z`ihso1SU0<9qb9Uf95uJUwSn0qyXYc%`&|<INHAMLd)a8Sb{LDW5}HFW4)aFjEH(W
zgae43AG;rIdhg$Nt?ghPUF@$~QI)%@rZn<^O51Hts3I43sx<0NXkC7T7^Ly3{w4dC
zdZBF_#QbQ2vB3aEN9T}U9f^LFW>M9o6x&|p-BT;;d^IP7uk|;I<qqW&Bx{@lR|_TR
z%{+|VjLO*|og=tDP948)vDk&@%0m%(FAF|fj9EP}tf?Xk#Iw(!b5H&H#Z0nyqZ$#p
zQ(f`()yfK2gd8+T85(lZwUE@JG*sLdwYy>}56yWBC00o<1XVak$-6bC!e5>T%3(#7
zJ&PMGGs{;GP*ARgJE3Y_Ufb#~+iv<ul(;D=w$6uuuRukU+_-I$4C37aHS9ZX9&(lI
znBKVxx6+|#n<&}uInLFrVx6fN*s$A1^j6QextO2B0Bf!9+#_JsuE$d$*2-WGyzkxx
zd?9i$862b5JVLs+I&Z+p_8F^Xl-*|84$^7o4jv-|By)EbBVwn<HktJq^u($}BM}}m
ziAW18zgfI2A-UWpiN&Bw1)1-ZTzfyMxx8xcadH_P*$(?;AE3-RE5hCmL!^wgaW_)R
zIzwx0$iN{6LYo9BUc=XtB}}PwjIMFNse9l|ws?oL_YI2=abtbda0kC8kH&%A8&~p?
zC&-mocYyP8E^9?UA?N>L?>oby+_H291Ov&0NCuHCpddLaN)D1^0g8Z<Gm=3>l$>*p
zl9ilMkyPXiMV4Fz6aocOq`ON!o}TXMp6NS%&V8Oc{l{OFRp0*hUVE)Ktkq~J>mL2h
z%%&#{WW@nWv{pDpeAE=J;)sTlcez{SPZflDv_{v&5l54+?I~HOMckH-GI)c@_#Qnm
z8+=J(XCLb63cSZLsh()%S6S1O-%^a7Cug-HyS_(B$^Q@~4UcJ6b#P9*e7d5`7r=)H
z8?!O7e7&DcqI{ENmJ+`;iGqc#Ue3+CN;aC61!sY)Xrjr$Q@IIGkU67U+`LhptkAsk
z1gxpuvqVX>$|XFVvUzx@SW(PKEKda?rfpLkYzm1)!}dv&8R6=N%Sp-4Dm^y#bB%YC
zR#oDBcx4UpRqYLwC39v!L@PUi^a?%9xs<?_!P;C3EPZfksQ5uFl{vI)6_?St#kenQ
zqU)A>-t9yeM-7spo{B0I*-f{NnpobG=ho<N^U-#y@Cre%!}rs=K|Ui=z67VCSA7CV
z*gAXzsr!jhhxoniA3h#&QNP>kK3W`W8tonXDxCS{<h;B`w0hHouRmHOzwvBZNL%Xj
z`;tNAH{qRBdtG{Oz5Meb9TR%fUCt9C+@!Bz9_k)BdLxyFxjPm)celw@$B4>JmMIOS
z{GJS58`eTLn7)5YYw@VAnbbIK$|=!uaaw?QWv1aWQ*bzg9I39G>c^?+s!2Ljh%oDX
zCmGz?wPbp<b2;^-&DFZ`{QUXN7;xIr83V5$&1b8~W&&D4*1yMcpza36uD&X|9@pM@
zsSu<!f;_4Hsh+!U^d_=BYK5N<<TwgF8+coDoS`(qrrTb)il3!ZVb*A77Q4g-tJ;ZP
zOt^ir(OV&k`oeJG&dBEp!J-EY-W<vu4E8jxH<~M|i!$VF&$YUVxqj~CE*^PN8#U4t
zdeNX;l)m1U?@NJ!%t1&|nS|UhZKKYnNkWpL@;U4a%zLNpZud#PX=8n-jAWCK8dMbF
zMlB)}cZ^Z3jHsoY+1qZdM|qrqNZJ{XDp|F9IV#%_Bk_|tyKj%Aps@y?DQGuM(s%*O
z#*oFlYwrbzCK`tJqp5T{stOwWjWH?9H?zw3paztDjkw@_3J)gSjkSFyet?{|{c_G&
zt#bYCzSdXV<`P}V!q<=UPAzNQTAGyBo`b+}>Sb@0;b2_BEbzpHkIg1&N53VR>IN<-
z2AA#bQQxZU?SjS=4Sm;Dmt>{uAIzQlK%g+l(v~~eC|**ZqTsa%!wc?J3@v&WiHVH|
zDw1l((kQ$-e8fbQGXf@|D6mhEd^Fokl4t!cB&=5j@0#QD;HNTVPu0attm?nEnh${d
zT|LT{8K;tKJO4ez==QP&7}{&MAwUWhQxaC+opz(45`P#xCjV$nJkci>`)m{ob|9%}
zMpO8Sr&;XahDhBL;fdFC^G{9$9gUk`o#c3GrbgO|Xr<|gW;gbwhg>ZpH(9fSn8!kl
zp;LP+h`nh(Ij_54URgCPEJSj3SJtY~iNVS(84EPM4BFLYyks(O;j9;uZ5y{y9cKiG
z4dy7ZmQy*-t(vAvduSZqP-UE=H}miR<fO?76?X$wqU*9<1;VxYN}C0qAxh{FBooo-
zwq#~UVqxig4fb1#`BREQ`i?d3N2u5bAp#wNwz$vbB7HPGu#5*@#-q#BpV`bSjAl8#
zdxt!0A(|U}SNN^pIKwfDPd{4s;Oe0=omQ?%cd{{TK>$tMDWYOvC9wKgb!WLU!L2Gs
z^kCQ#Wi4vFM3n&JnO`+cIm>%@+7{c`cxsV<sjpcgwy*tC1D4387K$2Mhc`hS;S~M!
z7Ykdg$}t(I`pa+mCthcCLB0uY^OKu&XRywGR-h%tv5b0NNNzfGaNbQ4smqny9hWup
zmZZ@9%VRT%SdJ;d)lS=Bi3S1CUi|Je-!%pW-2hiayz7D1fnpI#lK--b^)oeVH}qa7
zXBICfoQhI^dds#&vyAZCe}FEcqQ&o~*pSpwv{2w!zQ4URd1_n8RIMfd?DFF|d=GoD
zJFjBbo0!&PPzGL0&W^qTlQi`bcMTI2$15hV_NUD1VK050R??L1`tJI}{mcfJNS~G|
zzq8&Bf+way38L1SyTmCfN*+nHnyISz#IIV+u*D5)MF}jvL^Hu3iPXEl;SG&X+q7;v
zO5nmXSfj9OBq)ES`^a7**sXQQ4K+4I<ZqTM;W$*_9Ho}8rR}vna?q_~3{AN6ND>`A
zH#%bzjpUiT_LN7|Q#`Hf(ydf1v*l3@%Y-Mwx#J|Xqns4a6|#7ZQk|Jz%+cdzJFR)D
zSt0rOE9T+-WFDmIHZFBb7+W%l4#Nad`4YEyJRL<&<L7iy{8B34GeKaGy?~xqB~RnR
zVGvbaL$BunRaF-Dd(NE1ByRI`wGw@a04{|QP-w0_G?KCu)ZY)ENpi98^<?2*7jtkU
zW{2ExRv=Hb5}IMcY_&ju^RNmT4_J&lO{|yi9$7VM>wB!v_&w$mnq>2}tfDB{8ZJ;V
zX4B?BF>tL4Tns&yYYn2>sI%fSl2nZF*c}J6#e>494r+c&Q=e$VX8>#*daEiT<`QPF
zsmt0d3(Grnkg4mlW=QGZ^4~ZOxkoRzgSR7n#d@K&Gl1i>=9?0{6Q*0YWvp+G78boJ
zxnw}tL%MYVsIV}R(bXuTrqyV8C1YB1EYfABc>jxBZwD35k&snERakf8L0IFIxnZyo
zrJ1umYJ`cTiTi6AfGr|%c1zeoMJwecgURv_ET{65?^sUiSu6H6swRG-X85{=LCo+1
ze0VA7iX~2AUwgWJ=L}R96!+BuQ<&nua_pMDmG^!!cm8Abm-g>B{TgcuHybV5T~sXV
zitdSdMNy2L>>9*RdpwKM4Xkgw#-Nr>;ikvLrcs|*T%wN@W;YH~6I#Y~9?^9_vCGq|
zDdok6z-q&pGjsPIGC~CpsA;#6sfirCODx9sRbFMyJ|c+XY}(40967l<V{Cjw<<)gZ
z`DD-7n|gPYQu!<gRCEkr8mVIFvF5y%)mt7`o&c)W9$19Em{O&2bFT@a6#1;jdWZe{
zwyunI40}bG06(^vdBw9t((*0hDk<DLFTuJE=G3j;ThN*j0_K3qznT(wm|8&7DnCzn
ztH7>#H{LWgimn-5kg;P6O6X4Z2CLEi+w&Vyi=kJ#xG%?PkPh`YLW34XtQxYL4v*r{
zwe4<4K0_RlX1Rii`=j-YI#Ub7%8T9ChKnhncRpiMQFd(SNm2O_{`wS8W|T1=$_+|c
zVUA><Z<8O^o-p;!TUKabJPs8-7O!>Mra0Rj!UK0U?;Ki=g6-?zYIYM9Ojma8FVva5
z;kum<F&w^Dl_g)&RB|+>SD6En(&^q)6U$-eYn?WpCwDbiJGtiSUN%&xN)Rus+E%10
z1|(L)LsA#Qa@L0h*p=`VSWy`m0O^kw{wCoO|7dS&Zzy#gPGX|(`wq6RvF=?Ef<ZBy
z#R;cVOWgIarUwku)K8WY?Dmp&V&#KY>zGH3q-NN?rrZpUT9VQPCJwA)j&ZCNng~Bk
zq`+47*PoXh7xibT;~X*E7+k78N542{jO+EZdJdgpw<V@DTGFgq(lXBs`CjikDEEr$
zICS(dr}FgCr<U6z@ga7m(V+<|;l$9n17^0`3kD30@Z=-E7P|&>^DhPKSu&X~#st5r
zBiH6ALB2rbqX(|iFYnFdLB0TY*+|^>=6!$swaxX}z#8^UE6;ROdS27H{5T7}`RXOO
zmE8#0a?bHFN{%&UM0(HsOW!u2&g07%5sl<}llP0O>oW^=P(^zEjk8FX2O>%;qZrhS
zf(8#}@v@o->#Si~_aG%Ro6ig3IaVjW0B3-m3>zHY#K#lWUK4#ftAyQ!6w|)pg13BQ
z)ua-l@tj7hsdC8LM(Ycsj&X{IZNJdgT%cD%Fjt-=n{r)WFs10-nR?s#)~K2-BA3;f
zUeGthzg<1KII_VUnOTBMSl*pj5fjsm-^h~}6mevQ%ns(Aur`47h#?<83$N8rzlWRp
zmFXN#5&2}p-p!F$OpeDNeD^xbqdq#>LvLm4$J?pra-b_d!^Z`k8s+PSGV;-t;KnY>
zr^x0s4v6=fiHNc_XKRQ{u^D}8DXV<fcPUmczsaKjcHDI0&Z=qPmMs`9bJ-NSQMaDn
z8=bC(`>JZnL>I`aB<;S4DUK|{+X9HE<>C{I6_)2gnKPOSAcdE?4wF%^+qU0cW5I+o
zQ!?$_%y|rkzXH0D6Y8Dqq^ahgpk$_>H@{Ds67II77~3m$5<0E$-nnFAK*zB$r-);e
zL{+S7<C2*u%X|V?T|BP>mC9N1w4F<1%OwZUIAv$VnTI9*$dMz~BO!4z0jVtcRJiT|
z{A_~xFmj=+N7x`mwn1?EG_7OH5b@<CH5cPM$->6&@VzGKIyS+8^XUBMN}=3F!~Jw8
z;)kh5V#nn=ItCh>EobC-43sfBGC{R-kFQFR4v$AF?2X~!XJywa+X`RTQA90bW)E%;
z2jOFN$|Sm9^GH$6KutNdiQ7~m{D5>Smg_`g*y{$jLB>NuSHkkDJ*o_6tlr8%WHviT
zq)BY~!2CWM!D;*{tADGNqU4$CdhnDh^w<#&HwVREn804o&~J#^tv>Sk{4c^l%m&1T
zo*D~nlpaZM`EcLP2XczWn%6l=_ZIj#PqLV8<Y~6$QK2o{j<#dWBx+#l8tWVdMB9sT
zdox~AwR>wBodDD<X_9wDdXzl@g;8w~O}4+dwzhLL^_QC9D-gT+s1lu(aL$1_^xasS
z`iSCSYMIL+Bc9p-MrQpwtoOJEa~DY-D0D!;?Nf}oeex?aT8%O%bB|v+$(1zbUDG5X
z<6q!yNGx!nE|J+CR1%BPZ?Nu5tUa86=_R{IVb$+Ns<s4^ROscdTDb$|m&XxWdzaaj
zAZl>ZT{y}<wE()a4aK@TG^wjK8F+0+mm|k?V&j`4fh=-jAX8Iw@c#7R_nRr?@7zp~
zI3EojPtD~AEgQag$2UG49!EZiFtt&Purit0?0KRR!2oqnm%sLa>Mq#yLRMW1<sUT`
zqsNukvrLJMz1JL2i=`&r<dCQ+pIvKIh$5LZ-U>uXVaBW;us%eN)ALJ+#fG7KJh7R~
zIF>_=QSp1QAwJaxBd%pLd42A9sGGB&`u?Yo*@8aI_7`oaqs_06Er7Bag>dz{I@4+h
z(Gn>(Y-p2x=(<?1)WCI!rZ}v7Kt32!Bh?VG{^gZv!c7){^5UJ{X|jAx2?QjoOy@kU
zm@k_m8*%GiCCUb>*69?8Mdi)VlV*D|Jr72~_qzK&W)1>4hRQK+rUbs%9z0dT;=rUa
z=r0p_3%s4s60eN6;`w{rT;JB9Z}SNXmYz<&tI-?DN$vnsxOhl|d@3Ke$YwZkY6^LC
zYVm94^fHgFe;C@%f%BNmODcsYJ5Mt}C=W%78YykZNxBC{<-Pz6qXdBm!_;BMS&b}A
zpFbwAG6f|wx~;1Vd6aNHW}B}NU{oZ}>|SI<Dh!7_05U!$s~S}A$#MvK;x-Uy(L&Y>
zqH1b&hRs|x^?1Z!j@4?&ggHxJ`@M7THtbaC9c<-DcWmT{xyc=F-<Xu{ZziOAktrTa
z8y?Yp*#Nc8)QDbATzFlAUd9tREB-+NyN3K}CT0^lFOnoLX5dpiGwc=Jiz1)~e-=J8
zlM1^0<?>0~y6^i{V<L7aGpM<|M5W^PM@6CaFK!cycO8ipTi&*<n3);*DkSpe%y6lX
zC8pO~GP+P}y7Nq2yWM9(|Jm`Z_$eIAlqKLH681SZ_zqwk-Zu4I_UB33ZXVykwwCym
zthPSnIugIU-z5T{h=4leccnu4Z9lf;ni5niAe;tfGZ;n7UU6Bw?|S7~yHDHs^1ez)
z47$AvD7j~Y*(`jk5of4Jb5A_?{f0tZ8x-Cv4s&=&oCzLScFuLWrY6+wN{oVnW@Cim
zQ%+MNmPsn3(Qh=@3wJ*S_PQ33x@_>UkL&wTRd80^(qvRdv8&s^#XUMXTIQ}1K&_7%
zcpbG|L8z_vzdsswUDmOGgsJqLI4Id!ZPExH-lY#7Z&6>rpWD^Bbju>u6@8n`X<1yg
zP!&n!l-WuUDMjNp=6tl084^uVhmu7SJ>&314U^iL&rp}b>#P-&1=V}`-<>3vwo$vG
zm!e#!O;bGXNrsSLhmI|Y3>8;^hft)j9xkqe-fa7k_9P4HF_|Virtr2TFsU{X$8Z|3
zUfy8+CSna$cO896Rw`u{3;X2cr!F)`L~fINXxx@CJ>hUf-B7%@E<amf*wGbV@i1Sr
zgswpIgw_(K|2QvP`$^Y{pNC?C&`|LgxV@~$tLMb1I<KX*JXcdY>l#7LR%n5cLF#eC
zTPSGv##z#ET$*HaD8rgK?X#OPM6{?`2?o=aa6Yq5KYrm`{IH$ac&UM*g6(+&edsQb
zCU|Ym1*nOmd4Y}=dA>$StOb+?klTHt$DirB9uLhDJfGH#GSMTr^47};GPzRdkT>vk
zDWxjA@vLJZa$BSOGAf`Js9FUfe5039)^)9fiP<M2*`lFs3fJgDh2bZAcZ=7ROP+wu
z&#HawhYI2F3ulS9+hHc#7<YXTYw>c+jY?#zQ)qO$k3myqzd*_zr8M$c^9aEN*zz7i
z3{%c`E(t?jHA#`wuWybt@^v7r>vdMd!KrAT&gErTaZ#nA$|UFBP}DwdPc=|{=&Nci
zM|sEaCFQ#lpH==CR!!UY{YL(9KGuBq&9g!wvqzQn=t=Xbd`m&m+{Z0&LRD2&>#my}
z-?0)?!1MhD?tJ?E)@iiY6!Y}SibI%Mu}%l<wosqW`}-VEJf$Q_;gbCRfEs~ra`1lo
zO#YCu7bt7>n_Tb5bK8qVJ+eCyJd>l}cI2fYVO+d^r7DFh0`vxzhMrP~i0&_B-tQIz
zh{#Nk$WC9gYT!4qCoKWaWum1zU8CbAA%$R0<NZ{o3Gw_Kr*xsicl4^Qql8=iQfwY|
zJy#vUSTVOwgS}}f(W5n0%O|Rguunu4omm6cb?cRbc*Ut+$9eDaqd;Mko#YKW+WCM(
zG|)7mQF7eao;zMKVzsrNZyivW>FGsj*FIMpg5Hwq%Q9H#cBy|WDnul_X*kY`(hfuL
zN3Uvlv=)Dx6|vk9IVjv#ZG{!P4w;;Ru|#h4FHMGu>9as;9nYig!?_PPn?u4tz08Zk
zjZ@l*<-W%g_HeNpyPm-^P2sGPWEp&0gREl4Wtn~7V;xC0+I;0ZiqrnlKX>Vqmwig^
zBUrB0@!5A9P#VN7k#xChIvt}ALKn!SR<R%%59KzfcceosZFMALzx2uN>VGMy*=A@&
zn=8J1U9$A@jV!pUQ_kHFZhKW@Jz-fH9gtUTZG)3Ao4HYEO*L*DtFzTJVZB62iq9Ql
z=v7(IwL=|)o=8Pg%mQd@b;7V+LyX24140Co{09)?mwqC3a<T88P>Z-ObAmK!+)Vg8
zzs7St>ER>@yyv9&G<;x@0j>sawUBdwmVrL3JK7yKwl(wL)oV;rCf{rUlnW;wY#@!r
zs7nm++WV#{a-k~`_}PcUcS8@~6AfOjeVHEZ4%v}Tv5lhcV>r*V;RF7+Q&=D*V=wxP
zW2lhNxBh;R4i#)Fu!1}Yv38F;M72*D7Yx-19wUpa7yS0EJ4?ihyJv8sB2qH!I2b~g
zCvVNIC*2@8`{M_n@=>|>!6c2HL4ug43%sjqPbD7Z+L6(JsO?m^+uy<t>1$>e>3Z7N
z5@tjHfSAwWYzQ{w#r^i*o)`SW=jT3?7@#Vj3AKrvXWk<_O*>2f0ei%s{yjm`WeIaj
zEkM<nKZulmG_>zAYg@6nFd}6fw3^H$*3SqF!e6YXWnH!lVc(i>7UB}LdinFA(~>TK
z5T~%hHcTUI3xpX5ewWqU|9i3;I^yr^^!)|QGI;xp$oblX-1+{wci!E^p8U)HWvdS`
zzvAhQRLSHSsZ{4MN=N;vAS}=Ae&Vg!*QVUiPPe;iJ&Vb@L(BfoYIc(V<^t;uc9aW~
z&A=O`P87uL89~+VDhFuaZW4e0lBPF+z~Ymrh1Eh%YdJ5TW$hjAW9a=*=HO4QeJZ-o
z*nx#^)6XH0+RvM1?y&>QBditbpR0{^mS2$;1ID&JIrFo&I*UJcD3ATuzw+AC=4Y3q
z?W^_QTAuwd5k~9xYdZ*ehkpF67r=#g7hkh|2=p0|j4j=|=j|AqD4Q9mTbt&u>l)Xe
z7DzWI89;5da)A=J_VgPJ`|)!}UD&+znynFTIp`DuKI+E>5)3JC+(Kfh$7K9WuSQ_+
z0QNBwz!?7N?KZ&P_yscTh(_@%2(g}1T*~^s%0D(HFE+R$Zuh}fR5bL#v9(iu_V<#S
zivY;^_3irD;Gi{F!g|0*-#)~{I{WSHJ8#sS^i7=Q&wV-+8UT#e>A#_J&C$~+jgU!7
zt!K_Py^`*fwZw}nzgAKFgCuS7DNZ~c3J4U6k5P)S2LC;!$i3eeU;Kj{SpEDeg$V)h
zQ4%Ov4;rki??frz7|$kM(=l%bq>T<+!u|7^J%Hw(TX+o>(BmB9Jw0nF9d_^M5eLsc
zcJ?#LYzx@#a@sC*n3IzIuRbY{MlTyz9XUg<4f4?((GrI|=gq9IC%wO@H(m3<!}GZm
zLz~C16-{%$@O=|hx_6PL3@CzKkSr$?n;|E|HjAVYITY6GNDpL_y%K~YGC9y3ga;uw
z2P(^74@2PtN{!0O24iDDsb)$NV$}D0<FYL-!}-Hmk6X@{T20le+}6j_7R4N=&<&d&
zV$;Du%m(R`77Z3`y509`kdbxSrs3hl1@9`lyXSvDi-z<UFejxbn8SF{4|9a0CI5Rz
z_=2YU@I=mfy&A>S6WdQ>*%Ai@*^($K6~>_e;F7uu2F4gX84(#=m@_6GPvOg4%U6Uf
z><sqwFjtXSOxMeh^N931Kl?QHtQ1jPw-0?0-#Nh(3vNReh+eiV$?Bk+_mIe@VV*`&
z0>{j|xuz|E+e3>yYCDnUUP`0vMNF8nnl)vlPz_!6==5e}7^(h~*bf8w+2nlSsJ=b(
zUFyR;eeEe>@WSAa6Jq%Xoe;SqpWTR@SlNP@*ohRGSa#jU`>i1~$}5icbGwZaS^5o`
z@|EpsWDY=4;a~uU*igr?s#k7B<8oWVcq4}knnqhDEUOyi6K+X>O!8u3&NgDSB(|Wq
z;hshjdc?J%{EGf_Pl;z<i|VD%1{t6AeWO%fG71@x^TxICEcdnd<WJPc$UR<3Zao{?
z2U@2jUS$D)gdgnHsd~b{-b9$I!_t9;jT1z~n!G!;)!F#2)!F`JgtgZ$S!J!vy(0Rk
zoF*4`*5xnu9w%n+P4ikVXAg+$)~GPlcpW#ZutZydF2k<~>Lm1CP!9w^(v!Wc;DIVG
zhOWU%9qGXkW1h-o#n|Eeih{NBL5@}T&8&O*hJXum^`9UX)uZEcXo6`jrniL3_?;(t
zvM5CZOn%7y;`pwvan;38u@S`DaB>}{<9SK%%=393G7+md3s|)bta6=}Db*o?!)rg9
zbg}ZdDsDo~SkMK4;+RyaHL*k%DascOH8t$>x@3rTz!Z3+cQ)z9R97VlSfO~m2-Y{>
z&w}cWKk6)yKTYH_XJ=2W>hB%&61N7p8E00iB}M~jBso>I9V*hOCmBK=(Rg)n0hEUw
z(Lhg8rSH|O4r4ZlDc5yOyY)U!rn+tRP8cNgODgHB06vigXB@PGZH(<Ke!5h^=elrX
z+&T3~rLMv%27nilgcQe!I(;23A!L1^e4?->an(eyW`{qU7&E(sX_DUsLoD61adClj
zl-zwcyIH`2C=(C(YWHKOoc-f=ijYOSR-W7JU6>&(?W+J;FOT!?^>NPw_!bBYvImN|
zk`qC)0#|>PPZ}O<n&sB3b%-=yqUdyA$<@;0DZx%D8n2Z)>aL-}n#is=*Hn(iy+&;=
zw;l(BXzpHqsp1AS9>mEg6rmynYeay*(;L`P5lBCNv(;T?(77cQBU>QH87s0krYrhw
zQ)H&N1iCUY2Q5$$+8K$otQ^<yJbYH+4&XrN$(P}n0BTq!=+%!Kynu1#PB~4`tD6=b
zE^nVi-kyKe={Pz`J6u&l2N2nCP(Z<4t*eSf7NR11`|3_ApAO&3R7@5;Bkk{`*->1#
z&M};CRfH(|HVYvWvyCbQij7QBTm~h~fxYAX=N?!<7>TG9j1+_U<po*m(d=9)<~y(J
zp3Hb4+Dn>_uXl4=hS`dYzL-a(-e_>$=^yqFy~YeA@o~rzZbdOE3R(4ZuC073BcLPE
z1~tjFX77^_;V;aqUb-Jcsy)!Cuu*-l7QKPh6t|I>H}g5G+kl1`%F#0L6F2GezG$~X
z=ieE_uDcU`o`iK}=K$Fh34;9SGW1XgwIKj-%!&_F*D=8^h0h@M(P2Xa@&Xvg@-_&a
z$ZHt^)EBE;xcJM!Vi?H{fBOP=kA3)v9gr+JicOuGxsC-+1Ld|K$J|L(;)C;c>zoib
zQayHMHZSd8V*G&3D~A2yyM!8(DoD`p-+>>tf>FzfZ<Cr)_beq&O}{z~(5)W{(gknt
zU~xSxeS&h{+Nfw!?83T9HFC)00Pe4wm``QLM#6uVxsO5mrSM;TEEc5v>eh*s+bYk}
z8un6JGMv<p79v9zY7s&v!lUa)cygd>kHOd^TY`I_)hXsax8eB^<wV{l+Iij*vK_Hh
zFGjaDWnI=>f*fdHtx0z;m%}%zEg&4uLJI9A;b+^oAsiY#+D5ied<NMid6BH@`Ry6F
zoeuHc?(l*n=rx=o7R`CJ`ERqnd&bc6H?B8TbGxFO*0fYZS65A`mDYvpREUIj&I)W)
zU*56&4WdX03*@l4p{d`my-d>NA1ihP8s@fk8?_h~r9DdNNA@&SY5ny?ft10NLD^N(
z4shM_RY?~?oT6ErXEL`jG67NpSH;FdIKIHwmyyOL4Q7a~F9|7w$+nl+K$iCY%gyrJ
z{G=c+#m8uC?t@(Md;XzgdsXLJw0%0EUAi>(CdVaWQXm)mnZVaDeNRCwYf@zw$uTL&
zqSQZ`f{;H&rdFxtYZNg8T91uym-$wfE6v7I%2C#_?FpbB`8xdwdp7l<`-f?@XFB^n
z8aW&tEOp0d?_F6VKv<?75LUIzFr|E9hw{@1dA_^}Zt&Qur_+);cg%}=bt|pnxW<b+
z-Zm}xv^kD%Nu4klwG#DKZ?JEYKTUPnl_BFQY}zZ;vv=eZKm^%4j!yv}3J&pfYU2i#
z+lfyVRE|@mqy$5MT9kG3CQM-zANj~eg&BM8M5lr3M;|xdgH@LzN~Lv#Q_=zf(|f&%
z3JJ8n<4=Xl?6K`-NoaE?wX8vt`Qc6!mJ4UHW*r_IJ-ffqX{`@SQuzP<vgChUis&;E
zg2^j8;UHkB-NadcE5ro#JXq(X;IoWqRp{w|c3~ECZ)=;T<Oa^T9yq$dSKAhsQ@vt<
z+%=q@s3f<O&*Gc4*&Yo4!FqK<luzZmWG5ztIJ!DyWA5~usz-3LsPwU4)Z;jS`?LTn
z%*bOl6y|2aF=Whnbbz}mmR6NltZJ;Iv1IIsspFr!%_N=41|9mjp0-<VO>Qe8YM0tT
z>cANgFDRe71j7U;qZ56D(68zKS9M$xYqR#5Fd?FAE{UcmhZHCmiqgZ~$-h@Jxe9++
zC4(OgF<)nlWa=K#v=FLuwa(Mai?FEjKt<W^GFiW$96&e;Y>dr2j(?WP1TNGwm$>^_
zBdvT}m%pJk<AH-I78=cFzP-_wTG&;szxTnnVjR`5HyxAc>KKig6osA^6d$D!eH<pd
zKa|<%RtogjL=`|6rcchpe(S0m#aoOtz-H!BUex0pfIqEa#6n8K`>ziV7D*e_1)PIU
zfwcK7_Me$HXZtuEH^@Cf6jjA2i5+Pbufyo(Yk+=^S?XvV>AE}&w7}7}BDx>fJ^ZB`
zT%|g|O_DWitiaXvetbi7bl9qJdr35_KomVzIz&_=f$AyO)SFh0b*zWm?QeDVqH6Y)
z-#=z>vFWE5G@qCo9^zh2!=hj4lOR$ed%{gvK3p&wCQx?XDUt_;F9)1ja?fV+g00=B
z+?>JzN7d#m$BVPRMz+^UB(z4WB(hyiK%sB=8O0L@eVc6JPe93H<~}X4-dA@Rp3P-D
zaLxMmatKJZ5^3mW|GZ7*l6R+1@uz@wf1^%)U>AB7WLof^H>ES42b}=qyWXwC+g`1&
z_Hj3F>Pht1a&Sm6?ixFgGzH}AFI2SP(_E~OSQkPzGKg3=iW<X3B*6>FLaq*$_}A~E
z*%}X=XDo^1@7U&WQ2YptpPfbGSfJtvp3UQLgJunb=9`|8Co7r6i@>fD8>u9yV6`$L
zM>=C??hGbnjmncGUj>@LpB5$vGJs7N=#?8$Qxsjy^T-FJyb-=|>Ikl>jkw18FTQ&V
zz@(tCY%g*fzfcdM%1P-1b6d~0{&pD1`Dsde{o(0Z%JZ7<+1REJc()Sw8-hi7wjkCq
z+mA237HmTBOiP)q)mTa*%^MFP(^{L_k}fWsuc0;d_JQcbyVEqqhs<WGzd$2^b3DWY
zm>2*Ebn%$Zghp{=UEVWph~_S>SGyluZ`f0Fd8Zu+Vc0U{^leSo2}DY-vxc8vQMo?0
z`a8Z6MUDYU%0z6ydmy6V(tuMx4?D!L`$IeRL8eI}Mn1g8o?yn%K%)^N2=Rc#p<#m&
z3}4}Pj0W<njy9T-a*Y|Qx^-2dypRFOi4N5^)3`^&3UbuX^=1x+217gE37wJcP7vw{
z%G+BlbpuRn&EC~GW5>I2|IrUHM2yvg1pQ$V;ItTaG@A9;YpBYWDk;u?+b*$ABxE~z
z2Vx3H2QKSlkw!H58*7A+*0Bcisdfciw<g0wZpMQ#(<!+~FRyfDeXpV^@iC@?;@ax@
z`k2w9bA-^iJAr2vQIiyhtHI%zcR5A8kM>F<?nb-csU-XKD+W{;xtF_eS;ZAh)a;fV
z@e*M*^<rDFW4N%;P2*tCASLpvf_x}?Hco34j%;EZ!7)l>zbb0Qv3Od3G8Pr1doKf&
zpASBC_ivuO`3peoui**z;gQO!LN)TI6Z#`}$$6jVr)E0OYyhg-Ya=SZD-IJ<M^k>g
zh+P7OOH{H0x|*!>rg?TJ)MuoDNdBt!$;StwvMm85MLGT3y>(iGl}(Z}UVBkrUHvtq
zwSNkKP}D{Q)AcT8cb+-<@Fra4@wNcsUR5L}gH>#pIr9Q_X3ap;3HHns<L7eZgKH0c
zQ$r8-ipdu6D!5M}%X&SzOcriHDh=oK;zf<NPBsc|;FAg$)+ogDDqm$!LDuy?F_BMX
z;yF=K<+T{2Rp1a%;<bW3;gCUStb?g&OM+sLhYVc~-$)IN^0T;L-!$CL#QIL^WjqJS
z_QS|-X(YU!IWy?R%IS<ABz|2Aa~-e;OSa9p@AwMyXUuN1%|9040DGR2o^2$vxlZd_
zHQ6sPF3RNx5E!$c_X+3fU2jLti#D>GmujPE-Q`AC9{GF`zgWvp`@;0>%AC(!A4@I&
z4Lph8;cX%e7MZZ#FPjZyXfFj%rv1zN?T^qXJImPJ45!2?P}y;Lu3f?Sq*j)#1}ozW
z^^ZIf?)nBMw&yXW(&4M(^)jWp-ho&t!pg0f6v#>9`27j$AmFXB*mop^kU3VZZI61O
zDu7-%*U2K89;1DL4-3hnC%MEajH6|C21bGxKr57C6tKV1<z}^}g&23nwvT<K-*EvB
z%l1V}7-G9>#zl3AsC+!c0uKhd=_sOi8YTF)LD|v4UgZSlfE_=ifb{au>#YvW>2&v*
zZ>|q#hEf`w-0%qHV%)1K%EiD^M8avs(_brPql<QUN_=)dZBxh|u$4q8<e6FyEl{T3
z9yuV;bcA1DPV(^Ka0NyZW1zx-Nf*lZO85sUB1XREgRyO#Vtdn2mvfgf_W{;l-v^{7
zX^^9q-crNa$PVKADAa{$dlol&(^vS`rdfuxzwp8jGCy9IAPc82^fJIsU9hQ2DICt7
zyEzA63BNV_x;s<uzRkI*SJdZx*iFh-ROG!Ufd=R&WC-QQfHvc|qGfSFOP-%1t6N9z
z6ns`guhdmHx7awLmPgjNwUZO5j8488HQX_CO+h9=Z%VI=>H>X<vdN&Fj$RZ{-##o`
zQsi3P5P*f573WPE4HFeF#qqcWOvZAJBxFhklXH1M8y*L}&2NO!Rf5hOwE<j{P7RHj
zfLcyX&^@nE2BK4NgY^by+i`<uE#a^MfO~el@;5O#Vb5qerp-|%0waYqkw3C`H?v4o
z*;6~7`6e#`tPxpnxQ+LwcEhTsJteF*Jbd#a!jAy~%i_EJ<aVU4`oms?<-z;5*v|HT
z39gOoG{9N{Cc*2klVOls55FE~;8(4Bo5Zb~af1|lv&Zj}<FDdRe4oMav0(v@wcmNU
z(>Rt|kB2zrzN2G||0Fs#B3?k9^T;=606oCw-l}cfu2;E67tjApzID4NNmME7&30L@
zXt=pb-H2-_P%Nm{>N`hrB-kV6<GGz*?b)R-W0K&v5Z#kn=Z}izIbUkQaGb8{M<Wo6
z=r=$i+h3}SVe$)?9@dTSu8gZAbIhRuvIjG~YM>&wR*9n<n=Ej8-EdgSHkboZFD7UM
zTKV_DqmtM-Go-!>vKZ!O|Db4{3MU0pw)u5>AP?;kMYuyu2+Ds$j$)_A<^{Fif0^15
zsl04VN!{mFz1DQ%BRXGbc2cvP8uQ4RNP7Kw-MAB*F@rP)%$WUQQ~r}`Y|Atr;w*yH
zGc*owG5WwQj~FVdC>O`>gcnm9-AA@r!0jv(e-8nzoUmX+f@z3{jk|k=-TBF8h!K(d
zm9p`&Gah>i4HV`hi2=%w0Qnk=L;RKvOn1$8uY)HRva1*Aup9RkF=3?p$kzp1d%e2(
zNNzkGV?m9jd5}&$NT{#~t5C4^)2UlyJy>`4cHbZNTIl3#`oNFyn;#SSv(x9!mp&uA
zhEXj_fEX0n4zgEST5Mie)YOk4)put+R(#ff4s(If<NUlpjM8}SL@51WOv>N<fs9Ff
zv^TKH6iGjd2Mi;xSj4A44~MY_5DsgU_Bq3}ipMOZewfGS{{Hw|RhNk(jdVtCj|c4(
z_XKi5nO`f?eusoYT>h|n4=`7Sr}NeFt`9QK6qHPHJJ$-=uhE%{obRLtILUthm7e`M
z3s-^NA^OGk)`K_;Nx|iq#VtgrIX9H$wdBvA=ln<hyuTsVfLNC}*j=Mhf8Q6Sf4=!L
z$g2T!WJL9!Qk?%|Ea5+=HE#iKFXr=4Ztun)xl{j!1qXN<iQHp9<z)a|*+kr5q%0;i
zqre7T7^Ht;Ri{o{oc?lt^Kn{5e|BO01;eSuoPm`uF&ry%G1Mk^Rvt@NhiCXx2%eVm
z;kbK!;V(W`e;SB&T_?(ujnXQV(+RLIY+f|PLNteK;q|;puiypdtpJAiKdD@qKZvOM
z&#7F%xwk}U0p=gW9o_hY7y&>#sWJPWI_(Y+E40mx7$5t`Pm2h_T0E91y!8W|jre20
z*&jjS?kQ|h5Dz{0FLizpxLrQ-3eeZ@Z)gDens37;U})0(45E4iUf-^xpMsxh$I;sr
zu)Vg)K_s&AJEd=&`U534_A1_d>37+1N}WG3qW%R3gNzs$|JnZJ%e`~8)oGtnjl@I6
zw5uInad6~))cTcXc)MXXfQcK|Z&t($AO^&r{!Y~51C08*7+~+F9=ZG8JM-Fy_cDN?
z;@OoW@UfmR-+LqYD=SPp1bO%eU4T^s`ZLP1YD&=)*pZSL6;N=VCsVbKrH`7u?DLhf
z2V^iZgWB|efz05)e;(Ooa4d^->SO~=EEm3^nV^@IM1h!&+}KUcAfD?}iYt`N?(2hK
z<It(SDBv{v3L!QruFoh-a)QUhgmr;je7yQuWa06g8ySCAs{7$rsG(!c=HV;5edBe|
zO_3E1!<Z~Zk6fXqsU8u^u`dRcFwaPy@uxmxca@I@nJQ@4@IDDMa=4SDVjy&PK{d2v
z^CHgR{w!!ndM2x@vS<+~cEbT+hv?L;v<S!N5EaqlNu~h_6{Y7`_-g&${V5@b=Uy&L
z<GBMZQq;Cl7?EvH!IWtg%#1BhEiYpFO{Gg`VEO)tn#TNlGMjG4fdNpl#U={=xo@;P
z*Jl?4n9urT-e12?AsoQfM?@v8LzM3(y?GU&KyDa<2cT*@A_ZQ0>_^BIb^}jTO_ED%
z%|NjwlX6}E@m44Kv;O=?wNoGS(EeE)ZpenJ#T<PIilZC@-VM?<TPY=4a+(h+lJi+`
z1YYfpWf^45K`v+QT*QP{lRr1KZa+&CX*_;20LTwZ_oJ;&&V`Q*_=`Zdurp6$oR)kW
zC7P#g&ji}EHPr8HZI{}2Cs*`WFypLmrq3^Yz=1=Tx)ZZy%J3Hef1P`q9H)@Ax&o=N
zg{CNho2w#IGM!tf1P_T^(D6(T;~#`JqMC_B?p?i^#5QOuuNZ7(8qezz!i%*h9d9wC
z5N|0U%ZU-pnEC%J1T)v37HM5#3;KSWNB$%3n=cg)2CLYM8B`L{U78Wo1kr``NQ;==
zQyz(@3*h<(Wg}a2P?9a+Q(tkbo$1q66#Tky-8l_nGoyl$YJg)ayE;%5Nj&E?Vad5S
zU8WU#gqS;nDU#9d1E1qd53JnUf0%BFS4)+h6{C)JCk&R@<Jf>xA*P?6siW~=Ew^nT
z*MQid?ujhT_a%7sXD@-yggt2YL^vHA=(7u8BRJ$Sjn|ipWVg+1-ksAfH;h-yQ)w}M
zxjt%|Mv1Cw>IC-PaPzwI*kmV|c56sN;l!%*L3c(_)l}_n7$F6(bf5+yCN`6;t30gz
zuE65_S17Rl``5N{zqoETRD;ELt(knnW80*&&@IQ9R!yjnRbmb3vQ=x)FgBE9#lhO=
zuY(njoB(6%YO3e>2nDCfg7|B2S#RL546bW%IUSzWu5_1?OuP~$iXlmd2>vOO^uM}?
zF)}ile~|53Yv1V`0df-gc!$tdUNCA~`<;yy-Y0GDrOptc!v~GWOKi_(-aDevm~KcE
z#Yh$*q@EnF)g&`bvAY2t0i12rd6lJ&%B|l0Ys>P$D!g+LCBQQEz0#-o=PLdGc`oA#
z<W?vk_m4^UZF>!iu7n)O84o+p!19$f&VM%^-1&2N2oQx(JT>jrqQzKXgsY#Vcf|_<
zd}8!_&xh&s-J+_Qu=n#)?I6Hea2d0617p2T`1v;%-ZqTt*G}~|eY+mM`|J)mmcyG?
z_Pn}2dX~}_b5ck^8|Ow{KfP7P*K*RKMbK%gW$;$f@0zx=QRlwH=O2HmxNmzg8_p%H
zJ@K|Lb@wd-8{(1-FU=2HPVT?h8CF$OyLL#CK%Pn${3U3Yb|m+Op5zAU%9+Mmcl0<D
z2Bst%Rk)itg0bi=Z6QjUr2nF8z*4EAW)WJW`031mW{i33VV&40dMGefyie=0HKP1#
z^r_nW46$7vE8zsAUn&DQS{SY&k5(>n_EziQ!#~Z?&0m)j`aMOn07AdUgkZe?V9UGZ
z6-Fl>Ml%cCtH7jj3G+}qr|so3?RttF&2Z0s5c(Ts0oHWs(=_!YYMsM4wYLxNQvZlR
z??{tH4a#R9<pDa+<tSKl5lHNf^)zvL%r|ZhGWLdp)(^6w`jEw}%Sz#xzDOfQy0Nvn
zb&Z}zRf*XEpZhK_*x^>vnn>@1d_To_fAT5j>Eoyd&^*g7*bvef*D{@2>$u<cNj70+
zC(Ti85Sh@V^VE~pprjiIYh?zoCqj?E@sBqtLbOXA-peQ5k<_H%vdN-!-+WYRv44pS
zkWw|#<x$@Yv4?+dw$PdH<FvL?w^-taWJ~0;j(HW_8xx$!n|+)2rwMrZfVf^A^jp~9
z;jy=ac9=>7$<PzfReJ!qPa6=0&+LKjXlt|7-(eUNu9!}?9WV*u6VU9Zdp#@rB}NG0
zckiDPLQsOZa^4sST0&3ZYte*!=CV;FD5`iwP_A+F4GB<H1HH1$rGHS&>uL~|V;p@u
zs~-N6do84?ofQzFtgd$_(Y{22YIxJOxoX8~G9$$hHibk3!)7*sk+G^5Xbjdt^QVl5
zZ4vB8i^#U2*uV7naSCm0lGgmxZ9!T?2P80gtj@nQk40t>fbMbZ;bJ3}(iUCW@8{ko
z$<3G5-ZFV!mxgWhyQX>Ld+`LGQMTrsQErF6+puC_HR#v|Oy72bVt~a3d(2i4DS~M$
zLTP(nq-JqsWA#hsu~X0vf?ImI35}M^i{Tm@0dh3Z)%F3#Ee0f-ypY()KO#HFJk?J$
zM&hv%M=+t(q8@qbu;1<G30#tEIKOmAHb91irLRd)9xC?rb<i~)ex}(e>lJpU<maWl
z#rig1SN*0{-#>m(Q?qPo*VW$^AjsE-Mj?zBR_HKViNuVgLEfSXnfX`Upp*7_bP8~u
zb$|?QAzX^4r-qQV7W2M@be>DS;Ls;$@Cu=3DDkm8z4ACy#m;y|*={WmP6i3cXy*Bi
zc>vuLG0cPX<DYFzya6cRd*g@d4VXtS?aTbYAb0)|vcvuir)YgVg1G?VW<BmvC9(j#
ze-SgI$NGgFmD8@~0t>Uvm<}OOP)@K@s50t={J*JpG0JucC@s*IcMEv`sY&YpK(GBj
zjS>HHAH$}0ky2O_byXlLfz|!#LfIAyN^`!U$Ik|koItg^KlcNMQ(ms9N&TIB7f-Xe
z{6kQ0(R(?i_$j!{0+v)&H2br&+9wVk5DUdda6E{O(D*PT=K9U0Izoa}Gs=+i*DVda
zn%}8=s^4zuzc6^<;uO(^r~Z@-rvAS{rT(jI_+M|T_;1&U|3B?L8zAz*$Da;&PWd+G
z%IP<E?*8{n@_oo3NRa#u?989&vs;l((_SE_sfEnGCG7LVt}yby42m`O)SRjf(BnNk
zyw|qV*KWFqh!(rz+90g|`csXtT>v6}j*3(U_PZp(IPxbRYwx+KRs-;&Xo_6-(R;D(
zmpN<2c9;{CWFQ~_T(?G&imd6$)?R_g>R_RNw^vz#@BtJJEWf#`#etO4^wJO2FmR2$
zIm}XC+S@p@c7xPG;C&w!xX<oi_Omx(i&~I9HC+>tLH+9jW={P<39zSb`{#0ezYgO6
zmDd3mhJ=ZwKfk=$VB`NMS*(6WgMWYZzZd*Fh4BYD`To7l{(Y|h1jFdRx7q)~Z3d)g
zsR{cD?%xKM-vrm(;idGmf99^J*-BvjH<bX!AYGfsnF+<Tvj+u7C8@(XxtrtYmGGN0
zZ;LYJ)a*JY{i!=_*sTgyRP<g<{%&Q5@_sLOnIHZAa<>Z!<cOm&p0p(#knq$q%nS|p
z=k#Q$yE`6znvl`HcI8(dVe{%oLem3Uz{+}`LKI)}PLYURiNMJc*0>ug{E4War1qtE
zw156e_?h;Lwc@d7`>Jt&*LTu?uW0C+|FfPLpfwmLk{RO@e;%A+Lo|c$eC<!wHT?K$
zf&ZOfy>o_8_tYsqHktc()&A5Km@FKPS260f930i~KxYoY_BdA$&E>?xG-HdUmjzg;
zeSW-_C1rkpq@NJMpVK+uCvO#nk(<<0{`;$cK@z91|Cm+{f69V)g6>^F4UFknHo?7A
zWP#CFR+x`sC~>=uGP7YbmG_TvwX3WkJ$nx?V()*qXny|TzXI0v`<??owxZ=fIv+8T
zprvh`DG>1+1H*hIrjyhw?#x106uDqdEfBtN7b`z>`cAOQ{d4r0T!qgr4b!2jV0n{{
znc57U@x3Bupxfxj8qwa9kMxffdEz#GuQQ~?D`Il2NHcwO*l%>^`2(w_%&L+e(0-84
z!*zzP!fc%}noV<LG>UB3k2E#<VkX`JJV8F1Rb6F|AguNb^-VBxaIl57@8B;Q8Stsg
zS?U0jQoN8`x<!S$IvLOhbY~8U65x>jjXLPZf#Ll}2SyGU^nurRAVZr%0O%ODK1YT^
zU)D*EQ>({52zJqTd0>ihpH#S1Vr)RRgN)io&3jxn?I&f<Og5Sd2Q+P7RX)|MYAP$!
zfe|k4VTdhf2wglmPwpMs>tw70v=3yn?_N@PeP;?UI;e(YG%7J&SvmYd#wDeilQNBw
z_j{s<)n~|E(O%c2-fh>ZU48S^hFw7<((}jwbh#2c*olc|i#63lmde3p5CyQn+7vYC
z(jPof=FF$vfSwQP9Z=rEeZFDGEn#QNM!IFgM$AoNcl(l+MMrZm<%=@f*tD~jzm1VT
zg;gT1hbWl7ZF%sZ(t8&w*_{of36;n!;Ob0eZ<ZqJ*?YbzzMZ2fGtZ`by3S)Am<42G
zb%k;cLWFitue$Atvnba;ukEcXvzj8W$;tEzfwNa+(vWk)3C~qFSx!{Sv?*$Kz9KXj
zBO;9#tq7ZHgh-8t>ueTJq&dB<+PWIg882~p5sO#o(R>n>sXfX0r@{A~DwQ`dWByDp
zw+I}n^EaQJwY)KQ-TM@nXN>u0?DQ9%*={f+mQ}t1%!0DBU6)%-^JUFxg2{1;ar)xz
zDOEKHDUS*tpr~#zQF=u<zujqc)&6wki-vyEG*H}2c6dy<3VN|x6~ta!s~FW+5w74Z
z*iF1sr$;)IKuqKEgvT7KSfHo!>DkT6MH9t^FB%*Ra~jkpybF(SOpZnPQwW?ky~}a;
zBJ8(8^QW-&eX2(^8;oGPflt8C(n>~m={4}zdK@^B-P)vfL9CCW9-CK9xUGT_Teu@8
z?1;|28S7FHWKbhVa$UzvuZRJudrt~C{d_fCt8_<Vf7HArD^w(j^`%JGR(kEx(BNfb
zbdYJ5`@V0M+h~d%7^}N_Oh-%<wrmiWD!PnD2zEXo)z6p+yxKrd9CD3Ws1gZUL<_dp
zEFVhjHSLce26B<ftM&n3dgA&+J3r=CZE?6FEm!-ucQd|`#Fa^TpV1<gd{M{G^xB*(
z0b2)O_60<F1DR>25pJ(L((bH*?9yhn?$wS!e$^Ac&>}#Z`~}_fyp5rQ|F;GBfK;U|
z#+|mf+D8pJx>i$i^6<#q;G>$8I&hqHt2QLfPJ0R&c)$Ca7(Bp->NG%z>e7=A)oQ^i
zYcz%?o({vT2Ct$9RBJd<`$nqE9^d93*EG199$kfXM4GIwd;2)&23nSw4Qr4OnP-fe
z(@+VqdWZ@=Q1V{p;Nzwzt+JyduG+d)Mn_6N*BT={*-pogZ+9-BPx9B0_s#R4D;nWc
zgOvt1@Si5$v0~{?C?A-~wQi!`YV|r!KDP4O-=5>LSfQ^iI<KjYh1fVmH7#Qa99Lgn
z1Wtm;r6M@#b0`=R9j;8@3h!;G-^3;3e`|nFdfXDwG1Sou_tQl&ju%Yu$<ZVVx`eDX
zIJ4{vqPU-ELZ<kqN}Q-Expat5Ixpr`RUBVOQ4ELI*Qa{41<GdL^YeYO7ANCc3lDC9
zcQ+i8SYlBdmPOL^jN9^Rp1az|;pyp@WaFuBuQgKgO~-`DlV{4rwD)wz<V@~}fR5Qv
zUJB9=Opnic^Cd~(yht6J_uhu=SApLSHZ316=9rjZtsC?T3!&`1^)vJp-&sxR#0$73
zIMnYlQq2~Fq3wk(M73ToDb<T=_3<sozNzf5=31^&v|Ra+A5!N!#ew8-)unM;3ui*<
z+9GKjLhDO6A558!IOfVH-k5I<4Yyll%^G1$9eVHqqWYkcCM&>lpRE>K*tsU2s-`*`
z-=#X*Kc2AW+Bv?;g*i#0kJ@2!4`1^BJjb-&-kP+<D0O69<<WI*aUq)zHhG>y{k0#;
zt$bl*Gv)*HgV_$NTwD9gh^(UuA$&`2(JL$0l3f!m7KbLDj21)aNA+g}ZSItfzkS60
zY`i{LwC^|}W@{ha>rMloDr*|zUvxN<oajVA(n7(7qTedETRyF6UFdPxVcTfW@m5_|
z5aJcMQCEQoE`8E*rg8pbYjkizr*__hb(DcS$98HWJ(!UcBSE|$c@wgmjw~vHGYtur
zBjQ{okR7GSMz1LA#wlhtjhoRIi3$6~tgljPR&X|zHzw`v>8Rul(B<`7L@SNDUvHKq
zh@h~pegKW)V2jKZUUj1=aSj3pKWBPLmu;T#;u1G}c~G!?o%xJr{>|*&X(=zOjsfB)
z3vbg)9T6Jaw=0RxZJtU@zGc%BQdV;ww_NhN&;;`yA8z?v*_$tv$E-<@PH*yFvbZSz
z+lIHmwq@TmDf0&2E3uCKWyp<Q`Q#g7hno$@I%OupB{O)523VFuJiRPRz5Pu$D(x2S
zYVtZOMDJCk><?WQ@?uy6bJ<a~>F5tD%9pe3%o<dR%zKjg<WjkJe3b1zUsP8`L`OdP
z^!fH`?3McM4P9{WXwFpM2}n8B3$Zeh<gi-2M{TwE$V7re@>4LoOLe$}&DDiVSJH!j
z3*fY~B(KdqhJ|u0o20Myi3+06<!OC21Xg3hfgH$S5E3;z>%X|!96A(OuaGd>&2NQx
zZujL5i)v2cO%S&r?zPCqgPduVhkCr$#~*iXA<{aCLm1kUAXeYjv(;3m@+n&|`JMhF
z&8+iJtB_-KOvzdj=-u&sNxh2a1y^kwyr!#QL=<1WIRa4B#2W>v{HkJ(In!s;kB52_
z@|sE-(JDGsQ!bXM<e@||AeYS!bvYTYv`loUn>W#ZZx>&syRpF|t|%(7%~a-`)hO}x
zOAE@hn}W)n=@@n^a0X0Ah-qsTSvz<=+Tu(*{7^DkHE<D3QlJ#RUl)e^+`C)x6u)WP
zxSk)j4t;pCWz<0;Hf(eJzAcd#NzX0p=M?8Ee~YRhjrFO%`n*hA-28wVm!wY;vYjO0
z;o~W{hR-R=<m*2jYrDFty0mKWZR_f%gxIU@?;kZd)aErraT?rxMNF01w(0@e6Q8#p
z_L@wMjb&2M9qQg&#3CcjY}Up~shbRXr8f!n6P|=NcfHaJdP$+XWkc^jd$XN^`5pz<
zZ&Bm}+l5hdzO(#<XZX!Db!(c3f$20}_4lmm_Y;DUj?TyfFfl?gdVQj*lLW=t1>V#x
z{8F*wZ(wYp@DZLaN}ys4-6Lcz+jQWX>#1lVg;ui<2H~$|_v&PzxdG!S#6I)*kdUu3
zayYf{l6C5O5wI=BT;U-`nX-uvpAkNZ!`2zho}NapCJdK4tV(UIj47*JS6@SqWkv#>
zD0KDugyz-8FxTxhJ503BHt8<gc}BtK$zBB0d-f`<le2(xy|_`aDtcyezs%w823c-0
zOIuEWW4D1PZuxYoi}~b^-FT^EpuhuGYKM2i==RICMS2Ea^9H3GWfgY2+RM;K{_6cl
z@b0U1x;shKamk;-3sgwbGB~xo#-CX5P~7}RX<4wH7nry$n#kNUSMrHW@{~3G$E&}u
zALE5l>=FcSx$=mxT+Ad}1(6`IIg9Mu#((=fMsTkT@314cU;(YTzGI8p9apArTYaI8
zQo-83hgH!!UMYbeFT9$Xmod@s<Xihk;6Ppjy=9qQzsFaye>%Q8Zc&cAAyqK3&dz)^
z`9c0Pr?XVmw4F(JQ}%g%ukcRz$QCu!d8S^5u8G)vdtI_7U%^Nu2i=8(BPCstKaA2P
zAm?qoF<*Wnv@Bdx(MeU?bdU^r^7Q~IGssv3Y_~DBCEA^?ptn{|(6-6RHtrOk*T*t0
zi*IQ`^V3AuSnDABion7-a3$^}9CZ%IH-{7+P`fx}9ojDq?R=fEs!{C`I6&4;Rh>XE
z&9hgJ!1e#e^`N-aJXXhHdUKI<)xP+97BI1IGI4nRsXu|Mbck?iLZMEDilF00n5gD@
zx!Je|`N)h*<DTir(0hMX{24INDh@V`TfW5f#o^4!mD*Fp@5bN!U%kHJlE6FzGF2~d
z?Om)GxptVye@rG|c!IOIjY@svO6Ie#YF=73IjO*^_V%qo+B=JVsR87)zTLLMRMrxi
zS2U>M+ABt@cxg;^!7c*Hx%fYooHuo1M$)=L!DVh*h5vLo(O{T@P)&KGYQ}^9#C84u
zu=k#EO}5$AxS&`-Y=B5t5fN#E(yO9?BB1mhkxnSmdjJclG^vq}(z_6P3l<2y_bwd*
zgx&(=y@KL1^Sm?jKfZI$bN(OZi{J2f=f3x~_u6Z%y)O!<`TSR450ITnYeqf{>iNaR
zaP|t7n69rqTZ+ee6rwq_-(u#2Sfnk1In1(;ZnwoTRcq@}`8%y_-Fe%k><FdM>+V5;
zU+LRdG#7WYs07X8LfAD`V&317-6&s*b(a~22~A}SDd4U#D3@jInGxlsEw0Zn8_n{G
z4G6^r*mp4Ot;PCql-<ojW+5!Xp%G)=^cwe?_;(+Qpwtmbwd-_34VMZ|9mm(PGrw2I
z6vWY-arx>DcwmXE(A`!o>MO8ZaAEP7Us<J~!zZ$axBoDaJ>+0jbz>7Mz?~C*_(wv!
zhyt((!u~ptP$S?`u{DMMSar6r$YpR(C_G2+>P#$Af7#YClYu#6w}C{$K9H*t0T`)p
zO0V`!T}izA=3EfSq^x2(F;->Uk5SW4yHAU0u@yRC*pj>WC7cI4<=rh>MqDNm;gp+A
zEGZscWgpg)V+-!@O4_+jrFm^{<$;<THd^I_)|+KV%r=&BR;)(tOf`1j6qWZDBAg_!
z?_H)?csT38PZousxlWYVyXOBRy~O|X^ukG$M?~2oDhhiGhD-^#ZPsr&S+^aTaUC<a
z9zWZ;>O-_w>KJ&EL4bdaVPS<~u75$X8|%1Gr*ntSD|yeIp=$44If*sXkBkqaaI~3}
z$~7M17C!R}Pn=mifd|ku9c|Zwi1M0+c{JC1jTqGPO%rWr2QH04*A{vqrcu@<Iv2}7
z?!BTyeYIbmzbP&!nB#@<E7(}4VFPC2=NxjG{UaZJFL55=F64q2FJL*66*k^_S=*tZ
zw!=Jhn)M}iP}eCilA~oP=PtL=JG3~9eU`S=Ps>eWTpz;1Dla#%#oIgL^m%<MHamE|
zyI{EyQ((bYE5%Tb!5ZHt$_ogHjnGILg6QaMK0isDhd9&CC!Y3U=$23%?#$zrmA%x<
z!&}Xbfsf<8ol1Kh?s~kMojc-bV;|M1d@YXWTyL*rF_I;YG**^;YEkw3Nk)&tz$ZSx
zaLW_2*HF*yHA1jsE(SZVs)4)w-a1m)An4)yq7_wSnSU^SEJvaYJWx4ZEKH6se}jH`
zzHmPySzewM>#}UmN_|MncMo8S32XysiEBFNBe%AV$w@&J=fcUr*G5b}*suOD0%GG`
z`n*3rfjz#3(RgPBs<0bC<M@6T+=FG&;`8w{r@&8GX0S4eQMB~Uq!Feq8T_!jW^EE3
zJ*L$=&J9YO%q;uS!g{f$QgIwxPoip6ESI5=VdeyA_w8^LYaH+9h3pgFI?D$SiC{Y2
zz;)K44nuDB4muMLylVgmw2gIU1$TrZ+)yw4v?*E^Kv%@=)W+sk$2V-zVd+d7W7!8_
zaIkw*)b**DmD9zEG7f`oQ`&{KE;u)o>s@f0mAK|wO}zeMT;R5iY9Ul*q&XpVbPQjg
zrBuaKkaS<Pi~;1G=;{{=pR}-SyfbSNTX{_4gp$DAjomFCXt$SOz-e!?N`a{E7+8rR
zVpbvT&YRU6=%HPWQzD73CFLfA=hbf+*p)Okfu+dBNSxNn#mBgM3?`Vbf_zPE4@UNS
zbf>>}?iIyx=ar=OPtRTH4=VJg8_Bo)O0@GnAXdK_(~b0B1MAmoM?P#A44iCFZs<fB
zuPuBmoXFBCG@@0do29I(_IFaiIjePdaGFKitPf9&_Q7id#P;3`PVu_!ba6OLL%x-`
zw}>p)eWA=8n@bC}Lut=kacA2c2;HHu*&v>>7YyTTnY7q(wE<@??h%nndBN?jvbE4p
z6&fjA&#ZnyF9AHMK(hVxUap7zh{tz@-IVx=pUH%~B7UnjtGSzUXGLdrJdC}sF5D=J
z31YUX<vi>rRqa?f+$Yhr*I!)mv{#Ze@_zlK`KpmQQM`janvn+@GvNX?FSedA*wK?m
z+r+%TrE^szAEDNz)uLJ1x7)-~%I2&*HJ9e0LKn+5F97JBBG<+5Pal)i5bdTGe)Xs3
zQgJu?G8RxfZWOZ^otsYBCtAJ`tSBd{Y`?~PY^|&JT$Rl9fYRCAEuo^POjOI2(p-FQ
zh_E&N_9WTKMGJHFnj!Y28iuDI1i7_S$gECP<)avqJnREbNRXbH*h})@CC}M=_Vf6i
zSvB<RuK9HDptCvih|n+-I;QHf&ahXkBTi%2Xj9j2vl{sn&JMY*Z81MxYVsg#Kqg6K
zC4=KrG;&0pir4iWrpV+Z4Y$VLGMw=ndG9IuTX)jv)wK<q!vpscS=XRyC|a8`n7XI4
z$?YDoF1oL8tFT)mHmYUuHzQO%2sN^gV)u_^FL|5?Z)Beq$wA~?6C||C%s#*B2RI+|
z$aF#J@)EyQ2XvrwaOKB)$Z{5C3O#?S-6GL~#ZI_>Wn~2sm2@)NGLXcyv%o)DFxL60
zr0M6<JebYxuhsDBW;#GSQE^XSDo2iNIdR+e>^cwc=$-fAv)Iwl$S-cQt^Zkny6z|{
zUf2P{^3veXX79AGz6pzdPHfy5>5SVz;%4~PU=(T@*(&)Z_%2{?cRSsA70?tjTd814
zyBj08x_wn!nO!pdp2-@YLEjZBKG>9eIzHVdC4vs<tsNj&9waq8Ry)L)_%aBo*U_oT
zEiW%8d=Ir-)pTm)QvNoOa+_>W$ujDZWz0x39l;9jTHK9my$_$sb@A~#k1bG2_e$X2
zFX-&-5DR?YNt;>UrhwEpd=|oC^h$!GYX||aq==?v=b2S%-iY`w@=7}0B*x0l06=?-
zZNA>wlJ`bap6P%-3$)B^!7e|q*u@0#4LP!pUERVK=O@TaWjSZ&nD~@9&v*F>jDEPp
z?J(2?nJSr>w6I>lMRSrs+ywGfTpg<UZHw3|ZQzkx?|d|i-+5~~z3+YJ6ZlL|hTdZQ
zOw_AdgNd{N1JpX?xwi@9FY0l;2v3$0ah<Ov)L6UPVH6XQ=pF&>FEDSLNm~Cn#H(3i
zOGPEH^B9i{*ETFVlXA=kHkJG07AQz3$~wNx<|%nj$#8N?Z=~O8J9gB+Wgc|0a^PBp
zk3J8Sb&X?ncEPv-bXxE89d%33SwL9M-cwU{?L%knZJTGzCP>lKvEZTvlw-5^9{ZG-
zTB+_fMv7@RXr7+!E(JZSX*QM;iHk|$YdOEF`iNlOB)KajMr5J&E3jCrFO;Eq@!czj
zZKg8%X>oxBv-xzi-bR+lM7B{(eDmX1wIWzs8TO}`ckyY;-Iis_mhO+-hY0)XIZ~PD
z`|U#LgzTkvz4G0B2DiT=_u7~GA`{l{!DqX`!mDs=`ZSU^%B?HAhv^?q*~_B3zz$Gq
zOzIqEu7{IHq6cs9#r^OQB+9!TsNesS+dcQsxm|WZa)8fW4uwOzvjXL!g%aNCx`)LF
zfIT$BD;_#u2TJVHZ<*$T?N-LZps9I`{$}c?oQX(7mM+Y(Cdb+*xvsWitu+fHZHK=t
zHBZ~2l4D}71&9gAZ7j*Ro*gN!Z_KEv%G9d)nkn31R#PQil*4qI&-!@NbFJr>^ZuYw
z%JApg8I?CriT~R7vgV(~cNA~tt~&HpxRt^X=`)UCFIS@cu#l{xrI8#YjzrRZ+a$8X
zQVHeIP+F6IDy6U>4Jo$s{j_uXc_>&_`9+mhW5pL)M>n{gAchc87S|9~7Kb)Ht}0^J
z<m<3}-0~t}k43W}!`Ee%h3i$ytT|#<qe{`zQrX?qw}}tJm@cNC*k8Jx97m{OXAvN@
zT}PE18%{5&E#KHIghE>wGY-2W@4F{G4A14>%Nd?bo-AOr^LH-I0J8<+Le3pWQnhBz
zY+*+4SxW_ImNBf%GdPMDD|xQGUv2JAeKCu5M#1)8ZE=r(Ca733Ca=IZO0~b&C|N$f
z7Ux$oxz)0mW8I^x+~)e3X9xhT+Bt!nZK!e~QZ!#6nY^$%@>b<)H~++~nZXsE!JWAk
zJB91YPc*Z%oXYq53M6cH8CD{jbJ?l)yIiv0>vA>4(<>f=Je**#lJ52jk#^BWXLhQ%
zW7Krf@=H<e$G7~d*?Vdh(&hQQo85W$Sxq|PQZ2zp*#7M8qgYksFda)k5@XZAg_3FR
zh$P+HMD4bDcL>z0vIS=iTDFN@3KLyK`)fR^zzrQsR7jidAkR&c7<MgvTw;&T7*3)Q
zMs+RpPwjQ|Tgji*y!~loWtKE2Gusr-(Wi{+c)FU_$(q<tr@gv0)C{(&5O5m<zEf>!
z#J2EynVZFDgmvpH__U~^xaNm1x4G>bt_(UryJ-w+gHE?i_1G(Ye}=4hkzm>x@A?X1
zy5nBH{`RD6Tx|A85ARX8Udj<5piKTAt)$Ho=k~p7N`J8hYX(u?xTn6Ngq%#&dGxF=
z)o7ZM;r-{%Z2weTjZP+|*Dka(H}h6XH-Gs;8jJ_}P2z<jG}7klsj4ZuGvG9No?%nG
zNJ;YGl6|1mrBTdi+juTX)E)l2;68u~8u%6Xp!g``0jDK?3c#%jjWfD|9C17lISN<$
z;BAv^3RZZnD#XpCBvUj0U8zZXQ(>lt*t=Oa)vV`uW;z3c>$NC9q2d=0<CuFnCLiQC
z?8=_5lG$Ks3_)sK%+lFa>t$6|+WveDvo&Oa#y)xIx4X`oiR?Ct%?#$`&ER~dv=%M*
zpuFmPJtv>>u}&2+zofl~1m;sTmT>nd2T!x1o$^~2DutC?<qRo~EuR6$*{MGWwxok*
zge7Wil)s?)u$evKX91z6$?N1T)Nkg@;s=JwTfCaDzO~s*f97?zvS0ddK*}f3E>&vw
z5aktM3eqc5pfSp6JNI#QomdP`wZLpJH(iF@(G2X^4b%$|xU^>dB6i|yNB!9j8Olx8
zi2bOi`K_oQzDJNb@6$?&^vLvBf3A_QSXGazkF+emgoC;1?ob-sWj=zZ9Z&vVeE4V(
zWHvq*J@S!waezXZqj#l-NqzWJe6W;S&YWwER_<6?sp_SG!O*&esT!uzAuZBhxXAPe
zE-Gh<W0!tCW<sDzV7`4(2nofj8)TgO>c$6;E@^!unu)zr=UXhc7NoYu_OJ=eWjlWI
z6Nx7<N&R!uv$8A7JYRDsSVwA}9~x2@pFH;~gwCD^T^O9O@3Je|jWv<;BgN2w6J%5#
zTIY2Ags(Z>O_Eu?Ykfb2Z*^q+Yy=xC^E(-p_r=E#G>1p}`~ClM55m6ZFZpB615hU$
zXd@(CX~=9Hg%~r-x<il|SkuH?w@b$sH~49mCe?A%bLK=gWGTOacE_}&@f2v&Dvo^|
z=<bbS?3VZiOs@&!xmxg(%T5+se<xWSP~N2KF%;+E4gG><4ETZ=?hLIpP!;SIlcewE
z8;)iTs$aOaM0J4mFFNc$mGrxxPjyW_H^G-~CB#CE%Ot8Hnvd1ZH+r~mKP6NC7WD|Y
z0bcEG>w9>uEcoj0Xl3#QnX<1$kAU8P@eq1UIs@z($?NiDiObKu(nYn8(_LvFM}397
zy6JmpNb))R!3*~AkOf+x4zaO$$?C*gyd-c{_ID(KSVE0RVz=WLN61D9x=?{?;Fb*I
z%)^S}P=os!H|us~3CuV7Kk|DciH$B0l=&UeJa~nN2qML`NXp1t`fO+FDe%0|!-#*#
z3;h#<TNJ!0itRJvmCTigGXfZMz&4pyjblk3U3EcfMn713tAD}LgBLT?24~$rzPEno
z__~2Nb$#`chlf0nVHu>Jl17om=bswT)z^mLo=XjdXw1vWZ)E-ozaI@QpeQWq|2cq4
z^yo^Gfn@FL*KNP0UxS~K+TsmXynw^%M*D{6nVfHz;0>ZYm9TGuKXP6G<3G=NG9YH)
z6<YfcE1~vxAQt$(iXToB9C0NSuH5E72L;!YWZFF;HqK;wWA}rSVUYUglnfli42N6s
zWjvn0AN-H-JW=tHd&Ym@ct`wkTk|*RPX=%54g=xwO^_njtgdu{l{OmaO7a#B^>b+7
zAIzKozhvJ2bGrUZ^3nglPS-<%%uuGBrXM2e*z12TqAG|(+Y>oekKp-wli%X&K^{_?
z2IV0ZByCauZ`AzEl2AGzXR*pWjRs9HNp>oWyXXf6XE_-N_HJ72+LW!!?%QmG$r06d
zbNjm=`Nz&{AHq!AN4+^9AIG2nNN<y02ERBo0P{oEjy`c=tQK*%n4{hD@wY{-S1I|d
zZy+w7X8hh21~T7^-hH<W{+}#7f2+~5@zJB;;w67@42aa#OOB~st2wut4gcW5TRH?D
zsa`OaJv1#$Ufy<Tg?0SpN_tX1c}o&Yo6zH^c4h>b#vx3Le$*eGaLCWc=`jBaCk2^?
z;*eFseGdO4OXyqw<;LnirygHZUl8Tl(C@%IW>yPVjrg*5<&sw2Sq`io0A=z8{AB^k
zuO^OlEG%v-b2lG0VyLhv$(Cg-5&u#BhW=CS@n>mYlmBn7_W$eo2=BH-o&67>03dc>
z<M|Ju_^&#6{sY(XaQ%P%0ArpI%-53*huUaH1;vati%r({a3KD-kOX*^pPkEw?9O*|
z61J~+==Eq6+R$ZrcWH=Br0JKQ1H<91Y6{|5EK+sTYYVi^p-5R>`b+RH9nEFDPWll=
zEfO3Y35)%-HDi1v@b#Li#9Qx44qDBTn0+?h?Iy7?$+=N}!sCy`BNJUbUOi{KjdP|V
zHb$W7el)6*|0!MnGo`EXf+NQ5L7nmoj{6%^=JmnJE@GUG*lxLv)M)SQ$OUNoYmOh9
zUYWyR)V=ljda|mra>9pf?MvLhrdjHLX2b!6%YF_g_XEZV{8deS<AwKxeJ6vy2?4_{
zKyd*~e^K9TUJd$J!*^GP&i)8~w!bR)Zyp8W?Taf*{y+LEy?<p+P4_6kTYJBr9`3Jr
zP~ql+(SGoj0{dcTb1YyBcD2D1@VD%mg%)6|eedHDli5CC3k+$DbicNUaE+S=jO2u&
z{lCj=@ah46;imLC%<CV0e%L?n^DTkx#gCdd7*7@}2^LwWohf)fJ~2_-mmdpugca5%
z$wrz%WGFM&=UU~{80>sQt}8!qzsiX*QqOk|9q3%)#hVP*%60@<RR!-luNO&OSIM}-
z^dO{#L6N8!2isMq5?-zFZTA=5=AUUT4+vpVRAIo*B%5<vcRT_&WK403%1E_R;)Sb|
zzs0KH#10)ggu_|AMA9Byp*uHtVuy5X54999VU(I7cJ}_+kN12m^7c|671{<fm0pqQ
zE7EuuWUZNSEr?0I?ds$2hN+Q}=h-z<YG8~q>(Q_<TzIQPLqqsjl)z-viU@LLTZF#b
z6*=5nvEmvqJl3>oQm6P)Km2P@W$awAOr+FsK2(aZ`OAm1;uix6jg&K=((iRM$&fik
z_=@p1)s_;~DYG+?mTH?sKl}QYo!g~DwQV~Uoyir?^$|@j6)U$xxHK@#XNOb(TNe$Y
zZP!z>6LnBB85OM;8IO5?8=Dg*6cHnI#I`>D#RFbkIU*;Rn&Q+N$+u^vMH!p2k#62U
za0yuc7o#-gnqrrmk1gQmXN0<9Z57T^Z7uV&Xym=u)3RHi?`L)x?7z)xrk3sHUo5;4
zMcsyb;~69d5pACD%Gi=E8R#6+a2P$oT!+q<4cpmTsrNj5tN}-HT}k>BgDBgEJ!bB`
z<wTvbL2oWoSH-P1ML@cW*f3I-g8_x|<wsyZf$0M(NO-m8vj~Z`l~0S*FY@>k$&oc!
zC+r~@79ch*SGxdsgHpg7*!z9Uw~~v>#MY3vl-xTv954m!5nb*aOZ-?d5|?WPWuZr8
z{-8fOJ>zs1uYUAce_M}}cNX1D5tyeFDyT=sz#hVIZuxo8_S>`CF5?gm?NWO`+Y&_d
zSlhxvpLQ1XS-imd?#9YQ75r%3=flS)*87EIqSLduP{_SW8K*LL1{5q%knv7cQF0io
zWflxfv*?3;QPQajiHQ!)71pz<$>C!!AhZ`5+=ScBhTBrY2Vj~;y`>J>1AWU3*3&Jw
zskTS235=~iSgwM{)&<LN+$>DjnKyG<55EMiP~t{>>Y^PF$Ri&qmTB&(xtFa~BatoK
zVODeR{&dcj(<0W-nxAV8TweV{mz^WLT@J}-Xit|V$b=K?0jl^6po%{Semd23BA!$T
zu$8)3PB6Uw@v_+dKVH@h^RYKeYuyswr|$cx@YOGflxE6Ix1+66wXxO++>>kzu)LNe
z(+(pS#X&@JJ_zjesxzmH&>WK-tNP5Cs8DsYQIFTc{>24Ij!2jM)-r|uri@;L?4;{<
z&PmsW`_Pp#r<J-=G90_Qy82|dnUJliK^D5TJh>xNQ63BmgzunJD<*ryEKJ$xglt18
zK4eb}^=AeP@ahg+VbLjj>3YLF*OzuJ$WDuTh8eJ%G2wweI>4=<<CFs23PCM;_vxL-
zM`DPIi|$ST!EW{tJ$FW$iY2K=5^8W#R0B@?65zC7FzV7pkxA0ngS7Wm`kd&Q=H0=)
zVwyzp?`%*DOR>Gcf$iyhm0@GwX~C-2=2bc2rf>^;;qHKqrRf~b1IYCb3;yrVk*^8+
z_?RCCUcUFX?)fV*X^f}{t!@ZgAp00f?iR|>{g#Bzh2@OirX~)iF&(#lGa86b^kTId
zB6BYVf^jb1Sim+e92UU@-}8Yfqzl6vBMO2FGA;SK?Pl9ly0Wl?Ioiky`TLDN9Dy&6
zovstJNVUu=om!x8iyIoQ+S~?LZipEB=bLouSeSQdoM+!tr+1vzDb5_EYa0(cpKCL9
z%A~a<aO}M;*lP_=AQ%z)jT6XAl&5pu7trw%fQ~;V^+k}M*_U??R8+6PE3Ow~u%#<E
zro^VBTF??EyB&eJkdz1zZx2Rmxap0i&Q5OuB{1N8|F2oKaON`|Btv(}Tjbm@jJ3hc
z0S)g3WW7$&ke_c#C`^|5aOc(dR4iqUM0sf>nv)+1h#yyv-i7|`<ObXV4GOl-S$E25
z#wlC?TB288YBMadAyW>`hJW=wE%P-p8kd`pW8Tl}AdR@n-Y{r!ilT-7I7M69<-x<p
zPDyvW2-f)1^&9lGv_2)@g>g?YQVH!*P_5L_JazqCU}QWb_G+?O-Wee7L?hVvM^%pT
z532O0yyG9Qtf~ch(+d=V5jTso+XtfCAwql4xS{O6fSFE^f@EHC9Xaz1xOved(rU-1
zUbcDxYP0V~(96@`Y=9XaEf(e&wHy0NB;?T0gXc^KvE$(Z7k|X*NcLD9J2bA2&#PP3
zLq^Nl$=hDC!<%gxOI5w3G+i>@a+wWl?#R8XGkp`Hi21duo{S8(aBdT?V%T!Xo8{S_
zv%0AK)55J7s^Z1xK1|G0@+KYMwm4;|`+J)mn%(GtafiZCcMd%^%!7=9n(2`bQ@^UL
zRyFN+FuoM<szO6Ebu`@2D*N$xz5Mq6&-ePPf4-3OI9eg8f#pZ2_H99MHBF-Gk^#<x
zY@Y_poPzU8cU4xF!5j-Sxc-=@KeKP>a(|)a>C!n9jJuhCW7MuC758fKr?qv@sbdva
zl+%@h%Uw1ev`_N&sfN$vN@q=-;!s}=OC4hAbDw-aZCGmD`m_!Gp+X^XSv`nT=|~xD
zSJ271a!diNJ_T^YDCHubltzJxK0V)D+{uJ!AlW%fN^&@ZDIVvE4`7Pt!JPmmr|G~K
zF6YNb&wmIwAfzuop*%jjo3{I2#~c(bC4ABH21V<X|4X}Pau>{dfL2J#cz;t|7(c4C
zr}qZci&O8BI5CoWMeW!5IPQ4j$l7zhvqX8Phj6d8><s8^`V^Dp1J5#gN6ZH?<xYSk
zo8Y)~&Tx2hHhpPLb&R=}D6e|Q*NIweolwK3a!pD_g&=%$68n_R`xMQUn}%{W=C}E@
zfxo`(rhs)T7=CSGJ<UU7{rH?STdhO@?EvB;W#MtRKZ<6l_#=$!JZjYxL~Y`i3xvn{
zfe>W(>`KN9n=i&+L0@lv;r^Fnqj*#B8iR~*(_Zrz`Ui(BnLeL8kh{ezWiF;rmc6+a
z$F5cM$(L?7EXr~8{$z(AXX_r-wl&ng)(n*hrYVGHHogUBSI%mQ_a}FcDU_~H<T|fe
zT2BqmCyvo+PgqiRhk;?@TAWH|&}~j(MsQcEy_RMM-5L(7HyAVjoFe5}pUEVFyJopy
z&taRqv2z#UW1}RlM$5;eZoNAkBy-W%lkTN3Vf@Ke@dYiIcJ8f~F`FB|ey8W^dGM`F
zZxMlszY{sY{Caoy1tGl_naj-)FwKH(1$-v-N-|wDkXJKtW}{Z??&sGZ5jwJ-2>T-e
z=zy|2B72u0lWW*|qOP8#`7~wx`>s8NS?@VuV|iE$=Zx(^%JolACbfNVqqJ$~aL9-A
zKw${XRi~B7;L}MB+^DOvFvV(rm#UnhL8tB7+tv#LJXe^NiuzM(?G`!}kV9+Mn8A(6
zF>Oq-Hn<DbUAO<j;m-7E_GZzWcku|z!Pb<$oPL%S4D;EUxr|g2m^irH>;+~lJ>f9_
zZQO2-Sv~J(k|Gl5bFsrxzEU1qqmN|<M8^a9`^N;hi)jON7O_E6i%GX>Tcb&EwA{y)
z{XGwYd7K`f-XzIDs~B+xeO4UU1Fj4no@J<6e136hguLbIP>-9JBYrA*@NFx0iC;?W
zy5`+;l|n%$$NqRjUi;}ySv*}K%~6sm6@tU$x^#1Fts><0yPLGZt!{U1);@jbtO2I5
zO0({=Y0I{3OuJ#JB{GH^S8CaDsllK)H@U9n`&i?8i|z~k>IM`4wFS8iEPW6(E6ehH
z1#j7w#)hd$ds_KGUq-$FY=wPoqVn?#{A(hsmJJ%Ml6hZMVIzjkKIv%s$*F<TOPCe!
zU1FxEIims5I)EE7s3(sgKp$TPV_&Oa0Bp5RqR~q$<R!h#atq_J4Yryp_B#xJL^sEo
z4y-bktGtiA#X0qc*CE1FKpLi_J%JvHy3zOPu+;T9^VLUm0y&$loS3p!qolckTxK)(
zqdO$~r67{l2xp{wn(0ilTjsjKFEQ)lPaH8#sNrxfKy2Mt%l3Pf;b+r!P0N#Rm)7NN
zg6HNGxEDGL8`sg6{=t01f(mTu>)AG)Jl5_3LxzPvQ=4h%RIYlvN?XC&{A9@~I?Y-y
zu`Zzk^iTLEU_1S8pd%$lFM2i)>f(LNeBh4#!oVeV4ZfhT#{LKO=jR);$EYE-JTU5E
z>-0R!Zm^FRt1W0}l5TGheibPBGgRco(_n~oI@CLYwD{Tyk+AU(Ql}Qwfn)Tg=pR*0
z`y%Ku*7cn8L5@(+JxOqc7Kqq_{O7tp3+U$Q9`jcc*UZ*qXHiT|$lvYwY-2DVB&!lD
zx!>84w`_0t|BJ*JPLxMFJA83tU`>9-+LyD28WNO`E8AFjSQ{&bH0$}KBM1N`gz50H
zlcA<Y%6ud`k-V1Iup1bg3<rnns#(`x#Jcp-#_YD9<f^y;#f7h~+p;L7yu;tl*Ea}D
zcMAm&O;o+QY}sqPF;dleeSt%4w@lmunTZ$xFy0ln>*_R~bF6XRRNFdLc=;LbHR^=W
zjl&uz0BBIA?b5HQ`q=XEHoeBTGrT9PPcYt}IpmZOA~srE%XFEP^^e(wJ9xbA=XIaJ
z{MMx|Mh_1#1QZo{Xlk6F#t0lYr>@zDpvNO`xnAA_U*bo>Yzu5jM&|!qXoxH?lNggw
za<G9t5P^vFXvVdyayf7>h^5XQIXVAZmUcF3XUzf@L=r8c86hw7DSOhg%czBDATc}@
z;^{DsvQJ3^T}kl*qRtJ^c+5B;bZcHA9NLojtkNvn4H1nNLb1Jen`=#O$R44l@uL=b
zID{L~M!_VfwmdoScV6!tFU253!7a))TJG~aqzV1yr|X8wT@p=JXc}|8UDkqSppZ*o
z-+!Qm$igkuCZijWjN5Lq{<S3t%!U|@9}!4=sE%3%<I!Z>AJJk4^<9nrR`H4%YFt!8
z+w8S<*PmnwfrFvG6Tt})MYxZQ+@9HM=E$|~Bt}^7a9M9UvZ$^rA%;KbvGy*aoT1wD
z8t~e$<@9i2r{(v0)q7iaAR)@T_`MGO>#~j6eHuc$oi~VWgoa@7RmVjR#FMTIqDwEy
zCe}_UUU4@T6>?a3*Qm)`OO>q3y>Vf=ZH3#WYZbX}7|4M?U*Z29=L?WdzE{2<-jAW}
z04Dk$3CE)_=*b`HW`t=Uho5ipcXf&iA*Co>7%G>6L9nH+TN6gyCd-jJa6Lb&dwI>G
zyB~{VuiNsdP!ko3xY)t-(Xhe-9_n(J_0W2b@(0$|dm%}ML)Rn&Gj^xu5Y53AZrk;5
zm}B%wX&?#OxvSleE?E|~zy!J+*+}EBZG1RJPfD?6s2<t8XY5sWV_ZF5{(mbn8fmus
z(w8WD9bvw1>B>S<#4jr(vF-9=FDa_~0@M?vA0wnU)TXYheR|iyk0D%1&jABH2+Trh
zG@qrY06JrKlG28fWAnB>rgt8DVJ^-aj}m`&o(lcU0Ug^?f<nc2gYGx-J0(<$^r_b}
z?bp#C6o+TS5BPEK0DinY)-yhEgr6DJ%TGd-SBp?FdW&z@Rc5Lxd{F}H@rXptLzaIA
zYM^xhqtLOO=0|MtWC2R)<wjLR)t6ziM#3$q;NOAxKOsz5C%R{yi`aOc8rZul6+vew
zA69wH>QvONQ394YKk4946hFg<@t=neu(XxiQq_~=ODC|F{rja8Obts0Eqd;wie1#X
z00a*4$@^TT=KW81e=$Rg=Z?=30TZ82iLU|POy>;DbpMUWyik?Eyxc!O;bCG>muvE=
z7*;6UEO$G6=ru~9z0rSadr6dDWc`;~V~xZE9I$d?cY|2<f;zCE)bOTiNpPfgoEGDA
zdKo!=;|_;l!ZX`b<5nGalFt`Uha9!JeehFO$?ym?k2U@$!V(9Q)J?J;Hr7#o2%y^t
zL+z6G-$ba+T)ktIo|vF!3DKhcpINf!K$$JQKL3ym&lY{F{VUlbFo>F1ua*R?E{R5M
ze-~~4(;YLw6>SD=iu)zS<S#8L0Q1dohq3JE>RbN}SSZU8rk*-nT)<N?2^Z6Eg028I
zS3@C5;Xc%LcBDAhzV<4}kg%Ue!UZ)phhv-jaAZ;C9NQoCU)d4BKmn&AoI@`h@A!)W
zj=$gF#Du!ZTh6npJS?yrUa<44KrK(zGc!jy2F>-HZCLW>@qA81avxk>t&bThNA>yI
z9Zyj50Lf}`EQ;1>jE!>mk+$j3qej8+&jZ5ho(I4mi$mWW8UD#Np86MD<Ntf~$e{`Q
zSUGTFGXpagEGl`9DaU!TX+>St@K`pxTvSptimMat%;-<Sp`}J&h77>xZ?3l*ezAbl
ztOd80j8}a)Y_R7r?6`nkZsD@7V=)lvPW`;@koOK$@w6;`1B3g+QZXT>M$zoAi0K4W
z0Y{$ubb{C^5A!0|rP%`7Z)*<Fq5M$P4RvDjYuB1ZH#oOO>x*ZcSsH|{R30|7wm2LW
zJZ2X4im(q9xSLgY1}J^?DWrOg7Tem}#_m!0XS7U-cj+pd7)9(SG`ZhNX!CjOapn2y
zP<#{A%@eK%I{x4fUyt6?vV>SI*CrZ_*N-)RQNb3Ki<qw7aKgQCn3phgsY^I5fu%T3
zQ+PVBw7eLg-&R_|nS{$9Z2W?O_|eOk(}!K34=!DpzevNIQCQuUW7Y0gD4p!@Q2Y7C
zvBby0Xo;$tW9>`a?^hrI*<YPfsT2@ss#d=iCmWM5sJPE>Jm6e65N^t0h-M!obS(Wd
z8H*2B?NIw9Ja9G|{jJ;~2j>2Fww7y4F|OCP?$iTnug1d@7i3wn+qUCumhDY{6FF<@
z>Q|uLU!ALmvd>1_`})y}>ePjbbkbsN7nr%78x~t&LgSN>)H40NbXVkKgeSX=BMY~^
z=Xw#S98AZCD0erfdWqV3_U+yrIlF3kN9A?Qu#r9Hr#8^Lw};(Y9+f#fG2;2c8ap4I
z*reS3ehlKik|;cc4CoVKhiCgnT}%eU*~7TSOyRbT4|!!rue#xnP5k*cX5XWvwWo4e
z;_RHS#8dtt81(-I!2qnwGVq*-z(Oq3obX%uJvxji5A5p+RblT7?{3G{O6d=&Le#od
zmV6&@kH30sh>H&}svDs^riLz~uJVDuJ27@OJl*$smlVBAOHQvM&RM5PXv5WJt~ME4
zO9_FQX7W{B#de`F;k$S~h5=_3md~LuHu$DJ@yX{qV9AAKai)X~%8>IEJxl2I7?bm8
zybdrvzB8j1%Rx8hQ=zBh)E;FKaBLw60%wzhr`~Kn4x&fW<AmddDUaI$R{X@q0iMBe
z%0H0D>HitzVY0th=~1e^iXEad4}|j9EOg@u#RTcVkGb~q)HAkIfp_{p`R!2~Kf)a?
zp2~8MC<jfBbOm-#6P1+DQLIGoRD={*uZ|oW_baT{M5n8Ysm8c%6CsAnrBu~R=2W54
zs*FOVA-*na<~E(0mdLAQLl@9J8L)En#84@Q4@E!i1ex|J5EJMs6)NO~vcn<Hi5Z$m
z6~m?o4s(q{_;PX#hmZSi?^35~d`qDXs`L(Iy8MwG|M$B<GexkGx^ZnJ!jIL1UTe^s
z2a7ZAQOnBGl&|xuXef2S&~FV}rt8<pG}pRq3~=7_ArF2NJoK(v6qh|!AyTptQern7
z4#AoCPKJFl$G5}Lm?9ZD7EL)~3N|x~LgOWQu$+WM7qUs(AMP1~Urs@5|5v6mwm3SG
zWjhwdN%F0+08(ogRG4n}+GyNaJTco_Y~!70Jb2Bl+%4|TtM<gMVUC;LL)ekQPuUeZ
z-6N94rBDZ(U6BpDkkE7$wbJg=b!S9e$AufjPJW!#hDNb$;3B2Gf*d}MeN|znhSCbV
zj%HawVyi1O>fqTIze1?>{7HehfVkF`<C(s)8vJ5>z{a%Z`&aKq9;fATE;tR}-lchr
zv2KCSdG@Q>{>~D_6xYZ5H1&ro+}hCJ-MuLGM3;IF6)%2?(Cudsc6_uvQE%igAF-3<
zOSkc$hqt;CC>)VfU_HXeGC}*7dXWX@3-1hN{Tmu{E_Vo=5rl2fJJi*M)(@snC#&I0
z?2*3^3*vKyW%*vr1&FeCg=^}-Ml%O^^>>j*<6lTP!thD9(U0b3=Elv%ol1CuX{c$g
zJ5CgA1v!e!T7TMt+bvL#6Ul!*ewyMvHBlzu=7Wu5vGARu5f^AI65<|gJ8vD^i|I(r
z%+TH_&2KUWHMTb7{>=ui>`_Hj^#}j!amr&Z>lYwzwOM>9ahKy!C;6t9XQ%lR_1~D;
z$l-QZ$6DY<@EWJ77|whs#A2bqY2~Vk12%K^%yIz8<ET^GjTPTFzBi;kB_HqF?oYIq
zOHotZy?Z^boNe{qz>o;T&F1d12{HYRm_buY7R7CHDv?<`L~L*{BcuuYuxqD6Bde^;
zKgwQ%$VNEqqY>KUR?t;^B~P)E^G8^nCpHc?%4{OvPu6WdZd3s_b5ce!g@=azEC}fU
z>lRcsG1_DwAoBkfKy1(TSU*Un#;x+p;?0aisp~#2MXF-OdFvEFH@;My`d9>e9Wozj
zQFc$zuB?7w>PHF>a1~LZ8~=>O)+noXDQh=R{A5cfOTZ=s{IY{a`}Bgsmv7Aqz2|Sv
z?*=sHgd=e55?-Q|1w*1wIOBHlb@9m)cdTjgPgSuo2S2BZ{lGbw#(*8bimjzIL~axp
zn~p{*PP`<OyD=|lZ^1~jr<QFW*xxsJN!CJOd96p9C=c*!>iEQh-+tjz>QJ!GLp|R&
zbV-(mp%;fwTi!R5G|*BfX=tvCi#E>DKuCFsO}1LW!o{9(eb2vXeXb%m9E#Ht6Lbq%
zI~Q_wtImgu%(A9-=Y)l%Dz#C^3OZ(GXy?|>8aaQ>wn=iK!>o<Dl|7&PCB=+e;I)4R
z@yJpPS=K@i_!@Nm%*xPOCgtU!DW=nwaHW7CnKZIzF|oo?^d+k`_uyCFA3Gp0<C5_j
zNW8Xo7F*o>AR=4KenuGu7Iu92GQ++4O7)86P}%6-gY-M)Amf-k!qupnxN9v&H*8^0
zxj=n1v9(bYKvut+G!zhUe}Fj8_hzZ8^DbCcw%xW+14rEldnOt=mxkI_o!ccE2a76n
zC3JX75n|hqbS`i|0(b0P%?^kKnih7JWCl0RXli3)Le5T8RbL&TN|5>35xY*qARQy@
zG(JNRP;V5A>mE?qwbFh;Q+4AetV5u)WO;&BI#Y&&XNuo$R$t)RVw^^m!ePKq2a^#t
z)mrg3-61ev&gcx^8N&060`4-%rak|rE(?OP!9N=cMgZ{0dLY!k-(*?+Zj<#vq0I4w
zlfkzmczTugB!%@*YjHjp{r5(NUEW%m2o8QrPD;^aVV8kv$DT;lMswSkZPrj4^sR1?
zsfa_#XLwDm%g1&kr^+3S9_;OGHI5E~HLEW(v+cWj4Rg@VVw~^1ogLsl(5@g9y<6MB
zLh)_+dS)9#q4hT^VB+~v>5uFrt(&uZNL`&szpcOh3Z$lCldFQe6exhpvGRsszSiAj
zIHbT3k6@Y4{B4=rDhKM8vh`jVEP9tNI`e-3z&Z>?Tzy4C8AibxR$D$O<gKmxQ{U%8
zmO0yu9o0n#@H`=Z<L@*<iZ|mF_f}5Dgb2jKTr;$VyQv_0(VLS>HiL5khA%4?w==d3
z`cBQ4zSq-UFy(}H?M(LYSq`}_e-2TfeBVu}Lr3E+C@&@;-6WDMnIg_x=F#;YN0Uvr
z6_Md0=HNcx$I~{`WbeNv(vu#!vs`}%mDEaX%<Su;`j(Q@!kNlKN30rdcubh5XIZ)b
z0%STGNbg{E(p}P=4r%<Uefg(T3#82lO~Y;32xL4W{~vNzKw3+0Yr3`18b$pUYXq<x
zb~c4C0dJH;G0=>!`?CY|_G-$zKHNwp5V&}xS5*AIbV*UyMDk^yWZ+f7gZ=^ixgynX
z*Yy21rpjv(4V)buJ2O%<Yl~tM_sZRaVQ#U!r@IRw^5M8aK7R?CDLMhyG67!Oo{QmJ
zHW7G_K?b3Q3jro9GqRDhyktXlH&MntbVJNhbymyHZ(umSP+(xH_1J_r!&JI#!$c0T
zak`SI%ux}(hJh>zluGXRfHi-&LAv<G4F*1*u-VS06BL7CpHw(Cb`ZjgE#)d=U0%+W
zZ|z(PR+t}s&ued>gK3uc4f~tT%N#O-Xrc0#sPbiemc-T&lcln`+og@xO{5eF#=T!m
z)nM=Q6bdqX&DTu6agJ>4ap>&bEsnc?5B*Z8Yd$nK87C<j_S)fVHe%!P1wZA=`CW8S
zV$MRH{U72S)kQ!70}k)zh~f8hjKnD$6~dPHt~{tEw!VMD<y&x&)ZK`Xtc&oFW$)-H
z;V;s87cNq=KYj9R>e!=TU&XNZ{2N5wi*%2@WnnMT!y|Wrua>P&t8~F(rX$h3XIuL4
zY*Dpye4K5^G$YXmoqk|73v7WaLEZrty@oaW6bY*r&wBX!ULa?8(-uaGdvPoI%1;!%
z@+=!EAUEWSmd?o#tSI-$2U-`3&6#IiK!qSPM~7l@Z*_%mrnj_|%eH}G4E+fY<ScH&
zzNB+6MR(KnGo*X0FQH-r!7?^A;AG>Z6U?`sOBSqFwOW~~x120+X>NU<r&t#f`nmZu
znO%FKsf&-<aE12#`E~`7Cslb|G+XDNQ6AqCJtXuE+%@>{p{Lnh0`rT$6{kiw@a8kh
z?ED;v5mbuW>O@ib*0B;Ru3WN%Lh=qu)KQw%NQ2|gf+l#Z7j5<kG!k{VKw=74iGzTv
zi<3aa=<6`q-<Wa!q@r)6>!1n(5)BCE=L_w^G^u%RW{(A;=tD3_vF${q_zNqcfn*JK
zu}!;okDi>fL=L^4*EziwTF+TprzJMk9$+wHBQH6ilDYY$&Wx)<1Fd|^d5n}#1}?Yp
zK9c%Xk>u^HrIn%5n@sL|J2BW4!Xdopt9_ER@s6TR@^SaOtZ~YaSrOOGPg{vYep&D}
zysttbQ7(+LA_^Mwx#+wetlAn~zz$ZFDx$(!RfHA2PSTtBQ$Z$qDq5gBc#7nz{C3Mu
z-@-K4R|8;>dq1`yR_zylt(OVG#LO%eG35M$mfx|ZFTp%gC_z2=yrFvwNplSf7jBRl
zALxuPTEPVSMaz1Lv@>y%v@?T@W79a5ZPPKl1Fa@gr*z%KPo7R#wTq)y|KJp;=7-#x
zvrn}9LdsfDGxr!07|1j_xQL!}BbU^ps1#CRDFCjFA1(lHMZ8S`ID;p5zbZ5A_t!$6
zznhPst|!)_3zH&V#o!qemr}cPV^GAsx8$L^5>hg6My1}y_6-h!wX8$N+79uNk#(JR
zv$f-oJf}dd(j3D(+}sB`dggG8V-9T~jbzxNOiw!LhA0Wg2Nl=m&0t<t^lW>X^_HmP
z^}5yhl?3%`Q1Ukg7X51W^L-{3-SIB+sWcHUmTu}z-U2%c-}PF!)@Qa=Xfq?qL798%
z>dD(DpGVk-)Yj767G36CxdD1aV(so1xwgI8h998i&hBs_p<yU>ABn5W#vChL+d1J~
z&$WjOSVvAE7RN;?=SOT+^=D)dPA<(6<?#(V`q<7o!f8)xL&uW3g^2a$yPtJO4~}o6
zsUsvnE2ZH@>i(JS3h&#PSh~fJp_=g0zWN9rWUoVF^wWJ1;xSm<VN%7E{s@Nth7MEs
zW}<tf1uPsmbT`)f)9`T4Tto)gV!$N-E;v{IHGg81+cEw2S@W~q=z=fV2#Xc@!mW{L
zi#J@50~^Q1V!Q<dEYvA3w&E?vBbEQ#+#+p?9S_vNNgFZ4rMZ3o@C07iPhUylpz*1`
zH`u!+TKpZur{3)VToi~W%A~HljqqhhoM;-9qmxo^12fF*7diL@M7JhSwcc*=RE0lY
zA+%Y+%ks`0G={g+`i3{1Gpru2t@OQYUA9m8q_Rs6Sk-EOn2ge;w4Cy#S3Ry<%i)n1
zhzbXBy;XwVea%p+OpmUfsX%Y648Uyp_IyonW_kJ*_v(=X^Zo?1NMSuNtTmdy1?}dT
zj)<U`p2aZ<>^Kezn-yOt><j#glEK>}0!S+0-VDVM^K%7k>X(I-Mt0uX+0f8j=!S}|
zOEENueC9lLydUn_L5y$b-6x{lV7da?3*r93d&PWG)vNC(FT|4}4-w@p^;eZ9mmu|a
z<vFg#d#q>lQ6$LqM?B^<>3nX-ZL?XH(m(Ub6JkU+8P#M{DHPqVw{TEP#7FTSNErh2
zQN-xUZD2-EGy=Z4-*C{$^%H80J+(0Dc-U94Fmf%5hnU-_;r(^6Z2v^*(2^eW+sEGk
zY_=|DUhUKvLpczb8;j|=uPK5JIb0Qe&ebzg6?fCCHx>q2C3L8-#WqF9du1d(zKfk}
z=X}uns5SL*LmJFCyL)}Eb8sgji(05F7dO^iM>GYwvi|%@_PihGw*q8lymB7i8%LY1
zR{YReWZ>(-a0O&(lxe(}KqB#BxMGHG{Gxr=oO`_;sl_dn62W{eGdzqdyUfI2q-8}^
zJ#U&B%8>2#n14qfH<j=p6hZq6QN1LF-9ds<#w-CT6B*BE)ng$CduaqV>$Y;6jP84W
zQP*XT-tT0-z>U8?8NC2b!l}HmfqR3)f)p*h(+ZkRDUW%RSZP}A9z5(%bY?_0rN&s6
z#4=!P<=<`nisUyGKNPVyjc?-7_zhk$Tkn30|IY;5Q;DdEVvPWm6~=*8=C#<7Aa&vJ
z8||F$4{$Z_w0XgQ43V3A=iZ0T@o!{uArP4QwbG3_f52Zl7HZ_%B#5V^tR~08ZXm0v
z?UKiOMiPSG)~G9|*J6;_fon8f_e2yvKYw+HsD!eP!QJcz@-=jIIGTTOK%Sz-9*MbB
zJUP3a3++B-GL-hXL$8nT8fec2RvOZBCpU1l5j^QEQTb!WU6bI&d0v|m9Bf(>zC@H4
z!)8UQAWlQsZ#AE=U>QwpY&i={49Qfuo`iOeZ+_TYY#{%zKgk;Z%A%ka{Cq>jm+oZ|
z9GG~dqkiaivRaa~>hAm2pVz;Y`HMe#bfLdoAknD=a~pu#lc=hns_h<b2<EKVxwRQ=
zeU}}$=49ng)(I#O%u@!Ruls^ylWEeo-okU_u*%uJu3`^+^mg>}R17UyvVQU9Am!<4
zcwBp;$6&V2GUnxgon)DfYK#`?0hBnC_v4941*!bua{KH8kQ0B`iqoJ7p0~?J;;2nD
zFecW%Q4#=drD!p?99JQ?$JSSa>zmJ|daUPOow}bGF_D=bdlOc%BZ%R{OHc%M?r1G>
zA(xJB(2X0eTt?evFd1AA&Eo(g{65dUWGgXl=KY~p51!XU{OECDWCTlTP8O*beR~a_
z_+G;O8GtQW+<R(k8GY~i5LmZfJ_<cIuKU=y^CD&D=o9XPeBxpM16t~mw@8vbEoTxZ
z$h;S5MT+lYi>-mXVQDCk*chs%sBWsISru{UUj6whE4~h3)tk3cq+dA%iw<zQp&|*&
z{q?gn_%W~j|CfsWC*0lUt=sgO0&Kdb$8UY}eY@8r%e&A}CctFZYi(>t>P>v5QWPoF
zyRm^^NFVhu^d?c>n+^OERxjL4!D=QG_BDN_7Dy8K(Cw`f%h{qqe#`&T$VP=|^#`?A
z2Tr?-??`^8PmVHyqJ;OrtNAwkdMZtjj6!jIjIZ#=bBX$g|BT6PtPg6SxXZp#uk_L1
zTM4{u_MUHzzZFV%iFud(!8!LEk2Ha~mKiEPczBp`A}uV)YcMOXsrV<eaw7LrDEN+W
z$tXe?2F)-3)#Bh=93nKi{^P~9uO5BU=ZRlza9nTX*d=)7{Q$JbxRsXciT-e{bCNXO
zp0$h|1urpoIZiN79y$1XaSi+^2M;wNQC{myH9*h+>);Ii4IOfFPWO*mEeRi|sDPTQ
z{{{*+{S@{1Lz$7BU%=9|fc|V7S0i0crhi~t`ET?cTxbH1<J)ZoCIIMY@6T-Rihu)9
zP|XvXSe>t&A;2K7D*%bhzhLr>1$;ICm0NSb?)USTy-WIuJ!CBpCDFYG%AMzpqp&m9
zC!$u1PD#_Fs^FiZYngQOtmxhgk3N;zlp7Cv_Ehd58jmOB?~_cI9*NV)zFs?iv69j_
z*!J`VPGXQCPVoW@h*d#s6~^ZV@Mt*a6z&S5VEP5C=PLX6o#qFNi18*K@HRrP)j!;y
z7U}pcedzC}MZTviCXAo3uHG_8966z$>n`t~v27I%%!{a%3tk|uV{Un#1{s&%q~q}R
zu1L@<*n}7n#T;rHR+t5C+T2=3mknoBWRW79N_3=38b~m<_uo4GvNflk{ZXS*YXcCo
zmq3mB>8B6uSg&Qw-wSM#;|SDOxG6`UY87CwV*TdoH|K-+zKFmNZ&1qy680J2$p9ll
z72-5gB9FL~_%)F>^PkFpnly-M_;ko=(>?5eqLoj(7Zy1|;&4Zd4SvP=d{Uxp=_*Rf
z?I<dEYuCGy%o%2x%$d7g!n-4gcBY%*<}7PxVwwEqk4ljI(HkUP6>CcSH?2J&npfyk
z`qwX~YG7ACmBSmbv98>ErJt<E?tKP)K{xy06^4@$GzAQY_lT~=ty$Waxoo<fl_W5C
z9fd`Y36Z$4{G++1|9AQP@5dEh7uzUquqK*?D(Lo0U4O|F1x)H=4{9n6WT7=qcFlSI
zBJO>c)mOK!-|x=$*P#4p^%a9TOKdzw(*Dm6=#VXY96K1+G3zhr^tn2!2C6?GO@(tE
zFhj5VQz-E6=h3RS^?+09JX5cA4G&p91pN+V`O_HBBv?VlrO4za;lPWKa$~1aF#{>s
z^FBDuLDPhN(kRs<Ga3))yVbQh>o<=q`ZxQPA9yi6AL0Yk62Psl;#umMjwKEjg@lyx
z+F&WX5fU^@K_@JILrvO;SA0cTS!F;Em7pYqHp7#e#j=0$1)yNy`mo@=fYTvwjg+`i
zr|AT*APjMuV7O(x$6sy%EC!Tmru{b#=vf<-c0#JXa2KVqOtkvlCUeJ<zK$H<yjVR(
zL9P=;2w)w(S}@jEgTVw!6J_0|D3BDaD5;5SiuZ?SBtoY28(9luj$sBO*t&m}o+FGP
zfehKQ#PJXtS(Yq?y><lPnep&Z(eG;RZTIi#1M@%vn3eFi>g+AFj2*DEJl6Y3x15^0
zkW)3QOg*X;+AW7r>sAx^Nw#FpUsvMS1`Z2W0Re%o3x2Enrlf{{V}$MJZ}wF>4&{%1
zT$;BfmY?ZHWg>><&C?@$W+XviZf1c(go2V5NUZhZx|yG?tDWENXel~QbwF*`MyOhd
zoE|FXQP29dr1<#$$)0&6u9>vT0y?+A(N4U&g*0-#h;d)c+Sx6M98dD{yTY38@n-wy
zv>W?KX{kLNO+8?|j>N$#$~N1?1sq4>24F5mTos1Uor7M{u>V?~+gN_BVd*X%JJ_Qy
zmLP%UXaoNLT)Y1BCScilaTEXWH@;!YF?1e#|E;iH>_+(5P9SU_&Qbk7ocrahe!5WP
zbF0%okXV=02$Tbbr|<<cP)9Nft!$A<sml~aN0oc1XEq;PPFYDAV}j0f3#hNuWlnt-
zD!f{6cj=%eea0g;K01J<!4z3vo~h**x1ZB?uX;AaG!xxQ<qUDd46ut|y^v2bT^vSj
zS%5pztS|4e1-fN`nveRI^8Xnq{}R(Ox$bpUJkVOb0MVIiVaoUNCBH8K74bc4`X}cP
z?q=gFURhvVv8IiZ>)ZE{Dg9R8_~%qM#?huEq#&MtMWN6Z9~`5IMXbve1yAUsSDAtS
z*;k$m1_<ip0$M+qCwst|zRU)it3`QG(9ihdA$I!*kAkTe0d*8`T<nSN^#a3O1GFIt
zmwSclGMLda#CbCygGB>GpA;YvGPOmj!@T{L<+~9N9rZGLRopwW9m)q>Hg*j+JYzO$
zKi&hE4e@Y<xQlQ-0(8x#Mok{>Zv4GVk`=-nN>3sg{UWrO|2)ot*VInca+B^)?A-cY
z+2wC0cD@amY~6KZ337Ydv%Wv9=LSYN5`vQlDUH)1Ft3iXoD!n^#o&qMDj^bl;f6t&
z`KZc*(T%;olA|qfD1zij-g2O?-~9NU(YprlQtDQn2h$qvqX~QlJJ9U+^CV5#EV~R0
zPYMo%^*)sG{?$9kTh+8QKdjDy*`3soOdeQ_Ye{SacJ`*z_;==U{HTu~4elM@f(1+{
z_d(nJZI?;QhIvm~2;ZFf`u;vp|23Dv<sf)kXqkyTn@-X;`W&y>k353>6#BtaY-6(K
zJ$-wb3fH6}SZp5qgurZJV?#QD^V`uigC0;f;2KE^1s!O|H?t2CzBoV+%TmLldBW}c
z<PKx<{QTeiYQgXSs3L$%G@y7_i`mg!9<OBtOR$4s@~dHq^{`N43ORU%TTBSIfgD$3
zKbSNCo~v3j-0pT{0u+vIuutYNH<&LOrYk-W#&c>FuhymONxh#3!zvdkb=2C;7zAyl
zmnR#c1;<Xh-np)v#wKfFatUuIKcC5ngmXEJ1mx}4nD_ryzGVgzC}ZDrUKMi5zb0h|
zw=S^1P2kztqkp3`@_=AIhj9h%Iv1bA8*ymp2b}+bhV=`6o}Dh~Z9ExBlp}dIa|r=d
zIDCre<=u0fU*lR{|8_zJY2ahumg}U67*3mK&jl9(LZeL|y5RH>0ygVNgPNA9hJwd8
zpyWe3R$I9HU>wu{>p#zJ*l=8ZbA=E;tZ8`Lym@GFBKc8l>?&9QAk%#E-zurhz2b(~
z*$;LB5am%cbFwN!V>yV3jlyjP@|_CVq7Zj@Gl$NvMBOxy06u`&JWy;7T#pgcKV6R}
zi1N<AF#>AK)a?tt>W47zQ+v)FkPS7`cr7{!INl!j2#&uBw03^=R@ccAKda(Z!R-RZ
z!J*n^M0s5VT7Hzr0zw{8G>2?~&Gc^AHQUU@$gKV1K>KeMhb!RbvnMIW1qQgIDoYs=
z<CBk;<`R-cA8UuXp8!td9nH@GGu)+Y0e~ThMUh2w)~@WXoxxz6?DFThViicY7sN<A
zn^Al6l|#vuD&Yg;sb|MQy^!bseuQfK3#$TH_D+WFX7VwZs54Lia@GWx2)Ky?8-Cd~
z2D)3f+sxh(<=LS-g6Ric9)Ka0JhOIbj?&c!c*&eaC*!5rK;CUhq~PTR&bBn%aBM{B
zYlI5_{4KKYg`Mf2Tcka-ZV@xyqWHfi7@tio1959X_HPEh^*`-*S7$-Pvfo`@oMj+i
z9GS%!zE1Wiu#V1E*n2+rnwh%Q?(LM|hWo-$#p49Gxqf{OaP`<Y^L`E>?2ZGC2B?`{
zgc?krm(}onu^yd|-T$HOt;4EZxAxH`f{K_RARr+rt)w(6oze{|-3`)Upn!Bqx8$Tl
zS_SE@DHE6|U6Y0hOyWEf1oz%&eZO<Qz0Ub#T^GyCc;DxJ#u)b)_Zas$&1?U{sFX+N
z2mncpfb0C=@{7QvbLW#n<Y&7cj5Lu0i&aW|Y2iJb#Df}VGnlgn*uVzSQx`D2Y^Ua?
zQ8L2~X1@VVndE-oFlsn~V^@}lZyCR=t*E1ofdX&bUGD?Bha-KnH6sJea|Ky`=n9t?
zqSbSsKhpc4d{i&A<b8!2tQb@ej|jI5%fgt#jl7pl5+bfxsV_)W*(ehkakZ6-zN1cl
zqU){KwfVRZ(le*74eB7MK@*AN+KK>LA_$~YH{{PD-pVpa6|K{W@$09*P`_+K73Pwk
z>^&4tlk$3j{9)4`29u%>BUWj1P;0?PQE(H?1mmSR-V5*-oK#pshSBM;>^lrt^t+(Y
zez{zVI4;YG5nhh#IG!yyY3UP0kp{oXB72X{fJ54YJweN}NKvGBI_UQx?Y`6ToL^4=
ze@ul=AGDTG>(#llnQy;a-;0|}pFQu9?z&}9I;)B*9?(0UY^VGOlkFX(I+snx=h&5;
ztcLM6YS^D2n|m=Z_gg(p(V=>?J6+#&|8~?B+yOqrzIQW(&!SoN7?1}WEoz1cTKP>k
zF_xO2FL(fh#sLNu?Nywd=!uXEBj74Hcx*tZz89O-^Q!4kA(3;IPHxEgyEp`g$*LOd
zfF+JHP9l0ih76K}bguQL=|-OiQ~%7e`Qd1W&S|?fWuwNh+}cdJ8x}3*dW@Uo{t0f%
zR$3^X==-cT_I@M?@j!NarPDT#JAU#21L2~k76sD$*@uY>GAB%1dKJ?XbPeZ-3qY$k
z7_c3-^~F2m8b74}c8(c<$<xWQZBU-CD6eT{QZ0)En=}-pqFSOnP}`E>TGoZCwf`}}
z7f2H5bKX~~tRyF{*$h^bvNT@bT?C(#xy>yJ+7j-bPDJZfa@IM4ECgLU4z2V6UFw|$
zeZ-_HHRk#MpF~5YOzlC%zQU2nn-yCOW}NYp%*l>~Bry3UM;6qcjD-^LodXAlWVYk|
zID(oCID)#gocY;IocWL!I$!qZ1Expj1M)oc0s)dhMc>mBvHFa>JQ&%TThR)<Z_)ol
z@c~>aH!%Dwec%d>>%sBbQy_DzsnA%B1u6k9t3HBu!x?HZi*-l8v|Q3xo~Tlsbaw{1
z<D;zytV^M=*O}C^irhx<##m0amoyQYj0rJom4<^s&$ceGKtgm8+&`ef!DiTZ#lGLE
zf;+l1j=Swh$FYpRXYzS#>#h<pCl8xAvS@CR5uKm|b&dbUOu>I7=%3_LfoWaEU$wl9
zzh3Dz`rUhb3v|4529<(p1GnVndthYCZoFWW-B)}uGydqAqX?AV&xm(<66GkkjAyiS
zZnbNb#Jl}WASU%R^aK{v1d(sZ&6yW|myHB65ba4`%h4EEm!&|DRL6tK#S#RJJABN|
zNy`qMoEN2yhoQ;LA1P1XHU8k%%UT`UK{rV`92pa8RGPgVt~f$B%}<BI<v~+I9g|on
zWRD0mghVj9nPolW5?9UBW{K?1dqHM>=&T1;z|{^IG4+d}J<scZ;(25e(EVWyzUaF}
zM`TKl;))pp6^va!)PcZ6T_zaFVrH-JDk6=9P-6cimGnK^i1gRFC%<EmxwiGMZ*Mci
zD|8iehYVGF^B!2;YCHt}mqhmq>z95Mjor4}zkM>!2d4dMb6#lazXnS-q`P&;j)CWh
z_+kXTy+1#yBS5iOq`YiC=Lix)c70Ue6CX;P9!h{lAw+op1cfYsK!c~$#+3?QY}3;#
z82qoE*#Duxg$7Jx$=a3cia?$MtqibUKduT>69w8SMG#fQ9r_!4#0YtzgJ+%|ToX+X
z^0J=(asZk-{>3J1ti`sI<PVm<((<CYNPPy%f8-oN9w{S3KLQk9ruxAL0VO3(q`>{z
zvK50)R+2mSAxTy6UUGmW(hBsO3rd2ZA#(QL_!9bF<ex$X;q_yQm>^Kph0c7aR6*aD
zaGHM*sbmsf;+Px_<rK%iv`cwE`|+e3lHTIrchT+&3HOB=c|E3aIlZY$7Nv`0-@|{`
z#iEFz%HTiMBK5+OdqLH|K(<p1*gt`1^?*JA!+^Dz`*5gk^D|Ic_zf5+ke5$*oKd%6
z8^c~SIbjvy&)h<TzYy9jNfv6USm~>+m`(0!wSI}a_xT%b2MHgZGty-b{9#W{82%{^
z`{EVG801C)*608t&oSN-NL(EcJ25GqgH%%t!0rwtUmD1_O-F1ieh&v(s}>gL1XA=i
zAg5bVjzKF-ONN(j(Yw4Fu=dKHVhxesUK(SRo;i^BOhA&H?cN3zdi9gi{19bEs1FAJ
z>;e(*Kf1Y}1CB=dI*EjY@_O2AK+S<U@*|M%_OlfjQb2qEBT~)PUPX=7wc;;zxOe8s
z3iZwd(!ji@9Oo8OJX*`^?r<i4h3{@OKGS95(@XIeh8J4t15EE(Wy=t(q6F`TL&97T
zQ(-cQxmn8KIkD^?ue23Y$adqWZVuB%nzztI?!}*NZS2uQkJ$I-NBm1syjkEU%b`8_
zx7?n#mkOZrt;O)*K;nBi=mB{EZ&Em@yJUYv3XHGZVxPC!Nx9q(hht7#tLtHXp8gJs
zsJ;zKzCUq0?e!mi;~3C^-infyG?{wWMEk9p^Zz8XRBG1QpN0EjXjVwrp#Xq@jy#M*
zyZ!nn+4sN%(@I&G%Dwh)#3TB#OXG3+TaFexjzeq24oUsLF$f`7C%F+zXaW3)$0Gjh
zdj93p@tgjRal39ieK=0{Eb7iVxDa(S&rnH-c%EYGSdezuA}PXR>Za^H&c#+5&gFRg
z(?2djc*30l4&_7z#GSD25$yyx#<)gJ;p&|Y6-C54d)`?6$I_<+hsH63YFC{fWf5~n
z>CP4xbT^idm;?Pa!v_CO#ls~w#mr7og4P_YMT41Dmt#ExPrWylN7u43U<)br*Ey~8
ztYi&-(X~$pI1{KJsFQ>)pF<sP@eYNtMM`NtQM%Y2StiY;;Xz8`nc!G+Az@ZI-;Cb$
z2STd(7SdvvE~&m+xEwN0uQi0Q$@~BPGqvVs4cg@QBea`8iS<4UG|yGn*F_OAj(ztY
zx|Y%u=5iD+-{fUX-nLUdB8}e@l^wyn#jE>bH&3fdQt&nhbfN#f-WR|VAjj{5jrYo8
z=vM_kz#N*aQ)m-ax->3)`AyWq?9ZfkQ_ZcpQ_<vJk?{u?r@K8|y;9UW<NgRF3EQ2_
zHd@-PPcXS&-tkCEo>iHu(*UAhF=79u=+~#9>YeV|aJ9R6zwTI{vqa5WIoxs_?iRn9
zr86nPr?_VD^n1)NV}r(%=f7;CU;XaHV%RWaH**+)EjvHk=l3XEQm+t?0z2i-L7w<t
zJ57VUz3-lIa+OJJU>;aopr7uaIC@g&wIsL9WE>N|>*iB}ZwJA4hSWl0u#MrCq&c8B
zCJy;-Ih=!_Rysz4y{LKI67;T5<CIEP3zP~ejByc44ob^Acl3Xzb1vXD2vQJUOiuY@
z->b*kQ}oHxQEdk2>R0gCh8bd@axAR_L7pt@@BhxncUPXK{^t&kIXQ$BfF{RO-3_v5
z2jiHIBfkC+GjitgHtYlA+LFtp2i=}-_&tgCx}230T?;|sL|B?=a2)7@FwS!zJg>?3
z2E5C^!@yRS<b<BZhWi+3O*S^WpTFCXg3R?c+R52w%XaN%Vj??i0bk4SaGKMe!#w;w
z6+WsM!}JsB@t9VNW&_qr69en*7A5NqR4l@(On)q}&eKX&EXx25k!IN9;XeIj$zX^Z
z-R@8ShoNq=z5W@8gV3u^Do4lD*D+lMXQ;K~*9K5o%yQhqvU?QnKlH;FU&{bkKKK@t
zUpYs2JIJ=mOm%*j3mqx_gPHv&t$y=(Q)rkYJ+q{OPO}O}@D-C+d%e!RK$h3CA-;Ea
zvJ!wqf(MDA=6~vZ8_~QBa7vTC#z~`Kq&GiN@}KZy;KmF0AJAwNe3Jp!IrXYRT9o`i
zH03azW^*jtv!Eq-mD;`JG6@W8aHYV2fcwoIbgYdjQv3R}*J2XxNLtVMp}?=3csJ5Q
zr=nj3v?;MKW96R-KD}2vAxoR${z6S(I0qtyOz1x;*g68n)Q_Hq1Rq3t;48k^E@RgU
za)6k@tB!#HkBF;$&T^O`qhqmU*jX6V=8SZdW}gS<mG?eHdV3Ut`RSC@g|MNXQ)L;w
zW>CK(EqD~o!+9F;c=hBo@3qes6g7eOzGrd<S1!Fo=M^9(U)T0!6GNMC8tp$Z-vk4K
zo+_NjfvnU<_`G{bB;2(8sf!UGXA(xZb5052cI9KF(~HUV6NzkDBj{1Rf-g999bXvc
z<zxkCw&rJRzvG|bT`m_F3!+Tl&|Razk93S)+Qw%g@?$vakbR~UM5}c~sc6tVF!Z0v
ze+>QSZ`)u|uOgyB-zD4s)p+>-EtPwURT}UZOUn_aZIEDp!nX70T63K0mIhj?7kytF
zl+nk+Dy3Y0tdGMq0Ln=Dp&!f9(H^4-i<~(Ui<}i_Y-CumV3KBt`Zob?zNL~TSx^<`
zp=mo<7L{{}D+&X4idMHzdX&aAgiRp>>A#>F;il%CSCK2q`gU5-m56y(cLFYXw8OZ4
z+8Kd)qwqJpB4OzKfcKL}t-Ix)6pEGTvM@B$p550hO0ND9fT6kaepJpZcWh+4Ey8%_
z<CuB?`(PcDJ|U=yOaW{@hE;6#Dd*BqtuDSoF5&|XR;g29hY88sZCSE9&C9n0_wcPJ
zbK&6^_tosSXWpQDK*YYC+CGIh*cWx&m<)SrY83B1j>IOq7?FxY8-44m_(NtF5pT)0
z`<3Yr|ANl9HejVnMr(6mzcM|$!m%fads^YN@(I=l)nlXk3Zmu&MzKmS9`RFasUjlC
z4^g=m>P5r+0szTMg90#`)NlWWCiPou-CR5>Ujk?Y8Na#A2x88E>R+LK6C$UST^4O3
zc>gHEC2V((&F#GU6%Cr?GGx0-wzu}WyP#Ej80cXJbCOBvVt1dRiHFN#-#6N&4!X)9
zlNP(<EW3`|E5+`+m(4$bt|iJ<UvRbjn38qMo+WTBt3a!oAdAjzn}mWTdpTbTO(I2%
zm=?<`C319Kt0rH}%4<;v2<lDWE^!9NZ{8zz+7Eui26QT+jlY8FKnC|1ky|LbK&HZ^
z4p!~M#XtL9qnb*6a#?&<m`t46!7MaD&h$RvX__P~bb=(=PLbpehUFckH`I%)Zc7Qu
z7sPR_-ix7mQT!*V^P`#A6|UBW6)qrn^0^dw4vo!c%YLS17(H@f673R|N~B;$aj(X|
zSKzN+6>3Kh!9ljfiuOQ1yN1VLvbU<_)Zw&78KXo(IVUM$)o<kpQvGGn2k}2oBzlh1
z8N|xx<VR~O(yVysuCF>tZr!U)=RG&O+uAUnA|0&lAo<GW>>|0IT%^I%izIvwypS+I
z(BFdTvKSArSSEDdyFFTHmy71dIA^w|VRkCgZ}HD3Di;^VtJf5kjaSQiP{yfRm+Zy-
zupu-6!+4|BUqB~Ld+boi#zLa0tfB`tM-)h=$FUbFQhe8(=Rmpa+hNyJFhSXt=ak*=
z&sQg5p<TPCGND0L9~NKB)7+Tsz5S6t?@SGbP4~o7jP@ZBy?>!!kV6%hHBme4J!wOB
z3)O}6TNaO5=!J!v=vyamKcv?dWub4J9XL(Fgo%N-2ia-HX?A+@ieRz&*xQtVCr6cQ
zxP}2zF;X;;n6ohh_M%@-Ac?AU_8BL9ek#K(Yxg@1NI~(AI4e{-hCF=@R9P+{UcD_z
zw_T}Hq(+J0P#Nn5Y4BG&j>(xbDZU16DgW7w4*J-mQ1szg`*rdy2Dt{he3jHne0!BG
zR8<NL<rLA%S>l3pE+XZU)5La?8G^HC_jVJlItg@SK&p1C)c0`NN1339STCQ`{|XQq
zxS&>n5LGPOo*(*Ie3Ty@C|%JG<^=PK)cx5Zfu=j)u2TX#(yJM2@=Sn`vX}OPisuXW
zq92DF)9G)E-4BUTPa8o?+D%jSGkHLY8>fg%E`|vmRObItP(e5FJfLx;0;bX3uht&q
z=my#s6fc7^(dUiz4J_D3em+w)ClBjHB$1v0*JZlFZZ!M?r>+duRIT5?lI^1Jm|K6w
zW(R>bG+x~&#WPcf3}v>ulQ{5kIjvh8w*at+@xOYCVtqc`I_XLyazWYjdSS1|=gvZe
z|2N_r|Dp5wk@pdP56j+!m)&9-RC9LU-a6>R{DaN~lB>=)Z|fyHuBrpurv+4@tRnHr
zs{xVCL%v^iU(|6-`qu&)Jrl;bV)_bxYr;(0RpgJ;_v`I+JRpF8D%7!9-0v_EbK1>{
z5^USdodw~I@4x6~{X>#FzG6t$SzTiT8opaW_CaXHV`oAf&}8<rh<EuFfQ`(t=^TIt
zww)CPJvR?_9fJ^AmFBtVSq<9jddz?>)gX*2VHKynzEd#u=8y(UNC-&z_5Pa*`N@pH
z%ov~cngT$H!J2ael!OU=H~wFXfrC5vuTsPVa$rK3|7c^iV!Kwg_%bQ;4`PzNuq98e
zBGuRB(d}SzPOF*w^7GfA#hLR(V&1-Og5#2mMXA@anE2OGXKP5vLA9L$P^cyl=k>H5
zh^?8q3YulW6=8i^-?f%N<AG$j%@Aw(197=k5b}AF@>Bgz3>yDFAdm(umwLpH3#Vm-
z7VY2D#+Aq$YI4t$^O1k8kZ(%)^8a^Ak_vpGmrYLltGBri+1HOnr~ot^vUCeohImvt
z#_#qMyuIwWAq`UVJEU=S>U9ZqEepmk8V*!`vg+*)8UT#W<NO+g#bzbpkz{F0o;0!H
z_k`tUUwNDNz9$ugSwHcz9u=Bbe~N$(dvsRT>Q%_jA*VCMz4VBo=KEdRx2i5q?1GLm
zGS2NY!74WK-`=)Mpdr#1XEmP0Dz)KK<y^?OUY?L<1)K!UsZ=H6eH<d!3|j}TeE}Y`
zM`vwU!W7!*iq$W1r=X|8i<>|$4TB5}-nu5=(Z2`E{<?2{4H=>UPK*S~w=5yl&Y-Tg
zR#m{A_u~%3<L)R|Qr04)daHTb-Df@80Beq-cvXFQn*<GWBZ_?op@|Tmdg7w^_FDNI
zlxKpHz_>x;(P`eOl>f0_tnOoJ&x4uFC+8p_IXzSFVml^qLDL4jwgI0U|0fSJ>#ZEK
zT`&FB%jdVGCg&`6-0TJ(zawy&3wgYAr-f$p&CSzr|Cdi1x<y^URb+(#s}#=iffArL
zprS@1cBK>Gzc^$*>-V-KlZ5BMMSZ__+X7hC(8u1}=qm9F3jxP=n)lEn1E+gv@?!=~
ze&`}OLH3Eav3Td;eWiYYVkUlcQ|$sTixHR+U^Aam3oGGnez5$%cmb3D{sm+~jwmd(
zPP;t8lV)SJR$4a01j-!GJ84PlADYSPZu|yYW5q_*5lng=xRW@g1fuyC=vpU0Eg={w
z8GEh6(fS14Ryq|*SHG8~dvmdHIXymwS!};sYmGXX8{WEJ0wtZFwwHWyDTG<Dg$071
zgf-j#q_I)6lccb^^Nu$7VNX~gP9^oZ7^O2{V#;((U}K&V*q5#s9$JBN!GQ~nzIlO+
z>b`NBiy7$D2=zW<eSQaQZAF<ki1}CmOA)C7Rc@-jDSv!Wl%;Q4`3uz@53LL5thXq<
z{vF78|DT?7Rk!cF=<B<7y%d-uw^|x}QxwAgqaEQt6uIgb94%0wa_w{#1_b%(f!;iw
zbmOCf7oEdtbz!cg=8|Y&aq#I>Vy@E-8vSBgzH|>=sc-TsM#DxeeKCDNgay^9r96-E
zr@4dm`gh~9-BPq9X@Lxgk;|kYYkUv&u-x}}Kh5|R#Gk0&L?e#b#)2i=e71aE-S2Q1
zVqcYKdi8kr>j}%Dd!#!b^T+XbAgwl;KRet@pMQ&q;Y3-9p(CR4=szJ(VA;Q8S=m^u
z-eCw&L1%Ea_qH!8KLj`PR#6brD$CniDJw+&;3Yn>5q=vhNGj90LQl&ro}W0uD|$?T
zSov}c3MxaK1F86hnYu$f=j*$=YVFm!52}BBt^%W;@7Gv4Ft<RAd>VG=B5=z)Ufav(
zWz2HSfA08XIAfl}SGbA)^ad6_-}b9O_#@#*x9BNV=4<_KDclrE=T^WZS@o->c!4G2
zPswnvcCvVN8t#F|R>B@0L!(r@(Y;agX*42kytAuaz<%b~=~I|r{*3>V#)r#XkbG3-
zCB~+GgT4QjZmD$M_a}P6+m{e{1&S~l-F2S=X*WzKKcp&*2G0Ct>kN1_64)@-EjUC|
z_wZsX1pS3k1Ec+BoUGY-S+UH>W%1s|)+%%mLT#8ERbF1;?oqbCKCNml@Z(ac92Img
zxSS_#w)%NspQ+A6Y=Zp}kwD=}<FN-Gv!LIi9P=B|*Z?f%?R!kht8Wase7Kz9@$0K|
zDEEbO*lo+w1rL1p@?o`(dIc1heGI0i(l@P*iCKbB6yF#{<%ij?@ruEp+DNDb!v?6b
zXFl~Oh6}sF-o&3;?v0i{3@faclF6NY!Pwlh6gN!yzy5N#RZT5i{TXw<&(!34G=+}f
zRm23_oM~dv_Cwh(_ekZcMX;m#&*lI$M7}_Fa_}x<m&!ek0PS<wr8fo7AGXFC+38M?
zv`J2nuoicfyUx4r8qH@z--ipE_kOOsktKWW!0EBxJ4{Vz<@v<>eZuNScqZoqx%M0U
z1Dh`Os9ns9hM61&UV!;v!h{+8YGr8@a;Ju0h~Yv!G<lbmhBuJsP@npBX??a!v3bs&
zmi<C9utqPhhJgiH<akzHk0|<HzG|4i=OpRvWQ*OG(ceSH@~Fz481~(;r=On`VH@kM
zz#H%6hs%_C7C(yLduy$!&|SkdNqBP)P}8_3RPGlrXv}jk1;LMR9Bh%omX9$Y0bicS
zGk}L?!ZT5mJ5nu&jNM#ikx0JU64pavZR(Vv?T&B}bliXOHMrPxiz~^}DlbHM(U)@e
ztdvol@2z!C7uTd@nf+S=4~_`2yp150+vmIB*i+`<JSNwXOk@0bh>1@#^GN~Q4?P-8
z;(eU_d>LlX@}%OR<0rlOpHCVlOma81z51dV9<GUwnA1a@bf3a!*rlS~4EH$sMxW_e
zLdo3>zxG^*Y;}APu3m~PFl?UD8RA*Op$1i3T(8PL$n;cIRiryZ)v!eT!Kg%XV3P=j
zC5JK(-PtKSVxF9`V<Pr4wVjW|BzCBt4;34gaJ7LLvukq?S#OCz0((D8X4>pwQRzF>
zC#(2SC)+2X_Gd0hLk)dr!f*WBo$(3dY>-U0<SUBmjx^eIS1TA_o8we0ULsN*9_jX?
z^s@Y63c1LeZ!r8qupsXU1x+Y^*+Dn-ptbzQJ)#ofav;&v|EZJUq7}j0MV!zJ-!RHz
zVy1{0vbSEfcZczfs8%f0TOx$k57w^=N>-@;IwFur-XdI^ab2?ykVr_Z*irWE-afzn
zHNAj(OCqP+sX|pE*-<)d<IgiIeS!SNie0L)vHLUs8{T`4#2avp;Y9~5ljweY2jojw
zgN}Sfmss^@n)xmllk3iR#sqN?6Xo}2&!*FhqmDlrKKhfTYU_Tsc@A3e^&$$s&EI?|
zaE`Yybe9I)t)qJh7oAAMG-`$3FNqcRz<t6VNG1nbo)_Qa!OiOYCYgM78#$ZgU|#Qr
z3+P?Ac2@#-CI^{A^c367OoS_kO4J9G%rykh3oAPhISj~Rdi<ZRMMbo&htmTWvdkYQ
z;Ks#c*SI^rHe8Y^5&BIO2q}HBzSXLDT?uzwCVlM<^(X&%NI%PiX{Vaoh+h)7qDf7n
zKNnuCy@$9NL7R_NDy_X+3D(h_oKMIqhShhq1gi*4O}dnO5#u%ooqgr9ZuHt&?{D7d
zVxf~yj5vRByL~f8X?hF^5Bi3$@6`r$j9Shkp;3sDqbMhYR#P2@cCQNh7;G;{|IBsQ
z;>mVLi4L`@vg)voGwB#ZE)q+s;`<W&l>a2!b?E!(686L`xFz)$<5rH>x1a67tZdHG
zRW8W}GPoxCsM{jPrv*NtRf$AGLib#tzydK<Hvzj?a+y41rWfPL&~l-*od<B3P)VM<
zXRncgzS^{|7>G{pF@^+Q2b^kz@0CTm+`8R9n2>Q-d|w6f2ECW0D0<BaJTZ1J$pT)i
zvA2n!eRqw#cv}U>O!(EK^J1-7v(bYi^6?Mvk~6u9)5_eLEFovqctW9ps`P`qmP)@U
zyMYK*M?4?$b$UR9t1st9EylM4edV-9_?+}K0TKSf@>A7)(6dXpox10OqTfXMg{?TL
z656kLQsZu3l2MnoyArmdrn>cn=`ib8CpHvrO%D{^NIp*zv(DUE5D}1@WK6pG{S~<(
zn6}3a#DtZwvaleXt9q-3f;y`WhZ*(e9dS*V3D)HEm8gO)NF}R?|8#2W?97l5633<S
zDStFRLSvk$lonezWaxK?FKmG}Fn88}V0bW~dENjzn9CGtRoOGUAjEW};;CNLYplfq
z>?QC&9n?9vh<tMGVpr_?6rTLsF`I)6n_<?fnawO{k<D=3c-ps@@vpty?@be*_PYi#
zYz{)GR>F>!N~9MbVP7NTrvTfC`V0%YU#iS>CYd7CK6SXPBgefY&CDjYf916m-%zF?
zLRCI`fScv*B$?cFKj*O<wW{04vJ@Q|zs8UKWPZKZ4$G2t_C?jtx{PiV;(W%}D@$VU
zVZ$!<QBEyo7MJp8ia*Lvzr8Wp9Nhk1;dNjyL0w2&WR67l^1<dM95W6WZRcXk;Q=aD
zIbbend%aDq<)=^D=G)lvEJiovvfrU-<zr>6xi4Z(Bur}s4&TER(}p95S`QB$GnvRX
z{L08IFkxm$m5_C4k~IQZ85)9`Jj$T+4HY&odZT^Gz+B$Fgj@y#qSH`24G#a+0ckez
zTQjO7%<Vzxq1LKy&v4B#bBRMrm-FxtsVpw>immax1DARZQMBJ&)4Tkh&h}?F&<wUq
z1kR{<$UQ&0>m&c@mg-UxRd#dVRDGKJ19B`Qxw9d-m#V;tS*OzV7<DI7;xlLy7bjFX
zd#HBZ)09zuY%z9$6XG!<1lL%uTNJFVGwL)WLVmj^$(KkA(JYH3<{tZ0;Z?hULv(*m
zqc#uM(pc8(32TLWdgwlCMX0Z8T3>MyOr;vHSeXu`CbG20ut#^q9YkgInv!tmQZ)yW
z4vy>wBQe7uNsEyLsXDm1879GvX4gx&N(1OaZ`;GD9>BiV6O;zjUs^mZ=Yfqp=PD+0
zx9u-z()w_PNJW%$n*Gp@<uFU>7BrEt-d)e_hA?KU1qG6${B`x}COlj`M=#}enBz3O
z`w%M43SsivFH(V(T^EGqLzfw27Nsw86%SpH+EFXEcu+ann+pkl8z)R+Hl+znp(_N0
zK;J1p$>-@wR9_E+lntNI^jzTU61q9$*^ds6H6_~nqm)gTM!6;OYcj<y36>(?GZ7(U
z(wj^op5dC*Zqz(gI!z`i$k479PrzrWwcMapk<CzXucgqMS@&LnOpFO>u?<|YHGwa9
zX>_-Mf3zy4Oo#b{n`c-=?a#*vm|B^hvij7+N9me_=IMG#cLiIEjT9log+Ehxo#*ZO
zN6eFz>t}c;!Ua>|+I}2~KRc^8bs?tFjb`jHsv=lJ-c`g4De9*9ZHW&~s|8qy3D$4C
zr|!+$TL&F?58{2IKp08K&9F=plL=XmR_^%<*K}NIwTT>NCzw|YI@p48nf9{?^l~-G
z9gQSov{Stc95nC$Bp*d${aG|WOHl>rAhOmbA}H&v_P_IPR+(GhimcI^=)et&ilX%*
zp7nBTC0SpiV}y7t;h13#1JBjAJF7!6Tx=L_>17o@Z2w7ekg*_2Dq4rdyiSW*DO0wX
z`~`DvFRAiRKDX^9HmCi28s+;sxiZYavQf=^t)kOy0j{DWU{qzgTj(exnl>;TqUD7g
zj*e`+34ET07N+!1DjzO3ac(57&yZ|qM*?GCcjz-O@r4E8J*{6$B)m?dFOs$+kt|_w
zDgPKMVxANggi_w#_xMsrp94IsSY&kg+3ZImp$+4g#Vt%&UG2qomBE}vksq#CS1QC_
zGppu(mT_~;x0>a#&ussoQLtOOo8UZ3MG6ywR5&7f6^0-v$qsHkQvT0+#9Y}K?OlS^
zr82Izu{Z5yBf$wrU7lt{?>-T&onH*)k~M4=8u93A_piVV%Sc*;sNPHgR`LD6u!`(Z
zf`RuqNBbpDGzDM}8&sMCT{J*^rMq}-DOyan|NIvsr@iqDk?y?4GjXo6f%zd+;@8Zf
zhv$<*RmR=3p;`i?s%Fp}>&Rh3!Ci+8pas@bC%G_aO5GV(Hsn_#h}GopIvpeRVXVe5
z++l8@sb0MRS^yP^<+h~RzDeFes^abT?C9p+of$5acA#L2Sjsagesmx&lPqi$0=U`U
z!Q4911i3o534N4f|B1LjJ!!<N@(14d67+Ipyy<xGbPFcs!5!>v=k$EyoWNJ4gl3qq
z%JWedNs9)KK360ii5$WT*^A?Xf5Ag}n+whIbr<r>2dDSjyVrSU32{6lWOFNaEdsXv
z5A3P8)MNLJ-Rth3jlh9z*XYb{%MQcRbF%rcB=GhpfBKvX+w2Ov7^TSe+_vO%^VYu>
zM(W??9Xds7q|atZM~6o1e$0t(u3wF>IeN5bQnt{HG9zZotGDfv&p@)DcYL*6e{@L2
zOm0fe{)ssRy&>*}{$D<l1vSaYX(2eiM3iSfRP())WFA490B){82dszXlgNt>)8Iyv
zi$|J0EQgeNXP52L53EuD0$4YZNenvIQGk8I)m52T{3Kg1)tpJzZWHNq@Qx&{MHT0x
z`$Bz*fRAcq_S6u9?=T98qqXf|r%e~sA4OCz=h4dxu0;qsK$msayQ%}WT5!t9bIb?Q
zLg0c1>O#Bw0rH!6*<r@5Q<ChP#e3bxNnT9g22kTO>e510>%U65UyT&b6$^ZtCcbmA
zad3C0TZ0k|^$t4jETaa|D@=*LBFxhtzioH;mQRfTxHd<2?7Y$o>>i)MJb_m<tD;ms
z+Za?nOLA199q~>UaOQU1U8#bhrI)X7F{|`2g^9@TmoO}>e;Xzw<QB`R>E+EeH2`t%
za^TyitufmN>OnFTzwI?A1(vn;g)ie-(Z1?5L7+PQyX`xnr{UAGg0*9Ao=>x?_5-G7
zwb%<LwW_jsZMBLpc|$G|zmg;p?9!q{5c{ZmnlzIZ&#r(U>$9eDCnCRuOm-I@pYq9Y
z`F7HZ%z8g*nu;81HTx=L;>D@8X5NKCu3%2+noNmIr~OO^eE>mCCU<R-Nn*_&tlib+
zS^Z7B@AxWP#k;S)%Gh2E2n#%XGzJU&Mw~31<b6b4BMdO}oB9+c#YZrjBI2-ZiM;Lm
z=1;0W;`%+v6u?a*-8X+!y%SIfN&~;6+cV&0>db_UlMQiA&S#65#u1a=1;BjIQGcOK
z|FEB30JSKhg1_UDJVbi<U2t(56E<mT+E=b)KU~y+bTkMcWbT(Ncz2yVYA<lPBB&dL
z+nNVQqzR=tVJcdsX36coSBRM-8C81Qf%Izlbv2ffAcaTs=RDpm>c67tiK4epl(}=1
zBRJznM;<y}VO11V5e?BO(R4*F8by|wk0_YIQQo@7w=@H2QV0OJ8M^Zo_vkT*h|=rI
zYWcs>xhl<Xbe;*#9n7OpF^{Tf^He{~-7kERri;{^NOHtuVZ|&dqpKTcC1T*|uOn{{
z#YRK(r4<PsPGyp^ggL%f)iHM#kDLt(YAb_1;wqQQ>eD0=I#HW#qem+mgKi)xD|T4Q
zw5`NK&0fMTwKc_HIqRvRE=6b21++ag5|W`<8}MH1uFD+B!jodm>9!3sRafIU3YdY0
zS9?#QG+Z;KqPBjCRKUbrv(@T@Q7*2v_2)w)fa436M(X81$$4ma?(bfV;dO~(S?SF!
z**C~zchRHBMcUWG9-|Tao&Pmr@8inEgy{<GwK+oJ>Ehvm)ILLk7_T)PIdc|Up6hQd
zXax}ZOUabUPd3%$i5nEsEyhwcE{|1<16*l7uEW~>8{UJD6}vTFYaGqt^|`KlZTpQL
zr{Xe|Wvu2jLkiLd)sL4bh+5JY2+LP#dHnbi+8~Ku(Hw>flf<NHxuNJrA7DVVibE6V
zPVEcC!;0Vmo}C!n0%}l7>U-Iv6W0DQPHCZ6S%YnvU7)S7k~zvABvIL&WoO-3E7)ik
zYKCD6)-Yx~I@rAZ%$X`>%eel{PzP<#1vlI#0U^mYU7HlN3*AJFQ~j{AKz<ZfU7mH#
zqj%4duHLa}^mx1d-VF~k?=J*y2#pnqY4GRXcQyABxMA-epP{CCv@7I&6ehe#J@vw+
z6xU?7EADQ;vD{X+X*+>sx*TFN)R5a6ey{nEZ$?SC*nplV&E!EXM4?}Eugu80zEV5*
zK57t})c)mbt;e<+qa1eWLZsQkpjpXG4NHlUe7ntldbDnINjI;!wY;osq~oGjl)Mm1
zB8u5dZGcy4;&P9VtToAzNQaG<#j^Kwm@Bo4f1=7$GpEmY^BOv+<;(1|LfH@G3Cu7x
zk37O1$J__21=c#PekH}5vg-4AVgRS737lUB;|)o0`t81Zd~8T;2j@eoo(r&dmTP#0
zLWFBsZx8I>+yrf47}|KJxt@f@xeAOLUD;$#uRLq7^HH_mM`e<0Gnz>IGVHID>RXKF
zMLm%C8i<D1is?2AyUw%MV%8VhKS-E2BYW6vTN^EyfX{)w{V#kD5r--^gp{|U(<buJ
z<DC>5m7&w1CyvW)Pp!tEk@s>w#X!7I>6ZTPAG!1nQ)d~LmbSmvyuyY?5=lt79wi=a
zP-~%A7A9=Os#b~Dc`0AK8v<SR<Z)Uu@tqu$C^1tWwVP(yrdLY)d04Y8KF^)3_GQxD
z$%uvp!{J%~FngS^xqKH6_gXL}Y))XoD69w^sb`tZNQ>u{_Flq5Iw{`~F}HH^kPLmH
z!AM4(qVxe1C&MrPup_Yp=d9kmoQQn&Z(i(+*c8tWnVU-(w!1+|Y;qV^`>e5ALgx5%
z!HLc;qo)0w5*!*n#NC$?RNuDp6;s5{hiD0Ysu0>1ksdC$%<UEg<&c&MQSv!U9Qa4(
z0@=7FC9C|bkCQdS)<i-}-5L6^G+j)0w-z}c1VDB}o*ztYunHCpX{`GGh5in7|K)cW
z$t~yz!=;gG6FOQ7Q4QwmvWYC}uB9f_eHnV^1WQJyjMjan_i^g+4pp39-xNuSBrhl=
zkA3d4U><JJoj4{Y>>9(OMD;C*REVL$GX>X#F33xzErO@}wu%$P0dZ*HtB)X&in>R$
zwZIhyMveV7yP}xmSOkG2U@1u9z_N`Wb#ChIMi&|L5{9vTWG>&LPteO5sHI3v3ntx>
zulrd1m3PM137=Yg`4%W#f7>o|Gd#FB;$VBozR{v0+lDnVXpEA#K4RhHChZw%8+<4&
zr6x&k3Ny~6)>FuD<No1bxfnp>{8js_|1jA_pGlCN_7g%i)UH(oI$6S4h3XOxu`CiF
z^JKW@O6S>s#Cdlpz>sTX#i7RDA+4vN-8QDp(BQ<?sP+Y3z6SAI8T1-n&0V=LbmpNj
z!!$u^TR@0sk|`etWb)(hiU-{Z1+X1w=Z<piI>Y?9^GBA&-zcx!b3s;hAyCy!QD|FD
zXzx0Qz=*xKa)D><1K}^KrqH^KnysdbVPRpZ;ZDZH)~yS@TN>F<f3XdhI9G6(E3o#^
zKenP;zWpzr>kH?(iQIezJIXUxCVdIi863Y+_zX$5d|y|fqLtW{W|&h@T^uNg`PFd>
z8}+=7=q<_26Hh+wcJEMd`|Iliz3(`zRJG6>DunoduBT$H5K(bXMQqjQg=bcmbr;GP
zV#2<?#cA(=j`yID^H7~Soef!E{f+5%Iv2ay$Wpv!!|^&LM|6gHh3uhJb=GU$7=8t~
ztJ`zm$po$&El#+pqgQ<-@Jv+Jm!en?*CdCSREpkf+gSRAV8=3~SVKamvS((L54-vl
z_rJY*6mG5ZDn%-uGu&#>mf`toYFu~N3qk@m`S4BqNQa8$*FvH$SaIJ>)1EaKk9nNi
za^7sNs5TslO&DrzFijKo5@*P+QGQD~G#(0@g$5r+)s9@#nBCU<xzeIXeYlAFu&wCV
zn{pU5sUnS0vlcd6b(;GNzc_~NnivR>fk}_UUpuBTx$Ec4ByiC`JCDz(s{N^!S1meQ
z1UhWr7jD>@U_R;)$3K=4t&7;QAl&`cywX8wuAAa6iXQfg=XX&gGwoNlPFio1;Yp05
zEn9>`#-mj7e#A66&dg0;G#h(PO0tY$+ia8Z<NB#v21VJ4+|1eL-m^zi#Y2-kQ=m#4
z9uhDOA+usEGarN+FO3z%<!O|_c->AB_Fi+6`#mbLtHo^?%nxaLRC8SeHy7DO$gB27
z3NoyZ5{cxL3goCXY79c<=2YG)(RN0J(MZpGmq=9!*gUIu{2-N=z>Ts@cvkJwPCMU|
z9jLOsqfa^wcO$#RlPZGDubplpF`Lupb#~GA9NP(Stf~4`RUTWnw}(UYa7QEe1J>y^
zJmY!L%tOt+pQ_$abL>)9d3V_^o>^^4_AvEDuFvv{N=G;_cWV}RJ-exvyL?U-(L<K8
zJ4?pb#B3%SvGs3_pdhzDdC=Jlzp99435%wa4Z-PRWt?oTo7nIz04r7&6-)<hkwOmD
z2R2csgxKjJo=_eXkB%ez7#X_a&k~i}t2*25qNUukJ=dGYi>(sKrB(RsZp_2y{+^JS
zD(wK(tA@~guP3_0^ggPj7PO5y)6<ObXj?q7`A`DoVygnOgLI2wJHfA0aaMVE#}bzz
zPSIc>kZ8*sU62c9_a_Ly+0g9ID<^x1t;A!db*cqWI@40R!s;g8B!3%%Tsx8nG0mW{
zXLf7G>*%0a;s)8h#i0UxNAj^ib6s0e6`fCF=})PY{xy?4l~n=kui<e}0d>>0CR=^o
zq0a4HLh^PH51w#6kM0tfiXxs*`&NfM#ErRc`vG1rhq%yJEV_4nXRxINjUKXX(+K)L
zKerdSB%JoC%%O-FQ@GYpTGr^p)=ZpLWWG*fuU}2s0z9pK=lW^7@aNw~|3qDm<`Oci
z0jQL0nO=9Y<df=jBQNZ7-QTelXnR%pYf(k7#rshgRiQ6n{B&b*43;)nrGp}FdAM#d
zux|-PeleHpH<k&l+%S&GU7vW9ZMR%$nCE!3myO|uftZdg2>E(meEuL#NL!B%u6Yr~
z{DExumA0L&i+QeVWUK~v*@GSlyrC|pGkWCIM$qZa&%3`52d%uVd{0lIA}r<$aZc-H
zu-dXfHb%c@iy;~=8_1PA5lw#-V4Sn_d^VFToVnhz%O;k+o9S+?+trBHg1UPQtwZs&
zwVPG(9z#50-z;*1^rNa*DLv|*S<kZt>;K85{_SY|sL*xu`5;jH$Mt{gg3#Q`aOocs
z^ebVwy$^S@ZkG;kdgmw#UJ{TIhRZcX=Yo|U%{@90Z`*BJY%ex!H$vF2{`8FDwJfeV
z`l@Iir}?zC>;QEooIxdja~No=lLy{3XAJ`y*E`fb*T~t#SZYg)_jhN>`?lBKd352M
zOoL3ajkIFi66<@Xhv#siu5aKRtC@o)?cduZsPcP58L>-&f_^kl3B2#Y_p9~!(V2;!
zlzFtuYwe*8O|2SYeYpaj+3=9TG-G20>s5aP294r~4|fFR>Q&nLmn+7B{&T*3Tamta
zr)<anV1GU*_D6}fKLsXMpopcMXA`quwHE!6Iw*?KxhP9`8|El9fAjX^u~?~e6-TB1
zy)B^tsnrB?%r6_Wtj}nAa@10p<H7uTl}dq{Qh^4Jvm*8vkY9!-@EviAh5VROPqOK5
z_x#s;aQ0oOUmYiE)IEv$mHuGD28{Z#iKQLPXRbK#uRC;UfWp4rp$lP4)t0$FuA4wY
zl^xUHU;7;p6ZEzO%$qoIP1s`#Y2JH#VL+r_S&pqgIM6J^#!JH6^5^{flfH4omhnp*
z6Lu*-``<nzXws%f-yD9uLLThWuLeI7AAJ$>;cB>MamL#I0UPL_n8BBe#?&Oc_qQMR
zh6ES7bS-Cf+z?=e9U^S5P<VDA|7teE5@>4ywP%A*XH?z4|C7bZ$HXD=G1psxDHiPh
z2#w^%4+=HK0?A%j8lS14{`;SEKcT}H7u$&c{x}Uhj-OHSv}xgQ4@LwXHli_MmwpZZ
zVW<8ru<)~@4-WekAph>R{rv^}%jeR`!;swNul`f}`qy*to;}I_098&c!t?hJOmQRS
zggB>qW9<C*=e}BVd{~!GiSfVvU6i*#g;yHG^3Cef|KLW@HQ>4h%ts*9-<bZ}bD{7S
zesj`15qKkU?C)Ru%f>M;N`ZDpsdxT8CY~MP`==+&^3880e1HGiFLjT5EHF>`^1uCE
zH_><rG_X8=>GX&0`nL<wjpn`_U!gJSdmuLYK33QV18aKqSA*Szh~_|k=smhFuw@~?
zEtE=Ju3Boi#5j6?7pKMNJc^2!5Ps7(VY{pKCt}7vfr>_Sov3>YP-2wD@)wNp8f8~T
zD>vS=2|4V9xa<|qynOe43MSV&g&-!TJ8Kfdl{k4z?13z0ns)4-m9`)0R!!vZ^^G<I
z9RlJIH|NVb4|e$;(8zU;SrAU7W@@unPZ_!0;O?|wG~n;*bZULMy;{Dyi=T++_NTJP
zaO~_4PtMl|lkgt!j2u=!9_LqYi|y85k8TZM4R*{cx~vU%Z6{stdF?nIUm`6HsX{&^
zo2+jDl^JTC>dp1>rIJHLtO}crjdhZxagt-uCPF}6DvDnk;GvXuWySefJ$Fj|rfbMy
z?we|qYb-idA2#QPw4{=hnyR3nDz`ooCCldU(rb9Fd;7iB8XCr1R=~5vjY|yMX&1Ds
zoemkFh;K#*l5k`46T)MVT#r~m)Zj4dkzrw<@z`^WCimR$VrsjO%yF(sG{+ZS+}<ov
ztW?BT@R8(9cxd~0duf<?lJ-N`;CO!9vplYsgTpm3FI{H4qxGts7pWpys<rKAI<j-a
zjogFwx1dRE7L9-HdMpx@_zT+C$RF7^Vv_Ri@Su6?T3DJI-L7GSYe`G2+t^6eO@co@
zt?{_MfnUat<%XmXw1#jZ{FBJ$OlT>NZO2^MYnPdq<?l4!8N9cTMG`Ob>mtJPY!xz{
z{M6j2%|{2a1v=JWmIb(YpyGFObY2^t8Xd*r@s$gsJh^hXPlag&1zvjTR3Z~m86tjR
zs#k@yE49UfiOe7<)(8-WLM=wL^J^v;7*jTYWTV~DlM2+z!e@BtT0>ut1j7~1?8amk
zouoo11?=~)F9h|ak!g}x;s9B$$mT>7(~+>-0WoX&w*8iU)7gosxH{)$86*omn#Bzk
zhsMw28~@-k=rKt!_?YtLM>5Q2YVHx5qw?@y6a0QN+c}g{G($3tzz(cMoO@%qA#-q1
zkP6NFYj4H4b@IWxw_=Q=LL^!1tZ3}^o*i0GN7Ca>L%!p9_}9!>s0za2-~AKl!}Su$
z2DCha999N3hVl=3^NJHEJ^ZOa=}k%e6YH4gh)!Sj6K-?+0^@1}i56r|g`?8HAgCRX
zG6Dl0dKVdqd9y`ENKGYS$H0N)K0D&^9d=jCuuF*0E4Ez{TKD0IFbi<_+kVb&)LOp}
zzal{6`hOli4<@>tW*U0pP_b#BqSGNkhrBEW;{D90*rinOg2OLQvu+8A(CHb``jku0
zCfZ2{j)(^8em0noBkIcK%F{Y3ao-yjR~>F=mFuU1=Ula)k&70!?uwrHE-g_&<}n>_
z-!+I55VCs1q_<Y*C{shoHmQTg@`o_@g!DXjqmFn6>2VKfMMb+7JOpp+Rp@x0wRz?P
z*QEvs2`@ZVDvOxQ-~-$m&=zbhw+Ed^lC-9~_?9EZHOu-Xs}{<TfpLS|Jiul)tcKDv
zII_kEn)|e|BZU`fRzzOr(*bZuCaF5?x!?MZ&2Ryz6CQcG%=z&4)o7R>Xy?B9?kh_c
z0VG7?WGQs*xEK>I!JW7{{nx*7&$J}gx}{qoeC;N$a+V^2i^~8-M5D5;QO`R`Bb2{9
ztxy!ijJxa8;V}jEzrw%Vx#u$!06#>w{ozu-(4U0uL^ebE2bgUA-71`Pf<$B6?K0Ij
znm_2qQG;fLC-Llk1Tt@&BtL!5QbK`W`7vp$Az-yIKxX7ZSsI{0XfNkJ81d{Z1W`vH
z$1VVF(CudwUop{cjOtfulAQZkIpVrT&D7O|i0m991|KI_u6>4j(S+URoB|N)?Vgg+
z=Xku;_NgOCI9E43Rrh?I^NOx1EHx-C%=PLIX;zs*6lDM9+YiJ7jl5zs=ULG}jtN$z
zUtMa|-^dVvd~8&+IAleAz2c>a+QD1Gq-f`Hw~<*cG!3+XFWYwb73RF4HiTOGS;6Ky
zg=5$HeR|7tix|!dX#KM7r%(l`l2VfA*z^eJ_?%%4=j%iHbU4V%EI;sTJ)wJ7po0tt
zjWWHr*LV(yu15(ka<04-f|^YQ5cLzxZEKVmm2ECNn<>kc_3pbXv_J9Piteu8QD^pt
z#ye&N9yN{tMLhl{<0VC%gcUD!s_sosSYB*mFyQ>PZ9Fw<N0WQc+s&=st^I(c{{%WH
z<Va)cI844sWZUgV3dSAanba;I?3MEVK#hO3vm3{D7KgSo*8kehT#oI`?~k3K@hl4B
z+`j*|L^O~f>r=(JcE0%aE0Mw@Am;<_msjHe!Qk<Mh#x0X*bSP%nE~=cUKd1}Y511y
zj2A6YT5F<*lPOr32<glBkhZt)aXE06O?T;6t*YtN??f|xo5K}e<0*<;ZMlwpsZtEG
z5%lcv1JpJ4<>{Q{)>e6;K_#<M_v*UuL&033q(>Ie_OCUB9XbqP>0u~{LK2xQ2zL{7
z6OO&nr{KT#0byu3A+7Jo1JC?Oxur_QI1BoU;4Vl@DpQ_LDNkkNE2kfALBng^FVlf)
z7_YulwR&d39Ppv9Hy84T`wfQTp<Bh!_)e5xMTM)t%rhz<C0W**hfTNFoHKN}j+ClZ
zJxsT3z%C?fVb)!vEj3pnYb6QlW8diiBWX6t>+sRhOVLQ=+@OXh+fZj~F5KuK<_}af
z_zl^_w8|URDA*6QRrDvqdo3$EP6Cu9WvMt@BM+73*OwL2#ot8}V03UqsD-Uk=Jx&e
z$uSlqfexNE6{S~az%s=B7@AG}hGy3<y$Kgy^dk91-ID{v){?V7q51lO0p&%Gl27$_
zL8DR>Cy?-~ML9tWGP@E5L_vSjGlah0+|E?LT{8lSDa&99U%HvC$L&Eq`0m3oS-0JQ
zXExlbMbjNsn;gHyjT=9HMBy<Yj=FkfjvGX|)Yv;hp4wzN_R%W0I^5P$4O7MDb=JJd
zTRs*wKn^<JisHcg(~vn+b9D!9bDb~acqv0&lX%%YTKCJ!G;yMY<M3<rceQi>8s${e
z$@Cf5uIbsa*kvU}c^%cF@=@srlL=d}a8mL}kXR43YkVE9=~Z`)gI?jP2sRkYGG$(D
zCVH8K+rBg_0m=d~0vpT%3!jOfdo<-i)1_xOyG@TUVR=&?Qb9Cl!MyT!d+lg<sM<0-
zJBegY@V)#6MO)`MCE)WMpd<4ZMON33_Nb-f`;Y1phV+M78buQ{8(hBJt`MqtJa~_2
z;#11<xGq6^Js!%@uK>oWem3$JCV$)#dglb<{ycXsGsrwy>k^%?WgV{JY?s&cuc50R
za{9EEWT0zN0#h~;?697<i!`Wq-GZ_iyz~-q&2;Jca@a8K&oJnastpj{$2iDtEs~!i
zSZGM0U<7X_j}+JBE<4<4OU2l$EAP9j$gmz)UNk@x_XDUyoV(&H4SHWWZwcDZc81Ke
zXKJG2aEvAp*7ep=+oWWJacgo=zkv~svhD_KCS$A>bwQ}pxNv)Spz9-+x~!Tzd``*>
z0|lmtF#Pz=ILTWpB>D9kiOcIBvg+|8e-2m4;+6Qna_0R$?;Zqzqj*FSF``xnrD~^8
zDgBDJ$B4#y@$QSWBu>KaB(l)%zMcvl>6Q_S-Z9uD;bup?7-Hx<yl*R`#InO5g}9kT
z(26^I#bG6-{Cl;|lB2Zm=d1(I^UQQoZq(AF98XCwVFU$Eck76=IDedJ+*1c1N0<jE
z5$4NzjF|b)zIe&16^X2Rf<V^J<^tA6EYan|is#5gopqaBUol(+cJ22o`&n;BKry}D
z<_EenQYVm_g>%cbJYXMeIU?GYjJP^e>-E{L@&g$=N2=LX;`@(tv~^X;*?;$Fc?2Pm
zEC86x#BeCBY`{uei+=_V3!-u(=lf@*dnt`uewV@X+t=ib{Rj9C?u{S$;;DCCh8MZ#
zd%X34l6@{HFLmJ%D01KRM^5kBQst2rzbbKIU)v<(vB;Zhjg#*ZK=LO%%w0$qyS_41
zl4dcsSFIuXl`ny^B#8?2xzV<1%C6K@tJBtTs9I&)iua)Jb^=SY*PpcQxTm?jWD3it
zW7FPGUaZ~_v@jb%C=u83nmMLlb?Xn4`Iv<=*>(vd$;`BBM!x516*r1@qONiU8@o~K
zk8-H<?N|qkSKrXvvc?)Z{d;|;j!VYW;wO3JOJNFjQmD=O0Us-LJ87zzKqtBnY`9uW
z@L-8*cc~<JdLp1*8nCRQfn3R-c5#f`OQCd&hMA4Y=u&5noLO5AcIozCKbn*BB5tN#
zSU_FfN;1JpT)URBtTiL{Y#0X~vwKHDF~$X)n>-|2?W62%K8<4IZkB2%L<9kZIG%wc
zYUhq^^N58xU;ZAyVv_VW_DY9auJOy6MVzg<C3MFSXm^|=kBA4|!-Rt3OWoJo|D?Z^
z$HM~Crt7b~hoK*)F3vX6rHvQIm=dbwb~L)Z*XOM;W*VV-Y8gh;MKlM0Vj19EomEAn
zq|KqMl~oK92p3B?(h}Fv0ndVzDA_oPLoeL~R`w&W)F7(5oLe9N<RWO?Dv73nK_P$)
z#OUTN2aEw)$)Xp=#FAD=vAM3gdFr-+tS?_4&AEA%gv&+3T7Fw3FGo$6=3wtiq{VP?
zYyMbuy5XWy+Q!~rdypG1yR^SBmB2msT{$%{+QAvw_E&=a&}_TYL}6e-lccnCxHya}
z5?u(+l-#+~Iy(FQdTJ56sgbv+q|Y!~+7FjzYc>pKJT2aCIAEVCHrT|s0Y{LpFgcG$
z3c_3~5)%wSZP1ZDL^zk|Pti7n<D^0$8!O(_&m9}{8Dp(=j@!iuMpLpzHu13wLDar|
zNjc8I&;CLc^6ALL7)vVw;nhKc9HvA>=!cWwr9Z~fs3z+&bNUs8?T&LQMRe&Gr1AU|
zAu&O@B<B{Mam*~%%7Lci>jPC!R=6x$ZdWe#wS~pTGJr~Q!ml2_mCxe5rCyrWUi+=8
zf(19b3+>~%MHY0*EqI97%~I3T(_7Xin==rT%m$zl_xYG8C=P6y)SJz^;25<p_V<f#
zmXY(jHBly9srb!GuzcgQhdZg+^TdC#Q(X<3wzq`E+H=Nk4YZb|KTY}O+Mm_?#9+Fa
zvEzk#BHAzdWmafh<m`@SO}awPs|vO@=b?$21;9WAk@Dp@f911JqB3g?A#9TE^=sAh
z+>N<H3~Q#m9w{6bSpy+4`X3x*aA{JmRlu=}>~p#sL^Q_bXXu7m6@GT8!z``0PY?BZ
z0kB$G1oDm<PZZ*@JEyYr(?7oP-_SSkjiFB3gUq7r!egM7y|UhjnHl;UYR-=qRgXF?
zCh$I5JbY)>oeay9ls0`@pAA2Jir}06`~br+RW9^pl8X^`%;v;m7`w6D!QOKISW*Ot
zIKgv69gC2i`s)TAKYkGf>6HG|ncT0O0?1hcAZP%=VvySxuhA98<JWY~GR3RiuUylP
z>snBeVU-1}jo{*)+IfHz4Zo6<biPP(QMKW+zNZVH*+OiD(MYvMs2MHD7RV&tv#zau
z$~u`)*&Q0K7f(AIucJwlLoN%B``d(^WNV7Ji5f{qG1z%2t{clCD1C60?%41r6O}|4
zr9s7y+AD<L4i&m-->F3@XeuRQO(t3W`R2-lf@rW5Ei;P4;{_>T-Xoc8<u*JU5}I>$
z!Z=wL23Xe2f`zxFd_S8eqpp=QA0P8moWiT8)h`LT<D#SMNzu{!A|~bh=hzB+-g65x
zon)cr1(mx07kh6R7gf8y4J(L<C?QA)NGgH~($XL)-8~@P&Cnf!(k(f3mo!7ENOvnR
zAPqBw#L)4s!TWY^_jB*(_q^ZU_<yr-t#w^zpT}{YwcAJ1C%B#+e7PLkvo&=yt|E6K
zM&D16$&!0{rTYS<l-4x77dsSw$nWXsz_?fhIHr)>q7?k)hW4#V?eK@d;MP0ckXGMX
z1+}@73&w>;%@;0(-lfe_O`9V~EXbnj!Uoyi+%PRg3jhcr71Xb0>O9Ty=44ykM7Jsl
z{N;DN%VbyoZrYC55i!T9=gF{#vi4O0Zb$j!e#^r9qLDILOs{o;b9WL5%qL}h$nk!O
zUXxjp?#0q*JgeuDP;;2eih#sQzqfYe1|opmpq+hCYL?n2@n1dS!oP?#Dv{x)wwyEG
zW#>2F$xm@)Rgv4Ea>$6*OHD)A!;4AzgqQi3Uc9BhPB>X|Qy574IppFyfwfXca0Zuz
zzYV9K(N)!QN%FV1nTaSqSCgX`f@PkMI;>J0u8ktMCS@l|G_3_|`jU?G3NjEtwJ%4v
z?bJ!L!GXAUFI#V{w>P1c-mo)rpSwfm9<0VPzuIj4Q~tAIwJ$pZ(J=;LYcHjNrN(8&
zg6@4Uj_r)y{k3uq+4N_g0wsK7u!H?3)a5j6z*4?msT@na99x|LCDFDJJ2W5$<((L;
zaoGCaT(08-lTG#nY=hC*8ui7Q00I@CW@@;rmuS2ezvHE==MJ=HSiM$Msvfv|tJc5)
z;>8;PbN)e<rYia80AQWnVaBsf$JLpaK1Hg{S^!uzhwCXKJjFX6MJE9@Ui2#g>3aX~
zbUmu%FGD;*-=%#>AtyL_84)6X5?bH-P!1Kl&hdXEMV&QL^6#_G2E}kQ{ogw4)QI9s
z>p+5xmg79_T%fkFJKRZm(xi005Zcr0n5{dMKhx+^F5|iGhC*Y8O)BMg`Fe}w_AIM{
zlYFu^ip5`<qnwOc39STfOr)S@p`J0Ud{Cib_r1jliN|h&Pa1(SKe;X2y6U)F&sd_-
zaLOJ<F=gL$`piKmrFO2!YHbWaNKq-UOS(gGmRdk{2&}o!_0B%^D)Xzum3SNfX7+*?
zh^o{&U17jAAhSy;6EP_ZvKv}YFSOli<<)&od=a`XoVJV!vlfBhxd8N|;M0+j5u;)4
zy`^xmJ!B;L7O>jQd@Q3O`e%~54=0zkqQt@Gw5i(Y-e8Rz?Z<u2a#AyI>2O{keRv2h
zkSHJ69UT-r+DK4Mw}qq_VEop9gTKPt9g(F>ZQT61Wgp(J^ygwTdbs(Z5JTwp!;LUh
z8sYvsjR3sjLt@#S11g|$@*uy*@Z7}#-qRxeRo#nU<6rD5=v8D(|2wjschWhxrA@tt
zoYAy>eQ}22q%<B-v&||lBwHnyea}}#VmwtYov)A>sL|%FGG<oUj|O{+OP6~0gLh>H
zuN!PR&PXmvvD|Cy1ILF=HyQKuj}*Dhil*|q%>kBwq`~m8q9`5ZT*DNN#|e8*+p(0F
zXB>MqR{6Zo>X*8r+q8VlM_e^4_hl_X&wp&TWvYKc)>4w%y!nnmg|(`09CosPN*H-p
zE@oFQ*Y!g+o3^Y3v_I~vO{!omf*Sb@b#({FS8I=ti#hvJ`DIN8-C(AaO<pherA!1Q
z`l?=HxK_Qdb8G$G@VnA|R8ON)@bzrHPrkQJMkAE~sbo9MS`H{6j)H9StJ<^qH^5SW
zgrBFkX+{_~;t_*wqBUxRi)1T1Wz)3jydpK~q$}L<_3l1ybN-$7p_s9H;1TM-<Bd1Y
zI_hV0n5-rnKPxQA<$SfmS&PL}RNs|asJy!BY%8_e7(ztl;-hlK$H-o+k@7<`FInL6
zFTEfXIRuXVtl+-4dOpz)n|VlSi}R9G2%NW;yiToMUgzV$z7(}e1$q?>fZXR4W*IB;
zVj|0noWmd1O!6J0SVBPPzce~1z{+*pw{tKbW!JnZ@g2R_>+~=RD2-PVpFZ>W&YLg@
z{_3|NXKmD*Ae&H=nAV>Xl3V8{%Q51zDhJCoi)QPSbuaV&`SVMtVc2lT<)CR}gMS@E
zw7_8BYKYrS58pb=LwaKv04R*+7`#0@(f_Zm9bLn(=2PsM@NU;8FVYbmc5|m&h;hrt
z(Sms4!<IX5+Vh8-`sK=%U%7!0W5D6rbWnYPW9ZjP00K_uI5Wm>m)w~RLK}Z~WI=Vm
z_IDTKPda4O651o_gcu6m+F+F@Y8x^QOAEUw+LKnc=v%%|Px^p_L8VMZ%z1N`A%)A<
zX^P*xr)`Hxd4-Srw8U|#ld?5YBp5fyIKbsio?R0<C8_(<*%pD9r|zO2{oUI9kY(mV
zDsIP>7%;+n!EuS5>}xk~RsO0YU6lhlFu~zhkVyxSOHuSxf_&M+*Pb`Nth?Yt!n~#f
zN148|7)~<HS4)^!h<MVlS>#7#g5)&mzQia4jhb-zr`$EtCYJ51>L$xCaenJN`IWzS
z5&i#gEA5Xq+i%5r^~=zS-x~bASM~1`{#A|q;dXU2c>mLX{qtOaKKcI-`mg^ZG{0Nm
z|I@VpKW*CoKSF3|;8@kBgv`|6E8mgxI0*q^)Vd1ge?xv;m&Z0@L(4keBW7R7q-k`y
zaMU_{<%z65dP(xPi}>@S_#Xc-0T5gh+37;s^=qUt09lROVJRvnH<x=n`1g|3-?H=T
zhd+&?F)%R1aM^lu1M%0!bk%9~R?rdLe8>L9KcXdWxypR%KPnn6mEiZ|v~BT>VfMNH
zn$5pmBI2QQ5$=COeE8;L0Q;Kg85p>ier5(ZEd5+>7kyXmexjJM`*(TfPfG^iRZ;+)
zo;2_jHPuh#kEow-)}I~Dv2fcj1n!)$E}k39{PPd`3K8Kcl;7`7=Wkr<iPxqdgtDBJ
zbieweUHGq-7V1};id4xv;|jXKxByiVIMEXo4FJ7>U&IvmJI?rzC#4fBbXQ>>ZpT(v
zv#SG#RrEA0^~Qg>5~?50o*ZM(JAtB8iLX0Mqin`)|JI!j-#h>H^%L+Em}f?8fABb~
zM34)R$9vGUJh-nW_nW-)=gZp@g@}1_3_b5)_v2K+_*cF9&wuqFAMnR-g`Qym4D?*i
z$=`^Rzq8_h{-l5V+mJ?JYKgrq8sk6Wv;Mr$|M(|((!h+6Kd3T)d;kBC&;Rwe3rs?2
z)-x%-xBt(-@$Xmps^oiPO2fkO`Tz05{{C9Odh946vctz2|Ev`M+gJHWNae?wFs1Xa
z31I*0NB#YrKhK<M3k{&;HDeY0{Q>{m=lsvL{=es1S!6T%Q<x!3J!ujE#6z;y%D&a*
zKh-D-%P*E*Y-A*&*QYb0C%P?|&Hm=9$eJJz*+<Mj#4u_NZJ&~$IjDg0&p#$X`?w}}
z6FT~VZYVD&N7C<A&?A7{;RpZ3`5y-rc^lPH#o3xOr5np@aKPNB1nDo){V7jhu!ekO
z>K|vm`ty%p-L8lE+yTb|*7Lc}{+%?w6cf*nCwlNJOP#91(Dt8(E}fvuq)CYmpsU9`
zRkt~Ri$DGjR%crG^icS6_`bND{~w}G7kKTwGtlfN<G-eDq6`VZ8f8C?%(M{z{3*O9
z<#?AEFP_h1$;?T2lN5fF;dgE0msW+O3jrlBr+b_8BAClv^P`BpVV^KvUVD>2P661&
zu}`@OL(`%BLkEAp^-VdK$mfl4M=RxaABv_8*73;AAC*PTs`~enz$5dEizDn#;cBgC
zx&8dS^IJ8k`tNapSMRYvEp*B95dJUv+LZ(TnSS;EH%0=(Q%KvTLw20yxt-R0fr|4;
zp#W+w)W1K)RZ^%~?vc-hzqpUQ(cyrPT=B|2rF>{)z~61Nt5^36B+9t_Fw`%y{D)QX
z3&gjpx?FQoR+P_p?reeu3J$<L<Q)(C&&U85z&9vJPP$LF<|hhCUk(R^%g6uu|KGZ?
zCMfRP{(Gy-)jJB^!>%9qaiaOFz4GUyqtI-?Z-Che-7>#t#$0_FkjR}xrrW-<`O_kX
zyz|ut4!!5EPS(Glvo8wv%Tw_Wu-~6e*Ulvdxv07RJhQLBoUMy&W#iZX041f$@zti#
zxMwE9svPp?LF@WnWUr<~k^LEA8PNPtyBsd8{HMGVPw7)B4giy;PGa~yZ0hO|_?U$*
zhxcT=?*3`KS@7+OFV|Ew{|Rq<3qVw3Cft~c>LdI;FYM|N(up%J*Nz`A-Td=-Kionc
zeG%~VU$eyiU1kCa?TXQX@|L8@?LThu`XKg@&%P&t1NxuGD|2H8F36*r@K2y*K-tIr
z0H`b-ThJdr1VE721l?P(8valnA*#n{Hb}}eM(Ka5U{GVsz&`;~w_=ih^H{Hh0D%7P
zQ}WLR&irv9RCol}>rNu&;sKoB6$tm=FUIeG#Or^=>q;Q89x2q@;TO6MqN}B~Xr9*q
zn{%3L2GIV}hpzw}9HpWkZF$T7)OR2-yfA!L(?Im^nnU#ibR}~@4EAd_;jKUhyYBY;
zOR0`h+8)JU2Y{v3nurT*Mtp!St*)8Eb#@Yp+VieuN?q{@ISHfVZ#=BIt?u3Q3dJ@k
zHFc(zPj7O7)o^J9+X6TXV8!QWE!<j#7Edu$1=4BfP_QH#7*26>1{s#szVw#NCSh-&
zQRqDpx5&k@Y2(?!DbcarGAlq3*7#)j?brMJssq{zXb~_OC_nuc6`o9nLoTCI(@_%i
z=*Q=PU1Sln|7Ont2{w=lN!tLteMs@vY_oI=(7AwEe^xs?{b|uEc=3%97)SHy8?}|o
zYoVGH3qg*}={j{apGL;DBvr`im&)amU0~eFBLL!1H=%i@cOk8STRy70&LMQoZwc=S
zu-8^cb@Ktj#OLBz;=8^lS9@GN8frp@Dx)65YPv@{s-#?N^_>pkqxsZw@|>=)u<-g*
z-AYl0hW!z#>%C**;F*<vvgN_nS`3)P{jXVbVDok<C4i?6ij1X~@9BwD3rWUIzI~tZ
z*?5tz^?mD^dg0oOoyNazR><MX{Ehqtmc|pJlJQG?-10bgkb81U8*GujG1j4VsOS3Q
zVrpb1n!co8&l?G}$VWO+7bOI+<;#oIKqm(etw2trd3w2v%8{Cg&qPE69uf|#1Erx5
z5AP3WbHTly&d*ih&(^1wNgIx`cA-@WWwVlkh|H5++ph(F4o5%rFAe^Julx-B<yQEI
zXH<aIApW<O`jV7qKU|g#ww`L&nbYt(|HLrHtNdW2Cg@Gh;n_6Eq3Tm&6OgQbUhq+(
zPJr~D-FPI;w2SN4)zp%D=8C1#`xCFnaTO3_t&_laknq{X>F5Fj|M%*#vX=skx3v(z
zTF_th03kk`_I&^_EF5k*!G~mRS~r;xCX=O?no#HMH>FikFVS3Pyd$g4E<y-dZtC4;
zrvSn}lm4W~dn<!I3NvNan1ycJ0i?C3whHHZNRc`7QTkqwZRQ>31daVhT?mi-z{~6p
z;LTudj<~eOi<*f|Y}^@B&&Z3l!tLSlPpZI}vg++GtSB84x_5OaS^st?*Dr5qfxiJ5
zJ>&LEFT9_3h5=?dFyd?^#~vF2U8Lu`nii*ZxciFcZ{laHz{%!L^`cVo08F4YP9<CZ
zE`a|7lJj{<Z(vn$T1BJR>0HEVCHgO=efRj6(-gJTgaa!-qHm3rjw(E~xhNQ<rYzH8
z0;YK&zjsJ^-arE=S;>8=$mG6sUf4$^M(!zcjPV)N2v8d6o`z>M8I1SG#+5a327(jk
zyC`a=-x}7l4~?Q@)5QI+A1M@3W}gF%g_XxESX4iaPMI7gDL(tqnUyc-`J6LYPjS@Q
z#@G><ZDOA94dS?+bx#0bV|+`;XD1-KA+4ETcNGYD_{-sShkr9Icu)M)z^}+Syq^3p
z;{*=JD+kOAfU==#{q(Zl!bGj-Z)>)egG8k=C^(O}8#XF?IaZUm)ugvuV9%x&+6Uqa
zl}%2=1afby`o027st&zs_HGxT;C9e>z)|>!ku(wOmv3gqx^m$Y(xq}Be4$TzKgQKf
zUIYD8FHTB+ca=yxcvW<K{jD3)8Gkjfsf^Obil2?&s=gq=s=lBZ){JZ?ZWu1)Hocnt
zd5aE+X`^mWqrwpvj1BZp-v;@-I*M6cE@Vz0CoDc0s#nA|pBdt!R#TO@3w7LRHB>54
z(C?03;FXMYC&+WB&Er0%A1d0W9+k^UYLAKGf7EsuU1Zl*j#w_tmk<B>Ak>=}t6Ht<
zS1$=K?<y?p{R=P**t<NT3_z&XCW~95t_P&|+Ytfuwy3}wYDHi~C;;99M$rH@CkE&&
zz;ca&OkSA5+5+ukm(TW?DkfBe!C$_z>|S6>BRR+Ct*3Hw3lxhsM*k)t+ZvGm6-*QV
zil4r4aoiWZ=0|naWMYT~cGhv5Nm8Olsri$4uV`QaN2WSyJ6#rZc05^|q3U+gK%6@h
zL~Qzm-j5UgwF>9gh0vJ-mDJd)fbIri#wAHqP&goFzQt&N@d^6vfNi9g@xj`s-puj(
z^qgNssfL93fS&RIXsSE2E!c@-Oo-3=q1&si*75}TG#+Q0rzxDaW7B5@W^-QK)^79d
zt6m3!h!V#f<=`?0z=8@)cScY?0#FIXb?sSmVrZqff={mmTmMQqp@hHVMg7~T*AI3<
zd{+ec7u~Be(Eyy+sK2<pMXe{kS+bI}SMcH}O>RO)Ru;)^TBv0D`oi-#Jf}|_#RDj*
zY?q#my8m>ROI(1zsFm=U<CYr=y8~*u{N#NMC`yUfxIa%YPh#@H*7Q>g(TArh0MmiN
z-UQ2XG+~aj_Z<O!3D{8>{FSL8$G<@CM~5sK3f9v#+w9S|aL3W3xet+UN|!n7wD>&6
z`K<n#4!inTxrvAKwk1X5?&5t`i+wzxRUF3z5_eebF}9vIAM=6OQ)cEB7pW!!lgP9i
zt)}*iojl<zmN1|B77xm}&MD`il<}^Q01)4HGpj{IRj*<yUue*mu?`|pS}Z!P1>VB3
zB-HZYC6||uo%5N?@)2`i&y5ElvZ_dCmDZzOwqsy&-*_RL%)z4S{L1r`eaB33b!frN
zqg~V#6_+`ml==Gi_nBkg-)D;b67;@{nQUU+3jjVx=?h-oEeh~1wBK+uW{N_`JnZcV
zZ|wmHq{mG(9hW3EWxBCNTkBa4#L}P9f|d?TwT;f15k}LsrGCzddxOlDXIY$$Ow(1S
zksGsBPuskWnV*<y<l5E>Qhwy@R$$>oWf%|dU&(8!1m(4&@M~zmC=~gI+>XubkH%V)
z8l9{mnSB?wBLN+2tN>qqup;uZRsNE_MW(9NV3?08#wR;?beqR{<Aa+8zaTIprciCu
zVo}21co}zbZk{a6gSE9}?>oz<_fTCVd{R1soI6}#p7FT-sICcqsH0JvT60({czNq+
zg{UUrfqlN#_`c<~V1@hy$$5`mxi#pM#;tgv)9(DI#z$R#2e49O<U!Q2<1EfggGgmG
zYm;eXfXxEkE-3@$_QWfFJTsmG45(mjizLU>0#6j9gL`#jB<tj(AjyuukQbGsk7L<M
zKZ;2^vYPsIy6)0?AEDMeA?VE&%GNi?Zg4FqOv5+1@7pVYp|m`qy%j|h6xxH?kyv)%
z?OI_91xO$r7h)xQ!4@8l`DUKc#WRegws8!nt*drbJIi}euwbxp{?u~M)1vjjKz<Jw
zGFq;48br8Zn_G&E{^D$TsdqrC^?sz!*}BK^MX)XMsgtS?x8CgjBqDj!cDB{)p^YbM
z6bs51W}!+a)kK*Bx2U4VZ;ZJxVy`w6RN!WBaSY+!8gJbUO;ha4QaBetCdgiP&qDY-
zmn1)JLul69jt|}1&eNsFMZC(@3xKh=m2R;pX3@qGy&+_(^`b|dLj5A<{qFR3it#v?
zUN=B26h*p)5<M?+QSUA;iX^mpp93M@Ah$Rj1-ZWtPqC?T#)_ZeGg#A5oaD%NnbS6)
z>y8*M2B7=No#77zbPvP(!Q&F!qvgT6;o_~mO%dFY;%L@6b5;g-<^G-pK%ER`Sxxdv
zP;sa_DXZ41v2?mT2RQTaR?KldzSRxK{q^vn;2oHydsdYj|LIJrX}7oBl?N>W-1Fsd
zchKK?rQZt-U@TVAfcm0Ijn@F74Vrav@bvpBE}%js&{=#R8Mz}Y;;!9YjJ?8ykHp=3
zqnsRVbo>T@3HAqVYp?RYp&R0~fS>lZn|j=hf=}v{%L4}A#{9sJAEJ!2#?^OJxyEQY
zy|}4;>^Xe!109@Wz8L(-cGh!3V8vgmn*3#b-Jn^iNm8?8o-Tz_g^;kK9!-*Re*V<E
z2j3Y~(5wRh-UzU5eudioq9^X%?!-cn!1S3qjckV3PEesk*-lV)aspX*_h2NMe%kJO
zewf^Le?Ct$qnpM!|2KAzjufSeH^RlP05@bg&4pMS2q)tL9z;*3q8NK;{?#cQjAaey
z0D*KQTYdFT8vEs<p4X<a`S+~w`znfh=|#01^zj<g7drz=pUj9aUweHoj|n`FEgknx
z)X@>9CrmwW#mPR`K(-$Pkugd3o<QO}wj;7V<HUFq<}#N!f1d+R&iLWQMbL2N$+YSO
z18Ty_o=K~9Ddx#5?MKF~Z^H1b<lxf1>4SW^>W0P!x+y4jN0jQXTp~p^{ni#b0KnD&
z;D5u!z1g-pkBE!B<#!fL;b5fgEcC9$$(e^ba$4oGKXojU)^fagTBl~^LNBJ7-Ms0U
z=1HDvdeW64QSu_;D7;XmT?EJYon*r$A_;U|nby{zaLjo0le>vC4UXDKRqW1iN{J$$
z%i@+$?*3!|u+#4b(;0U}PDEUY&nZ80D`L*uh-FO^*i%j7@=5S=>{<pGc#Qh>a_1iC
z56e$#?~<`&YY-K*W;*l1oE5#|Xgd;z)%8^Q+rU0--k(m4@;N&qwWNF2q6tL3hBpPh
z0Jyz(Zob1VM5VDnpjavd2~j~?8=HKLu^}k$W8Jb7v`cz|hYa)CS<V-Dy$H8vgm;#&
z5N;%SpVzpZ^qM;g#@7RQIuY3eQ%)7_LPyl37^ZU1ATSgdv(b&&J0hW?L>8Y2y<|+(
zGY5Ds8kfCVq{x{lU%d~-hAI#ip9{1Dk^M^O+%dL^v1>#>1%Rsjph$osb*?<-SGTTy
zGjC-mS~xXf8gf~z(vME_4mYXu1&Ww_PZ0?3X=-nSUtRMnp;KtpH8h{Ct^rE}SWT_V
zC&M#%YnXvv=@c8ImkO7)X`Ei~-9plfDcfX$xtlecQ9B|-H^V8bC)h@VLzj3-k!gzC
zrZ?e!&S$3~MfVsL?Y|a$zK*G<czU?W|F!dTNj==BkWK~(N=WucaswniwsL$k0bq8O
zz+7DroD8IY=4+cV+{#JMVK<Ns4F4-e#S4M5_f22WBhz$&IVAf<Dd$XkXBUoK1ZHe|
z6j_?U^4f$k?y+exZFYd)SMtg$|6<*g@;HoS=4ALWX-p%`JE8B?098~q61&Q}IsYv*
z{s9pxZn^Q%<;Sc}lh9*%ZVpECmsr)$lWP*(!DPWDep0@w<=ToAP$2525AzZmdy=-2
z)AB^6GbL6^NabC~N=}TA>b(l?epjzd4ui1EM1zag5A2aUkm6yZabm}V?pf|CTdqW2
zCksouv2+S{KecluWzd{JA#=|dv5A~A9UyRiP6uIPYNxd}hECpA*<#<l#=wxxQH~#y
zWhQB7)0*LGB{7O=k1s#HDmWkC`<Cy6%dZvN02$pmU=A2hoPdW)p0Zh|ccvCIYkTmI
zibXP7+9>Pk;5>N2x@2#mhtx{u+#KOOUHSM~H`XE{We*5uIbyn7hl(xsml~?%A5l(k
zf1a5W^gE!ZeK|r4z*ODBxa%OyRgYI1KA>vEny-IVHZ<1@f9T>#KJ+UthpL_M@peJ=
zk;d;Hs8;Ep=S^_NlNZH^ZjL@>Zr<7p_-w-;#+687YgQo-gvqAO{G#V6x=2``qA%;|
z_ORUvNW1RhvB=HHiR{8}2m-SPm)0$T^E)+zn{}{96p#)0H{2J4#83R3HyoL}gNSvF
zw(i+ooCB*_lV;^HpY6@90aqq&u9|%(X>@4*e3{KKQ2nwy{b!;0C5pKL);qZHbJMAw
zYUgWBzC51fOcSzf(d^JQVY(FbSiMd!7Ja^B%F}-9ao=?U6P8r>^mJ3S`_ZYfM%}lh
z2DnWX{FlhXL)Q6d)45Y=p1fb3yS9@0$>-9dG%v3%-^01K&b0AB-Fs%etZ1v~q{T#F
z@1)rsH)6uBp0gJ`smn|;1qQF$)+Tj&E5^!VYE_jB=vFxgsT8>y_K0hB-DDlX7|zX*
zM)=FNs9LJ1;J*W>&E+5W<*}I{5dP$5_*j+)VL=RzW0Oe`*Fk&fP<IAWCmZuADGQZe
zwr43`&7Iye_`_!YdwgwAAg^~EGmtG@KN};Dy}QcOz;r@rbP77R6nvgB#r)ut^u1yA
z=!MI{h$k5jewWzg!yq}$<_RQ2Z}4->)?BdPfS+WIiSW+{R+VGzDb%cF6imvz_x%xJ
z6#U~gvT$x!!H=9T0~hK(GT9}hx~-z!&ybkJ@H$y1{|<Ls@7S5DY^qh;23Pcd#<@#x
z95>kdjS0wu)H*TjGmt#OBAun0`IS(4757A_X0o6n&yb0s$k*!Id(Y-iGVX|)9TJtJ
zTaOLKxbUUNUc-v=wZ4%xLfKY7<i{C?H~rf8h9s2;nl7dm$u-2}bgs^qZ{M?2MO+d!
zKcGLqqfIfL{{SuX=jTs>U61l;7Y!o?pDofy#AQZgFW^g%FIQ8>-FrvWC<F|H^;o_!
zovW>VpJE~`gUw{)g<n>ve@OX@rDWsbg@#I_?`WzR%U1nG!81FuZ8%{$CWO>F*K%<O
z>M-M(HW{5yW<k)}`2OvdZ25MTff=dA46pnI#^;X+EkM=&-U+ep_D4}4x0;47;Fio!
zS5;wLYgJS@)v{!DDvj9of{reEEv=;U#9-AT5JDVl!mDo(d!SYF<^kor8a0PZ=tN`K
zrcJ;q6)Y4(6#dmOe#O4=Y(rk7?%`y|o1BAGR&$g0XD>P;1<$E4DKvN<Eo|0WLta-U
zG^V!blLtks5I4CBX{A;gNA?|Nq2C0?ZEdN5ng<0h&aLKJWLq3*+|quCM!^gt`S+iz
z-grs^Qfy+T*ncoHFd$5bQyrvlFc8#<l9o5veg%XYJVR5vqIMK?3YE90ZWlzT1jHLI
z&ed*0a;=~NRVIshHOik{v(e09;x4;9o-M06AGXJGYb==hwufc*%TgHCW8Y8ai5s1t
zAj)qPK8tpr9h1l;qxw?D^g@n?rkryCegg468GdKfn25kDLF}x9Gd5w48B&hrr$UrR
z9q(MR`9F;@4+#Ks9_Tk$Zo)V=^AqV=_0JaH7thpK&7MUF>2YF{Q|8MyOqaUve+*uN
z7c)X9U6J7h%V_79lX^Z_PDd(M8IHUInRz;P&$Au?b1#(pTQ}w<x}J5qjco*2;!~UI
znbKyd`{=-%&^6YYu!kP?`8gvW&{vkk?vD3$RO+{}0dz${FKlBgF1C)d!%{At?DFaE
z)lZ%#=V9Mh9tq=A12KjCyO$W^lCq6;i{IY6FgzwxuAMcLC&7KYBA*ss-6dlP&o{Fi
z-AafnP$%e|dqf}4ODb#Qr|%P7g;f(Lzw&U8ADihXyt4q?LoiU_*)Lti0(7-3X1)of
zt5iQ~cGl-=W^YviGs={rS^GIsl2kLEsuU}}#(OD7TuxC9>LjWJBTkFBwNbhn?}E;_
za=4yP`Bb}LATD$D_@LvmXA{N?SB|e4aXJ%2ce-w5I|GoXl=rVyyMZIVthv=g^gi?6
zXp$ak-%j(h!9IN!g1&ioQa!rX+8N^~%jR3fb&&90c#q#iG3~rt*Vnfp4fj_x{dF<V
z2cD6Tak{peVx7xiPGz|!^fmnaa0B(yba?R>Bpq*Ys`UfE$)N!sMSAZiV?+qmRK>+}
zMp#Y@#vQggp0|W?RG3<}fy(<_X*xUTUK<|@%S33sQ)#72W);6@9hWNANXhEt^@M3E
zFVCK;A(Z2b><3C7ZE@4k32Ta*!z#U`EU?DBj#^7cYQ5OVdmbg~Joa*50YcQ7W41J>
z0BQSzu$;VM>$bg!k5(G#AMc2d4b#%+k|Z?W&MZuw_qJ;}2kz{2q?h@JiWq70Pyf(8
zu?!H@N?!m|-f;lF5G4p$Esndv(uvG*L7^)-Gv_Tek<i;*x=bpi>8mqIBi%2B;WEk(
z=e!Qn#w<0)*XDiJygvG>6r|Z$F1Az@xWd9mTC9m(nCg3dg`1b!6VuhX_H`qB4rixJ
zbd!JN-X<@{zuv3EeDdL~7hmz{<3Y8zO4XTbU9#WWxjj0vnxs~l?;vX6YR=i%9Og5x
zEXE5~YiXs_Q)*?$k6*4H3n1fmZOBLhIBuuss`gUKur#?KW`#LzJc}jC&9aRam_jhG
zbeZ&*E^8gUvE!ywK)bckd^jtGI}+hC$4k}%=j=Lt?lZaXW`Um3aV_n(`+KHY%a1#F
z?rBW31&?F%BVv)bf*HwG=iw2dY{QK!1G+0Oiymg=XVE0lR6f348UM_gvuC}Ft3ae$
zj-*(jsdX<ie;<x8Dzam>&JfDqfEm7dpKic2<jxi<#2mO-VdCPIo00=7b&GbkYh`YA
zN{zLB4VDvcu5+a@i>}@O+13l?VcfTPiPol36sm4&F;!C5*UT$_DMo1>HgTRE*Lx!I
zFs@s<qe#0g+GXa0`Ejbwu<6PEyPkq@$yY9eI;jhNSf(~PEMlZ=4wb%sOc0+IP{r%}
zgU{YKC=#yz7zVi1T(^r|tk?F=eA2=D`*-1>ucwq&(ai@lZ0++Ta-#tMF0iZ!V82RR
zhm5VZiQkDbg?LCo^3K^In&m9h9*R-u&-W$I8b{mDxYjuWzhrnjA`vQ+z$THd<NHh_
ziQSe1Ca_t#JW|55X~_JUc5t>oQ{IL9?(2M>VN(}l+E<iDi^6IT37c>~2pG$~x01!2
z`qDzF6z~%lE9x2+AsgBlWoVMnONx6`*NbntR*A|rI%e_JZ|TN^jK)IVZE4MU*~U7x
zY^oiSWAbmU(Mvur@BP|sxD+ihS*UDlNAZmo!BLVobvwJw4a_t%WEtyb+iPM>pcKIE
zlTl0+6*?h2$b0A+kEK|b!V@reb5LE^O)=^<1_mPe#l-+2e|ytIuO_HM9w)0#O4-?7
zkEIHoG7P8r?uj<%BV|mj8;PXbYw;^4>Q?vCUYJ)u;ACumYIawVd&tC6Bv9a1vqGXj
zpLD&+NMK{m%)3TT2?G&}X`Fu0sb`8BMb2(`;Q?sWul7m$qh=!S7?gi6z4GrzfB1KA
zoN8@BS3RQV8k?fuyQK^Lv}KbxbsuW^_++44x81DE$vNGZjvpx!;|1gL^NVJP(P_oK
zz|`8;{J1Z`HS(^Z4eurw34T8s2HIO%(X#cC!bSpn`oWMufx8bT6{3BcZWk5uAv``;
z1X7gbeJ;|EO)e82P#Jh(V%kYcsF={_@O`dK(mo^TGftuL!T0>Q>ASbF<4j4k*q$fx
z3>momNK@V;H(}}IK^7N)irmR_hD4K9K|cbu@-O;N*f;YVoXZ{3w`jIQgMiemYY`yE
z<Tf4#VTPpyyxmvxYMMOF6-0{b?25B|376wOW+xSNPUhY6(RCdl&5m>}Kc9L>GCt&{
z>vX*s%MieSRJfTxn-?lxT?rpzbKg+tOggdmDx}hy<WN_27|e%p3yYCQ@Ss_b$;@Ew
z0nw4~jc2rY@o3VRTD=eNFa_U`y5{E&e(*ZrL>3k=aMs0>#QunR)3~OnCg=FM^-Qg4
zx|fnQr{mL9^l}mEtTBUZ>YgudPjj8tS>fN#D7MbitZNGg1|UwY!^1Z4hwJ-HRwaBJ
zLv7=mEiO*USh3=ThUcb7L-r1}u^6JnC8U-TETcgSz<i3w-RHQo0U~wP7VB$O@h;rh
zDLB=$)eyu(C@{Ml@<TTiT{H*-6ZEChI|DN5M+C)p+Vl2$yEfgmkh`bKt^@k$-p(^w
zf7DHXnSaMHuf>#SNSuLqt=dkP1G}=B3K7cW?bYNS=L|h~&`9kv%B?mxY8l8*!QcG0
zMYAfucgjN@E)5$D+EdRpA{&+~a;3D}PL|N=G=HgvkfGUXH^=ES<&@FGamWbT$Oz8z
zy*_LD$sR;(MI^9QPcXJlxf@(<Ij6%-Pb)PF?7=8#>;_fk)pxk77@)Jwwyo_hNMG7>
zmLI6(>tfz)mEoTCDbGW<)}O;&=iZ4$-N1W->+s0-*AG&$uj1D}S;M3LVrvhLd~;$^
zGR{WoDu1R~S!3Il<K+D{uM~>|9?w^a{>=orFL-nwJ2QT}ggUQNH*#NQHdU=#YkstN
z$1~y6SCfhJ{pB0lrX>UVCko{tVZT1v@)NC>-(MY$*6Jv)J}F7h@BHbl)-rEmKI*O>
zH#0fss_Kqhhi@hfHvk8`O;~H?HrPzW`MnMIDZ=P2-<Q(1>*;>Z5qtTwB@g0f<5@#i
z=@>D!%C}Mq?|ytScrU@=rotDuSQD^Ho)S5N750&uR{0&%lwWN@`XhcEK~y0ANexYL
zJyPFu4cMI?vWfCDQPkH3F||a$?T9A_eR&H?l4QP4uL0^aE1jjhc&f&f;KRRDuvH`=
z&%MmP+*kB;vIIn3wK`KM$7Y{F0dyBtUT&j}Q%c>t6XCJl9I2E6-lrQw7*brHl(E(q
zm)iW+lA;xxj=REV``OA1?(J+g$MNWX0q0s~Kw+x&^g)t?KbZM!?-N1@VI5pKS7IDM
zNc*8Ka?ULery6F1SkB8~56?YGe<4!_YSx7mCE{`*RGbITaWYcdq6$K}FpA0!z1{Vm
zeHb<d>)ASKI}Rl2%;hLL7OGaYw4_ZP^E#i|9qLfZfU}0+rtRcy><U@irgHD4n>5_M
zejk5NSh0S4#66h-{DaWfhZaHUt)T0M6wCc~3L>jPFQpv)!n%{fg#d&@l4|`%meQMb
zp_F}kzdd@t7>PHtu-+Tdf?)I6BEOUVP)AX)-;UCy+*_twwCS2n>ja6V8g$r1v(GUp
zRJ4e=BSN4b7@lCCdax5TOGk#vmn;S@_HsuAbrwHK@z`ugBnaPo#XTSBU{jY=mEX;O
zxY9q#{w=S!YaYzUNnzH^BYK#g1~X%F7kc?zglnulthxx%1OXB%>kRhMxMWQwrpwd#
zk@JI=E$bh*&Z-x0-0d_0$-wdpmi@!C?Qq7$Y<0#~kM_l*$D<XRCk?V0vrgQ5xlJMT
zZEwTC#nE^3E<Zhl&p2hYH~Oa(=`J3y;WlYnS1UIp=9413n`XDad78)?*6PgxQQvkW
zk!V+t&24_={B&evzGkq`;ET63?xQRcl*OEnDc#rf9om;Kof_9ovF}UvzTYo_I;~Hs
zakidD2&h7In_*5F$bp88?O>&w3s_f<lK|y7-%-813ph^1t+UOM-dy#_>swIHmc0b0
z#_Rx(E!a#hQob(0vBGIsi~j!k^`f3J{pQxH8f7XTBJtqfuX4GM4bQlL_@Xb1N>B!g
zEMyLJ$bb9x#&LX4d~ynDqx9Lf3A);RSe`)2mjA$|mzN!>aix2Swi$v?n{cZ0svMw}
zBjX+vW~0cx36H8o@mv?TPL{!Jhm8J-w`KzvofvKjP3|d4;EASkb<D9#wfAsM*3K0c
z)cb#vq+&d03A;;S)^_V-8p@Ec(nSsU5hZ#kyL?gD{~|q@56(b7&}U2XC!MDw02HlE
z_y!p$s_aION$-la>V29ngUR_M)6~)dFx`NMn&3uWAp2eCJP{@)64oY&)wiEv(1|nU
z9Vl6@NMjR4ae>dmTx9nL`!*F~W$xYyzk}}li$~cV8}F%%A}E|v3(+@wj1L=!ZDd#V
z_GVXbzEZViwXCdVM<@=42po!Aj3Z|UWdMEIW7$sYM!q0v8`6w25T~@6sIE~dSDQX`
zAbARL$r}GsaJrrk$=Ua7`&80MRIeD*FaAQTdaCBI1Q`3m|6xIfEEq7JNgpide;vXr
zDn^V1oa$OWd>u@zxI1Vj&bLdxIkk-4Xd1AcEqL-`U$}Ebu9oLCWU`CPVgHRAe4T#G
z`j<Ljqf<Zf(x#^wa2x25<`?9+4iN+l^ZSc=t7MT0eA}I}L8lCk@<ZLkt(h?2l(I;`
zE-HpXXJ>WS+f9trDOkqCvTjKHu;5_q9*$_s8Ibh1N2N3g*iL)VZ7yO997y}-6%?!e
z92$-+9H~iQ(tDySvFYSq#g*N&3b9Sh>qiuw8pDM=?2<%`E@qau$Sdsc4SxD@oi^8h
z(X~_>;$2t#jOK)IZS+bB<~VfQT8^!BTtByuv~DZRt&-x~&lj|OefR1PriQI>PS#3Y
zwKMCkic|JIkJB~BQNIaGsxr^LacIivI>*;!AX)bkT*CQ+4oLgGC*n5>1c_+%?HB<&
ztcFh_Xp&5I6v34D@Ewos4Vl&wqS-gxF8gbAw$0~xQ{+We((d57FKc#5-wOBLGvur7
zDx2Q0X=@DQRO|A~Vq)*=LI(UMJem)AS{+BlS0*E%Ps{7IehigJ^O(xO9`0)@U}|;Q
z_KfYIrHwoTGQ$=A=1$%70`n^9?lJLnGi;2za)QbuoGFijPn#^OMV)gnhU*i7)sKoG
z4{09YNZk{f7WY!GvP2+Q0kXuPf6o$c0d9HTzGL5wLHxnX2;JjI&|3mFw9U%)!!GaB
zO~`zg8>}xaC+X#odp32c3psvonq5q>PFu!7*5Z<f_G*(E+Y2SwaCY{mYbBwDo*wu8
zr=c|jBwkI+<;0-m7#ad|Hq5*0rO>1v&03slyRs%&(rQPzty?e--{4ojgC@tpMCt(X
z;!`tp#*RHAwto7lqDiQ(_c>DCmh12=Mmm*{Rjx=9R6VQ%$v^D_cJ{6BTZz~8FS(cR
zu)uWs+#T<XO%^H2Kj4kF3JBZcVU2NvpyTpM=3e-*uz>tnYJpOb4g2&<AU}H(W5ZuU
zfBhbnU(US{DZgBFYbD6Ffs`9kkFS^SphK^Z2qzl@iKQbKRhD<}>Gtic++^dvf^MaY
zYBrVoTh}G}u@<+T0G%YoXfE9Pr2>dC<(}TP=vbu{n}P2hC4j*v<&N@0Q*>*7lm=AD
zDqrXjRa03oXVGKaFGt_Rq_k3m22Q%|teajuCwLq#*FBI$`;jK*iIX1aO7x|@F{eP#
z>U4P?OfBYZ%t_eO(XG@1X6a-0@VPnf)9^7{6;O>STqty)%9JUlGMI9HmKdkHYD;U)
zN*pFJ9>o0_N_^q=MxaW6(tY_2&(MPNkC3~cT<K%V-k`IPd)BnHZnvEBY&)$;ua6jy
zfMS$vd4`xY>&3-5USZA*GCPzXlCo2nVV`<GF*e|%MxB(wE8i1C7W^Ce!a#}Y{&lM(
zEnvC>A@3b>?q&>pu70%B+fKBgh?fhJ$Y~HnaA(P|(xiWva5^IizpCOYyz0x<8rK?l
zTg&OLl?j>ha~5iycbLcU0iPajP0RlDnA0BN9&$%wZ-c#8b;*+SAhA7Zsb5rV`SuZH
zYOCOk^ZDRy3{EwW^VST*be(N%>E)@=#pxW^(z3elkSqg45e{PD;*`sB$Y_6F^^tl3
zY6W>D%KbK=fhm#?D)(4!HvW<Lq{rqm5V9-sOS|j*_aq3YEY*umbEc_`B|6oyQ2@JD
zbm2J^+<lwx*HVE!d87P?yspk|qpYS|cgEx1p+DzIUi@TUW%Zr*#!dM+8yIg_o-CPi
z7PWpvqK;>hMezLU3VafakeRT2$8{)5;MkctOD{epl_KD|^CpSs*z3ewi*)Y`Q;iWq
zp{Hj@i;+sL`W$|-mU)i=N0U=2DkV)w5k0wm@mRfD#Lu55zO34IT8vS(WP>xM@d-={
z5`c0AHx-nz2AAAzr6?=TS5nG7O{$7-S0Xk^$okP1jdBr;y&RJ&af^|>!;^TBfwgdA
ztns3W1fcfW#le?+cyYW6$uUXe^R|CEB;Nj22R-tt+WQ~TlGvw4d#2cNk;o$LOA}yi
z0Oicq?AU?b5n`yU*z(8|S(6yg25HHtXq5m;6-|oFtw#%v!tkT;?WWSKHujP^cClc<
z%6-T#^l_ynSm$u1;0d4^^4{&fT<;z69!Pgg6w<rP2!umyUk3YlSBpa$>mR02s+WV9
zz?NK2wv)M*+TYK%c%>)<bqhk*g|x>U7{bs?x#EkHu*AzTAa;bHmL-9@9w%R>5cE>@
z7CWhnQ{zj!?Gz@Z$m!3HZv>Qw_KMZY*VaEG#>kLvUvd<8*9;LZ;G?};WSURs6jbGy
zee%{MwM^(mzrU(}PPl!F^Kyp<iNI#I!F$02Bqu6?Ag|_iAzqKSi!vKcmO#G%->i9?
z`1XmnWMr@Wl_!uxc>;QKJ0`#r)Z+O@sMX13qcL|@%fdtZ=Ptgf)Xg88VhjX8+0As?
zJ`#A9$}2kwsSt^xq8|)?<L?U|APQ1LDvz)Hhh<8d!WGf?zw<;mSMtNND9m`lYmX;&
zt1P!n-cZ4aA?xI3*u|?!h95dBlIGL=nRuNyqKY^ep(#gB%@?AzQDS@Q*p=ThJdc-&
zN8l43@NWpA#;wd#Blte(yR=IFoeRRC*=34}VoGz+^fd0OZ0aYz8jA^+ls;b>n_Nc)
zJTe3Q^ha!6_d0x5zSE<y8!IYf_P_kcuB`9<zbjk&oiCm_W!$Cx>WupSt|%d(7m#Jk
zr0d&7i+MCVtfC|<A?vioo6*>`+Y{O{d8}#z7n*KZ+;r$4kKcu%-4qd(6-#2Z&r7v?
z)!^wRBl6&Z<wU_#pjz*ATB=i{vN8Z!Pe-7a&v!c|_kE2*$VOjB-ygz1&(%&$mt#*+
zawi$a_n&zm6#!Hqx@>`-fez+khEuF0gZ~%}^o{B2^XKsOQBO#oK|}|2+ey#^pJC=$
zV(i&CK9jG-GG(|9t{vo+&m|-Mohm{GO0e(vJ=fZ1RYJJ$5j1A+l&HFpTl9z2x=&V2
z{s<-Jcs{+<EIM>3><%f6HCb17+v}gqk=ULdb7M-XCs??SiX!Qvgj8-nqc9_Q;whJO
zL+Z)(@=;6S7bRL%eXz5Fa_vTo=8Xo^Src(lEY@r^B-s${qgOKeK-+vBgqg@Kx-tkV
z%YTfjW&+{?gYmt)DS9D1Mg({REm3|(RSUiGI3~y7$<HHB8A0gu-jmrmq2CH0U?0(U
z`AwuexVLEGwP@M-VrGa1FZ+#%G3u@or1i<oqGuh3&s3Q{0-!8;9w(b+)Olu?Carg{
zX9ah+GoQpiM2CQEZJD>N+^0)!^XXRFS@$#&THiTrG|Q|S7#VN}n@_hSc>-nLld;3S
z4~7x3CbHUCtSf8&9BPHmrS3P?nHuN3=6p|pk!d}q(*on5+?jXuy*XGe4Xb(Rn?Exb
zmo};fz|&`Uz6#@`{7DzZhpWn{LKvziCjRAz3J`9WP+z0Kf$9i{axG$&9l|~A6ktA=
zeAAD;F=?~%G=X}Wu|e$46lHUY3`-(IM8AZo{pW@W(jv7&hKeM(f4Ci+iQIVpR=#;Y
zTa_-M+MpxmPwp4sXY48NHFc-)>N?NuK8+b8CJu9fVm+Ll5jdNP#uwi|ql@3(2!IL^
zMZMEopEQ+xA5m*Ceh<JLBw7z{C%?GTfip4<s97m*Ndv=VsS^(1poo^Mj3NdNQSx39
zE~Ii|NJ7jr^cLTM7bO8kl2m<uM0MPUski+J?|Qcbc@ks(x_2P$``71C+0<KQ*-Flj
z+$qfPlZeE%Y`GW1s*J{do|%*NuN93Kk2~LaUC1DAPq~dFUe0ol;T8O4bbOzGTJ$%?
z!n<u|qlHiH$W6M$D9h2G(|ivj;pj@-T>B`pJSQ&@(fdmJ1G;rP!p12}Xqj6x8DIX~
z#&eB2xO=8CF^@erRyg<ol)F&FRqu7Kt5zSLj=mj=k@G{8QLbu#n^&cR6Vyi$J&VA+
z1AoNavfl*M37X%20)h-#(n0)p6VF0)W*SB*SWRc|2s<$nmS@WIHoy^h&z;v7JapRF
zoxjl(v5b^G)2)!!7k65ksN)<?ER-)_u*#$2aOqAKm-hmm_ST<gi0JLRbo5{43r;je
zh6<;Qn$7MX?vkH$(Fi(W4D@ME?;C|)_5t;AlfxN4A!q!TGjIbQBRCX@39+-1Ttm(4
zN3Da-`5)xDxMdd|t!I0A;3kA#o^bK!5{ghN!6?CFW#JAkgU!-vybOZ<4%({^9mWOA
z!Nq_EmCx_BoKALu*z)VWkk?cBKkD19?*>5`e~uPcB_sUHpeD;AElI3>{h5I87kf?&
zoN*QehkS<DxF1+xWj~9*F(p)QH%y*5$X`q;r%B1_W>A%{*|edb8W?@Aoqg*q_fS^r
zp>Bc5G0^(SRfDDM%CVmD>d!cFALl5;X65<M1F0P1>QeRQX-L`M1ZrE07b71GO!7Om
z62zM~O%r44u4-QuQ<Xc}w+op&s=`dQh=FP?tQ53#BIQP^JajQvHygFZ&x<I7?|s2$
zO1OUhwgC))LF1;O%f?#_8>iHVd3=CS0&$usDo(q1GyfG3r(s;TrMmyke#_@gVm8Dj
zdQw-p8yq4wee{lY`C})gbE6yAkA}Mgeua(e?%TGP{#SWPlcG`cVdsj(+EZY`=diK^
z5X!p8K?Kk`C9Pi00Nu+mWZpwv4gSHjs6oHUo%<0z6-mjYmixv)1K?ROrLG!;k%A1$
z`TkHq_q5bQu}hfHUA+r$Av`Wj5*lt>n6}MoRRn6X3nv@9MZp6$e-7YS>l8S@e&Lh;
z5Ku_A(BxKplkq851bC-MYWj2NuI7m0-c@bypW0eoUjcRVXTcPwuw|hz%Uq&1&QqHh
zB9<!!3cf^7Y@SH^guvd~=>*P~i*zQSiQq_~mYe_^58)&}cpNJSTNKKvR^Y{{ak(7Y
z)rTf56!PaIni;mM(>C!gbJIq;k9Bje;TuB_*Gg7`;zA^IUHgVRp_5iX#f#libB-UE
zZ7C~z((eFR3>nK}xOYbul=h_hvT66hp|_oQ&_WO)n?BIfobbFJ#RSXc7T-=sUmlUZ
zuu&^?dT6<&Nu9!Jt%7eBCD$1y8ZeOO$GU6)ApjJUgax0Jc<}aZnpdB{nGh-4%p%Uo
z&Fo9Lyq=C!9Kc6q1su|O2}PYK;3Q`|GZ$xjg9BxgD^mJR^CyhJCVBdCOdq_Odh1}5
zEjG`o!u;a256}S8W0J;~$Ow~aTrw7+bgwN27zc!fNZgSmSW%71<I_8w>d0wgW^5A}
zKPcCreJ|ii7f&)F&;2n!qDiCP8<UlQX^Zj=|5ZG*Tpaz(5$)@BqlxF9cW@gu9@*x|
z{g<XR%UMiQKeGq%{V<|6n%c(*`fI<OJ-j>G__NV_zA1jiE{m&8xZHBM#QMDm6;HBz
zSi>=%^$#|SK0LosTBkuR4g{)FKD<OUdJ7v=*GX|c!>QA1fn?=s!%_lGIHrnPju+&g
z7+H|t0pk1crf55bU?7q!r*TKu2YNy$#JM_6Z|49j<DQm)uUWrmZ9OAdl*T(dZ&Xki
zVqD-~Gg;!8UEB(M(nK*X{L~~%9?^0#N=8kBbR~Xa40lCt<D7tU-^b^Idk+}MocnJ<
zXTy_Seb7YmX0N^XfrO+QU+{`?5*Tr?&<+_`St+FR+CIivh8LH`%2C+J53@we5pBOw
zz~Np}NaFP{m*Pz&-AZNAtkJW(5F05U9Ev+c)kA<nb)oQ4@KvFj6ji8}p-RO8_MI$X
zxmxoNTDxk!#o2~9gJd7n*&!L6PCmUenYtJ>%R9*emQ7>%AAM*qrd+QDY6r6or{4>k
z6h$&2;EfTfsBt_+7kw9`$%xgroIFn;Tef&FO)eqB){C9`VtZ{^ah*qk+&(9al$*Q#
zcmk*o-o2f@YA)^#ajmN`yMPl?-1z*iBaE!9GUk=(XK0k)s1D`Q8<X~s9zV|8&Aqm1
zCa_@%3fhYN6iyx^Nm8Jkg$Qx)ST}uL{t#Ws2yL2nUl~+cLrrv``QV#RpiuBA#-KrB
zS>0{4>!0(!kGdt=mzg?NJ7=_Wh#{Y?AOHOCstib5;hoHqByrL^^BiFlh2ugGIII#_
zdE#hDjO}ri8-((KAg<8k$2YR(8{m2(e1YPLZ^n2c{3CY^CR3Q!@<$2b(C=&%V#hy0
z?^&J8)rvJ=b2UQp)0K2P!e7gJ`JbNe_6}Aa&YtG<kq*R^k{gb#>RGvzqm<YX5TOrm
z5}({LgdQ<mK>N=CAw!BwiLt9Z5fR4N4O+m)csaU2Y|gQ!1t=(tIHK)|NseBsho)=!
zp$Cf};-{w!xsU1lGX>lr@L=;n->UEVPg;c0NE{2CRN|}to@V>rHS|Y!wpXyRXSUlD
zFKE$kBEM!jt&f37X~w%DK0ikm0N{O`2rln4W0@HOW|0<qrQ$4C+PN$oFNMB_g4?U|
zoH*6rS%(dGf1Tf7ji%}JJ7vK)Ht2?cYI!G?)1<giPOwDsQ3h+qoSlUHY4P;3AhVSM
z86E8Q>L(e}Ld0k;l=%uE!c^WywSw+7GP6{;8X|9dgR0!`o|hdzP4mh5V=fA_VVA#(
z9d>I(I+uv@R>?x8LLQ>9_ee4|$21)nHXo)w&{ewYT~DqU#LF$02Mq)wqg<Wa2qA0=
zFp$V#;B=Yz0T6}0IPCrWd0NaoD}!eR=+BM93+h(9SePzKf6U1UhaSR$S{^zgBm6j<
z>OQ@l0tympF8y`u#COd)Pu~UL3eYVJ6qK*>sXytO3AiI*f;Ga@zt&OTVQC}=8bam)
zT2Hicj#p-SRh?K62fUtr?5$N1pc&$XHhVYaFQ8DYv*xVI{*kp-t0FRPZU9Io<KEu2
zdEJ2NUsP?LsFlxaR18Fy`Tns8phybOoRMGipS>mw#V4is+4!Knv0M4@wM+A)U+oL`
z^oLJj^qedPY}tCR^AUX?I8?WqZPkf73&_n_f}iX&wbpz9>tfo#h;nF=6hk2H`-qnB
zQ+NQN<JdatYwDXs<dhLo2k1Cwc_!?;p3wom`ug-O(Oki|_L=C`B-FJi(3Q~J8?4}r
z_Dwv}T(4;+2A2b#p{$Sc<-))ofyCVXy>y|>4=>DBq}=b5M5;Y&mgk;wKUHrzhQ~4H
zxQHf8fCP@-gjR2lDM5+`fiPVfY0;=;hC=H&txs^~Mhf^Tg`2(dzWEG>`Bt8Unk7M#
zm1XHB_t1i_cTZ<lyQ6V;CB}-vaYO*Q*-p$g#4A5^Q())XE@)f*I_7XUfyphU+PC*f
zO!UcvzoeV*v}oLd;@lQ=7EXREwT%QaQhPnos&+>_I`w@I01=eBYR`_N$_<cHRO#r;
z+v;s5AprCUimNo1@rL{*=?7kJu-^76F!$g1_<g$#m<MBG^9OfV2jI`U65g4*reC$F
z@Big<+7~~GMfoCc$Vj|;=G-CE=?cDNT8yW>_HynsmOL?udIf_bS%|`RzrlQ>mXcoN
zpp{RgNtVm8bq{;z!9&}bqXZ|!?B~+A+3QsFSvEZAG1EJP=s=9;1Z<bf?~0aqxVf3^
zfU`O{O%59yb5!CXp$Ei!4eI(C9(Om%j>Zc}g8wh}-U6!Xt?L`56p$7Pr9oOiLAph{
zTN*_gq`N^vY1n{tcS(0B3ew#r(hVDshHq{3JkL32yx+Lrci-<m_ueti7+c2P=y0$9
zS~Grg&flDCwgHHEhJj*d_D7J!AfhBW-e%`Y#bui6@m<TCgOsk=g|Gh1DQGBf`7oZ)
z5wwJ~Q~yCOzn*zmo)1@<wpS^v<mI@~wJ1_1sQEw1W>gxKvt?ZrGDc^3p$E!B%f&VG
zDzhIY2_k(zA8LBYTiHL<7PN$JK~SXXOXqVzy4<52q@10+#v)-tQUWMSJyl3t0ykAo
z84@fU8PF=oZU4?mHkDSKcTmVd!);e8p53ipK=r5S#C_RB?5V;2QkbNh<(fH}8`I);
z$$E;MkGX7%i6DnZ+V$supB~o&Brs98YS)zGInUJ?t6B}snvIChQ>A1Zq#hPc<*13<
zfHEkS?i6n)?G#cJJ10@>>5-nuq`{+y&wHJi{TN_40clSn;@&!!a6q!G#9OXdB1v4m
zNfsdb<bh-X{-2Wtt%vz`OA`iRc5aCcM6*(h`csgG<ywPqCv$y>pG}|EccBSzsW1ID
zp=%F<-zEqxW8OuJcWYTK-*@P7B>Z`HbU&*9-59VqZ8+${^*!;tBH2`+K*o0%(e`?0
zR(h6!jXzh*l(_XBp26Z=j%_G&P<g_ezMQD*N#j(h12v40h82>lqYUZMCWkga6?on*
zOPDS{nmfKga7RsN)&CQg;8ny>Ki__ijEC{?bXPi_M-SuyqdJp=a$v%EF0a@~ay=;T
z$8?RVoMBo4HqF^HwG!<IX4c2Lfp&m_V91EyDa)xQ{mwPG$_v`r(e>eSyJkLXCg*(H
zV;S0_w?1~X?$iLgF@2}*7)~+h{Fo>w#ZI||aIu@EC4${t{iK;s_)aqXrOoXADSDVS
zq36ZEI1;bXrPACpoTfS{47}noVq7~BhTe52+1NNemruN^+{;VDNpym3$|3V>Z=Z;T
zk!GY&c(jb`dWmLdiMnaaJjMrgaZv7h{;Sf%!H=hnhB_hHS}3?sV_o$ihII-Bc`@@o
zzr#cjJUx!UK9S?ageh~ajMA*}0TDlL6I!%4^VD{=?kTG{dFGcrMMTvEX?~51z7oJI
z1(m@M(?Ks6mp`^)%IAwe=)G<}3g}|aAOgj?dQzhMINJm`O1%ikq88tXpH_xD9}!oi
zx@;{sj7lm`^+o55j8I>O<mig8G3~Z6lJM4W1S)ojQV>|Z)o!UQnxj*+TkXHM_R&Z<
zAjU`Tz4G3k*u4NhMvk<(>+k$4)EmxMNy{Y%3@PU_#3rT98$2;O&*v>Jsj#}1=nalc
z)lyXpN9;MaIV4YOvaH@7KfLyY+QhS3CcPIb-0YQKTWhMvvJR=jgU%vux-RyPtBB!c
z`LUx>;vKDX(@{GxOzkJ>E8BsDaIzO8a&6oPdIQCG-(HB^4vk{#=c8TbN2OdY(QHy_
z;v6722S$Qv`dH+w`NqKe{D39RZ6c9YVM%i|c;ybat^Gj5i!YJs(jo)IYl8Jc{pLeO
zu(IkztK-E!ZGpjsT8ZxFS!GMbk^imHg*&gJ^K}ZFM@pw3&Wp)TNTdSrZaR3O#*a~T
ze<zGIdB%=-W~efzoHJh0ysX3lYnFCg$IZ`8Pf!PY+&FV}p<bp-a#=2xqnNiq=Fya6
zc4-^2;Kd$dM>YF|(}780>^3pcYlm5Wy#T_RbU0-H(FWH0cO17$bX-@uZ~K~;8Lf%7
ziKEMOzTRlEs=m?hkE-)?Rq6uCcdHH8W;zJ3V2t3Rbh=b(7OET8u+R|djY|V`p+8*O
z6AC#0by#&IQk<BYh_i`W*C1^EsZB3fSR@E1<(eIbrdtmBw9-wPE_aka)JMznsD_4r
zE8gW%RC9Pc_<4q{&%D>3RAD0G^OI?I{Z*O}2nbAL`vvEB_9j&5TmX5^0ZHTeDEH+d
z+cGCD#<F>7Q&i-WmNc0%w$r6(c~!ZYAdVPQdT<w6(lQ~s)6Pu35{l(~GgGGY{-acz
zGY#8`^uX@iX@N*4tvOXwjyC4oXwS{2PCMjaS-y%`oe3_J{#Z$xV<WPgH1EzYr=&GQ
z-Fphm@jYV%(IdBeL_gB>$fLh)S~V)^liXJ1?dM;0Hw<xK3{@X(Zx;?jTm=L*TN~Hp
zce4S4Sl@-v_+O=ZNTG7H8Wu*o>=JdjD0Wi6uZv@Hd+XZ2H@(|}TAuN`Ak~n^5s2MV
zz-D3XY?&l}qG2YT_1mxKVFqE`YE8S&=iAq3Z@SPQp!MUW$huR$e-bh@aPD^}<r7<S
z(9k)Lm}1B&s0#YkpH~al__JMsvP6vBcCXUm$gn)!V(so%IYW-!z@gdTBbbejKm$d5
zJK<ylnCBI0M0&3jC}K^?_45@QHAm~GIh6=s8QNU#pJUe^m8x@g7P22U3zo6!YxeAD
z9Eq;^=ot91T>DTv;-WLd1;o~AtgJ3d^#$q}6xVd(dr0`?`Su@H8CleRZJ+jqSXc)6
zd&KG=i@r8!%=E^9I?<X8MERS~_QnjbSe1C{d}q^C=~ogyDPw_IE3m&XvWt1vza$C{
z6=H&LUHgN<bgn4$)kl{DURGz5`B!aJ$%vL^@#M51@d2Jk;S~T^twTQ5U-($H>42wP
zM$&)#K+v)N(F<p%=0|we#7VGF?OvZ5JEOlCYdLYeLw6g<&K8d<zA4ME2De;|6|+U(
z`t<H%Cq6h?w%4jVV&M|1Q?9>rhhBL_zlK!9F~Ty?|E88oEp$1k)@iGA^S$n<`nang
zW@6N-uj-Ba`o-Mb?Mkp8pHWMHKU<U4IKZSOl!!gr6VWwKqJzdCR^P4Xjx==;26u>r
zny)F})TKZ!Q5eQaurT>|b`iE0$_TpIy5ea}Im649FiHy`ozeUvoduKKWe!D>Nc(~<
zbV$l22QE9k0{QDTkSyx&MAn*D*PzCZwD0FXws&#A*uR!6)FNtF<&)s>sp#WTXXd)5
ztoykkCHFIib>|g6OEODvT#sG9^w6ig1>9wHS~I3Q#P1??@gvJ4_H$fEr)<CbAlGqW
zm*u^=EVvbxvpMH|lhTcV0}_Nw{!lLRW?_^Hg<|}sL$&^zgQapS?Z%vZ)GRF*zPK)q
zWWpRlu<Bm9CYM<AMHd>q11K?K3&jrF7~~XSd<tSdhcdEsNwZvwH=pllola-RbyE}Q
z#g=P0&x#y(kE}1EhQq!=A`Sb7!k8n3JoWgQ1+1QXlK_+Q#;p9R@;C_}CO#0MU&%%$
zA1tgm8DND;;IoF3xOV#P(N5Y2&y*PiR+`KzR9nr*mY{9oKL7rmHSpU-UH3sRq1Z-(
z!y9xNt@vHaU<Uj?t@s}@#FbCQQZX{xIKVe)f&6u)XcXW|fNy!|CzPt|2Qe_9sqlCM
zN`v;!*E03x@~96LPTLEHa#RCD)O4dNKE6f@N`@^QbW*@%x^3`Zy%n&h`EVCl%_n&1
zxuP%urv6<{kpAA*Mh#+v7m{#c5CbvU*fuPdL`M%;5g25FC3L+OM=L!hA|4?C?q*Qe
zu$O-SU6N0x$Fojx0!_EO^;qg377GEwxl??Ner%CO1EnPy2Uu`~HxsB<O;Jjg_`$X^
zN(4^Pgox8D<u1uc68~W=xK{TWND8RE;=GFIb52TWty@)z06ak+oRDL=Y1DY<+ZgLi
zdhYu!Qvw#SO$XJV5Lh;R!sOo&5B!oY2Ptij>N1}hk;HJz53BlL(j6gW@ym)5C4S?=
zhV9^&XWzRROJdPj8ehoqRy9KC?LN9+Umk;2OS0}@x%X``g|Y3d$e4G@d=N3Y6jpjP
zGtl4hI_^aD3!JO8%M;TRaW>=4KYYJ0VVq)9t!;BExO_O=51|U@lJW#qu*vF6HkaL|
zURJk09VqBA##@}UGlOX>HVH_?43;h391Gz6&{}`N5$^&NPl#P#33&&pTjQb(BeZVu
z`^lg<S=Z;UcB95CP6qu^GWsnZ$I*qQC3JXTWQ!bw(|ZVms#NpU8RO|mbhsgq)6Rg^
zRQgWm+MC)~5aecevi{B31K<6pm(TCr2#OE=^RHp=Bb;Gc#qx~#M%`i3^T+EI1&qSM
zq45_J0Xy4YFCp?@-1FP7jHv$j-5-DXFa_?Y<4bS^+ONa=_fMY}HzBDkAOii-J@A(W
zVFRiZj3wmrVN&8RPXPYaJ6fU3C;OC32>)8)?>FT5H{u=*cox4w!5{1RwN#|vBn)yR
z4w&=#^9v-$6ue{_QR?7sl>3*8-~0^nzuD5)>;ED_{%JqKYW~?$7_a4@E&WGI|Ey5|
z`-)Gcaz^>bEP&sp;2$FZ>(BeguKvX{{Nt+raaI3#|9=40AL#TK_WK8;f}rUCR~S{`
z?aw(kvPqBQ*`?f6PpIip=@fWx*mC(Z4pivIS`f`)?9e~IT9sfScAaAy6G*Ya3edNr
z?jCmV|D4bPIqMDt9rYQWI1n7&#9?)I#x{u$U{$(5qjh~8c&)>Ztl*_IKg=l5o<$R7
z_}ZL`f3MYV>3p}v>2QGLem@lv5%U|;WmmS8N4$TF67Idf2?ZV&Ii~S%<QXhYnKN{1
z7^g6HkhmqeA8d0D704Rs(YS3_#R0yPOjoL7z*a@SKtaD%%O!)>+&tyw**t~d#fjgp
z15;v6449-L$KAhEJ^coH9!3KFx;kxmlIH{6X-IT0-7nOxx`6L6bqaTv<xM*GI9*<a
zPHmQc3(*)xvb)1*oMcmtPV!XK+OjENl(n8_E9H-@#J>U;AA4A+XSV>m;hHVq-GJQ(
zk>0)@3|kYi%+W5hEh~Ca^~I_4eAmm{zNINV$z#l=91PSf5E!_Xj)+OdEz}HXwey?y
z%dpNLb?qy8dc7-j?u;$P@`ck}!=BoOdhWyF5i;YR1P0LZ$8wn9SmPLLUQ&{E<^htK
zLzON%#|fK^vkxt&?Ui_5gYw=?Xu4*NJ?{f#aKMS~KPPFSYm1x9DQ@cbnfPvMlz)o5
zd=8PKiUf1?R9Q8zJSPRS914Hh4)|n~BrfepU5o0c-3nfLou%%o9v>QdXcec+Y^muK
zF@zkWXxGaB^4$GRTLr5P)Wq0ewSVsALoK2=Bb&XPPt^X5PQm+o^srLVM@h|1A+2IF
zCR5PV!s=~?5`?1CFeiI9a`|@O4m2qECWm=0gPX8p9Z3>-+ds)GCj?^LXMF5_hDWF)
z9!^3jFL3l$&#t-teAnfXUUCh>?Jl(%j#x0})Fn}=FA$TIYBfb!Sm5e}D%UF-!jbZ~
zHAD!Fzz%8AF)f+hAbqjb^|dB(Y4gwW!*wS&Dc-}5TXu20w;NlsMmBM|hB&MyTWvCC
zOA2S?3F+L92<hUqFF0#3kxN_l3l2Ai*|V9~zKoEi=W<w$lIJy;X;s)J^BS+!vTx3;
z=?)j0vw&;s3P)X1J)OQ4mNsRDmDXNJ)n#hw)#%kD_M{soiiPMVVq$OpP3N=`BuB|+
zZ#_IrliLm$%KOA*YJ5F#c5c{Jxo<k%gfTfG!Ryr6HaVd&=*D<_0dyz^<Q5C`MeA8_
z_I>nVf%b24w);&g&By}8jHxMpOHtCy%I1Mon~B#RI&+hUvG0GJbuqdG2;s_{SL<Xc
zeeEi^vmKoi7D>{w8)4L|*&z1ix^XWFHe<DEtB9>X5~mG%ual+u;#mOtHY3^Pd?0KL
zu0*g=4MWGQRdP_x5s|7>DJlTb1IL0Bl#JIQwr?fG#7SH#wNJy%vjCTVWcg+LAph}%
zh+6TB)hz5;k(^m>MN(}itAUReRR7YZUvGS#;esxXP|&9{f>`5u()=E-0gPm@{dDT(
zkkS3qfh`*S{+v9Ag>$>%Q};D4TIg2Y#s!$?8GVYj8w)0Qiay{pqsUFx)E!;)+~%pY
zF8u^=Uo}|~`;7vbEMo)b<*K3h^~};*0a1#VoV9F@=w^7mSE6IhH*qqLJoy8U&qAmo
z+044gQ=kijVtd*l(z4H}7j(&Qype;<=wMc236}Q_=Ig0hW=m}|(h_@RM2BW)yq^i~
z5+~JJeUA2EQMdc1ljz?`82Gz;R1wcF2dzjX3)n0J!PJz7kOyoky3YIDcn|Z8kKv`R
z{rRhe7at%@8@=dk7js>>MbPc-*)~#)vu85%b^-b$xW5}GjHFU8m7<IEeLL;drHNDk
zzOqyQNC451Yn$`On<lq^8}T%go2*Z7ALuqAeAE$^QZROTx;mXLUdjy3k5*&NBfngp
zbK9j_v&t#^!X8c26Jbl6l0~^blIM{rMdj-n;!_4|%K+{BkSL`r(`bC93Rix6kmIiB
z6&oZNwHY9@g!5SViot4az3Z+sUgR#3O(!f8V>X@>x~1HtX^H1Tpcq~-UIeMuYleRT
zYGr?R4nhbTu>24>UdOLP=P?Jglrtli3QUH}oa*@$5~A;*pq%mT+o0d9W3k}by7pNL
zFR{lKXt}5x{|<ND=AoEIh3Uxg^7A{6#Ec_x4<=&wg|)<z8FtGOVvobJHx=VPW0rfw
zA3#G=n16JUhMc|qa%Wgy2y|IpPXdft=`|vS5i|b$5)wd=93eYkqI`*Ww80U3`v}Ua
zhIxN%eDcd_QG+k8JRNN`ZJ)|&xIncojm(4P>TKR`?P5HxU!H>sRRvO5J(DIoq`!K*
z>&)dFMPOHBLtOp>c4b~CQ-i&9u^+(~*bxoe==1;WO9#Owc%dg|J788S)AZU?E<kX%
z(kw<QW8IHuYkbgUvMtujZ<Sl`&p@s~4Y0}HVqSK1b}loz5!m$&=jC$bk+2@8`Pqlb
z4RZ;$7(?$K=~SwXQXo8{{1kv^2`9TMWG*(kJ&|2yF$pc%W!g=tdx0s~SX5y*GLLhd
zs;<k(UN9ajLSkrNGwT>v+I*&zVvqhAlnD-+$Qb`-oFvFWF8GdxHfH675Gob%`&1w7
zL9?+U%~IB23s0v^&`a7Un&wbb!`Vz-<FxyIY%$HL-^X^H+DqMG!uzzFMX=Cd#>zia
zWT$Fe7rIY-O<O$mRPAW;YS7Mm!3KQ2@;cM7Wg6es$2P+-+*5qf<71wI&x-hoLSFOx
z4WQjLvjWF1aD!|`C|C|{wHPv#-JQp+a>RvEnD}eX!=De65Gg80@PV@Y*1`ux<*W<S
z+(Ox;Q8V3CD-vn^l1Nyp8RjKS9n4cQEt}=UL^(K=_{HjF677sxVnnd`9~p*CPFZK_
zmX_I*{tc9TxoIl3=u+bzAaxjd!fN1}Lbc{AYWI2)>MymxsGJkxezKsZhrgQa=7WA8
zQj=H?8hD{#9!l0B@5+b8rM`SSmD#2I#n+c@E@ESD<9w72yUh)JKTq0NJ%4<Im|JI1
zwg2#}wR$mld%!-dlt-2hJ!RBPMWtPGmp|NgD5<B`uDRf+UHK^Qv!?Nd3&7%v($XC1
z=Rt^?=hqPbtBNVG!fIvhpsgm`R(E7_RnM6twYe6+y)G#AG5tcZZiV(vid!7xx9s3C
zl(F+Rta<6=GtP!1t^uM4Ugz7K`75uH2ET@Q4mTPi;+f{c#{BdNI(C6ePwi_$1gox2
z`f@@U*zPbVJ+Uj8al77dKVEaxlCOi3jpw;q!113hDSzD*a+8i$>l5qdDZp9@Jq06F
zgwW)^`#a1GQL^9$*MIQ(x3&6(JzE2Xh7QG3sUMb@fkACb)mu2_mea;VMTVE|2dPi5
znCaDbUgJUXblXPInNE3l@qkZc)OE@vUgKJS<8nRgUi~5@-C-N6`c33d60L%l6;%sj
zO}gy&uV8etKfQvIZ?NT;V%xN0m9lbJ^HuR_q&S&v$XoS76v4cSI=fu=y-)b-ljj_;
zt|)D0PHjEWsp|EtKAc-9gWf&9D8kkOqJsg$O+U|qmE+>-@5<F%j~(Iv;(HGs{Cv`1
z1wR6KEV<tkMmO(JE@U9h?uNbbi1ESg`-qV^^3<v{1C`x!=-H^p<<Yp@$Yh716D`6v
zUfi`ZCf^>p>h)0fwM~+TTaI=I?q608o&p6%6eNm6w489=;LT^+<fUg;tZXZ6&M`i|
zg3a1c$n92Vj--}e?F9FVFXwcrW*Z(<7hDwst~sx(<5=9cG<d4zi#r4bL6z37{0AWw
zhFG)=OkKOYj^C8!`I*7h$JXb8Bqo<Qm=$=XO~TlUoXHgT>KW}{Jiq&lp{Jsshx0D-
z6kr#Thd$s?R}6WqSIiRFn|w2|;7=BwI?>zm%;0WTzGdugQ;i1C>=?~F1R0B%9+XxT
z43CR8koHj-L|;<z@6;|DPAxTzehf|uiI<LDxrNr%9uS=Pyl##h|L>rHPV=VbP*K_C
zQ?1(VsFZDc)XGjZB<I)8KBJP5^RiNSaRb`RIlt7POGG;^2u+hoVO856`m!SmsXH+0
z>>71hf82{k(4$3RC`FcJ<0{ABj@jXS2FN*iS`?qR1<tn?=kWWQW_Q-e=RFg>!q&1d
zG9Ulw(|g?AgozwY+Y^B+&nG$hsSaPRn$8+qj6pH$-sOG=S+-+Sq6+`@pG^?#y-*Ge
za0dH<PEjXinm(ob;ulKNlv5i^sBAI1C;}5j?_?;ZD1H`}wm>kGHS2f?&SX+q#l!f2
zauMe+1z}FtZ5EqO_ueiRd?r5Idn#{LYcafof4Y{5HCr;St)s}})F_fnW!H5SQ$QCu
zZb3P4^>eyZ?)B9CXwwxmuH{>b+s=B}K~IHz7x1HaXf;tc_1r%l(ZlZ|tu&W|#x7sW
z%|@ZfBkkQa^Pb9Yb|VQ?z9pIbX115u*E5WkuqQ%EsG=+(97+?k1buq>tWElUrc@mP
zr(jZPflWo(!jI2%<B3>sjDJ(;S2qpG94`xrO^|<*F%u+Rt5+EjKE??(K1#sr3+vR&
z_L_fbyFtIKI*ltYKx5F3soXJ1r>Dpm_#ueHyFfDg^k7N(I_k+{0PmfxFn4}?Gua{{
zxsQUEhssi9B>N~am&iXQB*T@`Ki^W?`4YVhP7(sfVn}qsiqC&l9G}O(16u!uH=i0~
zY`vq^?gli(78AiN8kFh!7r<>_EfoLS`l;zwyl7AP>xBmn@*~3PT3gSHJ*;OvY!3%J
zzJ2_Z8Iz7}DH3oTjX{+1>81YQ*&^<>r;1Tu3Jvf~QL~QIvK)NZMd$!LG&#b;nj#u&
z&tkO$*FjV63Y#<ss|{{%OrFi1b=&@?LOv!w>c21a0?A^K?4Y#hWb7?B<mbkq-j(Az
z9yb{3!D<3Ya@x6dXYO~8(2j2pP?g|J?NZ+Rq<@pXFLF0jgCD?C$;Cfamg8zp(mV)>
zSB^m}M%4#w-q#>BbP5S<;cjn}DxfD?E~Fzdfx+yeCffeJwF$xH0TImT1CreD(A?yb
zm0%OG(1a1zxa=@mZXBa-@Q2fKj;_YRJg)RI1C7NdDJZc1C@AZ&tB|D&5o?ZW*X!fg
z;?<iDx<9Y$9;le!u_z%ikxjPUI$7wu-6npJE;JS$%QVFhsLIvWy!Ydv{2-jfHa)Xu
zyX6|5;lVbj&Kd&ex>IGYUaXFzg;NYVzVV?8fm*X1YjL18I&Y`Ou)ATXOxnDLY1YRv
z?RTZ#i*per$+M8Rp1GYHhAH}r8ZGF5gSTv@SCpUM0P^*O#pxMQX+Ay0)Q+M!DO23_
zr4&0R!@>y~vOfM_g$Gz&O8wv~!pim^WBA!3rVx&y*xu=`UR5(XZF#{1tNTyP6z<ep
zSk%@ELpEjOvE~1+2h=xJT~nY34w^k=o+r8+fZI7gHC?k!8N;BacBERUmrHp^wNO(!
zVSY$#)MZ#F!}fUgI08U~qAB$fT}r#vUL~<X;HnGiml@-}UEHb|DLWMxC!B&_xeb-s
zF;;XQzaSFA$w$EnZp_vg9#aAcTs8ENL82l9Eu@kV3nviU5=AlaqD!!(R;u29BPGfV
z_cG#+VSABjh`=Ut=*>*aKN*Mgn~VnNjdlJmk#9ZcZ&n<%^?r-Y)3CS8p&YOeBLP*5
zxmT0Jn(gftAat-g3|VmhoLGb)nvXuf8>QVTb3AJEU90{h!fu}K1JK1*;_~OTRhDPw
z#_3cOp6=y7h)AOa_z%!S*+^!0QqI*RYf74y0A)Zej^mA{R`bOM+8~Z8P?}^emk>Va
z8qcoEb6%2N>m;W#Mc_wnX8ZkV%?~5OyfMxU>Z|a^&+w#o<CL<cB<p1pdD>QYTdtW0
z4E^p{L@7>4EO4PAYu<b9X*zf3%%MOaJ`{uCIM}wSmh6T|`EPj@dh;uQngf%3l2@pb
zeUXt>xH2+Kj3<8&m`vX|!`h-?X}a(QGlj5Kk=tb;^uz7lBAdJF9mmBUD%?c^zmT1T
zs`1sJ*eD=$DxP7iz2P_|b;C%TlY0yrKi>Z<(qRtrv_Ft#hl=9Z@)9CH-q1bjH&4DU
zjaHTukfrabcL9-ruY}|zWLS=$I<ebX_6fE1Oj$=kJQ&w^jW>MXR@0wC=oCLd*R~`(
zDVnO#!bs}WNQ8-dT%ox$QuU?LM$7?kA_u{WBX<i2!z~VV%*tdQ`)KphI$axgz>mx_
z-ko-jPjLl}X`Ds{W(U)a&KEYcT_c??M2~t$q8~GV{&w<djA^LZpxgbJl-r^)$z_F`
zeo_hQz{+rOC~iqUQ@zdBQC8Djq;VRtxYnTF^+9w&$gOu2FWatzcVsIdl#s4p;5h5a
za1Um_yiq$neN*GSm1I2UYW#ipE>1Q%$!*b78dcl)-b83`h_aHKVzXq7w$Z`QuDCM;
z(i-jc@Oa5$=c9VJl~>#sd*vBNqPtr(VGYW1JnQ#Pug<Nq-}sr$t+=oHS4Cc3mU~Hr
z^Fmoa=*w8h!5s8KXml|K=f+V2ZswKQkVIeEvD;H_wpAHf1W2YN)oBOB7-|@Vrw|6o
zBthEJ^go`bKI-UMGLJ#D1Z+yA^{0y1Rmg*GJ%ICr46=Kws;b#j4t;X%B({IVdiA2x
zE1gl<E`8-^JkPg;mq;PH9`!u*jC!gajB)(r=UWxwjTNSu_DxO61;bw0p(aP~kz@R}
ze~;eV$f->Aysc1CaUa!bcqP<Ut47CwS*No7NjoVW4^ys7vVcHs55>k_!)}XRNO{YK
zS-!#o!u<)Wx45QGPT5IgB~H=PY7vMGA-B?1FV0<C6oRiqxZ8ZO)7;UXG1hs|uP${l
zN5?BS$16y^A?xC-D`))H(`1{2kSNYVa9e?m`ZW)-I@9!-0}<L;W~JHi3xTVpYy0T4
zr$-!Y?~D6l5&Y6p`y5tBxNUo$baa9_pws}t%GBk~ze~L`*=YC%QED*acc53&r^KU?
zQsf#);5m3Do~paGHhPO`gcePz$ocr#vjuN=($?`7H4stAi}Ew&=FTW}VPomPeA<j*
zIqKl^ts5XiV`%s><kgc$52kYrFURS5#y+UB>ftQ*KTwkbvn?QDXgZul_dt@Q{l0N`
zQ2HW7=kBDUX62ha`<E?GexZK5HzRto4?4MjdWO>&uO#J5dfPrVeR%x=D$|T!hR_vh
zTj}SmQ@D54kahJT-W@~&{N3*+*gn6T@k2nQK=(J&cx>elq4%&BxMj0la0JWOb{VI7
z6ezv@Fm6JPW-4Mf+9atH?3kQ$_h>ZvX-o_6I)ekC_4+)0Ga-|V`71Xi#+eQHtKJF8
zn<E7*Fu1IGJlCRW)YB8}iX>_`vWHr56^nnQl7M@_Lrk?Xuz|M;5!r<ePsB`Cq9T=j
z;1vg9bSkeeg7&Jrv8=kFK1|btdw3aKiS(X1lUlj?{!1x$+Ai*WN_1_wWuhS3{ZNS2
z577^U2o}+HN>l@s8;>&jGsy4C7jlFu+4Gh@?p@=wTj`BZEj-{b*zh#EmwXG&xVs!L
zSXKEqAvMonI2{iUnbbL=^~F2cP*0+#qoOH-o@Z2)Gq5=#>mK#z@`9I3Yh^J<rjc9&
zVWiv|V8lYegG}l1>T-YuXZD>HSWzc_UaGNXfAAcISh;d=R4O!cNIbcGKsSGAVPTT)
zZW;0FjD3P;K5HX<om%BWD<T<JgGccUvsOgcWtrM(NF2hiWYqg2uP@boLyr~o5(2+2
zT+N|mL7dEL8cV)OQ~s{na{keLyUOl|$q87P?j*-2PYOTXEFMkkV`3!3E!I|6JL3-p
zvzh5;_~<%5?=v#1D~Ej*y*t>`#^E9cnsWxLx_t11M<YF~8}$c?HLBgyS)c#hn$u%$
zTH4Kv4J6Z`jm`;C>^K>&lEyk+jTtXE2ppSdQO;TBUKq>M6@OzoBsEF}eMC91VLRv_
zCvn{@GP-_!b)0U$HKZx($PY3?uWKvp?sn<buRS{>UCHI}Za$qK*Xfw&Pjb@+V9s{C
zYP=h@BQ*~_-RojMaAt!JLgsOpUhls4{fX@kH{LTR{|yO|T9km9bJ7=uD}hhJy)hxG
zA&u>-cAk998b}uB&zLlZ(Day=iTb_;kU}ajlw?|NcX9F)5oyxt5oHlJ-=1C~22r9h
z5(QTqxJW^JUE`bXP@^iMkK8?#kK8zsj%kH2ahHQ45ns0*^cP5fOt;g&UVt^y<=H)t
z5`C_5?=?Ma{9~03?)VYefR3))CEhY0@5?Rw7%AM#-(C*^6ES#<OwZZI51n{sdYjkr
zP=$MY1iDj~KcAtr=^q4DuIMYt6B%$zzs^vx;|K!riPgr*`|eT*Z~c*K2S7AY;$&VD
zB)eK>dih|qD>R(3BnsqTWJd9xU#k-Ag;#+G^{h}+&|nUM_TJTg#+>PnOPTj5SMt;d
zm6;+=u^AOdC3d({wi#sZD(>l&)uFpG*ehAgycL)Lh{#Z#4~!l&oPta;oM6*TXKCo1
z{s`XQX)IJNrdH?vIXr5v{;eg&`AczsyV!e_8W@%=ciXW({PD)g{+kJ+5eLVN#rP(3
z1o9Zp$8EO}9(coA@~$T$3aIO1E;P>-D2B6$Mc}Bj;%#Mu(pZynETJJFmDgsRjJW-d
z781Q527edFP!XHL5hS<lGWS~Z)LUMTLh_y=lh{Y}BsZztXFp=MR`FN7ck6Z^b4?Y_
zb1U}X^`gQv?gr|kTCNtm_SbduHY&YYCWt04^w{3xB-yKTM;bnnf1V}!ddmJ*`vPEY
z)|)>Q{OD6&)E)8CLuawHWYM_uq5d?1StsPxnW}R0`sBpOGw$h!y%*-`?gwmT`2o->
z$%OUsSBXiPpb}!Aro&|w6P;0R?@Do>iBX*ehbtnZ)uvLUVR}X_CiKf7nXJyhRw=Jq
z^S%+74eVE#_=9K7zFwcrFkDyX(DZxm7+Di$B_4w|xgT<f()hDn%YoW}R_+&ZpScD$
z+)g|`pSZXkhn1Tih_x7v#XLr+_GpQDyzkE(2gMMDtYJc|GQJY<xO8#eQ_SF1Xnu#U
zx3**%ZFTpkLxF-it*yA2w=<M;$x!T*Jr4ZXh{5&2XFFCCiBw3;Ov4I}q4>peTxz!1
zwoc;X!TdCiq2{K*Z(qHdo-SXl%T+gCr`SS4+Y>m!vBWn5Me+hS=7A-0OHGK|sH3=6
zSJVYxz4M-hF2vxIGv4?d#K0y-#_^zBHU&oEeOhdn_SF}Qd+G6gc6VP0;O{qh5@NxI
zC#(zR<yxsw(CKH2%S2Iy^G&gv{P+QD6LLM=`jPkysV}$54Kpg3xsmHD4qgK%t;_>z
zSa{%c@zL*mOdx@^WGCEZ(KFQ@>cu)&w|X8nl!rD{OpbwyUOH;7yUX=uXF#?&RU(wt
zxm5y>0!8j?{r9WjxW4F7^Vm%W&sb})h3T=@HY-{J%ZXU;V(=gpF|Qm5L{IDKiulsp
zi|?5?i%!z4=G~j%A~7Lgc~MN+x`G=f|MdawRNof2Q$16hwr#w<*}N=vamS+|eYf$R
zPT0VlUbEv9kPnjT-$Be$$ya(qk|a;|!YO>}-nv=<vB~8im|@f%%dE)=t6w&PNe=5v
z7D(*D9M;c}ADJL&9td!?2lRl!<BD?^yF?(3DFNWvZljK~?z0<D@a*dc$4Q8l=2Nw&
z3e9RkPqr!P<||E#Ou%}v4W>kaCwRCKZt5TX@%98B5vN7U4=yyKMG>soTwes2I5w{x
zTW)}Tx;Q33z0)+0^_`M9Ke|up)kMdJJoP)xSKnr6(DwD~EuB(ca;zdM{psU82ZSzb
zVTeIM+TEd0C{WL5Ig;D~a8eR%%O9|X4Y_2em+k|SZ9u;ivSyRX^8@bHq&rZM|Kv3l
z;-E)NeItF0>R;-9%C^iR_a0=E+}Wv>EbGk`yk=}Vx)s9?wu!77X+UXNL}C2f)DFn0
zXP>#B#t>wuMk7>`FT<K*J|UBBSx+WKg=Lc;>+89JeegFc%_`Trznn-?lcgidO)LBA
zRwB!?)?;1CP1#c#*;kXj;~d=LH|g5M<Rzt2U#czB+?0jaXA?SL{xqY34mM_qak4|0
zd+ib8d~ZU2=3WR=lxS=9Zq4gKma|EvX3>7GI4Xtax-7jz1LePbnx>hLDiFlKjE*`*
z0X;U6Y;uC#WjM`LVBQv5BX(cmyn6*>#XG&#T8k`@_C_n$Z8<7qJ_V+iRJQqfxfcBL
z2a=i}u6WBD+SJM)T@=G^Evjm}0e`B>I@#O(+n-iW`EXe5OIle?W%)w{*7P-+9Kn2<
zg|RG_zylVs8-FEc68u$#ZvGWT0A(uDvi4Gt9S_`cqVk2P0N1kCQc&<$xav-B5SW+(
zp8t=RKOO?=Jg~dx#UB=WPwnaElY-MEXaRVnpG%rgg7(&-ythYySVjKmJ?*uO2Cy+n
zP$>yC25<ot36JH1zpB&k8f5NNPI3GeZJR~BO|C!AU~%pQJ9Zkw-`r}@MF7($A)MRH
z@lcE}2C`Jk7NK+=1kX;-UX|rUL94_dK4@jKeK&JWFx)LBBoN+_1M$+LOzYs1?BW!g
z;3j+z?S(%i49s#jc$@5(PB%|16mBCiy(E44q&+ZD1auP7-7H9@OexG!G6h;Gk^-Sx
zHbI7OP<uJu(hcjMq#yp(FOY_G_v1EN71I01)}0V5a#HgL^v34T*Bh|A#tDMiV<4sM
z8R*(UmbPIxqwT&Mw29r7KmulM{w_R!yQEU{lh1vh6d+cZU~LbViKw=S(M3;J;9NsQ
zrfBpw!k-B65x+;05Q4d~%B=S>ww2OQNG=I9i<n-V7iFUA&h(WI3>itrWB%fZQ-ixA
z^zx_`-ug)AxFhbr7?$AHqLP~TS7>g2QIwzMUW{Y-{TaZSH`9?2$%r_jgeXw}@{2`T
zdm<MF4aIT949IY|gX3?fpr0pvxvEds#fdy%Ks>~8s^k^2zp$VH>VfaQE$1_-Rf`~*
zI#IcN+Yz+O65Lb5ttF}xKX+L{r;JS3@6H1{pBowS0Z5k>Al;4xv98Gnif7Dkp+{d|
z$x<(yhteSu{Bmo6I({<oF%s#nFibn1gY$@jScQDFdwg#>5pnGarsQcm3NNyVVl%fl
z>0(56CkQV?u&@Ft;qNNIWS%MiRW|W<6yLIGARoPW*B~Z>WAW!|uQ-@rPy+KFU|e@0
z)Eh60dhg};DEfIJzOkoDePcmGP85(*7JPFCdOh>!_iM3l5STRbRBJ~-=)(vUAO|hf
z2(BT~f0dQLh!KD?BV-2d&Rq9EF9#(MH4{lZ#$}VZC3<<@B}r}|L)ah9@v1KyU{E8P
z_4jB~DbRD?tRS6+f*2=rdizINPNZ$M7^E33-QA<?g|g(SCRJCf{{+l0zzD7a92O6K
zo?`>mV!|0PNcyX+{6&niETP#~go|x$=^&eR59UFo3trHRH$0SgnWB*YBZB(4J#Pq_
zL_R=%bM_SwVCGH}L6orebr&agID06hf<5C<2W5FP_-lex*Z2d)+st2XjNOnA$6nb>
zD%6L*Kn|?lf%ACy7g_nM7~QBjAsHzq=%h&lqQ<YO^i_&`irS@X7}G`RkJ#PvnmH5P
zaFPWEF2dS}eC|rLR<n%UrTg3p0wy2lBGas-Vw~*VXLNdckH%D#n#Y1zttoCS53B(q
z9D_)b90$mOr!>+bA?;sf<u77nn&_S{*nYBSO$RcCFhe{T#h~{8A(Mme|00}kdBDBq
z5}IkX6qoARt)5zVr|XIOQm~PBSA|J!yN7z$lQ%y^*+`dPJk_>yQ2*r=X|Vp|)=`XU
zOsicjwgoc9IB)6YkYr47tf6O-WJ2HJPAO%7YdPLzzb-nLSm)k5fiz-Vre^o(nj4&U
zD&)ejCbS9vSs5Gw4p0I5VHMyL7_hYZ>5R3g6Kj~e;-FQDLY*&?Ew94>;svEp))cRj
zp*JvHoMbBYEe(S*aaBCj5k94n)V!6-xU6MuBw6nZm5r*rBLFr;`m*eMKU^s&y3rBC
z<R49(>S!ZVj$h@?hP#Vdw$0D>mbqwS^~N_NOFI#^JtXHDgz?ZvcMA6BqisV{T@*tk
zxbeZQw6nv%+@$2&|G05ge9zwFQ_Urso=uzyao^b$by?B9t=Qvj8{+$FXIGdT_NlM+
z*YckH=gk}B75{lb^s*IuzoXUZC4peq-1(*G&naX1nw@v2ES<bW0`~oO4no{3@7)JO
zq+Rea#%p(_xZ7nLP1-Ywg9FS<cFYp_VEVo!{2$kMy05Map}F0+IAfixPKOYQM$0q;
z=_*sNcZpQP7iEd6yUt5Je(2(k!!HvOtUI@-^DQoDk7O!@iOO=NoGXXzTZft7`=xX3
zssAs?#c03J&*ar=sY?pHVN68YDQ=xz`DtAh42XeZWN)tregBMgxT{Ln6SIuEI<n;t
zL_4DF1;1k4MKJH=KWtm+zHY1vo&P|z>J}tQWy#gGb)QP#N!)|DH?AL4Zi@~I{nE2&
zD9}MV@f_mJtoQ~u#jrX9y?a#CH2pA~1*Rn347L2vL5WbMA}~P(i_2Lre{|Js(ma*l
zBQO)Om<3-A-y7~)2Om!D$&M5^zQMvheKUvwygqeW;jazGCHaqg_RM?cfF{P@p574)
zGsMcwg)U*l?mfcwn!v(ld>4*II@x8Fw*I=s+Ew-e^<nqALYRgxV@}-Uug$gj-SqnZ
zJc!-6p5(>iVl1e*7KFsm_<B>K&@sFh`=}44eSrQ#NYq^f=hi)JqMr}6T5n4|LgBbq
zl;*4SoSuP0BB=gd8Ul^VI{YUcq*#V+ul|Vp$9;Xt@ou|p%X|k7yR<t!No=|9EvrdR
zSO;6$*l_TE-jxmz<wAA1VvTXpnyL&}*^LjmC}~v^-^tYxKE%~U1&@2|5weigRo^DH
zqbBG-&pKV25_Fw>23Jf#k>w|ZfGVM-fSWf^)xEd*UR;KfFIaJX0_Vix3*`#s#e2o|
zDIC+3I*yMhX$~YD0Ln9=NNCMhdXv7QTHt&>funM(1xE<0OzH#!#}P^OlNHi{NRd*4
z-WHh%F<;&tB%xMva!Zoskqu7oYT16}^@&*V7vSnzPtx9V_jeAY?eKg7!rYBK-`V)a
zgvXG=g@-UoEu7KA9SGSa4?3&74qt`CX|g<%K=whp8&RD`qmXVMw=j+u{^7YZe&$da
z)!t^1XpiU#Ugl60)exVZr9O_(CXWR`v6|Qs)y<~x{9nXATLpcj%Ddx91(qDMM?|@W
zQs6s}k{0+P`)SLBU;vl10v?LDx3JI@Pgnk^6<qPWdy-{E+^uj&O4ro3+_|fsv9?Uf
zXS=C;c{PG=o7u3vo8q4A#}P88^|b@rA61?9%#;WIM0S<p2t6e`VRoM7#9wa`DQb|{
z^x%UzVldp)>kzL)B@TGgO|6OQji*JDOw1-y;wdUD#T!vSid7n2?KZrKhD!>gU1c%p
z?PPUMJkRcGau^pIXqFHxaH`w7&LFqAI(JpY>?JaC^Y8fS@$)TDNtt?<dG$Cv{4RhE
z=c5gdP~2|$yM5|>>x-7tq>b<Ox5Kp`E-GTWx3`Hj7khWOqqZ-4I)?-zm#9hHZ0wKV
z|Hj7pqc$nUAZ%D~lI1xv1jQ~MbpO<OT0j4ED*mkV$VZPkYX1?k=i<75q3T|@C~L}c
zs}*09b(IuMEb7E=cfrGB?@5CV-vC4o=qX0XQDVP*a@~qghj!=J1A&u}+&BxZTj7&;
zgN?zGbK|tNsC#M0uLgr@5los;C`gd*N(fE)CJ6bL=mhAg^S!z&+n;!RnKYJ*QOH>)
zASBO7Oq-7L_>x(>lB<$OQPCOcJ15_m;@HDpw(;Be@Rf>TQX?1$d`MZvR(vW+(%j`P
z`~|}w17h;}>U@oRpBaZF$fBXCC*-<ZznyQyX|IPn39U+LBtmX+p$c(;-y<^Tcj1(S
zJ<0*;T{<`<A#!Pip|Qb74Z8`mR{BNr?j<qH@hIUg2qBZ(d-vHWxH*tX?T`p6roTTi
zdIq%!dzz|!F3wVfl6FM-)*f^-!keO*A>h?J-uKkm50d0tyim?JoxTksaer2i1kOw3
zGuxRN)^QtQGK3EuXSH3~*?Wm-?3X){EAcSd(!6YE)kH^d1WVv_yRPj^Om;v|p3A<k
zZgam|L#5U?C;W`Yz_l86FOlg<6SS>Vx4GPs>B2}_ru1U3Fs{@>i?NsGXZU0o+!8W8
z_P01-N}lSGX73&o5pHtot(Vt@FGMDqR4#uquDqx-3lwLL8jM8@AB3)!=p@LOTxJp&
zBMrFXJmW!m7~x%ci{0mrP6K*NiSw6-j&+L`1s;dO_s=t%yQ*HdRfnug1aZRmEIOZe
z);R1XvIz6<#QlB*{&p5kRD?IM19{`oOS_#ht*O{V<G_kv=4gW>`+#*=s&x2cPGk!Z
zxy=L@g+|xRBPQHYbJgrIeytCZhd}lYr%05G4&1T6bL#o-H<NiTZqv?>eX?psTJ#XS
zXrGpEE{<LyIPY*5N7{isW-RP6r>`28!DG5<cZ-?2$?gb_*_&s^-wvliy)U?cOKON6
zF^JY9exI~g_eNiyp1wYN2R9}2+8T(T3{3p=W5RR-^~4|jVAgfj(<&HD(`@&YCFO}8
zd&JQ7A?&R)ZYy6{O{%*Va?9!6kwwqnHgweBA|r<UyO_|_*~-|s`_K%631`vVYoz`i
znOiL@(DefqWQIKL!Fq?!Y3nMLW|<Bt{qPqnA}m+OpRF!PmWQ96^ako)?E252@OI_;
z4_&;v{?KpI+C&bAPzNkt*ve<}VSZ0UlT9+MK%SYYE{66i@l>^E-pG4|<TEJm1Nu?Y
zkQJ!;Zo{$rQZ76}Sc6xizfmnT?*EBu;RrE`WgCb;4ksxKszYgcrBd(sJi)jG;}L?1
zP9VlzVIedic{OQi(}*Uc({57lYjUq@Vq*I>%$pQB;?AZI`C`H>UEVruZsntyjE$VO
z*SU&VR#b%LOktR5u5ai|7tHxzYp<V*JMJY0$j+c%yjM;bqd1Xmqu4?6{7Nso838lW
zIqP3hQM`pvfP`cweZv;&mc%tQ6oETnCDPpQMGN0|h?edC{sesJXS{iuZsPy`({Q&?
ze7+h@Xvvy;tyO7;t6HEGX~rpo1umVJ_mKWN^;IxiNB3k@ied6&Z|&_CQ<E>rt)*Pq
zrX;@ePl<oXeOFH!s>GB$2);B(&`t7&LwPF%b1?7F;VYA#DynfHJ!Yv$$D425Bh=%Z
ztVAaTAFdmR+-<kXntCX_$AYnkgvou7vY7HvRo12qPaM8d(UcwQv1Cah<Gr|?tTIsF
zFxU11Q+|Z3RDJyhQ1nRy19+m|f9Jfrm9Eb4+s>t9iK?I=Y{ArO%lk@QKLWlorr@5!
z?k9qBcAX|XC;RL0Q0VtK4D&~5zVk24UYg&#C{GVD6y76}X0iy40tzEuo$li+1c&4f
zd~ev<R&}Wbuv-48@d)JJF8AR^P~N}o_?J9=ro3^DuJpqHHLUni)y9)^WH>v7p>mw3
zImV7Oph;KB*UC4hl(;L_R%)f9X$<*o4~hfXA7CNehWSecO+WNBRm<wQR4c)rOT>#6
zY1X;pHmk<VrD>j%-Z=fn-N5-9i*ln0yFsm&Kocfm%Qc$zs=3%ctIncI9Iq&M=WC3J
z?bR?(PDDNmFBTzrV`-R@1G3OTG#K%w$$>U-;V%_1OEFIX@`zynWDsHB#z;ikW<Vk)
z`|D69sQ&9i!GW)QrNZNgbTEMv{2_P`=!&^`mdnaiE2a0C!vsjtR08<pfp*9B7~V49
zb=ypBKl5BRGYVrGX01lrdJoR71df>Q;dS53Cbeh2F!NVUbv1w~NIF1qkWO>m6Wa@L
zOTy`0U%lv{p42_Y;lfGA6L!gO7pN_)O$kjmr!@S?(-%mXC``gSd#^g;R><V1HuHu*
z(l|8NggVqYkBU7IG^zjZpe>{U00bv+dJM!Ly<+}cN*Gf@@`nQ&f9dxed%)Mb@`#CU
z?dSY>pq}89hyoRI%XN9lK@LXi>O%*IBGRA)E7F45j{y!vL-=?lY3rHIKu&xqPW(<8
zU%V+W-$QFDNBy>wTzMLNnYp$9e$GdT7=~%M@1J9&sX7Eyh4+TA%kus)3t&Xhx#zi9
z|K?tPE~i`J!l2yqemm!pVXYiBX&AWa`O@7O2B#T~1lyMvFf~%^u-3=+o_~#wbT0V1
zNUPpwgH*M9!#$^kvYPcf`54mUaD!sn-S$sbb0}4GLca}M6=Ac<LzG$|P0e+V9O2K;
zcQ=J^4XjK(KOeVCup;oC*M7HQLw2#TKtHbb*{WpeuolbnXb)n}n0@;7>dAPd_c_oV
zTWWxRdt>~DJph2t@HKyl-P(xmXS?UnYOoj5mIqJTmPV{g@=MCl$^UC98@v)C1%fv6
zfaDWj?DFs&(Mc6<qzm(JJ!kFUb&Yv+V}`dTz4XGh;EFeDl!+EN^Kfv&Z5KF6Nqx<3
zUECJsAYJ}!#m9#<dIts_(ao~bK=j}v12d}eXYt(*NCPX+FpjOk`j*lNJ?`%jHX(-L
zw^AX0J%LdCGOO7C6SKOF)d2Go#e+aVGz7MreDrv6;#Ys;aYnnwO!ZDmm>P7YTpk~B
z-5$_&pVv?+6vjaFIl~X$u>WY&Y(4mDlLvDNyY(VwaVVd5Z}YimAN$G8dzfagy}myV
z_R{wuES7lf52q=YK*vY~f}6>K_g1>jA*G2HnzzHj2QOVyfx4gJx+~a1o1!S|<Pky$
zL-->|4EEcs7xh1IqD{QWK|t}uEHq4?v>R%=i*Yga?i=49KqP*Vq)7_@#_s&wYANk_
z;$5vXA8Y^mz!l$@rK3MnPc4qE4*>s{I1b*Yj8ew&eXUmaA7(JOmeM5~@=(E$l;OQa
z1mLP#Z(LRFf5TO6V=et}?P<!`m9yDkbH2a6;=&zG<rlA#fXVtyxdC^e4(Ve}_L*mu
zc&_8Er^wT7F9rjz-E{4@!0~(EXqk;6uF&*qKBkI7U54uArjty1^0br2sxVor!NA)#
zCNhDxWfB$3J;HmF*4_Rc)-K38iN9d%&i@3)RtiRl!xa-&i2>wbcv^XU+jIN*>lEpO
zo+=+vxZ<AuFkR~48;juvEXE?Ckk<7C&&a}<8on=xh$=6-DW@u3i7wsd5dPPtB1RU@
zlEa02+9dYY{~ZuFMfQ!#TP^n0|C$7=6(|WcA?v-k{i$75Ydu+*EUqpL?F_f|Vst)T
z3+wxMXxNqMUSW$!4XFgc0GWxFSw3(mNH;-dCtYINgay>Ldhih%sq9@=&(E}cUF77M
z1Rug#`4XBUR-(<XO`x5JxbT(n-@XH6{Q-uoKQWLrV77$4_@V>0R&VdCt(j|kq?(|y
zypB*sPG3!*O&S4wk3o~W;k4#SZ|sMZ)9hbfNUeWAM9ojg6lNZVJQn$?ubW9b;50|)
zNfD<8eX0s$*Uy&H*-U#gGGH-=6~c!W*Yg82{tH)}Azl*Cqo1pzt}ttH$Qou3V%<03
zzfqJEm_+(&6dhL)YNWAe5*4wJE3lw=8~%P%t2<<2aLfNjGNR>kQc==+pWhxACjWE;
zWYpFt9AHU>os3JLiy3(W<paBf7njfBiv6E;BlZ|DRh_<hdT}O}?I89CRCaxlxlgVS
z3*>KQk6xX-Y9pG+n|tw9nao$B2e=G-rLlDMGTD(39MX877S;%sj<uB%P&5rMs9SmI
z7RSNx3(KMe!2926U}j?}T2{g0|A2t>xy+nox!PNFQ>}d)=^sj6wi_F2T$kQ6DjQOG
z#<Oxrq!g_vi;46b1#kp@daETwZUjSN!V6Vk_s8L;q*U*O%;N%#-f@yVxTL7m7$bIk
zJ;C=?o&xEymw!;t0LDo#oY*(R6Ff>*5zZ`_H}Nykz73C!5(3Nh;Hq#4mrX7$TV!hB
z^CdideeqV_86qqs#`2iV(D|v`FJrwFy$-@<w#ZKo*b<LnF{ZC7k0XgEfbk8#jG)GQ
z?p2%Luq4d;y}D)AzF!V+&cZ8eB(BTb<5G|$7Wm&M(d+bj!4o?u<wj#OU>f^C$o!|?
zt)ZW!?&&UO7sRtx4`M7PVjVGPU12&fovOaMFdiH+x4w6CF48a^h_lJ^gF~^#1=!3M
z+DSvlk=U4I`Lx?tJo;@&>K<x1E6TUETPvC9;YKVs391BlRv;agG_19l2&mu$g=IfV
zb(FM~QsLVW{4$QxPgeP=!|{0YYmx0HrWqHKhD(u1mCnh3`$Z*jzO$HzH-2$u(hGTb
z!KuX2Lu)9q*XwfZ#+<vPvY_6<=?e9RTe(SF-SrfCOCqegM+AR}T?l~%jM&In1qkri
zk3q^yoV&^h_nw>P`C`84d5+pqMJ{uihVrV`{}Cg}wOZy;G$FZ;-Sg6_VrMnU)4`ac
z?(z=@>N1jPB}sAPKoc*W9+P;knmLX=v3HF#!jICc-p$BRO$@PfXw0*|#gtevCe`8N
z3B>5gE><>pfs;t{Y}sG$GRbiG)lI^vT>uI&ku@w<w0-=fTL`XL5<#$y2H<&)ef<r;
z4*l8y9R|JtS-y$0Uui-`V8;>DrD7PAPoc{u=RdbG^ZVku;#lNI3rHlWsS}ggzB8bh
zJO>eR0nV91!kw0M{jkQn=ZG#y17am_tKgFkCIr;BFh(gpw9OgK_H$ou^gXjZ|HC>#
z^Tg+)o`GN(AHsRQtIu=Mr`n{Zx*_mUN9-X(kfVKzX(ihcE*U?n{?*2MuT|l~I14@h
z!Kc!cxr=H|m>auHz~aygeZX!qoO9`g9%CiT!$-BeW!2nh?R9eFgOPClufs)cN(7Sz
zr%h1;ryZk@A5N~E9~`xJ8`j>tcW(gkk}Nx?BUvbhQJrJRY5UASmRU>cSkRila<;mv
zhkxVqsJgDaaq8$8N(z&D3Gwz^Md15j&kW&k!ROMkk8B$|)_=S$Q&tvk!0URrEg4hu
zQUs?r{+ub)*@ZBl!^K06EB!t{bPqRcXWLOjT<_R9=H20I99X8aJH^RrVLUN%hnqo_
zK5fpAMP~Chg2}M8iPvZD@a<1Tj$AxQK<bOmxpVbqH6-4&Jnh#edVw?`MS8TRr3A~-
z`a+GaNo3;Y>zLiv+zTAPU3qcZy<&4&lhLfm`$msC{*)Y;O`j~j1e6w+*5U7JC!<12
zq_Q`1&v#oSrRHiOL~y8Td`5yDvmoA;Mk56@AQ?9ju7%d<W?~5@Bsr{~@=+BlW#4hw
zaYn7Obn_VuAbL~JU~pM8V^3Rkwa9&cSoJewX_JI<PIFvrU_*<k|KfAT8xL}VlD3@n
zuDqPW+a(^O_+-Vu<D|Yb$8hfh_^=uS^MGrHa_(^36oJH2r6JDU6DSOX!vd$?DIRaE
zAH*SI70FTQ5=w%rajCZJUCIqQFzXjq7)@vE$$F*R`^Awlb5?rg<Qj}p@?=+W{g8*|
zjr$(6)LkV(uZ&C98EnQ&bnJT__`wCGV+|`FuUn(-l@63mdJ{(TFPgLuC~=UI!1gI5
zpM6*|-(&nA#JzV^Q){<99GW01s7R5ns3?d?S2`#~X@Y<lnu_!ik=_!pfDKR)k&e=9
z1VfRoC@8%ILJx@aUP4Xa_v`@Yp7*`yyx$r3eq-D}9m7A!-p{kvTyxGfHy%l{n7kHb
zY<!c;w9u6*+Ze9d&}4hZG+NG$q9IBeFI^L0Mh)(-oM)A`a>OkLpAt9u(WOi=+HuES
zSUJweL(-rm!^*~~iihJ1GPo_7$-B~@HHKaoS#8seRv=!!6r6H0S@jSP=-LhBYB0nf
z@k6k3E#yh>OhwY9rK?w{plCm_1#@Pp_v5jnZPR-{%kvp1Wt&QyURC4idxU-d6ssn;
zQu-@{B&?i=O9X)v$bgWGBSxtwCZp&nk=9eu9Tz=N*$<o(PJ+Mabn2rSs%||(cYD_H
z_QGdx96GIHBjhh+ljgA>{H{;xbv8u~v?vSzg2}7cobY_4c9i-qLAkpW(hqL3@F;G4
zbwTS^1qPpG(5AphnV~phaZX#&>*XYONx4O07{+>qd!lU=ZU<8AtIM|5*9E;jZz*KP
zFrnIFHrK~CgYV7<-eF%=N5M(>aO`sLzOf8>+|lUrhG;3>l{%T5D@9!IC@^(zg_Gx*
zs@ZM|8fK{zCb^u529|xrK}T`=2WP`^OFxYCztc0@d@W*3SDqOC$Qqx*C?E4iMEI~G
zFB8=FQjn(z(!^RRfcw`%K94xZ21=wamN}lirLbkBOv_`~Cw+sqnA#;t0=~#}t|H3f
zAl`SU?J+AXwS1x8#vhtE7<{<!PBQ({Vj~F=DVJl(CtWanh$ZDCPXe5I$p0~HM0j6y
zCktgou0d7n`Blp=Y(2{4&P{x8xZX85(^oP+&(HH7ZS7}SdSa}<gh#wQ@_HFtnp#t1
zQk<i=-+ez->6z&>N&T|+Tb?w{<;x3fdcvCBMb3Pr>Dfl%6YCD^H5k|N!-+OCo83Ln
zT}b4fbl~nMDHWIyzt@|`US}-!SMotnGLyA+<RswB>+;56-OtZWUB;RCU1Fz7g>{2(
z%Y$X3@bt7X{t3U~WZSj)qtXvT?0m(i`${6DJsjh`_e}|_t`G3X>5wE;t`Dt$j{rF&
zG9E@Ngc&!32{ix8R`PG~jdv})uT0(5I@eo!nvrsuFS*(0B1F4Rg={^cr>B20$?7JH
zODoh&!9LdJD$$GY$F<JL`J`QsSQH&`DQ3kfR)R53Nn+!1{Kno&H1U=H_KV4FGfMZ-
z&ldNmOVFx1RJ%6<e~tb5)%&M*+xbPtGre?_x#T`b?;y!|=AqrCbHm-F3|KedfsIsz
z;!ED9lo{E?4k-##x>tDTb7vEd!z#=kEoldtmyx{k&7gi!_F^&BqXffG7%SM~5Tupw
zj;G&ROE$PN#25O(Iv)A+!q(C!Tk)mHnrw_FEx1~-#QxOkeNT}6MFH{~zU=vOqm)BE
zN@bKb4V68p%}GJ_xgTg@nOdy;%%)WaEsg;GJg(sr@eTc$`74C9>3pH=3Ea7JAFf=o
zg8vhwaEHn!^M=BcezuEoSo5Rjj4s4SaeI`0`MSw`BHteO{uR31BB_kj$gwmshHHD5
zFSp`byjCp}Y>z4*Wr<SQ@)`0Z%3Kew_+gTF_fVgAjhpQXr{^s<?~Ux07xoheK2B(T
zG~+?Tx{)jLnnK2Lw~x3iI^y6c6<gtz_6XIs_dy+6q~SCdUZ?1eQN2-Z({$|&{BUh}
zYCNhR<oMR?XP2`|Dmxv+|1TrSWm8xBXC{T1cTw?e-zNC`_glViUhuc)mI-DC7(n4f
z5m6P-gsBYn-|0}r!R$!^{@i3ltlKnl%<`J!k7Sb)^NrcC+X{*e$&5w(ViYC#`irkV
z@KLO`w?u78R-sXb(j(;7G^aKg7OG$^%WojOccOEcD0+ZxapbaIlL0R4rWVemP@%a%
zGewUTTqp0gV2|dFu<EwjaKRU?*u|TKm<~bzWs--2WVx41>l+W-ZyHSzc25_Nd7xtL
zzZk@lZ&a7{C#hiXE!xnSkwoEr@`)amEtH;r5F(8%+v?e!vy%QDy`1S%xn}*D`_dcY
z*E_**BA-rkz}Iuj{JQ*Hvz+)wG`j7bgiZ4kGv7^#q3%yj3My^#adw<KQLB5yh0Wy&
ztgm_6UZ(PBl&HnNL%c8;PQPC!Z$^Q6$nEtkD%SIGI{Mmp=jYh@z?(jipzMK`$7yNe
zPM;^SbsUR~m&O;(TNnSznCakfk6jpm--mium_?(x&LED5Kh~vd>yQN?TOYyTvB7U0
zWpJ|Y?1FR&LUl4zf+ol+C#i|LklhzzB^C0LgZdW`)z(>#3^{P??P(7*sm<TW)=&2L
zW-LFSecJb-5<5e-_7pPTPL_T03JfWC$TpS&ncp$m<w+h7^&8^`!w(^JL0xWHCrqX_
zwfEJ%*{Xjz=!(^?xpw8J)r9-a8qx9PeI`xnB<kk3!sY>|w1}NH54>-`@^;p3h@x%l
z$Trq%68Gqewu*6C!Q~z{!9F7oJ4i{N>l=%YK5qFR=DygVX3pZPI_sZEGxtMDWL<PX
z#G5uoh&(foeK)!bo91bfeZJ{iWB#JNVyX5c)?7@RS4^>;ThZss8fy!|4<WK()>g=$
zeRBgZZbd^wqk2B8cy;Dm?$X3$ReHjJKQ^B+*mw4YUs%7VJ<8v4oTHt?rajsw0&R3v
zs^8ab{6vk#C%<K>nhrGHzu2|-4L15-drfv}$;_0Fb%C8Db(Ps$diHaq@z!(>P%*=u
zZHKCZ(+eAs+QZio338tdIEE&5^}kLbHpA(c%L<nqFKC~JdX%z+)s!UB>N4M{FPouk
zbP3Ff9TRjruPpz(ntSE2R31aZ9rN9(vI94#bn4&}2{NYm_{mHCs6NO2Gq|7VGGR1c
z<gvSx2ZPm*WbIxiZVLX2!S;}-2d7{aN=zXIzN^7+QO)_#KxWa*m*TKCB38$PG}0{W
z?Jv{}q+pa&O^xwopYAV<-hAWzG_)sZ@o0KHth-fMT0mg^r{^;K^L@+2r@)e(>QP;;
zGKA*}>$uyvnZo>n$&pMXsdTQmIH3;OqT)bR*Jk=DxNlJ}(B<EO1FNEOx}GJdN>5c^
z+K;2zMX2<rDKLE{gby<j%i<RZV_i=r9lP}dBfVxZI`RqD@f;4s@RapQ6@r)F?>b9K
ztBG|EzM7UV681+aJ`0@3O<Hv1@)N3iL8oHxYUglj&`Kyyc;GWzI(e$Q^s@tpK{5S=
z0S7L3sHQnh%FHk#tLf7vwQEDwY8;~iMTTY0hJO0~b44C0dJvH4DR9K*8`BO+Z-zNQ
z<l)_(vpqhmLUotBnKu;f@cJ7@-9Db<H6?C%P?3Y=Ik>>#r_)R+MY-!fkhFWbhtiu2
z8kEYsvoo-M1L%Og#?J~{j7h09y39V2+DPHzZ02@*y_yXBh2}_%mF_FI5Gp^q3v2DE
z1e<hLidDk#BoArg#B@_8fy{nd#whrG?MzRKi*JnIk|V9fk%XBAOzX^N{GK533yc_#
zS+nA_q0h--wVat!UH9eq2!PJZ8$ODi?GLKMBrZKh({Cw-?)R=N{?=uld5zOX3z7=X
zQ2hfj>gm1&zp;P{z310a8esTK1UX?bNRz^jTetS4Rm=HzXm#SPwNv@y+23?m&YTI;
zD)TZd3os-Y(|pOOC_YQ_TK!TphP|#Wc1{kI#Pq@jq~po>`&ai#XUvOWZddJzk{@CM
z6yIy$26zx<64odeWDY(lo+C}8lCuM}-CUNjG~)IXzLT7^-iHRFYP2nq4M`J#sjQ?F
z1(pLyfRnCKnxifv?!oI}Uo!qdT3G83njL&X3*C`}`qLE;ACo%beAj>fF5KaC4Rgg*
z8&V!W7R+|x9J^Hc6D^;urcp*$`QJ$-;<y<_@=D(#EOv84%;Kn`&-$!!OCM@RhgnaU
z5?(w-yZ-C>(WTifUxaVf$Qt-w`2FG9qm@n-i+kW0&j9E8E^{QuX%Twz=o9!)Mjw4x
zHvK_^fDaR5^JUIUwf4er67HnG`}bPQrTz`37w(yI=CR#D&FQI|ArL-ro*oV67+Wx7
zH71EN#$749y_|;SuxcN<=6HBI9v|27ntN>PiJKRgkH&juty-{*{i&995pbL{3|QMS
zG|Yx=dn*yrj8CnXX%{@HvSsT`7CUXTPQ#P&%Fm^qJXSy!5d-n}vF{H2@ocS*922Jd
z76uVQbhXR)FRqLUayvuAKIToMCgt~i6eDQ&+C01SM61UdCG~Tev3XhSXQ5f<=D79G
z`lHv_mpN>-VENaZG@d_4iRuK$JHq2NJbK+jor!%hUD#QWJ7xh&i@}rK(sGvxl#Qzt
z1i(2Nkc4|YTI@YEa~mJZ``0Aw4KkMZ4Xl$%>mCp}oj3S)U+CZhL$Tzx7SQ{ByW#XB
zC*?BW`2vo;t74`dnHq4s7)`S~vF*F-FtcB9sUM=~fgxHObtzE5qxD;8@Y4Kj$a|bx
zxh5^QQD2&dDW?o_f3WwEC12SRs=D;ztBe~8KUVF3L?g;lTwf36c9o;8nOiSWZR(xU
z0gzWOHN-S{a$?c|i_3b))6Q)Wzb;r85W1ZD6@|1tl}sWIMOwEw7WQf}3mR&cnCaz3
zs+P*`N5lhhaEb|ZggnQ$({jYOmdB@`kpg5XZIX|UY+RyE&HZ3=%wMuw<e{51eDiku
zt^{;DSP@G_`2`RM<uppQn=<caC@?ko4wtii3O-)j1;#O%v{?ev{#c!j(T#Bpo30oV
zp3_pN%1a!uMTvvlhS_r*EaNs40eG9DAcIV@IZEO_GTXYh=Xx68f1u%`c&)%5rL~H0
zxx~2ts$a?Itj)?y-%@JhbZt^ZdF9#**Wa15*QUGO#=vOZ#(cv~&@_0~g5Y43f2Hig
zSgpM`+luot&g0Tckq$C9^YPQ(1OtLqbo{66xgS@=*7F9$ylFXw{M8tqwM0;aw#W=P
z1Z?XJ)psau5T%=v(&)a;3eWBm58>&qPcqrFG&HnqqgLG+27<v_cc2=@C^vV5Z#p1o
z=6x65H`d*p<Q>%ZgjMY*E{;R;k$hCa7CP-z#Y+02kLz8d5c*oFAQUVGGu5EfGa3=)
zu_`MHo*qz_2O#-bI{K8?Y#%A0RBTJ+A-B&Re}l&M8>Tv2xc6eyow*N-O<MblXI!t9
z`+7-dHhfOs%1=I3!)fjCuE7@pu726Yb+<+F%=i)N`iWC_LxciU4{)$M8h^GkaOimw
zIIImrx>%>y#Y%AKCx(@X7etkKO}lrOx(iBN$PaOI^cwWm+p1F2q1?WT$7$O$?*yzl
z5k<R;yffWG9uDliw|1aBIqet^rF+vpR-wk!q93!vknSvbKimdJ_gkxyxI)o~%P&<b
zI>IaDFL@oMKj#o+yrr1W(NV8%QJvO>`FNfb+9hVCsyqNr0F@f2EzKOqnaxVUAbjN^
zHFyB|1SrIq`PqtddE1!6E0A1-&&58Gdt^!2=dMdFS~hiW8(eKeLo8dTS&QOc-KTCY
zpX;^9e!R`sUG67i>N~zU`mL8F)Q57Be_I|nw952xOU8s~%xSjI81H=tZYdVHxqcXp
zd9)RKHyWS*!UX-rBIoxnFCO3OHjRSp2Q>~)zl$lzf`8;>=WSp~_;E<tlLfa~Ui#j7
z350vz4OI5huLIw)lh1Oh%_TDqM6H)fSe*#=@<Dyfip(WMTDQe|^jgRC<7OG6WM*Z^
z!%;e@&6s;Fl*L0$Qt!Hg;|1<5_c`;hQ55X*OYq{hr#E1Z<5Gj?;HCbch~uR3Nc%ez
zXhFsgIttOMm*Ty8(>*iX?l}&5|9pG6JAaZ@u<1-HCLw5MOEA5%+p(uW7w5#4g>hi`
zc)LE(khs{*id`*a6RHn{5v?w1G?i*Ay`oEKZv)>8c4@ExS9$`XxfcdaMi)4=?R7PB
zsHfs`1Nw9hQ(!)aobIKioIiGJbHjgT68`eC7){KcoBTJrw2{;1L+KMya&GcmU8QmM
zb6MA;Aqu~X=WJ!PZS26KdksGkbnPFWy`-x|s3-7c>_PHT^62Ha67S2wzHhc{!F(6y
zN7KfgYuXxPWzt-5dBVTETz-3I++4f`|Fm4;s)dh>qj4c4iA=Kxu4BjC#-9ssjjSF{
zc!ds5?#{QnuG^x6-Kf<FE^t{X6hHXiUh$^`PZ}hFJ~i+v%xcN<i}e!21vo5}^GKpF
z6*m~Fx+qI@`nF=@0Mqx~NE7DRcZo4kI*2nWw<1(d`kVTOx8bp1)CyO(o}RLx;W@FK
zGO63_23bZT)01-b59+nvdb>;mZsNRTguwJ?YqJmFTPx471Z~sC#6F+pcZJt*&wZ{n
z)vdFQQqlJ5Jbr9$WE;s)N@*kfxk$zo*%e+5@<U5C_{_ZfFUSu*vRYbAcwe2n?#)Dy
z;9u5JQc@B~Sh>WP;L){^?Aj)DBh}K&>c>54kna1!o^=!7Wovuk$|;IP9+<1SdYElf
z32tt(L4Ac2G|$PmP6^3)VgwSO9NC`VYMyCl`Yk|`x@ZKD8@dM}&%qs$9Rl_*FpDQF
zswwSj8Sg<xNVMQh>qgNUmlQ!3m7|vprYx-%?6=sPd<8ZwH_ovG#bsKP^o`$yGLjhB
zLyu)SLa}<_nS*TYW4xy)T?R9R8`-exKTVu=o6&v}Pw8{O%oT*MeJm!74Ie_VkD}r)
z#&V<XCxpKp_n(B2KD=GBy;?4P^rLBs>0P;01IJ9`mGj<StI^eqO<wq>_dZ+qOIq#%
zuH%>g<T_bIcwIO<9B8i4lJDt*T<rSt_E)wzqFPVjDoOY5H6G9X&m6>uzgmm;ezt$C
z=JcWE4Q*)4J;n^f?ao{Z?y|QVcK<b!P4^LRr_Rk=@WnV8r;?y<j6CjwP;CF_wv(<Z
zX!{qF6Ahmx4q!$`3sduxXxA0)#N@#9Uptjg!-pDjYIsn`4|xARlVS8;*%09>(X&FT
z7;QD@L3N%kRL*!IhD4o;^_f{qztvY=z2_dj+|RWy*w2PAK{7|I{P5==PZ~+}+%y<_
z!m6rAT0ijOKHhVYIZBowm*`iqrscx^#@h$&P31U_mJ-=`8vhgGuC!9V*Ovw2>m8Dk
zI(dF%!n!}l3%z$iZ^pK(#B#S92UiEEZ1W!mdns*%u&+4ptpz8|r(vab@e@Jr(aS^B
zcL3^LXQ8%%gb$Ka+|SwXE3qp1?ARYq?5ifUmcFlkR`s6VBQd_Dhw2@5W!ijF_w?!<
zP88IAE9}8N;C(;5@9I{GaGk13y9seyRcsRDZu%Mek=12#U7jpO5HG&gVgF+ES$ihW
z<*GQJ#|$~2w?fB#2%q0PdydL;npsT+yZqS2HV-_9TAQ`+9n(>7)d_xoL-6LC?Axus
zd|eZt`u-kt{?}Nk7u?F1_9!6ys74<$;?+J`ZMFS~utx<)&-1(@H}lt16uDh{n%_EU
zGz&Wg)U;v<3V}K#t_<#fBPB&CZLUAE!=@>rD;6Y~k8s|a(?f(C1Y`*K8~9;+ED<GT
z!s&&DZ#PSKddXxf;7)_3x}sRkIOor5U7^WXUjwYLnU}%bq|A^iN0<J~nMc@YO9Pp9
z4%_x<TQNU)%(`)L1)k3^USGalhxvj%a?cLW=k+Z9U!_Fd9VziDy5%T&sMDvRO9*za
z2QRFEHLdUYE=A%U%n6+GL@?vxAMiQ>Sw$H(?JUHhI~ga$>6|`rlMvX~ig=R^ELWzk
z#)6Q8b3P7oi~xzzS+nZ<0Nt(4JvEXHC#w*gXQ^>}Ru6<Ya$bE4NsKnC?QXb!<!Rxf
z9~r%ynv3S<C>2J=DeL6ShgX;sMB?~ndOtsesM)vG^DnSEu<VSb9jY#WqEG=(Y(kB+
zn6C8Of&Xu^9&HHIz6?-c$o<-%fS{TT<u9YWw`eOP3ml}#m9N&snBT3(J?kICi8BE;
zs~3N!s%#sN-kmz<?><2rHuiW>Ct~o!1Dp8ONiltN|6p~rS;Kw~<hc}|nX-me4b8=<
zwd*wTo5TG<<AtfD3XGyY0T&HAV$A0JcYJ+ToC1HviY>fs<bc4-8{viS(<oc@jC#vD
z<oU1{Xk%UTOCKnGW!x?*Fdr<bx#}Wq)0}YVfajb@#`V#cm}334L_GJES#8cqSB@O8
z*ZU_w@#PcS_KZgz80~xHo++RVb7Y@s)&Y}A|2_S8%)2+M!H(^i7~Qwm<jLd*m`qMk
zHw$QIm=mHoUk7T^G@M(vQ-RMpzyr5pV|E-f;o?3Mlu;6H<p5UQ11~DD>S6|bKuTa?
z5WBBp@Los;3q*0fusiW;-XwR_@<vM8eswtu;#lI(Bs2QETQ9u*vgQMC5F8d#u*UWp
zs0(qgq9`zvICP@?4G&>c-)`q{0fVsu<CzcmLWl5WUl*N>=?N88;WE*)LKR-E=@vI?
zQz}OMR?mb&bXVK80t!s9PKKHz_?rBD=rN#P+N!zVd>0`~{Q9rt{(S(6%M{;@+g0H(
z<A^bTY>y2HYnI`=(5~sS(UsP6NMC{3R|e6~*<B2(xM6|#qVTzjHFuW2t%1Iq;XV#w
zDf*d)Lh#bN&fU1&y9RWk&w*1-iCIvfCgckuWI(*Qf$TbC|GC(uzkM~BfT`;GWyLNq
zX=7!N)Lq{7$wlsAdqxpJN4^}2w%~GHg*nP+VJ~$S;0iF$nx8&xx1peYS3!BA*p&i&
zVUbS#fjPxt(_&s|7(ADE=_&*|qz6}-t~b%Kw(2Nkdt@7w`2#^$E63}rud4Uu#A?^o
z!2{PF%?G;NKeco%;Yw*0EXk+58#?7##?$ugsUV1>UZYxvx;bUA^65T`dJWbK>?gk@
zs^*zQ(TAS9C$9OLEGs4hRAu()PE3CZ&OrZ@s*v|enTO4AEwhNznWz*Fz{O=a5g$4U
z6ZdFcSYMcCj6bBvQN}dG0uG(eTp+vP#6uX|$)YQ~W>~5O{z?WAMB7Uz9LwsL{dg;N
zKtZq8vDu1-Ybe~so-q<XU9pVUc)snepbg-$EIvqAi`EENr+)<_2GYqq$QY2K96JU~
z*x*qdW8l`Op(Gn#Lhjo&NceX+Tq<9Q9$sDB8;U$V9!4uqa31c^^K?y2)M1yM7^>CL
z*tXo}UiwSR?d1=oNu5z-@w*P8jmXBbbq~WWS8sKM1UoGYMUIyPqdpM-A75ytI#=<^
zoig0#@XH<hZPWXQ`*{!gkTHmV4=_%Qdo1#j0@ns4=+K92_qU>{<%?G+kZw|A{m50f
z(L|pNXi}JvKi+~o*i1geb&3SILHb6eyP@+A@pW?)$?&ze=1U?E-}>(W9Y2%L`A4|>
z#>T?-gsvAYwCQc*fvLZC?Y(*egCAlymH8qOy0hL8X@G0(%1rP6Vlcl4{#;$0)&!Yo
zD`!X0*gcY@5Z>QZ0jrR8lSYZ10@J8J&1j~!60LfYqu`=-b-N-|kRM1$KK_bu(5G%a
zxO#xv-hn<GD#)Gtg~X|;4_|^PvXdbe2s?bufePgD8;iAXs6s7Y+W1k(=XY33aB~YC
zf%8-*cC6Qmn?bt}7DulY>;r386kpEJ`NLiTT19)8R-sD>w~;8*A&+ucxeQ65<2wf-
ztB0kQ0u#Sx(WyhWxOQMRgtyya{Aw7$c&lS*!Rr*6sh_Sa<1wR2ut4-i1uok_TLUcA
z$dI5nN|-vGNTv0%u>wPV^cAkmqhUdfNfOVWWw~%t>+q^qd@1CX@I2&iF0AaGT7~Z4
zEQJd<AYQM8n&rG=pyWNcACi7qPllA8p|ttza01O)uW__-@DQ~1(7w-h@inBsAB8T;
zOW?gBBc23h+_@^WAoroCV0xK+OVS)QBgtf<r2VwA+HE+EwjnOC^gh0r2OTIk81u$)
zvT`R`3+pa+V@w3h?uRxM{+WFI=H9aN#PJvBCUG(`ITbU8(gjzpL%a<5LPF@(tCDSx
zp3XKu^1%P}jE|g)#*3#qMVM&wry#-Smixp#`aP^(qvM&XwUZZy1=+mRN{O<5t1Wk%
zHk{P+S7JUji7hyGV_tcid!@TIK}_7_M!&Mp^3?k}A9IH#m6LJzl*PP%5AtXECNsKE
zcdJZxWGCw=#H-HgL|v2KTeFuRa@i>J*IcUQ?H*38=Oq<P_Ph>pFl(}_exdux_V(aa
zKtq0EqH9IWWvd-9qaOGdmy_V_t+C<#<G_MG5B#oN!yoE$A$2w)_;>h2uQOE_Wxpow
zr_A#{=4b{P{m=fjr~G)!nbV+19mm3B$!sSL1%_qh2Ln*iIw<s~wh>9^M=G0r^z>s}
z(ys6KHO?vqal>)<rTnT>#XW!UPL?hy5hiF`GKGUr5vmPSo9a>Z2{mzS*G{EdH9SmL
zD>QSp%9Pa4?hY_q2Yi*Xd6NL9k;JL#wIwFlQ|zYD3PkmfjbdDyoLk2re0E}1y-cLA
z?&NfKmPfxcPrm%3!%!)n<k8~cV#QGdWDhNmzAk)i#JFPq;6!=E&~$zz?BrB2L=F0J
z0-4q(B3|_2lKobn>kgBv(4fqHic)Fa((d@PpATWg5el7$#)CJgu6T*-Mwy$ggnFI+
zmJJ@_A+lF&@ONkQasRh<stdJWO5Y4}azkdrn`JL0g&{iNEm-*b3#0EV8`PZaO51lJ
ze;u;R-o^|MVDNn|cR{J(n}i80tB^~D13;2BQgQ*@980bfS~<gY7hLuw7<~C;^>O-5
z`fSTsp;`<0_U5IPenP^$B;26Wk2It1lQ}gkmy@7TY-X6k?RE?ggBz&gIdT%(GsP;B
z=VLzgv}8-+lk?ble74704n$FK#}+0Im{&eV3NcS@*u$o4;(gU!MvxXs2I+d?A+jGt
zV*Lzd1YfR(=_n+n#{0Dvv(o+q?bvVM*AxGB7P)bGhw^8-zS>nUe73jke%?h22yhc)
zxPSa$5<Z6gQMA$CN@2mqPUbxox!1pT^V%ZadKL2MRc?bv`JVhJDgH-~a_q>Fr~lwF
zrf!up_jxou#31nH`g7v~QR2g<#e>Dh2T+leHueDTBZ9qgKg5O*@vUJxr1iIOLSUCJ
zI#`18zQOrSdOHb)385STHn*lYxuy6ud|Rufh907P+Tnx?bu$YKQV9(52*VpAqjR^>
zZG%Blm>jTilug~EG!BC^b7nrctAS#dl8=hxlKxtR863Sc(N$tUewUN~4H*aq|JOOp
z6k}DGa{a-SWX`oNToybh*mIuv6|GI}+N&_}jn$Ec;^1iw*cK}9ER)+~3&ubg+`6D>
zLJPLo8vTml;(#u#M!(}DHH514@V4kUeDLqfB+&8RcT7-|b-eruT*4lHPP=vq3#<d&
z=-pa&prI<~$3p`PbsfA%j?iu6*V}uVCGA|PV_iDD#GSsf37qM2@Qecv1pOS7i?v4-
zdvY9oipK+cf=eToSD75U^j=HK?~x~7i1pRm2XUgN*m)DdY^_O`G<ZJM_(Mki)Yj#f
zM@utBe={j&K0q1xc%)Lg0Q}vQhRaw&(FSqeKV1fVCPVf02*w11fIL%aH;wR5(KDr!
zR*AtAd(bd=_-Mncp(`|unUcix>&9+-;~#;8R8I3gZ0MNf!RdwTRxgo)JN7jD>L?YJ
zYOnc;V9Z#2W|~cVHO4h&?l4`eFhWBYehw^Qvf8cpQdN+57+Z-GMX37k95Y}Q^a+q`
zKsUPiKkY_;e#{xKM@GeSAzp09ob}&?A@GQ$*B0p$B=9Hf8DC1&6&JZkO|&lx3}JdK
zxw0!w#QKOonH5U_LnuAdnWCBtkwl))b8ZH$EjISdCU>A@Yc7}qcLkSAeePYxgt8Af
z2`r!~RO3R@6?;uf+>h2EDQ#*(A~g*%4U^-MaGe__?G0Hh3QS;WaGmAR)jyi|M!tft
zP+to0yNeIDjAL9jHYGA#*+abOsHY=R!%v^QLHTd%zR6QOE`+DhPRUo$rnrWW|Hzff
zpB)6`%d1Q;%i4e%QFTl?EFM1jiJdW&g+7~cK-b>Sl3f_u-N@a4x`&3kx!Zr>2(_ZW
z9^>E&t+tQ}hV26NVSn=gJx9~~^v{45`@rjw)NR6992$fD|78sBETU~T^JxgizV}nR
zg!Zn=qE8Yc*>)}LpYWKis!m3(;8pMqk*3mJ(j)W<vEcUGfe>&I)MmNE9G4gbd7XDA
z2I*hB2UgWTMLm-`a{UvN&Yispa_MVlT-Pjb=(P=nNM(3?{4(+;5C*OCS0itcQK<fX
z*`)m+Op&$wyJvSc-0wQjmvbHCV}JW7fs`kH`0;N|z^ALGeh;3@e4G-)ai#(NhGfyG
z?92z2F~%T%!UT44ImIt-LXjq15U%A-3ON%%YT=WGzf<9?Or;BcBKYe4A@0YX;w8r%
z{f4_0{@#78%NqOOI9ScND$=7`4OB8c=t-5{iVb;-G6KRnfO5e;u<7*F7*$4v)psJA
zab7c5)>p$A+X6Mm3(FWdT@{#Fkgwi4#oeQ6*53F{B@nS*Q7{^ZIMTNgC<th&a4QMd
z#;)nHj_6s@#voY|TP&(yMYYoY93r7Fe=-6aZR^2d$#t)iLO=Hxno+HMbzyd?lZmR9
z`iSv?FG?SP4Fvz-WzGCc(I@U}XT)qOc66X0oo|L+z(=@P_lc$O9aErG+Gs$#70H-`
zQzrby6VF&NzZ`~`Oj--iL)GI1p*2}LGM0bNS<{c*RC~DtFpHwz88XPG3^s34%je&)
zafSV}cKmNW<bwbN6{TN8P*I#ae0|&GB?(k3W<mXgr%WljpYIR9C@ku~w-}Cb>I)5A
zITu^3J8O31ro}*Dbj}B6!HAoqz$ip%V@;gC?mZrUduimyUe##e<vMx57gJ%-zQg9}
z1)wXg)tnn`6T1}HrmMyk*2ZCzt?Wn(N!bzRegXaQ;$PlAXiFjw3WF`&CyIfKT8oFE
zb<iL;;%Fd#B0ocqAZ-v_kU7*!kze6}S3xKD+dR@aPyKa{L$gjdgNJf%GU#==*T4;P
z4<!5?bnFs&Jbq9CkPWf8y5};0-h2G%{riyBbzlB!A64kQ%WIA210t+;^JQw}CF%%~
zzg(ied;-Ye$Ndc-!84i2mon|@K}GxbA;10W5GR7wlFRp!2M2K4vJd<I{N6XdP?sZa
zG7Fr1K%jriAeZFS&2iJ<mkL);O8<}Injh9%j5lD@Hy&>#sO^zcY+~S23g+O^Dp{F&
z4|sF2erg|(65VPq94eBrx#NMe?fit+OH@_+eMC{lubLmAZ_dP0`gFx#>jZ{WLzInH
z1~)+$(PMz<`%Vk)7($6He~UqKn@vHIpWx%2J(Cq$YzBkh_7Y}Yztj<R2fQoA+xZg*
zzY~M`_eN$vFpo5AFuSrSXt`yx{zV5YCasbY%ON$G5bKpUVPK%IGfDeC%kB9hKFkD8
z9s2p&^I5rV^6JH3FU%eXTXV>n)aQHugr!vsAQ0$w0s?`yvH}DxG6>9Kpuk*RF!fj#
zd!Po)J`GKA`g0Qt!y4mbiP3BUS*QtYho-<{81Rlw-h8~&>|b%M?ydE;3LhTH39s?t
z+e@3j_qvX9t>{jQHA&_WruxDqi6)vO9JU@)ol2(XY!UgB&&+VwMztf@M!Bw26qUG7
zi-t5gv`e?+NC=GIdKdpVfPI)55ym*5k(1I3PZHG$=6#tDp3Pq&XGR>91m*?s8)Fy7
zS*22~97763)6rC>C9C{HzM}=En6!H*r!~tWS>lPnKRnWOzVT!wB4+wGUUIb|{&tMU
z%aI$kn<9-CdmO1K4yr?)Lu=M_#u_Z=#B$Bl$HPV}H}?-+qm-@wqP*$oUqd`vold<y
zj)(lsI1ctlW{)Tum)h|K^N5>XMum0mB@;wP0Q;gUlL01`o_*MvZGfG1jsjDQQ2IiF
zO(Ar-`nKVl3-Jvf(DW5aYP9mUF^DcbWq@U_SKqGWQp^-!Us*nq0UYJo<`p69CVjEM
zQhK_*ni5`q=S-jHV!NvG1G)sc(J6P=$p(+3!wT!Tps_mirW2?2B9DvwT^GiM>IlWe
zzyrb6*(Uh{<-sqCEY%8R-(a`un-;zjk~UMT_~|R!8PYW?rkyoaWsOnYO6C>$CoH57
z6PccTMQ?Q+vn~fX<xd#`UE~xA{BgcAbMO%Lo}_Vtyaz$bkqViya->zeEl(tvKd27p
zQLBP&^z)eaEc-*>|6<4z_1wST@dOQd8FlG(z+Wb9Jh_~j@B<PK>h{FOcT^1GbTnmZ
zp33itMMr?UXxeCCfx}VwS_$hmI+Uhq?&jh#EaWZ|Cmzs4B=4vu2Ypy3WuL&h%W=Jz
zSqtzy7#VjW+eCMAv@RZqAnzb%_Qen{rA@oBQ+tn7yY*5}qRrB~SJlpvTOy;EBv*J5
zzI!{VWPkOvj==+A-BVp#gT+H2UXcDM!enmVZhc;X1GJ1UJQVfjs2JA<nu_A6MV!+r
zq2>zC#J!@J*8fVE!i02Ov(rKK;}nZ{E?0Af&wa=I-$tLVtqTOlOA_-dnw5KK@>KNO
zFBae*@i(@s-o^h-)oYjVFYqQj9E&_wHU9DvLo$&4n!iVwsF%2tUOUTzr4OHhfOgyZ
zXr^G8*{5HCT4?(oVP+Gj2jIGn?6Si|b_qY5Td#W!0ps~oIa8kV#I~2^Ibe*fws-0n
zKL{*~CN9`pTg@6>nKxwb+p^fOjIqALD^PJ$lBvt(1gzrXgSOw2tL>NdLmJ+YZ<$(b
z(E)HkD9M%o(f^|Ick`TUBDsnj`~R%|?I-;UeAgCKKTd(1ZuN%fSY_+{ixC3)om*Dl
zR`_)iBFwl)q*=hVF<@pu{_=t_tzqA?)Zhq{;>P-qi1D^21<~3Zc(OpgeNWt`=g3X{
z)W&1g`MV-^vGYq4G6d5EVkDp$6>1@FI-diJ5tUNdV1tAXY4fFaddP)!LHJC+YTam7
zGPFB7eqj!5<pEuElyffgliX}U6<Uff)<qqv@M(+hlzWtTZOO1~6YR*U93K9y3@#98
zi6yk$L!&1mSiV@C!~XIK-FAOi{PmWpdg(6xB`nsz8fds>&1EV%<~tcB&4wg>!??tZ
zT>>&(&qFEwkNNAoz&4W$e3ad03GTw%w5{7V@>~KUV4FD9H_dnmhs$J~9lG68!xAWM
zbS@^-0C~bWvDR;6SvNE;)^>43%aCbdZ$du3^M%eZ@5!0?+44vhA+v#(&or*^k>~Yz
zu%QJusa3lgTg<M`X9SBQn_a=VDFLg^ZUKC}dyzEiuH%%%;>trWPms}q|NF=1{1xv&
z=Ht)bxOPT-0VlA<8zn!%G1=P`K=Q(F?`R%ZD71>D<^H6~GRZL@*5U0d#lY>C_{>e!
z^F@AK76<=!l*fs`+|oXNczWyB{7;Ro4{jRI0et;Bvk7RCAxSx%WD8^N+ppH_h_V@m
zpMW|ibi4%;EK>++?K>NQ&U+I`Q;VUtKiWbqv0h*IHjK?HU9tt%AAJ*(%Nh|v?{TW-
zm+d>U8a;K!AGK0o7-d}<8#YHKTYtvYgyA>d00XufV40GF_7G1BZS^3^)PScd7P)#`
zr0>2D9)n?x^8sHSaJVevK9z7T0#n$UGv;={ZN~MfbAN7~7sej9DJ2=#l_AmRW{naw
zAE#nIJ;<@Vn+0&b)Ney_eG|X9-_W?=%^U4%=LcjZ;+icZ5g03+-arE?cW6w+G7H@2
zijsV3KJMfo=i-eA-|PMSfrfh`sS-{7JQA!8LL-Bfg*r5n0wn;9q~;-I=_D`xmp<n`
ze~a>j-X9R-=3a25ksZ-E&%IJ*AuD??UwJzQ$NX<<S@+f#N`OBwDQ*uSLwtB~Frz9E
zuBPW8;p$J8I$hdktD%p+YxKa&8Ry`nWOfiFZ9&Gx)(gOn-EvOBvbq5sn_R|dp0cUv
z&_Aj%72zBgpx8^avN?5bR2|Gd)Tuum=Q5wBaYmnMKpb8Py_iws2#6o@dcUU8kMj81
z;ZT|BCN^;0EY*+~fuO`$^{;{wc=dmgu0%dJpo1NPw@Cv6KDL@3u-Dhr?tdMYdR?8U
zhu^j&PaIL4G?o;7p!k(Me>DFwe}o|0aUq6i(*_&z9u<i7$;$b?z?{_4uvhj;BA(ig
zE~{>igRR@>$o`7l=7UCj<eiz1?;ku+f>Db?4g;$(tBwdTyDeMq2bcwZ=?<c@^v!$j
ze>Qj6Y|-um*%i%E9orD)pkg!#N&$O5e;PYjC@|$g2f^R&Kt4CHhTYj|25A6ugf_oS
zZ*JQ#Y-5KiV-<Tz#f9AI|IYpX+lK4>U}to9ya+EKE<=d-&kI{#2vmcXbPa`*8Z<y~
zQiSC{J27B|A_YMHNB;u(!3zECu}3d>4;qtev!ct+c>JOS4_1rQRtEO96^jzrpW2RI
z_^HV|gA^;|Jc9(rR-UWtBLU`qeQUO#A<1SvH$)a3kr;9vcDS(fh==p|Dj+=|<R9t*
z%cze)NTSOIt|Q2t3+QUwG`@?#7ky<&HyyDnkWKo~9pj_>29lQmE!@0I$GOe*SSZR!
ze{?s<lwsPVmHNSe1DJ8|o=SL#ug_L{_E%PDPKaLbCI893|3Cf7-?<fK5bKOf!$qHM
z2}380C{2(L9Zz0uir7{EM`ZHuDbQVp)IAnz-CYJpdNqG5M21Y~6}9TD9FA9`t#}&o
zh8DKkKoz&A@GE-H>jj$+(1RWkVY?>?hzM=y&%UU1ujnZxE1>|Urw~7P@o;6S>$eYm
zDxO&FNQ;MqEr*^Lux<-`d%=tTi-<lT?D3pEs3@px59i;u7BR>A5N5O1J9amXF3`on
zBJcyo&)64^?e0&ly%6Z#M>$W<qj?~(!zycX5xduZF@7b!>x2IMO`nG`?v!)({KqFb
zkx*^}IVxg0&>0eq#K|>Lc%$ETo5v?+Ju6hOP=q-et{#p(3Vi;^fAjgP{?or6SXvKw
zjPaWwFCi`n)IZyO>{b#lULK{sbA|la@BY_gcl6bhv-5G($do~D@=g`K4IcXuHql05
zK%cdNRZ13MPIs@0vc+Mq0Mw?(7?E7oWk_3Ld3WFe0?g_h;ct%)-q3I?=MaK4*Yb8g
zz!1T}qTu9dCYE2F(SPVYtu<BqY`bFeJ1&k=$lh;#QGRyyML&hwzJXT{?<`qXS^z(r
zF)z8{J{S3$!U=dHoRCn;KgRa}<*;7_QHRjz3uMcf9ga1H0hx)*xY|csu-Fz`x<JhH
zV+}_Ab^(w}2z~#T>n8@}&^L|3f=aYgb)LO2(W*wHuotp_rS;HV_EAzqk-;b*C&<DV
zB`(u)lU}#-@%T;*{>%)Y8&gpab@jwnh2agaZl?kU{q3xx4(jMN`|Uo){Ev)HW9NC!
z-!C+0t=OU6?t4^ddMTBgrfXUrGim;gpgVopkfP#vK0Nk;`M$?Ls34ogk&BuwXSO$6
zPO~}yN?7eEa)T-qd1d?+qdZ~mcl%Y(rQ=Cz(z4(OAVAO#w23<Zcl!7BYXA$Wq~&in
zu4ft46d0BXbx2BU_0*q;-aTjQ+{!<|W+7Q`p>%!6$o9Dh{oH&5_vF6I`MPK+as;2r
zqW(sF@oGD_>t!x~{FBNceIa5Xwe$x&a=-cz@W_swa{+ip0nn>BEmx-*W!Fz8tI4l|
zr+Y(iu;uwn?(w;_ApVN%H)JEicgBAv9Aq2@Nm-zvf>H246x7@Dw|+ZSoI_56bV<i^
z3gLDVX@mQK8P5^pFaw9nTWi5LK~g{pRA24M?h>@4Z7kZ<<Z@VGJ*Lr3q4_&{CMMBN
zfvBn?ALBhJ#o4IaejK_Wy1^%~`zRqTifdT(XRg%n=_&+jpapE<FMLVmjw^-l4FwyP
z>OpF9vTKgX+i)HEH*g)S2?CCpF5hscYK4QiBW13i6cKoJ_Ry<-OuGgI{3W`hO1uT2
zSR$1C85Sw{JT}5+3dy@Pw@Spbs?hQ8+;bMMw2~&K8g+UGaf~PZ7Aw)^GenFDITFA~
zjT>Z@Xp_&q<p0^Z=RrR8-fyEu+mU1UKK8tgcek-!HuV9<fg6`>Z;Bs9e)3Pg4OZ^2
z!CAD(KCrXD`9O<+?Sm@OzBl^E{xAOS-C=-PZl|kBhb~eO59jY_;H^nv3YjfO83v@N
z*p5XE-gxq3f1f{o|E)(R&@WIsM#a<zqX;GsGR-d375Co^7Ank*MZDo&8@SG>W0w6$
z4cHNqsuH>5hy{AvxLM(EP!M1~!CvojAu)hKKC8IB=I15rRv<5RTx3`}RtcfdXCM4w
z-8MCp5qKM)fbOzw4+UtKxF1T=bl>91Fyj}rn6h5RiL5J6w%wVhmf!1@8Mb4j`ZDO<
zr#rdEdYlF$Of9nLAK{J0Zz1**^Z0@d0?6js%)!Ui{@`N~&|H?}{J;A-W+JP~(g{}s
z+9RHZHYH>$AarO{HWe~_^o1siwHYU}Rfj5h!OsG*4)LW+!il~RkJkJzJQ~PbEK_9w
zseqg0YjLn}iy@_Lc6d%he<wMqqxtli{;SWgmMM9z_44@9e$J5U%2=?IO0x}5Wyrwg
zyk0lY$Jmej{D9V@C_&88PGu|%;*!oT@)K*9?3U?~Ac+Wd70PL;cYbCTpcn(Nu-a#%
zc%-w7UB`$`X3>tDF&8)mz_n#O`P=!pzt{L>l?wa0w0N;pma0T1W<T_HXs_tAzwRR6
z?1S7iCu^ctkTxKlO7g(-4t|rxqPjB2H1{fVo(>(q5uWscNvgR$-A~kLBk)g30w(1C
zc(XN?N}_Z&AVv{jFtBQ{M@gboR4{qdDA!{ml%-Ez;0H(<l@xqV{}Kq9$y?1WSL+9F
zk+&T5o1GX`F7!WG`y(rOH#eBvaKyx04jpU`gv@vQWNZ45P+&|XU*BLDN!~v?M+c?S
zOgzSTK~cncFaG*hU4{mXvF_~w19-eSC@?uo4|RSoaQJHIUXtJ4*_4deee9#eyS?{(
zZP-)&=;adPo4pkqXH0kE&=h`9{`^ytt}QYHw0)?4#IY-QOm|MNO7=>pD}1nbR%#Qa
zC^N{^f6sNY#HJC?niQT*51itsvmIi_)Ii{uf^`>$4f*MPvbh=b6S0W>AHMS@$Uvnf
zg7JSUvu0R;)iAm;)$QV~1an*(0#nJ7oYKDDKi*MKni4zR7>Kz7@5pTzu+5dkx9)gl
ziM(}!I^%$gT7qBue5YeL{0Jf$<R`tRFE-#Iu=HA4bA`EGv}a*%0er`&az?3dK_HsP
z*Mz#|@almFcD}Xb4e-?$LKtdlC^bg9b~xAq0S?<aj-P_Gf3a!$cL?<QwWJ9)01d_@
z{+MYKc>w-QoZSlt*{nPHe|@S4S``&{%=o)A)+4<6nRNdS5YKomSzj?@&DK}1EURC$
zB-xWA`zA5$&;WehF)u@w`6GPY0(IV0S}1F1FUVCYZ;{Me*VTcNc@~FQS4sw@W&#)N
z<H^&36!$$TFdZyI(?J*0z4C|9bdXvfSL|=46+3HkJMPAyh>pKV375RZsS`CLl@=ib
zcicH-t2Nc*8eWmX#AD{a2NM~9J!5{48{76F0I?Do1K6E%ewzS5a_j_qb4aLDQGlxk
zq{D>9o$;3mS#~D9uno-aLPCl3AqI#rA$Y#Xw6`R`z_r3UKWivG%*utszJI4O+!kVb
z{1}`*C~Fx@U7>r85v>iKzWs=)gi}D!AwfUS#0;P#z>DU+DkTraLH}$hhT1_0M24Cr
zZcAZ+&0BW{6vTR50u2Zb-bvha#PS}XUfP~;q<1HrRl=n+MY0pwg?7Xv`Z;4pPw88Q
zNV<q04ND+LRmxAqodHBwSy|e4CQ!6HTniRxKZh^@c|E{~|FJcq$yB4w>?~$GUd{ZE
zcr~-N<hAgRsIwsPhs)haZhgKcAJ|^x?G?EIJI{smyaX>N(hBrnb1<!;0B;sU{^{cX
zCqG@@OCL7%ioe~(mv80++VG{fnA3P@ADX^%+84ngSSOrLME8k&C#Tp<AqjSJ@JSUI
zvW#v#7HF9>8#VYsB2_*Sm3kdyEP()%J*@@PJ!yBoQx<3Fm}h|95XieL0LD&eiG22j
z&-3M(zRVTa<w+$)7`faW{-2kdKOb9~^q{GTUX(U_*0xS^<s-E3+jI3z++T*2(S6uu
z7`D;jg|+EL{UD4~zc!nA>@!10Y+=}5r_W({>Y;-;w^im;@$5^$ky4719sbRNO<l>y
z7R|Q=0?VSu2M|Tm0=d1kxr6~HMOhbHyg6cwZlUGTD##gx!oS(cF!LFJYt+s6yVT7f
zW-aC)GHYN!G^l|Fd2|ct9x=9ACX!=BaU*g7$|?vzspNP@zp!ni1SFN$0m0t=l)2>N
zP5H+F503X0ye!xU8*(FeyL-vyv6}blVu`2Nf{H*~8k9-=dgR6^X~>+1OPPN&<s#&>
zG|Yx872>_9!UfGk%)G#YpFWAVJI``ogZZ4Cgv|Wi43p2I*`^!j#UsULs+;2J7XT?r
z7f$YxaU>7Y4jjA5i~{M|*kbE_lW{7K1#Q;T5LqsbRGz<+j{4o4JGz@6I#%ajGsbnV
zKye%MS<F*lCNlLTorqn}FTuT`JQ`oSsuIAlV<w&WhwCCz?b;cVUcYW|>H@3uP>_Fu
z-5){z83N>?j_>ec#e9>+3vEWA5y4vXPQR{0uoxV-r{1jvk`KN-5m54v1VAwOXs9md
zpQ^$3<3hZlUkE5F|Gi}MIm}!R9%8tD3|0Yb*3oKY3t~7!+GPuToF=n?egevm#H<y!
z!0jhxElHZM|1=I6fy#VVT0wY+7^OXGrKc_3r!Y=+zyU2E(HwZ-doG8+gdH|PD_Sxa
zBUo>p^jWsbAoll^@ILV)hXtT(!73Y4X1kj!r3K$*7hS-v41dE|-Ge6ZxG*s8i>Fo1
z_sD{{i%&G$Qa9W4{Rz`vH+hOb`l&%WDM%%2>`chG)#*H>)>gFFf-^D=ZQzx#m55y`
zVtP?QZxHGJuaRZ#^W~Z7(zr(X%<Mz5nG@Y*){M-oq{|PvQBU5Uz4_ZSwCy{{2ugY2
zF8Jn3cbEX8D)4xe*orax{KEM}Elbg^b1^#xTJ^r3>AaBgnOx?8Hpml}aLU9wa;6Hz
zq5e8|mptcjw(q_ljK$+R1g1=J+HCjjblCsq<)Z$zO{h8l0TjqiiWp)y&y$E5Q=pw-
ze8KR#9kQM6dN{;Fz49kwfArH+!@GnxxU|J6hu&2iZ}%}e3v90+K6_~v)g%@|n-W(O
z>)V=+L6W44i)V+cKV2l;kC!szv6fAo+N$hZn)di~N2Gi6UNz5nx4lymJ8iqBT-aHJ
ztb&2?9`B)S+*lR(9CKf_Z``X4>!Mg0GiApfvs<MxW59h<YlO;ay7ze_IyXT5i5&TL
z-UC8`Uj>M~I484E2f0+){*9jg4icSYe`!f)IhDO2Z8|kdf&F%c)MOqI&ci<cRb6^4
zf!!9@5XL3r-h4pH{K{kp$;M0+xwGebzguGQvY%hwUq_jxqrJzkD3CDy60>|%aY<oO
z@ybAokt}DgmJkCUmkR)UH0|%7KP{)OSRhz$znPW)*_#nv%b(>a^<ITO_AtB11Le7!
z-F(G;JU|n9$$>J1{w0jKhfZpbipFB*<Yw+qk(!p5U#eala(2VVVZbU-aA8Y`m&<X3
zY<RG|I!ywD&+W8VW+jG>>}%adL#sJHPAOaUTOPmp#$V?|KsEPAXGmy@*89=G13%w6
z>HHuZO{ce;ZXMT?ULQN9>YpocgB)|_v@Gyq(IkHGKFEx5E=mIt1>kyl{>QF!Qy(@R
zjKiyr=9e^&Ej|mc8~d5Mr{x)QUE25bio}wwUcC3GsY<1l>$eA4S)yB4{5GZ?yhqmf
zZJTD~u&GV?SZPAL;6!41$nanQDa%KjsO7RgnYbbK`g=Os?C3v=Gu!gfaQgm?IUQM6
zl}_MkdJi1(Voo=dN^h98@mc6HUpMCxyWJa9o#NN|T&IneN4xeN>t5cMPobTt>k47s
zT*%?*LWN%6#eT+MZ4g@<;zMp9WQ`M`qCaVzz@8v+AGrAE$<Fo%7yh*lMiRIA&bYP5
zG?Cu2AWow+Qj#f#F2{O-L+Sc8OBirNz|uqnzz1D`ExY}?@X*m%`nLvn)r+<Z)a<0?
z({>Twr#w|=?SrL0_ajFMm{k;B)9dGVxv>Rop=CzIv`P1n4#sWrt-6~2xOGs8$7~94
zK0hjtBZSYtPVkvUHhUs7y1Nstt@WBD%j7}c78h`U4E0=^9xee%+Y9?6N-CC@f0-zd
zn=I9TY_fT2Fu2Q5zGdAAHV|V0$8XJkXiO@<dfCrv(_)X@@;8_ul%WFo5kZvAQ}Tv@
zDVJ>6y7b#bJ@dLekfAcso9{Ov^s$0%{9(LjT!>6Tx-;pQhD<Zqkj~ohUMUtJ;KDYx
z^cFU0XHyX6giSjZu|F(9MwXGZAVuKvgy2=|=!cL|c0!bGGRl3TGkiTsa&pIHRre0P
zBzIvC1(?M4Wt5?=C<K|W@$r%y+HlcmR81r#t|fATfTqN08oQN0I=>ko?Ktm2h{!GE
zee%a3Vy^IJsUhqq+WU0>$O4P&t?7)LZZkuJk1-C7-B~kABLj4I7dT9UPhZreoZ~n(
zJvRwp0FIPMAH%ggl?iR>^Zjt0DV-f#O{sVfw%A{Kw`j*>IrQ6m^h(UT!;n634e6!k
zVj%HqmaV%UKs9&TO}(|d9ttX0CKb=L&f_g&Yi-NwkHoRARCCcr1(E~%0lyJvL7_IK
zoF;X!2bg}ypSW0kV5w`gEp7TDD;u6+f<-a9PR!)b>%*@`|D(GfEC^@7jPjrA@uVJz
zTeq(Q*1)42pT29bG&_3q-ui98(E~-IaaQa^q6J$lDmXUD#XFVHYY#0ot@J7{j-n8p
zp(yK&dDch`J(QOBBo{6cto_?PBrY4z9<BMiP_)+8WDU;ezJ%nK>J-`Qe;tUXLvtjQ
zTdXx#)<p9Zl;R{RWHlo}w6fwmd6N82li5<RJoDlr(x2|N{3?|Wx6J|<R5;5EUq380
z8<^m)xNYE5fjK5rF+6^#c$!S@C=UHW4M1>&pQ8eNwV@dx_{0%wu1jDnxi_`6^EHhS
z+afmk00*EXOJm;&Q*3__A%YC{cp7cA3j2MnC)RE;+c!^LDQg~CV-0Ktw@(q;mzI+r
zxH9zk!o+%8ll+x<ovqGVj`lAgS4~YTRHona3S^m#u&sWFjdp|L=sNyEw3_5~m?OC@
z8fQ#izyjO7+Zzq4|465t74TpFuy3WpZ8_c?W$Re334<)txfZ85Qo$0a2D)6n_k#Rd
z5{vlUAPJ?lR(WZq83emZB1DjqyP;~UU8C_IY<XrGTVuuNnFP$seJ6xZD5M<IQF!Yf
zDlLL%%dEXV?Cl3O|7qnGjsReLVrbG#+TF>z^md1t)owOOMC=2Hh6=iTd}^bV6EQNU
zD5HcBXqqZp^p+C}fcpJz5qBN3JB^w|LeAgJPwh(uE)7GPkk&a~S|vZUz~Nq^Ywo^_
zZX`>bANBGcR3qP4wtu^?Xnb|Le>b!l3Cr5$-<=N%1^ALwd%S^b?vLTCaifNc;etOI
zqSPB&w+s>(r6?7w8#Y<}=2}j4=UULldQTw6L10*`j>=?k1WD6##c_Q&f`oTCI(*vK
z@|&@K;mmCa08O~Kt%z#vW*DR;-4$~yIZNV@ue+;lIsg{FnH8fap<5{}QYitLRKWX<
zxlCz+%~MN0ui;x}wf7i8=T1NL&oWbwj)1;hR0nOIN_Wc<+D}Z_U&oHtX8JT26BO8M
zSYuF!Oz|r$L#t8ca<&cKTkJI>C@2#0mXVv&o_>}ioG*))-@h7;%|*0wAf_2VO3dmi
z{I`U)Ax#PlVNxpLT<p1%gi|I2XTjMVnT=G*>FnTJops)BS29yIQk}41fwMY4m_sV1
zUwY$WxK3HXa=oGB3$&W<-cJ>4Hv~FY`Y{{#UTcygyx{e{_Nxu`s#mY3Bmf=js>lne
z=30^QUZ$+JMw2Ad@SV*^TRtw*mE!<G7$0P~xZ}I{N><H(;t)G4jkYjgxEGn`<Zn6j
z1BY-GQft^%)?ba>SRo~Pe-5FS%)U8vt2;0G1VK4|7~{AhY2n|VV-T(1Y<*>7{lVj{
z_h730erF)E=`3o;10(9lKG$sFTKhA#1xgClNsm}9^1BfK%A4E;Z{){*s&G2{GG%*H
z!s|bxn~UI^B*E-lN=<U4y!q-*w@GA@AbR|^^BFFqo<wW@ZcO@=RmXm(*thHJ;s2Jb
zCcfDxV(2yU<=?~A-j}ypjyA@sy65jjn|#i5%cP$vTg-_Tbt*ErhVCv3;Zg`xEt}7C
zi<kBUINT24@u4XC90Np*0S_~;>`ZLBey%c2cYz~^+jPg5qL8f<(GZa7lB`?iM%IbG
za!uB*io&k-OBzNLIQ42X@kHMyf4txWi2^6vc*G%C3ee$~|05kf`Y$yzs0tCEDt%39
z_!-M1K)zjX$p{9@!3Vy|L8;=7L@QyS1FNXdx{}!`l&m(J4A{`l&|KV7@WD}-spJ+Y
zPzF%bQ9n@RT{@m{>q{m@9Zk|0jegRT|3}+fheh?aU7*Y`z|h^@4I&^N(t?uG4I&_o
zfOI!fQlgZSQbVH%3@HdmN_PuGcY8MI?|Z-Zt8@N2f9~t@5_t9<Ypr|T&!&rHljn-`
z)W(y0SELKUPh=R@5Y?2!L&+x#U?)gch2nV!OGD9_THw_#LSJ9@r@p*Dz2<u<{yn{p
zf4*^dD}!Hb*Z=FO+S%^(7uB$2oko5eVS(rXB*&T0p!iz54}AydglcuACrYu9n%1pF
zf)M?aaWtgIdraWQAGxJUzv#A@JE1<x!}xtpuZRYfe=S<)Ko{J}*(`Rr;>8=1(xl5|
zXprUmW>>wIlSVIwA_aF)YUId7t;Z}Pqd7n#!NRq=+14Gp#Y!!Z>NATk!pU0+kQ&XI
z`E}m+4_dmiU*nThjQdqZt?MrZovi(M{}K9tpI=M+d4~^e+w7}Z#sX~0o4N&ulUE|Y
z%fC{{9KR4;ygEOuFki-X6-AXH1<kSi9JCq^7)Uhz{dw<=@_eaqk{gZx+mrVbO)Rq%
zGDb~RuDU|~b2yiTao=6AJkdZT<1UHa&cFETVv9#!qOE#QD1yo`NTwON&T40E?C+UD
zJeSi)!6Ya(AY5i~5WX`ta1Ks7NUy;Loa&vT`gAQz7x`U6<zo8x+6!<<uBs{_c9mez
z$~eZ;SuIwltAh&vQiFU7akj?A#4QN|ML}~Ej25-Fo2hbRu@8ZJCtW)O;;bFx?fc7$
z#(W8{A^9QmG^nwZ5=8gGQ_>d*4De8-FJsHJ_&X=*n@@or75IJAjK3s4X`yMEcYc0S
z`uOQ+h<NeBo-gG5NIc8}EkSW55f^f{iQ+WQTymU?-#de8!>alg70~HPUC6{70lSVd
ztgXWVJeAuO*K**L7Wn`J;lM`t5_87yv`Kw^tifVxp0r=K-de2qLYjdPf?GX`f?JJ-
zvlB8t@A;kex9Mp|d&P&`Rkx+6SL?LXX2-AQ+Y(opM5vJ?ksb!tqZ8|EGX`E2?=NsG
z%$KTT*ieca5mE@im|uBaZu(U?9Gi&5fp&pI6CI=EWXo~);Hp>{pQJHEJjYvzwbsGZ
zBN}{1E}@5t?<{n8&N)vov2^3+A*{H0217)LqKT$!2@S<EBv*4I4Lkz&#)>=RJJ=EC
zh>vo>|GSQ7)(U$$X4$I%rGqO#y~MJG{F|Enx2~QFeZH={P_JGq!=v|f=VlW=V5hVH
z^(6BFzD}tD>JM6fh<DSV+TO_psqamvXX~c{@-8$w44YA+oIsseMYayl_lo*1;a~$D
zB@2mGy1;R(dqrP%saA&kG9Z@t2V__;b|fN%B=yT^W672cq{Up%BAmxFznJI>-87mU
z%_$=f??lDzUA^?{TxsT&Kx1crq2_CDj$+<f<!*7alyBPJr*A5=zofDEqjA+@s;$$s
zeM`i2c(iT&Wm=S477Miq7OZ(}nl)QBL45G0nHv-y?;Ft{o+WY7lC&)vwXt%{u_DMh
z{BVnYI}zog=rls6&B-vIYjhn>`vMjD0*(@fvD%~%OQfU*hiJhwLg%ctZNfZ4>(K>k
zCXcoy4iGWuYV6)0m52rp+67_|dQPP|fn$@EZNaA2K7nQL9|j6#>2sTDNZUO>G9#C3
znT75>fa?c&q$P6Ga}>NaI=-T}qrbi)7TH-tIzT-4IB=rG^e>sk$K<~3=>3*Q4M#F0
z*(F)FT2hu7731jk>S@WQ#A!`5E=+zz_WU&xra$@n&`~})q;o510cOcktSK*y_PwA3
zXyDWrUpbYHJubPl^f4Plq|Nu683FU`?dcSi9P@S`^Ir@2!4-9QS7#%lWKxTaU5cY0
zopc^Pd&b1XOdYI?cC=q<eOAFYsP4R$l$3<5R^zmq1bb}uMNt${f`Uh=rQrMW*GpdU
zGJ6FqwCV^I)n}8Yw7K_MlYqZ2zKQ{aQd64H;SKozV7+GQFXu(Nb1#L_zcH-vk^P+U
z!Ey4fGLWL+`&JfM_nXs6I%X|C`g;C)ormnGAK_nV<9P}<JFCF$Xf$u158oE^*G(zG
zGsG`Y&EhV2k|BW8Z2DCh3ue@8VuY8}x%*j7>S?AdLoW#o-(*^o%wuZ?b+`F6RZTL}
zj46kkNxZee*S0+2)yP`x-r{eC9_<8HeOjk!nyRX*oOZ3URkwhkii&%5m{-rA7|L)j
zZs=8+rN%jt^aXu6v{oJpl+4Gxmy=XcVTWI2^y!VwG;sZ>u^l4?i8#31X>Y=7vG3Ps
z3uo(y7ge9qRIS=fOJ36Ad~$n*)iG<V(66E@jJbk~yG#EkU1Lo?Yoqjh+xNoVDY}2p
z0v!yL$c}rZ$?RZ(flFMfX9n=uluCn^kAY*3YZVf5ffC^1YY=R}ZY%M7Nn$69m5IYi
zc!H_Ve%)6=k}HK29t>lJ4NRw+3-^Wb+zQ@@+cPbu`V1Xq>X#&JROCBJesqg$TS6KU
z15xw|Ey446f#0i*<@_a7GTGa`mdAS$U5~Q;fHgYZprhUmz_iLB>~}%b$g!nJ!mcSt
zGDyO11o1xlh2mgXAJW(N_}9djSoW+kuA|YKbM-oV5n-PbtfQ^b&caV>Qt4QLP8!^s
z#`|!+eB1Y61ES-TrvRQZJ9XAS)twC3@P1lgK5-2lJYAe|s+1sk09=u$E!(<<Ja~yk
zs&(INeTlKyTVFmwQAepEmu6*zS{x|;D|~Qh!?N$n5Vd$kRq)yf;&kJ-JnXG%N>8tD
zSbtDi-?5laif3u<g`Es{1c^^7k=U%fJw4_+yLfL@S?VT}6hRX%go;Cw8xnyP+A$jt
zx!8%RBP%Bd*^;WjMZGy?{`C3mQE0UasUItb{rJruweJI$QjU4k4khW5qfnoP1xe5A
z*v1F&^!mqp(T3o$-=B33AB_#?TXa1C{!vow@|}H~@hid5#a(|SIXxfX?vY<dZiXVf
z2}nF-$Pat3tv1j{uSs&lg6IOTP=ixXdxnKL)uj;<I6w6I{?=~6_F#7_y*;~3cRhYi
zh)tFY=zR<qhK+vgy;3xMXB^PRP2l*tASb>Ys4V4|#q9aRz|rGr_h+1JG+F{u1uKY|
zqZ%wFwO#>jMS~s`+JSmz$h0LS(ebfS%_q?#4CY-?^iS-h+VV=*9fZ7IoRON4$BoA(
zKl(IM1fw%VJ^P&!e=d{Ki|i+J#1q4dmHCz^APJ`9>gG}Ojr+YXkbmwRTUJ_hcGhbV
zI8`UH1Yp3g4hW6<KVxCSP0;0INK#O0p5b+T(+T`!y0Rm5vN?jSnyoSLJr#>6Q(5Z9
zhT-RzS{|dOcPQIp=b}sLVs?CTifO?~g{soK&0j7{L`Oj-5}J%4hYFw1rI#fgG7U5-
zwqzbs;3GfbQ$zdsFt(gpG;8}#DX^#UMOUZYr|#TwvO_1{gI~0yu!3P<?`uhk+xDD2
zgKiTwuD|4$O11K+XU^~I!~SDLgD{tA6$u702gJHRBYfTGm3B%BiN28I3|<z211As9
zqaZ+lcsR;28k8qBxrnb#nJMZKwli=<gdi7OGgeZX_*gu08wZz9yLbk-)7Lw-bW05|
zv<m%r!V#k-xU{k4yy4#wPx><tkD175Xn3IB<B`F0jNc#aDF@W%c(#3JS8wuuQW^Ik
zUW&_q2|lPG-2hrRjuNQR|G6V^P!fxcEAkAveA^DU$5`YqxFU1fbADno*qEA8?{_RY
zQRfY#>I!^?XXZkUh)uEnCSDA-REAp>3oDe$2cp2o3?gf*rT?^*?Kvc?R_3uFC>{6(
z#Pj|9&n8PkSr9iRRVB#@w4%YE@|8W(@%u3|C%Un>ypVE}o^VEV>xK1I_<9MA_+;ko
zKbf5rtBD3WeS?3gF+%5TW%<!k;MUnw%I>}%KfU(sz*OO~a~;nTCj9AUK~JQsW8IIr
z$X~4ECHJ0vRsD!9JMTm2u`|Ont<`MA<tyS|PWIbs1oiCKvW9DxPT(lbr^LY28rnV@
z9>mRy#lVd@0OWWj6CZGm6&y*ne+v0jVKKv^!&1EYkVf0tQ!?1sJ4>b#xtsBz8x8Dx
z99)lha|?p4${{r?+BCaOVhTnHCJk;HMD1_JbIGWY(HgOzysyEF@q>F1Kh6+P#i|cD
zVE5daoU?fAnZ-<FlfV2IaCQFLU+!8M1^LMhl)EG5a4Z!9z+o69SlziLOgYzDdU64K
zL(s~(U>WLDA#W&f<L^^Egbv}QJFqO`xxbo~@W%Bq7jWrFm$PEXSFCJ|%!^L0B6WII
zaqIq>jSAOe*P-TVM>`}-g;-*V!G=}s`yUg}1~h;dqE3x65*Et{=V1!_@aX6V2GQVs
z$hf?A<>$ELZx|RhnauA|;Qc2^hC(4oPU6*f)xYmo>;1^UulNfN{?%XylK06v6IKPP
zE8|$obKLFG^9+fL>TvxhL+!-`u_ft~&Ii&Qcre)T!=776mrNqwyksr`7SV;Zw<RKO
zaRq|1oy1-qC?0ktLlbXp0X#llg6R4jonm&7m(Jh>!}i6;p%$eJzecy&wQ&Y+h&z|!
zgImLRKDN{HEe*mM<QdF{gg85!T1rc~JdbPVmYOY|K1F{k;3AqF&BJYQVn5KIkea$a
z+c--|{UN;~puz2&VWMImZPFX)1JCbB5bCt)mk_cA9MIgFh7P1s@BQ#47F&*0C(iHV
z1^4f0UH{YTere5(Z^CD>Ginf%=8w&9?Z>{PRrT!ATajx@C@wG8w<ukGhNsM69alWu
zI%Jbw%nqNDgENaItfHr%sxp$3k{G?KQV3YouCa8`WwiMtm~sR;R61aoBtJ-F@Dq0k
zTC2G#lRWd7vutZ|7<l|&b=!PV%cI(0^}^5*RcMkTBJiK)kl*JI1>S-TwmHYO2le?e
zCZ<r--79pJEh}c^Dz|K^9B%lHtX}M!JhRrb|Gp#EQ3QmX%Fq&Qs)F6olTOz{IZ#Sc
z0sN)+8!HIpT5jWEz7#2`lO><nBmEQMxnRhfSG~fWu+#+|%trw-Mw%yMXFclM{n2<d
z8cK+#k4f?LgqT5bTdpVCOG*$QNJfMI<SE4NC<4jp%G>=~@3XTx-DLt$jl(hn>?2m^
zd4j2fS;tWh;lv{aej@12#$O=C+9jati=&7Jcc&1$@p5#hdVAz??78HP_*Y}LyciE^
zZw4$~Ymc(leqY~kz9tit>t_uj?)Aqz#fO>v2tLU)C^^vEN_>Yui25~x@^OGRbq7@U
z55$Y;oJyXvmIiTidYr+~U@DTr3N(p|l6VUxq>aXDrDO35TrZh(GNr89liAGs4O{Oo
z+J4{QXX!mlK$-Y0`4*|Nl2~31rupq0KC-a=5V?buFJE9IDN=2oTmXFIKH$ee&*A0$
z@+vgm>@YPu|6_PIXBtemmNQd2v@x$)t5CH?_(MOVB94mw5<;ijPARhG^gB*GM(_l}
zH483nWMoBlJ{O^0(8pa|r*wS?Pe%b(oQ_^m6ok=%8=n->D}8WGOEfk16wiJ%Un&hM
zTW3F>2DohHoSy9vLXu5aV*C)ohlEn&Z(G5YhyqU~k09ok{RheS+DDqpM+REnA$br}
z%oAnKt@~Q62X?5;yQzy|rd4BnFYy)~N5w2|5x$zs68q^&t2nN&B+6qZIRLn6@0KFv
zQD4x3$5y0Ni^W@0KM`SvG5&}Nc+|w_(%jGV(SpG}tYcbtH^iajbeP3_W*NHYdhMNo
z+S|8&hwpvd0zgwzllpFLFNHVgm{@7?=bR^v+{&vRrk$LPJbjq(2j2)OlCY^GrJ^%T
zZ<wxb%NsmUdaQE=l<dLl^mXn2z;2r5(|H(Vi6~O?`G65LU!^nBCkX~Mu}eXVk<ff3
z4cxaxPM76f8)tUn{Kz=yM7PB6@u}pUh(Tsv`G6Vj_4V}&=J&~2si4D%@}y-hplGWI
zWWq4d-LjBLNa*6Z)ZLnKR))NA^bA@kvv1>p42TE8&C+z=s)Z7*^#^QRp1IeD15$D>
z#p#C}y5(SE$o@7UoY5^Sho@^D7_XJs9)7T&bZsLnpI(?fox><<o~qrH-WbkbT=)=D
zJYETTicYdd0!S859iuR+EW4c&TD(>SBs89dMA*rMtkte$Efl0<g{_0{QZ*QCU>yO$
z^v~P|)j6Vq<~*O*2FioV(uYE<@IbEsjo|7z$`scF_OgoJ$C=$Q^5jNC)bnGWSKg_F
z1C37_gpy<QHi#cPLXhhi1IJ<83DZ+_Ko)vkd&Vr}6lj+`7_7V=S)!zkBBWwSW>$Qz
z!;+vbCznSypYmDDt?uQ{j6UB^LBP;ZevZlPbeKfjwb?UTAjcX#HO76vo+yRPwqxhP
z8>l-U4=@07MNc$T$4*P<nCuwSOF*XE@VvXQ{%p94#OtTbH^YtY-1@WoRjGd{v$HIy
z3}1$)e|LWi6VJFxfXlcUDUMof(?VrP07l<39l9xaRaQrOUQ1zajTk4C2l$1)qh4MA
zUl?ljU1!0)azSWMXCDjbIe$fjDG7qgI|>4bHCy=L3cHs>7}JTSoa*jsz}fhGHnT<F
zx1aV`*ZR_9mp*yVa)ATT4<zwg5NWtHwcf3ia1&FhR4#JtCp6w<G`<z+$-JbT&E!c?
zvG0kQncR_2cw0^pI_>>Zb?rCTJ~cL-ZgNQY75I1kVX)HReN}N+k!g1>zRX;YqGVHN
zT54@~F3J5lWknj`A+fe`|NDz;n@~y&n^?RyUpYF+U6p=_;r{jY)n?oB`C|zUCJY-1
zHQ3Cblzs>*!>VNjkz9#d2tS~}12^vXy#U34rvk(ANfaPPQAkdQ?}_QAYroipZFj?n
ziy8`nb}M02Q5Tx^Y7JK(b7LJ=;fRWOi3e)*r-saj7kDkFMI2iKY~p9Bh9S`aL40*$
zVxsf*reOE??<C?wCPDC<DeR535eG8r2?#?V^zAL``T02eNAiaNM%9h_zCK$?E4|TW
zExwdMam_$a@n~P~jFx~t#s6ACa|6eq^nHpD8N6F%4lfTd?RCR=#Ipu|-o41fqaNxz
zkVs54*rP5+0O&W2;g-1|`hPkPwhfuNxm-)ipGs9_{60o!BJRo{sMu#y&VRNY#ZHBW
za*wWKjDu14tD`cQYSLXf&N7f2tX!J^E=Dd~HeH!Hzi9L2Z&=p>w++j<lU$Uuu+Pv{
z$&woNW9`YsXL4<&7Tb+3%3F`rzJk+2;p$>Mn0`9ZGhXkr0X)fNP($XnIU!FKCsk^S
z%&MB#Ez2)1ZiF|m)&hv<s{&Yb;K)E9yafjut1zyTTJ{p}*B4>p6!a@)zAGb!zP9=?
z;xFiz%iLCm41LM<d;e6C&maDOKNE^SpgEyrw%ME3-mpnG?vN~!!<eXe4j)rKI{eaY
zcQeIa>B*O0NhS;hY;x!UJ-HQhzRbsRokUtJ{Me?wec>s~Lb99tm=8x)I=;k<|3*rN
zkx~zy+sgRl&6dbqw$jL*DaV*RGOnz31i8+G;ur8InilWb8z-~r0EK94^w=_%qSmbM
zmzta^i|+}a{oKLJJ;-u;Boc!e=UokMv8;Vyr5&#UPf%nGZA^*x^^W1?wo6pxe%1(F
zMFu=D+Wirbp+ZE16!f9zk<w70u!K?s6K#5spO1!h9j4!DR^C}AUy%PPkmN5E0ae1i
z!`WVd?q9+!HY3+-;0xM7b_#Jy*ZsFr;PAa{Kjp)t({R_?j>BKkF7H=9uUu=Xp0Orm
zrYtjVa%r(sSlE3#BQ6+Tr|e83RJ;7C)=v-IzeRLk)VPmz=?TMF9xg0ODC(_y@6xQR
zP|byW;{<^QZ%K&bcy{F58fJ_)yQM8P4my4dU$V|+$D*@r{zO;fYHHQqtsaph4LbAa
zBzXJ4k6@r3_c9#n90p`G8>g#Y*%SRy%b&a}Lr{9BRmSYOC6!)-6%9;sr+mivxuxE2
zgSoS3wf+Ka*eEp$P;*HJykH<vK7`YSH5e=SyD#qh7G$vzpwwg)>h2)@RrYkkrxF3t
zjhc^&5*zwY7jckohhj2<%jE*=&wpSfY)={0w0Zp1un!P4JbH#QkWbraf>y@dNf(iU
zhcBMT8Ijrr6&dlN;(>4(D*mJ%hUZ<@U}0j0@JeQbh&el2KaH@OcXYp6@a*BkjpGs^
z$A?M)AW~7Eult2VPccodKYctP)N<0EACZ_Ej4{L;bbE4AdjSs$V+Y?@Zz-}PTaKU%
z^bkJ?5BTNK1tIJ|x9=a6V8*ZWAIl}O<s6GQxuWSAb$MH&pw!&|83)nZLqsl4*hoY7
zzVVl!0D=TEg@PU#zBBWko*ZaDzV?y0juEbtvzY~`$*0cdVa!J}mhzN();!>KEgp=I
z3-+|anqfzFx(CCS5T`0_%8rZVUbVK>8qSYhnoXjSLX%5;^2gB=S*+%3xVa2i5<63K
zl}MC%Unc(~8!1W+g|KL)f5tsWjHfUYLdUsAbTJP{ev(0q)#j^B%vc(;`#?#Z2t&H*
zKaLl;zH|nt@eL+L9?&#$$ak7?V=sDrBu&zM@4Xghi1(#y(dG60%A>z6MNtV19T-FJ
z(c(iN-ZC@U1esYLMtH-Xr(}{pw`EUOb%jg6N2Te%4uvfzWzo$TVBF;hB8rv23{A8W
zv?+_j0+cT4W}tNW_mYxPumZiKXvnwuP2#+7>-t4fqUpF+GB2_imM@vbi{x%yY7?>a
z$oo;Jsuz*bQK3a|E!^(s6<R?9(j_-+*+~~xf}X-Z>SecqSi~PJJd7;UW@)MRjj_(?
z4c7AEX^F@5KmL)Y8A+E?V<=kAltSp4Y?i^XAiJz^PesCiNWG8JGsZXj;rzIYsyK=r
zE2}dr*}=huOY0S}da2&rmCNy__UuD1LPwbh)iU>9GZx_R^y2RhkMFMLUKysRMT@VQ
zx5`4#SAyghc3yGNmO|z*8)=Zc`hHmN{fQ&%|22+wZH-AO>dF~U8C|X)DqZa-kO3ng
zteExNszNl_@QMr=Q8YEl_A>oPMHz;+s>!u{y=zLXp|?%R<Uq~fpSuA5bAt*aPMsOw
zQZ1S;W*~~<*wSiB9oL+qWD(&L<3v-X5=OHP7QQbPk#(v)tN>Kof@0Q>x(tp_qypr%
zB_&2D2un605e#yD246LZi##Hx2+MTf<yIG6EN>C@{?+fKcd*$c8ec?3qKnJ**`|_4
zEFAe(A2q!bSQOP0e~$dB4FX8%q<z0hFi5y;yi3t>Y(7}7KPc$6e0YmiP=m~xS<5Or
zBx;A}MGA2W+JMRze1EW9kmrDmNTOT<{oIXP5JVm>jtWV$!(@yv&u3w4_q-eGK_CCG
zHTgF9!U{wI#kioWr<wbEg~O;x<uysuPKfKMN^e~$75vdmLNeh!Gxl5g_@{Jf2Kqm6
z#(<?Alk*{jO8%}0-TQAvsI;OZ_KG0L@oD<U;++@ha@t|{mO=t4&yV>C2(j?#EY@f&
zM=ewiL>=bNjt?&OThZQ0>jmAD<;e$kAa4WHMJ0_ZIS3vo;;vtV7y+p=C(?Zd4b;eU
z7?S1FFHbYuF7MCvkOp|V>|c#l(?KXQ7N|?xh2pI-g6SiXoCse)HH)ULR&+^e2CRoa
zDji89yp*p!0z2JHg>(RQl+<IIK!4BfedUDu;D3~#5E@NS28IQSKinCZBkJTtyH`mg
z!Awcm8tQRY#+zm;DzMJ2f<B6E{yKkT2#sfBqO6wNlcpr}iXod1SjfrPSw$+RZR(?$
zii3I*g08ZTR)Koo{MIbG37EXv^3LhhhKn17l{OtS#GfoVxZC}Omty}1ynJTV<T{u)
zJ?lz)c&JSCg#b%9_@4$bhHtQ{pufkd8x9(0_y>o%ZzssN<AFwQLq2`S6A48_ni5G*
z@23uA@1mC2ahg)r-yvdV3^mczaIvnYvI|ulT3OrE?NIvu4N@3?OpFVF?<yieh2!z~
z_=)QIuG(y-k|fHhTqx@U*&(tKxNRFFg+IeBu<)fJREkJ&RzG%t)AF*swcrI5)Tx+y
z?K1j!9eO*brtaJ(Ps3RXU;r}}AkaqrfAqa7qhm6gA%w}7c%Te^*faW%*R+)Yz|3li
zma!jy1rAlGz;}x{y|-ZQmLNJ^G-2}qRlIdE+*&^#$pk)Tx%CXQ8<zCTaQ?x8oy0ef
z+QHA3$VKxt;WINQqnC8oW^sQ?2AT7VYcdiN)F1C_L&bJ%pnQB*IdV~N@W}Ov?%y9?
zocU7iytsrS?CC7!TmL+4%Iq~g@FOju3#WO!M~zUMTxHTQptmf#P7y0f1$5TuzFjha
z>^1x^X?T;1|Mq{aY5!k(W2qKp4k$4q3?C#X4GhlLgl79u)1$ysbV2PST#7(|_R@RQ
z0F!KuGj1oU^I9s4X^NuxQWk+7byG)Pk$obj-^ncBG^9D(8Bj9}q?!j0<v*X!DX7!e
zeVob(un=;Z3$3;uXu*~8$HgS+4|y--bjBSKb&CLL!DkX1F}33;HS!GY9{?d)`f<L^
zmzThdw+&FCR)kS!fcuitcGkK|-Me%3^Ja{3yxfGOf(*I<0DVFm>kLd3@MYe{Lqq>1
zg)sY%+#h&2in{98!@`;s4vYqThxuA5p}(RSG^7#Oz}SM_xa)jUc!-kI18VafyS(^S
zhfMOG+voJ<TPQr|&cT$$VBHEMe_Z*x`cLlO9#4N9sy#LS0_GiboB(JTagjwP*DXy%
ziQXwgK6mF8;^LC^*U$MCCwhhc?gS>uO_7#;DZTT{xSZI;M5@mI270t}d|ysZu5GkL
ze=h*e+R`d}Nq;@e%tmgEQLJ5tb9z&fxRCgOfXAc(s*=hRnBPnC8Qs4I1t0ndvgb3L
z<`FP2#Q6<{RkGGDwq#`=5ZDIud}OoZ95R}yPgtoAA9X=a>2p>_{Kh`WKgXA*`N6Qd
z<Jz73^&I`D=wEb*|KGEO<w_wL8gZ6Y|031!{&VDL8^Ix$SK)VHac7MO524pL;%yn`
zDf(&dp6UZz#L{fVWudHVhJ2tu^M`cNk&*jmH-qlaqrDrjF#RR4r6b7({z`?|iI_-V
zzYE@`QR#OESlZV8;uIrpuOBOoAM92?Pa}83rpbG<{kolQ_J9ur{O6~U$(5jG8q4W3
z!6?sB#<}B0e^0OLv(64!j%GfG^CP@2)$4<o!mca#G9+H10@F{(ki7;Qp%!W}2E!CE
z3zts6UoUN7zyVD4P|8i=JML41{&FoNKyp2!@mujJa5H+u#(0(Jb2RL-X~yCCNLppr
zN$GmxFF}f4DvZHzK@4}UK+Gr($dL4Sc%sD{-e%A}UjEYv*ns)>e{BS9PNQd4OW8UP
zjm!X=cjI<Z@NnrOB;m}md=EJCo%MmzFs?OQKxAE5d^ecm#XU*IxfZ$}`Xi^U?MH)j
zygJ@l^@5PPQDx)xe{_p&+L#Fjh8Bw3fEzojI67#bdcc274}Y$H;7GnQ{&gn3lIoA_
zN(Y}??ayA7kg~;G#1HeWQkO0X@7OtJ+~@dec7p-M#3byfCNy6yUUddW0JR#wJKjC8
z#X&~HBCzzkkiZ1E>_6Fv3uI$@41W`Aj+~Sfcq%UBebh&zPm(1&i=1A*_AMcJh9$3m
z=3S*{`*)|9wU9uPeW!-$9suLt?p)@IDHHYs8?lwt2i<>iQyPFy|1~$!;cPjhVcjF?
zN7#5ogWm5{pDgR&hF2#Ji2K@r^+&%Zd80jv#;m5i{$5Ej9wWd)?i>feXvlqaK{^)?
z6o0F3eS3#PG+3oTgs_YPYBJZ5o2hX(>{8g=7XP4^;K@4T#niQ95w&S&7oN#ZlqaAr
zmppeM6FR|6Oe<^<#~~+A^AmnUfI-TGr9$G5hJry9xX6gszB}!oRJBKV+jgXZw)67g
z_{$fGw2SQA&ucd?mA^C276_Eeta5v31~grLS{doRhPqD!BC!GzFyD#S<h_GK8f}UQ
zLX;YVZZlB^ytX?6b}z;MtLj-kN)0*b{SSI>c}9{zy)4blpzGpWpoSdDCH@K;6BDP<
z@3F`Nd@!m|o2ZHDd5z^P;nAySqd$ZK9K=$-1)CPycX|9^{HFyAN`+T2F)ZlZ0tvlk
zfC`L7TKI7RL7T?>Zl?tE+?|${i(AHD|Ko<Qu||GO8>8Q{_S{vZcH<1;{^mvHi_y({
z`y;kXNE_2Iw7d-AauGcX<*t@K7)c~}D(&(#cx8p@N7dWgLEIQ);CvF&%GdnfBAs_;
z>+9TZHE&0YcR88ky>UbfjtmPX)%u)q!OD`emc#}GY~XIooX9WL;s?J}O@eEq|EPL<
z|3i^RhaXStgukU=UU9vwW0K9hEa}<561U~h4F)OV4c-Yt_{v<i$(`b5LOL0EgZ<Ps
z-*|Pny=T!@i_=mMOB>EvgcgDU@@hPYEzpYe4|y$XZE3ZaYeBxnCY9k-fO7-C^Fogy
zaGX~~U{;s(03oTWXApW-B{$;dzW)uTdy7HvE6i@{)ho>CfpICAHl7k$Uq4+Exxm>|
zxbdQga&Tq-$0G0r;law6l%GAe->Hc_mIjdH<t=i=MiueqewUeo{HcpKQaiuED0I8z
zq;0fs%d8l+9^EGG^(5UXcM;CwqdLGSl+S(7a1MH4BhpbPfTt|}22J@^f*B9pZM;VB
zvTq&VQTPL>Bhmg1Q1@_#S#ikA0_{wD_NzBD<(pTT!AFO>Pd9p?i>Ku{qdCuv_(ak@
z{q2E?E7dJo0W{)2Vo03olaN2j^#nZi*YI|q1W~}$f^VL+d~VjtJ8-r)Ec91A=H_Lj
zy2S6fJGiwsb2Ud(Q<&#g5)3oiv<C<tNj<}mt15+`#z6hqSqiBYY}`kz9xo@fGSb~N
zU!s`X<JeDK@l%P{(8ke9VWbU@e6V@O)X}LOE?Pepf<|itUJOn+84vw&&%5v5m@F6}
z3&9IQ0+db~?21bZ7tZmI9+)<_UHkIk6G3xmm;~fUzYiNSOa(VF-;(2?2stjIN+znS
z4kiIz5lf^(BZzAYpA-}CNEXrhs|-o}`=K$0$%&WL3uj0@D=Uah-HQPm&?w3~W&_#A
zma`i1isZ0nPOs8HS_RI-u`I*Fb?KaI8eCe}>6DAZTD35~$YXZM@-Gt_nYbPV-&y3Y
zk1f`@j=ZTYyV;cWzy8psMsd)Kn|9+Je03okmMyT7M$2=3916^z8~sZ)nn>KX54dJ7
zVG6fpS4l-B>@c7ZJ<Fy#$9b_$oufe@ncENtgNO~OP&GT0j}|8)FHiQyrc>Y_`FO}I
zr`nbKMSb7{>Kjysz+urk*c{rl&hBW>H@CFgfKrL<E+p@^lmxkb-}umBnf++{+0Q7_
zDRN}p?=DpVW$Q(%JiiW*{`ixI0L$8c(hI!u5=fed{AL<Fg|=?K|Be-D<HfMC?Kq1X
zu?+DfRlVYS#g!A7N}Kg3eqIc5_*L&b9`-sjpK|g?ubLu($BJfj2b)HG4gB%`@AMvM
ziWYlj_;M|)f0FP04Rt7ujXvY+<5hrH`QI|B0eSz~0S$jHxj#><v8FH>ZB%646GYeI
z%{N@Yu%)5FRYD~{IXPM3)vIuJJAC(h|NGLo=YUKBNIJw_#Gvy1iI)#Y+BU;YAFyOS
zbZ`I#?#=S|s6w;t6$qf-zXCEoU(5^rC&vn(ddG~u<WtW)I3_x!)&)1=qeStMf<mj7
z9+&qL+<AYvU2X~Pzu}?-CG(M;SF+n@9Pf-rd>Y>DsbJdF!=^B?r+=m(7^Se*aE)32
zDc=Cg#feu)t$JH{{4IL)qqcVtFr5)x<~q|JkK_~j7i(I!k$;aD)N(7cV3wYK%ioxP
z2tf94SSk|{Ko2`H-<DJ9h7lG`kFy-u(T=IsbWp;@OKCZu7D45d4D*yAPfPL8fN!&g
z9<C3xM<ua4i%3x8&`2V&vv*~X@l4z*A!m2Wyc#KXQmIkQ6n9Q+u{QKh%t$XSv9w!l
zj(gAK?U2d+im3x2QU?!(4<g0A(Lonq6DB0J0FJ3$@D}*O^WWTR{3)1H_Gk9Vk#Hpk
zFj_RC$1)HZ>e~?&&3PVa?#l6c=SRlXatd@C%Hu}j=wxVGFD$Eq+yH(NNW}`;u%*;y
zP%w%QyaSTug#$G~cK`@DoROz`nhC%hk}N#szWjg8A>H1ZTSW#k-USb8VzUOKHdbOK
z?Ksj|*RLD)^~}rx`=FOX<JD-yRYMH!*x24TUNuA)7zIPx?Yqq_fG&UbtR*ZapuN^^
zTn`siiVO7dgWG9{%{}MAOOW?vWYCz}u6{Wc99@-03A=`({eU2zcq#X(YPgbVa<G9W
z{*DVp+lD77YTz0TN7NCM0uS)TS?*1I+2~VWOuXS?qDt5;EgF{B&ic{h0Z*k-xue!f
z%W_>B(khI>E<oBM-JT75K4~tyPyZi#@hc}`EJIS}9v7>?z3G+O>6AzJUJX)sKJUvd
z7BDgb%({<5PgEZ_V(!kq;hKsE8w?EE*s#TTy)$8ADwl#rNzo8YD}c)AQBp|&o|=zp
zvHJLLS^5g8(a>O~lei`z<nj8%#8pZc8WGVB@QOw^^vgwHECgU~b2$*Vom{14Ds<r(
zfJLXHVOI_DgsCL-e-IN;!fTIn;rK(PwwOgco;g20XW*FfzGWo+WLQWeeq^RK@zn{}
z{@R^?W#w6~7ujvsTmRGb9(hZ(^n#}h4bybJGMJYN6)zqH??uYo7dVV4Jw8Izuf{o3
zwIJT$x+W^F45>f|=fgTY4yZLhjByvE@s(RWZ^vroFVn@HD_6PIRV4onPIJT)4TB9B
zeC>dKHly8CXaR+D{UL{&)RlO|T2CE+|6yquq=okxPEdYT?zh+c4&i@f`w;{<t>V#2
z3@!N7Mq(ghC^e&@BDq%Cp5!bCcrD*VrdL1T$J2#T32b=OXXFXNzlVv_0H@kT4@E!p
zx;1u>DT5q<uOu%nKIf*d^F;x0bI8_~y|Dik8<yYhlh2;}ALm`hf2RoLe22fk{E<XZ
zIPey$M29!+Bgk*8TpLZ2ieFW@5Q&PwWdD4=-bB#dAKrZZLH=+iBKzj%QvB9pxF>$_
zV(3dXiR=fNFYnPu3e<vk$4c=AzTT?;tI1y&cxVF-B(JV|)m;5lNXkiuF?(Ftov$z4
z7m4#fRdBknKE8H+6UgeV|E2={SnZY;_<jsb75u12s{&{*R#63)n=<~hUFa$?38tww
z4KN-+{c5|=up=Vk(t~CphA4MzJ$Yv|3%D}GUZGwzA7vO_4Jl4Z!`4lMM+(*2cBcbE
z$oUI<{-<|+vAs-Jpjm^3j4zdV(+SMj3M;p=jo4A&0+p6oOPIO@%gYVRy8t@^Bfjk7
z8vs`-Ikv{0JPLgK*(N10m1wW3TI7y_KE>Z<1xkQaju`<1-X@Uj9}c=%x!<@cORIEL
z8!OZXx3v|*L%0meJfFnC>+W%rg1qg4PBf6%YLNw~h~GrS=&T0F@$Z#L3=Rt+l9!C%
zRjL#DS1+V}!(ZO{YicMX81&dZ0lRJP)yxM;hi1cmpIQNAu|n<UtkP8a$Gcj;;S}_j
zYd-=}FxNSf9!Esw2pV{fvWlo?iGrFgJ%rqMa_YlduVZQ7^fq748CC#7smKoRU>V}&
z-qS+sl~R$Hh3&!ehn=2RezE4=3yBtI5yy55z~WkJZ`s9(qDUz*oyE!=uLtRa_<<M1
ztw(q=fQlI_=nj}?V%f&J2!L(~AoJ#i1k+QOwqb^qJJ22@<UiZ&|C18rU{D{jp0$l4
zA59bl2qnN<Au#JGqCa3iot=iF!mnxYJ~(_!!FnrUEn0fBV<<ukxa}Dhuz-xuZOu`d
zPqJpemw!r8Iz^f6nU@LdglH|tVdwadP;l6I{C0y5Yw|?n1e9aULH3<V!35cWS=TMi
zoTZfBVmrF_5Hh`zd{o0(A+`86s`{K`$%^LOf+3&@otS20mou2+T#`w#eayW>Z6jNI
z-b(XY$N%qOX6@g^rxZnu%f~MYH%agx)%|jZWfZJ`NZeE5<ypruKpuGg{n&y<+hXn0
zJHus8*`yupd@Wx|Tqde8?CMu%d6vQM&_SsyKxw5OQyuHOqeQ@Jz#C&EVBkHCY(ES9
zowoyTyRg8Mpv&LbPVn<`rQUoMQu8CU-PS0=uEj~mfnF0MwXDbZkeq=Fb)n^6Sdgc6
zlk;NmLdqyS;iwB6LC3z4Fz`hIy~(Eu5?|}3$&*S8+71f2TsRgod4o70eS7Eg(a`MI
z#IT7{oC96Y6C9|t6cS2?9|o*@!&t+ZLEFHdgI?o`-M;TqXPu0_{E(Ov@PUZV8h&fl
z_QR&H(dJjAQ+J*0Ilu=0Zw~T)JYHcdN$6EFFD>RX2a#QbzVq4M!-@KUcwd9>Z-(|@
zK06`(nGI2^VEy&)DP~AOUweDI1ww%(-H2%u)t+6ROB=KoIU~f&&c_hvABl&7`-*;H
z6!E4xHMyvO8cz4R_6MGFumkL%Xa&3dLpATD)iagFvYyVT$%G(>r;nL_#=$-+vu4@G
zL!FFHmRhIXZw(0@%>SksuO_x#L2aB$OwnjOE6XuR7;+r$tVK;V8IEh8D4OKKpOn<P
zIfX(&1-Ckz>`)S`mb39w@)$3JyA=ZcD*Zi#J#K|N|6f6k7(9hLM~hZJKX$imr1r{B
z<_OH>BJgYw8W|5aecdebOK_svx;~lNpXcH^v7CZJo73-8&ev3#>)J}%Y>`S~7%um$
zh99%3=LGtC&{3AupcyQk7rjjD()LT@Bmv+0B7a{lXju`kq0|&(aWDYpTI>8p#`zDf
zpj7S~nzr_r^9p-<Ur8AHCByE~=iS0G%O^CzAb>IYxKa*KJnstV%D7)fMGf@)uC@aE
z2tqL0;|W$L+;skziJ#*P8|>-((ocyK>RkrW^w(=`uOUYp$5o#tH^*`rjT$|Jc*1XC
z!JQcdK=Zk#hD|Of9?$3QZ#1FuU&gc^1?`bh>tgL}sXvjtZd@?;7`l{-a`A5BCM5u?
ze6tUH`fw&P!Uu0}(|toNun;ij)3r=Du;C96m=1BSO^U+~e(ASx-xmkKt>6QQDnkzQ
zJZ(pH&4Jm*Cu4mWwfSGkkLJHXTl(wO=B?b=!JQv0uDURE7(+Ura|)F%>W-a9;R_cp
zmJRW%d)q=R;HlS`>FQjfnvOWYG?l0h<rgI}AXPm0<=_x`$I5{u<;;|fty~x{)O>uq
z3-wQ8BEIy}aTG(Cc5aYSamkA)FabkW%T_vOXASLG0B*MbiInzDy~;Q`Y>o@csly%i
zX+%<Yb(QtL-=;WSmLWese;D?--AC&QGf0h`FlUtWvHjEN$f$aKSKw6wGP>DB!jQ!U
zsg`6|)8&CU8#%g73d0Jp<bmEp37fcgvkds5fX>)4Na<~2$WIS1RSf+Kur=U|Aa-^M
zrel!}C6X)S#=aGG;XuW0^#8eB{ycW--c1s32LrHH9->vK_JV|$z46*|XN!5s+hH(a
z-28OM_?;CWGLU(tih%h=fUM)!HBu^rE+>M;FZQpOf|w&E;#YJhU4v%UskHZ#*}qc(
zTscG1-SAl{lp9p`?C5(z<lvQt*PrlF#@l|j4FjcCTCULXXi52-MVdw#_?y{jc>Bl5
z2MdG}&ftC+4c+(9s1GfS`%mXA?I~#mx=*1ZHlVUJnBm=<J)+N61}uvxPz6A>r*ku^
z@kzG>D6M$6B>$R*cG|5t6Rm>J39Q_`E;+JL;Wc8W+#3;v0Iw0iIhC4;1z}@j`jLWw
z`??d?w5f851?0dMX9%pVky-0S)cz|^Q+mf^-lxvPj8O<#V-M*)_Jc?9@bN(b*C|jZ
zY#O@th%ofFNh?IhS>E^TwpVsKNc+Oci7u0{H2QP75NQBVeYoV8=+x{e+2-VJqW?*W
z-3n-2^^6wr&&IWaNewR8G?~C8e$@n#&K|qX@Epg?=?(_qH%#dnT{s+QCK_Q?%S0;C
z3E<SVWXhrDzaT6MxTKcuXxyHv56(c0ufF8Nd-tc*0z&KmYpM0#;*=OXA*G=a&&cEM
z;4tMOY0ePUEiIq#l~|nE&-K=}q`93bzy3oUhAu%S1cRGiS4XVQ4T8=0pEgy4pE}@i
z%DMv!DfVxhWaBJbydXE%9q=60USW86hIj(Tv)2vVMJ&)Sh9^;JKN`3q{Z3h_Lf$Gf
zYcD_H*;5N#zjn<qwXJI+$3>yp@TnruG5{O!n%3Wu2{xDV<0!BJ_p^J{_)zoPxxQEK
z8~=t_Pe0?6MFmAj%~9~B?jm}>0`+EZ0>Y~;1=Bnb*tlU;265YVmkz%Bq@hRt5^|^4
zcfJ6XnM~ibVAQ(w2Ac*5Tf94jCIi+?Kp&Qq<<RbF68Vf6hZ~&>_~qCDi#i7MImSGm
ziQG({iPwVW{I6;F`wH!<n+=dUkP+$pg^TBN#;aGKKlj`_KP0yh7d)mS;-z86aCijX
zr}}EPD6ZFdWcQ^p9m#eb@HxuE>fR^<^Q}|}cMh|~C=8yCJ=-A3`asJ5Y`Vg)YnMYS
zQZFsi<NN+xWb5AC*WH-KD-0XXr;#BzY98UK+^)1s%98IOyznWNQp(?94**HJU_i>R
zddyD9GSSq}zbPx`$~*I+-zD(i+xX7|um<!4q3FjFD&*B?1Ocva3a1teh(IUo0_$@Q
zqv20APpoTyhVRQJBqd=}i`D-amwoGYO{NIQP%U?&0u>19BCAmsIARKe$<wV;sx$us
zm~=<#(ZlStJ6q_QB%4}V=VyMX8_f)X^0!ql!h*85QqQ>avUPn5^Lr<#3ni#HP51rP
z5Dn5NV|kaqm8U&v0)*il=_iiDM1cH2%2e0gH2L=P8+E-s^%C($-`PLl>5XZCInm&S
zEXoL85FSuo&{Kp&H+Wwy9Un*7!qZ6<s*a>pct1z!Rm;PCv=i*S+O&z=p!|?47grYc
zC*@K<LnB?gL@+CE<p<^1a2F0fU)LpeJu#6W@@Q{|OFO2Y-?%aTuNNb2`{|`at7E6e
z(GI9pX}O$qM%<^#t!o2oWq@xfZHlw$mW$^Vng$nU+ZF~hv#gQ4m2}8rt9Sy)R@Od}
z%<ElU^SH98u?fpJV1tiF0alNutg}@^UTBwKzAq9Ptes9uaA8J1V9aT9Sw^kdJ))&E
zal^!5SPY3cX$=hG{q!#T7F6Mx(0VVnq5S&oO-mPS?h4_^Y2t}=hnX~SWT`Yx62O{<
zA2zNx@2_z>Zw$+`qf5z>fv#vqShGzAJ_PE}^7hq|0@!)Gb9!ei!SpMBeZ9oWxJl!-
zW9(fe7g(xu+SSc@f?y3S?ew2dMe5RuYwg4gkiA&#Rj;w(V`FYK&a>!LcAjsF4HYz?
zKQq6kI6JD2k1g)>z3tLuK;IZLTll#9y}FUr)@l}rgiSGh6({11i#!@Q9rL;Gu+yPi
zF5O7iFFa+>=V!U<Td9qgF>d4faT*OfX3Ix<rgsi^(balU@2mX=)40PD(+i0-G7NEo
zL>~Y*gO|RQjC23d;}QX~|DW}^+yoP@7w9(DI7X}ExtXbfCs_~NKlEQ~TYc_sdwHrh
z1^d8&vJnQxu(3L$!aQ4spwz?-nd`UTNh+G<-mjIh1`H-XjMqsG0#Xew@#8}<xWn#B
zqAj@5BbVdd8X$Y<@4Z<-R4N=o(w<k`CA{BZ?1#O<kSB60I^`y)S_P^^?YE6ObYBay
z3(M~~10b$ven1x5=(kv!(E1y(r$hy}`=^F=_Mz~TEB2qGL^OVR+(c~Z(&D=Sat=mD
zJB>1L3W%?Hfy{eKNk?*i6|-Nlc9~)!42+ThCL=S=`mR0lR5JAIZUdT9Mr0_jsVXU=
zTo)$kEAYILEbBM0@n&_XFj?Z512(86hz)?-Pa)9;+*g>8YcAISC&{9NNZ?wY-(pM#
zDsM8a1U<T8qfjwJsRIPpjZQt_1dXkzK4ygXFFCm*0BvIpFpQ<S1Ph;h_sGnVKUC}#
zTukZXOz>Kb-m5St2_@wL)<|Py_#P^$#Q9yGwg9V_!Gx@Fl-e=pw{vN}J3iGiYOb!e
zD0nz@@Cm?UgT&cAC{G|Zu#D#?q)(o5l6<-yf$KD$A6O`(UR8NUn8K>vGLIxfvnCQH
zNteeMr7<556dHvN2a_soObGjkZK(;f$Q$oJnl5GS*#Z0=DMAKKRpq~o5)>A$D43ji
z#JGt(u@t0x555ko_Wa$MNB(zVn=<Su9N6;t2Yt^Nm$4qw_!r~<yn5yJW#+HRX1|sI
z``!4PkrY^F0^uj5rZYeYLP<c@2*?1oc|i<Zj&J?}aC||iqty%JIp}?LWFY=F{qLcp
zgmuzA&DEMetFwW94;`otBO{~v+L2R^UgZ))a|hve?UsEcJ9Tc`drw>n$pdO_iYPqZ
zT3g!}i7!W3xXl&<>pQCgwx)1o=ln+2#jU`T(wVHD!Q4-a@R(?y1gDw)AlzJ2lvbIt
zIXr7uFEhYCv%h*;`6yrMEabGSb-P{=uZgjC_a{a1(@z-7UH<f`m`|mBjwbN+Zng>b
zjXqNIFfO>B&YsF-8X}@?15AZ+XS251!uL&WfH{@r#nlKxglKScIqb^`pi97-Jf~+V
z4(x=MPU<4A0O!bT88Gt!_}25!v9V=PZW>3Fl``gM#zf@$PyJi&8|v8s7WRin;$H!!
z<?3AbV>(AA)_(>AZBnTw$2J;o(y!&K{c;ehz)Gy0wG*GaDEHRvo#Qq1u!?=po=q<P
z(S66{IePs#Mv_^2r*u1B=urML;N*BK<W@#>e4cl@P;;{Fr+TD!3-TBrx6i0ARBF$A
z7ERIVAcKB?H)(SG^YW#7y*{z!{AdTu0wKAFd%Nt>h_B-G8I>c)Vf5O+h{9ASocWJY
zO<f&q;O)W>h>NXu`6Bc%dn7=bk>>4=EFwp#c}(viZ*^BHmL7n%wc6ids%?h%P8?q3
zmH&K5a;5CPSl9$5io%Mx`0)ZNbm58;c4P4S(oNLp>l<$S3i;?s#QGKL`kUV;x<9pS
z|3n3P0x?HNYhm`|RF||C3AbN?Y?9o16?AN2g__NC>q3XAvcM9%^ID&+XY(uFrjL6c
z=$<ug)6yee^15lDyXr%29xVg#f-cgpw}rU%QlqeNS|*VJzv9>X6g<E*0|XF#r0;J`
z<@lN)44YcWHwm93e2IJblsA_i0TaND6$BlOq4+Jke0~QT$5a?L$NOzYKEU|%t{Y&V
z*HXIpOw0ah6u^quHbRmA>WxtPQ&O5|Tqcdep%H`w)t#ZWdZ;s>{i*L)m$%TE8@p``
zGxKYklizj%&|N2>%RN1mc_?kT9j9kA$!ZebYlm=}bjCqGYQkUg^T=Ls(AjV}lWx<P
zxaSj*+XTOZhq+)PlATM^D6YJNrHl+uj4@T!!J7EFkmXV2`~9$YvMpNV;s;76h+>R+
z<Y7Uh0?kMJ1~{Q)sWhX=wnA{Lzr!ru|CaM3sc(?RN}Y*OY8qpq?g770$bl;f&h`i_
z`P2}x#3d*-1F;Ud26<d$l{8iS)q)#*VsKlXg-R@vEAP_YEFoQj{x`bOiSKQ1a2PUX
z>s(=1>awvEqn#E3EIT2TB0^W0OP>UQ8y89-H3YzTS0^Hs`!_Oq8gD!Ad!d%qquzTy
zYchO3!z*fwUj;eyfc+)Y#~C2tj*{@d>(tNB#VBS_auxl#)~&5gliHc^XiW58&o_Dz
zy1G_{!4VC|iESZs6sV^{{z~HUo;l2lUs*-l4hN2j+jnEhxT3AZ+&v9m!yoL)(^;5v
zLTbVw`}+s^hz^ej4s%f28>c)noRw^WT@+WGRCiu*3a2(fte6LtsWu`$|L@MaD~Z?j
zN`I%~%KzyrxttV$-zr{Tzc-wCSzQ-RqjLZ@tTyNEciv@+#I0;VwhKoFy3MyD4z2y^
zj*0_QPslzy8Dm^EUcJ&%Pw=Ue2yKF{wrUEOmXfvy(MtpR%V)3Y&8ESVTC~;Z3=;7X
zu>E9309b*>b>rGM_rUGiBx?C;lepk$dnHlvg5sxQO90UD{_?j0R}&5lo5PA0JmBYE
z0hU}s4yTS`(-UAs8N1kWDeDMMj^kv{@(hT$C}yPtTz0})Cc+_|;tpYfIwB;@RNw9F
z0VyEy;}WZ1b(|+`ObqaSMBuE6#I{J3A)qGKwPDqO=YZbjnqIh3Lf#7aS=!Fs_&~6@
z%KnBZG@jDW_>D^>FnXeI0vodG(S{MYmq<NxnmBd#*W_#c*^ja@s-JU(z8&UEc;}7d
zEj~ZVYO3scRe3UqIQQ55`LmEIdX!^JO`4KK2QQV!1X*s-dv6d}H+w*$oXm#4{#!L<
zM?y48Tc19MdAnRMl`}`e*_pQS=9`MabGrhSdAoNg_u93fgJ4`Wa;K2WRfN23W~z&;
zO5v#yQWfY|3iA0ehF0rj)D>#Pd)<B+|E9L5&K?Z#*2T4yY8(G19wf_J(2LWHA<ku#
z?OQLWDJ1U_$0S?I&*!;hSTpN@rjqimVHFY8&?Q*_6gTJQWQ4XrZ0^s}`BNVFvp!TM
z34c(e@WDxe;G(MmDjsf#t~-@)H>+hJK+^q1w;eoA!<lTPiayOKG_?G<`taqHYE_OB
zIacgJ;KdU=n>w4L7q2cF{_Z*y>1XTmJNqAVynON1YbEjKM*VccsLz%jF2d=jvVUhg
z=GELJA{s2-Zy^I-H}p>WR^Ye}F(ep#6Q*z+?nPN?z_VH_J~)Qg@4)nvo>~F+Ehl@X
zufHc8rF~pB$q}2r+(iEq#lmq4kt-TC4w(c9;EECGRYhJThXPH`>TxM%;(#bFo@`v`
zgf%FH0HQ$-6CN>Y^I1s2Wd5f*-he_U(V<;ls<RFUU>QM2KQ7Fq%qcUd3)eOAHWpa8
ztSvEH%5&kc1Q;=CPg+bEBKULN$VhxEFjaE(2jtDgUiOzCq=Uc}mjlN4er3*huYjYa
zfikb2ubfr?NIsR!_cSvR@M*hf{JH?HrvUBCeYGBNY<SDDqb99_fkiG(u(WGe$|3f0
zEUm(GW8C5$AOaSOdIUKRi1UuYEk-rpif+Huz9d7JfaqPRE|Lp+OLVzf4&lrsn2M=;
zlw+@qi)?M%ke}BgTdhw?`)9V##iat<OQWbonFvKO&u<U#Kyodj0Bu$bc^KWyO3MMX
zMB30unvpouP@Y_a?@k1NUF8sD&MZPEu)(Q9DOF+6JLP!l)$`|a?l+BF<z)4b^s!0J
zGfcnaB&zr&%n913)(R{J#dNlXkeZ0yn(u+D8$AEr(9)=(#LK}1a`<OeZ|8+Whvbc`
z7M)3a-m>oEcjYBwUiDV0>-OJ&N9bl_IG_Bk`e?z_p@n>w9IN|}#tVq#-!$HC$8)qD
zutXJGyw;0Gx}5_Gvvn!w9D+9Nfh$%7!$QYH3+t`1jF>I|AHu#esIIkLG7tzP1a~Ju
za0wRNA%x(B;O-8=H}3B4?(PmdNN{&|m*CEZS>&AW&b?DpGe0SQP}F+X`*!!!-AiZ{
z<|PRhh68M{n!kiriTwJ?Awfj-fyn5_Qhde&@D@L<SJ}K~WoAYzR;qx#I#_x`pUe-9
zNwdZ06q}ZYnAXCVh1Q35nC?=~UJK;R$HxE=+?m_I`GI;LrMr6xdb7tJ=_N=B0uJc+
zi}lYG{wK{PA1?Q15YQZ-p(c$au_i;GhSTa`vU76Qw~ElmTC5y%HgwzLJwG#)GfO_X
z`m4jCKG&bz7VhaJkOPqKVOJ~Yv_p)nyBXn~rsav%B}%RF8I=NNcZbMVNnbEy`x3gm
ze0cw{9trE;n|)>fDs`q=3XHXD6Q#9V*^pzfHH#FRW(GJdkzBY{zqlU@%r|{@`uqIj
z4#jrodg1{c?AN=O=l}Y5;L0d>h7BrK+w=F#Y2)|?n>2|NZgST;Vh4-G920~zK^N4I
zW~VW5qk@aGL<*Q`fKg;L<x&CmQzr&gGIl?8Y<#bFeppIr=!!7e=lnb%=fwvinXbgT
zZ)PEDW-FcYgB5afxBu`_FsYj?;!=|p<mpW?%WRuz>Z3d^7>--nT9~)?k6W<)f37#J
zFg_o<vjdttsiOqiuVl<}hkx~i!59%+uXj6p#7}@nnYxNi;Q99ZXLmMUwZ^yAnn}LU
zs+f2yVF1nF{|#ovMp1xHL+;~r){EMbsQ7ZO1Uzq;xK<xnFsM!^5EFXKr9!-+h0Sk6
zgrmjLmicJe8KYXN^&A11iX>nv6wawi%<s1PF`QgZ53_HS44N^XOcz|K)ap|){P5W=
z1(cN&2`JNbR|zhY2{O1qpA`bjsCqI^rZGoSdFgjeV3pq)i{nogjJ)3XkU#*ok^ua3
ztEgRDTJA8lHXrf4{#}r<*)Va&qP(EA`m!bEDXSzYhV#KUVhuCikIiwopB+Ac&8_Xs
z==&<vl63U2tsbivUe(z^`usUdVF9Ui$@@iv%WRx@0G0Z=Dwf;sy9I=8KKlaO`DB03
z`mk2|lZ7~Q;`P{ZHBKq^Kv<~{0w*%4I{2u0rg<sFu|KmO7lgq5af!R4AJS1vv-rSx
z>zi?|M4((Sf9xzVWI3~UQnEvE>Ib@uyR-dV+KZtW$o2974C#NT6ctveay=>~vVq*$
zc~5QA(-{9#U}O@34kzsTQHMmO?L|g$@Yw6JcSxgO0M$*^_AS&$SttwK4g?#Q4*Y66
zln);`JIOlp$RjO1fvhx5JCXPRi2?R|C4{y-p8d(AM~b+cdrAcNws5bMBTDu}{HFqj
zNEr{Y%ubaez~K1pYaxHx(yNz#hCs~jGQhUD-rbLWdRUR7b2d>i{YI8)qs~F#nLSJH
z(I-3M2X%^*gGQY*r(_DB_%}3uI56*fJcM+Wnwkp1-hzd`bgdtLg@NRmygxTMF861B
z2Cj(R^wzYE&&RrS4O4n;`SYTmL6=N>vkhRJ<C||X91cf?v9NV!(_S)sPwJtxuoXXO
zlzc|{ALJ#U|7G^)oG&@{D~$mXBBPq>>b2N4PRAwRh_$|`E_p0>e~uUFj{nsje(j#u
z|69FLvG7!Fa<5I%Gk>vdl#2c;2h}bRR$04DCiA6nestnlrf}l3KY%xYDg(C{6c`i|
zV2Zb*Kov}?i`Sn%iJ!=bKZw<$Q}?r!p*xMOM8rw!4lM|utkb}{8Xj7^aJK9yHEgcg
zKR9j4o!paIC7T1bA?k(PyM6_o1dNS;UQ_4)k?x?e!k7qoR{+R?$RWAM)B;${_9qqZ
zUhF?Qy#=2Qs1o7!{GL|}CUvd~Qhqy->&&coi5EM_36ywu)u00IvKe(Dfwu|*5)q=L
zTO%U_UX9KM2BH6U%>|K)Y#&CEpG?~b@<Rd29~5j1otS5+8SgqBlc(#=@%<T!{$m<$
zCGP|e#At)BG0K)~?PA#hx&*c~4nMQomhOxM|42|IA20)XzsPG%wnl6vLBTX1g6%FQ
z;|;d~-=@>67pa72Y&cU&1j=G;Y(3~RU>K`FB;lTeIX@)1{mdHnxbUjlN9wev0(&L`
zX(CLD42U1V!YeaHpoyXW)(ak(K|3>t7`AVy6nWZts0T0JiLZihg5gvbaK%QZ4=e9N
z+Mqz0c@NUvH3_3eLgw_(BWUo9(l!RWjn>uls&f<|C%Z{r^o1Vn?g~OUcAtr#9}NoI
zsJdgqW`REfHf8ne$0Gej7U4Ym33wIZ%CN!c{}^Z^jG_bn4{1zR;?hv@bOvNCL4~U%
z=`V`579SkuJyXF)QcwU?iiPx=M{e4AYIgs%%y<X(l@i*y;UE)0-S?)+2U5MQkp+-*
z`CsH*#+DHI1m{dR>3tu|Yqb8@AM)bG#+B}GNnUA;L--Cn4tY=QDS4Q_uz45NS+9k#
zV&nQ4;`LI6B379kPemc}o5^obWz8S|rZs-RSKg-S##vYvCTNO@gQJ$TQ*iMkwOFV?
z4e!qnHU11Khd(9@_O}>BYMs~^_1LW38q`4r17tJ@?j>LXbmU#}e5*Jd%KVope)=8@
z!u>~uu3i4OP73O+@!Q1OzyWyenOmGX?BF|A%4m+b6*HUj=J9GKl=eM04veuk-bC?r
z=uk7OF%Apm)A1{8k{)2HLyim^xsR?l3vFr>*#CGh&W{)Y;O9}OjYo>I@ecr{gy^Zg
zTtltAERS+j4idia2M^w+te<?}*X2Pu$-P8`2GTl_3s@vFEbK2~51DglNi=dDEI^2K
zYJ3M=M;Z8wZ{CUd4>r<080Q>`P9C|ErX5-Fk$}EI9sgU$cPT*Ym4DIit(A7bB=P!1
zW;)O8ocSGeUY9KwSEO%}4p^M<7?xiB*z{r&`4s}#^b`5aE>9>bmVHItukNm#8O{&w
z-&`GwxnG@~{pSauJVFsav(bHum_0EBFe-!KE7QgHT@FF?CIK%NqfoDsS_I`py*jG#
zVtWR9>vxI*ix)BVKpP1aiSI{2BLPZKu65G4@v%a;m6dFL2cUS0<c6yJo!<0-PwnbU
z8$i&YiIVopSe<U_PO3UPVDSwGCBU9^Y)KU=E>hy=Q?|zp;JE#BnUC5|38pG(3=g5o
zNUYeS^|dF>BF|iu%$`{fJdt*~TM2hCNdje75pO*#Ibg&b($2+|C{BCGcoR_Mj<Rn&
zqFW?gI1*TVUx8Yx&ztS#`zmT_BR~Bk6zc^3A8$kCQwJX)^HhZx!dj{B#(V?x-m-C_
z)!0app<L|fPrx0&vN2U!_agT+{Q{oG{Nlf>NDNqJtWknHeAUZlCFz*-g?w!KZ=?M-
zIy9a{#?%6z1~8!Zd%Ra@XZkokYR-(3=P{Y7B^Llknm-1+z_gS0d(=}>Xgc=-r>a#$
zi+qnRAkI%`qdbE2lKT2@fIR9Stp1-_-|Zo<4~2I^go?i~uH)9t0_<2)@YOXo+Fhj<
z*?lKb?O_U?!$1;R=>Cp2c~><~=Zb5p_}*mQYGGZX(q+5K6Y%+j2gP#4xFL`Zm`^|O
z0hM72BdY8lJ7ldXu&-r31ADkyCndMlMNQfXZ>aWoNli`y=LG*u-=L&|jR_sz&Kv(s
zliw;aNCDg3FJunVp{~HB&;**cxmKoXwT1dj)=ysKO%RcaXz|=rE}syuI8CJ(k(<{N
zm6KeMppr=h*n~$<EIsxAgAQ6>^7>h?E+pdV-eNQE@WG<56)6*-S|h$lbLCL+Q6E&Z
z*=xMn%PxXIUhu|hS78Cgh`QUF7O6F_<*!q{bn{5FmQ$p*>?kve<HFWh1wyc1Y^5#@
z<RNWwzA6Cmk8yqRCaY^Z@I{T~SqY$y&TXAiX69La0%~h|rfK1%nwRO>;2f68qws4v
zfpVS{scU`PEkkvPA)7BaIhp-^8Oq2vZSf1%cg7z@Z1{h^RtSUZL4jf<eUV2?$5SXB
z%%%6$Fq9e2@o_XYX~Q0!!>WEAiMqe;8Z^s`(yCy>N^JXEnuakO(X<)3-L9{!jDta|
zNH8(U2+R641Utf;R;m0~82;>QF2=;pj?0FxQSk5xw6Btqk~&y}cC9^M4T55?sl<Kl
zqp3dsIJFkLHX%n&x&)RDH4R-)zIyd!rhgytzH<!v2=v{e$C|bP&O|D;O#Di!*hz!<
z{y;U4?_&FP=54${S^L}vj2u7rOZSNQLaFL`qz}!wXKDHoE0oJh&84${-i}|#a17o}
zYe5nXk)YZ@;Zxd|kS_cP!*U(fL(&gYM46eyv1iFjz{v|l<6}8y?g8S4#SE3pZ~Y9;
zk~vAp(hoA$fx>zN1k^CF6J9J~Y^xQl8k4{dBuif1fPdR6ID4r}JV5)PHpqJC$b{cu
zN*rkGTt94*$g*B1Jq1_g=m2nR3igvf{2pM=@GYMFA!BF~v|_w&+I&hAawj}{cPV%1
zD*p)uioWfX(wnoNMT_L>7ANp+KI+(}0Gc5%P^_uxG<|^6DFs0p-gq>l8AhgUQQePL
zMSG0BEjB&ohaYB?z_DEFK|cwQubTgv68f1eb+|E-+DV=dCZM4}*)Z<!-Gs<w>G@Y&
zSQ7=pVv-qb_YIM=pCuyyA1hOUIvZ0}5UU(Zd?Txvy@0F%&PUNRb1!IElHGgzuM)g)
zdVF|D0Z4?A!9{$u-HN_C!eYWrHdV5PvVTg(g9PG^#KIpgg@33}PyAzxoW4N-fUWI)
zXn&>Yl?^qG`<uzt(^Kn?_M5DcvMUl&QlU~x?gu<_LUC`$fVQ`|O3Vrt+P+pW$|E_W
zZ&#QQ5Ri8y0@C5coguriR5A5F|4xbz=Ges5*QF>KKzF^73Gj4yjG}OY)u3~NyE>Q4
zmuF>tlp!pnagzG%qWm$_VkxWLSWH2ZiTL~8*;fM1$a7UVP}@C_7pSdH%1uFCO|l4F
z8T^qhcB7HB8}|tqA6hquoHXan&^ZY$cKuLxOD$quUyu-&O}S=3E+KWL)afr8UL4YG
z(DCFDTj|xZz;*RLuN}r17dNyrAO<*ly&TZ*&od4#-`gGDry3TW%$9ox#q^l$(6ann
zM?@9l+9{Iy(0_}p-PLo&2O9A0UEulaKb!RvwQNC(SU8_5sCIkrf)DkWwQ2dZ$9UA_
zGt>7b1+{$V#<hs)J^%-JpY@L(rv9B7KE5OKpqC{MHVln&-l6IzU0!{J3Yar?%5elV
z08@q&U_IW?1XII6op-Z?u7bh%_T;Nb>vSdo1QR@A&<pB3xzAaxP&7K88G)X&fBE*C
z{Z%2&MLNO%&yAba?5^L$DE?*TA*V;k=ic$2&{tpP+(S>S1Bg`@pId>;phEHPm@sIR
zW#bq`0Y)#ln&5gP-5UXcHk~P@$GmtDPerF!=1>|z$Om_m{h4Ak6bwT9xa}P4^-{{V
zKfSv?gsT@II&ksnNCW1aB?1jq*L)a<N}iRV&urO@y_od1&ZVlOYOHt&y7=-B{Mdv;
zGB3N19C|axI>id0%q-*joy*?tWMnl9n>KPSEAqEr|CR<r|7;!;MiHZpI4-#fmg{^=
zy~!q+6eaeJnW*8d8@Z-Q9GqDe4!!>OdeP3OKOrc5x-{D(>zJm?+0JQPpbKhL-Wr~0
zbQ$4dlH_=#1;hJ=xPc@HxvdxwLEm^1IlgV>?ABTxp4pGLxl7Voo`B;%Ceib<LzZ6p
zPZvPoLce3MU1g%4@$f6uA)4Ogi8H*W_U2I2JZBt{YCqRE%nT5>h%}TP37cUKP-2t+
zK67-NKGG3KBW`T?-~%DGo6=VU;41ppp!c^iXriAIq3dJFjDX-e3ne8S-@Oy-WBakv
z&n(WpvYT#7y#9@9vzzOeZF*X=O$|8|JxIuQBUh%o8(Q|2Wm6vA<6-(kre@m`rA1#%
zhDJI_$dxcyF;7c64Po1_fY0%%3eg|QMWO^JpA6a^@JR?=Es94_L=*qmf(x_LH!|q*
zUI%$Qd+4$im0pS?EXP7G{hRKW5EVS>eFYJI4_L>{>tQb&V_$B!x-cX)e88Q37?uH8
zKJq|$%W6`YKqM{{5rhW@l#}UUfb|ZX_5tli193V6e>JUknV{bJHnnIAVab2c2#*2)
zN2p%l$UoMQj34+R_hr?CqVDrL`#s5#TI|)GBNST+gz=W8Z}05MXphVR;~sz&vl`v?
z+Ze@tD~Ve(4q>Q{UGYNkcroOq348!U;A_T9SJXgu)oSp3-eOEK6t5^sfnq5NWxiXD
zHWHm$JN!T_HNs0DH^92kCVORW;a_T0?N>q>!B{sujOvZA_@B>nXk>yP8+8cD-&$>v
zi&aA0npR&q<^Cu~vD_Uw{<MA(vF<!#zc*il%nI7msrvK$08zqWG7ZG(@pvRdIpQh)
zSRRFv!+S5jKT*IhmrpKjzHn?Ahoi(5;EHxqU{>(hBUveqAom(ojQV)uom$;U-pz++
zWmg!6Tzwe2%<0XaJHLKd|3J}?_Q8^*evlAJ0qpp3gESXQc=<P;u?~ht+rP5q_=ELA
z87RZ#4DKF%_s;}p^LBr$(EQuQst~MtUgY|l_ZT)I?#9@eZbvE6>@5nEBHqy>o;Hg*
z2Bq#K5W!kgYW%hX0ZM`3czee#K8`z$Z8$LpM8QFYmW$VHMn74~MR(u3d{Jpgs+>1V
zOn?5mtdEp?rv8sN!XV#7DR%w1`K79c6z;{DxWC1}+{A6?cCS*^{cmCQ_QcB$YLqXH
zqNg7^iVh<TNnGI2is{=31XvaqDwg>x55p0Mc@C?&U#opYU5XZ^;(V#WT^HNp18;vq
zMI8eS*KdE6WN1njcqnIxb0PCfK1lruj`Ez@dlY!#^zZsN$(i!)pW!kU?x^M&ct4b@
z!@q_i6R;%-!V(va{xk?Q=eBa9R6;p<>%srE*2omiQ5i!HUfVp!%1{ghJ;U^QS3olJ
zZJ5v2nvS}{beC3Bh4|?Kc7@CJ0?V4JQII1~+9*1Qjp-w5{!4{ZxJ)*uRDU^vRoM=*
z8lj56ywVHwy!m_nBJHP4Nw3PzG|aGL-(CIoEx_1Hp#1Fi0A$N_JHNj>A4E@ScU%8&
zlgxSTk<nFFcL;A))d~f8n*2(XYPO)}Hs`T3yJBQQ&Ky@=5P$}03jfUwny#%;qrmkr
zZ}{uYs*}N8Uq8Q&XunlKC#S}}<*OHS7Y~~9<uFZPXsGY%(}@xe=Yn!8p1DT?ojRgu
zu!w-^0q5SCt5F;xx^LUeL8m6|zU_l_*$1FHn1-0ll@yrWZwSW5c0=%{%5R?o;S@+u
z5qc14mXT*%92CoJO<I5p9BpL}f)f2jBv-4gJsRe>u*~}}@5m80it4-r2WSJpd=mAv
zzq2oK;zS(e=O5iCHicERUMPT5=`$Qn?Dpk>Z2X{%GBsZAqMrSU|4M;UJ#Of+NTAl$
z$U7QA3RIVq=PN36jaKeNn%8`kb9ZcO{u~@xK9vc0WJg7&guXS}ZM2TK^YV4bUwrqs
zEJC}BqU^q2O&a960y12qtMuuDhVrT5;R(s6wg0K7_xFH#v$<6tbP)lGj0`QWnq`ht
z2aT7S?=#Pr%iiw%-&)}E#zxcGb-9datx=6PKptle&{X#zy5(at1(Bp3Uj-!6gIxiQ
z?JU$viO$Ppl9GC41ObWQ^fRl)MCZx(tXvEb@3#zWP4Dw6Op@%cxyqI&?fg2xn$^B-
zVW-aX!^+E%yB)-MA5fP9Q~T{KpMRV{Wofem35s`|)I=1`a2#57%byTVdZrslM_8p(
zRp?BxlL@v@d9;Cw#2fs9v`eXiLTiVZZ>at_1tCyi`um%xPz!s?*8=#8ssT>`p7#G-
z0m@gl5n}`%gnJCSo~K~X_fM?lIcVp}h9?0b8l@ld{x_m58#InEOl!m|_lSMludAL0
zb#HT4X<F3($0;lHKMvr(1P~8UJ7ylDL$FJ+R`Wr7V^B^OYazvgYOPKft}IqfiPy`?
zm>Wc-K|rw@W;6ffcgd6G2JTcId!hFd&;H2xuMtn$vC9#xCS4!<<K?Sw?~W(zH`I9l
ztuQVhxWIm!4}Nh3&nO{u9|Srs0X^r%#g_9Ma!yy<?A^7`?aRd1e<0uEB2f8I;T?#k
z(c#i$n&3lLp8HWM6@g4NG({J>-8*v1chDpKUI-i}A85<~oGzxV=$beAgDC_nWgD=n
z=n3FuwgpdEL0uUUqc))G;BfYt%?1@Jo@*agw0<|aB-$|Om;nh-Yj%8GG&Wa`KrXv~
z-NX>YzWa|cUnqKhh(GQ@T5-8W2UMoeLWZS!9W>kBK^(Cq<t7(Pxe63icn#5a5CLXz
zb9_ynh#^W}tG6dWaHf#PI^U71H&c_-19X|ri0U<=sT>5)Ds}s(c)2iG9TpU+4Se^3
zMoirBcZFSwP2Mw%@yP@Xy0>6dHYj_sM5+2Wh&3@lc<(y)XAK~;t@&O;M9bqSmhovy
zd|!Kia_dSZEM{%^^6ygXR_G<J&vggL`aU+>16}hqMwvi$F5gGW&=lzDl3Cx&ONrA<
zmcOm&WKhSO5p@BYqc`X>_<#xMC8bH+H{tELU+s4~Jw#n>*zD*6#RV+&<0wRJe19Lk
z((!WL>eG3#^kKXt2-A&oJ(MSbcj>3T`>2wx_%oG!@JZ;A?2OO)8p@{)`4?jJnZtG2
z9ScYhoZwMF*l9EKuu*|rT_+Ia5{3WIrzE<>VMv+cz7<>ISYlw|1HbMwsD(B>9_Lz>
z*r&U_lJ`(q__p%}P*zQ7O<dkRGKBs<^02h4Hs_CQ&IRGY)|yTUy-?&=07X9e>mVXX
zZu2V93bAeKtFWD09A`c^gBuvB^Lpe8Xd|R213P3MspJ3U$E*NBF1`7vME3yI2~$zU
z|5S_A<944lN}^SN>oT5lbWI5Es$91Uxr1ndUaPWtV7zpHS!5Xhu?@E&K7T7HAaPC9
zj|!~L73l`uNYXhjKV&cM?a4<*{Zz45h^76KLkr+z$CYuEFJXOdv{Y3|bLBj-M0WfS
zkLb!RmUYbdU8$rfLp<L?sDt{b&U%GOg+x9jJ@$%!U(w!w*k$b&38ZbqN^W<QPWX7H
zy+Tv?QTtNK<CDpydmOpIyL^Ui&P$@6p0g(J8(^P86O!~Uq?5kmJ0+@av=99BW001(
zR-f8su1_F_L~mSdHeW_J2nCg<`54|8y`(ol5#ptp;M=8!*~yQUNSoFcc^|kJNdOFZ
z)-Gm^kmxwo0kH*H9OC61`HE>=r?>&ApQVU-*qlR_Xn5xE%I1rvW{@$b6bj>{-dL!S
zt;ZaIB5((5BUe^IaA+`cdq;$Pn$3A;9jlz=VMBSmFvzt7KCT(myAs=tq<Y{k?qR^x
z@^KdG%ysx&2j>2M%tl+lLyQ&-PIka9PrBu)V%jgMmKkVop&$AeDx<$-SpcXkqZv*4
z37MD=9-?(}_}ymf6nVXz`@}0XmB1<6jW)xTOHks)nFh(|UEeQg7R(azvpY0f+7rZi
zymr~>tOLR&AAmmBCCR4hZJqmCkZvm77Z0hq_tcc(T|PJLUf<$qLiP=Rx7+05tN{&!
zz?6T@#^#ZJYYc%<O`wmxdC-fX{G)v1_as<=K_6ZJS4CAJI|;uBc1M@G-#~~ln#q`@
z6Co&hVk&@<KYfpZY{@*hEN&O`GQi{+&M11~y%(EVgpMc?6#y}i?P7|8^v|TyF{WL-
z6X1;;-?BHcJdNltI8?^{)qkep{Wsne;z0pg^$O6V)O*R9>%ncZ{A;@6ca!@6ZI}Mv
zrMs7tJN_YhecexIeuHh}mu96k!%z}?mr<m|@yEYLzT=NO5-u6@^RvHJ7df9V_VmUo
ztURiYXdx~gfOC|o6r(&pKOOx>iHwxAyA|*WDOXw((P`e-;UqkXAH!86mzb|+1S|pS
zK-TJNh}5mE2zgythU<rynLg>D5@qws&e`^hhfk<ySSUk7M2+xzHvO(NIl0p_zo_HU
zS>-7?hW6==LXfnM^9i$ZX`phQ9AJ}~jigN(j__1eks;AhJ>5G|C(B9#+m=e_@XCB6
z<@7jKb<6O+CZ_{^LELG+H1cqtaCV<iv@b(NB|h^N*J7c&Y1(gV((XkbPT?oWeHy#K
z)%ZMT7C*K5hG_qZgRo#%WPxY{)wyb|BNhG&B#1TdTx9PVXv8@e#*%La%ar{Tjre)5
zZW3yoCX<k`VMpALLyGLfinU|CFY7Eddq_z=dX7hSH9i|K15sLNsheQo>?gDJlE;ud
zh~N2y=5Y9*@D=ty1FKbS&4xjZ_Mv^nr*+4NZv~f?0Pi>dE1>@0vv;8`v&L;B+B2S~
zP8=&_3&=se0zy&)2EZOpd$01jbH&YNi`78;agH(5aCjjy)(&2ia7-)-cGSTGimQI~
zitphLdsAolhIadrI>u1wcW_)c$636DZ>^Ir!;6~9!z9k=bZsH-Z&7kRpuu|n`0Y6{
z3$}4fOzO)2r;VGc%s9@paL7)rdu$(~4v99*9<lqkand5mzbCi0G4D_47yH6{Sm4~&
zvdSU|*)HxC2+_P5NQ{QX;FJ}h72aS6h8T=#oA}jI8>o8^--(&b9o&NQSyejz8D_1R
zE%-wBXg@?h;0EJon!*4In-lSi8+<qNiSVSZ4(+^Tv|`p4kStjWt@zJNA|n3lhrgR-
z#NStBgKpyI{!$z3aRfl;`aYTF$9-EvdT;shycffQKzHF5@PUBQEQd0#4L-x(5z|pU
z^5<1#HlJrC*8muu(@3w##s_330%8yT_qeP=@68}&;T~Tia4C%7CRZ6`_z^U?b{7`v
z9%8J|Hbk5Fs4EW^iGQyx5V!k`QiR7vpT+3GcqfVNKdeZXEgN&kdXv}0j_V4{Y!Ew-
zeo|&4qOZ+;*!A^{pA$G4o^Yt@i7Dq#bRxMSf~Lj~rN7jSCC33~^nJctn{915VwqiA
z^U#jTy3Vz05dr;Ia+iA%-|{67GEHL{LLSQS_0DG}t@sfo_nlsJhIOWF5e|J!AbPSI
zLQ~?W(9uPcR3mgu!c%*MUNLWxr##gsL5Dg%LY#cqp;aQJx+lYv?{Vc^juqP89%oPW
zJDZo!98om;-QYanc}BTyA?e-s1cN-fN{`13Vi&5&n^sI7_L{$@UOCdax$W_~3f+=k
z@N^`*7y8Yu{Os$Z$>MF&#EN+8kHvQOaH}I5M!cXMbbkTQ^MHxr1w4mgS^nqCR+XNL
z1>zh(nPFG(F7ebGPa9;avPDBWz3*s6#*hEyc#3hL+#mQ(0GDPu{!h^MqCX}B$isfE
zwcj4dJE#5el+kwhsv&uxIb}qchy+<7a>vsXR(2e<DpXkj?zd1?Ce_@pU=6u$?>S={
zpF(AU4(QKQxWByh1fQy)N2my)Iyzq$A?HHoJGMUV<}EM9q--t4o%p!e9ITk7r9O-d
z4}_~g1+@wZ)WQDvc;3x#Q!2!EJt-qVYk4jLWhuK}aw`@^)s46i@oi~q0sBl0{U-xX
zCmp=8?XaX}PfV3`NXlg;wCY&^jF|{veeD{C!+rF}=j1KB?U!-i>pG4TK6>lHer7i9
zEy5ArWviFw?>Q6h&bRWaj?9yVB+?z`ly_%1tFa&k^1A9~Z$80$^@vH*26>IW|482o
z|8|(Di~Q!5d(4pZb$wA!MJayfU86@VNQ;>U>iB0bkxau9t8B)tA{0GX@M0zfPTubw
zrtw*{=;gc-@wmtH4I!bUIULtj?Btb8%F@gCq_gi3+{YFJ&ak0X3Ar9ANl*+4F@L8j
zcEpUi<rYY96z^KO_F~n|jC!stnAMkUaFT6gYPDo;Z}4`#{FCW^_O4j#^bqTtl%t(t
zEp7S%@npABu!n{lUHFd5GAV{+wx=RSL=&u}Zb0{5uI9LDmnZ#svOZMV&$N)6Hhmkq
zji~)AbL%yIvJgo4$@EO&#%=$`w|1)uMFdG*-uIfNAi;^&cA^P;{^DtC<lY0#PSM^s
z@AQMgkhA1IT|+)aQ*T2ui$)q7lP&xV_a&#Y4p+vo!4SMD=H^L$6}o1H5S&3d>pKod
z0kPuw%vfPCCu2E&PZuHY$)SRw+g9Bq*D41zqnLAjaGSw1AC2z8ZUmC|pa*HYdYLjh
zHkkMPJ34<tew9JMT?^%Bz1Q#Q%%1nyF<@%l;X$zh^Nk=ou`e*H;mi+PlQ~1hetv#-
z0)sxRUS=-9*FbrW=c;_}HKx@(HYQ7RKQgrM$sagegMbebV;wBy)YN^Ixj0m&0H24q
zb8f#6XC9PscjwUKf~<P*F@7h;y$kU)MKDE6ay_i_DH5++_K5VYvZ9SE0CAg6?3v(S
z@!N#)DNEXIM{(~nZnNX5lxKuEDi#D3Sk~1Utsl}CC}g<}TIJK!PS%yxc|L&b<=B#$
zcMw=o9-6AZ+ndViXso#p^?cR${dKPqw>L;AdU+e;5S9302xtv%E9VStW?T7cKVUIz
zOrW5M?KRy}JZ8jwogZKc>E78|3kc8cqQ&?gX45f4lOD1(`d#Kp`yCdo34RU!A4@SY
zrQ5urRNIu6&t!CzN~<pK?MtuClHBQjL=LgQ+_qR>jnF8xme7<Hd{bzxp@GzvIB)pX
zypihRLWC;w>iaY5+6rYV_R2_r1Ol(kzdxLHOV)fu9M~oX!~-7<BXpu&UV+68DP0zS
zSzY5$G{K#w=sQ$5NU^yaEWaA=h2#u9L^olL;VB8p$!X9qJPmV9^K%n;FfThnES&Eb
z=e5Su9G9~Tx^5Am$`BX6$|&=6dGVEYN)kniauT<l+T(i3D)dxx1d>6jeu?sgLKGA2
z72^A(YN>~ssJ>QTuaj@+(1n9fKhfjq7vT&n^vHx7l;M-p2ZwaR8z=RKuw_+DRvG^0
zO3oTC%JyD{p5cJ0Rcz6JS5pcZkTlZGdH=Lzjt#2&((~R{qd5%y^Xf5svgGNYow<rz
z%hhI`W@VXwqN@64XE_2~ovC>5CHF5(|4)ZrW=7Q1)+tJsJ2j_wvF*o&4nE1@KOVa?
zn9J8CVQVe<f;ZeK1C$jsnp6#VzlO^(s5PEAxZ!LX+*7|P+PuEtf0lc;9H^~OpOWdk
zr<s&dc@X1IA<4WF?#pqV7(9^`6ojJJY>g~$dkSV|JHfqtRmXc&QS0{Lz*SSit6-lr
zpz04~2Ep!xX&&qI2E_zU+O*EMUQy0Z{LgHDUm`$Lio3smR>+m9*6rm)@MmUq`Ogi6
zqKC5%x=j`8Xt_36EPk2H2TSOsJ1-RmkMev0j#joH1w-0QHdnkS4@~3pl8~_P%^TT}
zz3iC|--;#UrPTAwt;Ua8i};AEkRrTg{zsS1SgxnGx65uD3>O4J#;Dq;Dj8LWCjB=p
z8SUHS?{(s-G9kSh!~0{&fc16o>%FrPszpM|&f@zFu38oCv(oX%UEN-8rLlVc4CO7?
z3irk*6CaO!DKm*s26g_7wgS$&((tCkcPQ^9VHC^er5{fYf2$dH1oQ9h)^Qtm4Db(~
z=aPro<3X!(lifMJo(g|8;wf;C`pbPHMYw@Du}$q`0mdUmKnN8b6j&}ZIhC)&%BC@}
z6YUfqwzz-)`+uL#=@RUTLG+a=%KMTSt?V<#P<obqEoV8GV@n-GUfrWQ2;=M^F#)qT
z5?>+PncMH0<}~?ysoofwJhO^+@lo)3GGDFve1yRPhe0L1`6MIwQ8Gb&<$DEM&uY!c
zk#xf4pOS`?5?C_TD%~WD#`A63u~>Eo@H^1?A>;VP=D@v$nJ2muOm|`aOz;<SE;CIE
z6D)MLam^z2Jk^hCHDxIcs9>7~=i4CrTec}d-vl~=V(_yiDno>o+XbfBV9F=!Wc#_)
z{NL<o!9Muj9Aw}aif+@1=JcPcJ1nKL<&t6^hJ7eju=`}xs{tFS=x2^y)CqUHtFz-2
znb*#QE+|J`3xB2^(QYw3a+owt7$wvXd{gLjGSv7Vxt!e#f9-2C-RFKFJ`k;T<vI5i
z-ix$+;6yaq>DRO!3P(@wa|pBEoEg>td^BZYi5@-EgvJ@KC32?jMUk*72rs-akJs@k
zsQT!#Gpu_RXiSx3q)$9bP5jNX?DKJw{hi1~G@DG(W<Ba@-yYH~emIP*^SG>m0}4uf
zd4Ot4XVT-k*_F$~3b1U(;0WXQi}7_mR;bCR+Mk=wTn)P_1_Qs}^Fz_kX54ljHs97c
zNik_mwFJ!nei~LC3)IQEx{zQv6bC=v*Qo5ot_>gKYBV22S(r^POqQNQke~BXtlDOH
zkdr?#{K~wNW1NR)HJy`Xx1K-W?*GjCdxqCW3W|-PPZR!n1$leF4tG(Cy!=ox2&u58
zi|0ndwY`)y%%wp=VG5EvV7Kv<2f3?bA4n)K`HCz}cf4D=Nh4q2<Bb3cb3er;@;W0v
z$xeEv$E2UF(9$|F-yVpomp*AMe8)CKdS6w>l1k+#uu6F}dz9$DEqr&=J(b4#Afw^_
z`uL`YyT#>(<*_V{b(K$wu$K@75-nEku*}gD)rW?{hKa9O5&exHsA!yVQOnu8&$a+=
zMAA!p(pmquQ0`{mOUU^_jX>W*`{L}4as6BlFUnUu=$@0;CR(%Eozur~JB2+l%Z#^i
zVaC<>ufhEr!u4!xN}sd)50D=zLXhWY3VRr@Bi4-qj~=3dq7Odc1ApOsx7J)?PM2BC
z{%uTmTHRI+kM}8z`{gZG(}NY@KZ;yuzTvfIvkY92p_qZ%rb;6#u7X}z=cgni$0_#<
zcn9!Ckld(Tmw#AcZmw^0Mho{l100V<A_tgdmOVkYN5Pw=FIsLI_d7fzrCL^6&Za|7
zZLU*$sI2x2+|FEk9z9n$we7`MrY04jYcxrV)n*?)w`|tEZ}}Vq<2AU)at+0LHJGbd
zlbsQY`v#aL3a6p2eQ{V%4@NZLW`PQ;rJF5>nWw|g^to>W{$PzBVER3~Kdqizc3ol$
zS^klpSM2FNrqZlU-)YyN!QyX!?y&q}GHIo@7xETCW3US&@Iq%fSn6_kYhsO8@c#XT
znEW3tc9RC|GyY9wu0y2_4{@$;&eQR}6Q1G0+IAzOcp*m3m|q1cZgT4#V+6%PQf8)R
zg+E<OG-$zQvy%C}a&D@!ad>&ixTp5Rv+TsJhEo=*T{GM9R~};rqWFQcMttGTxtu?!
zOU-Ah>e*RdlOu7}Q%_s8xP)yVm<#_d-p;!u)V>u_?2q4!C&ZuYE`5Y_tqNPhA!s#)
z{R~`v`=x!>C`I~VG96BVspPiIEIaH`qh%vyTH!}ZOn}*{(j)Jo9S)>f!$sPnbIV}R
zYclZ&{l*OP;C1NN=AYIR8An-OVe*`&IrB7*tOaijK{=-)zCWcho!@x1&}@%je>~nK
zIgH&aHAC9@N1Rp(B9d@({3Bm|2%a>P?H;4I_2y5&UZpT{18)-b^{AW?tzu!}VvC9G
ze!?lA%WO_mmzbH1!=ER#<M~5#)dtJ7xupvN{4X+2@=8<;g+;a`ux|#@#@t)<vBQ#7
zX_8xO#5hf56&OB2Unu>_Ubl*?2d{_POtre7UiS!mOm?`wH~Qvh;U+^Z7I2gR;{W1t
zJ468Wmj=iQxO{JTH&tp$y_*!_i&acYA|dc_humVk6uN9%+RG$DS$mE(rV87jIp>dg
z>3kK$O!5nUXtEtaMM14K-M9&>@1bDBrWRy&d6-)zEi7P`5r8tbaP|uq<ty3Wx9M4j
zf#&E#X4pHGOWM~^>R@JBNlW52_NJx2%J+{00!&SAg*_EN8H;Zlj=I0RPy;tDn{(O|
z`RU>xbpg&EnfO-i0}iN_*4J0!fc{@Ux$;2C%V(OXxsu}|b6_t>%zKP6wmY(TlIL(7
zo}b3;D4$Rx{rN#(?oiYICV$lMDMd5&wl&F$yodLO26LJrd%DCUCxnqxX%uPGN=}Xt
z@8*cs`Qa^NSWbfG3Vl3V59d=O`hGq>++M-!Kdn(aLy#G&cb6vW5neR3>f#tETuld*
zbGD{kAVHBT|1sJ?Lb{#%?agH<3uOV?VE3h?${qYp5;M*6NxD-DCuNHis^Q8Gn&7L>
zh(r3@n_^jAUOl=38C;=4uH?YGwMqPxW$qyB7@KF+R7Zc3Ay&Q}-${bg7NQ)qQ0KP~
z(Z327m%`p5r{fKWSBN1ZQ8OEf&s}{~!#8;QKFv45#S~hn<m;TwD^u^RucT_`EE;;u
zWhXE-=n<O8Z=CM>X5EC3xd&-j4c0$b9Inbdi(~(+8LLmDfMyRbJ8T%=9UWnju6e>B
z?q+(j?5o$K^!oI0okyX)ntc};E3B?H`NZ8;3dtenM;W{SuqC&$yFt5mRO2A#Md)-x
ze>u#ql~kt^%XM9ZeRUDRpCpKkOlTh8^zjj<_ThLomI(hWw_Qb}-4*w$rMY1R6KuI<
ze@s0Vj7c-bG8&e}zLL7d;ahdLHCt@QUr=*gG^&ZM`Hi<Zt)OAEK=RJyI{`o^&Rz>F
zV9R6T@??v$;knofPuBU-Hps88=gG9S^Vb%s^aSaZYkbB3oWQrfoGtgm`Ko*ZagT9<
zw%i5jZrq$@$N$Y#sr&w<XaZk#YI|bCJY53?pPQ=(4ILF`k4EOzMa>K`G5Q<U{5CTs
z){>jX8?odD^PBHhh7@QjA7sIWXpqA!@Z3Fz?HbyGa<y9DQt7_C^L(eMgt`4ns}+B-
z<+@ZVS^WTqI2|<e%>KNd1Utpio;W)_Gh|t;#a(NvTyInPM{AmNQ(f&+->%G0jdjjG
z+bHCp^f<RiG{ss4%vXo<_nW_N_svWmFWH>k8lI6%R0V_|j>C(G?04u_zw!Q2IZ))i
zx?{eT;)RDIShKfY<%%mTyI!8Fmc!h*z(SM&cR|~&tNQISdGwB`C}evyK&l<Mhi4|3
zk%4Q@=2~c>-YsFMTyI}u=FMkfE6*MwoHwx0sHC1JOjg#vXWj1F(1u$YmH@`Sq?bO3
z+F`{oJ_1o*W4}q<wGlZ@k*Kxhk2ihPea3M|>ThS{Jg6!t65j;x>CV=)r0KR;8DkD0
zxvw!KvmLT5pBfG)Pxk4^?CsyIWPFR@dkP%>ARMcv-kQvCU>mN|b0c}TvX4YhY7ueK
zyw~9#+Szuq641kUm+k&+`^T|n|C-x!ETr@PVaIH;Q1^FmxM0A0IR*sRmJFBXVWci1
z*LyOOcD$q;wlW#xFLn4+toQ)aMOWqYr~?tPerOL~C|dU4kgCmU^gS@H@GMuC#q)~N
z%Hw&yAl~25Y01ICw=govCcvtHl&c)Sn%?=MaW?6+d^r=n1+Q0Z%ooCkSMe45EC!-#
zj!Mjzz+@O1AQf}&Mzz4@*h8AkX%ddkTD9f3p0n$gR_H9pHn|eyD4m07mU@Dm5(iB#
zQW`qjYCB1Ox^G9%>#@mQe;6|BX=LTZ?b*;#?4*NM8n9efj$`5Ry1wcS%(1X~Z&&&J
zvL#PcFx|N2-9u)jF|z4mQ=Un1oFmKk_3pbH`zfYR>aNFLxV6qrE-)%N>1Rp%1pT$`
zOyO4--L~P`h8~N(L&^MyV#!QTW*6#`eTn?@BRb<0hoD%uli7UDB=E;zHuqJcJL-?y
zR(|BA6^eY-QiBWp_w!ItWyC^6+dqmG^28azQrm+G1@vn5V=n+cXBZ1>CUZO|J&V_D
zdPYraYFGV*i{=z8i~4&yOy-B#{f@&<xl*g=iIjeLNU}Tau&|4w!{&hu89SQ|m^r60
z6r@QdXgS2S?;kBd6c*pi9*Ib(Pgn4#IS=eR&nRg<2LQB7VU_3H|0*hgnC1A`<%iV^
z;;*Bg0Qm#TL9yv&Q_za??Etj$=3HiwM|hK=*H2UT=DOW?*{>Rg^Zv-(^Vmv|akYZ>
zX>s51KC`%8FH>lw_LE8-u1`nQ5ltk0I6cUu_*^wdR`K|4vV9K1XCs^l^n|gjbFi4n
zawov|DHpWOK+9F$Z$F|nZ|U5C5%c+`Vh=Fmf_Ff?+FtGUQo63nm2N%bY<oMl-?Xe)
zA%lpQr-Lh~V&QyF$j!SO6JaSCyiHrA!BzUF_<kBD`!S-+^mqz0zZb-6OTRprcB&pe
z4)q{oO`k7m=DIOF?jx(VnwH$1e$9vA9kRmII&6_-)@^zLn%S4Xnptuvz{A7>>oFd`
zgjg-L`K&hL20FN&;?uYPyg_o`G$dI#`?0AsgE;28#P8q62%1S+-uK;<$)Bxz#lynq
zJepc5Mz9k82C-F(fA<&ftfmL7#o{#_q4lqh%U_VLE0<`X)?x;xqUD4h5Ai>2;RSv=
z>(6Q5-^N5-y5u>oUU@#%OO_k8MfC5sF*c_*r?;ueK6JI7)VaixnVfC-DJUo;e0l!>
zH@#we^ZLedmD>~eG|+S7TfeKDo<pFKI2r6JnRbm7hQ});b8%}9M@#^UCmY*<5AdXt
z)Tz=42w9MCgB&IjN_*H~(I>SH0E`0Vw+DU*`(!j{N#PGTmshw|{3T;`-&Y-`a_xC*
z-hmbG*^j5U;p{E7(U+1jpCqk`ZTXaq4Qpf_i*|(NVVLrDRI^7<CyV5#Cswx*JM?I!
z`j*<&Xlsfy;0H<*MTNHLLXFu2U(o@4j`?vI+Hy5NyO9>2SPr7N{@YCc7GstLD>{AU
zSs8to<TfepHF@i&w_{7Cqzi-zp4UrIgcjq5xcpcYj;+~gCMD+YhhJD+e2U~O4zBG%
zA39Q&aC6)N_ag_oXlIY3EJdt-NX)FV-1YEgaH1^{|1XwJSjTau+5YLM*sCA$;OgrL
z_iF)x!+=N`5SX?+XT;+~cV?m8t>sA}C+aMNk*~l7Zq+2!*&X2Nqu*4s8jD;2R9_6B
z`()l-{ARs1sq$ga1*h|rGBX9X(o#9^et(o%*d_!yf4r}k=(F@$QUQEneP;2O94duP
z_*%NXw=|zzJe+Kc)pAnbhKy^5a_m$5V#B*WmhWW>*3a+c&f#}84F3g7d18W2s_LR#
z-WLAY#o4mw=dnOGCL~}cO5J9HdswT4u`gM%sW!44;+$SvK$*$XzWfy;1`*LEw+KG~
zZKBiiE?yrfr#Rcw9X|(A|7JD(wlj{v11Bz<_1+zQOPW-Yx>V6i)pXoM4JXP}MZY9X
zjjYH>Z?9p2$57{((X7EF%Cun*T8)gfQ4NeT#zhtr!7h*%CBT64l@a=u=wgSVI7NOX
zXMh$Kd|oN3E3?KPRN7bb_Hm$#If&P5mAsmClw$gp?T;Mh^A1Fyj@bLI+2g&fmdybE
z$v*UKnOcMFEK!=p7$4ICr|Dc}R1)RNF2Tjr=H*C>Rq}SKv7^3A^X9e7RbZ9t$PFH?
zafkmv+@jm+`pv3Gfo5CFVU$JF636@XvY#Vz+MHjbem<Uf*zU(KKHwMJ8{v4E&6J9d
z@?S6mr>M$_Pp?jul^_2}Ky};f>R3WNorXC+0%ZpZ%5M;zb=oIuRa_?Vxj-M?Xa7Jk
z*OUO`vL93n*&1YA?MiA@-;!+qEOIE*aobKTi3A%U;+JJux(r?~t1Wi-=zuE2w-ZJb
zj<%;V`WVH~(;sw-5|b9mw;yEv!O}Q=1L%Glf;*mzt^+d^QA&quPSKr4H&B#w*+wjy
zGkZlnc(L?YUtHw2h$y_Pa5&i|W7VVZ3(Q6;=MTSQ(AdDNc5=DM&MtB%4nK{NI`J25
z?+$*@jV@~BoMii=e$!>0ROI<tjTpob7*)X%Hg(9Bp+C1f&7Tm2d}ytSbJUb}L`HpB
zLI>7ACWah&dCnkbz1lX)nD%kjunv;q7)+@s`o2oBqWp%}iAAYETBG;iv3qx+&dg*9
zL2rMR*u!|HNX?Pa+44x@{%*KILu}RKIqk0mu@TwPW&8|LoAa${1zOE&JSNB1g$K-y
z)9wY+7yiz9PrTZelAQMEbx2*f9HCZo2`AxPA<)4RL!qv>E|c%wgcP7y5T$f%)@c^F
z=DncvS%j1o`my=kgZC19_By2j&Av%5s*C_y6`!DpHwsvNm<3f~eWIE#hm-z=<m!Ma
zmDH5p4H_ivVu4%mThVpF+H>G(9UIy)9%O89nBh^P|KOuF{V8aGI6dNFrbxs>?I>Jf
z5LyjuW`M)V^5Qi^h|*J*Xvs9`Z259|keS3#`G-ultjdq)S8oatVNzdt#ge^XFX)_R
z>TTZQR{2v}<U#Ul826aIV4jp;6+Cn?bLh8Hq_pSe@?lyk>;e~{=fr(CaWc=*=#L?L
zc*hpWGd{4TbpE^>r(_noitZN_a7*hh0n)u*aP`@Oj!5~u*M*i?HDB$Yyg_!0o=>Xe
zi`5k^j8s&ahZQY;;iitI)b-mv+_f&nbQ9Z!b<$$_Pd3DK*=}1My@lymo_#3SHc!cQ
zzwH)}XAi9~wrvSIP}TzTMG;N+;}AmLnOEe0_ASY#8tOy-EM!8@enyPY<HY}?MR0gx
zz$3qO+=x>GBO%Tt(*On)ldDeRTRK%D^J9?SXj0MK;M*<|2g-k^S3jl~H94iWsKW7s
zW=_x2>48@3A7$Bg0K6&RHric(OJ*O0Ao^)SoX?Um_(bt@u*L=w`I+xgIFXrUM9R}<
zRE6ni-r=Yyr*s>yWXsH_&zdL?QV@M6V(!mf?Od4Nd+bOXqHyH}zFM}-gN?pHutW8W
zb~k~KgmlJ{i~nd((N1L4&@gH>kre#q#1IY&jrqs{|BJtyr5pa8rALBq$Likq86)`_
zC6%YX7u59n1vTNu&KB2E5*D`2=y!C2F4f{?M&1x!-yd4$q08)j#b+-suyskttWDCi
zI%&Jk%9l!+49;-R#iWfF=14(xHdRuz5d0BF-_TcabG;I<KwKNJU!L;I{3{qzWV<*~
z(A+DdC9zphkyR5>Ca#n&ckfI{rkXpS6={v$5#)fA&6&k1{qZlpN!Mj8p^6Uh^;ASV
zWpX6bON*z@G~nnCtXB-=$i6CSV8};IaRf}fz4et?lj7|2ek=7t$NI|P`>A{ruOwj2
zJh&eMN*T7DMq|GHff%FyFewxws|GI2u5VY&i%%}B&%0KU;f~m76bd2dKlDh+-s388
z8(8?YbAdRPiss+pDc}pg<}!r8MCCznO{5}CeH-VaC+`9U7B~13uCb<s6fS-Y3nYhe
zIUR~#^f8+q*qi8nH*u`ka<zsL+tV*$c!yT4soajAEfxrl8iHwl6w4nf2FRWzPuDtC
z@v7#|YKP$;i#_~Vlx-=v7hZEIPP#P<9fn?yr$^2nQ1#3@X@5|Rh&PK}XTgEami=zd
z2I*I+)xV~R{;;>v-X@|!r$}w8tSF$?>Z*aO6W@4Kz0mfu-C)gS)sCy9qc>siusP8w
zkTXD}+=RbSwaBp;lZkrR*alA;slur6;T)1=b4D>zLdnawBa8l2TN-DBkTP)VP}|UI
zI_iSvKwEzy1X<PjBmIO(WKWgd2u<>5!}y=cR|QUOzCqTsIml5LpMcUtZjnDm(#gUl
zbyuDdnTJ9%+P!05*c3^LF+r~sy1Dw;7#BKcH_sr*^#(0Lx(0#1AQD`M#rIDa-4b)h
z3j8TNJ>HN)g}Te94<3|~?a#ssl@#p{bK)vmH61exih$;{Q1BhV43rA;v9o7e-`U13
zY41m|Ym9exi3|E{5|i~|6x3v6LhW%Dn`<isZ?1}rKBwKSO4-fY^21>zF3-Do9Jt#R
zd0vOf%#8D|sFt-6@m?t9hIlt2_&<K_y8k2LGRpuV%j#|8pJ+8ulXQuS4EcqsIwg{h
zY}v^GZ@j&c7Q3QfI#~@{OAwd5tE(fpf8Xg;<#fHC;69!+igz2-Y4tN5?<#bZ{bVts
zSnb|`>CeDMwH#gOy~%TIht&ep*J4QP&bjlVJo;R9UwqDVur1&B#SfWvWN)C#2$55v
zyjcIz)S2x2pK~q>pu9CDqImJ6w~rK2n4r&IS|DYLD$3Io5yh?fTs&~KrKj#Ql~s5a
zCCQq<Cl!WWv5^QS#-TqZ<^YO)Rhs$edO_V(&bH!YHt|JOQ?3ZMtvl<V5`k>#HaVeZ
zTQrlZz7t(30W;nu7}*)F`Fv5e?kDfo_=m>_t_4zj?mF>_8y$*`&#1`ryV<W4j#l4F
zRE1~2vxhcD_nxBJQToaJ97e5rd)P7;@smN5(FAKO_@amA^R@G>H<&oz1X)WT@8k5Z
zPyHFpw+7G5Dth{lGkvpqvQTAo#J@S2zq_33{t4(H?y*UMt3I+l)EZi?km5aX66IF=
zjBrND|EViJVK64Qw4&NI{=ejZStOWq6sTz|g=s4Nvyr(J{AA0s!>k9>@x$)E>|XVj
zvCwN{#ThiCjJeP^X-XYK8?)l8x7`EG&`TsydZJK7ixZ{okm*?qhBTvaKaorLz|_D_
zk)P?F8GD>Tx-b9&oK@eq6Zx?0I-;4s|D8`w=5>aeLAp^2N-xpn<LKqQ;~zQtbBmRM
zHFmY|F+L7xziAp{RMQe!wc`iSYW6n;u;oX9shM=^gVPm)3hB&Vhu~+rv%J|BAh~-v
zK2peV`AuCSP%Nl#!?0ExUEsh!Sx}B|*Vt8EH~$bm_6!TuZkD_pALAp~mq;-Bq-&Hz
zDcpLfKNSQw`$SIlYEk)f=2(jA!<h}GQLi};*7hM0Y#)Yy<Z3YCWtsfScw15^O~*3g
zGn7VthSROt)lkU)+pLF6lVW2i{l-4~Ky<ovc-T%EwFp~UeEmCySF-eT68yi<uVp3x
z(Qe&iHy#f;&nk7>0iY`5OA%O;rc$xJ0aSAcHevgS^v^-=0sF!j#A;P&Ir?h;pJM?3
z!saKBnFwbQ+Zv&F=-I1Blc8r?Mn^$T8ZM%7#||!VYExSz*`RTfcA|)V$5%f}<%>Ts
z5k;aN4xkk}4-@|!k{mIZPv}p~W?XW3+QqwJ)E{x9*leDb8n{0&)XKkmVG^4{0Fyu&
z@Dd;*&0O#<CiVMYl)ZISmERUMEQeIOy96mgx?2g6mTu`15J`yxh)9D-cXu3VQQ&}d
zcMBY81f=@_-*ZrZ_ulv3_Z{Q=^9&t>=Xv(tYt1>=Tx&0F4GAA?g(Fj>R=jTSGOy5k
zkzqiX9%U<sYhrlOHN<IOr=ePYl|)G~-42mP5%>K%o((n%E1RDiH5ug0R-`eu>T6S|
z!2s62)IXtPpugI=-=I0(>wERMP=|FG-iJyR?}2zO{9@jK-2|7@oDAk2TLE%OUyjJk
z=1#GCrr&zigkbf7DX<l$P_RO$@rod!wg!A9IkLs&C9-AZk1raSYKWuh7VFJY88iB3
zTOLcL%D9^n;&o#o`9!~2j_<*REr@q$+ygJSitFUQT{NVp9uk5H(tLN}XFD4p9^H?~
zrGQRLcJfAZvEg+SA#vxh*IPS}_o6~KjU05F8v3_Fzv2o7*a;Td;;cS6<9>KIl;uRJ
zq&yeRB1b5uLu4SDtx1PW4$t~1eX}s}>~$d1b*j*-FV=}UoGLLcvF*7wkksM+F<XV8
z9M7m+Ari=0`Zddp<Gn|LI2~piy{N>+*Vk^v<xDGlQJ-8C+IxBd3hAo9g#|t5?H93f
z*o|{<3qsvvzjhHRd#t2hW=&inQtQ@>`H;t=5i9$6WL|&fUFukEQI(?AE>7oiaA~YE
zdrrFNdX1($Mq(?rd2EkI_MFe_Z_^ynkgg|RcjWmg<HG9a*P2-fNN5Y3DWCKw2E|W1
zO*e3y#BRPR1S;tYTch<)T`r?L{bUcVR*fIV#vSu(V9oyo6rL}~PAh-{PZyv{cLzlY
zkpYyuh@L6=78PILvu%68eNdYCD*oK}nB?-|r0N%2br?onXA*oS-xvETerHn5-s{_?
z{pOEEzgjDLYHpBm&QtY}4Sv=80)+F{q5ctWUMmxq&x4<oq$Y?R^g{S{!m%&jjDz&m
zeIx;;q{6;q1btWf)UYwy)>@+9fE=FUPamU;qPeU$iADmNZCBAFLqh>EWX)cXOz-;>
z^PVG#y+{-;M+3Xu^B6=&h6)FZ6(YY~O#7C8*xKSWNI$d*G>nE{nX44yq9KE_@$qtp
z&_b=)etDFcm1MmS@%?<)^X*C3v8I7M_M&WAgwHZ>MA4v4>LxR0f>4g-kIWd}tsN)e
zf`+?Fvf1;UO9OnSuo@mF#!z{DZ}P*Mh&Ci%i;(s9YzvIx_U`s2ijRyE!Z{DahlEAS
zoL^3~rzt{>$V1NtLV59B+HkfC>7^3r#fZ8v3CeXNeC%r@$Clh+?@B)loE_6AFkcy>
z32x_}QExwJcTG`EUTXgv-Oq_EaM1Q2_J7A2g_uwqOP+mgy`aOdze|We?Zgf}U@V7#
z>(E#efv`@AiKy!S6V{1Yfr(2w(Z=7j)=p`C`_$(tR{O1}^2aHD#9+=EiVU%zKKndV
zRpKdnJd!h1!M?CIL1p<7A1^3$vO5EB_!*jL=Pw{T8@oKPL)yWgE&bKC@O@b3)kzM)
z7j=W+w5TEnXA0h5V&w479puhac`5!3ONSTqS;v{8MMx+gqx|i*QeQU4y2f%uIKc$5
z>^5zY!DDS&WQwg$WaFb_Xz+sIQm%v&M1VH6LYlo3@STC~m(kl0Q(1Lvd761O!yHQJ
zvv9-9e3I75UA!PE<8O-4=7`r5lj?1p>Mtw-<CC-y@6X=rev4}qV$lbo@*|S!LM)W3
zkn48)PCPxY+Wm)^y`j^%m`ganhLwgYa%8JGM(@v31hYgb5@f!QY`ECwg}at$*5(LP
zL0ope*5|D4JY#s88kF#^k|xaFfvnPpENTb}$z}ampJd4t*e_0V8rLj80~Zt>CNTA>
ztcw=qsK7Rz`k^G0P>Hs8%yQ3W{^d}+0H?&aerd2;+os5mqB$zx)M&0NubE^8a!H{U
zmliMIE_^+`+G8yMd_^lF3Vx4;@w%TNPMKET-rLyIywstYzKPlZ;CWejr$iHYp&pqA
zQ8+I(*|M%I2i#}Bx^L3{OqTOpnR>o!P<T|_c>F-rcA<(RYMFsoAEi+y25(p{-1m`p
z;%(F|k}c(+(8|}@WxJw(ky~f=iqWAkcOfJG<rblQukU_St%_EBPi!lM=LO4lh@IGN
zWG&sx3$}j~c)NT{?X;uIjXfltf_s!`wMR8b(9Iug5&8eIoLbAImt9=dcO3kse&OSx
z3d8kxu<ZrBDegB<>XmI1OAi%2jG~nJU|HjKsp&w?4=0j+EGOaTI9HX<^qrf(PA9v5
zcOgaJ&BiWe<v|$X6<$z+9J9g_H><Zdz9@HZX@F5dCY8eel4;>g%DGYa_cef+6;(Y5
zE3HM2nPS|xt>q=Pb-wPufy;}7D%@Tga~fn0_md2ao?$CAHtPxrowfx{t~J|oAMi@<
zaXG_Wr`*kCOe=G`A-az;4!^JFDx_Z2)tX(G(b{&NK{|dG3zIhR3-yf$WZl==*I%u@
znW0=5bQKbR?j7syjeo-%6@REhC<(t$Gr%#@+0d_S^RSL^sN=ZL2`BWp<2nM${nm`R
zF466g+~g`aJn=>)mNtpr9%B)#X<%Xr2p#@`fY3o7ha4a#gD_gk-oq@_%2EhSQESS1
zK2rLlF!L<_ylF!wXV9UKQn}Y>@XVdznD$sB*~fyB7Ku}x5v8VQowF#2XVMnZKv3(S
zaFr%rC#&Y+aQw*ELfDsk=rUN}Ado1d8zva!xSrlqvJappOeBW|qkFG(rGZ_xXraNl
z73@0Wj=F;jN0VhsKW=dnd4p-ke})~VDY6x?=z2ghZZ~n(am~$gScHzU^hAni<<kT3
zl5oW`^QU|F=>q%{Vz9uk_?nr5$LpKCGJ;+mTG={<jJK;gQ|I`1E0R692bo84Rk)BK
z%Ds7y&(#Z)BZ_<TBW=?&**H9hW69ISnms2ub}eZ}VQGwyP5$nFJ-xH;6AX??-gjYU
zVBHuiCaUn9_Q;OZ<6yQDVxr;q69ya0Jth|t7W5ZA>r0I>!olgC;UcOeg3``+^@oO>
znrUQ_%1tP9#kS$gC(`S5H%6mwQs_e%-JOeMONPf@{%w2GCxtf1r$dj=$vIc#s48YJ
z*Z@Cc7caukm`#PTLJun8C}Pv-R;RKjio0j(r{5H*O#;lpPCmc#HpmHAWp`i}=nlq+
z&KW96^A5dFpQROKIhu)L;RJX;@n%^e4X^teyw$tfFbA4*bqRrb!1zA>9T&C4c7REr
z7_A$o6fjXPwiRcyJ$$0|Cy|vE5K|xr$k1htUUW(hPCBYpV^vTMnAVaA)AiGD1s`#l
z_u1qUKza7m%5nEfDRSNYS|HT86N4=fyNKB<^+=O#+8y{376v1Jz)KY2^ozP&rt+<Z
zFP4pOzZbt1s-VB`Qj)5WVYg+&)ZC?|6XDq7{yFrMY<5iQG^>IbTCFhqwGT(l?rd0C
z%~XIvbbhtY=6y{D3RkuL%G&5GTlMKRx1HCSIUJMDx-W$-+nEIdEI*#r%%+6bEQ)NB
zDrihPDc<jLoMJH_-8sRjJGYrm;)ph-o$f|eHSNUXKK|<Xy%P_LTYl_G{Q_Q}@G_Q3
z%8G`PN<TQ|%7J!EEnpO48>7{BtpeP>1B6P9+?_>(*)>Bvb0K|jcrJy;+#tumPsc@8
ztDq19m8k~jc^SUE8Hc*5{2BGf1PBQG3n7O817TBwiM+n_!+)vA+dLggk6NnL>X<9O
z6j!uuTcggn%Hm4K@I)+{GLyAw*~i<kXnOTiBeejvz*b$xcjuLj+ZTwcI9rVv$_t#0
zk4byi`d(+NCPvRDdJ<Y8A~r=^p?@Reue4z6^FS$zDZ%DSou;Cc$h-tUxqWBv<E-+7
zOlIl(ce}sz{NMvWIvDMCdh|-&5^JyYUhE*)-^AKbvj-Jg!nL^_j3|X}^z*(Bkot&+
z7xc;zUwZzfm9(aM+dM7<&3t+7POA*(eh3TMN8(VmTDNiR)4bJFa<GV2iT(wXGPnay
zn*s}uev`?`+Yu+-Q3M3aq5)H3;hW~DiWrjeDf2jYi;K%38_c<$m=8BB&R`5-1)uk;
ztS?2QsC<1mIcDSAOnqNTwU37^rLqd*v~B1)F3CPx30XQ$Ay$vKi$D6}AWEC%M{z^`
zO^sYE%>5I_C|)S#@`LkOT8iSsb&rgYSbB_sad2TUUYYN!cg|68wk_}2H)Z;{1hreS
zGZQwZxqoK?%stVgk~D?!mD-Z$%l?9Toq8`Vnw{_BLE3ap+M(P+6hb%HA5oAv=31vp
z$kOO3TPsPKCV9xG@@t`=#}KOw{_j<OxvCTK;%l=7^MFBJN45C9*hv3GmMWdD+40il
zi~?j;CDsCNjV14(Xj=>da)uX8QM`_D>p)DEg;+-kYtHI(V8l(XUt_Je#0pTR!19s7
z{Hoj0O)BZ9+syCu?uzG(c)#t<0iIf<wH_rfs3cZU#}pr+3jv1ZPMy)&ve?@rx@T73
zM`s=$r}Amfod>To=^wpia`<UbT}!L=(28oHWisHES)+<-w}7hU{0f(7zw><^_}VlF
z)+sXxrn6Ig2iyt)H0YglyD0$n*bV7;7NUUw=ux0eosu$WLD-~BwEQT&I;<cv+496e
zxtjo_cezqyw^g)Z@_Z;gXP3P0V8M4SPxxZNsBFCsqCyb8)F|*S^1a`TPt~i+Qj(pq
zooThkP$rzT3Q~^^H!^;wsp+!bC2kV7J|Ui~tH;1qb?ieY4?<PRJuPR^<)?}K#+D@3
z0IQc^d#<B>4jHyU865;DP`|{Dqx_~NxnJN$o!Dw#;KHF%mRrVY9Jr)widyqM`V8;w
zw4li@W$kg+GVxA-&L`XqGBJ`w_!_zF0@YK+S18}}7c2PIOKaI}^j9RFijwT8&>Un-
zG=C-`wRgfY5LsWB!LXSjH6EIg-)duoUv*7UER#-{?j;YTzRa!SP`a&nnLqijLyiR&
z|DoVZFMmw+W}>-(wwg44I8wE2d<f9TO%;3}ce?d|o2V2N<g5HN7;kvbMj8177ygG<
z$P76_sO(>Os=OT+WGY3+1!~Y=MEE3WEL#V-nzMnbe>?kHDo%q?JFRp_2=zcM3qz2s
zcT&Nt8jL84m;?qLcmXQz#5M}Fgxl^E9X`9Swu1#P=`5P3MP$p7K~BIKO90>>j+t$P
z#&^1nekqqf?q56)7XtYHyO;;h0PLf@l;&Ke5RtK|*~L2K&<sFULDSq=$>g=rsQ?Y{
zCmSq>`ovxMK>^^m(@G8s1erOz3c{r8$@Cc{x$f_YZNE4(NyyMInWkg%coMCr9A{%k
zP4<n*ltc3?#o-1N;XCE`Wx&%J9eFd?Xn+FFW=31?8&0+-9PP3HX)G=5sPU7TcJ32n
z%qXFqJE>=*EH0NdX6xErtR`sDDpwb)p)SLa>pG4(+ujgWn_8y0)wV4stX$6eV4jGB
zBA}_jiCFm1ll>?i-V)LMJ}P{ui0UIkNy7bi$}ujMH#}y!w{=(bCuS1@ixy-Uk0Fsy
zRZbZK6`pq@3GcAL=G;_)R`2}(#MIOgzQ>kyAD*JXCk3yalV$TdAHvF1bWMKP43Lhg
zNQ#BIS){vYA~PHWk1*c|88orz68Yvv&K1r@O4naFuV3y{*87r4ilVeQxt~2~;y+Us
zc``GD4z6zF+$_IErg=j`)95H6UiNS4z(G~c?;;&-YIY@H?|2|w0=;Kr8zw}C?}>q9
zw)Xd!z1jVKHAu)y;8)4%c)7y3&vK8lnz&a_n5g3&K#%;;i|hS116$wIDG_Bhm|E{h
z+K7y8sT&Gn#X#mf0ZcQ{$+#jKYMFlUZThExU%QX}BKwOpz?Z9G$QCH?TtSYjdM0b0
z@yB>ECbmDzjro}It<TNbl>~WSw2~5LRl$2|4YcUwGqZ8afTR7US&G6sRdsgzhc#(u
zSCRBCMm1Qe>d(`bzk4>5ICynp<{t{?;`p+4breSHWrrg`CYJxdgG_#0)+1MPxYxJX
zi^sPJvbb={RjSi%n_q_xs4GQ1pbuQs#p=o;r_Z7osuK8wH*CchsYZ^$NPx6;(FuW<
zEjCu{blRuC=XY4wW)`}@llRokk@e!jxpq!+QX<wzDK#U~$#oRSwAU`<^@9su{FquB
zNUiM`a=UW9z#p%zQhV{8g`|qm+iq2`QtsQQVGRGp;o<xo`ZHxz<?KilXm++DaQQO=
zauSc>$gK&3s@nC?BEb0k*p+dg>+d~8;pya;&;l4bbabx=^ces;$pzXK+M)V16VqCn
z55o@o-|OF35R+rg5(m;?olPqHwcTie#J&@Ir>P-t6+|o7@4ElUtA9KJpbN*Mwwn@d
zs`W;k>`D@Tub5Mls~CpE3=j1C(d8|SE_R;H1+MXUx_-_0GQSWIR>R-E16#z;{JKwF
ztxM#bib_u)S7QPxFv~M08KrbeW;5RZx^t=w0rRjPUP{!;p%3Pnkc(OIWYj*wj0vZh
zezVrl3DSVFw0w`IWdfUlOF7gFM2{V;FC|tgza6YvTc`P4%#aiq0&LLf<$tij!w-*D
z6I&t7V#S<C1hRnM<>jS}ZeiGE>|*)Nzq7_;Cv44A{MSS~LtkCe`cs*3e=KlrEnZWf
z)ZaK4&;4~69WR6w$=vs$oyLo=4TSkxlR9<ID{t3!C`56(Ml8-Jvdm;=mR2o0s-vhq
zEiPn5U)lBM%qu*RaAkY;GNX03@f?%Do&gIp`py}4v=N2=+eN-lL<@3zlr&%YYBUiT
zbc}23g}DR+-MwUs9fP!Y3}}Pz)fCDY6m@fEMeJY+ld2>W?w|KQ@u-JJihrF8EK^t-
z*_zl9%Pf>UradHHPTpG?=L~1)c$z5JZlJzFru}r&B6luH#jV3Fuptfb+-qp@aw_<w
z$UWeqmkV57Y-yir4PG^hnC`WIbYtc2bz`o~2>%?{${;Dm8TM8g*@r-m&&nC+f)7)3
z`*ip#%O3yByW?+2;$?nRj7*FQm)guG>2=!5W%79T+er1qcR*=BdxPng(Uso;<#Vc@
z+@P(fDUaq1dq4)<YH`Y#VM7;F5Y5a<1<;5YbV(Sc=Kg&lbdVICy6Rp4&N)WWNf0Y-
zw(IG}gRpo00`uSX%M+cc0j={iI6<PPf4Q!~HN(v_k3mif4T_%{^6LTJ-vjn6$#4UN
z(H?OJ;siLTv!KS``}s%9lnB%B6YS&e2Dz2Yyg$#i@GeT#sZ$YC`R;h<Ai7p^;3iTx
z&t5zyOvaR&A*{x3(M0`4+#1kvkuq~wPYu5?k6WXF2@Y(Z&s89_&I^|)3Mo1jl=dlB
zYld#;!!`xRZqUaQKuR>$;M}V11H?_o&m|d|d^EEACB!#~;+2JiinUkBeW@oczZkhz
z><dasvd4tr@1o?IvH&jd-e#)Um&q;iL}7XC(?i?L9IjUYYj(hm^4?!s57&q@jXLYG
zuXH~1Mehby*~`oTOH^irbD7&5KE)XJEYhbfnlAJHq+FhLVV%m<%Ar2rcRGBH^owv&
zRg!4u%b276^HXz@5$zIviuN!DR+l)#WEXjU2}C?wL;nw^_U37JVIORYFk_t5EA&1@
zBo`;$?d7J1a&+Ut!=|%^+40M?Xq;}~>O#JfXOIOgigbq`z2)N`XZNU8Fl?67wRp}V
zr;sCPP>?1(6KVs3`~|wVrK#yYyhQQzom+3wAFnb;)_D?%amVlFLc!Dz9U*-a*^OB>
z78s?1hMdp+V{|!FjI?{e;$J=ZoOoIYz&h6dhINTx6dC-FV^6|)8eIw4CPs3qCgz|~
zGvX*UOhiv@Fc^0(Ki&EOW3GM}JybVcgRt1t+&gREw^GTlCls+_$g7!k$dgqsOJteu
zbIg_8=e6|-J9)5b*q-pFt|E43@6pM?malqSO5Ifdp;+qWkH<Pf7W*t<W?l4^MSSM(
z+*&tRsu2<WOKt0XKYjvkz`Soc;{8^pIjv#1AIL^V22?oiR#wov*J~<hJtv7Sel5ae
z-XYv?<yj6f?bnRF?UZ5%q`W5>K(PfEU(G>!;K@C4BQ$8nUS9L3Px`1AN0n9uw3LeO
zqshpL8|!Ts6NLiGnEh3Xw0bHg{c|rf7-DEpER4DkC1hdWQRVO>7YrMRPb+X45~#2s
z74rW80G__0fbnED*HLRsqWMQPP{Kb<%dHGkoj4>sOMfIey1z!ah@}gdHD@vizk{1k
zC>~YP8azmQDlb*L%ei?czwyal>T8g1KRQ$b_(29QNRy&HL_h#}+HdMuC}uML3~dMY
zH4p7GJMrb-S=1a~5Ov6_xC!5<gsO<mJ*jo$GY}h{m9Q17YB}0)EbnWKnroQ~N$OdL
zr*`d=0=)%<_T(J_5|R`*#6Wsef^0qDTDdp54|1c)`bb86)bnuh)yq}JcKE^kF7*~g
z@}E;uu3}?F_$>UShh$j5X=<2B=9utp-%<<&pZlKhW$(9fa!wxy?^4aoABA)GJ;Rbd
z!A=0diKN;WK>N9u0vFYfHE~l>s3qsTsyzEAqkL>RCCb{thr8d!rYxyS_E`ZPBbeiV
zo(|ydx_JZwW0QvbdRMkJ?NA{lMY(Gj)8W);{K8f8ucWRIO%8lb_dyBetke2Orn=5a
zg-Id>l|BV`2uFh37;o~zdZJc|uiq-E_w@pB$zH^$Au_xmS=?`~6(T8TTak?jH3e@3
zzPV4}<H?qr%088Tb??6BYr-wm%|(5AfWZDVkjRf6%q6RgZ{VgutH_l-uDLfBcyKa{
z%&YVxi{&}-Wys?eQcbBo2xGmREcX3IRguj5&Ccnf0}o3%W-x4Iogc{?*2+1rI>RS_
z2zhP~Z*kczR2*TaYKsYp`z0{RP|>P{Y%pt*cJT~ez3Y@~$^&<{nm@1XjyGER(zC2j
zo6_BhGjSFNVAVFF|A|$j34$DRo?_U<XX$u6o^;z50B}*HM@9FNpfM-c7h2FC5v_c&
zUs@RNDGf+PwcnsT;yx&>)-TTm=vQ4dX^`bS&ka~yafyozf(cR{eOx4gGiBz!WWP<4
z)ydd4m?$~2S#vwoFY$SD@mBQ2_XyZ}e5mUHW=GuS^Q<tS>ld=htH`IRtU3r&<GX;d
zeygC`(oOuF0W5lanHn~}eQ{z2UlmH;zI|mWc@KL_1JSo3cgI=^Ii-Y)T5u_k8gGcE
zLP~j=hw>X}A7NRBVmUifiCxT4TU<9F)tRJvjqiuKJ9b2!t4q9G5_*A>?7T-7Kw13r
zBV@;M)<f=CGVnQBrvYsm*8$JfpYu=kzt2C5`UVq_?zHcExiJF=T*bvQbC!6s11VqC
z(UE0Fq06vZihA!kER-Fr0kbnsE&78g*N!cb)-^)>7Y8WaS;HuWSl>M(kJY-oe*T_J
zA<ExGL5it{axYcQj4>G%`~WF=*ijQ9E5B3WONu|m5W4#@2b_wr%Q|;zqkJg<u_p}P
z4@_dm;LY){Qj7vrt~$@WT3-rJqFkZij@cawSV%TUZT+1IN42r-l%P7r8ha~%G+Skq
zz0-KtPUkBL_^YEH8`#hB?b+4}4)TSI2!kr)JxClLou4pAo;Eb=ew{HcH0AhNA};j9
zy+6IO+rzk{gJHRKDpkv;d+J-GUf)Ka2h_ubRjpZL(Ggo1#1+lFb=m8XR&=<$#BB%t
zxFBf~*f<E}vJt-H=#LH;bKmRiGEH&+Y(v8T+cs3mdFqY@(tofqk^aGrT67@(NeapE
zF!)&cQ*)Zh<3zE>elhv`UMLp(luh|$^pt<k@a#(~;#m+-KY^Y0@+IR3zTTyla|Igt
zcR8794~22zB?A&?s8BnGtU8YpBjCK2h@1Q{^1{b6!G(;@$pE#lG10!NYB3J6FS6N|
zt;^Ps!AVr`41LVkNr3IE8lS(1#Mu5An~I6k*?42ZoQg5=Q{_W2OG_?s<xxSaxzBfD
zaZh#N_MjAi84k-8cNQZ0J+ct}9`At25{$6it<eW%JPI^X^^9Y2C6KK$|0gV+jdh(C
zetUbs#06Xn_;}!_4nPxS7&G3ngO@95a?$=_?bsrLYPc9e3@szxWig}?`aZE%wI^+<
z$1vvasWl5-Dfxv!^Lx&>S=2h6U1uc8t7flr5d+^SH4E{zp^F$cjev|=*X!5%BHmgX
zEM$}57!@245Y--_&sgY!z_G1QG`0N~i#{mJL1BXAVltLNw+#yuO43j%I#HB%bjIp8
z9G>n8-A?7RB5VNUJ4#}r=~z@G`+;35IQE`DbqwhwQ~P!M900E@EqHGP_yEw;>@eD1
z2;pUg!1zqUYZvbX%Cw+FvohbP9=4h{iq-uodhp(Vieh7c+!t!+(>p7vPxo30D9>YH
z@&rhMfhy<Ql*N|`$29PS4w>3C9d!O|6713>$7AZ|w<HzcpZ#t-No)qe#tlfvdYATo
z+zcRn=mrQ>#j>@dtxT}sBFAe}W=Aix{9l;&hu6}c&-quK)w+enw*SNRm>f&KWf9TC
zj%vIf4XjV)DU%6B0%d~Np{5j_AgJvN*2YMfpqRU@&0X+V%X3f4RwvKx(c$O(;7UKG
zwz9y;^ALYB+k>5$%)IOPakOXvRlYYlKe<ceGUOTm_SyJJ4RVo6U`hbmA|Okx4eA=M
z(K{A)!p82#AFT#-9XYRAaC^Eweo+5rY0*^dLVg)~kGR(GH|iq``kyQ|S0+1_<zP<s
z!O^waWvn7#J}G<$J>Nj2INJ&?pl;bIS_&Kx2r1b-?q7sA>9m$bh1fkY)?eqHL0XfJ
zFWcRe5MJ_;`-3HQ%^gA3&%03nhx;tRL|BNamh_gK7V~1euZn`2g43<$G|=9-dFXR#
z0GbZwuc{rC=qmikddWR<&g&{U^ysP&5%sitWSrMxB9fnm9a`?z)%WdF{#c+nx6KMB
zD5EL5JtD*mg@B!3rHBp}V?`KIfq0{0O@7+yME*3c?-hdbm68lpRhSnxe0wSlWNx4T
zmAMZX@3%m7*=DC`LfbYctY2P!$0a3zqVaCDN~TTV;H@t24WfUTOOo#DEyy@N_9-cM
znt|n*8SItbFU^+-SbWZ|sT5#BtjBSD7oK32ZT1YYteVaV-<XN<KARos2?%C19$?SC
zNl`@viGEpuy1=fN!-~cRd&y!d-*i!E+OiTF1z_CdY2&uK;X(us`6c;IL~Gp(5bR`W
z1AcCY;U~Y>a_>LNUjHZ(w`)lN1iT{tKLJntUhkMV>8^Pc|MFbqxZk+ynlQl#16}yy
z21f_R%s&LminnxF;1NoiF=WM3asOb^b~8=OSnH@N2d%b9A=Rt-IE}4LuX6AtmqNa%
z+*or!+ifmk=V%PRSmX)B1&JG$deeb59>~uXiF;eqm$3JKaWCt|Q6aMzR><hgAzWo=
zR4vD)0<ADocuA!H>_V~omDx?viBFKnri?#rw^-9nWx;-9VH)4clS8qcyAzWmHHY|<
z;5{;u28%l6%$}788l^4f1tAZrB|MdI0M(s8XW6^9mb~WmwH*h+4s)Ftgz$GR_!iNJ
z7)bEnFdIm-jJIjlPWgA5&379E{hV-Cbtz*mAR0?zEgf)S%#oKOfsPo2;a5rjrTqg|
z+Sv|<7#3_<k+XwZnA&4;_^p0wu@2FQYP`?r0_~ZyXyC$0pox>usPR4U*kD%u6>N$!
zvnKJj5^tLs^T|XO1-Mb;`{lD4veLS!-cDwYtAMT=F5-TbJ#wtVyeUw$f;CH$FN~W^
zrJ)3XllBwY#SWhvcu7Y36<l7vab*6DOW!BP-~yv9P$UBG;Bg@+1V8nY$MSdJC6f4Q
z2w+;$@wIGAH|=3y#!Yg{Bm{)y&_5<i0_FZ1@Wb~X3Er0pCyX#u>LW@Gm6rP`4EG45
z$~hn(aDR|SDNvLCwut^Yq<g8FRx8t};8j@CxbZD|$Q$IFjvvCHS~$OhXpXuo&2%5T
zTKz2{5Tx$D7kNI`VxG6R*66aA?9$CZjwdDuvL6&hjTR36?jcp^jYAuG6Sg*>zc#1+
zdk_C->Gt3D@DGmlU$Ww=Y>{*#7v&R27tC85SJ@}b@qoob^{(IH$X&fD=fy{EMJ9>&
z3BT=+P5rc$$>OIEeLx?+s2kCh6@dS@-hix1uc?Fwa-*2c0W3ofB!Dw%hRLk_xmxI~
zhm-8U9Dm&e=Ig4;>4ijt)ba;&8>Jq8SrdJJ9;F{+eI_RB)BF>1q+6WAy6>5?ona&C
zho$&062%aI)7+y3)e!OD77aD{&R^Iq(9y|>EH|wt?t&o^H^A5E#f!~mfN?)*Auy))
zVFGSYT?^>)mwM1h;i*I;?IW2z=TCUsvi4cBX7L8-2`k>+y}4av8_?!QKx{-Mvp^2;
zxt(v3+2DFW4HwDI(awlvdA;V5YSWL6tt78Q>{O`XXk-EK!bb>RsNxb7<L@u9a1I=8
z&!(0QFh)^lbs080KxKH*S8e6}JL;76r!ZI0FwGLdUq_kRvB$aAo&oWTyDj<ik5;E8
zmKZy{v-o?~OCre7&|H}kX_yXMTIiP2ZDRUP6eum_-_By~6b*l;J!n#n#q<AuOD1U_
z&VU=aQq5XE&n}<`@M!h}dHX5O_us_9wXLr^*nd(Alqq!wBME_LQljXy8Sa25GBH$g
zx`o4^+1NlY3J!nU;ZAV(odl%rt7CM3iArC)CwdRbq0zPPf0GFb5b#Pp@?!NQK=<TQ
z`qoH`Qw9Fejwej8-gDiHZ!gup-9<D50Y;MM&I3pMrSMP&p%4aQk{wfRU!b|Kd1Ro!
zm-T5;T~xuHgQrR;(J?I)28A$QfsK3|ESmgp<ObF-Zh;M7bjOhjeCoy0@^Tu<m3Caw
z2I~JGXB5b*L?m&A)lucPpp)*0(9!VSa{i&15E>*sxSSKKTsPX^JS&i@7gQ%jM-F_V
z<_E|VE4oPF*fv?B1ph@AHD#4dn4qwsjOpF8NYKQ}Q89u!GFdye641S%d)2W~9g%l^
zz7p>=Jvasi)WZ~aiEp#GG;Q}2``ux@$&D6v#Gd^`l@^oe(LF02pGtgBC&x>kXe?{q
zqyd)Bfi%9Z1nacli8Ua4jv1xKv73$-V}<)Ru`1=~Zo#JTN%DEpZz-`XcMoE1o~0IO
z6)TT{2tWNxw!jw$Rh>mHJdgN*{g?PT2vpy52$15zQ*-cDL@Vj31pPlpo&dmT@cY{b
zQvUcXWk!*MwBLJB%n{jV8`~*$osAL5q*^e>2wWI9mR*knvP5j3GE+i8m(uVvN29$Y
zLr1K>FNS{X2(`$$#1G7O{V+wabel35SM&?9!-WIpKq|CFTe6%PQ6RnkSB1=<^J%RD
zI@Ip4Z$bFhp%Ct&H&rR51KbKheU%Tk#IP~Xcm%xI3^vv-VD0(s^x5KdR>MMh?hjaf
z4DQhl6^FtE3tz4KaP6hKbi0Vqoei*l7pBF6uTdSO;S?d3Yt8lI1s5GGT<U7gZR6;=
zE9F?5LswZt?lY8Rx-2Q@9l*rGvJ&msJmc<JZ>I+gO|yP5yW<%LGT%=3@0w=a<Ij2~
z{otnn45b9f$z_-FJpx|dD}^;)=et%kQ(s?n7uT3?sa(JZgrh(P)vurZuJ!-RuKI5;
z=_XVo64_{HGB%QYGcN=2Ym9n-QtGtkD-3=2=*{PCLIo>SMuJHHvaPcak_nsb0c>Rx
zYfiS2u@EWy#{`OxNuZTv(bC8ae+5~zjK@V7C<FkR-!d=@i0a|mqa@rDrXYc@VQeJ5
zM}l%AW#*c;Iz{<M*^=FY!Gh3trUCw#AZjmaIUq0#D6RuE!z$utR!oOJdsd_b#BAzw
zC)!j^(UEd5+0c=v5=+eLt@i7!w_Pi*&1=h4+VtCFY#wTr+gLfVEXe$UOB}Sp9uoeu
z?vAzz5WUJMChYTJF;(-&KyhHm<6p&rJ=9`>O_+`Yct(_2eFbxD3P6f@$G?#x7Xm3-
z{4b;kFfkv5|L0@0ry~anw4p<E3Q#Nz88YVfTbvyC2aj!Ff>R;u?qavESAU3}i-g39
z(!Nn`IJM)}VtmEeqy#8ro1XHPw4M?7W;`!YGxuSSyfyb&C`UXmkfZluG*;szI}{^8
z!D=?8A`Pk^E^~R;`Do@4-6N-Ww$Rz<_!sWc>eofe!eTf=jB%m)7Yp{0E>RXa(@Hft
z8B`!TpYcfD=;i&HG^pz7#~}_sfB+b9^RX15%<$=u-9<>axWG=H!i@M8{LfAnbOBtC
zAEOcLcYr@s4yZ8y7C>pv1~?WPXt3dH6#L(!3U7C^`}GSxI#`fY{hX*;49P&hkY>np
zt247JpiEnPk)Ue3S41)g)4-N!W$@HQ4sd-l((G+-2LPRc4Fu4kO|75F8T#X4n}|@c
zxBrksh!`)G_%G3<g;vBa76&}Bme}M%AUkMW6XfOgea!Xxw$-uM4jAX;N>8^X;-2!*
zn<%c(>bNw?-|(XQ^@Z7j74UBx_#Zl)juOn?z5E9YRVQl!I?~4g#7pw1DMu0iM?Agz
zAEEZv^!j>@guTZJCGCEa^AS&!S-~t~XHrN?Um-<H$2^l4-%G~HfR~{}gE8`Rsl*Bb
znM>p6(bJ@W&iERu5!wfHap4kuH~=f1ZFwyO@Ny&~3#0%a`8y^b?1t{_l?p(&(_>ix
z^j_<kh!87??T_^2$_Mff$3dK^3xIltTCr9e`qzPGY(nzN7$30%iLzx=C}BDjaiQB7
zaHfwWwsHX`wrWgO411|h_4CN{5zF%|m0|+}<DFc~CNcET`syifryuo~Ax1$&5uImJ
zeHM)-S4QyEH*n~?IZa0hjQgIZ%ObO9zxdirRJUK>F(8H^e4XYx27++up~Z^|bG=y}
zL?r<ZOdb4VzeBvnzm^BVwswIt<XpjS*f2rjo1h-(FL3H2PXcYIr(&>r`*)+I_OL%T
zLdd0vqZInuM>}Bg?9)&O;I|`X=@LXci^RP&jKBiB1ibb!za8zfKky&|3k3@WXV*t6
zSqH8{0SAVB<gTT5BP_=>hdYE~B^^R%nt`f&7&H@7bm_(jCiP`up>^bpwg8gl2R#q^
zUk~rMQS|4;RQy%ra}jF%7GQ8Orat96%t(5!WL{8o%EmM%-9g9$S)MUB@XSF)DrXjp
zA?jTbBtRZ1Ci*KN>9dYurr!zB1yH(gIB`D;4i1>`X_!oG3q*#CaGLl`nU0k}83ZM0
zReGUwyR$&d<VwAwD7sQ}7wuM7<5iG_tAJ*oQ*TRWH3w>~1Qyz^mRwvZ)`w`BtPK4f
zhI<<zrQWJm^InYVq`5zxtBN@I@|jog<a0i!Ymfn0Ulq{@3I|};|G7R>dn!b-QJKvo
zAbn&iR0&Jtt|deK9|8W_GK?24$p8Z3ki!51_wSTO=`NQ|jrSB#cK}=^EkF)H4~sp#
zc;Kk8S;UTTo++c@s_P+va~}(kU)>U(o+O=5AdJ0Izc~P6AD==LV}pI38YtGWVuk_Y
zY?aKp5E_l|oo9O7XG-LzkJjGGlfHPKfK8(zm-NCh*f?1I&^>a%FiPU`@CFP#y9}c)
z2sHabD4PVY`ymP<QqLnIHTJFy!n%pZ1Bg70QJD?-_|yxHE%-^SndOB6L*=j8pIEtK
zbgu}CJREVU1CTJUqra6X!!Qj-(X9<vq`!L~1>W1rUEJiqn8(A=^=R)QdRN{Fpj`Dv
zP<=&k9eLqHP}3bGIy@>QfQ`a3O0@{Z-m2E(skKoWCc@OQQAT%VFMpL6uc}Ad4x(e)
zw!Pi?@+3qml^g<;``?q=AqO-{-9c<BUPKsf6IGWI^;W-IYpc)pvGFKo^{At9K+esl
z01GL3%K0kind>*xiQ=~GAORvPpXvY!xEDh?ySCtg|G*EFbl^Rt9b1Wz08rS8trqYi
z4HSSFeRs?eUF_-#P=jwdN=#>3@1M!bw?G)!doA9YSQfdu${>KdYaV$r0I_94fDmW%
zPVK=L`@JL^FCGCLA1f@q`;`7&GNT_W)nVM`-30SezggMS|BJGqM2}L_tG2m;QDH8x
z8`pyZ1%7P)wm6ea%qw;|EO#DfoMq!-+zD6#`d}^+4D*&NvEZG7-W77F(1yn%8O|+E
zVxQOTH1|>;<}H)UBc3n9n#NR<?!yp(Z==>80^gNmt+kNC=dJu+5gN$uP4=uCq9D`7
z^S=u+miJ_lcD}_M6zg5F75E{LNK7wE#j@ro$+XQLC0U84j^-cZnTB||sTkfc;y5Cg
zyQBQO^%Du|E~Y7peCtBGeWseja9*HM1CRoM{Or~KQ5fW@#KdV@4$3r*QPdXQOJbM!
zrjPs^NdE@?T_pdv=Ub#*Nc%a-vi=hnrKVyyFXzsbGn>sl2gWmOY@-s2l0OWsIHi+|
z1Vae%)z&sFXsq9w)b^l5fqjlLeu6UvoH0TWP!kH}n7)THE_G)y7P0-t4?t7-|NW(^
z4nVWOG#|BE@shEN<1P57Pw_es<EOyL3B(Yl>4PSf63yagz=)CDj~@vjb}Y!CP~bgL
z`S<<Tr=|8%&0EYVe&v5n84HL6N;Y?|yMsI2sD#@qaqfW4gCwm3OaDCah*E0`zy0VJ
zx8$AB+)9+DHDpA5IB(Hol6boaAa4_+y;O-oo=P$}0MaggzFj<WP6+L|jdV=gxfSdv
zpEwhOEJQBVf%L<SIb(oLQ{Ba-AnrfJSc$(tvPVYqm9Z8jTEUFL+dy+!1HfyzdJj-*
zP*G7``;<KpovC=?`sdRPF3jadU*FSE^2aq_Twux@{+yai1O{(po-BN&(JIqbhqReZ
zCujOSW}xxyu2jx{7GERqq{uQHx!7)E-W)NNgTuHg=@*47ro(JwPi1=28(2X3#<e#s
ze)aL8!(816C$uc*R5DG@N%_q{WmMA4Wlmpl-=_80kR&7rtaC~d?u>&XhEQUTT?KG4
zTb;lkB=Q!o#~U2p$Xg4>ZRY{4UohSG{jPNWTSC-gLA3<%_p*<ScK$Tq=)XBUOUk{G
z(=i0|Pn4-EdJk8N?abDO3%t}-<y7*Fy5>LLX+ahjIAFD#&Wd?*W%Px`V`M4lXnZVp
zBhkdqy(qBE2Qa-KbI=MO9RPl$?AU9by;Lwxlh_@o@kSmL3to`<gcJ8RnsL^tGZ7-`
zU795eWJ5dw;zb>a-f<?68olpAHwM~cB^)@r07dVca=KXTu>e0VpZ~5|Tg4F$PnLfr
z6+dqGG&3!o+dtyX?ZZ&V1!hWOH#@O7x9b<0cZ6AvpR#?$i_aaGIBpjzQO_;VAe^nT
z#58i-d6058aU-_`OcaKMg3(1z%m-GQA8mPOKf<V63*XdXYL@l3iSan^+>p#5V<lOp
z!tg}&(EZ$eNdpjgINjB!$;+`tocki5e`u$+J@lKC)3B<@<y>>9TU}-}!hngWkeVdx
zV}f~Q+0&2zSi$v$56{zRNQZ;OcP@48hcpVCp5)3!f3j*Q=#so)n^>ssu1&+#O%wH5
z3FKSOJr&=|=8{A((LUVCx88Tbf#&g@DKNpvGSqr<I9eB5B!8<Dg&wA3^=$<s&3hax
z+P~k|+4JEr4=W;UF`-Tw&LPpbM0(aN2MpQl4`}VexOJY&i{f}jkSrRWR#0RjsHGSS
zbCxeKL}ck{l@D+;36|Gd19uJh%1fkLQRk=Ij|Z9+hQdZZUXDY&Hiv7^_lILs@Z1+K
zu#en1p$DL*{WZoC4Qoz{S95f;9*gh2u7NQl1*eip1%>C(Qb=Ql%BE`y_!=1gHDZ24
z_Dr;HH%r2|B5OHXRDI}Xh%|GoDR6gu%=ktRwPtMbl5`;Bu-3RKD~p2Pwvjg7^D*;M
z_ZOeW(`)F)NLTPr+rpdK8i}}HQ|&E2hOg8GFRo5&RVF^5qZlG~x|<uHDrSol7!NmN
zVvQUQgev@Q++EGDQMav11K{h!C)p6?3sS9NiF&6+6<pk=%;vKLmn&?J`bDq$>op>h
z#*^&{t+|JgL+W9?;e$Cnxk#FdDNgy-5L#oz0EN)Sf^S_X)S?@3%)y$S>SGW*(E}lW
ztWpO^-~^h``ad_u0&A#bMW4f_(6i!50~g~6H_V%FUEoiI!m8z@PMU@61Ba!z5v$XQ
zW21!T-<9MaZKJzKj{iyc7m3&!*<Q$d<Y;^(N{#y80bD-#IcQeD_9PE67|_>BdaLED
zQ|0*$Fs`R~qSfK3ksf#939sahuBza$vApma?a<~XFiXq-Jr1Q=-Lj5R^T|)i<B&S4
ztK*M--YJ%lri({f#n0olA=i<QnpX^YGYR1-ebDVGP0}s*osr}^hs!qYM;W@PHSAHA
zF=fZos#{ym<*E|EO?L&xq^F-q=0<U`$)(Y4@!b+RP2{dB+@nP-?B5a6y^sb%^#srq
zM*)HfN){k_YNuN7VS*>*=p-98c0_)AZ!XXM78;t0*58nBQe)Hbe6YG&RH`1kN`VK_
z_#N3^rP1Q72FqOGJdx@%n>*wb`>N!&P<Q~2k4C3$PL#OXUbOs4#{j)O51c3PCRFG(
zS$+fBnKG~UbzR`U+ZAq&Abx}D45BC&yW!Q<Xyvg8-NS}}E3yr3j|~0iNaS6K+%|zk
z@xU&_9O`*p7`MpF<qf^xDC4u*GpV^^bL%f_C6un2yI(G~FMyex4%f8jQ@J)U>cHd1
zP+<07C};H4nE02|JY&+MkuhLWqbxA7(Zb$iC=0!4$J8&MT3;reckowHA~Eqqw)0SP
zPNA^bPB>v^eeI^_L9y%3gy7~I!9{m!-<vCsy4U;ds#1N&dQ|=QO{2D5)-v5gt~7yZ
zF@*4DMRvFw!BPUJNx-9DZmiUAEWEGy)7ZByk@nhkI>*ZNGDGKoh^ZpB|9}RC(L5To
zVwgqiPDXrAbp$W09*gmrrN2r3hO3+0pN>7Zbe;gr_Yz`Z`gKB5ej$ftj)e)fr=#Ic
zYNn>x`VFs9jTW5hhwGFcD8A41PgrbzJr;?4L;_@)$PBPmO+Noepa=+XQi<0atGs8&
zkD0G5VS-mwUT^Mzn}!wq$j_7|gN=cr7vOj|ewnL;2C6#k;CcC&b{~kHA{3k{`;j;_
z%WV>2F|F1_MQhEfdr98?xn%faashTez9qlQ$qdi#+EDV_Daq4}7@wXi?{ub<9UsT3
z6pl>j7()_GT;?rnEH=%=edqZFM|zmkpTQ~m#)ia-v8<XNHO6_limDD-|6s$^#kCzv
zKwJDOsy~$F?U)N`zWz2jNHKA;?}t@rJGNLGAI>a|QUhr|63{Bujs#!s==}8Ebo6cq
zV{vmqOAh-h(qDG)+l}WHc108-hNScfssNc>l5ZnpE>gp1?LWoFRi4)B*KxB{AgF*)
zoG22sSN-S4hri03kP%O>&sy=_n$v~LVF>j4vF{^MsM1`QoS1^&xgziECsXlskJdlK
zcM(H%M=cW#iv_=~H;ZnBb6STQ!Ni7ccRlZg&pax$8880}=uDa4x4ARW#3bao5fZ#0
zMZ#qHcGsKqs?#gp?s`7-0m9o|52B0gK-nY1+>XJ%C&3UXP)HrvmG+H#<^_zK$Hsh9
z_xG;v26p|{`u1M-P1f3FecqpuNCQ7l=MV9yy}Ex?;Co$z?MS~=?YepSKJm04a0$~l
zD1QFH%ltsIX#kke@oY%qCQmp+<C~(?T)}a+>krh#4fS`Q%XR#yh!b;{59~$G-O?wQ
zW6){yk#U4{hx8jQVzk$J?Y<Y?y*dub4cS>`2$|M_gxtg-Y71JnRgZ<x!B6}XzA?ds
zgYqn2@SF|YDI?NGg|aeoy!)rwEu@E$@6DTUshUk*^c?y%{uN)dA!^Sow*As+zOZZP
z^}Qk-J|IiK0i&gR3<hadn#taq%^V}^*1!a)lVI(1&jMgX5r41n3klAYoWAXV44pAg
zTA^ui`Z&|GAaE;>T?z-#G~$0~;yj_j&bO69AaCp>c~b_@2++jY1xn_>fXOXNq3!7Y
z9k_$t7BFnSrnw6kfoHTtXm<U$BIP9NM7`Lp$-d132=^!Wm#rn&<(xC~@POb#_B!t8
zL%9^*Qv;Ek#_$cei}&Umaqo2Ht;zC-W53etC58_Rnod={e8xZVtWIJ9&G!uJj&pTJ
zoE3%*RbbxHqRW~7=*?{TU%3F5rqEksmWNSaomF3)YfTwGlYC@gmf-vrwTV4${<E`q
z`dl^N=&&?;Z9(w+h~cd&r)`EP_-#Q4I>Wvte#Q|V8YT?Wlhs!A1wr$5i;_T4wkrKe
z=06t7x^2TAzV%w2#e85C%P24cOI~oX?owLKp4Q_#7?*nD7n!f>%xYO|xongz5Xzli
z{t)M-1tv7-zI_X-zE0pUuz_WzZeG$}Td&c_KyULWXY61`;J-Cap`W>R%ElZ1?x?yA
zCWB%OIy8u2a=`vX)tMd<Oh}`gqcLfgt)zaP!89IaI3J_YEI&5>^%<rP{5UQ6jcpq9
zRHWw0^ju2Rb=%ga2GhUtsc#8J<vg$G{x+%}9hHBu+Na^XZ}+8WNVx6<4AL+C%nw`>
zk?Nd4*la3%GQ+%4&I-|ctr&~!NGY=uEfV!75wdWc@g5(%6RdeE!*6pLMeQmLsYv<Y
z9;mmz604F=!EZPG7WL3I;FF%ej4=W=rX(_Y31Nf9Thxm%#2(5N1U`gKArS>twLl(Q
zczw?K<D2qQO7WKk3*L+LWsr<Z4)ve3Kg-mv$TD!+RfXO(PnJ^j9sowx$$GJDj!&sD
zK`zbWG7PYWg29X2R;L$5&-L)(1t05L<ZkC+1Qg46e8A{lAPwe29v}c(Ft%*oW(^dx
z!ng}x$xD!(MNloJVcnr|0lBOM`ge8H4{qN112`W4M5&QGq8zETzc5h&ZU!f)F4is=
zx808AL`>MV4Q8ThIts(ws9yxvPAI1MyLZa(+TNd>`4UOYrkQnde3EY-Eu8Ula$a#L
z6`1o$0dFx9pgn63;S$|n-RIlSced<>G+fC2bUj!+_G#9;SdLcQxVh$yT>zhAcVT?7
z6p@l!phJ8z!FE(vA~+ff+v-G%OYhwyZd&-oowx%tg!2<Q1@h;cp`}UDOjs<k@SVV@
zEKhn0<&zmmNk~SKfZ;z3H?zimy78xTR~0{%5!rcC`o1KBXZNX+%r~Jye@z#ufxucX
zM&{A?wxS~MJ%H(;lFa+6A<XXc4RWDWh&Z~c8)Uo$P#HHq74~H+O0mw+W_V?5p^wt?
z2EJHlz!x}oYcB9(Tm5$!6;ep|cVGF$Tx8lNX9@pOa6?@4JlxA%{H!*9C^EfBR=d2|
z8kbt&oy5f%vOTf*73>4P>z;JE?OdIMt9HFcZ=8qNx#pLXpQ%Uihmg%DeF;}jt<z`H
zA8pR-3~iOpGa3Q|Fw2e34~T7gDaVc*dmvDmp=e6`hoq`y>W;L&J}gZDR&HnG`#X8{
z@r$}x*-xF$OLwU^f!R|NhhH+iMI7e8bg)$U8Y6~nj&AZ@#ive!ntOyjyQSs@?IlLf
zLxJg<cHpXwU;JloU2^#Zdu0TvmcB?(OKx>mba+X7!B@_|KFQ0pyZStvs~$yJS^gxP
z#!rEnlCsHGr&wP8vot3<z}!O7^qE?X<k#G7c*7MY(5OM^-pk4)9I;Qt;_#NI;y0N$
zDUWlz#Pkbrcn%OTxgKsdv}mxm6|J6P@4v`bz3wD>cHG4>z~6FfeK$fVGe_%G{8dj7
zSX$J6Smf?4(?J>&dU+?>Ig4gK3C1h((q)F%v;V>DNF*u^fb*g<v~HPtboe-Mc^MT?
zZ(ky(s=1sbMBZstjO0_*hl$M>KUgu<Ja%Sf3p3w5Pi7-M*;ZaZ`YZ*E?c0v3F$ymm
zJNd-0ks*!y^G)EdhDZdZHxP}YxExQ~_gW|#VX*mG<MDEJNdXUOM}gTr=Xz=(N09me
zCeC+w7(L)9Cwa{dK#8R0n;(9zhvidA=PIFg6D1?b)~<!_`gvJ$k*B#~`f&ylx*xpP
zjRfsSoS<%YYsuDz{u%LV7%2XC@a}*BsSJ?(?x6VlGk^})IA8UvDi++<&}VqBx5o%=
zAx$R*CVp2z7l!WOWE@&*iT5c2^O*vUhN|l)Vx>wANk5pgRxb!mJdONb{T=K-9keTa
z65EWI4f^*#fN*fMTssRAO-rU|fbJq8&0Lz<pH4&dN2DnJJj3k+(QRV9xFL(6w?wUZ
zLQ5mdVL+9YyEhp(wXta}_x1khpJCfg@Q;07qnyy|m!;n8JEzaTy322Y#vWOxm;DPF
zGdJ=@8GF5{*PXQSggY~jDhuKatD=8@lM7+t5AmOzU6*la44wV#GhU__%M{^fq`K&K
zT7GmaX!6r`%P*cyE9cu!{-d(Rsq$J`NbS9MdSZPiR$edKl32}(a8dr_>pjD7L30-*
z`HZA5!u+iuqKOL{pJyLEX!+%h^LL99Eqm3a`VWQ+^*X?YWdQ#2#+ZXrrRqM_r2;;F
z8uIPu|7R^cP(Jy6kHkKS{^i2Bs0c)ga!<1xJ6U8~#3KFuUjcax{#WK)@8gJu7r<L|
zB44hYML@K^a3pMMfp)^kzax;{7QFq~#4pYm>MmkU-XxZ2mp|+1DBaAFSWmKaY8HrO
z(=K}og&*)5y?&z#P`1vsh}<vklBcdql%dA*z@B5k6<0y85mVb;yP$;Rp<=FYZa%y;
zmiLpa#f*=OvoTL!6H>a&jmkx;#~$r7_P!$aa{R7Q=jEi7@r=Fd>gsfH^KJN-+1^*6
ze?9r1m)(1O2j8Y?xW_>+GaQmtJv2*=>JFQ)9~NBnv84Dkv~X;*t-<+ooz{;hkcLKN
zn%zb5?5@q}9E4R|U`c^Zr-F*Zq&eckXnwBz;mZH<0fFy?aVf9#wg>^PqGpYc{*Sft
z_vZxx^2A_M;u;%sR@3&!hno?PzM^I=4qm7HYTR0T?j-)ab4$z}IJD7NluERI2l(-v
zCK<n)w~$1(hue-5s5%mIXDGTNrxxX?qZX-S+<`-C1KfV#r9M?Xl)XS|R8bfx=URKu
zCX-e$Vd3Ug$wITfH2=@>O5UrT&xA!P>0i7SfbO>9t~Z5Sw%5Dyp-v+--kOEByH~L^
zwEX@3^-R;GBt6<iY5{eCoX{pOA(aU};f|kjeC<B6w=}>=dvm#H_+|Cvda~f@f4{pJ
z{)gHCSrmHJBxGW3fRZyc!Rwkc=Mmb}+|6t8*_QwxqY(c|K3lEr(3BZ|kya|sc#-Oq
z`5(iT?QlIZPEL6@VS#gMvJRO&!Jn-K9x@>P*D{_FB5l)h6X)D25O&@plK*+&?|=p|
zfXRg-r^YFzasCOiIT{O|ka5w>asDYIImLuWllHZuRpRr`mrY*dRD;va=IC0(7t1Un
zKCdh$f%&I|@^So82+{R$sIg4evAoRMnH=+#US2Qysq+=K?*R9aQsPY+NI#Ly>jbBK
z2)HIBVU6=lTGDCkLhZ{<bGFx)sSa_QfmySuwLcVYh~3(IMzZbyYwx?ln%de1X#&cj
zsesZ20g)!s1O!4C5J7qeMY@1=fzU(+rT1QxUL##<u+e*qln|AkP$UpAfxzr|j_rK^
z%=~jTb1_`->}O~1cdhmIw%1Z`Y=V7&JK=FY_G}k_3e`WXNkkG1Od8l83fSY~6*}11
zLOthr{zK&e?QQg|e)NKZHTc#(O~?2(%puTvnVVAoHlH>QhXFo-Ao>$M6KX^U>J3=!
z=YCiBKWJ>9^d<T^072=7ft5joEN{~x<A`&@!&E`jdw0EoWUS*zPB_M~T8)?L?utmd
zdK2}k4q(K^Y6o=~N9EC<Yz-ju9mRAhRHi)vgv~J%f(QE8Pl^x=QCVtfN{;&-=V$?`
z-$+TfIh(!R5x@%=QLI`k$xEGmNu0s(m`uI49f-6fIhy;BlTgCWy)WDyLU`&s`TtEg
zP$vuV_Yc_HJ%$Q**XsgwAymROCmpaadVxJvi$!(h*k20-J5D@gdH&IHwo$<mNaKoc
zKB?K=ic>gCND}`Wt(U@y_Tua~71dM#>@um}V{bV@^3(Wy*K3^=K(<yr@6HW=;;Otl
z#eVE0yAtJ_H6kLZIt>*?gDP`2r4KGf<6k~dkxDGAHVK)ttE4nI)+2)UtJs4ib>9gB
zaf87#t3XU1u0mQphFuZJgPwUU<u<DsIJpeC=#F8GgTCX-+F`RVx&Cvx&qKePJtKpq
zLg3_?B%14=Y|Mb8IPrV45KkFZkw2$OpkF+}Or5?aP8CD6_u<70W#vB^fKGs*WrA-J
zHXzV_)L&sNQm7TM&l8&{>%99w`>$59H&buL|9pjr%s>@H*rUqK(1G%h<X`9^qFg6%
z)BxGPUji^q`6v`<m`9lW(=bo;AK3q@@;6|e^xOY7{6us&<Os!<T%~LO`CiY-@2lwg
zr-9~&{UQE2hfW~HPT1!_?vC1p|3E4y2Eb8zz^Tvw`5q@9K{Mda180eGC|v?Ri2UJ)
z{Crf03^)-7XoYxu{>gv*7&bw$e@Onvr2qL-HYX=gKyx6p0TOm*A^J7fe}?$3A%Vv5
zGxldm{^LizIDk#dO6X|*ey{Vm$q%uuXW+-t9r8f2OihvVwryX($;+<XyD#s;-YcEa
zrDIq>p_qJGn_dN^5^e%gRng5%EPckqrDn@+&R)Q~Et;ABzVs}ElV;#vcE6xlU7fzK
zgTv5z@FvIRuG|XVa&JEGpw){WL_|zR2O<hnA^TF!5l*f}>KadX@Z;|HpNPr8C%#;^
zamvTo+4GT5a)uK9_!sX_jO-pz?;!yA=h6QU>i-p7ar%Za3Yql*yH4BfENj<Tw@!(C
ztasAae&q&lspV&uynksht0`Wj!-QeYY?0-ez}Op)WtO#Pt`tcS>H?)GkL9`2>RXvh
zM{E!?jDO*1qSwXh8x-9cTYIxo^eNk!4K7?UVPI|#Rher;U~ajZjZgLHn2OM%uqj5~
zC`!&xbT?4=LD9&|md|z$n0yNTMG~*=2>JLP9tar<e`~w8QxyEy-Yr}t;o_!D`=^yC
zF~lc_9eJ**eFvoa*7c9iiAbgy02tz}cb{;_?Hq9VIK6P!GygJBGa<UORb$ZncIV4L
zQb65^RGE;+@(s%j1Lr5hXMnvtjcJ>Bs`g>8k=^;GV<47`?}N$yVsM0QqCAcEy%xXb
zv0i`%?(t{%t|WIRlt22MUJ#c?Q{tCk={Kz{<0~!wm35yu;&|~!vwf%TzI`{&1p*a>
zA+F5TxTd+UU*?WLaBj>5DFYdi!u>MdVW#7+Z8vkT&U*+7Bzm37+j48&5DurHNrU^s
z<=k66#(A;b2O()53+nyddEm3pb|1;7_0@D|=Vv*vh&ys3%>+_Kl02khQvDD?-8*KB
zs9rs9+f1xkI8b@w=*fT&rQ$u~xYei=rH&5yT#VmvV;SQg&%_%IAt_eFjI9L}J|2T^
zKZ(Z8wE5S8aci2*n6xuXlQ642Rt4$6+OzO<qmIEWi8Mu0^`4^xHqICpsi}q8<iNb6
zukVg~Vx%njjt@Tt4T~m0__Ri2oR&}$`5sbpf`MC@pmvw9Bf;n<zaz5;=_j#WhMi*|
zb2<?gx=2ILzJn~x`-z0q$Jn^r=%QG01)Y7$@c|e!l}{lL{jseXR!^ZTuL#C4-j{|O
z6^QxPRFndN-7Mv3H~9FJh{TjW5*_S3_$**D@yd#*X6!`K^5QbPMy9lx?Te%Oi+v$C
z1$2;u=(;-V3stOT0vr6v&}^evD{e>wZnVF%BZl0pmAs$woNzv~-7STNsKdiW{UX;{
zU+k!S>!MSJxW7d(y!}--d*E`WYhdpi3bs`DS97&?QQ0$}ukF7GL&*)x7`LosZXR|R
z*mj4y2={ZmWZvzvP`HiY5rK|2e%%TQ;bgM*&2<Gn&Ph#lKj4l_AvUI_pIk*^iZYjl
zp=dDnQ+P<ghVVy8-+_y8Z{t_oO^WUIyf>M-weqaLeAMosiG3-+yV$xAE2|MFHk`m6
zcg;-dhIu$!5dMlkHYKgnu$vnzbB)A!Y^Yf~tI-oyf3OpiVnx~!*tLOP{c<AKa&i6B
zrItkB4j^Tnu;vHst_%stV;8T7w&C~k*t|HcDbz<(>US{AA3eHrFX3@C16#}i8=;S^
zA70_HW_H{WtqBeFASr5tmTBm!Gcy&fglhJt$&4k9^~CTlYO$F%r>V^VBr*~<_gSh3
zq_1)l+-|RqUoCnoNk(_YGCz4M&H2_ug*}fsfjIVdrE0cHu@iaQ?ZRV2NdaQHg5yI8
zEwwV9yP2v&Q*l-_d#>UmGZH3hoi<@Xdq*A798#(i?)ojzLuN<5XsF@dbfEP<f6MvW
zWbzqed_>RaM%)>nrdDf(y&G?QCZ9qNF+x~8)$r0jT-vp`W1(v1%Ki(}+SLUA+MOX+
zyVXw#wWw;uL^s?MrH$SdgAV5DyHFJ^&ekr`Tt#*GxA2=SZFjB*F4gd{r?j-Fc~0}-
z7abJjG{uC6;c|O(@^DfOL(-ubTRzl+QKiKNTTegwqx}&1_%pG`&Dn^9)9}KIqrVPK
z9sE2kqQGpdxd7<`edBft&0)E@3p+0PJk~l_hXKTaVQl+REoX{wX1K$;s|)k8_ki5t
z*ysA8G1R&|4pHM=xi!DwZQAPV8qB_!U2>_#MyX>jd&07SNibUg2&2lp*Cs4uznKQ+
zY%y6^CW;06dJnt{W=BM@iDMbgpa*H~QA&08gZK9ERBY7aR@C*yi&~^rvWipmSCsRU
z_oXB}kvGK9RLrXUSUq*}vdlWfV{jR_z<$7$3)aYP<Pgk?PgkKUtKsBvFkI|qu*DMZ
z9X4XJtDL%h2W6Rzm~zw4sfpY^Wv1uLN7LiEF%Dn|)fsf*yr6>48PCG%%2-x-UFjrl
zbmNm%N!XOoTN#q4r&y1YxIL*$3cMFk&||!a=^^S#i-sOG3=-zMEJv$>nv(4Y+Fq85
zj{Oy97B{U*jusWm{PGQ(wv9r7Z@-7-lX6$QX(seSf)`@T_K^#zf<bD$x0tgO)Fnto
z9)9zHpF?kVb7<sI1upJS&M5I?eb>B;vjc~)na;?1^TlTfplM9feG{UJcOpx{tmWJq
z33&_m2z9X=dt6ov%MC;=46O#2gRx7vLwcnD#7-H6zJR<JP}eWhdX2@%j=CR%DXiqK
z`>jmxwP5iZ&^G?9_G7or*eT5M(<q6NM0cC|Skkc}Q@s5qsn`liwEYNIaTPq#*lJWB
zGj-5p#vZuf=)X;?HTg2W&Ytp6X9nvA4N98ZAL!n_cDx@0v-|k9g3Y$WwGWQYaSt(e
zNBJ&0)!J_`x8LlbDSj#7w1Sd&B?{AyC#Ajiv8Epma?$G$ACY-^_XM#mnWle;et1c&
zIIj{SEICocr%<HqwybtfnoO;y$g}T4Y0-%6b6U~Do4~OFgR!^-ax)0*#O(i}d{zPS
z$@rUm!u^g@S^WkyuDZWrz3rE#Zw(DtbP8&chLX?Jwd^NC+jp4!F%4-L=_%U0VCs6l
z+^<w?b7fg>)h+JJ-a)yTyjD-YB)DA~e9`(C2NG^Ryzb&P+Fk9i8*e2Sh{7{j&1uO4
zM}@F<$FfV`qLKa<(Nd-(;Xj2m=Euge``Zp}zIr)0Vr(s;GQ;7M&AZ{HNQ)&L!sA&3
zUQyUh7k3&{nGf1$Ta)^9TKz0g{7P=FLv39<{B|a4X-~Fz6~BnGx!iJBsRKDQN^o7e
z^S&8YYXs<boHGg+o&srgsB&ZG5`2e{h&_fh%c5?3ckd?hg945tm8Y~U1;!lNV*2da
zflw=62d$oC(GBoq9#889m~L4|@vW@v)^}e|x8KK?=yz9-9n3}TB1=(E`vf3Iw?&d5
zJd4Naz8#yR)5q-{m?;)qTHb_cc*I_slox6$O#?dyaw&StO=5pC8GTf24`OpNiv6Ib
zuh}t?@IicV)=dexNC~to%n`xZF4Y<u-;(`XVC7_y>Ist-PWe7iVH0&uDv}~F)L`eO
zm4pCX&$CciLO@x98IaAR=q;ZF-`t6;?Ry!%u@fni2?c?S4HgP5LUSnbkrq|pRb`Sp
z%#QH!ljEQYW*)<Lg*fELrHj+A?kFE!r5!T6B)k4q!XK{#>G_%vt^%KLz4NYR?zj-g
z6%rlvxlf=v6=+>)c1&`B)D5RqTOzma&s>0k2(HV)nnXKmGQ>F-zv;IZZ`k}4iI6u9
zF;<fO=u^<u517`=EK+XCG&wp0TbEO}zNqRf)!x4}e7LERaorAl^w8zb=pkaY^+bjJ
zdO`sOYH-nIO(o=}jP*Wc6~at^mLP%<b0J&+a0rqTQaysLngZMN<wW!TCWMt#e(k;f
zB3kPJ<!Wr<AJ%ppx4(N;S~i`l>SBibNawoWDTO+R?n9B;c=vdVZM@UcEa0jx4+I+^
zRIT7Ij>9Onl8Esr=vE7hqjp~!`OFsx&mN~uCTQd!3-+*#yWL=5jxiaKx{T&0Y=&dl
zmTpzHHO6Ota=qX(j)g(tfyu-HDaY#*af(W#`z0v=-OSk-sq06r>$1Z_%SaTrN~{)&
ztuT5Te&)J>iCkMgvp1bIG%6>I)M>imkJ4DyXg9So3U=VjC_r4BkVp1$zW8!5-d8h)
z>i+U<V(Uei<c&x?<vBsR-7X-{d*w-?PyZ&+CfM5?)FLZvD{&h*CqfvO-mGZWIH$N}
ztlbFdz$skyJ#-B6(?S)Z)Z@~^X|5YcdHSq-);35Vf7?mYNzxMO(1Xmfw4f;_z5=S$
z%mSH(n4@4q$@U#><UsoXN2kvBnQ=!9i#uP`vciiv|JBbF_omhZce>4~j21Q&j<C5F
z^ZO+28DOED)i{l1ltjywCw$m|Ue(!D-=V$H`Rg9#>)7`8rG62Z)=D+BXNzm)y6WNy
zeKdYrCoZvq;;%E9c?h%cfyGB|1t#>MzKYci0mK_p^~gR0d_$;~@Rkr_))w-Tx}J9l
z2r(Da&hc@^XM*^*+$R#sJ}_XPY4ySaP9tw<y`Ag6xP#HlkKNUK=59WNopDgYJHjFz
zrjrS@=^YPBsYe$D7luvY&F-;<RZ=CRgEiZot&l~Fj)RX{CK7KPi}td%+iT(1iu7=e
z^*i-(*#YC#^sdv%fHPUJv@9=E#p==??7i~S(49YhX(>kH=7loKi5xpvwWWFf9XW?L
zu~jTa!7WNd8*n+8N~@`RO)!xjb(4d)LeZ!Cg4pY7)x8q<QpgJ!O+4V5mprm{_6fJc
zuP2t+jV*d4oa?giOJaT4c>$L#Y8%n76#^dh=#WMDZgdEXZDv-*H3RB21NtC#;bFs7
zm*wlzPTfZ6&mqU$1O>Xqhaf2)VM!c-x#-?GrGv&KMl}j;WLJ&m`fBnue|>~g!<FP=
ztL6ZIXiE43fe25;cXA#qoOK$j&j9aaA;x0roWCO7zLG{*@N<B_4j)?dNa@h~Ux)$k
zPdg~wo-T)U=a~pLAw*SU-GGUan<b%(!X(jJ(P!vxXcJrwWY5Hx=ZEi$7G2~{0xtcX
zP1{6l0Kcw!K-v2yp$%|VhOUCy>23Mq3_vj2Oam;1VgS;pnl-%$n?hlFB*|(80jGl>
zQ||vPEwMm?3aO{Xh3~%TwVNq~DM`~@n;jb(XO_kk^W2`X&6L(NPEE~#nK~`rz^|q}
z_F|!~zePJm*OLt5cdxudr6Cg86~hwMLbV1&oe4S$=KRo*&(i*%pA^-u<OcRn%MG3J
zVbaG)0QM}y|Jb{ob>gGPBK?MHj7HEXsNy{On4ibmrxs5!Tr@0_ki~122eq$xqDe6R
zq8<qVpE0Yle&=$TrlOoW<`|qlKQ#NQB_TEzFcM7j3h?v#D{<e6LcK6We5WCIR^A2^
z44L2GuwHb5MK<0)uZ~wu1x`t+NGJ;_sN1s6-`YI>z*JGF4jIBRCH6VxYomiQ$!8oP
zBC%?m+F^S0h*IwHn}Rc5X^D`4r+OVBx7F49d1DKb09v<ABv@VEcGZ%#mN<j#{)YCp
z<{t!Ctu)3x!;MzoKB~35i9a`#h!f2|qkcg*3UKf9^dOo0n*2QK1Ps^J-n^;~$<Pl8
zC`;}T+PFU1QzoS~JS-zN$O^#dddUt1Qp}&zgtU;|59~cA;}nP0{?7AUG09Jsn({oQ
z5%tmsCE3hdX*X3Kd><a*(Cmj}g&)4y4289;Q?%!Fu~Fz3rs$#N7C*haHxcPEmaj-^
zTI2a78|E+z55?zZ)5_z$FV~6m0<i?>^IFmA<HmZgd5`X#d$=6h8%ey{_r{C0J&#o7
z?51mVSkEj4&Ag#^;u!=VWc$^))z5`MNeh7>4i{ui9o*}s)BirJ3Eq$m=2k^syS4@v
zf!0H_z3<}TI0~9IK6fbIL5`i-k*(&{BO($}O2F!>v7ILcE2UlHu}1bhe*5gR6G3`j
z|HLSO&)VG<y-XnL3E(-s)mTV~dWPd<N4gGVmYpfn2~IM=uP1w@yLAaM&n@LMQ;7qk
zE*%qjR+o$1wPb;SbgZr}FT)<Nzk3(^%x}r41Bmn=1+ff0E1<igN5COY34Lk$??CgL
z$x6{tWf!r+H4}u;#_lb?RTsoH-`e#9Jl^izQ|hs`=p?G#E#Mr(Q~_a@{3h$ErnrUS
zTTHALwk(Vy0h&@OLjIfQfl$_5%s}+%R<Iv!v;SLzvWki%Ab#)rkd`CB5psCD<{jIt
zdA%dQ7rRMe)1dhk<IOz75Q;koih#*4&1#rG?nV^3L!)+u(G66p=C`g|LlVl~diCTd
z1i*Z3t5edf{mVXGK?`v{Yr8O*Jqdri)g0Kk{^}iU_ch;A=H)cOpkf=EMGMgB0Od^V
z48?S%sn~giO-AfqQ%409nm39!z@qyxI68EL)_3SADafQq=izpoNME`KH#*#qy51PW
zQV5Iqt5tIzjEXswPeR9_q(E3AaSjnGN`sr6$b&5A$a3zuZ>B+P{$}dPp65@_yn9lx
ztOXD=;8EHQV8%|j|5iGK1l`|X^D$*?04C3iRBu%S_iHR`;a>|$A-i1}1uy6dk=#b;
zOtzI74{9km6LJbb*qVGV){5jG5{eC9!Yl_LOzo$5uYZ9XkL{x?B;FPo?^gGAB$nb8
zk$4~U``H~lH<M++t<@uXsIhsFrL=0t&IWFnr`22b!*=sx@WByip8_ztdT;CuLg=LB
zs}4fn&WAN-vl`;BVW!UGuvP(UPaX|(Q0#J4iZNfW4|%f^SG;%*wi0(jL=8sH>}bhZ
z$raBNR;sXC+H6=G-?sX;e<?W+hVXAZFfHi^GHQj#DdCGiLJCGLXT?#U3tzat7NABu
zIA62#tX9-7LZt(F;^pFOv9@{h&R)jYYY$s^=k*5<tg*AQAu%dWa)_<mAWdGK^VSbG
z-}=V^RywEc2q$p$t~Xvv4=rSKs{IX`W}K5vy<;=%3IFw8SQTTCTvhgD-lIH8jMelK
zODj@wxGm)Afc3R*FOtRe-qX%NGADq#+Hw}szuU?_(po&6&Kq~+9A?F9EmHMhHgRA-
zc6KX?kU68hi9bD%DwMSoURmK%xb+nxX>yPYMxJb5sGg0+Nefhyq|$<RM(aXBAIM&|
zK~2N+W9u&tghVI0v-&*6fF}}q+av|ukv;d?l7dqS7XBvhT0I(*$%ZLN)AR>MO2c`W
z8%@N`3YsY8n*kv5%)E-N8ZHj_M-#$Y>E>qjMDN(ml@+g>1Q*O{iQs~{ZPpctkCgAj
zT8rU%TO7^yBMb=#>T|>H*2X?d(Q`4`6EOI=yB}ECe_fRCe)|iA$DaOfEs_>F)lg!!
z8Q;opEwo3$ld+I9Zm)(r+-}m5&pkdIO=exd9oBsMusQ=Gt)hBtNLG81Zi#};#cJtn
zV*8N1b@1W4cS{98G0LY~b05}O0U3m+l(rX`8cB4QyFWsr4ygkBy7R7WMata&>WJNr
z3qihisXAzBXmMMr2;Ny-Hg^;3%im;|#SfW|wfR%ILTde&CKVXvIzGnwdxcaT541YB
zwFi7!ihXCWu>L55V;q`+Ueu54chz^FI_QPHIqSr;28M@I=|BA2zc!QBITw<(-VT!w
z=#27;N%mV|z8n>l;3b;zX+vW<a6~bp=L3_)3knI(-T1lvFUK<ErAK`43#jrYW^<46
zr<<L=ockWq-Vo4OJ{Sp)QpI<<eH0O}1?0IRbcuB26@(;KIUnc^+j8G?cx~U=;JHXY
zWH#J^aL<q#)8RV`y0cRh8;y{ECcv8m3A{Ct;Fj<ZM#v3{&a*~Y3K4wns3P5FU@ioK
z1{CW*0(}Rev$0cT)!>p|!z!tc)DuHrmV935<sBD}8yC`>4>0rZGIh6-U6jF&#?e65
zIuc*SqyciQwplD|blkIwicsC;xb3sV!?ZUk(gvgk0)vIitc;ObLG}{CZ!rO;L2i>3
z4({!9E05Su;1w^cS19zL$icYxmydN4rRA@$7$+!%7?@@z+gju)khfPl=2M@(t3X0d
zWumYu=)Vc18k--67X_UHsBUZ_37Qa^oP<S=hI{&P1x*G!W$biv-9|(MCvoyw4qrFi
znzfCS!?=E)?9<mdR&&EIsdP&ljW0iE=wAX-RBQ*%K_B{nyh`J3OUupJ@VX)&RE`8}
zuqistA#LI~|McWmBfsC8!g0I*j{O?At2Y+0w-(T4+N`#U<M4KS?NL}d+gc%ljwx^3
z_*S?B-y6Va5nM-~3RP<z?iIib@6n-E(4+P39do!hHn;$$xHZ&qy+bx>VE+Jtu<nY>
zsqEhQ+C~Tn4p?nv*GD+|BVABg_9cj<R?>|xI9VW43+ErxOvIKeK*#FK{75%0P;l@%
zc+2a@S=t?JB93+BajVeUyC1F=bkKGicA|+L3)A>1xOEdj>HAXqPs+IAT+7uFgf!&b
z;Ul$F?~cuFUG)~#FP1voKrsAJY`4`c5wOlUp4%BgfAfLzFFu&pfqNBM`9u{$*?HBG
zW4m6bm=(vQTe_9;YmEHvaxvHY%cSyxm!+;QN#Zo;$|9WF47MO*o55EQ3NLYynrj3u
z&|YvGRerd72h+UR9{ag;m`9xks_5PtsJ2N{-#E<Uo?#GT%Qwj(zSMX!c4rw#Ms$>A
zA!%hw{G_@&%uF?|szY(xBg(<)$A`D=R*(Ks0-~!J)gNvY=K!tD=I03hi*YjOb8B-o
zS%Q|h$^mO}sgP%K(59xFnP0WqkER{+dh2CNdZI!e%I`ZoLEYQ!sqy?o9I+a-sWyGS
znS8j>b#|?_;8q)!+!S|s8ebBrPQxKU!Qovh?|_p-W+C4mdev~A=C!U^GxUdhZL!s^
zj$*^SKcE|=tnnyoj-C`_OF<S%FwenyU0yVsn8pOHxeKg1#mymS`5_J3=fPtu4IlvT
ze0w$*$%^*rS2fp>S=kA+<|@gXGNnc993N!<#UXuVBD7cfto|ECjpd5XE3G#3XK?Kg
z0r#zW{~*F{lzRswQk4xHX+75N0<j>q*T=W-t$VfhtmK8{a)@A;`MHEHW<U^~KycA!
zG3g#Jf3N3N#o}Po`~y}u%?=NSS70J!WEun6WiGm9{2(4EB)HLg!QKIxX(zW}MQ$x%
zeh*6le%Y?(BV<h4uqXc35#eKzAt8xaTud%*R3{>ck~989*p;o4O@CcTi|Uv)Z4$SS
z6HfX>4CfjveBs5BcT{pyu6J%ql~fa4rTBWvdJbFhHae|ozREqb*j`E*6L<Zp$b*;V
zA%$8co9JvLt=Tno4hXXE$xg_^Hw(|tFa6CG($+a0d}sHX?+ts&$jYa+@xeM>FcjM9
z;=BkBap(81!6EVOYmyH_4Shk0(zwwwoCoOm4KDtT@&Ob0$Wb%aBj{+=;l&={CVnqM
zF;eb?#|D18bE>zwj-wYb)ULde<k|EFkqnJ?{-o<(I0XZGiFfaYlT+^&IKNu=@Kx`I
zYlURDrW}pDDfl2`Z(F@xBD_xxGcz81y|TMm?%w2Xnb!S@d<N)GwZdVl+)GcQf!_OY
z?>@MpQ4n@1@W6GyM+({;c;rb))BxvBF2S~5qa^*;x7Bx0&S5~h`-SnNBfJrp^}(mN
zjJb<0#!(&F_lC;j{k=aYy`Y$GLOekqDa?;|CwVzac83A%ko&EaJ1(^X!n}Mg94CK2
zNWoCnemH~Qiz9RC+SBjw5{H^T5@>Hx9oE<pigC`D;6c1TWy0(j)qeV8EC>u_Pu#7B
zRoK>w?k+dxg9UCo=&JMXo892HK3Fg1-eBGq;UmPAhXC0{d%=??r5xd>pZSH1VHsKE
zFt(!S8@WS4Mr4oXb=sE|+mS_yn~nLbWm@BdeCu^32?as-C-Qt_&}m78%HUz!bIS{*
z+vtzBx8jeCpKfui0ckP30j=CO#}0*6z%5@s2sg0ZkRW}ekd`gBAKV>3xnlJ0sYTlH
z;aG)2Da_wt;(mzkn6%8>nkq7hk<3JbC73DRY`#HS#Ye?L-}5vS6Fwvc4b*dM#uV#@
z)9BwQZyhLa9W3uM@?nzQhh@M6HDJOH(#!&eq;W0WGZ-n0iV)QMpxBlV2a$Jx^JUwn
z<b8%@kN2g{U#$$;yj8+dIe6WTfwIpSPc#8>f8DB8u4aOw;DmxFY3s|Uv9FXv3b#(*
ze^LW{%a)NC7=u6hP&CE+y_}>}RhR$?vH=R04p;AuTxxfk@KIg_3W1GVzJf`RaBe_(
zOREdtIIzCB1wGzB1ouem&<9-T1y?DS$u{k`dgia!+X}cO1sgy+ulmd^&bfQYqdvM-
z#Y1@Lk3?g@?P{>2(gie>Scc$k_FE%_uMIo~FA$mngd)?ZDc=jz?H(;-9uq<?dpD{+
zK+zA(y^Xyb1KzMLh^=>d56!;UF%h@D!sPwo;!Z;skkipH_zu`!^`FX9Pa=?>D}z~-
z8n+va!5NbQac;pr4%!p<tdEPqjRP^TXQIEJdupC>jeto^TDgKFI(hp<1e@Rbvjm*F
zjJN!4>xJcK`a6I#?^e4fVraZK48I5YxRN+5gwMf$J*>seIWIQYUOxyYr`<3f$16H5
zrqgyc+PLSp1Ad{ZLdZ?o?$`1m_1bVRAla_ND9IHHYW1~Fi&Hr2Vfr2%yB7xbs&fRT
zL!(}7oovpTbw{WKzd{h#ei>&#&j)Uivke`cI{CQQZyyfjL43mrqnESXdjPLqDdsU)
zS=8__{|YwsDkWM-waRlP-fQW;_G?ew4kTh>K5#=QhQ&2az;XUd(9GizuILMw5R_@2
zteMLP-WDeWsq15Jm@0C5k=!995X6{Vf;;a3b=LteJGTorJBn^z9?a9xJn!C+tK2b}
zc^}{Q2ymYVe2)~dsWPqNh`cfmE$x^cI#50<L0?W(EK%}#xupX_lhpe%+u>xAEk8_W
zXC+Io%Uo#1KztZao6I1PHg25Q8O3v{8`t8=;WT$`zj@JmK6<bDqBL*34PKvY$pi`7
zJ#f*K?lM#$AIu@2;k>ZN{i`p8aP{rfdqU9|)jx3SkM<DG9g>N-jJWudzx9y-&p)Gl
z4}hXh{r{kTYo+<WjjMXcQN1nen)?}B9*VN&O-=>0rtP?>eC6r5pDjS&i5{;A^a1_#
zv@8CPzM-(QWRCgT#5pA@zcmK|Z9<X4ofP?_gV#uZwG07QrK$i7vzs~6fAZ1j3CH{x
zx32TQw;cgv@>AA3c3^1g`}^BSH-^l&K&?+@M~dmVb)Nk(GXslIT+NsF*NK00EPbD@
zE(3}9h>>daO_D!n5KJsjRCN@cap8}r=^}_Qwye)B{x#iTVrIt*1zY>bKL>mQ+Ntu(
zw=`X5b2N8tC*5G)1er5HsCdKvc<l9wQVuv*<)2HXe0XvMg!*2F|BVNTh!@Dd5ly_l
zagOefY1tGKVG0szu3Y*<x;n1`(~60DOnf0URNp4bD@Eex&taJij`Ls&x&3dOpw@DG
zp^R&Pz|$QB<Z?1w*h~2bwU|K!Y`y0Nk-FYbwxA3%W6bYuNF8_B{6Pzl9toHzGg*8%
z{Ex-mGY`dy&SFIaehi)ONg|Fg8cG%5j@JgJSC_$3pvGw*7A@Xse=l7$;@#4(_OZrO
z;_mc2Y>viW6lPWyKL+{^9wc!}SHZ}(eBk6iRC6}!EX_48AlI)GImsIf$_9wqRo2@;
zcg2kJ#pd|q+%89F@`#@^)1@a+mr{U9^~d_Yk6L~U;1DF2ozjo7Kv<GzyB)mfi%aGY
zPLR>{P>q1HN^FS3oKIgWh-!$|uh58Z{-wIo`2b#CwtE}-YYBv_GXQ<HZ$1&d@SWd)
zf9Dw@8~7xrqU_El-{H1NC8DmkUwY$67s;usR^oELMD3i7X@tE^q}^a#(k~f$No8_k
zy>BT`MPb@kts-X@*)UmQJl$CPC(CgH$uEF%i5GW%a?Pm|(JqQHcAy%ILb@m+N=~{<
zHj{AzsVVzd+mSO8AIl6|pYOeEaC=9QuXy2=LO+S!;ST?TfkMqG%c(8?>ECd+Kw?A;
zlxt$3bm{Vca0?wL2!D>~z1t5G6A=r=-<Wmo)zL#gD~uu{p(m>ZYSuH9j;zl?S4nv4
zOH&^_4-&S^b%UPm|AA=&a|zopyaLE}tN+BWWdjHdD?gndTv>iC<F6m1#<zezn3-~0
zUK@K;mL*C=R?7t}NqoefN3_dyiR6Nri8AY#2!rLd;52)VAMXHoXJB|ma6Se420r{b
zzyOu5g1x*F?+*e|-qYl4oSGV8Iu&G7%z9ps#EH@b!%bc9w7Qc`d85a7Dn6oFQS16(
z(D|v~09{e)B=|rQTr}i=3ivqz5Z>{=_+Nkh&@iQ@VTtBe$~otd`I!w4Unsww{0=@?
zb6uHJGAv%G>H=-uQ-<vaC~@}R;P)hl8g^D&>}i-TxJ?#U$%kN&hIW<_zwyX-z8g53
zA1p4$r1s<|w|^3%E5l2C{nSa?M)Ago%-Nu`oWm)<YLtm+{FV}@N}x-m^27~g_SE-<
z4{3hUknA+mcXXX8SvmRJEC71kJPDxdvM@P7+JDIR=`<yrgaz5DOVO;>d6}ev`#U|R
zfHJH&J+QwKEEGOPr_658HpKno4FJ`KLUhK&vzf9ZMi|uN-k;L(9ppq@8~HCOD%arj
zrmEZu>yWK@7S+s2r@>i`6J6C{S)VAkR1G8s(#V%c_KdAKKk=}?nq{``c~|+)|2I36
zZ%+oatd?=OEc3im`F$z*YJh0Eh(9cj`LU9TNRW-deJsU9<i&9n&_!UFp2Y87h=WOI
z$<m}ln#5<i2$Kl(Z&C-+ruy#On2(Ea^ZsEAB>=fFA-y1``U|N-x>k_;pQbNy>taX<
zr59cC5%QBY3brKjt`PawiHoGZ4g+DIxqdPtXM8p&ictuYRAtgwS;^-LFODJ5U8Jvt
zhVNenBb^`MGJE0ZQ$M&2lwV5{w(&}p_EJkhE$K3n@*F3Sq$Iv@<+0$&Z}rgBMggrP
zhsxgsu<$aVzsk@%i@)9D3<cSfm2!xkVIcjbD@#K`HnR6eNuO_)c3x_}NMcVp0&-EK
ziGKSqY^=pLXy|Hi*I#r$r$IzKPB2>aD(7f_qdq04O)+4!GMcYk{)wKj#S>ujyHT5h
zE!^0XU!y4vOhU<LPLX<HE2+*pg$dP~4o*23Pl=vW_zh0ksd~qGJ%!`vOZ|P!>ZqLA
z)g5C9_GKmN!PVcM0#+270cb}1<+r83_-c&dt80`{OWkU$H{ZKDZn`8u6^kl*W;ma@
zG)8WIuP(EFxZ3&M9r@qzQOHHW(W{-p-|hi8S|;F#={%|0PkVAhx3h_-aX07WP-uw~
zr#xWl7U~u?4Y@y!o<i01W>yaiqv(E@ZV)GV*fPO)sU46VX`Bh5n30$ZlYDCMn(U8d
z*yI98^Ut`#^%H5tVke&O^)td>EPrktA9!~4GTC!V18q`Qz(#0>&q1{@#H*=7_2P`Z
zS%V!U>=2eX?I|9xuW7{B-*^}(ot+f#VE_+iHuOvea^+Q<7)=@aIm6XpaX`wbI9O0C
z@n33Y2Uzf6|6}@JVw*0aThAkjquJr>r=<UQIUlKxp-M;Ybf@$yl$C0Q=a@BAI6^<e
ze4Tk>m?aW@P*Xj{+F6%n&I?<)lBil`j!GJ{oZ3<Ri9b;1rLdNkr(=a0Ueom+1>mFU
z61$iU7un5=KFv4}e1M^Xn=r~OJNk#@{%wW<Yl<l_^}oXW6Fp(~PpWLC2?eM%@(ww=
z=;c=feaw=s!Yq?3ae391rHUU|9J3@{cn33^MmUPA&7qAilRkf$y!dI92UVjn__}A=
z`K^ucZ^S+)FjA<YUslnNAG^0%U4xpc7I4Yd&XPzeZf>0}x1YmUr}|aZlE3Z!?H$70
zY5*J4b*t|;)8?$3?`VF1mrbIyJGqW)q~1vkk6oCN08rMqmu=J*X7s|`?*+WxsQ`?b
zOsfU5y+^DLMpiLp(c=X?l5@odYUXS@NMZ}NGq#Ms#$uq;4UsIm^X}=`>+QXkhlWsm
zbNN8)u-Uu03w}&y7~`7;_}6zxF$GINlhUuZfCL)B;}$ILO8=oB!!Dk9?i<7_9eGne
ztt5LzO``p!>{V$$a?2bNBm8T)@2q@C<u2SI<sKJxJu<aL$oE_35na8^g00aL5_am0
zM(xHAZ}nq7p1$+=0xh+FI(?l3-EZSPX3!n1bLlWiad`+oyLT3`V1WPFwnQ@#*P*%o
zo8|_%p_UJXPj4SMC;DT$x&kCGX0(*q78wQBF7B&dZrnU)xt;P{PJu}+KRvXZ!x)0Q
z-Z;z=B^Ni73nXVGLW>78dwpl6M*S}J!Cyr}${8LsJfAUgjUpeCUtCpUW&A=%x-uO9
zODoV(^1b5OCxvt<uN$MhLL}`hUng;~Pu832JGHT4Y*i#_)PHd)a1{->C*qfB$bUJ$
zbc&n?F6O{CQG7ApuYB~l;;;!zOqC@<A8j^1(T9CJQHk5G5CIs_#TFV|L&ZA-GQUrE
zU!5}>^tjPr_C@1|2RiR=|Awqz9_D|21$s*on`+ptIRfHhWAzr@<JJ`e+~2926Q;S2
zj~Pt}5CwH|YyM>~{%cs@#R(KcdA9y7<NdGUk>0NmPd-L~v;hroen!;6Cz0OF#x-Jw
zu};RL>!;QHUx4~YJS7BmM^2f)dPB=M_9mF=E(c)zfk?uzJ8P-;$^GyKHhc2{^!xL&
zKWO~R{{2s{@=vf<y^2lY%)dcFVHu65G$;a;x8Zr0R6d3m)Kk8tuA==(4(tCXSPTm-
zV4JGZdr<14To`V-Qu`d_1Ni&qaIC$fFTJ@<6Fd8M<zN2kk_Ls^T93E?_iO$>_VTHb
zdegG|thKQWP=~*Q@)4>4HYb7D&fF)#-b0B#Q|vo7udR`FM;ko)c%9+Di2~3xi8vTX
zFXPQB@M0J(8y`eD5e*<f;!H!?8S3ddC)t5UM`YpYb4;gBa_*e{@1jBN)Z<NNp!VlM
z-S^^?$#&q=5el5;;~+|dCj{iu+ZyrF*Pfj4O?MToNQ%9-Ig{m~!uc<0_)U&}h9Ljk
zv#9{NN=C@oZ<z4!y`}Wgtx1}W1x*q-OX9Y@6W4_-CD({)#yauQNZYCyQ#F;(4}NO#
z-<*m6^4?v#(#_)A-RrCZA6Avv4A$>8asz?=F)fw6LsmgH!kh^B(@?#oQmth3=zjo<
C<ZwCw

literal 0
HcmV?d00001

diff --git a/docs/images/prometheus-dashboard1.png b/docs/images/prometheus-dashboard1.png
new file mode 100644
index 0000000000000000000000000000000000000000..86c76cbf272652bbbfea73cfe75e248a15692f9c
GIT binary patch
literal 387285
zcmbTd1yozXwm%Go;!cZOpg_@JMT0|uQlzE0dnp8$K(OKzZ;P~8fnvqo0>LRzph&Tx
z!QGv}m)`sS@4a>3THjjto^=j0nVCJZXJ*gdzdb~2YpM_v&=Fu@U=XXRD!s<Qz(-<W
zJgmpVL8t8b$vwirAbRVdsHm-`sK}!2?qcWQWQ&2J8l9|<`$ngqF3b31V&d-y<cSo1
zD&MKO0JV4zUO#+=uf~!SmPqzycQZG{k@{8X=8q__*Fzh=C{sghs5x)Z)16%Y54p!2
zPrmK6xi16_&s`l4$p*CuHwk0BJ$GaOX!3?I803~C!VgN50I(;k`4N!GJ^0#=ZQ$xF
zgwG=?N+3tOeb0a3EC+t7pZTc%PU6m7ITDz7gdsP^GQ2bh@g)<(40c&k`yP%#_88VP
zp%DFGB-}us04oeq_rRX(i2vcRHZm_%65q`!3W1@W=iW5Niy^WvpJmuR7~(A=BfrbK
z9@CBSR#JhXozne^jK|97*WjT3(u*i?P8+rr4e8<VWv|`j;;uarV#B>AqDrVj{uLp4
z|C6S<t$TZiyN1=Zfk=OYuIG<mupu8^b<r&h^e4Qr;O?GB#%|ImmjU)EkCMG`G4k=&
z$fI8bOhj>7cU@!Rbo2W=t3K&|P8J#Mk(c+z|9QdFSS&#kzD<!=08UJ+fGBEwo17!=
zOun&O@nm2vzs`VN@#Trh);II;3f$uirIdj?`kdgr>I8>Jgp?lv1#(V?PhNb8Fu=01
zH`Mh1{=)ucRU)JGcedm{E@VTPxF!n;soreg2cdjRH*QolXhyqjnkpxXvaA!AFdUzJ
z;M$_lcdp~olHVX*?$-;3YPLj;D7t}gARfN%db~7s6y=Jp_w|$T4!40OapjNnC1ZU<
z51W<=78tC23}3<C@n^lkqb?ki$>QRQ)zI#ZrndL!>*ZeQNDY13jspnBU#+wa_D>{M
zDw{u>KTLIhLgf1XkqsuM>uW(p;g7f~-G{WKA3B)H@PnNoW`|2f7?0%dP6SH)CEx$*
z7|rdVm005H_GO`1?OZ(WFhp9qs4d~!DBT|phsWWr425e5-W^;4&Uv~*UVi?NMCxnv
zj>LgNF&fZ~XGJqgBG!%NDhncz3AOO(X?4ra0kv&YW>L)IC*V!tGln5_l-S1(av5+X
zzo7(l`Gnfa9y$|){gyf!Wot?JR*2@v#FzJflM<4KWl6IP>h+Wr5u8XNf(Dn;8*;|j
zS`uF!<GGW~oZoz*JEvpn(tA{QS1&VQARMtX#Kd&9AbXR(ePYRc)yh$iCl!|2rD;W7
znP(tvVZ~XAQ~FS<puMYPr+;ai?wCr9MvJ7D?K)Dne4sG*qfn|*Du1fhK$SvAtwK+)
z^@e(Zy0T%X0taCrBlgSqw2j@Lo?dQV59N-^Ufl(>+7bmSlJ)jfn8;IN$k-<Sx*l-j
z!w^4ygmK+ck<mln2u{IrEsf($rQ(t>IbvxK!q;dVCwjCfXhC@5_AslR6#Kol09AJ|
zcH#q$E^fkQ$<&Zy3yw707xEGYB$L5s7Q)jw-tSwNSc-5}I@DaLOdf!jBpV6!wKyU8
ze(h4f6Ik%@a{!**7=p^BWVqdrkDfnB)P6z`t@t|8^9dn2o4XB%5HpvG9_vn0nJV$I
zusgOyw29no65^-gcS7G#e<i`sAGULQi=IgmoIN*u`{Zk|rb5l{2emY&!TicRqwhRP
zjUuy@fH_m6B&Y1NF_<qItu5@*DA(hvs%Us04|ac_b}A(*Y5!3bV8G@-qF+T)N`Dhf
z=_Wbcow-C1-%jbqWEMQqo4T}fWC~#nq=SEu?S>u#vFSRZmgElEUGXUK48w}UUMoDb
z#9bCxCYn>v4D(T9O_Hw#_;s|VDg5FXX5j}oKiTILB}YUjM7KVn=nr0%JLc?3Z2Ye9
zn#+OFfpiOdi=g<^L}5X>-H-JjR0SzNIP`d4m1rZ%yiN8#%nH{9R#VM<*j0}Qob-?P
z5B@~-$E^;oYP!oRr&}o=6+Y3f<~n(r{5jyW@Mq}fhVAX`^=+B$l|Rbc9)EcLkQQa@
z2Nm7D|Djk{SY7P!M#78Bi?c4;Fa0{@d7j~T$lKyth1u6e#CwnSFw3+;%a=<#Mwc9a
zjTVg+jW^~Vz4%n>kl#O+QEFIfnB%K@Qf=2jWjJUQQ`Yn6Yng7om(oswUWKSBwAMS;
zJL{ZcZ+@1#HhU-0v(!t$>r#@?vwkaM%=cyACY7gXrb@QfqNc3k!36vE?54YCjn|;p
z#diJn`R3MU(+>NV#(2q?RKZk7JIy2!30rDatXra6=#g945#A(TM^q2nd0e9qvh_|C
z#S-v7@XK8wYUi4nI1MKUM*@e3Xq$MS9vN{Su|ix(=PU%Wo|b;?^L<fu;b(OcuF8U-
zLfmc~GS-d;Ec{Mz`<bX9iC79vg|Lk69Jo^eU#MTy5bQqpeekn0odvg$DcG;`^r22d
zzty@B&zHh4(ss}7$nD%~%IwPQQ0t=W(d+E%H$w-;+PpA6AwE505#v*XuSW4T84iYy
zzI`8@*1+twMvh*?+pTqRUe#v`JAOMGqSvAf=~n4R>Ck!+gdE}l;vK@#TS>~Lg`p+R
z8+=~W8rk~0ZQ!mNYkO&n#eI77_r9v@soNtdJ*frHT*<184;k+=nIwfX@-oyjb~4T5
zsu_|c-}MxE<h3<I8dsa0e43<;>`$jh+4JaC;BIw3YfXAhW*&J>;Y~wsj;_$X{Uv_a
z#nr&U(0##S>l~GuK6@>oR`G_+2tQE0!n1<dOsv(b)w(qml6?WV#J>4;B(Z(cF*V-s
z`{LU{cA#dUL|_XlE1`;(jix5xmvxXwQ2D*yeLRMpoL_rNaJ*cNoU?`3QXWeTOW^PL
zZ}z-WdZLb`JGzzXl_Hm}htPT;l&Xabn-HIri_n4i555MGDf2bUFAy(Jsc0$Z9Gm}h
zhz>S@Rme)YTO(dDvafjgH1>>6%5ir~^_`9X>h({RSLd(BihA8P8>?3I;##P|kNM)u
z6EFoc(sTtctie`<RzZwf49rq(?{3E%N8N;1hI__W3cC;DgHp*dDtVWkbHTZwDhV}V
zF1})ptpIn`<AK$9{5+0dUtPI+1e8CICBAr}@nSw{R!Yzl`87Jzfyp7?L5ySO<yX<I
zPMfa&rcVhPqZyr<?oTrlvohMGP?Ta3#zT8UOEykFH<zn?9esgU^0$9(`QO7W@|O$?
zg4PFqZ5ZAemQ*)~z3(KjY>47B0{Ue#Cbdf31Zch-9?p0_w>pRNedoL7tI{orWH{RL
z|8(ncwMT)gR{TA$y}?35K0)Mlvtq<gj($1<ujQOJWoMpy`Mb)e--><|xx5>jP#mu<
zj4rHu*^u1^xvoK0BD3w5gdxIT?Y|CXh@C9+PL`I{B+by)q;DAfG88EEaK4-~J$ZWK
zzK+sEzOJrbt+?txp{J$+rnM{`kuJ+lq`dq5LfwV`)VR@?yiK*X$g2v0^ooIhJ{sgt
zY5A=GImoEf*!`$)R95d!yi&x&VMl1hHa&$hH70e@fV|Oa>cw7i4-az%UBeIOXC7WN
z+wjSkh8{VctyU*S14dV~@dHHz5nd@fDHS)hW{r1#x~_ljh@aC_xj^7a@S}l(ZyGnE
z^e+61w{9_S2g}Nqjdy;OmGIP)H#`PIo24CYnzCU*KV~c&^ZffZGLe~#ElBUo@}nQc
zGvHdNA)gUX#op|v`a-bF&xMEp&71mt`(2<c2FXuS*rfz&gC3WSRFwHxruKlk#9Wl2
zfSJEUal2sZY=Uq{itaVtY(lK`*xcq6<Whgb+=uCzl#$oVgX!v(&ntxSq!~|TMiEaO
zwq?F}9lM=;UT-Pn$Y}QVyWN@;PO=})CYFM3GwjSopWJOEm>ssduI66!T&riLZX1D&
zNbc8<5X*Walg)!>sr0k{vvi2QT4p!}WNr0NVu^i)Te)d7Q$Q=~IWo>zY~0y<4!P(T
zD0OkZBc<$feK6dr(x~rkz7yDkm52KWjzG1+yJ}XZyAmV$5|GUE0l%QP$I-j}g~JcE
z9JF|{zQ~mL?qA=&)i=;b#6$xn&0m<E`=s9Gp!y>8>nj4Ugf~Z0vhbxdEAlIF7kGUg
z54|_c_k*5Y^q$K=QZLHy0}Qj}7t2W(n1=&i-d&akZF7zl4vctb)5Dblo5T{u1Xz||
zG=-{Q5{ZfkQwEDkVSdYRufc*fyyD<K2nh{&dQcIHcgtA{1Co5;#E=TbP|YBedj!gJ
z3K=4>;@*9%av8=F+}uPgmi$v_-Xyuc=#WEclb#0RNQ6;L9y~Jk{{3AX7FKpcmxT+~
z?>FCIq1<732SmmhkBiDq9$%V$z8H6Lziq?)fH&81fr4XzD-yJ$Wv}qirpE_c12sDh
z4GeB{91jB<lMdq{I);h<WH9OfJN_K=DF)U*(jQ=8L^@z#|5q7Jbolp4M1Oy2{uyF@
zjKIJ}|Dr&DkZ%wEUuk^gH?02`e^`&s!;sfeR8vETI@a#Cw$2`JT|8+-C`ix=_^zsk
z9vB!@?0-K@wbxG$(e+O|yfN@J(0D0n?E>bvv~jVr<%fV>|JH*6f=HsHU|Ua176{nM
z*+UW{&H9fLlIZx~WFRZcKZ<xdO0ybhXtOA~xZARb@(b__u*wjyu&{vKZR{jpD?R@&
za`Z20*0-LXu985YkB<+(k1)TByFE})LP7#4AOsW=;zO6<^YC@{w1n_Ed$9eplK)qa
zlC6ieyMwEzgNrlE-+C>rT)aG`Sy}%!^xw}v`)Lbt_@9=XJ^pK0=m7%%<^Tox1%Uru
zH<}dmH&s&G0b=W9sN?`f^9<dFjG&095a=HS|0nBzn*3j+2LD4U^h{Xbf0O>NtbZld
z^{{nUbOECq^_2Oa3HvYN|DE|?gdpJGvHve#{FBlDNJVp6h5!Wo?^%-}kT5L&ik?UY
z2PLgH=n%ck{yq;7=s!>Y8KUD@;5y-qlRgX#ISe%=`8N>E-Ar8AAEnvIJ};D$BcdlF
zq%{V-2Y&UcD#xNPe)GpPlzP{6s_lbmmCr6QVRNokmo9JAH-pLYDAl7u;i>3@FX<W3
zeTk;j!Pfg!W-*C=8zEnzFE54eVFw~`_H`RpmIwdYt4p5tTmkl@(SePe4D&yE53!$g
z>nQ(cv}Et;@KmGpu|Qz%|FHWM$YPSHV7&k2l_N&?yaY2#^znZ*ZZb^#qc^xp-@?h$
z#2r4SgM6#gMI5Sc_8Jy%Z&z)&DgXUS-+n=N$nndDa{fDOY>t;1n;e=Mt7!vDa@haw
zTfqN-0;yrTp`H&`#y)fxv+Pv5*a^d5I5Fjs6k+`EZ?mhG3teAb@pxG%7#|x??8cF`
zo&J8Of-gs$JM`bKEJ`l!FXPF-iBiAsC1W|=y*z?T!j}90-9e(u8{wiS!Klx7;?>KC
z*u5yB1wi+w=zo7T)c$2xUHM6Ip2K@=4y~-+KsDHsMutf7!xT+rihqA1i;{!UuoA_@
zIjeR=`*$V(NKR0AE+3X!$-g~B3vNypz`~or2fDW@>KNn;Bhh#V4U2(}P2q3;6Mntp
zU;&s7;U&Mvo8XiapUv(=v1&oiM&CyN+ml!;`IlwQIzO=9;bW66YrF&@|C0_G$^M<d
zdx=SMQQ`M)YT~o_l$@d`W_42kz9f3jr7Wia<5D)e0ViXVE&Ycpf${IKGCj)Jz*Z07
zsPlCCn-g&{i7)@jCY&Wfk8O6iX);Mv@cj{7({&{XRTq7cyQ}=~Z|G_~B3hwtl+ZqP
z!@lg~kkS12L8DkQm-aHB#=b1b0Qe8MX7zqu!|ylWvlDXWI8WyI%b#Am0&ruiqaLGo
zf`mL%`sM+95p8!7^w+cW`y1Io-g(c1kSFVx_Fo-18pb{hwj}ErEYvw(G*sX01`VB+
z`&7&i6gX@rLpp98c1JW?(?8z!vB&k^Fb6Iz_?>_+&cqfQwPaBfRZhLM_O2&GV%awc
z^ZRW{zJ^$1rzB-m^~bm~#eZ9H8Iixo#KLJzjfCwcy#1rA?<I9US7n$`u8em?_FDSB
zGiVG8UVgu}<!}7e_qM-qybCOQ0CN74pZX%Gq2P;8Bz$AP^<KWOmcrOQy2o^cvHt8q
zk9a_lluq-oNTC?0+dDMNcT)QHr?p`GuSL8QNltF_J7M7ekF0(h_`td^-fR4&aNIp!
z)73?}^oRc|U*vW;ER-S3s_DkDVm;vydDX`lP7}5Pz-9tCV$AardQfP#EWSVaw3jf8
zv_ztU9-KB2x7VN{R_A5^g77HtC2Sd$0_kyl2jzOTw-7KAfR@wN7vXpnDi?h7?@G$Y
zrZwm@@7l3Q++AAFQqqI&uIA&!=6`SQ8E@mjZ;xXT-**byAjZx!LyZ1EI~-mOmZ?+L
zb<mc_B(bS9kM#PlLuNobr8Ui0lohEbzl0Ogy=NWhl~+G$$sA=d!>_LC#SptSO}-nM
zQ+&0*72*a~3bO;<58(H0HylT-SA`CDtLth?BNO9>c3<*eT`l!^bVrfz4+7gfKXGWe
zdyGgo0M)IJX=MXpQfsR^w}JO}7x0#S>1MGXL}h@Z!{sh?Z|62i^Hma<ob%xoZ%!-&
zF6Mol$G)rWy9DtZXw<DU+S+I<wf_967xV5(d!6X^$}8v9KDPN^!b7`MCU4~z0|hRh
z<;RL{t|Z8Mn+IOyr(0gr&dr_t+M_bGAs3tX9M>pj)rBoaGW$&vGl8ZHWp@v|<`_JF
zy*jENN;;e}4>}7F8a}v3E#5zCRG%e;5qMO56?e-ucI|j*8cD)fu-T+-JhtRek{Wyx
z=nnscI)1EY&;hR56FnPyx%Cj(c9{!xT?%cZX}#Fq+cDBfEiP(4MfasSLFW4B#m0Ju
zhi1d?PC|_%M|f1AWzwy&AHra@in}63dFf*e&@DUYt|@3(^0<i2SZ}#N+u`p4BXhf?
zcyUFYEtPfuwn5T+b94PGwETIpYQWFu%de3H_(Z-AQ7t$7Edkq%-g6zJE=iBogD<pC
zi3Jy=P*)>C<qcSMnP-V_-~X%Jt|fS2$O?0{7~<+p&s6~Nd`B)#nR%RXF<FUZgmFC!
zxPc!u3T6jn?YGrM9R=R`X0&XM@of8ctYoYlm0S0b6!%FfOvKYYn~f}G_bhwX`R9DW
zT1;$d5@8%m-Gkr%ZLiV17hxsZ4`MpB0z&pS91rx&ZIhK$Cl(^}l$|2`KscXeuWVv(
zMh1Z`g4yw0Tq7K&VlTRF=#zPQu2n{|q?#HcTlad@5~T0mj?QRR-I9GQYw9%$ypJll
zK9}a=Q*ZKe$Q2bmS&n3GPIqaZiOh;8&7{te_SxP_G4tDk=(aB6={m#r&cAC;g;&($
zlNp2IUFT}_W25}#VhO*I^$2GVm$oCjRxjRf3<&22F!Gsu@2@jU0MHYcm~NFRXxFU|
zL(2)h8{&7G)uuiuMRYAP?w7Zo8)f&b8$0b!nnCx(TlDVfJNUh@5$+{?^K_1-ul@+$
zU%>CZfUv_5YU6O~{h;gdY}h7c`5<3|iSCtN^Q)w@+_3;|Q(NpTziqCI>AW-PpRB)U
zec%DDEEUxmAJm>X&xv2OqevTb6eA}G6NS9gl@@p^VD7D6d=4G+KJ$AKM6}2l&r9;i
z7Vo{;x+tXE-lErr>3*Ep_I3Or=<2hirJfn4EaV=`XXx3KP5lM}++YeoF2Mrq`SguH
zD(6?*ni!+5&rhOLjoxuJAog2y>n()~{I0hO=kpRK&SEa+JhU37kulF^7Gi#=N9mCN
zV#`Q~BV|3m+gKnz&qVIMLzybUD<_3)z>BXDy`|Of40l*v*J<q~Wt56n+oqc1K{sy~
zd^Z>undO415ftjY%k>L(jzFW>sUG;B$k^yjpI6w!(i<ihfAr0-b}yg0-ea8uxgFO&
zkzJl6T;{!|%r@FCk%S{`73M|tI)9Y^^<*$&#^mWtw~U}=i2p1g@=RWM+{6mT#nJr<
z4+ytvcrLi`Wg{ay>Tp4e)Gz;W%0(6_qK@aFYO|!G%^OwG+Gd0JV)s>${5)3u#LDi4
zU$<gdBuxbuAJy{E(Uip8WVBDqnj{}$$$8P=F|CE?DEDGdY_Y&0-6)n5U{<UOe7M+Y
zzu$-=@j-X==5-cyK_Z?y<<IO*bmR!Sh31YS@{G?XMki-e<}HN7@OCKIz#vh_;}AL!
zjV&!J>`wpeBFm(DGSYS~@nW~t-dW~*%l+NWJYlFgUb>Cua{Z2T%eA)f7yLkT@x%A;
z_pdgxFW@8+t7He{B_`LCjpcZN1s)(Axeq%Tu7)%_P4{?hjpaLiHPWLp1is^ntmk7V
z%cjODB2UI92P=YA9GvU!trk<w+>38^Yeoj_Cd-V)8rF>*Q#3v`e6*H2`>cZ!^fvjH
zxAUh&-)!thYJ*Z0J~N96bf|7&M?+iyd$BOf``x9Xi=@-EfX{fGSpHx!>FoySVab|F
z7>G_dZpUe|K6$~qy1vYIrjJclvuEXg^Om$>!Efi!N7H4*izxjMwNcGV(Blfi`(zTE
znn*P7i&wD-L6~R(oHNAH%adzv@Zv|KIbRi+cYpJ<jyea6U_Z0{2HG~#Yz5y})q2Kz
z?<6Xca?w+WI4dF)n5#d341C6pdBbE8%1_@&EH+ok<s;T}ylzbm`)JLX<(Ye6FXm+#
z(Iz<or^g$C?z;4|r+T&=R6$!!OZG}5l?eY;v9|cZ(JoHT47bEPX!hRQE^oS~yNBMR
zZW>c5a4CVDqnuS{&~x`pNw4D*jWhcXct=k<9WOoWIRwoZ;!_T*!@huHrDZRBloEXu
z_c?T4M_qJjS$hoXb`x}tE`XNmMM~CEOegnh$4UBwr--(yBkT@8PRTmFUAVVU`s!Jj
zg%C4LGr~VA&;%^#MjON(GECP^nXc#=6*mjyRN=X_U9EdKmer*gdyXp4r{3R;LDipt
zj0HfmWsS%W%l48z>4ZQP`28Ie?sPt5?}GrtGfCNF#2(>*`eKVuE~A!0Qd@{V8mv6r
zeXMVi)P`X<@3&L2p&UWf2}7S5`%U)QCpqs7#Sl(4O?mM$+$ZdUW+~3Ju7v$CfI@pH
zqBbaN657D}#1OLFa@0$Ig9@uP)WMGM&)1mIk~sT}6Am@>eYrRI?lH1e>{j|<h}*Tj
z2EY`-q4jn5Fyg2KmpM##VFdsPj;YVxQ661$EV%*{NZvKBpqAOnS&3FV34yzcDM$e6
z$Qv3kDOlTMI@4!v%glG}F`TCy3MzSRPfjL%wyLuwNwGU+566)XuuJ|Tx;bqfe^!F`
zWk}9rbn;_2$HLCkc<5YS!lW;4O&`IEy8<i**gOp-vr8WmMf@sj9iDAtEZA$j^Lce`
zes@gmbBphF_H%vy(FtEGU)3I8spz8rNkO}|R~7{l^}f8QS;VRv&u0x@aY{QbyFFf*
zknUA)7*Hf8Q!keh{Vet3C+l^1Tf4?-A$wh%hG*13eK<v8+V}nLrN?Ac9fyH^sDSzz
zdk@IFLgwd<&Q3YuRPOh48`%Jd{@Sv0fI7>j$|s7YzzF?yhdYtDAeFK2Qt2UIA}<&p
zEuRW&j`;VzesgpftAUNp>e0;sFng&4|5qE}n-_&e?9$iO)-#46RLRalD-?-&pyQ*4
zWWZ94YEaG9Y23&{<G_s2bI%}+v1j?uTFA6mVFOzBj$|vX=}}LHK^q~b-%7}r!{e+g
z{46ELx!AkY(;&0g668(Kk^$d#pvT2BbG$clVN)#^`??4FNOgYo9thsmbr!@w4?7@v
z-#`IY&(}>DDnF5`Ol8<zGEkW5J^OJx6nR_TvVS~ys1*4db2O|Dtxe6(`wf-_k~0~^
z%dBrw<S>R%?iAa0#ff^-J5|0P>TEr;qqsg@Z~k3aI_-GS>i@-w)%h2m5PH$m!_$5z
zI+h!5$8j^=4jq5A>7i#(PZ1E<_2~@5-w#{SI+P`U%1ZGrMy~{I+YDjNrMpaq(+^8>
zl1g7DLeX16+6ZUme6vm^CoQI&I-IIJ&fZQ@wxVUf*?D|Oln)RxC9aS%dUv`v)nH?)
zb9;H$axhP8pOIu2uq2P$e7=V$gny}8&_A?8o6tAOr4_3x#uP}wC2zE$(KMR(yzuSe
z6Y<r2z(R?s1b_*V1?h|qZ1G+H()SOwn(5b^_YQc!Zp!RrFkbu^Ple{Rptd-NFNv(;
zobES6jzdhTde|rv2vR9~h@QR{Wol!Q@WU=r*~W1#srh>|yBXU#{+8X3<&HnTpck8l
zuIO<xSq0Y?_klZhXN|rwsRk4c9!bG0Ee%nDGW(JnyB@Dc8cu6AU3w<<ZW0A?QB?1Z
z@I_L|5)woz8gD<mc{`|LkSXQk9hTaQhEvX7zJva&(VQlU@1G{_7#$87@_jPIjXq2(
zjtafsQLh*tF)Y6&oeRqDRaC8y+R@DD|BT)yU!xoXY406PGCBhhiM3&Q($`U4?%^J|
zO#YDO#TfolkCrd|mjO7Ii|DgBHKG{&gRCx&92szTwXuIP0(V{cSTT+mni*b}CLYzz
ze?C2`CCj+drh5D(Fk)-oDu!>e=+Gdl;(0v7ma;`uuU(e!`kZM3qtxU-6hP^$*uM&(
zMtTED$78dp${uR-ISpCV>6R$*kbf$kn9Pk+EOpe7%nd{ITWd41J_ZkwTEph7#tr7c
z!<>uy+9d@-w4k5O-`OSF;?T(W454b7JUduitY}{S7^9N_5q^?8WT0x_&~OrFqQnph
z2-);;htGjs;C!^av_@hEAJ^oE+ZyM=7xO}jYsgpeo(7Xklzm-O>jqOA&DYe`cPgiS
zBv0+5H%l=v<0F}m`p)cXSVfR%>jss}YiXbwQz+WGW|i(#9nJR3JY{)i8Lc<CPvkYN
ze;q72Dg0tbckqX&yKbX#?`rw0oJ|Noh+wN}vh8|Np9E;=F(j?uIxh&(`YC2+v%=?!
z*0ahu<7??(ae$uRI((JAa!l}w3ZCw}Z@bQh$8&i!IdW@7MK*kRmG?Y<ZOPUz1@L{@
zpk`QltB*6MOG~nNUy?mxTvL{B{Dh_N4t|dsVZQea${HRLJ^+zu85mG$!C9|#JX`Uu
zL`6_Xear#A%VCA8;$19*WM6U8-Fj)eocceXhz8z5;IYk*jziS-r1M%=W~~_?<V$R1
z2v2p%n=uhZ#4}0HPLaYsJ_74iCVBB?`Rw~<0nQ$f5+~E0WjU@QT;Liz_DjiL8e#sp
zBrg?S$zH(jqYYw(dU|~~p|2NDucgsO8VDh7I(gtq@+Hgtm`etK!w#)AUYs!4FQ5vm
zrUFx@!$6JMuYuDe8GGxeSvA!IMiWBA9ftN<Yc(qjEZCiFc5kT%@Q=tWS$n&yadyfu
zxYR|q#C~1sfKh1_V0^Fen+FUIij56!@TfTNtd&m0UN9!s?Y6GI@t?((OU#X}f^`0c
zU-x##<<#3aH{Z&B&Z?~U_ABhGEe4*Hr3<))Ttp1Ea*c2wMcE_Rj{6-c>BoC}*DRU0
zP*0XSTSew@(-ouiZA`0ksX9m8NkU(7cH%xf&A$4b^Ll0B3=X{C2)x}=2_gk7{!Umn
zQ<|^6$W3%1M|CFZ=j&Y4go%7J$xsJjtsCkgRE^37ulr8nbZp!C_wvk%d&T-7ELY-(
zdTtV((ot)^UQ(y{)tA+#ji~}!##vMMRsnp^?}>mjrw<!t#LIsld^jPtwewwYn{nS@
zq(_L^!M~5}V2zc#Ig1ziOVBqso_>03e)M~;%DS&M`(;*@?H}K5#tWTGk%<vD_=|AJ
zL|*UdSxtO4h|aIz+soZZPZMFhg(iKG{0?5c-5FA5CEHdVn%i58i*_v1%iPsyk69yT
zp^Vhh=AX|_Mt>&w(|5PTmYzq7Sby}P0#P3(sWo|j46xmcbWGcLQ0}vjU+Z(^^?1Oc
zko{urIjCy}lvc6U#=N21?}D%k-#Du@o%HIH9Kd6{R;ZO;zG8EtE)Xa_yNZJ;Ak>+G
z2iHSV@s)g|RBs6@DK$ZW*23<-UCN0=dsPafD5${mAW?t+$U~~ZmdTn~%}ckD0#rVV
zBtSen>F)pf1Zu?}fI@RAt3=HyQc^CW3>9GRTVN*TUt;NGK&sbet?S!=VXqJ35qjBu
z6WqNw+a(qA%PRNe!#i`rS{h~_L>BT?O?;{~FVWI6PTfpWQx%6cy_0N+(d!rUt=~aY
zi*fmQbyLd^rKrAMm$qlT_&U(ck-}maQkS(Gy8gv}ZY|Yxxl84`GfmdmWxgv0cc2M-
z?ct1u*!-?F6j#d*5ED*qI1NVQj?R%8uA#6w*xfZfjO@dE3P(cT%3y@ol<Ax(!r7Yo
z<_c8B$g|>g!@1m|sj8%awoDb&WOzy&6{>G9s{yKH4o73hTTkZ9oE$4!>!p_3QK-Rg
zi0Ne<b#~1#sD;Vcj8#ax8R6Vg0F<AxLxAf&4q7kFreO=Gzn|0s6vQ2)zBfh-y4n#R
z*g&|ts=J9r%N|=E3C%=k*M@Sziln*7rPo_y;fEoFC^=H!Pq@AhrB+Ub$9~sGGJPdt
zwa5FdFnh?Fve@c(<{ksAf*9x`iwS({OUl}enumv3t_iK4*K=m`vc>XEVR*N{$Aw`2
z(75R5%x-MihYiB9>j!DSKf#{+74&5WdSq?7yEjO3y5c}8xQ@n}QvHGq0<YHQ<E4FG
z)+i^s_wD(7f6(cvEY!8MD2i~>K|bUx<uqZm+^G~E26Y`hU^pV^By?2gtNV=bOD_|~
zH2^bC|269u@2<rTxRR(BJ7}=io9Eb@`1gY8rUa*`u`r0HE3>EHa>h$s)4;{GTzk$G
zniPwEB&tNlGx|#jp>3v%pIr%;Jyj|!I~}D_e&pwwV#-9WXa=T0FbEy+*;{ol%3k2u
z(rhYxemvZ-DRr<a>9zexRITu0E+7HAm7jX+aty#0c`i+~{9_8$*DUksWZq|S@1cZD
z$3alz^M=j(@Ie9;{YFQVP0)l?tjB<b!)Wg}EgJtEjrJA8w~9_*s0>^&8xGoTL>r;o
z6jOUABeDlO8S@rvx_ak1BhIkp-j9x~y9u=$Ssvxgwf1cpk<WH|+)nsJeQK|gY0hYX
z&TG5BYVPo+o;Sa%Kp8l7%1I4Ymjh-?E@fVo$Ho~_he7Zpd=_jsJinDv0GMv%Pk+j>
zgS!O#m{xE_4Ts%a+tRA}wc6EZE$Su{)}7Qhh37L)v)^i2t+Z(r*&!y4M*TCg7KxhK
z^lG0^Llm0WRAb^u`QMH-!B=O}U0_>Gew%<unt8g=VRinx?{Hub)^Cv9#SUVGb0d)K
z!dP6zB<~(|5EMXnofc(UR`jh3T*^m(a{7KBesEVCK)B;zU%%kzc!9<hT2z>QCx8p+
zb<yf7@}29Qk&P*`O%572N;S&yunWPv_qcxaIepWan1O8RK<1c!feYoZyy{P{`u>9S
z%K!$SUAMNlIB8v~KR}`zr?(#tPlu%rUfv`Eq-{;@Gri_|O~v@P)N5p%>5EB6WKNv8
zqgaToB9iagK9a^+9FUh1J~w3#Yu;-K_i}<?Z<j!U6`y-%iTi6bETF#x`z~EGyiuf!
zoMuE?vhzR%vY)L_MfcsXm}xetFJ5*E^ETYNyM6o`sDr!Tav;<9jENrXo3KjzdqMc!
zUSC*%h&SA_rBMqtlQuGk#u~E-*40#upF=~nKegd{fld<?Wxj9K*;h~qIvS{m`(9T&
z!4Cp&u0>fPxkL`)Q&E@rHD7gII)#b$ko|=j45I3Ve-;i_R$Ml}gzS9Yu`@Vsdv9GG
zAs!L<v~T87Z=}nVDOyzdeX*qgX7&eg3_2Nio_&7Y*;aN2z~VHf-qJsMPa86B(Z>XJ
z>Q|w{qiWjdLCH4qxBeQt`;vS$y&L!!NQ$rD$xD#oR(o!`VA;nwH>M6Wt)9CpTBGG(
z)!7M<T^*m^iUGE5?zddXz-dcUHCWBDV=APsTR@@R8NLO1L$MDB&Ls+GH^gRt9a@gK
z5AtpJ?N10ls<3%?K#Ml^TY^-Sp_DS-Txw2%t_##=5X+kH^)oEpc@-hlp0h8ZjQXtI
zD*=?u8L*Q@pBJ;h1^D6UCU;5sYhyrN-M<2*QF6=J5GL3~7IZwJzmr6PW|kL_WlA-6
z;xyFgJ9+7#sxwq;7zU|Ie8CFq&HhpRD)wS}MXL$3VSbske%6C&Dih?c^CC*cz^HRv
zG~BSm<VL9pdP*LdGOv-Z021oZSx#I0(?N`XJFqWeZ>y*P!pSEQ|K|BybohgSKI+C?
zSBS=G+~jNbY1{EY$!@OS$vlN69zd&%n#GJ8ZDTC#?^(J`sk>0`&Ok@L$KIq8c~^qj
znU0!0w~)Av__|+hiSEpTy3YEk>lwGp)_b=2r4GJEsFkI%7zTgaU&j<{;sw5LnD>U#
zaq~JFr<65s|JXm~;a7({?Ju-O(jQr7e&cqe?*_Nf1DKYre2?P6^;dR*azaiQolDfP
zw{eRQ-!6o4){zx+m7+j5iKQGvg*)uFkB(q|K;6mA&f3_iD%{v{PqHHXRt9bP>yT5J
zRUqZn$FQZYi}JdhTB~sn44;T^E`_?|CUMiw0TN>Fypj})<b17?a9N{IMx<o<#I~%B
zgHUJV+B`d@E%D50gbrDO+YT3-d0tp3m^f*UahD%Y_e#likonO;^^KKOw+In~v2}~U
z+cDcN{{85_?8*}Lb#ev31m1>NX{`e280}q~QaAID^n6L%&X!={Z#mw561C~ve8d44
zXPU6jF=cicbiqj=D;WLKWwop{de(XHWP>ymAA&`Y+gxf>i%;Y<EpLR=5=zZ8&FC}d
z#-3%kYe5{+{1-xD{9U!P)Q%B!SeaONZ%Ucu0<y3>X*Z?~ZS;1XBsijRRk4^cSZS=r
zxh{wAU%yFw$(RqmLmPhq2nz9D<Nz!H;myHA?8Q(~nkU1wrq8BHywOolXmYX!I_yZp
zR4WAt)@YsHWcLyry=yuzn-257`y%g^Yh|1zFmlxsTJ+evsyxag?r^&<r^44wVVZdy
zt+nC#(#rLcz1XW6ky$vI_=Bp@Z1pK^xbq7<9OC3YDNMPRuOIr8!ouHtKI^Dn-f>yk
zn05G_29`Y|(CTIs*rx!JYRpK^vfah%P)lK9BjL(U#$E7!yHn~@<*on<Ln|eoI<psw
zn>FUysImI^fH#QVh+{*o2Fov*?t32D(6u%FTjXWn>+Wary~>m9vuZfwiY=rb`@)dV
zor9dcO{;X-UXzBX1DNcp*O4+c6lm`2Kt_k!=()eVrd_Ow*`{9KL-2EcW>jc&Px(_(
z1!n70$QB>bLjy&>5&~5d61gTm!S-sx$bl$Ma?J%D&WzPi)^p1t0v^L*;n%z2!+zeq
z&{s)W!Q91Ir;0^d^(J+v*5bqOE(YuCwc<Fn6|(JV0}^F!F4Sa%T3|}w?Z@5A4v8!g
ze3Q7ZD7*-OtIP?v)6RNA@b$0JD)W3T$-FBn5&$#43n=uKSXzgLidE!0Dy_gw{?kL)
z#H!&FnvKZ7*Ve@A0>lx)k6w{QkVTRvAIFkDdwWs^Bdwc#%`D_f;FTo#A_zp)Wei|q
zUg#M~17r*2Gv05=-19a~RrBvg+DpO8mIHW4j<GxHWV)*0Mh7>(w&gZWdpteNFJ^X}
z<DN~bE_&Fk#r(YZnHSIN+h>{G`XeB)#!3<g@YFg5Kof-aLj~$aSp;vijcZEt@%T2!
zCMX^i#5^9oU%ra*wi)fA(zxijB4)NltDJ1rILt3sX_<eNqG3hfk~))r1>KdteZdz<
zVUl5u@tHROm`!J0<g8^Vg?lDzrkg}j6Bhq?Y@_QZS0*t(!O>e|=>R>bDlvwZJ)`sT
zLpJL;ub?5OzrJB-ccI3qN8TsF#`Efm+c-OZPqK0)eas3g=cf}JO3Iq65ycxM;cFVt
z*TNvMO69jyv1AoQ+`oiJ<^tscERI=$5PL-n&*gCH2}*;d)}4t(^L;_N?$maFl%ycO
z>GMta4dsDe)Ow{%zZ?%%WXEAHwb{=h+51~FiwIYn=KJ*F*6V?iePlPK>GXL$!iDb$
zq+d)1+;tr9Zo%y&#ko{Txa*F2ixyMPt`7z0bWs&VYN*ecv6()zJ<uF0OcSz%L*yZ<
z+j?Fnx}6*H%DNIqFzbx2gK)fV^0o^~Ar|XJ89^k+HrBX1HfTD1-?WjrB0A@)2wx;;
zlR18OB(>kjcINMnb}SW`+l{1$Z4rqvVT-^(q*Ty}%1-V!_xjx~QOoPz9hXL9=O*^s
z(+A(k{H6%5^^C#KRHXZbZyuzj{(<NbQsER_##IJ;WZCOQQNvy9Lu5MljNI%qvNdA#
z38Yk&jBrE`FGB>s4Pht?gkeV=Lf*##L@#d!f-bC-6xv9j&@|FWx-nrs&Thi3Lz3=6
z=i`;2zK4?6x)7-qTj>av5cysbM#)R+86c_e%oP13fTi6Ud)xxuSPCD)!O+}=Ms>~c
z7=2CP+2i;l<X7tHNv8n(L5W3m-lj0-Fx1oH^eBQ*S3;mjlq^q`fhz^+ixo^vd6%E`
zq!1onc!=U9=r}J)#>stmh>J>d+QZbb^{LNGx7MZG4$2%NRwEpbkkl|;J;NR-OYPM>
zWF@W`;~@aA^F^$+3K2c*LvNowuDe2Dy(W@2qMm&Mu#KCw5fU5;u0ED)teF^7ztXmi
z`V&GO#qy2d=7;B3>h0vjaR&1R4B#HYSs9=v)b@LRK>K(fZ_t+>=*RC_xOV^`Pd8f_
z<J7a~#sk5IS<9v*z-)uLwsmlq`!*iJU9;la^t<NfkEM<fk5I8ri#n4VJtvA|MH_tT
zc$dqTE>s<J+V6c<zv?}e(GAJZp$<RO<*#|Q!~lGyZ?URDT}d2mq+xqVhqANK+pi^j
zRY<Ja#NkXSC}~M;-6^oM&PiG3RD&i~1;W^^Hm7q~9Wn$O|5e;zSpEz|9O0ep->A1)
zlSmo@R@$W5n-09$+t}!0KJRE{r#XAqq&euDpyNN+u7Z(cHhSNYXIcpYFa@w+W6il#
zE_n?sq&tGGB}B1Z@m_Sw=$SYuFK#TQp?xDFj{`2T`?DKciO)n!D?I5Mf|RG&_w&&+
z>Se@GzTz7ArO-t=eIe1%1#FUj3NBI!(>dD^r9k#6z;ds{iIYEFd!e1*<2L@<A^PIm
z<Yo!XzN<;KBuGJ;grW{)ebUNppX}W-m0_)>Q?TphTB<oo|IQywJ<w4%<yIu|;aV0k
z=lZgeDZv@<{yiYLlTyS^w)v3oqpY4yUv;B-ceQp9oyWapO9W9MUizU?#Axcb5jEMg
zHf)o|NXsaXP4#x5K^-d1=)&=#;OB55@NZkJhC>Cyn@R+!%%uhQ8)DmhaBe^bw7hA)
z&|2n<HQ99-xswbIdCKL)Tuz#$Rh)pQcql;agxISu+juVyI{01Q!-PIg7yJ6OXpghF
zN?9^@sDVSLxDF@9H>b%0VOOBMh=j+bOGBJRhoooNqjmzuaBEU)fJWL_!DzjuA#+kC
zjPDE}Va8h?gJ<P%Pqo=7cYL&^v{<e!tMV7cO!YEmUzquHJ?tSH;&lCH5=wtS-)L9b
zbJL;2zlW)_U+Bb~r2#4U-Zq`k^Z^o4a@OXOQ25ms;ls<>&E_&2wBQAJw37LldGFBD
zvC?_IIobd7$Fto((;E#&VUXIE3G&!GeMrUo%XsS!@u?hUy*KxL_D**q&!ebCS0o~Q
zTw(B)`9<_Cj;-ejbc}j8=g&S%nHJIhD+o;Xo=agV>B;f0y#5xWSRcwk_7$CuS<aEn
zHHGnbwFPr*s4%S<-pCBS&)#-3N0Ro3YL3UqdFZ{I&jHHIyzjB@l6ZDmGkCpzyWSVp
zsC>(mM6?<to-5L=F#6EgW;y&Lbq66;CKzy)`TIZwD8pLwNlS9rYc~-X%w-d)!}5ta
z@CPOISx-5zZB^*v4wub;5_cc&!rEO--_2!Z&isTan!kC~J^PPU4F4|4G~AP=b~0cU
z4eGIY%~*7u_G~ZrW4vP!jiC0Da)Mh+(l8XtdxqdPSU`qix|9Td)}XwlE}y_&LU)f;
zP*an<)86UL0;Rn0qXPPE{F*GkV=kYc0IvmHd|mr4gy{3Ah5(A$q`fW{tef@lz^OPf
zweY}-RvD21+Wu>{cyS@dRWp~?;r&~}VW8oN`cPhiWH0H1k6D<F>ikV<hAv@JQpZ2@
zZf}!R7?-_gi%$n_LGot{9>9^HaSgGfWu>6S39a(xA3<~x$Fn=-M_KK=*8(oMo>t5B
zo$NSyf@ZZyFxz?9qho--Hcg^6?ZR-U#r{fy^uD=&b%v`gk<B_S)|;^Ou2M+wqPHt2
z$ujyMF6-xbV_FX%CNcHB8BTwU$O@R8abO%FAhrv~p?CgFr0G<NneJ=71c>6Jy_K^e
zi%hS|;hA~L6cvX%giO8hg1QHO!+M2-wM|4v!73J5<<!c|`h9D<O0!*ssfvsg^T}BU
zotZdUGj@$RyoQ$wdA2#)McN&9`f`!}E~{nztK%&zwlvXos&F}_LO)LY_aOqx+rMsK
zKZ~EopcMA8=x|Eq$r$%On;k)0_R|Egu@$+he|ayb<-~~iN~~uk%@JqlVtu&{{w4A~
z!}gP$T`K_havJ$lizt)BOA6j$Hb*ka@5B#+4_n3@vLb2f8?a0PvM`mUq#lBCGA=f&
zrD+R>*ba|@$Gqpw{l^FJn}tlD1z+|MS)T41tQ0o{#WAr?*h?Z+%i7F1VuX4tv6Vx&
zmguU_H11h`ilZ!5x=rSIqh{}(qE5z+tG}gOLI)D9-Hrtv^-!BVVXn6w@cx|Y$VwCH
zD_<EY9wK5ueirKgHIL6yJN<?-;;>OGTP9HEwu24dOpJWq%|A+_GnmW4$ryGnsg^c2
zv?CkTdOX0hKP<I>YG~(so6D?9+c^0XK>#am$!K9QFho0f{eSLg%M=i0u!#^Ljd&_Y
zD3ETlEK1IYvt80*=cJ^d$#-CDaFI7oDpx8vPlBVnQQn}vZRJMo)s&LX1Uuq@aPCmD
zX0IOMC$DP|As%e4-2E`p;#4+NF3t8F7A}GZIhv$F&)Z`(gmJZ@p$L(hWMjf-E(<%Y
z#ezt$h_9T_)yGY^#0#G~cAY~gR`UR{u5Dpw#8ivG6&cE{M*XULi{(J3K#u^|05^C6
zDO0Q?APhx3h&;@!2Qpmnb&3Ab+-ps%W<-1T*++0|i6JkEtYD2nCSciuNz`oM>q&{V
zJFR<egOm$9=x`CK+tUMs&o<eS3T>i~L<Tj{?&Oc&yjoHEJE#RF*_$C~fkh_q#W0F(
zj?*yGP>_8A>*^3UCL0&kNpRO~^$MYBD_CoYl%OE}Xuw-kx8;PwA2jx09-CC2b)8MU
zoFOAYi`FUZ&fnAOX^-V>qxbg$HxrhUrU~}mqJe2?i1ixnp9P(N%39`a#X2412ILNR
z+dlH{!A&jl^m3)|((Luni7}r7XfQ00JpjxLl$3vkVs0^C2TMEsWMkTDs`rhETWp=S
zjyh;^;{3lC1Ji`C%eR8!ppFLfeHYYEG&8GzMdT2h9aoPrx*q}p1^p;tC)BnY+}()Q
zi#Fxt8YdZ@0eYhu1$G|hpyREGkB_PYyND-wo@D0=S8c%av+|4*nz+ItDog?X*T+Yt
z!kQXpcthItjdA!IQvCSE&<R1WP~lbeJ7uFRGE!3GR_MW+Pk80FIkl;QkT&gr9HgQQ
z>a-Gc{0CLmFi)Z9do*GTCzTUyN4qIo$GyC9MtrnnO?`-&((#ZAn}q2cj#<=gXq~*-
z{LiyjGTC0|UmU7?@s1*3x38tE2xylxw|W;9Z5KQar2D5<2(NCz3sKkyK}#}`VtLbt
zv6X*P=EteOj(~1n9*?<-X78@2yJ+GxjvSrzF$OtppK%Yf9r&Q(kAZfJn^@sro9G=*
zT05PZ%s>bnS)u+)`oxS7mz2rm^`jfBaX;NCbInwz&$lcY#K6@mi1q{lu0g_u5{%r4
zO^H9ps;gaQ2Qs78B*+uH{BUoyk6|x$167s#z4SecR9dXqx24SZTeLg1TBLRj5XpdC
z*90l|_F8ZwMa`<Mk1UD<e9enh3L(tP4aA?K^=Ue_acUGm<vN|CHnf&J%z>AdaPIRD
z7U7U8AGUProFf`Ci}peQ;QN`oJk#L}`a+@lES(ffTw(Z1yllCRobWEaC2o#a2pS3r
zdt?gilvydBC$+V;kZxO_#>v4q!>tsz5gBxvR+^=P>Eev?Vu^%(kL%$&k|W9G?>4Oh
zELk4P5~UfEe;o=vzSx@*TL7UnR0Y$-Cf_d7hE+e8sTEd?B&mx*f%=#V3&90^QG?>|
zCW^Y#H*Eu3c;)SX&Jj2n+R;w$M4d-^7iENF4!qcgW@xc1z#!?Ri}k;b>Rfs_CU9}e
zo;o_|Jz<2}b03@Z-IOUssn7>kVq!}DDm^-T1dgb?Ie^O&3-{Miz#6Dt$?iTg>z3|K
zK@10Fgh|0}j|Wk?)AS`8sbVe%g}w?f7<kVe8q{#18g_*zB%ow4!NX&B!t+t~JE7(8
zL$aFL?UE~9^a%n~iF$aL8|n57dcII&cH?lRkH!h)ZD#FcI)4&uM6;}y3XdGyE+@2R
zAGSm}b~34xd*NGBDfBM&B)a3obbUq6{KN5IveJgjWV?A|k?vB}bg{b<q!e`6sA^z<
z7Hu<rI_hwNS=-iZGz{vGcijCc@T!;IWfxD&w0NdIsky(Z*G}=gCqNG|TnZ0l9Yb7_
zCS?uT|NbU_7mAhA6QVyD-KGIask9P+?JgT8Tz~k+V`49A(y;dl5uh*S5-#i;fS(nv
zAdU~SbdNJADPY#w2?S?L+A$791PkERohVR8h_ddqG3{TiQpZeo$)ufY$)tr~Qpw7q
z)f9gu&fVvhMZ`)%g=0G3#e{XdOfN9kY;<aHyJQyJ3A!P@?W}%LFc%5FwB0$XGlzFW
zuZYGs>`vxt)WnCn(*Y@G9s0(5inGmcZzP*o221fa@^U0caAl&nt!pkq8GT-M(pFT$
zv|gVIo77#P8ewrLQ?zwU^)eF0qDRDZ?y%u-5ISQIOj)aITFYAesuQKJbkE7qk}0Ye
z)u2)#{X(Xfz}F29L!Bc~Bc<o8-^btlUlhO>-^8z<y}zZJ6r~wMfn0u6GIF<;*&(w2
zH2qB!X95I_V9N@F#5FzIDFnw>#+Ri_2B0X`f&G+7!yIbB^ZFUPow=8yv#u*|oX$IA
zLdWHYTKx|84)xy8`%W>+D5*Ge=$0;pul^{RAl_!Bf^8xt-%}eJRxtpGZ_qyf`B2k_
zU)6(+m{`u5Q!`(TKglnXiEe-3;rDSYHQbOVs`|;)a&fF?jrnap>#8l_CLdq}Y`J|M
zIYq-uaucKNRx>18wh`CGIeck7q9u_4p-oTW?M#1Yh93fnrk)GqHAP?ZWejaTXghKC
zbM}>BRw6rh^pQ$beX9(bU!%q9#@nidXn(SWiLX6;CxEj;KCuKQ0Gfqe=a$|+w~3ko
z4(_#!TAI?>0PVfM5dkonI!jIcw(@1V@%x-xF_SomCYA$ONce0|Dnl#L2#29%pOehm
zI_)Nnj6Z}sHcGm|0Kl}+LpE#k<*f4&Gz%?;6eyO-frF)TRdY*pmKAuWae^3)JLN6c
z9*i4TJsZ)~rG(pUi9hL=@DK)CDth9t(60KMn8Jxy-I)fzMhfaeZ+t`ZFXl2K7{0~B
zSW&I#R-}FabE(8}?fHf*%|lPh&hc3go{R44)RUZyqtEAQqL>wO9lK{kRef0>I_s#R
zr(GW8OtF>w^PjZq;W2><ZI<tFaST(?MoBDSL4UxI1}{H@7+-6}{{tEFndhEyl^Sn(
z-CC7xwDi=pr}Bu{lkSzv!`y+TAOWS7N#mJGV;55-c*<|Lib?uI5i=Tdbj{Ao!p)PG
zw+XZV$<mF#Q(b_*zh6X&XG0s@TRPq6N8nhB@d0LqHfl)~?5(5xycYv5C=#Rsm5&Q2
zMJMZ9>kr6|8+2}RLRzz@Me2T08>W(dF>||m?7&Q%CGVs`Yds=3nQp{uSNGrwH2Tn&
zwO4*3ESVDdXBK!W_4A4ndZ6gpjP}RexE4#Ke~$qp4EROt4vlDH*ukhu)<2%O@DUa|
z6;OPS@3eNO-XkgyKil*s+Lv;QMYSIe`OqB_SyXygtfjri3<Z93dA=w%(iurT(ZIVL
zXnifHygNlOioRwn#mp_vFU2g6U6JmK%y)IJ+22{t(rN=S+vEEhilJ{2?W5f~c9T6h
zPfH%7xd?CQTl_5?{#e?5WW(3HI6w7=LE;8!X@so&r7{&K`^e^ziiM~n%+5o@;{Rjs
zJENLvw{<@iDbhij)KEm}9qG~pq^Tgi7ZK?o5C}!2g^q<L5JZ|v?=AEW(xvwrdI%)}
zLb;3Y+;h*k`#WQQXYXJ4$Nj@#gpjQDu6NBf=QE$@nW^^&d%>Ed<B8b#Og_Dp4-)&<
zk*d*$LE)y?UAvQ#4-1xZYty&51In0bsZd1v+x{8W-^aM9mZz-aFm%&>$yxsBpXk#<
ziBK@gjq13*6o}<sZ2@m}_WYHfuj$GDRVSE0{`ycsTHv^8-4}CCc%>Fm*f4&t2*XsL
z+a#(Z5mbGJjio=FLTuvhBGS8fKfz}mf8-8TRHmn_A3(bvcTL%?lR|Yp?)m^-4g%-e
zHNA{A&k1v5{^*Fgi55J@G;js|Dh;vUevpWtW;Jisk!6Yj>VR8Os4eFtruW>E1<1v(
zR?IZvbq%79$yju%3*)UHUSzO-VBws`{JAIiyS6FKOk!oK_M&XLzqQ@!S_)@eQul8T
z!g9iHmCIawX!dQCI<C-R$fOW7^JVsFf4&#N3EOXKW5%5%JNMLrrwAr@_f7L~1O1wL
z=nC12Abz49{#S!IGLrIO{c$!mfZ}uC7P&KOb3vDw)|MK85lZGbvW$-)%XfjJo{X;t
z(A}~Q8E=7*P!p!KezhO}<I6(xIYF=`k3vNk;l2d}zXE=)Tk^|o-aL?tGTW1ASN!%8
zpvu@HUs~y<v&y-qyeoT$#4ep#2*}BL13@BWs3XfXu|+OKF-kGV5M(C({q^CU;5ME<
zh}wW;YSHXtnRy9h-8P??8!>_Geliu@p|dsO+g2#Q>HstS)(3W<3I6T(C!#Jxp~qmG
zZw-Xhg!fzBbG=wN`LnfEwGEI!pYGRHMevwdocmIyqO7up6If`A!K{RA^0{npL<?$B
zkp#VbXZz*N;eDXvnMS>`-d@jje7F34s7O$X{5g%ZiXjMgtTZ0~EPNlrnXb!uQ1puB
z^LFA5EgpUmrw8tp6OB}<iv*N$$v)Jr>}B(JCJ#nvO5q?7tPrna6Z(>jVkXG2S00Sf
z>hnBMzQY=6!0<xp!UC^<II)Cz`$NJ4EfHC-hjwQl?=fHBJ+}50$;TTf^AP0eP(O6_
zb>K2Kl4{vdP`%i!K}h+x;o6<P0y2Ic!qEZ&l%;8*6OTXbo{WJa>?Xk8Iu%&-=1)gm
zuz$`Qw<q_E@WLO4JTfQbsd)!b<mcdBL)=9*tjDwJ^osRR@t4MOR>(Fn8(RstQl}_u
zklBZeR`=+KZ3+5jo3E=2-FEpu`jM*{w^UlSJqUYS<-{|=f5%Ce=bKdRLeC~12s(DK
zhdIhGzzA|XmcKWaUT~A^+<zBk;10m{`(_ggbYhb%1WonBVX~SAiEA+foZk;fF<<t{
zDGXN`X|@&Q!h96UyLO-dXAn6!`(3pgDWmMpFd0f?veCBpN=8MO^(kxIaFz-rZt@r9
zozD>clKq_z7?5@)2KzKt?sH4z<2Iq(qoxhT1CT-@LO8W5@pM0v(q}TRzU)A02wFlO
zbvw+dmXvPGYWDJ#U^e42)1Znmn=HeUOwu8deeqI>DU7VxL~d-}7+?nrU%}M_l%?Co
zd>2T&UiMYI0GZV`D(tT_R&%4L@~08iRrlLh8f}m{=-FvfVlI@UbM+YfuZ`4E@^~_&
zcNN9Tm|0J*7&()Q-?{{%9?)VTNtsX_tiQ%z$;DhuX=<4%h=rQ^_1NxRkUlvn0N95M
z?V}T{w%(((abRZlB1!&h7--=?V4%RJG9Pg-TNqiKd{%hC)!BJwIP=kx+~I*NAl(=h
zhziLizIEYHRGNs<2*-TM!y6;uIymSy8lWi*XY{QJbW5w8=gSA6ZAf3a&pH8+-fv7`
zY%-3HMzs$!Id;9gVDX0GOuotHZ&#nIfJ+}64E7=OvF5w`a2i5FwOiG}B$7iQ>gYmM
z5R(t3kk{g^Ta5F{1)ylq4)d)LJ5GeeXG&66A{I-2qJS3iZ-fpTp`1&%nSJ*`8D4-s
z<LzA4&N^b38J7^>`^f{=?cq?G3Gi*Jq2v-%`5_uyE=8smW9p_pf))d2T)||{)g)q!
zJ>KwgiS<HY5|J*<4L4N+w*inynagDycZDH-Dnl{jsV*GLlg1-0=mP&xTOfkuad?V3
zJd<=(2T!nEmIVvyLG}3<lBgyVR+w?wCtYfV8V(MwfeGYM$IR=j7>2GyJ5re=fJB>O
zcd-Q)$o}s8q1q*J=FF5Y-IRv3d(so!-j<~yKwrnlL#QJaAB^bdts9F7X!DigIA?pW
z|7)BoRmB4zb<N&vc=ViP`qN6RR1v%Ml&Sapnpwc9tsdk#0qASjr3pel&NjsS{#^$F
zspfgRE7>0pqzkHbwuyn(=FT5lJn)hkVHZUw{T1aRV7u{N$C1_0`a4~=GIkW>sVgpT
z2(3OA$crj<Lf^k{en73yI(h%DodAv{G^OVg)&Yy&WrY2FPxV}`J6~e@<Foao%fpXN
z%&fn<%dRC`grh5Bb9V|4aO`Fs2$Y$oe-)hX3IRaTyiH$3@($XoF^w#)C1AkVPs7pN
zf!?8kb>!+R^GCa*1+veUKnQV3?d0SC#%I`ae|f0^J<omorCT&)LULNPK(UL&Il~|A
z=8A8*p{CuvZy|5d*$@HofZ=rl#Po02&`d`|onHCLry-Jt-zcUNW9prE#trS#KlVG#
zfB{tx!i~T5_&>b>e1{30bp7P;FS?`!6XpypdWB|+m&HNf$tl8IL&1>yGSpj)%&<j4
zA#hM7EV%c$%kO^7xi!)uW=dp`+al*8nH6muLDoNy_lA5KB~R#N4l}gWI2Y9Zvv~=G
ziG{=@(opdIEM$`HtRhNFa@(=|Rbi2R%CX7Jvy(TFrc&m+700qRuY>OaSX5I-xd5V`
zB5LOQQ}id!cJ5`mqH$~hN7wALFF=dg=cdI0>0krO12}mgrRc8`N8v@HCt(mig2Obw
z*O5~W53>oF%l7MQWxENmRhUX?d8^tg;Z^I5m3zMY0Qu&>DK<6<RH1gX>d|%<BJN&q
z?k>4O0WsKTdRJppD1cg+%pLDl8neYoOPwADn;)4`>l<16R1b%pE=TMXMwy-+)~x0)
z*p%cx+*!X-U6&LFUoPJ(9ZM|oK#a7&z!?A^`C8o>do>B@CU?BHY8BH=HJc7Yz<MU$
z$D;c63Hq0iy#VyW)gSy{Sc9l`J(2Tmfu8*bSMVdNsS@Gr(kGKs$CAa!P(L1X@P|;-
zBtBEPT^VpC$4Ct>*7$|%cdPSPhSLCLUD5Waom@3W4pXJfpMvPX)JE75@@Q9tcUx=>
zO~5CbKoJ`uN#o;MkCwp58_j&&Mo^lAS3}gr!Iby4_LsPVCkK3wpfYlX#dnC-g}$fS
ziD|r43=ZEp>|zc$%5;B~;z@l?a?YMwR@;y0+J+N2r-x{o*(SUk@of2YoA3Y^*HDE~
zYO`I^MbGfo59keMNX6dt3WIR76ED$MJ12+HDZih<Gql)uwSSSe;OeZp$(NK}xc|{7
z?0MASXwtTxiLx(u$wSW0QiKH2opKqy3bHsMkQaM_el1z6c>pR$>gxQ^pN{NQ$Ti*$
z{iy8^FI8h*fHG{WSvY}<YfnzHJ{3Yh3E%g)ZoopABSzhLg%-&a1j-xJ5cE><ijVA+
z)O=nQXI#q{LF+A!O#PsC$U%?N#(_cl5C^v(*)b|?+eKBzjg<&ieF2XZ!;6y1A_@p7
zfh-2$o!7au(jO4RnAIFZ!D&g9v2ra4a?-@p(Dk_E{i$bjBB?p$3HYct4FFZbCdt$r
zHJ>?hQ%P7a#34ng=gtM45}%=hG`$%YbxVkXK?`Xg?OS@G>;Vt09nVVWS&Qs7zAHCg
zBSyCoaCL#vA+@vgPegP+4FS(C)X3dd+=#WX0mL4M7ovN|(4+mY!G<6v1v8w6$)ft*
zEkK26FK51)VF2xFlsnsCLoOvqTams1Ef~!h#I8*{6dg|$*6JMyKCV6k9u@vm*3n2#
zkY?d1>()nNybLO<1PFfcw!Fol|7y8lhEJU8XE`)3QHJY4Uj)x?*PT+b>>p>LYv55>
z*}@W%7&FQuOElBYlnRtEF=T_0+smX9t+FZ8Ub6X3-71{;1cD0b%awPQ7%|KT%JFZI
zq8D0wh~fs85q^aHh~0FzT&bNTJZ9Z+qpKt!f+I;)Zirx$el+f(RZ{}~a3saD?Ob`Q
zoA6q2W*>h(Hh#cY%ElCyoIQ^9=ja-|v}R*}=t-nq?k8<?yKoloHQs^3ey7jNvs6j#
zxvrD1?@752eg)vaDjutv4=+$+!P9A<458?Ht-pU)5+m&)b@n^Wy!Gbjo=1a~@*UKF
zK(a{EpPh339PRl)b@BoPqY?$AWY#%D>wm3CVpyL=ki}tW{JO(XB(DMKNZ)K12#<L=
zY2_N5z}n^hc(o+b)4b#|=4j9_MzJCaoBqw!x}plu@Ep8PhP(3c{GBN-D@^N~a+>l}
zA`an2fpdKuZw|PuQr*-xatR{BKj)T+FWg%{GxrC0Z;hwZ^;xlxDt4TKWVFqADOtPg
z<o^(QZ4aGydVvlsY?|+>*{szy)OnBZA$K5-M~luEs@dK8!GOI`8ngXWq8i)Btbcs>
z`<nRdegkBJpia-oo&yLw0QuIs{t5scTMEn3bpg*k?x4&9caPb3CiViF=s7^&1|%>H
z#swdJlyEU~`Uu{=1^r7Y0`YpIp0fhxtS2#A3VEhU;2ZgbUA4_O32U&-HO1`qIs~Yv
zURD8<^34Xb7NOikLTEtsGGBYgFx1ufoKL)&e#B0*mdagtz0aP9Noif(rSYV*H}o0f
zrLz!ApwrwtzeH%5Ygr5Aabj21Vn@hDJM4==nBX7k_`e3_iV0tu6_Sz01><X#Oy2rx
zo_y|e2q@04$@7CiUDIj}a_<(xiu(S_eho4kzbsEQ9KL(Zjs8MiC2#Zik!Z4Ysq44z
z05LX6v~u}Y2nXb7nvL5~x$jzGi2*p(XB9-BZ_C4oIUIz`SnB{EpHacMnwV#wlN(5!
zn23RF?H5TaNyhWgz)L_$j*YitZ#s;XV!Y)z87sB7k*KYNEnV7$?nh>Q@*2Ju98n?q
zJHkSb_646!1=T}9a41>M1R{~ydB*>g1Y0tSw-?xatqJGn;yf>(ne^cv>LxsWxqS_o
ziWOw?;vJ6HzXUY5=fPU4I_<S2J{_aL32vieeHB#?cpyi^?Ci%n+7rg1c`u|Bak+m6
zhyaqI-ZW80DX)TJZ_ry|`&b$DBt@}uRV>1%op9c8QdV0dTzq8T?H$#!Od41t0HA$O
zR<!5mnm=o~4jRo(PJ!L5+h2ZG##9E6txe;jU9jA!i|p?X-=K9iicjrA@zxB;B!-I&
z`P+E96wNYZ{gXBO!}$1VNCFm{gXYVb=sOkQ>w7f0q2j{$k6+Wz2Vk9=K4TyFy`QQY
zj)b(H2@nG%3vLx_FI<+z#{hH(Rum__)g51%VT6>CfuN7xe-~fy6Gjy^e&24;cgesF
zB3f%E>uk8}+`i@<=9wLxN4~$Dgvcvem4|svB?oAbUn9wSpUL8^2M@n@NpjCd%#=xk
z%nGkdl8mwhVI^=e2Xi>;xgyysH{=>qH1R!=Zq)g2gSJ#QhW9V06K5dGJT^|-{@p-?
zMP~_5BE}3M%nx5c_1lF_ay&VH7v?5UZ%d#T4K_V#&P-4$vQ<c(-9!3|Rvj(b4rbrl
zI94RU7+nziP+|l!dw!8|B0c3zb^xUr9d`N0UU%{tfi6G-eE={Qo(Gnge!}PU8RrTC
zGo-bHee!B94}KVi(8P9z<(b-dtjz`aqY3hVeldI7L*=}&?Q-IjWMU=g{r1*!#ZRvh
zXiR`6eD++ZaZi2WiKE{05x0oyhEHedUr1a<*^~2ip?0?egntPHZ+nlRdi48*b#-%}
zQmzr83MPq2g|8Y9A~oEoZWgBd?(KM2&${>3(!11w=0vUH4hQlNZ7Tctq>_ks@*+N_
zq&nA4$y^+bIv-^BkZ6-KehQM8Ha11qa|U?~N_9EaEQNVd%DKplisq5U1^pV+Go4Gi
zL3-mBvtM)ghZsWWGuJ+6;~drw1fCoMuV1yxLLgX+$lcb5&SDM_-g}z+p+X1Ip)`0&
z+2smw!Yj{AW1zh)YifNdP}36SP2}Q%$LRNLUE<ZV^`lWO?a;?kXbl|Uo{6Jz$K<Y)
z+n%c8uYS?;KV1<&rX!CL#YOuJ$B+v>(&h=PIlNrxhyjpSV;Pq>ArlQ-z4?B!sOBH$
zCs+WWfL;_<O*6BqNx70K1Wh@m1d42uJ#!I^4G%Jb6B?AW;wI{Iw-fRsd)TN=N{HB$
z*jlLy(#Qr$_RiYZ<A~j8!h_OZC`d<!Cx18#_5_5?q_-X0)&w`S8P9>};dk${y)}Y$
zOZkh>Kr|zdU32^me(t;FskcF!KzV0gJa15}301C|36Sz0Pq91gr)!q?>$Qjxm5OgW
zkhc6ISkwe#GO=o_NIESIB*3@h;;V=fe$B-H)_dG>+~t{U>zYF{d8nS;(l549z+TJP
zZP$ToD)!wQ`S|D^3kSZK8Vw<;p!)%T0r@$8YVTdC<!&~HC3|{nJ*dizynjUDxWhuE
z<^$%|)`Iwq5SeyDN@@rj_p(V>7gYe>2ld3oHebA6ijolN<W46io;r}`^W&`AX^JhG
zU4|~J8L8OY<*>eGY!TIR2jY{HlW{^vq)77dnQbT-J?omWcG)Eny$gs1j$uZ%c|`!%
z^G9-9BzM6^YMj7cUH%>$&Ov0y=c?JUs?yAX;Y&u(qvx>!N{;3MDPXIMhO6E>fUfyl
z^tqC0*?er7^m3?mR9wUwcBek>+6hCELaq{#c-xREs8BUgq?9bqR{4k!;Escy<uT@H
zw&m+M7G$O8&RcLE12R3kna(#M;PEVd31no#ETYx3>VS(I8^`s)g=hW_B4wKnnS5!;
zep-_U!R%mP{rV=@R7l&9X1B@Qc+~<KS~n^)%b(I0y=MCuN3i6og3Mr?;?q*nFT+Uj
z&vq8NJU50wGPi*ylo1k>z#td8Xr@XZJ$&hLX;sc-<0RJ|_Bp2dAtv<_?;_ixir3B%
z_L!(e++WBs#Wu+e=m|z;AhbCqs5d9|9d;D;Sli1%);`*!9(gd9hozJBwjUIvy>z#Q
z(+auA<}vCdHId9fPLlO{OuA_bLv4tB(h8aps{(=M-MX0dk%piABDbzWghGFWfP+GE
z|1nh=k|faOYR_NYFpeRM3r?UdUecMrrvzqLt8ZKIu!DKX`!>r|FH~*0mWlo5rDO7M
z2RZj}P-`E;D1<|DIHa9)Qiwt7HQiYxaw7U7`VnNLZVQG87_t#?WiemXtaJX1UoOT4
zKe>ihi|d@>YFs$hCC&@0O_eT97vskpjh<X0Q8EZnn!E<}4*YQNc*(ZSC0B1hT;*#x
zvrjkacVa&ai{;awTA!Q$pi_`_SZx@T!yIP@8q5PV47%&F^ZwheKRT$c8sSQ_e>B}9
zm3}~6PYD^Au|=3NGVzyOUKG3M7t}>&kOtCP7zZ{G`@Np$i30-<ka8((fuy#d6cVn}
zv-qStc+)P!e;r>@ZR16Iboqc-zUgiOty9DCxCg!6_g~C_;DZ?!OH6*n0GTa4R=P26
z&GbzKw|e*MgJ4;rH+ZPw`>FRWp_iz*k7Wj#O#IVyB@rD@piuk_d~=?``cz`;yWwos
zQj@~8;UK2RcV8>xRPp${XUD~TbYDTzlEFJqD}DAoA@4>b7A=Jg4fQK{dCd+n*CQf7
z=&Yw}ov;7^lkA=YckA0XvLi4$6=bBvp};!8QyundX8|7OOTG3GmIV0=*Lk`jV=)wo
zB*w&}UR(B}z2SJ>_!wT^(Mk~eW87Ds3HlmEtAq_N$p$=uc(iuEI25@-Ed=1iAod76
z2?=L7fhDThfUNsP(<BK}0^gL(pY^i6Oj^Q_oYDS!oMRu0LkZY5S>Q9#2~N4s>KHaY
zF-Ww%Ge#8d;kh?E<?;$|OG0mpVb|2Lf*IPbklN$BM}v=J^_<QO2h~bRq^Hi?@Hy2j
zjE>PWt%?hZQ21g14bPLCPO$)V!x=R1!WJ};Po)zZ(||PmpuLc|vMDX@x*dsVVV>4g
zC^pVNp02i{Jcv<TE#;x+bOwU=j|qiw8n>bz&c62#xYVI`9Y&7Ed}*~*6k!)Op^iM?
z0^$S7oz!a2EZb^|E60tTqnwRH+MedgC%3)Nij$bGrnFq^V*6AAO#%!?*CV8PA-E>H
zGO5J74H*k)*yFhl?9=_<bdX*SnF;cn%dQRAGHSDu4oQe}Az7TKp01ktJK3)dd;kHa
zxbbXD1TG3{2S_j~uOWjH*tCz3r+#t|559b_<Qp~*05rz(2xQjL#7ZOO_9Oi~nEM-F
zW?MRpz}c<RsS<cae??}6N0a7df5V|O1*-(X4F_IzpcC2@@4q-q64xAJao;azH{a09
z@Y~G+4h88mlG4TBRWW1usK%3XLhqK_fzsl3J_!}Dv`2{s@f|`tfVRk6(VTG$d77C)
zS#6$4+I)&{k1wzNpzT}CnNmaRhB|}qM&>b$xgdNv+38Q(B7n(U<Ar`!r2>6S5FP?-
z`VpnzzyuIMO<uSF2t?&Pl3OC6*QQugR!nlS`PSC4PGNUHnqYrA9B;4lo`O=*a|g6+
z5|tIB3l>VL=pUz?>C`}K7(q7ZI~$EXPa~Y}zP!LDg~0iZ{!E<;G5*HLpD8X{AT!ZH
z7lu#ABX6({OW@ir*J6T1&q4Unh`P>=(&G@iDoZ1qtFCo!5G*It=N~hs*ZzPPAGe1V
zM`vI7sF4zQ2_J9PHypAPQAg9ovt6sm+PPg8U|>2dLcLTfb6SCeUCJxf)Qg_vW&+uu
zqV)^^51`xc1Dd!yzuzsb4ehGKECep>R&DQ@5p}w>%Uo*^NsZ6f>0LPZ6qr$&?FQBM
ztOc#*6t_sm$$}WYHkLNOIrmr`NNyKx=W33CtZL*4cEfA#ShM(aF?#PGg7+p%`j}f4
z6NPDsqpB%D9e|%y@|{1XzSf3<p>F8Oh9n5GL9&I|e3R`hAWTu7gOaM$aAx@SMiD)v
zZ>5mFZB)#Sxt}SoC5d9!gJ^q08T0|xtX%v6n#Kg2IT(KIf3|~=`6$4=Gi3+!#A9%^
zIN4N0gYelu<1yV14sBry=z`%GyuuqfX#gyAd<KZL*aX_x6!0y3&P=`LI0yvcMCHfP
zLE9`9)@0yqrz*7IEFF$TN$A5)iT1-FMh)VWB?1(nj5?4rjH@OHaU%Ly&QOd`bk71>
zN-N!eaQ80Z=zeQu=NE?)Km1yNq!fphJ}Ez?PR07B^Qpdq`J)XnL&2n{%BVl!n&C7z
zS|>t<raUc~K#Odoa?62w-0k#2Hc;y!+TcE}{DS2~lQ(MouPnZbhX@=Ke3S#~DOHt?
zdt2=QsRe;IMwd(&Y-%{)6M1(TWJSm{|A3H*8dYI1P!OJ1@YXeR7Nq-n9FPi_m6&rk
zf8$%R>>8JEC&3r7XA{_ZXeFg!b9uC)P0~X4zQjT=tyO5citOoNq^g8Cl;r(BCI6%R
zlxGuqN&wL1%1~vZSn<P!-Rw=UzQpvK){z&D7GiN>Az;f?qdc*5HXl%h!P^hYru7mt
zwakGh!wc3maX2k;bIdnGfPyM3L~grKMJiSHSGCK+d{k_!4>S~<UA~lR5lZ%EGbhn&
zC4dgG-`RUi#>2!w(ntR$P%V6sKjdVMNnT3p^(0wt^`B{&LM?5yvPiT5wvANwZE@43
zFIS?1W4RqtW?PVWhFYf5szgUys?rQCrpwG-n<&XU(c?y9?@hPp|7u9s>@AZ^^dGy|
zE;Xq8>R(v5RQ?Qw@{c@lUj{EdBy73&KCigxY+44jO1arAfpI9Zbr92_>m$EiT+<rq
zyyvryc9QFJuG_pXzEf!V>+F&M`<O`HIH*P<<P`?EE~sWch3vqKZPFkS1dcq@andE5
zPsld4b}qhAFwn~$9tR02eTQ~f)dIj$k@y++Qe(^z9l!PAFR3`@ck90RyWS66#xK|l
z@;!|lOqap??)UZ<W|OYXgQD6uqd>2gE+bB4vP*5}9n1US)n@h4Z<9=Y4X3-Rw_Bwz
zQfSP<!_|xcN;U#C%~vN29@JgCvyF}E5i9RoU9!B%OW#X_!f7<mmKZSCV95TLC6mtg
zdNX2rZ0%WO_&D}i0%&dKw8klso+hBvvps)`lzQkP`*tZfiKo2v!ML4|NbkXG)zp-+
zq=9J_K)F((d^c=}AWO^5iN9*n$}GC)m@#Cd06AWm+Qw~B@&+qdxd+_YM#Boy1K6@Y
zzHMrAKevTkS3aj1ItX{@^VeANdu$_wdfOL`A6M+m{bq-XU79M0vjclQZV%?qN`bWi
zN=A}GsYz47#q5!=M#d%IoBPi7C$2ZOyYP!GyG8F!+n+)3wXGfc{;Wgy6`~nhKVlmn
zyEm;^Cq8G6J3vTC>*G`@6Qa7S$L(qWVb0Rz&vY@M>Jkz|pT;=t)gqWMBY|5*#?u`0
z>TZpJOxW_kA|kUxwJ2Kxl;b1Rexv0j$szWV)Ar5NPk;J){Ixngxb}BlWKfOPXMW~D
zxfIG)0eWNjB-seQ0vIoLS@^3u<e78a3clrB-$v|T$S1<OEy>RBtR=DeDAh4?AP#Hm
zN1>3%7j2?*cQuDSd%XYFmO}l9t8Y<!%jjv3IFmuJq3z=#@3FCoI?|6VC=2{EGPGzY
zu$fAm^v!(6cBdQ$%j%yza^18|S`D+Pn4dWins%<=r9f(`fS*58JuGft84=YtrwkZR
zMeohc1a|aCu2V0UYKPc{tPw9+8&cCR9pMtyO!dzM%zu0dCsX-K3s3%BAR_mu2)K`O
z+Ube%ry6IdjmKxizXi_)VjeX==2}v0ZFZP{y!ll=_(f*&lxKq>t_nV0ie1QeNdRCT
zO}a4L1PeyL4lT2xyUE+yE97c2Kx@PC*_q+axU+SG#N?Wnto9$TWYz^#J1q=hZkNoe
zI62II`|@fO?YE%hsCFuNt}YM&Gb&8M;tFXW>>LV8pWK_SzHam^E*kQ3^D9YWIhM5t
z5-M3k!E7qAZ}m+Al)uQ_y6t~<q!x(iC$l2p=at{58{us@8Zmotj4r9x(f06ZjWF7}
zjV-r&9$+^{y2Wn=UnGcpYgn}stCozQy2L+plo1{AVj(F(wA`^XjGgEvBN>R?0HkZS
z{9lP#lMDRqP^CWCRxR>+3XZrpob?Rbgo?az+`wIgyGDted?PC|Q29*(XrEB>(uZR8
zB)&a>(5BHK32deA3<tiDL~AV1%&VDph)Jtd)zcYsB^y#X6B@7nb#hz<hd)to!0$%$
zcBhxQCCn>9@?}v2p?%aBG4^(AAl@Ss3?DV&dp^Qs#w<!oZhQ^iiokzU$h=dYSe5<p
z%(CO_679;vTUib0owe81)+=WB+H)-#tt9qZXcejf+dlZ}J%Y_-A$;|jd(zK4fd~;F
zh<|$!$)mVakC}(mPrbTg!*P@V8lx;Q1u#R=!gb?qcOM&mub{Xp#@5*J_xI;!uk|qb
zm*zz`LL%@BOA63smwIFTKXUj=_0O_qQ{QhCn5dB%vohSdDKs*oFAuej@lZM$(>Dv~
z;6s1oISa0Ua54lc0JMn03k8VwH!?To$TN9!R<x|ii^WyEi7uuF^aJv>>8esAK%Bmm
zMJzl2z|N3aeDa6^&&jd`{;V1l!n<kZ<}g|H{ozHDI)AMQRr~r{pRh$-AtXEBVY4e<
ztrBZH^EBkOG64!4o2gBKxp=4|Aj`8D{B82!e`ji!&!};_su#Q<(@A&wR_x7~Ikoh6
zk&_NKda{?YFzG{0Ie&jamI*C@yQjz1-giLjC~*ky#dBGr6F!nt{PGlSt+@CqqP{2p
ze@7GW&lIsFvSL8p92?<q1BuGKO7%?h3!#){@1<CtLTJ=qm_d*U0qvGaG!oji<Vb7i
zwD*Fwx17t>YGt|@@dXH{&cH9QY*U2)FHYG*@M}Niciudm4r;Igt_J~`YGIsA&?hmM
z?EU5b%gUB1?2g(FB^iNC2)??b1At8oRK0le^G~^p7A5a5OI`wG=O_LL5i|?eo@XDA
zp!=~B%R{SC19a+%+C9wBeX<qNoGG%(op6ClnW`<l5Al2b?ZQ2CnE8ybEL&{u9X0iN
z1N;xYEMvi>#0AE*7ycaNE5}V+Kb2MwGd_w64@#HM01~Hj7J*wQYecADV`|+`;0=at
zY&5KJ04N&a(?X!Ky_}X4mH?r<RuW19<{CLy?~(up8}{&<U+Xbi122|j!fv#W=^M8d
zvsHAW)Fvw}*2Y6cG*Bnrzdxv8l>x|Y!P#@gpDWuse*b6wSv>?<E6(#Yk4Sef9bRJs
z;2Wd102`VVJW&Tiy|V>8l)!o$!&&vr;Hvqm9W;Qlqd`w-HHge^1GPzo*k>v;x&!zW
z=zUADa-u8VAOqB#w#KQOYy>a}G~Elvs4Lq$0#)##1nyh>VBG=Qkd@>x62>nn(Mi9-
zcepuQ3F!}(&s%~>$0?OSlam&~#C`^1>(+|RsuE?=#2xl+E@tn9RmrLdZ$0s9mZKIo
zB-c{pukA@XYbAWU9_+R&h%b4lAza_bSO1H@lb*yX%R)~&Yy%qfLWv1=YG$9401t02
zD4s`+JYj69<MjL#w8o>j7{Wrb?d`s-%x1k9T^CoK$70ogK>IPl+u(_RUXdmSu?a_1
zkm>CMJ{xc2<j^(RVb5p=9~tU7HL&o9a1x!lk&yLLyprhKrxx9B3HmYFm)ml<nw#ou
z<j%X8iNl|=G&|C18{tr(B1=y(c8B`A9X>S^crnNq)ZS}4D8}wF|3{fj?6>tFq|icI
zo_58jj`;8ORL_{fbMh>Tkcf8=CeOBukz&&)q@+JBB~B@1X<V31IHA;vklxDo;$%GP
z&@T5Pd$?iazCt=}xNS?#lbXHW%BX~jCj7E}>0r$8Vqv`hWYCaNk^eU6)(1v2X(W7Q
zz}E`Fk!aBBlrXCkTq4Y1r=uO5M?H{#Omr8SR2Rgl(AS;2WW?DnIzRcEneWlnd)?3N
z4dFwO(lH~s?&3e=VUP;f^qW22@%?9^;a>qRy{Wbh?Z|NB%5CCe+ZOs*s^t%RSY#vS
zo9;BJ16Y;SWly{%c&8D&n@T771uJ9eXf1emqI;x|XLnG2r_$m41ocCIk;kRsbH}{Y
zDI;ML{Y>Y_a8Vo<AauGk$U8`ry7RK=W}3F%tCO4Y%Lj&Z@Re#0h-2{J3Bz6;Pv`-m
zgy&Uhkqcf11TDc|LAZGk`vF4f^ng`PDIpWtaqKZ$+T{b%o)2eQHFanb2w}Hr@?&on
zeka<C0tB^>q?Nn;@5Ry$mL6dgW|*sDW}a*_ie+2gn|?4p8up5grxvzy;gQ}-uMI|B
zuK3|&Xo@o79`Z96z1*Iysv%>u+o>a9v*mjh8MFBX!{aY-+v{4c%_#it)i0Eoa`<l<
z<IXO>xBCwG@MJ2b(H#&V-XnrX2Or7spmn&Pe#;PhJ;cHsHhz%Vz_ugo|Eb`RNr6j8
z?hL(c{4tRCx?QlaN3_%j@Uqrr=`PfIPS<Ks@0C@juT8R?N7xU+O^SDEA+N0Mpd~)I
zYw3!xVcd!iS)1=sD1VtK%0WJ`R1_WCBZSXt-FA^Ww!P{~%`9Q3%NITan2XICITR<n
zBx)*1{4;s04Si#A`{M1qnx)&@cTWM6i5zLnh^ztWkg{}B=yF@4n6u46i!m5x!w3uX
zVa9D@X;n$nT96YP;K1l&K`Qey59g~A7mldjSNrX8hd|;AO=jpujO3Y_A3CQT#tLRn
z{5Qk~pX*TuAcR4*x9OD}t^)V3Z!g&)*Cy2~uQgfWM_)gtJklsMofz^{r?$UL4zXJd
zb<#27>9jUK?4Ot~tlHu-ixvqKl3R%uX1C-Bbjx7R{B-h#iF`h<2VR*=y)@<jQfQE6
zHp$#?Ga!B6fkMn4y}IT%NAo+uQT<-c;mu_JmjvNcfWd5}A{Qvv;$7s$fDFcj!|WT^
zT%b;_^|RBckp9V1Iga4lfhb2>iyyxyFGsayJ$s;<tc@wf&zT}<PptMy8;K-4gJqYL
z9i_=&FU6Du{D}M2H9|~1I10!G+kIX+IV8EoN|>jK<7(4oJE^|2tF{AtwX6pL$LKA<
zc5U@C5xkboV@dW%D+7~y!#?&Qv~l{PFr9QvXeD}z)pF|*?4m@vn7ttQCGFd_+un(b
z(Qn1xPH9Q)uC{TN!Kqiy_sbZEi4btW2?@O9=T4NyjYCN!<Y6k7SBf;WOA*yqrRZ%%
zh57#aYVjb@fH^nh1q2{UT?|rcOAa&Z8_;Oe8}sj=e`{XqFH1yU2-LhI3#;ps=%Wan
zKF?2y!*i!)>3YBk+MSd`B*&ZcPQ50SpxzU&$i&AZ$V~7a*ew+x(@JlBjXVgUsz`t`
zNr;=&hbZ&gnQ(sIoN;ON9KG~0k`tIKwN^pOXU}>S5FS^3MAM*dbTxY>>sQ}{>>?84
zs-oazrL7N(FM4MJp7N4nZugRKPRs4_ChR-?JbSKg{KEd?>kgExR+g-Jb*`ywfbcl|
zuwS&@holvlvUG0G`QX~@%&|nXY9`EQi~qemIvm<iyQK@T9w)?azMQt*<4^dV<N8Zk
z+u?_L6;EbAYm@6j#BE2hhV;DH+oibv!EjkzC#QYMU~w7vR)X+|{tSP%vzy%O4Os!p
z){rBnp;^R7U*;_ehF7VcV&Z)T$Jo_1+RERafZjBsR4&GI^uqk$hSCVGs7j#Q)7|P>
zAN+6Z+_G!4qv#f>tn%{<__saGS}bRQ;%7}MDB{JLX}^;I(cl{}Zkm7W)J4~WeaGm^
zHCY>uv>Hy=VuWm$=PUz8YRhe7`|c^x1jC?Sf<U3DrjAUL+u)k-;=MOJ^^~y@*oViV
zjQ}q)t@2<9{f`Jc%gw@1k9F`-fPZh#@zz|vfW;^~|MxF?GP;(}gC9HOJEztH@>H`W
zy+ZCOXxx)JQWd{dnKs@J;41q<wDW=TY6FI}0Kv$Q1Yh^}%sCS^;BPB*f$<eM;<7$J
ze*b=wJYB!n$bYObl6)aJS#hW(rMs$JEO^RQh!1_-hEw3m$L*-z9aPc^_H8F)B;yii
z8e-v@nX=1BCwaW;110nk8xzrnPUvE}B^MUS!~IasqYV&@Z+*!;Ev*UbZxiD(cu-mu
zF!qpqK8p5Hs~6y_q!H&S_Sr(B6i`b}P{+PJ&f-n8Wwb8D*-!RpxlME8xG}nDFF`HJ
z7GDQg4xEQmu=7ml|E!drZWOwS?>Q)gnC+!NWJfkUM6f%IMwN$vo$je}OM;KdzpUG6
z_1Hb4AE^J5)h4yyh}|>p&!uw7LI7TY4>SM5+-%m>Sp1;E<QaGWIlf@0vs;}`%u)>}
z{MKBJgZ@P2cITMQr&`S@@@3mZEka|_8wx`t{=3BDA_Su%Vg#mAzHd$Oxf^3mzOI~;
zEX@JTmk)l1*lOxQOZRVf7Y|X96AWQp_3~=pv-9v|j6blD-kA4IpYTloB=7|M>v~9s
zh+NQias7P5;eb>?*II~&-@|#Jrq{LUqCtdIY}Y(i!OW~m4w8hFSz6#Z#3r2vsL%!G
zdV$OszL9lC@xY;M43seUN9IduZYT6k6(5WPgO7z(E9RB&b^nm67LyiKPc(5?s~%Dy
z^ojcd&i9cZ@4-VR7Yq_s_edIUvwb}qJ{$NE`yG5!?5+5`L=qscs$P6gSVw2~Wf-F4
zds&MZMcixm1)5zy45hQF0<#M_RrVZ0WD7d*v(%HH8p;B*9S)`{!bG>&?gmoltqRYg
zx)?KL^YlGzz$WX8^|>N4O`;s8YrKEW)?fTN%VADvF;O9^+<K64?q`0HkpbXSOBMEl
zuF~^n{~8s)>yvm)07U@0ko}w|)8R>=P$#Jc2)->42vMo|u9cqX8O2-o9S3~lOD?NG
zD1I8?R63tU&13=il0wUJXvG|p>0J-s={hDQfg?B)U8Q#6I?gpc@ZCrw*-Apx;{LuO
zX}ulHCs&@G-nk-k2FOqEX-rI0yk^PUi(V#10?e#^&_Z9jwF2+))>t2J-Q>5mkM^eA
z*Q?g6^_?V74d3syBWVxl#-cO1`gY%ul3msg%K1MSaNn#b+9ZeuTs@a|E2+0DOgQ<?
ziaFxO8w*3gg;=8exFHdQ_fwfRVunXUG3v6cMdSGL4Fh%Cy7fNFGn=P{tQt?*|GHv#
z@QG*znx%RlEI-pT^rV_7w;N<FdwLj8#;=@7NB%wLkLNJdPPn&p%Jmk<xk+RLb33EE
zL~J<}?1?SFm-e^iE>E)R0mHP}Yh)Pk<8Pa}Z)P<;I3Y_u<>kIzFj~QnQanA(6`u!Z
z(O>SlHl2Oe(RKr7K4_YaP&fD;Z4B>SVv*h<1B6Q|5BD{M`&ZYIz-$eN{>oVjb-v+m
zahX5vU;tO|dUd|WcDts_v+Zh$xOalrGdISFeSPDxK<cX=QiiW0>9w;Vre&hnwM4xl
zeN=x;@$BMt142(lkLX70pzPU3)?UB({97<3aTwI6sCM0*kRM)h?Nk2{9VGuCE|+yE
z4F}&-?aCwQHnl5cw?W@y&j|bG$xUDnk{S=XPH7yUC-y6=|D(4sFeiuehV+X6VSlyr
zFV2iQx2AJJm|4&8z@s*eqKorGj)B7U2fr!JCaeFW#rf=yAYcs3eVWsgo9-{DujBDE
z6$`78B0r$dMB<WE{!1vTL<AIsQo~-%VHSL}r9%cjMLcG@(Oz~vjRGSp1sG$mbBrE{
zJ$-zf6$1k^dUfEOyd#L42P#Qn?Lw=|NKylW>w{eMzCLtwsv{zOX`QtPf4T72-%JnO
zXm3{X3YEVy-2i;)4*s1<S5CpeJRYYN>Fo!pDb0f`0dAC^_SJ>{u@&<7BdmhPwSf^c
z<AJfBAv*7xS9?A&TETnNCOQ7xcYn2;{AaHKBSU~uJlnEOl64PNEnX~>BN6NxyDk(f
znl0sDO{4xgW8|N|@_3Xoo~(G2&Vke^`420&TLi5(3^nb_F_ihQepH3;^#q(Voq}6w
zBRKdv*uE3<xpt+`|BV#-Z`bS3-jahqLRaOt0>L7kOKW=sZ^c`##J@a<{`t89e|=ne
zjc_EURZ#|U;j;j6AGk~B`!v_0J>|cA5npFsgRq&LPdeT--~gzEI4~GXDIT+3T!>-u
z{MR?vP#BQ)PlRbzkyP4}H*?Sb`B@<ZByKQ`zvwLgcI=PE7CSKQ>9^0k?v~z@ckz{!
zoLcT0wtr2C{`M6e8sM(UEjr8@sk(8Kl2g<D6Q{P<r~8^{*g<j^<li~8ueKDx2D63H
zBs~4s&kHzl3og+0AS?H8x*GrTCA;2eL5XU>t(WLyrpxv3{r`^;AO`64M7$9EYk2&}
z=>h-Ug)+JiEUD4D&+{MulXw61J-HOXeWl64`LyHizdle5Sb_f<4)<>iBm@3G`6;kb
z#S_vVQ0e?z7x4dYfd9V%{-2BhCxPg_n<hWs5U-r5RF6Ewk9<GJi~E#~mqnG0`axv!
zgi<p#A$v~!ZFb#f0yhZn-X&6a93MZ>X1X9*&=2!}rRDzSq!<f+<$aEZ$#`V=oKoM!
zXL<L>Kl>4{hJ(Ls`;oB2lJ%dz@&Ep-jmC}lV7kM)G!d2KU-emQO)?OUs8e&JDq0CH
z+bEh3d%O2?*PN$l{@GXm-=C<I`G-9G0sMQ)=I5WDetKTalB_D$R_yAD6$C4cGQPTH
zulnxWMx}GDnEA5{ySWwo-HH9zr^ny8{X!I4jX2wGg}FB>n}=w~4flmQrhOpdeTKP&
zm3bnZ$th#i^IzQxynm!$>PSF0f7ntn&5M=);|31d<NwKzpa)beP?{VXvGO#%bgY@i
z1j{_s%v6|=sw?83uKs@=B=8%Z?mHGU+y(*8K1=d;DZ?TWM8xBDnnwo<T0LLH<7|39
zthB>4et|wD`?CVGO-g5M9sWma5dZ2X4r(O&3u7oHaEw}^_V_j=K|uGgdrt<k`djCl
z)Z;2-ag$AdUvW3gwvR()sr5yfztqF|ua^Y1s)F=+eZ$9Ws~efSA1j+rKd$`>=TM(_
z=d_s_hJWzKqSX=$3^}}uOj6Jyq|CBBhW!#7fg*puXhFaDACvKan0OW_U|t>2aDF)W
zs&=E5kX;)l9bxjRW0?{f#xnm!)PZCDwT53Fot;_ANDhbHK$_Q?495F|+?5f)7MWCj
zqgzaEXLvumvAJq@W-V4~W|EQE?@H#OewE`EQsfg-KKL2$Ohpo}aaA{EoGfdl!`QD?
zyStbB*1vo%Cx2Elm|m9e#6^5?G%V|WUj7=j-k&|oHpdPLy1AsUVX-ybR?q(G*!ZLE
zD2`z2=PZ@jr-`$MYpPWq9N0BQrLr|G3&MzuhF80i5fKs;cA>Mi?&=>{LmTX#r`;CX
z2%+NEf0_r8QlE$W<RGQ|SAPi)l&I8g^zrAY3?^km3Djem1Vt2?{C^E+2|1qNpY9wg
zA7GgSC#@O8eM3I;y#$1nE>EPszv4COiM_h~WOs$h28JGu(e3U(V*0!FebjRsf0^R|
z_r!0B)n_XOu`|M`DVi--XmsCQlR8S9r5q1M!X*8m`uBIng@<A3m`ez<+Xn%&M%b5F
zv~|Xe>}KNS$T!Ti@(s5CrkVtdszx@@>t38~VMHH=xjt*7NUrAUUZQvA*-j4-pS~$a
zW`iMgPPh6J`IE49Z!5z+6%)2|5QKxa6^hcJuJV~QL|n|5$^G=1uRZ;0MFoc0N5uN-
z5nZs)j==DPR~%c%`#;CZ0^gAKc=yM-uRe}Wc1(1tGZhRhGZlPNmga7@(@wcx-P>Q?
zS)X9l5vkTt=a~)A6<-v*9tJ0AZfOvg0>UTUdZQGf91aM2M{Q0iZA~Tm9@{Nk;;PYl
z*&)Mw;*J*Kaw$!ZVUQ(d`k_=|58t$7q1F%#9?{3=)}6lL-z-}#6>*>TP;kKQiIk|n
zKhJ~h%+>3gfzkH0r@8cO{M`(Hx8#pm7;%6glSG2}^rqf#IdHK18-HWP%*0S@wp*4a
z6&ro3YNbDnh+a#L4EbHH*hbWn_9A25;H}A(`bOR4>H73b9%F?kN0G!791~|lnTjte
zeGA!(Wxp=eyKAlWdda*8tF22dac4gvLrx(e-FbwvpMKuwIe-(yC>f7B+d~@8f1ca^
zl#m@dl{J1SGClBo&<?TOQ3ki=CK!kRwi`&vxudpcrOfV<hvo2Q&A5d{1hCg*8#!yE
zToO(CG3u^u)9Uu)>T>ZsxA~<k(+F;(W@AO}dVS-Lxj-SzM{@mD>Z2&B+~<x4<wmx1
z^c}w=d%Bp9-xsBTp!&s@lv9n?;U*r(FVX%Uz;%etm{7teYgfmii29qS&%4KU1lMnD
zxO`nC2g9a%g?qQ0BCwo-X+%M;^3pW9<q|4@GN$PK{gR|`j~4>GKV&K4cvId`)0aa(
zcE>G|&|8&L2ukCOmE4_cME2DXP&$oC6$a3lvq5Pxw5ETtL6gJ=Qr!6KHOP<%YTh+h
z>QC{9qQuMTdds>J9Olk~%-J8ywfuW#mYjRO@He^qSP2${c=gS<T&ykrvZwHvY!Bz&
z`JiLO5KRfVka~Su`$(#EC;fzFUPoK{zG$3hVBz4HsKa>o!CF%{M(&*DQ1<k<)TFpM
zM47K?=Y@+j$E_da?NM)~>13dYD?ZdyBup%tX452@$qb0~V4B>&d*}kD$Slw#=(d2*
zmWa<`p|=wEQo6sM^67G4u_Mj5>4euWzUXPs)OsY{<<cF(?fO`@7t461HjpOam;{M1
zMK+~Nap)JBe4IH?dTw090+SlQb>Ak>5}wvoC-nOrOpK;CDk4HqKAH7J_RzyJ$e`@$
zHnQJR5mFaRi1FFZ_!<eWYjEYwk(X}JM<W;bZ{N9#Uwv9Kica1;v(k7V_;5R9Zm2Y3
ztG+Gd*&$-kWv?L(#d}Xkdtwv|w`kE(%;kJ#a}{*UeKM_nPk2(~QH3?ut9&lIA&}y*
zQQeVD8<~~9?w=s#?Tnqj!;}>${g4XvvCQ;JcA0+M`P10pXLdmI>x8sP$6y8ndxa?5
zxht^D5}$d)yB6PrPY=Ez@@x4IZ2GuVxbzawO_@LJ1Qop@y=r{wh4IlWD>QqEjZH3k
ztx3j@rGu>CpvqDabL&}#>@zuS*{_$P8vJwKHot5?#6!KGNt4`F^l2D0_HqXuGSLga
zsaX}KI$#xTX!1f%v4s*+0VCqlVZT{mUbgif6Gb@H^v-z^#LKn*8$NY|pIm3ucPiRt
z55=5k*)@%4?Zu_uoZ!7Ea-3@4TMpq#np}|vNl8_aUogy++ZEsCGEps?e(S$n-Pkva
zH+`OA4}4Ji#$a1Jv#9#tZHDF^9^k1-uHU4X2U)9rnV)T%I{qT_eDffB)BQ#LeyW&{
zLVLV%R<8Ht<6)0MX$}eZ)%bu5yq>bPzJ`XE#a{Vuw<gV=-sRuZ91XH(9*A#I411dM
z)UJ;(SE>&PguNkZIyS`whW6a1KR;JE`RD!qY1kHvclG+~_XX@No1PJ*BgR{@X~#ZK
zZ7kL0vsmF?MHht$r%YF{yfnXn-Fx1=B%b@>8YPZxO*5K^@-FU`DdxlekPAE#wc-KZ
z>~-R#p5C$T>`_90+YADvt#}aaglQox)p){5icP<r+qCX;^gS7^M(ia7Vt6!d>bXYc
zj-2xjC2q6-YO`|^AvCYMF#1M)df<miPk~2Ht;)|CY=@RcYsSlby}o$MwuYi)&$04B
zN%bQ5vXBR|@(%su(UoMuLpH;MIqx!X&kIP?R)g<aLXvvIcJU`*MxpcoIeZdpdy1av
z7|C{194*`o6|&iIMZ!Jjib&s9QDq&$_T*ekex*naIx8+fXv|z2rH?F<9wCxuF{TRg
z@IvG2o)U64+un-Jc^?y>jy3l&D*bLJPX~3Fv=4mKe?CB8Hod92o=H;imfZA_<k>>K
z+Emfp<C}pM^^<hvvLA~ZFFSF=Jl*EJqols5tvn&l(X5XxgJ7I}mP_}{MEQt!s@{yw
zJD;Y@x^!>mB}J7d?ZwGG1R&Ye3YUq_u=u%~h0|W~z;s4!robceTJ)Fvxz+E!7nT>#
zeKs!=+-DGjPdkpI)?CqPx!gOGdnJ{uFkIBp)HmLwAHRIsb=&*Az3qzgjdmlww6DB5
zQhz|bn?rP+2yswHbP4_EhJFJ1@H)g>pYu-rwK6NaE<VW3%lr4CdG)8waOAQ7_uar;
z->(EoTL0+<U>0LNcDNH_9Z2nmu8pP@?F_iT#qMAHMm+zeOJh$X|6JMj)ur*?_W4%^
zfgl;oX%2GE<o@q``I%w1usUUB<P3`PeovYYb00GB+%j*w43XhoG&@{ipSI<<J(23<
z9YNem$|y8MxXW?3eH7Cfol?GvFxLZPznlE{I6L|yc;aP^_cH<__O+C}!QaktvP|O&
z-op0h$zZuuQFaNN4S^o#M)mK;HLe#b<%nb?-K||AYZa11S^kgiX?vfU!QWGN-6c=p
z?uS73zzZnb#Rf6lJO0bL*o@7D0oj>Z&aAbrjKrxa>tBK#x%6hlCUNxQ@}1H2NEyWj
zJA*dd7uE9C5V=iER;p(8!e!#UjPT1{;po53|Jm8&f6Bx2@v2GcuZpGGFNct?VAypn
zaoU5kKE=F{Xe6zfgw1TsUB`wIV%YwKg=oeL4s}&P|1fnCf(1=7z9W<s5tC!k{vtG{
zN#esBc(ysxgp>lk+&k(*G~QRuJB*~_exs-f;%21x8NsnX4`NC$ux#Notq%=hGWkOR
zk>S%x=M`wg!Jj1(NT%J!Gu^Snr!%()7uNdJGU%Pital0WZW_{dUmLKkhsjvI=egJ1
z_eC^nXD;xWnSV*b@A_k|Q`<2>!_|d#Z^n@%VU}eL{}p)8c^Dk+ES~h^eli<GOsW7o
z^a4WFml#jpP?vj0*_~_orD*1RZ5lsnG#HpNV6=&v75;c(;Q6?ED8IPr;i%oOw^^WK
zqZYSkSB++>95$~)J^+0WojuVTG*|vB=DLaj4Q77wk<<^DHT4$ei{bb0;Y9rQZQM_r
zeYSQMKXq^K>@3yA398a|ZwY<6d^p%^j6^2@g+NF_KAUgAt+NJtcb*>qg$|nbnQE7e
zS%;g-d@OgR<F|_%o*bQ*+4jA%YuL9cj(3*5=yL#<JP$tedhw!qdqFFE$@>gl9+c~P
zc<i%O^x<l%(rHHQ$3o2y)3spvi=5>YyH3No&=1J^`cJdN(q4w9-7oWe_foEUc<)20
zVw_IT+79+7**@+Lnbq2(X525zo>y^Cvl*6871>|NOUqn2u1|d%gr#}X8^i_+=T0Mr
z$PZ;vU-+R({WgapF!49$Omt<{@SUU`p|4w`?$1m2GrZ@;J_;<()1Y3qkM`SlRM5Np
zaIP*`lH8RYTUZY`k2u<xnvr{GGr3@k1q!OQfvVCQgYluUF+6EkrHqm`3UE^<ziz^=
zP-FCF9xQ&VdVab8AdpWRCZHEd#rp;UtPtdMY{E%(%t<LY;L>iO{0j2IxgqCgDkIY2
zMTSpPfdR;SVS-~>OfE&Zk8mK=`1Nj`=SZ2SlvKX=AkFHTLvc*`WH70BwLGAi_|AGZ
z`#bUX%3FG;;h%*C#!d5K>2rs@{i72=GG2D2y112J^jY70YpvgX@CYC~wiCXrPXV5g
z_GG%ZGMB#KDw?v)ToHNn!8QgJt4+<w|E@R>YQF=dmyh2xe{HEci^E-cLd58pH2#zS
z%-Xf)EAZSWl-;P&^YAI@yKtY%Ns83VIP+Ulpc8lvHPvlXllc|5Ue%kLviu(Gm3x{s
zR^^<pGvj5687*5w<84uK2mUYi-ZQMJFZ&<;S^y~#6cGibsDOZgN|P>Np`%EV5{lBh
zlu!ahK$=Ps1f&Q`FDBFwAV5SwIuQbdmLR=`5PA*wF#mh!H*<f_GtRuZ_szV^lbk2#
zoPG9Qd#z7d2U#K6?6V>>SN*Vs=5?jY(-QVfRHGaz!=-`V2Qb)}swgwLy>yTOk`<0i
zzgFMUDzBydB2;`%?a;=X-84m!KicqHZv!>;-Gv0V>HY)19KYzLnGlT`8!BE&BiF+w
z$AKVJ{$fD31~s=|?nw@kL7NE{1|HhzwZGZjS{W77Oe%?|(S#*++nNq*KNre2Y<}he
zmk0b6pJ%?kWpiOKIP4Cb458!j{q;N4>E+MVU$#dlAe9E47xkL-jpaA{pUp&Y!zvr^
zfl|_e+gRI5D{19ib05W(rqLoQ%QJ`-931G4_;)koaMPL2l7>6m&dY}uD2RyPH>fl!
zm5F05xbUKMM~rlReOdoELv4*@L6;CoOq;tn!QjE-_KIoVj{!fTzi8!GR*4&X&$lCT
zRl*p`19q`%{o>fLH`cX~g<A&2MC+srDR;eV+53H$KSbmr{9x5d!2X)UlVP~n_p*1T
z0O|187Q-`oUG&Vsaz$7MCc`Ire+AiTZ&YoPvOvT7++?FAIg7W$PAg6=4MHgnuAg?s
zyYgfxakTaGyp;+>NVxP3L2~Q&w#T(E`KAV}Ed;o^z#_wVGFs0=?uYuuz9+ghdE7Df
zY?CRrQzwY|cNRjaiRW$JhUqtZa+WH~gAP(5zvOWNK(g>KhK9m`lE0b89936_{uJQ<
zC1<+reD-Cl1=G!8FZ#)aMhD4CGT;DFJe8-LatT^DTM|SaJG$@eZcJW~Gaa)!IW;ql
zA2)1=9`23uRELj-GX+?5d=zz2wHy&C44+-8QIdMIbzF{LX6w+r_;RYKb^#FQK0|st
zkLwf>Oa>tN2Ti(4?Oz&IUH&r6d`x|*?#P1WX6Wyzf}0SnRJ)z<2ytwOk;|DUq4lgk
z-*22mZoR&CpuQ-st2EyK;<&c2QWZcCG@jZUc0}&^<$%Eg{ryjbcO5Qi7qji99Vsj`
zFY;~PBS<~tXvUG|>sKx3_NUF(FXvzt;MAob9j;1^c<e>d_@k6LxD@=}NT2@NH*2Ab
z2=jWApJ@yMnQ6O--ApT4(gPS*?cwU%Kkt1Hfig(mgd@peC?^HPPw<H?JZ)3khRZXk
zlX#Hhve-<~%TcqETRxg%K238<tv3CLZp|u`uH&+uerfT3sIQ5GW^rsyT!!cut3o+#
zpE!>4KG)%mR(qF`&!f=>#lsV#+v85E_aM_lnKgNxN}v<=NMX=Z>yNV`zWhk5Qyyq-
z$vPs~M1xRdG|~YX)@GA);SM^8mS3B_y)aypD^ckE*=J`|s~X|{^%?Ns@S12l;s=%d
z+2ls7cT#){WBb-;G#@NuEUy!@+&8h{W8MB%>4qC3y^6#9(YMHaD^?KH@l%f^C_vI-
z@CPx}$J<^2PIh*%yL!+4zAN0g^{lj;KY9#CCb+Wg?={6Lr7T7=k4^yPBcBdFhL@3>
z^RjHf8z!pdr>i&({}JRD%z`}l(dc`Jgqi+lI(G)>nbnXlThEE|WD%08&`Vs<@x?&=
z=ol8U8|vG*-RsQSv*33tJsW(-#~wcjx3vI=Nr8$KM?|*dy&rju`+NxT4SEdw-g5Ol
zq<&rnxvrRc?tFpYpqCY#?JTlyV!f4^?^^%S8Sip^XYq%)3Gxa0)22~Fzvb_jx>Vf;
za9uNEmbq+4RbIcDvFL3z53x7f1f`>eudK<PuQJF3nyyV>G`>E(K3jzyuXcKr5#Mr}
zvSu_U(8<XiZv;t7kc?Q@)M5Qm(S5q2Pdsw2=<`BZz*f7NX|8?*_&zyg9h(dcgv>Ox
zPc&)Nd)Yek*+`%_9WJcQiTZ1-lsD9w1>21?A}wx}NIE%(b;=?g_w1sSKFyRA%#Pc>
z5SrBfBw<XHN|Z$IV%1xZhU<)Nu_<<nAuk>X4_&<Z<i5aTXF<PNm$7Q~)T(NnE3|)=
z+4;NTWXwr%#q>Lx=6;7DId9@}ih0~qfoeaFptL*Q@uXQPzSe~dJ}N^7wdvKiS`JVi
zJL_R}@vpGnr1-!uyG$K+J*|?5UFZ@`qY_Q)Bk^03ip+!{zlVRskmIibl^qwHPZN_6
z!R6O4`Zdu*Bk7hy1X8%Zc9V1X_SmVs$xc!<XUp(g#?xVp0t-Jl-q+NaIM06{=gUxv
zWM7C_?tR&+j-j4%akpCAxkGG7L)zOkK{%Rwg`g(E{Mph#ZWn8SPOP6!XIPsCYv%+k
zOs?&ZXy5f8v@2gL0r5|lX+FaAY3qo@86~9&`8`uQG#TkH7RpZ+bPe?t;f6g!)K`|*
z9X5kKe*flOkoM0DsPYQ?c+;ck)_$Oivk#JgI{qm-4{nfME5GZzd^n47#cs|!6sPQl
zCJVz3wO4BA6wyNw&-m3FLt2}lu3&b@GZ2BrSvm{wZG<^Nwy%CvwQ)Erkyu%qDh0R9
zH;6d^i|VA@6U|9`j`~}*iYLyq=Kn|<wW#ihr+$ex?Ct9aqHY0cUVHxn_XtBU6>%<M
zzv115W=<umczd4`>f2A$sUf6Oaz6t9ONW8WE<m{sn9LZMbRAG)6?&UG8x@RvE=Z*v
zeVZtpi>v=kvOeAx%%2E($zN*5)tFos+y7ACH}&0JW@@S3LxTU^6)CI9=E~*S%O4+>
zw_6~^l3Z=5N%avGX+8F_VXI!J7OpgVl8qET4vXiH-u@Wg=T?gh*C{95rbDL;F6^b`
zWNJ6MCmq#a5sl1WdgMrbJ+M^La09T4)PVaj-OZ;dl|swn{FjQgL(u?KtyU_V2ENyo
z`B8pd?|k#9Lx!YxjDl0hS4+HzOTr_N%O+T1`QsHkjZj~}1(Z@padb{>y8XsVU}3wc
zsI`Ih;o{=R(dVusCe3JUQz>2hgFhpfCjd%^@>h+hJ@Vv}ai6_6w{{<8qK>OusW=I*
z)z@);vXdv3O$xPylfs-tZw_SniPvnepqH;vd59sgb8kS5JHl(-sfsPdzo*El+R~8r
z7WQEc`;q$jnz;;4J!7#kN=~Z;dovEPUn!Jfcr@DJ6w4I&^_^MZE56;m{lvbBn(gU=
zl%N4WI}J=e`A*^|kB)V6^oMPMp2U1PsSo?)Z%(y&V5ekZUk$~}BU2{?%`3kUh-(8*
zHmlRIHWNO=?{gP~`n>i(Nxo~a{qWXCvn|rR3@nl{?+HVZ_wTy?c)-bndu<rdO>?u!
z;BNn>#F@NC5qR8=9(L$<RPpPab)=A4bzZ0aI^E6>k$hY~#+I-rWi|p|3hnzsb@^}+
zl!CCj2N)js@?`icSrNPF%8dwHGZu2ptoFmE5NZ{KAnPz(`}wm((1x0zfsoYcrKG3}
zd+ICuqIxV?@9l5<+HErP7cE%C_(r{HsYbA{`lzW#5uk}ZVe4JhTc;@p@vkD9XeeHV
zw}w5`077IY%R94EbbU9@dtYkUt@dkl$&3`Z{O1LsTlroq{7M<7X0=^V!_Jg&M0}5O
zoexnQn--O@d?%2)Aa7dOKaMO8;z|;;5Z(CH{Rv8(udv*D?*LH%w{fQeYXmnJYv_E~
z?d7?DOge~;`H)6j&~xT>)`bKkjSycs$bkTS)Vq{z-|MAG;07T1N_;0)_XJV9_BKu^
z2VzG#P;VC(;{z&|8{1kGx&xHUxacNlOHk{jUu3XMzK0ETLr|vYBQ52J0&a>IS+P-z
zc7<Li2$=YlDJSGX{EozzffRw?>s#03KZeF@07CqZ2aw5eacX%~Y(_v~qX610&4G}6
z%zkEZ_lM_sgnt}jS?KfbDMQgn_QI3Nh<w5h@-6}A$Oz$;1%T7bGXCF44E>_+%eo7C
zxjEp`LA?rp=WQg_Z$V}mNX~&RsE$ka{Pjca-z#@n>-J|`EoKmNd+q0Bgp4wcp6-qC
zn4k4qi=J3(j9{GZ9YnP^kvQA282E>MC@2n|CpV&zpPaOxI{48^6miRMZMr;-wDtnF
zdk~R$xz=gKl{w`vv-;{2_t+QL#|1>wlRr7-4=nu%dw96CcxVQI=W^=8T@D7t%@XV*
zy+ZGS+LRrV*qw$_o3iy8@^i!N)`B7zBN-=mLknC_34$j1HUrrOBlF4Pff&9#nkE5J
z308#D$VX@Cv9g_}ni0ud4D=<c4pWq()U3jSr4NHeUuy151)DpjJ`+_`KwmLO8E)0B
z*IFBIg)U2DOYT?dtYhLwPY1`EyO&Kb^=X$UiwI~+izU;sZ%7PmoYc(sWFcqlqua2U
zZ)XatYu$U<*QRmUa5@I@0d5xEn~|tiuL>f-2~4ktz5C(3u#@xgG{sApV*^@}xqIbI
z1vg08C-6(f!ff3y%GF1gG=O=Nt6T>_Uyrx~Ck3I_+-WNg$bAQP72Jy1<Je1!SG_f2
z#DOE+v0miw*O=zL|HfdA)l?`-WD@*-h%Pjk0x71z-umt3n3TvrXP7EH2BE%DL$GkL
z_12hQUxm+Pts&!fcEx_#Jv}_qe^PYy*T&Y*zL^FnJdAO2q0KIj<AY%&W0hO-tq-mQ
zZd5{(w<gESAI`^ez=PGPySr<}B{surGerK3fN$vjqRXQ#U!?C`rJFoW(RwrUy|L-;
z>M(RB-V^&#3GWim`%LkJiyWjQTx8V7myFQkfteeZJ14&XT(7p`sIM*b*)NrpT9sXx
zZj@trLeP<FO4;|XsrK;mqXf(4+D|;2ssA9JL(Zx3aBQe6<GnnU+AB24#}_H>u%^GT
z-h<xisNWw<vnu%lfu$=zA?;2lL3W=F?kwMReWCWS?o9A~)VCvp&`h_6O`SS6ibQ|*
zc5M~?%g5>f)wS&INK1*|JKiv%{|{gF^#(~r*37e~<sBPi;TZehLKVn|i8=*aipD=E
zwxk`+gdN%xg?Lvc9P(a-vADIp-fkian-ppY8`7X<5CCxo&$?77-2VHH^-l`0qixj1
zaNXm9hBJRSO!)bB*K)JAXaHf4%(7eg+0AFMv=!g-Cco0AnTOaIN;i|lQN|`!Y=kz*
z2)euFX**Cf(AR)d*s2EX7*VBc?2_{-E$R7?!$5!`YJr?^9aOs+IhS#&mLgnIZHB0y
zbrgJ7TM6Gt74UI&!0}d@I0IYb*6(g^I8Qz}UDUM7>=+HHhk0kv4u>->iq*t|xlsYD
zl6=@YAWm%<Kg$og4(&ofP4FUc!+`<vHAL?8Jum=>MMZN;xu<QIgYU@?fy&TH6Ai3>
z!jCWQxC{vO3N?;AI=g>gN6bj7C*EXuwJJQC<n@1o+t1-UtbY^_1U~@qiFbc(epe+-
z?{f!Lf`>K(x8bFl3$eWx0lSGHUI&^l&co$?oi#k>pG_oZD37@*dFbFvxUh+6ls+n3
zSAp`$sIZ5-nG;}*?fKA_I9Cni$@hi}X^J*4+#%_&K)<|T2ZE-2<Sa(9IJHLjJ>k5@
zH<m2e>3h~#;;FuRZv}^eFGW75Edo(`vWiC;bz4t33%zkO#0`=h<Z{Hx@)dG--<PFM
zkM+d4b|=DUr=fTtnR-gE%KB;4of98K>uEc#Jp+rCEDRc=a|e#@da_{02}_T;brKJD
z*P;CFSKWCT;2rs2zgyx;iNHJMTqr+6XmpVk$wvnjW1}(<<9hbc#OvN)Q@Fd6lFj`@
zbe>~LVrKT&a{(r3uVI~T_<(RN=8~idEfdEzyG-vSCazy%YUjzmf6L{h`*e_5Uk#-;
zd`uTC1}!8zxL@pI&2Y8+W7%-*Qb~tRviYP%_gVDZW#zgl3F81ZN{lYsFvh)Md1=3j
zRAiX%WK`+50=@5HR5Ofu9?m%F@Or-`quz!nkU28d?^=pv$gcw4WuiW?h+KBp6S7@o
zpwLhb67A$Fovyo>qRRK(VN_zNaw^K%<*}|l3)aQd0*RjeFsq>G+<a3`MlW&zqoa}G
z2gK}!SM~;&vMGU~?cKm_ueI7-5JdfR{FGPYD8$7?6Z%YDdZ^Olvtg;+2j#j`vnFFE
z6)}W?cX{!v(FO?SmBE9lkjxxSe8lnGIxZ=umec9~sQtKq4N&%kDX$$pM-0G<#{D%v
z<vutt2nm@u&2HAqhBSRb;_4sYi10d82B%>d5`iK@^vU`->_{DrUMc%3OIkBT|L)HV
z4x`BobS-8Xkea|e)0Jt_@qwA0c^n$ZvD$f41W1#oWSv7i!x*L$&ThJW=wR#YK!Bk(
zBL^ijQ*Ozc6qS6n2wK#Lknj4%l%hw)_zqPUj<)eMY9c$GPF$94(9(!>hm2jOs7$$C
z0w}Gj<2|+^F)Yv21m2$$_`tS1t0V>R<uI2X^HwHE=W}!MI-j?`Iuoi4ggysWnZXFi
zSF>~i0k@s2nJ&wY>2OK;eo24zC@k(FzxEx29bydp$DE1}R2vm<!lrEsB+WC8qT3PQ
zvI#mw@9n^H*F*oB*~Q}NM503dZsFx-+~*rJ$6M<hd2REUa%o`)&tJuywU4vw8hVx0
zIFjaC$2%Rk65=~io1)VWQ9b)zda^dFU!B9Tw*J-i_GGb4c!nhKa;|f0hbM@ARF-!-
zUWufYh5n}|#NIJe9lA>YA=OxU$9y1u=VNp9X8l;dE!H^T_)V>TahnZBJF))^V_^Gu
zMaE+&(B`936g+ZH$(&RK@yRsm%DEMfaq<~ugTorm+Eu>wrS3lt%|G04cq!~yJGJ6P
zJ}iGRQz8|R%Ul0@bANWUC2OMO<St{Rp`UlRMO2wl>|AcgCcegat(6<*&qg*2lXlCy
ze947qdbr12nE;d*I0lp{$~BQ;rgQWylp44bT7XqJ{5Yn!X?wJMuL-D=cQK~#IjF%O
zg*j1+rs-E{`FAir_A^-2ILS%K()^lRJ;kvt9!UAP>doV8))lMR7%X5jxp5>%gIZe=
z)8V;}D5l8;9kailkTDJ9jWRH~_OnyV!@#o(N^!qtVd1$O>$goZ40_%g{i#e*Qv#|K
zt7U+qd0Au$s`9kOri<>b&4McQmv7+1Op&HV9pViLVE{}AVHEb-nySzZfP<+$OAPZd
z*&>kO`aAxeSUi9$v@lBUg!<OLru_z>x~3W*Z;E25RT@O@+iJ%IBpRXg=}Tg1<+Y?L
zVNr}$hX27GLA{*Ps}^M*x$;}hN6yGwpkezV{_ILi7Tscm!*)2wPdTsoNcs@#3f}ze
z+1KmSUAz%>3&!1d@5C#l(GR4g)W(PwFI|-YkJ^gkyiK&ao{H}mEV$mzw_SCXM13>v
ze!|Z@xv&X6>_%BHZZLa4sl3|<=fAJl<rQ0`9Q7f)wXK@IY~Xz81Up*glM<(t>qp2{
za@7e&AFR1=<8HazQIK(+Z<IX#y3_-9rbx$ox~l#ovfj%)l3K}058qw<Fn~F74GlDr
z)Jr=G8ld!_oviWv<$9OZfBYfCBuRQM=;#!46eR5vUY?F>S7hXfDv_;&5d2v~{B#>6
zrAG3!t_VDQccH9luhjt2X9bEjds#cym53XQm?dhqL%g9ABfK~l8`MgypE4Wx5on{<
z5$FCcBSH!m`LLB6$n$m=m)w^9915P7pu-t4`&2r=i5By%;jf*1QjyyjyUb*)qJ{mo
zOexGl?ETydn*zd$n`y1~#8pL)k4#q%f(b{}Pp>x{nDqzd`Dp3@NXBl#!mNSmMbGXg
z<i?pv03Pk3eYENO;zi7mqxZ<eVqz0VlDA9qug0tsda(Uz+%7Nnb&`)nMW?+_6?dAS
z$);W!rr7)HcnyFK6yl%Ixm-f62X41H<Z(U+**jJjRi)&AEnDwVc$^V%@RU<$)MhY6
z5*lMaV2nS&GQ$$<+gX2Vlx006y~ymc;KA0fX4S{ee!{xq_qMn#PgYEk3JgurJ$3BJ
zQCIknLAUSsdlA~mZiz$}UBM^c&$e#25?X7u^fLSeu0`hWI}cQa9w2R_&yM7Q&o~+V
zXiOTL>c^h7JF-Vb<N`t`sWwEShJ_yqv`fjiffxzMMoM?;>yiSO75na6JFOq)2ZXJa
zyOLy0Y21H)i>-Ucq}UX{?{`TXE5sb}NByFjbg({X60C5~HQClb&%!4XUOUs{-@4l2
zdV3maxs=E|6$KWx&b<+1&!UC?fm_uWNOS!-r~R70VfN&W+V>D$)89j}JED<36~jLd
zXfneHZ^H8`IWm;I0Mdj*zjx&k*qy)n1jw8K@VIT(poM4-@xipb(O>R8Ng}4p5`=NU
ziprm#C^#jOKs?pRlff0sIOSj|2zj3GSRnc{{8Nmsbg-;vy+lsFNOgvec-k)vBm)*C
zahf90yw-e_QFcN|LDPkU1^48gleZH-eue)u$2W~x098UxCK@)p?cd1opF$?*YAy5;
zulZlW%8xfe4Cb|&nB=W$?FKcXsY$8IbvX^>Yc!M%Uz96>-{&&xw&Gf5C}+@G*@|AV
zEeN384h_g-?<3HPJfNjkLl&(S2%+jnz2m&Pu(gQU#>2M2FKp+K=!qow=<q@#%R7wI
zV*=tx(SrbT8j`*PgrUoZ#RhmedDx7Yk)N(z!#0GQa|dU|Za+A|o(VH_t^4}+tZih{
z7>~IMT_%@u-J6)gZ}e@OQUfbGV(bliX+aJ1b6PohR#?Rn%w*u%+8HxR1!=@~GGhmb
zYFWT^Rk5#|p=Mh`zX4D<$Q_sDu(lzRT5-Q4iiAKq4CqM|eEO6$W=D)-n2gS}ug!;%
zeT{}43-gYr*;thez<G~_`Ff+Nc0Xhih5ZK3NmehJ1Yo^TS}G-h#5;{EFB{u_mz&T$
zM>h{#3<&3&TfaS$VW2Gb^H1Cx4+#(<(sUgX8p4)@#7e8bSsbCpdW)hzFOz=`(oiae
zdw|qxc=0)v8;KOIiQrnklD`-Sq+nkrkVgKUuY*HdENC9VnD9b=CedoA92)b!D#35f
zl(^<7rxt6YzJRs(uCZTWLL{3{O@#RR-x8IWQxg50Co<-@pUfz|Je~m_ANoI<x<w9G
z$^~6dwogFMgn-c&^8ijS-kcQzSG>RXQnPWti)NF4y+r`8H5GUrmvioy7ELYb`p#tN
zy2S1L#`sjpqE<-zQn$MA@7Bzqc<QN$H_p0bIg*|pT7}8zjt1KPs+?<G;WuQzsV=_e
zpj^}Ci=>%PEP}zbS}1zyNQzu6_j25b^=C|cJfFs!E7gpjY0+rymHib9AY3-_cP}gc
zFgS&q>UEEVU>0C*V6O?9JkFu2tVEF}Wc#!Hl*KnM>siKCnIRt@ffk|f_<hhs+G|Yq
z_TB@F19_%%1ih+d2fZxcSLmGeV+!5eMgm0-kCe7=`xUoZLc|cz-ibspjAN+u_Ba$J
z0gw%*ElYh;m)^cgtPa83&99!jyAx`arJT_~uCpnQU-((cIfLJ?<KsBZ2>>~qDqE2F
zo>QHJSCdv=Zl&4jX|;W@ZvQ)!0Bzf7j%fz?Ve+iq^yK8+4ahTk(K!UPng+QB4r7>c
zVP7@^d*?3n$x+u+?sz5@F772(Yb4id2bM^q>!Sc(?&dNQhgF2D%?bG~$}-NuzKK;i
zlsZor+%cbd_<5+>>eOgUxnUPBFY)E3UzT=pql3Xc7plg`z1{q;mI_?#8x@QxN*p%=
zTi@tob{3c7;);R>tDJB`PYFI~mjx$}48Jt$?qgRsVxOyRSDRJ)*_QoGBaXiYdE9f7
z(x>`e9DLv<bz6Bx!AAKGpD=0ktWNCBduEIcm?>!9(q5E9M7I*xrQ5!dMvcGV*_o^^
zrsIN}oYF|Vn3<)tOlCyy#y1bcx<84w?(ZEd9QmN^0l#=MsL$cr!j_~Rw}=bUO16&~
zngOCFl&;yZt`~76(H4jEdR4IGnCwq4N%A0PcBk>d8UpmH-JRKy^za0(_3Jbgz4hmP
z*CLZsTe%%Zp;~-(up@%dLk4yR&hV&8^PGhdg`99BiT+8lhh*QHYi&4hRq9(n;+3>f
zYX(`@+n1~%qjRn#H^gp}#_iBeU5Ua*S%w4KrL<aW)9tKx)Kb$)dp^|8w`_Txqo?wI
z*ec6ptN0z=l3Qk$j=8d>++1Y0r8u%y;^%td?N0jJ3d(I(iN8L|z1PiI*z4-EGxG?k
zvVy>V@WY4PA8>Ja-;eou<?OJnBMqfI)fKsK5NO^b=3&@Iy*m;~#O~GPWZnVtU5$Qk
zocD(8T-%2x^QGT14&SwkKQ7Fr6B!E!mV>rP$>;erZ(Nes>bjG&DUKbNB%8X`Io5VI
z+_)1V*e;_3FGBa4*&SZF`JzEHXJG%?(TUKYh~7hoxO;cTp$BKwcje!2XuXwC$W|;q
zn8V)wlN%u?7VseGdoZ(~(da__prM?vFt-JV^O)P#dt6?x2H1tpPj(5F+5Xws(YrPy
zUT8f4CXY0%z+HSPq>hjppzPHhX21;#4B-5++%M-S0#?BabTJ*csqKyqm}lB;;yJgl
zTgDaY*zm_Q@oV&S+4YG5r`{bI^T!5kmJjDGnT>Wye9c~8%M>gjY<!yTJclZNI=;x1
z(R>oY_#8efT>u-GU~K)|Je@B4r#s<^y9wmUQ7<(1RN6tO&oyh-dh6jM2jBXtdq@79
zIp#@d8DTAQ3f!PE1Nn6(<C-;moTyS}(Auj)bJC#wy%`C)2m;-MAQPVlXSrk@(cObr
zmprGlJce_gG*pA%2+V%3B9HTGN*!G(w_jPVna;{eocWl(tC}Ys@_od6$$BqB++}-c
zM6#rcs9+JdR8oKO&l2jtf|-t4utd=Z9;cK~Q}h->cBC{}uo35MLIJ7HL&hdRzmhwr
zDb~rr+Q3+)lGi!Hg;l!F4)(Qjzc_V<C$5pEfjVp2tKo|v0E}v1-2%z=;~(pZ`@mUw
zjs;ju?m-KXGngYvMDvxX4|i=e0O@`d`Gxy_%+)n=5{%Di#q3zr=_N<49JvDqV$w!?
zS>|*DIZOR9I*U-}S8=?-0ay*N8bxo}rFQrN`EpbqZrY6HUg2pfAec`QJ=D>WnYmE-
z<ZIo>TTdr*WMMiN|Cpe)F#+z4yG;gfCtu!(WN%?lex~|I#Qgt;oqpdq#}nxjZ#Mtl
zKNa|o#l(r~KLS#JzaE}4;JoLBTRaMnpNYZq;hTS)a(_3o<Q!XhB${oF{)kchBYfK{
z0GwzKA!zsJAHV(6U&MtUyIWY&z`TDy{hu`Fz~4W}1g>x%otJ*@-@hxK*Y`P&)kLb!
zkg)&c3RwbyE6gINdOZ5mz5LT1INSt=15`H5_8(p0#xYsa;M8&XKN^nzKCpj$H2-~I
z|1{<PKVD(h#>l<xY=>&4|7?}LzOR2g^@}>&+y9OA|38Q1Anzx2mefbR^>u*vQ2+h-
z2n6A*M}T;#-%La2^xvcAzY&^w6aZK@H$ry*!M}0v-w%o80Jig|o`N#x{sfTyqa-qT
z<JdjIwYbdsA6=m%aD@-MbEhBtN5j#l3JiyTL51#rbcF@L9>p%19MAgin=OHRQDX*%
zW8rI$;-9L}zYpN?u>ALd{nK##_ksQ6O#SZ)`==Q3-xc<c!H?&^A@QGv<Nt>}Okh~i
zf<#aSm>O5?-s)G?KI%%3K+0eF@BaN<y!Td|t#X|Z9xMz-j|tCoWX$>@z$hZ;7V{OL
z!9W#xh?i5^H9pKDfNxzf1;Ah2`B`^78s*zRTu1x#8yVC*eDMNkM@0LNBk@lG^?&~m
z-1WCpqUEX*Vn`+eosLJ;Q+Hh_t^H8rudU%&jRj#K$qzgnmiwoS>!0d?f6Ppef5<`H
z&pR_I6LM^VC&>~70L!y?g0D7R@CR<Dxbpl&%2vR5DB;){<v-O3?2^jo{s`6n&rR^8
zp6-*3%m@FXHBGu@9Fm~&Q}R8&(q=Ty;e8JLdq|BqpG89*Q3tI=sl2rl@IjjE3b1=$
zu)6Y3q2nJjkpJ~VmO2k1#McQAPyX3$+EUh)Dp{;ATbz{+qt<vl#_{te;>Uhme;k{D
zB0|Tb*HV8TS9h1v3IBdMb3goIo4az|7sJC^<V;~J_c>T@T__!MhqpBTjA(~1$1xgr
z-5wJ9?@yZ)6`m$Kiaw?6ajix|_@?UpOj56@ZFdIe-RKXMK>7kWjF)Ntexp2|^cRGl
zKZ$8>ZUgiV;`m_C%K!Hx{GaUe_><tpwhMret}`sND`~98(@#KtdrEhv&<^T5Wg=7J
zwV($%X!~&e?tJLP`IkYbg<<|OHFJn95C58Sz0%)>SpypY>2%9;HgFQY#9h7iwsX2_
z1ev3?5U*Eh|5VOtsmi7N)f7Lv$Bq%RD#iubdD|)a0qBh0pC(OeGA_58derOcGg{@y
ziwAomF9;jz1OBaBFe>s<Qowfo`?TA`TqUT!vf$%IBTaCxPj{(Z5&@Xd<>89QQf|a+
z&+@Qwu}WYTGkGHAnXbaa5#q2)kL;3`ph0=gbo*!1D%Vj_nA;G~x{~Ro-UrenWnd>@
zIYkhH(&Wf-$I6!dy|pDb>zR_`I?9YvNgS~F7NTJ_mKny<Xz3t>MAPM(*{+mlBS=?4
zqf5nE58tWjR2%}*l(s#Lbld9Fmw%h*OE)0*;YH&n17;XKy)HA%;r@0f|I}t{CafdQ
z>bgyu%=pfT-<)9*Cj!%BIz6R3*I6_G^PT!YyEs_HYtxxwYqu0A?K^)48hBmAqR#hD
zO{3XpXLo%T-Y|{GsB}=R)c`Kn4>}}O+vT|2R?xpsehN?b+n9fPSv)8{u;h(s<8y!d
zd1#q^?+?9#C%o-8#O=K+$DZs1s};XM{>M<KAn0|$CtqGGbh}*?`;eJ*cttYbtVe!(
zV;9T=3xevPyOD(Q8H?VPIfpY3(!O^~8-93emtm!=iNSXt%unyr@wRkt<AFvCpXU6O
z_v_uaR}{9;X#mhkR-#ARAALiBD{9jX^D1q2rm&d!1F!<G((Ltr8APm|gSA)zp|oRx
z{!LhIe$DcnMNVM;emw=Nn8D|_K27=QG~jfN8Pf3B(GW9`HcR^`=CYVu{U|ni1W&uU
zs4)j!IS(ps!EY@O3x|fEO$PYshi1-CFh0{+jM(kjZIV(Ol|>pdO(*3%+r0|1znSZ_
zEnq#oHuO3?W2v|vI`r39x3aiKn3P-6qiz$vOV%<ir|+BlQ)D>z)_f?O<#)u(eaPku
z(w3#~CBNQ>;r_~@<z*e+XdTKE8TEe`!8i%HgJ=5Y28dGW^CFin?LeCzIl#6L>BHx|
zkpA9I?WeX0tmIAH>p>6CaruM!XXR6vqm$5gS4o5^;~M0mHnC0+XRB6XWWN3LIw;^S
zw6>ta35Bx14ucynJ*qc4r0j(T2j*HwO%f~JPjOsY_H|=7Mp4P`71@wfT0v})Zyug)
z6PSK3pYGlf7%NmYbt`+tD$of#dK&fflzPMo(30cL-Sm#cIu^I;rlEQ$D&X#s_-^ZI
z+iWCKYGP)r=0)iA_|a;@E%QBao{|AzlI2l9H47NrJc3L&(E$xNCszHdH&Y;Mz`V*a
z=$s`+>88tf)7I6|(=%1N4D>M`!gdFw*Vf-A(trD~F^qH^6SC2L2O=Dyy^FOn_N@A(
z<LU8gUF&9;mkwuqw#H&@02}@}?A=tQ;!Uo>xq2tZtfSj%7PxY-SL1HhQK?#5I3XhX
zO2RxL)9(>Yp+61;@!MwBJP^+G(Xlx;7BA-jY+dKCbJ+(KmmmGle(}FQ>G&VdEa+5X
zM%KWD8Sb@SwyjU?Q+is;Y~WpsB7#SS^tciW(`5Z>SAt&gBgvy{^k>EP)|?i$hMrj!
z!%hR1o~xv-pCFYGlL^QdrGCkpY$RMt8qypWd4le!mQ(uhx^^mnq<>YVwi8PY!#O3r
z;-)*3@o7oFzP~rFnAyz`gTDJb&ttx{<uiIa6;qUfs`&mo1Md=@+QRu0`Ymmtw)&|(
zz9qQ(&HEK`gS8Q_>Q=)qj44)+^u!~5x($rlmc+K#LQXaY(zR~V{W2Q&HRabyxtPv|
zoFa{m2@Y3qmt<5QB(r4&ziqC3zc)qAO*XqR(~*SCF9qb^yDR(Lte&zd{wY85*1(7U
z-Zvu1CO>^t_Lfce2+V5)=3WO@ZDo15Sy7`m{C3)>ysvYGIJ<Dr`?-$9^&vaAixq|0
zYrW}y9>4D|8mje^X?E9UDk2*C^|KX*fAmDv*e)QofQB;DJ#wjj=uCN%>hAV9oan1^
z%EY0YMwMM`SEu2KlK;j~eeEFOPGtU3+n1-I{_)~=F%SG4kaK{>F6t7Zryz46O19?o
z#lC%AOl$T26Jf8VBRaLEyu>`QnjIDNXbzX^Oa(Tcv#8lHd=NVutQsD6h04bczG-B}
zWx8pK$#?t}7yd7IPj@pO+-XYq*=2zdmjb5|Hpk+v&tvxKJQ>p0yIw0r;-`j>Qi}Xg
zZ;Uk_2rJmH`xGx)JV9St9z&vG@mJ3RV$2Ak?d){X-$F0n6zk*<Jn%?i@S-j{*2Yld
zE(%uXDM|U%l9j=?avZ!d#yI|P_>cV7oNkyIH4%9p=wh^8mLTC<wu&1zPb_zDCH1Hq
z{VMV#kyn;oM4zA2E%vlWRZ{bm#`aD<r}{NAK&gJQ3NKWAK}`{>lcRa&ql@00k&wb!
zw?ejN9Mp(BVToHRB2c(wecK=kSG;;>$fUJWQp3G!*GfRKmE6dXWMW|Fdri2;x}STS
zQ?j}nGL?^CvM%`IHR52CV~aGMls7$_0%+}?d9RoHk!S7<Xs%DUU$sloK03HAZre@I
z>E6?|4Xp$e4L1kAsb}9~J4-@Jg8LkCacN6G$G{b;v%8A6W6k#lL^j1WP;(|G`sK^N
zsuH)2IYb8NKU>(s_#%@jh%XR1@KKd)yvUQ?J_T$yyGeVd5-gqUw)c6p*zMvdIkd5&
z19<R_Q(7xKyK|qfCtLVO9bVbDrReQ$q72#z`sH|_Rf@B$;lD(s^lrsDg!r!8YA1%|
zbCrCr_+1g!ci3(x|Jw4QytJxh_Qjn4rxyS^->lUALzl&B&A}?}uAt9|!*O?`5e5&F
z!lEN|nUy%Ij_O;GC{GMPmjDmGQ)kf81H6JZ<wzB}-}rkZd-l?7+Di%wP^xy1mcGi~
zASpesG|8+I)_xe3Atui%;5C<ok4rL4{Ur4=iL_Guq%ovwE$!&B7T7S<1y3+*g3s2U
z4LSnXtcI-Dy}J5qQK{ZMh`<POz#Diw8YXk_-<x9ID^#tJ8x4bVpe$Fq;uxTWOkb0W
zK<KqrqJB6&FYYzrCQiH5f0=;Ntz07#u8yd8%BA{$RYEy;R{5m3o;5;0-S;<a5r0s8
zxEmVGar=s#RXpj150K(#*#cq|38fqO7+g2`{4<ccsw*|gM7gfFiFR1jh|ti#9XgS{
z{HoSrZ)8aSvtQ+CDDQR(QF=42a#ieNV$<f*VA6T3+GTBLgBwTt*F;V#MAe@Wc*df8
z3ZRei@l?Agh+qBcyAtc}5pQ1Wy<7FmfJs*c7mZSyrT|ILFrrTNV$byTUO?CP+NQ>%
zY~bo<{PHMjJjmR2v_WB-!NE7bYS-))fwI`O33H1xu9yqI^_WHM%~TFIFEE*0PXuPn
z^?V+cD?P=3rG)M4CbSZ>a2M%hxUMqiO8h3XZe71iTyVR*Sup~8pAz^9;72hbSCsxm
z31e*=taT1B{!II)d{4#HkGj2PS~uumU~dLQhxHO}1Bx$Da1#;4CwivpJYGZ((8{Gn
z6XTPhVva2|QxD&ON$0G!A_(YQ$LLX&Bu2oq|Dx8&>DP43z1FNma-P;DHi7r~tsY0A
zvA)4FM`u%|TyGM%gT5=N7vUZ3g^O#VI7*=<SSQ#121n^CkgMCdsuBILwfxa1X_!5W
z(#0>MLs4fY9nR>ML>G6>Rl!RpVggrMGdrGPw^qgY6I!D`mgnsyVH6Gz-ra?+2vF6D
ztDOp&$wktH-_c92xk8WVX8IW>1IsL3)ogy8%Wmx$C2umzT$J`8NE)eU;>|s>t3oCR
zq{lc0J4|mTFx$IpqCGvoYSfFF%^RFD^PCOC<WX@w1xhQKTFP~@$RbUk*;##Ox%ZM(
zFHbJ5?sZ8}XVC|xI%%uE{<t~g9B=W?4SV`Y@7rKl?XMhKkMLLyPRht4)L2!%#$%>D
zS$!PWD9S_+bUK&2=Ms~^V?J_E03wDr^A0m}r&3^DU%xI=So52Axt7L>iOClH>=s_Z
z(&|mMdx5RvcNguDN0-F+Z!6bz1<}X^{Ubp3|0?U+x=vnJj5Mlt=iPPh8;V0{ZPFbI
zq58`ce_si@9f|Us6D>5%S8iU_E7aq&*=xSz>b*Y#`$hLE<RmZSrw`$qOC1TZ5XO|T
z+CxJ5B!0Zk;aL6Uh8zLaF+hnSt+ZUr0VQJ&Mc;Qv+j^&_;oHP*U53l%JMGS<%01cv
z3j@+Nef<lr{o$(;zh+aZuTAo;aQDDvwYz&9^3n<`POjfBw%!IB7lFha-JhUiqWga`
zao=LY$~UDQ;!}|x(05YA>TsXgp7hD+rSIQ)o2<Y8{>qCxxX!VhD);iO{Z13|a)oW@
zx`G8HJ04iMEf&p&%3gAgBjqkbj-jqpRsy$FV!lpAb_6r`hlpCGb0x{9VigUJGe3(<
z>V9xF7=|1`+VyH?i-cdcb_d=Y(ht`v;G1a;1bxo{5-dUef-fMol`*8Ll-uyFVi+@g
zZE8H9wxuJ}yho?cb$2lJONkUHHXU4+^-;*+2gDA}cGugO{rtdsUs3AFanfx8Ll2!@
z%EV|V-X;YB;&Hk8^1NaquH$2sGC!$&j|}3p>BJm8Vp60*eHfe?;dAJmMM2R6Uy_t=
zk-E=_KdJQ+EHqv6HNXP8P~OZ`p*+Mwl_pnlQneFa)Dunx99!$kq)k~zgDSTM@T4Kd
z9I0VZ7|)ke={L(RfsH=yIWu^9JDO8^SQJxFbLy1;p_x(d-a+raUXu-niKubb8^4$f
zrPycnQkYc7&y+9_pj`pFbvS2w=BGNAaCU7DIKCbUbbI7H;$0nX1IB&XntRvao^53z
zR{J}kX0fBQ-Y@&7&TVqA!j{RRWVai29gAN=?LTKnEta;wX>F1W#5(+bRuX!4N%EIt
z$sY9#ej~-AQq6guI?Gw?%WDB{H82^#%7G%CJn_aBhqxve)BFX6ubE>0%=1#$2#f-I
zfp9iHG4#fyT0~;Of+l8PIVtE!H7iM*6xMea&}WBf*cpBN5ymh)SD}~&*xRho=LY7W
zIflhQ;j_bB`@>h39p(G%-Y7oqDR^?+Q;FYCYo_`LvQo)*ZIjyB*3DfvupJyE2HN&x
zlaJsBExl7r1E)DRq*0wzh7o*Q6(-{_N5fiu!Cs-Xy_BrX(51l==_WeD>}248%lzJ+
zyx8+q{e79QSSpBK{)q4>p`sxJ9rSo0Z#&X(HU^M27J4PsFn7z2w3JX`$;jD*jrIH8
z38O&UKckq<|BXZa9i8|q_#>nB5FkV<IJ5+AXO|RR&)rQ}2-@64t=&hpjuixgXeo+R
zuV8t~#yW53&SS2n!2!tnVxEI^o`GxO!lS9cL+h=LI0i^#AWf+6Ubcn8Gmw~`Tz=p1
z-2gRv?@G(us^7J&kC@k0lx5u}rybVTmRixnAVW*&A>7Aic}KmmyZJJ+tfQKClOr{$
zkH@^!)as~;;67?7GEIf9cx0Emj6w=unO=80ph9IefUoOc9iBVPTlB7@sGV|IsZ*65
zA8k*oZ+hb)abv**5EnIkQfg%c-X3lHX(cujM)4hxLmee-BK>ebiBJugb>=?hAdbP0
zqodE=FhJyv(u&j0V>JHOi<3_#Qo~g-M-u|O)Yi<&E>Qrn7&8>uy8Kl+jkoEMMg@O#
zSM1!bN)n(!ejn&Yd@@rTw=nUjK>}MoqjWUc-G`80N)h#!yv>4GU|xTxC0!y6Gi7sy
z)aszO08_!idJiSW3aGs5OS7c!WCY7~DLnap`Ua9Tju|&J^?YYkvtlBXzcvi<0;>7E
z#hF&Ad*66z@e=ac1O;^7`Z1cp_@H)yiic_E_7!sXFmd`;7YA~dsAR9`qI_N^E_LtU
zi-560o~!zgAFgKC`%HF8u!aEf4zzd5it4=~pQn?VG9h%*@snC+C&IyqJT7X!_^7GD
zG4f%P$4E@-QH|y2@$1WPZ6_N;Bdq5mr|{2`aeu)L!Cu?y?%+TR#Pi)^k}OUM%bl^N
z%Y1g}Fq_(V|5F;5nR)9bTI2CE!C%NbQ~YnkyAMSq$MJ&nQ#Ls)8U8c`)=`m~iovBX
zc-7HKzVWcYm?Z^2r-8I(ag&HpZ89&2xVT;G9;|Uxe}QR|M(O$nH=TXhJy0roYK^R$
z>6w}O8&bMtcyxC`GT=CWhD19OSCWtFR2mNUINjtMf?qs*H!@dYI?EoYn~D{|%X-@{
z(emj@uN~*JW*(F<qWF;M#L#QnlleMn=P2CO^Dq2AOa67a5a_odwCg;<{=rrN8VF-E
zJ5*fnO^=;gRwdV)x;FF@BPLcrVC7Q*INPrB%!pS~ao<me_|pG%hx30{&j0?T_AuBB
zunfx7yw#(wcP0ww!*5Ioo!gyTC^du>+ZGjGmA_;Hx_*fVx?E_dDkMaM5?>2Fk;l<t
zOtgl-$TsLWj|*q=)fK%*HgkIlckC+|rf4WP@(>?;&H^UMjkP4^v-W_`09BJ`#RGr9
zZt=IGdg229K)LR2UTuFreKz6Nei2YA@O^kQGFpPUg*Uru8l{yyz<t7E`OvY=5ilNY
z`p<Z$ya>7<T|$Gl8(0c@iJVfF1Bp7m?v;eA6(rKLI&!3@D$VUQNDg@cXj|QYo^YhJ
z<NSS@QGEpp%BB;R<g<774ClpFF?LcD;Il|fYIqxmvkS65B^SLoZd?3&ewXeP^Muy<
zy;l~(i~Z8P(lB4)F^E?x#OR>?0IOn4r+P6B<$Pzr|82yr?Cb47E1wqBh-7huSKw8<
zsaF02n+zjQC3<-IC5Pe4RD^-Tda6^Qh~U8L7{x(NPk7W}6ys*0M#BemFUX`Bu9%Bt
zjRZRORh~4-rro>|Q8=0O1V_^TBrmBGc6>-v{M>%V?uV+&f<qI`84gCBGg`<dcU~S8
z7_=3gDe(}Jq7i+$5a~qFtBn6tRX@w&Fs~IWS=dcJ=Rg3A9GRKYhBcz*(kQs)P78O2
zN9P-;cQD$Lr%Rg|r2{m4tMs)H5O|;5tK#d(>7~>Q6!L0AIZp#k{cepRH*|3wX{=pJ
z?q>{FHpev^vAMtP-UNxspgj1FY^Ru<hIESy_%BGrR=g0>{q^0y#>1w*o=K8-AT;8d
z5yQqsd8sca?!l?~+QJ64LV2=W<90|z_B1KiOL{fW@$~qZPh>aouI(@YFr!a_HyXiL
zuLzbdSv)^F*ZPUVs`_I{5Uli-C&Lv}R>(0gG_w~gaPQmp_<Li|_ZIUqw8@Mytj&yX
zZ^!(rsy*lP{aU~f>YvKd-~{ur8})wf4va~OVLiW89jjSSH1^Y7(Hjp~zd6n&F>db-
zUC&F+*ge-RNzzzMGT9s}0Fax&eP)Kj{%H|kXCA;9wqCa~%hA}P^7ELrajl*3cS{8<
zW=v%ZDocYckn9CGi`9K}(*~-f!T1)l{6PUM9td5q`^(g3T>0<yhsS$QgV}BD8|fIj
z7nP<X0Oq^H9wq(_9HpJ+E3b8lX;NF7z~<zWKusF+?EjU$U#5Trbl{lzKvo1v+~AdA
z36-FqwmYb=lagHU-MX4&J?LP7K>yU2dj}HUY0~GYd$nC1&K4eX$)(ufp)7VMXbfNa
z-cZ$x_ZlI5Mf2226Dw^pAL(KbcZ|tSOLAWApc`@JfS1uN>+-ML`G(*779~wYTxK78
zK5PmDB#6P_<u36K=m5)R{UK23`W1`q@7fKQO)1GC*tiY{1}o!dGo7@glkYs9@xt*T
zxU!WV6ex?J5U574E30&Pi6MFNX<8b<wR9x7xNlf&vLgQVHmT^Bx1DK;t4PWDG|`fQ
zgsN20lSoFKyx-c8(1RMSOFxjCK$8`qdaHf9zo^80#02`{fC}c|z&pB8p&H3J?0M3Q
z!SNq7ScwN&t(6WqTh9Bkgg52~qkW<#kJAul;(9n9r>K|U(@U=k_tX6{`DJc+0Nz@S
z#%GMFP9H|i8GT|*qMXMY4k2Fo3k~b7Hl2i9l!(8)CtcSwaPF}U<jRnoy<K5V2O3d$
zbFOx1EYPBmWLWEwTT!>Ydv;x>vUkTx&R^nD!_Fe7DUHabGn(owVsIi}9oQ_ISu)H+
zzwAeyos_JG$6SyGf3D5Ly25n|6Yn73rqKo;ZpTrtGahPfp_*wa2TSvF$w9hf)eZ@y
zkjlsfewop-j=<V<uGY3YQwavUU6@Q(nXxQmR<Y88am>b!j{ZAxh3wF0ByAwdb(9~l
znhu+%-OWR9h2#ml;eUiREDa*8(AnOd^A#$^ZH}eJnKXNcdYK9ck=+&OF@{Gd$niRS
z6XHwVt$kLnB(YPNscKwqjWjSjOoVJwe=*eUr4Bt}5i8TX74ff@RJ!jm7K*cM1#c@@
z!n~MU<NASor)ZSZ4P#fl|7H~8Zh|y*O)?jgpVA%_;>8p637ooQ9`p54PIVLlTsNiO
z{@T#DwgQ|Vr+u0f542=r@S;EbQlONCP4_s67`J30<7BusPOzrSo+E8tba6KFs)Ylk
z=t32FWk@uKQT6jhgoAXQ37hLsTd&lOi>@j5sd*=4*x#-hW#OKfMO4A-ESvktFcwhU
z14qhXwZ&#0XAaQ9&bQc6QitT)Kd$i!ASc4St>i&}&Bu=KU9YJEm^I58k)y4#(xb=Q
zmNa~*_lDhlf#{1&wDVr1qzZ?G@QlaRagnA<a0^ME0(=J&%N{5wtSwo<IsoXY8}?>R
zjjIlPQ4OvZCdRs|H&$dFpF1sXOc~rJcu<$li*}s@Y=VJbz&{;*apR&5^Cw3SbJ8w;
zo6f@lJw^%Rmv9EvnDS!U*RF2;--}P@?&A<5z%1T=9j>1amy=SM+k_p7?8(5{j?7Aj
zyJI(s5*d+DJNz~8XMV(*xk%bBFz(m;hQ|lms_%WO>}L&>nb;BiGn<Ou!G@%8e@Y+u
zAg!#a@&0p<P+y0`1|6+SV%g!V7Zm3aWD03?ikY-8W)9~VsDp|RNxA?4!n+_JPi@tl
z?A9<tul~1wBB|pmH2L1faN-gSD*(`_K=YE9KU@5C=hw~2%y=p1F?-?68p=k{fNKHR
z#*rlJW5^TtDSir=tRol;P-pC2E9)aqy=~~sOmfHH%%>sY8;6}c=$nHY9(!Y3(t$w^
zG)5pBC)}4R!*Xwt+@*ab(~$9VJpdg+N*W_A#nC6k-sOFKL|LkH>Rw+7SReBg8S^<Q
zEjA_$^ivSh`j^V#zDGRZP+!sC=U4PMTMG$!{$aF@L~*v64atV2ejXzG`kb%Q-9-p1
zL&ENMAh9OVX8wB+@djwwEU*cHp#AA68;^BBAJQW)B07ohS(+KmF(1>5Ar8ghHV4ga
zU~94v*6^0V|2#TXr^AfjIP9JK9K?SsuB_-qnB3sB4sO*n@L6t~Bz(Dm?XB6mQC_d;
z^rL76t{$(>YCI5|w<Fvt83uRMpAj5+OB%V`kx&y5og*VHMe1-pRx6Y8v~6$V(ScIO
zV}{AkP#wM+>WEX_faG77M7#8B_0^v#FMFZKl+vW3t+Vh?I;Vh^zU5%WT7r|ocZ{^N
zd$wQ@Q1vwILe$le5=Un}(pFf+>UXZm3G&ZI2B4?WrH$h%G>jcU`z7CETC_P6Ev52B
zF61dEVgPO<bUQ_~5scec0iN)IvV5S$Qed4ASy6fv3X;{?cehP<Wv>szIeY;eXnBk?
zQ^EP}5oP20yZzhUdaR#t6KW!5KpG+M`zUM;A}*&rQ=o>Q=nxi7co%Dsbv!viJDD_v
zSDQ6sx4i?b>VWsW<D6K5B~m$E1wfSJ12u}Kl4pvo>MR*)GeQRx5&*<+doM>2r>ck>
zqe?IpS>0w=!NbyT1LUUI4k<~q1b>!f0yWqVGDXS~i(1tce(oq1i(xj-lhM0aVZ#Rp
zt<uz~b)ync_z%p^n$xadOUF@#54XFHK9sXH_U$$8haay=l`;yw^*Wam^?Hb<Y}>rl
z0!juigP*cI5e&I-PMJo|;K|bmH2SBN7oLBIW*B3a+m~;oE!*<m!mJ00rle>c+TKmT
z`)$D(mS5y*uxWo*fS?+;qC?g#C#MA)<y*k!!W8muFHc6%b+;Ou8B0@HrO6+J#<Z=>
zDYQ2TT{7TZX;-4S0#~u1pJdZ$X8Kp$`u!;SZ%CdDA-$^uBA5`pSFyKoJVZHFy0FBE
zN)o%piVYVOc<mh|+Z3POWkV1<GiQL$qN`H8am8X(x$gSeC2K^@TDdz+Vs&_@c~P0(
z&HuWM^ze;>^I0og1B$yF;-)Dg7`@2685I_{{!-~~+cbl|mDAc2?-$0qfH`GR>{@T|
zE7$6FLLiI(CP+Gh8LBB8IS2Wc2O_0=&N|p0?d_)unYvy!q`V^UmxOt{EMw6KkWVSw
z`zk_}ZRu!lkwj{N>+}e!leuQAY=S;;@Ri7LQy@*wg^wOCZKdaw@ma3&dy787g||~w
zY#f0x<L-NhXyV@H?hpXVlE%7m0@C90FAF2YSvNZ+RfB8~5sm^c+-A{AxK9zdGgIHv
z7kOyjVA&Lj*j1JfW51xU|5t5ww~`$#MpAxWwhxYDo-A}yHNa{N>UZm$5Hk`K-P;9@
z^j0olc~U-0r!^^r;WKsB)-k$`uz7bXL?}AU#fT8sDJ2@0?8;J7>QcRZSY#)wJ1N9~
zXy+l0?3uTQQ9Kmh<YP;7LVWkki#k&FgMt(eP1mVIuU0ArR~LO;u7bR5&o>L-`d*by
z@~8v<U+lekP?KBMK6)Gw0TGUhD9E55ML|GiQbth`6%iEzGK6`CFwa8}5J3@95rITN
zK&Au|WF{dXgQ7q{gb*Mk5s)y15as|O$$jbm?pLR~>z@AgKeuk(>OUwdsoItIU3=|k
zul?+`o&`4_Tcbj!$Q7Etm;4ol*NM$%?e3_^kf?FPp4?y!OR?_O+CovMa1vi54D-_B
zNUs`C0x|DyCv*OcOWm5!WtP?GBqy>-rX8q7o^7=OXUTa93Sn+HDR}!?lj%hOUs9;>
zIqENcXpL`>Bx}oSLLW&mv@u<Mvy72@LL80kBf3BIYKcoIik>QH9Ucr3MaK$<>QE+P
z{bCN?bPv12ZKEutoY?;h@Qt5dxRh3Jl(6K5AESO<Qa;sR(S5xkU%!vhXe6dmQ1rx?
zM#w;Uwih(C&c~|KA|VW>;pMoW5tigJU>{R8Q{-~cl`vKOEIA=~3SRMD^L&2d55dpV
z>x8DQ2+UEf`GTF1^Zag2*^AjnITU_ATHj-55f+_k(R(Iy9M-zO^qjTKKx+xys0Jtl
zm*nFc$k%UlvzyKe&}q54Cd12%s+7&4tzz5y>oJq;u?|aDO!<wKF6F?$q6e?n6i4LE
z%|a^-6Vpr+4sqlY$97)WWunJ&yhH$8;~Aj~$9}>rRCzCNI9qA1pDU=|n1=|TG`s9e
zZR`xUGDOJcV63Gs1ekRiZ-CDk>bdD9Sv*`HZ=b*npI<3zscouGfA?kN+1-W_vld?y
z>*FC<m|9BD4)LI8^JvUe6eDGaD<HHZ;43Bv2&O?kKNE}pS+8pW)(9PfYE>DhG_tQM
z0a8O1Ui3&t;^JU}XiizazIL`o)@~m%>jr&EVf^g(Aa9})>{vB=4tIk(<7`YeR`5m?
zMJAwDQ7#ACC6~Dm3(nhC7O|hlQBlT~pkcEX6>(S$1#x0EQs#Nrh|ejkMF->x@r|HZ
zCwysgjyK1$$@OnA?&6DS|4B>TvuHMBCT0TecU$ioZD^74Drt3am@@OvU@<qKqRJ6C
zBlGfJMyS6n09A&mE`OD)96K&hRtHQ>&h+mg4sut6mxpGOoPPY6Bhn2DI<-*vb)TZk
zYajZ_C6)j*l_Sh9v{CMqQGz<NreGd+hv#w>MrZcz2{@j_8cj=u;aG@+^T9Uam@)X#
zeb?i|a!oSbdvFUs-guocEqcB&je8}q?0leoS={Ul1A|l&xf;%0F+w-0=Zz=xC>YH~
zx{?+@p>LEM<Ba9nNcV&6C!Pqm&JQ2D8=2>(Tz9k8t1^*|_*4WDE8HNrZ0I*SAJ46a
ztcy$*>`;t>f}VO2mOc%gPphp9TYUXKStp_D0iOUT81>Boz+l9cTZwCo?pn3Fvq8ky
ze2Z_Dz;Dfgdv}DlhXlip>J3q_$IQ!^LR3Mby&|iBSSM0fU4mpdvbL4;_s9{P`MrTa
zBZakLoR14WlnSvRMK7&6)X1}Pu7VKS^g8$Rg%z_8wU}mI1Lal4_kX(wgw%?|p#vgo
zr`hN7W6y&FgBVY}Fs=&KzebR?0pka(_4{gqIgyMPPR5Nl$ZQb_Zzvn0KLTHCbK-`o
zTYXevh;cOv<P~P49(4VYM5Gg-e67X2@{3W6y&Y!y%YLzHs(zhMJ4i~78vAQ$iQg(e
zZaA|%>*kHUU1+Yx5?K<p3L$*OX?#)SEdZV|;`0H&9B!e17Ysyt&H!rrjtaqtL&JGF
zOw!piQGTRBpE~1Q;wFi`Iqs(o-vzWRDE)@{OER~6HvmpK^0qeN9;|ytEpOwsq&#dg
z%ElyL?EsOF>NwtP-K7gM3ZESoZ@o+m5jD{|Alx+*OXY~@9GG|V-;+;oqCK(h{(8S4
z4YkyE;UpyC<JR}<1+;P@;RB#@Oij4gm1e)}F373E!w{_}6CKk1pKT)gHpbQgnHVRl
zTDm*X9Te?nb$^di^RKIccQQ`48MyW4IK4RcLCA#<H;-E$^gAkiNG)l~e2FF*?af!)
z_)HtNMtkW%8`NU@`(`||2>y&fNvc4u89rAHq-~kme+00LMB=9ce?JX8pkXB+;=@Mt
zf<Kc0f&QuuSNJJ17>uOIupK&Y8{HCDYSGyG`9yxBbjkiSUc~jrH8ZF|qx)AyA4x$k
zHIIS!-+xPN_6AT0<txZ8@)Ue{#yyY5e@U&W34o0<)Y(Ual?H)TeKBInYC0n>{uq62
zK7X^)%8+uY8d$Z}%CP{Ujh13H;NmibILWLDv_6PFCDy)-Ry4T0UoR=^7T}==<wz*I
z9f5Dle`rKG&vwGU4W=<>I)b%E%&I}x34(N(RzE}zYvH9snDcGkU#qZ@A|x=fNqP?C
zIOHH?Yd!tn_xXM^({FMf>li<mdoD>_M}+gJI7WN;$lbl;!_<Af;UFm?YhDhP>AJrH
z1S5>23fS{ibsiNwXbXE&XWZiXzSB!0e{u6FTahCK0E;%L|ENa9^&!Qgp7_Osa#?{&
z^?yvB^=C@e?H=11Q#8oXf`2x8`#23i5b^T4qC^isi^;gtXFq{JT{zA$K1CwudWBM1
zFT<lh$!bV6HfcHfwQ8GabKZq>3oQ=N77cF$N*2$~I#H!^79Oc(Bf{j4kqAM}KS%vo
zW-eu`$FtiOr`ZAYpkEhUDUBOr+I_LVU)wVzXuLswKNGE&#QLNYnz;+6zF*w5FlSl0
zN&8r;<PqQ|=Y|;0CerCAoQ8^&2`Zp(A$9eFC$naEgjdF!X_Uu9GFtlH&W%BnY4~m*
z?EHZq-HqhZF~8AAm<wvP>wO3UvikrV$6Z3sw0L`+0C2-F_D%E}!V7Ch`QqL5nI_<H
zS|b%BXqFM%@B=gAw|tlv%wO;L`8FxqJNJ1=`TaIdywl*-816=K_)NM*+oX!X_}Slz
zzQ3gc+7&*BhdZxzy;T&t8lYf~Qtiq>-z@o>DZj1ECSKe1b&)GCw2$3^UZxSCzK@s7
zQuVc^8h5%gNHqdd`7L!p@nI0Fnmc>PW-w)uC=^xDgT8E*j_kBHs}<W=YNGq^IKa4B
z3+U6>x@V&d6vi87BEaI!L@qaD#qSm%5h=w8yNUH<HRo{4H<r<QfOS9Z3AuWd9eEQZ
z%B#^Y=>1}H?twugk#fWx%9}`?o;~=5BM%*(->L3!?dXg3bfZ=958uXCOptNt!Ef_~
zSp@6N!BnGl@OwSfcbTu}EGtzTL+Dsa*{z8MR-}z+FC)1rH+XHdZJ-jQDYg|#?!mHF
zVF>I({<hOj@t%ASS>-<*7{dX@TlzvD-c?`@BTc+lo9l&<7nwa;g#DCf*cY4h(@ElT
zU;nB**hA`eu$7~`-Vv#7FEK#X7&~@^yLKiJ5XCulC-9_&O~k92h=JdIRKp1I{Ri*r
zC^%RF5x_vO57ol<X4v~ue%Io6{-_PlO$`Ay@^`)yIn#^phh3%`6MbPt8zP>>(kr2P
zfNGNC00Him!1r_8X(5K$YR1RwmN9lkEkJYj^2z{?n#B_lU$wS{I_k$<7GtcDG*IHO
z2S?F5Mtr0@k#<+F_==bwpSVmtYkz-93s+#-s~u48$*aOJR!G8iqYh6}ZqD@#;$$ow
zm^9M-#cNMe{Hn^9(ZZ07yw$Z~1?~O8dh5N2nAXMVE32LxgdM@Q@`v7AG@pvBZ>Bb}
zGdZj-UXC7XyvsoF(7H(9g!ElDdt8JqGHDuYOjkZAg|aP2;LI7~L4+wv@)O+XO3f-_
z0e;mFl>%k%D)78EqptV0Xjz~90P}Vmp<YfOJGxF2T_(jP_<+WctwY7xQCBbJ$S1Lu
zdz%k!a<o=IOtii1*xG2$+7W_9r9Y9)X^OXofKFZdkRT)u%Z13QXVdtpzy)K~QOzxe
z-$%f81sRz6gp85%F1#JSuypmZqYy0V6C)N6=SxeAHso-g?%74&%#W?GU=Po`LPXD?
zzFj9Dz`m7Fnxgrm>8-301|1fbf^kE7jR3tVGACYK*3^D{ftjipV9<9*emr`8QO<R?
z8r{mc!LLpZG7bE(NN)YM>GTrl50Wt96?mojIH^|m%xD78*csj{cV}ORsqh(lH1jci
z#Ju^km}`jQFfO83$NN-mk@2Xv>u913Klx+g!Nwgt7z}s@#RL0hMT}SAR|qqsGCQZO
z@(?}|ie&(48Pm(c7Nz7+H_KMDGOnAlelkX?1ub;u3rxDJmD6&Q$DW7$972KPp2fk6
z&LiZnZl=iQpj-Y@RN&q{d))qUP{}<?BWLhR!IgCC+jC&gJ;KtS3J%dycPPOb+1+E=
zT3L$f)X`kUy~{zDw%n`y#+U;A1v@@=<VMtfia!^#gOP}d3^o?K0+R}=kW7gNS(FHR
zHxw!H=9_rO0W`J^T@|BM+?6^|G^1Z2AD0pl`h3G>9(_Z^nuW0LFc<f5Hrr_PMbrmx
zfQTDuabq3Qm|j)ydwLF=&zY`!$o)zcu^C5I+(!7J;UTb6;Akf3UlQ<cryA5W{f`8l
zqC44#cRQ^;&`7Vv_QFU53vNQv7=+fi`)AmzYy5}T%Rtc{-+$J{&AN+qW@xbIz{Kj0
zBBfo!{4@S|;E*8LRiTfT+x=S&(5yS!XFzS(qITRW9D7&im~N|XqmQ>j{03yQQx8(t
zC?&YNcPo6bX6)b#tuJqsEtG~Bz=;Lkgl3t9@3kI6_(Aus0TSsoI}()-zP+{PX9p%r
zg}6iOzRX?(fs0*7Dt~Xcw%>KfcS!X9eG*_)7{c0D>Riq_ce8<D@z92VwPiDdTjD-n
zKgj1?wawO&Ixv4#_2H}SHPSvKp*#5G^0*a1Mrhz0Z>N{Wh4l$W_pKW2I^4(D%zNcL
zrd-zp@DFMjxe^271kF+sohUWZ5+Z4-HngJ0+e)hxM39;*T|gU4moy|E=N^g!j@s?X
zNZG?R(Scv@SsQrfSR1q=5jmxsSyq+IM45KD>SuG!tup(<HepC824P0CLU=vF==*pw
zmA6kOfnC3rfMqfPEEDM9u;91{mD3qW#cxrbOK@yo?LP}-^{9qPknPEukwbyS_b**0
zG)VPS@8OTC0;vy-_M4vtokvy-0s<;kEZgAL;V;nj`wuP652lfkB8>04`{2c!;0ll7
zO8ro(&#pdp0z79{P2ziu*AR(ToEvku=4NYT>06V-0N;GKjwnV1v$Q3L%<pMi_Twm*
zJ143Z55C4**<+x^(!R_N)Y(fqe-yp0h@|3XS=IA-^SaWk%cAXpR)4LGvbd8TENb${
zY}^cr<Rd7f`B~+&363+*c9O}Tye(?t5EsjdNDxt<NIe0aof`&X%Za-$gkwr?cS_Zb
ziZ;K`mMDK|@jzdj@dz<W_G9oaa<>lss9*bH9lv0|a%H62(_^5<7h?>nGcUJ-T#MO=
zy`q;?yt+-h2$02HE9WJBac$=FlIim&F6-I3kfLY$Y9&pHy4;mOmBN?vj%v)O9l<J-
zos)br6Vm(TBJ0sECN=53>RjcD4WeBP$>*9~6*-q%SSMKBquz)C0#m+zP#<H$L{I2R
z^0D@+vD+56?tnk6&Gw@|sRv6vu)k+4(k&L3;ss@ue~Y`}-&J1fA;^#X@zN_0GGvi{
ztbiayW=D`iNHE&V5J)St;sugP-{oCbklZ$WQDA&SAL*>Gp0E!Sa{0v8yP7;RpdlN&
zViD^^A=+Q<$Gp%fN-lkvcl8pu<w17AHilEUwGngB)iwXbLs7~_Q5O_}fa>1Yn+_+5
z`JgOyq}jJ1dc>PZt$JxXcdQOS7y6OZXZR%TP!d<I2<gYCpIVh0FZ4!^4PBoyL|l0*
zGri?M=&j=DyrnkOtmGjF9LGF1Y!lZ{Y2SOTug$rCRn6Mc%y{YvMuWI|76k;}pF;2r
zrVE4lpOfR1u9Ks(0BQ5*J7Y9^^Nm597^!HpBi}9R(1<~pk>W@>7Uh9nmC0O+K(X2P
z4TJWl8V&aOKmbn#8T67B2vQKeNSP!rF6Ro94Ny<lu%Tp~_|F3_H7L427)WT~oHR_?
z55)q<D9EMlGoz3frCv||dl0z8OtCMx5ZlhZkVGXn(9V`g5gF5u*$*7RWeSf&x6dlF
z^@C`tULRdszp?dKxXi!a@BeSc+hAzys%}#8!S@tOWL8JSsNMUEwv}nu2#?Ip-pz}v
zf2#mEBD^&$mE?qM_QlnMQ?iQ|USS*w{-?c^^?238(RE-)s%_e~yGq0K{CcJM<R?DQ
zzsoL}z^wK}9>m;y-V<3M%nGg~SpM+Xj<YYb=K52vo<bSKhrv+4P2h=kX`(}c%N@Ac
zJXY2e_>lIo7m+dG?4tKh3@fcYSQ*w!-LR9i+@e}fCouaZxh4m<nVG((kM;T{Jx}LM
zR|>WZhXqzxHbo^^kCt@yv_PyA9fWaX(mh`FCHjpaYk|~0^PC{OT`~Nya7C%mm0-SU
z4ZdS$m%DT_Ehf7Gs+7@NIhZIWeQC0NqV@cnkej)EveuuwMT#1v$WAP9JZdj^RmwP3
zNNBw!xzH#hixO=Yh&;0}Yawp>+eAt%aP`Z5c&MkiqUC;K=zh$^ez}p@*0?a31=tSx
z4Ax^^W2`>hJ{?7=b+r{!H@5avK&;KPF?-s~B><if`p!N6IM+?BYtI1Xqkh3O?kX!g
zo>W^2&h(X(D9IlbQa%-Owmf))9HP9%3AL{AxZcXLQn)AH3bYzB%Qgd@;&j?<`W*9r
zSnMZ_FYdi5W>|nnf7z(RiSIk6`r!)5OmQO7qgpB2mvbA2_(0<RRR6+Mx9$RXjUP+6
zLI3in=CAb|A)aO?^~DOuwAafW1oG}?r*7)x$tR-lTU`F-7v-{ZRz>>S5VxVE&;y8a
z5J1nAn3vtIM@26)_DxtM2lW$aNNuyeAHf%p(ZD1$tcLZP7oI!fXr^Wddbo!EeRjXv
zruF4voRz*E9~7KSr)<4HjK?c!O(pz6j)IE%YVl!3eCU*m%e3CQnDc3N{#L%z(g^z^
zgcz0vH8~U-Uf$arvJUQ_)!`FPtq`lteuYvL^qSQUG)})BybrZmUL+?JgmD?SWsQ<U
zR!QfYk#_h3KMZ&Mcm&@3XG37entrfrof273EI){)rI9V0llD{WFV=%-lK4X>fHGF;
z(VOb_Q#L#Pf%LREVdAq?SZKSwX{qC9KQ)NfF(0%0C&@*kgz%|%4w}`z8P(XnX73Ce
z=1}6Ih~AoW?7TaNp-q|C(f=tjbNxzcM_l4ESDU*~1b?e0^ISsuu2qv`f=6G`wM)_(
zer!Au4oKxD_~L$GeJkw79)Epw)jndqVPZeYkn&9iB-W_KjQ$i7qjn+2@%3>&MO4$$
zgZ>uXb7n_A`}WCF>ibR}pm_{526sM_x5|)y`QpesD!8;&yqpxerjd5OO!kYxRIXI!
zbyf#{okivC7NG!LeC`*BnmQPhf6w*ped?ak?$a<F2)$@w7gLqR#n+u4$%afRb-?Vr
zU8>ysG1B!@Ayrk;FOLz+%ca8*Uf^K;qG!>i@=pzjIMj1?9*lbU+<BlA;$1Id!SR&o
zU0i_YAa@p|BUQl;K-cBBSr^w@8ZiNZA|0za@|COMio9dzJVntI-N>vbY`KuhGXBw7
z3@DvBAZ1%^ZBget+iBjS0%Dd{PQDdjvz|t0qI`-1%g_Fi_uFgV(&&K;NJQ^}NNr7)
zf(7No@rvT`*9mjLKEiN89#`{tLj{!#BAM(~DzCy}_*ral5LML#U`d)Xe2xk$S2-L4
z?*g+rttd5I^>r4Ukx%k1Jf2iM@ie5P#AE5+&;u}rx7;fqi5u<q_SCc6SchyqzU8{r
zevA9Teh6(oLopjN1V2GyZ>lBai+xyvw^nb?BO*za>VF)8jG%!gq;^N~iUp{|;1?^A
zPWBIVyqLJz!_%juO3693rOS2s9Nh0ZH_CfO#?y<KHC6K8h|_97?qt7bvsg97fz3Fu
zUw=oR%i1WY+8m?^HZZ_{U`60Yl#d^Q0ij&8Pd&pM<I(Wg9$s5;W!gyHEIXOShSZii
zXpT@n&u<oUK>f^tQ)_jd06F08(ua@ttm$LM&og&<e+TV{8ik+-S(DdE5F9m#`mkal
zlr2U5V?9NN{Dig|A10x<@!07gN}$rtxorrOYhKyBT373Ei5F;IvVcF{R_*@%88!;A
zqq=ChYKh0@ocJ*H*u{I(K<kDk`7;mS43@UFtc_R}e9FgAW+bc!xlpw8wJ;RcCgzL7
z$r}=!o)mRJ;^VKYbz`r`svT}O8uj)`JzG|E{;9mv^zokn$&lsi*8QAed#*0^!%xat
zzj_i%i(mh|&Lite=h6+wkqrI1WP|9vjjMy!!#<;)@McIxuB1<O-UbbR^k{;t(7elH
z(Lg1kV?f6>WtI@f|4F5p*B5mm*y<JQ7Tq+|#Tqnx@gY@1rAcV8`1?J7n7ljzSywmQ
z5CV~$9+KUAMSj2n2EQsQc&)xj*6MUe8A?v<(S2)=HWeMaa6-BKUKr+;JMldX^)gXD
zZ$>}V!8jJ)r2e>=+3aN?Jbw0*Xu15a!I@B_;@>O*rde>e^l0NeC~r>!?DQSj-08_t
zWb6HGt&qK~M`z|od-ZsZ6lpb0^*`XZL`^7yX2j|pug#3p8EYRM6vWTp5^HBqr<oWR
z>|uB8L654hG(??WyS5zM9a;~R*aVd!TuYTKCU#!vIkCC9y5fsxJ9QYy@lQlDL2{Rv
z1-=NO8DO&$yE7PSP6mJBlOYEz<$CM&N3iFl?)(U|5jDwUC>cs0hR*wh<C?x#SzIl|
z4f5BV*CL=Mdmq?`A<EY$EoN7MO}jxg8ZC4z>aE<HAW;))aImn1_?>6c&swc_dEc}F
zNpRl!h?-1M6Kg#Ks)|xLpN00(r3)&og0%QtZITbJkftiGX`Oyde89L%3H3*8tSm2n
ztU3jVW76C~jrC&ZD)ikFd<i(Tm1>d&nY(5hI)#ex9@QLG<--p!s(I|X`Yv%Gdavbl
ze)6#!w*@)WH0$VX%{KclpMn?BtK+%}Jo?+q!%^IzXy}CQ=8$<WeBNY#qQH2<p?&{Y
zocvE$W80!&j+U7~+l5od-_H*o@&on9GpB5$8m`p5Gb5EZ+u<Jjyp06ltK?px%T^*A
zy%wpnH|qwmF!2W-rdq2{8WA8r#B7)y_Z|OmR-aYi1B)y-52njLf4}H_Tt>rp1r)mj
z^x3qeAKkt@){&c8+TSGTW|5H~C|UxqcmICN7V$-GiF|=pM?L(w>(}g~tI81T8da?!
z`zj&qX9jZTo`M_Ax!;4Gf|_=DXS($2govC*A}B}>C8_6ueWS<34Sm)y%E(kBUUwo@
zccVK>hXa3aZC2+Szo$9<yKy1rPB2qAhAp*>EiWNrK*^8icak*;jCuYET~)mfvz7sE
zsM;6j^s!OQ3oY98dHaimCm+NHyKBr_%=c>zm|Oh_hapNmvoRzyLWdco4jg&`I1g*&
zZI;NZZ-ABQkp-gZ7_aA0ji9^J#~z5o1RW4F?4>y&9VZRsyfdiAJXVr*)a#48s7e1J
zO|wUrBxdhFx}9#+oVn?8m4!jPFM9SAs$fj@;?-B`l-+(NH$0yTj>PfaKi}zDoE!1r
z;jj_e_wKC+7tFxDhzA}v6{b`8?GyfSO_2Tz^=1UXyfzQ}m?S=~YEP)~@~KL>T=IE`
z02u1IgM1B|rA2%W_4N)D5wds_ziZPQD55#C+rNOS7ZVDa0g*3t1cT``g*n^u3g19d
zp=b4vLS0F49f1I;D@fgkAbDiZ`UKA<%3ulnXpC*OSKvKS%nGw1!gNi+g6pB1d;a*|
z#Z%|jsW<)KTBuDT)<nz(pzqYQ_HJ_OMjnfET9Pp1pi^Jm`=f6k*AKph<S6=>YSe6U
z-pq>pUM-by%&<vIbB&co;%~Mp*@^5u)zE|4`0K7(gBpPL0i7h*vv}gs71{R)h&8Cx
zQC-RO^t4hicWdLcQrIhqQg9wFR(QAk*8+QRWzp<C#OQ~_iNGnYmF#GmcY_Ta^*#;p
ztn@_cP8&hfGxbI9zbLQOAG&nrThVV%5ff*%^C1X9cTM1+4_Ax4Tamd_LeK?)DZ#jz
z9Vsp$Jo_=6YLjDFiyc1y6mxg50(NfT^LUW;(cpyDZy!o;yI+o^D1_!SpV+<nVVBy3
zB_Pa&5puKGyxB|x4^6p4ui2ri%`KP*<%ZxKy7q&Lz#N?U^f9H|3W`*E{;^1uVnOd!
z)^B`E-0Bt+ke+Rmc2(e@UJ<alM%saqvk|B(#VGyd7&bm+aw|15GCQ2GY7-j}oQ`7R
zzKFpH7l6R@`TOKqZ>i^~8o~Llxlrq@d*Fe?r`{Az5^8GVqGy#t^S~yj%K;pzRRn7h
zz&;5}llTXc<DlS&WI3b!85JaM;zdiaiS*{yK>50iy1OnJ3jKy^IQ3Dv>@UTp&XfZX
za+@yK<^MNHheMXKmZIpd3eNhwMb8j+0>n$<=BLY-{-W;aZ-=tIfVS}eV%1API51UZ
z$Bx|>x5XHq9$x-8lC1YMfzjzbz3By4x9gYBJOQ)-9e;j2vy;B9Te!M#ZR+J;UDX0Z
zl7Q~^$&b$ePk%#w?H=H}uh#+jtJ7B9|3;7G%FH3zBnwSFix+~xpeyf>>;$MN$IiEk
zl4WDr_no?d-pBW!*8mT*_f1Ib?R0tA8e?R4B2ecW1CRA>0*#1dP5fmV7jRt|n*_YZ
z-n|9?gx&w<qw}`T<3UB*zwcG|=Nn1c?NK{h{{wNz?foSSuwU2p<nVuE=Kno^|NR&L
z(dvJ7>Gdb=gDa;2f4kV{X#4M6>K}jX1TgA^?DK!)Nq_pC?L5$zPXWW<sm>JNp4opb
zjsJi6?!VLZCo}$cy8i4X|6N^wibnsty8etR{~rfK&z+Gu|F;&ve}VBI_k#a-r%rOq
z%i3AuKMV$BUlsvdnQC69@PD?IT>^q`|9_Kc{%3&un_*;)fl(e;FG&6$Zt4G1a^Vkb
z(c@;Be=SAwr>*60!>+)9Q9m9#s{eT{{rkOo98g64TzdXLw1z4WXBG;4_Wn1K*Pk$M
z`*GX1b!<%?B>ppNcx+2kAAC0aFV_7>-}|RmO*#nZw-vYkRZhk~joAM90|;R=P9LiJ
zKNn@&w!P@KzW3b(kN?aXAI<`!jL*3KyP)?U{Z#fY5RAVQ?ElZKanlqS1-sY%AG*{#
zV5wXZEBeo@@!tjZ503fY1@>nL{_g_&GbUd7|L+3xI+s+pkZRyM_^!c~8%M=giYau@
z5_n%2CL{goqkg+g^K33x1*dnqvLQ&gV%?B7!zJtY9lHm8cc2XEtf}6<laD@aDlBZw
z#TZk+@n9dRJTK@LIWy+jMr8GKjt=IUi_`v+n%K*(xx(FC5~PAV9`Fmm-z#TDf9l>B
z)V;nRU`+;vcA$v#&mG<R|9sl5xGPxpN|y4Wv>)GXsh57{9)sZpiwF)?=z~-Q>=u2<
z;;WY~XXhR_+}^eh8T@>99Emr|MJsjYdngAkaV24qT9C}Ot?s{d>3ylSb5t&1s><F3
z0OeS-oi=FGnFZ;8+2qO~u?IxPQ`p|GH-fpXKQD!r<8Z^ZH`J;u3k6-<gp*k>16F4V
zu8Xf-Tziz8VZN?Cf`fJtx}tH_p4GwHvn0dcVvmXajCfNZvk$x7rr}M+rwiz^iv@0n
z&=P?dY}of6$;>7>?>F;v-G8gye7S4;v3_2&7vFv?)!p^B#j)+@{$-D<Fz36inlvSE
z0y<~cqdHoL8g^X1eJY?L=A4zIZuTX@IdD_!y`$*sNtPZ0f`F(g$qZ>uc%x`tySuIx
z(ID-=A27OnEC^|yCF6#_SQ9eZ=UuUboLp3CMWk3C6jRARZT2Pk?-km=P`|OBj&i(*
zs($UPn&LPh%u(*0J~pQ}?$Ez#AuV`buEP_<c~&lLtthGCnSCKus?p|0kA*z#?p(!O
ze`x9PWM?4<mVTVS>YpSa+xNbCDC#>VliZyt(!me+CY0$vO;{McaP~QCzP>lE@2xR?
z+r>t4pS>>dp&DncR5o#}xEk%PPtiplX<t6uIQb}3im6^SF2BtFkfk?icU7lyBSW6f
zEj07EUU&7DkEzf&B6onEKHbT^Ixe%!I=iRdUeR`Ei3Ov&yI|5oom(81o$Ex3#)Xp<
z31@kbe1y9eoZbmhTf4i{E?S5DE@*aU#~0h++03cjXvEF)%{_3p7nj$rt9Y$>7XT$V
z#LY~+2DR)a-7#<Uz<ShLb5UC$a<KERuuk;JDqcw8f=9q%HEX-I=Npj(&#J{6k}&<c
zY-jnm3Y#*goCCp@+Skn!u6)@^)M3?z^OBkIlk=D9qWxjL3>8~`p%2QRqEAF4)pVxl
z%xH&*ee36k<^&+KSyh^9@=Hp<a07|})?R%cw5E45b6Hx#UUz+*-_)VsxH~Q5n8O;`
z1wKA!{==mzSm*Yn9y7I&_CbrCb$MAlOA2YBjzcqC)sYn*KceM(B!@L~f>;j5Q1hAj
zevGyZkv_^<sq}{g8fM^w8-iUoVG6{uJ1qFdKapbrhVR?s!cd!UFa_mUc8}Muq++Pf
z$>}0>IA~Eid`_T$Io-B}n;X=+NNZj0HD*7IV9mHmN7WmikLkF!{{kT13K{95{divd
z4*E8n7yq$ENoRGvpa=ptZ>Wy6q-GT7g!ha_GdV30CR(e`fn)-&Yg4_tRp8)hm=gJg
z2$B5pTIBNAYa)*)_BorpueM3mWk)q$X12~7#BGGlMY<NG1XLm0N3ioprTf=SzGQW#
zD<n>2?FTHE<pbX!HhyZqm4?3$P8C*f?CR0V`u!TexQAR$)a=o~UXI9<E=ow3F|FPQ
z+~&V$5FA@`U#-o<rAnT%?hCz`p{?6qu313r6M5&MKH}H*{H>*_3Q<Rq7s=934ZJh?
zZ1P#-j5iATRjVa#ue1KoIsQ$!ziG_A!GVd^o+3h%mWxAq*@>(x9t|co-<@7&T@3W8
zY`de$DSIJ|7l5#gH@PEG6B`b>aDH31>`+452*V9EH<<qwn}!b-3zwUV8?Lu7hAmcI
z9(&O==2Pukfox!oz8DKr=dawJZQk7X-tKGYDGuv2gDosqqYk#7&&IdyC8n282v|J)
z`U$pGCODk_U@^p_-gX(@v|xHclK8E)?sdcqn+DfHiV@|XDA%tpu?K|4Q=*toRnEf!
zRi_bSm+dXY&<_%piXh2zW)Li+2a8`;Zan0DqW>O{oTXXq#J{`{&uRdJi-A%j7wPuM
znMqsM`O!xH<KP#Xt#fABkl0?E^bD(7-AnJFUp$IoUMS3oV{WpMI}0ZxRw!&Ie5u<z
z&>xvI{ijLK0wu*ghF{yBfsZu+M*WZqUlq5LwbpNpjo$+|LVs-@)LZ`LR1}Pif7TpN
zk@(S|99E^0c`EjFYS~4qVnrd4F;6P(+(Ro6syg^c+6zf}xBT<b38~NR#mW~YGrsje
z4|(uEIQIt64;i+xcm}pDrfhOE5?ntGd9>(SAZ@-K^HsRr7hq>^%x6H!UBYcdZNB@>
znMbZw<DUmBu>5b^ix_o9=ab5D_yJ}N{^9gi8$2^m%WbMT+qrS^>fxJWkIy*w?eujE
z1oN5av^@46MVehkad<f*brGE{tN6)|V@F=N1<C?7pJv=^x|^LgtKAEJbuzf=^Zk{!
zEj;Lfo_o(@y`@q^@`ze#-RNdzfi+svuGvg0wc2wPZeB}O@)e5@F6F7(pf`-|)}Lmj
z(4EJuZ|NAKY^v7F-);tuga6@ZDVxD}`&^QS-@1EM#A-8bVNDVL#H&QGW0ru#e;RX|
zTT`zf;d^!k#f5zVIB^lT4{R6R`nEh8=_r-2su*#i#K$kPd4xFEMDn3k8e!p{AY>6%
zfYx<odkH=}*v_VPoh`bPb@6CPd4pxu(VQ+CX7Jr_*7ArewQ*qz7ARE_y`{|X(3K;B
ze%RU~cEXe!F3uUlO31gWuxb3HURQRJH$*M)DoFp>Y#7sYTx&=DxOO#s<xZ&Smk<st
zSrINWQrUpAsh025#c3^S1@@iv-IF|DZJhp|P0cS$bQvtWq8@*ubZsj~mzkC0YqHn%
ztWV8HGt#$J)@@*(fb6nl>@oYE>F=^~dPQdXNq0go0hk{|;%*INEJ{i3P^Y3ya2<KX
zCdkaxG&uPg*R@jpT{-=}JWr3e*`cjIeR7%di)jqs)PgVX_p)(JkE#mR-l;o>$)RC$
z#di;uA~H~=z4Bf%5&O|4|1&89Z_BqQ<+kqsOv;wZxYR#R3UPZ<h%wXHmX9*Sc?1cy
zuWKO!<G;5n+$L7<RvMfpHhoWVVPo!1@8Q9ZlSn}F2g$cC`>2ZNbqw}(|FVmUHUQR>
zsuEh_dz}@M>P}y3P%aagj3bpq^y~4-p<2!^`*hy@Z6wCMjxh*_kA>#e?n%x6rJnwG
zum2{s2m`C=H>%OI%gbF<&b;=_4XcM2n_A5ugo-ko0yQ(&ghP#17tsfqg@RX|BYp!`
zN)c&o%8ob>8pcRZK8vY+VVLUy)GP6p-Ri@37LG;WeK%WsV{Pj1(mK_Wsh$bB%H6Ts
zhwlI7KYk&AQ|eXSqj6!o7x#{fEuFIDr}Tu#Dv_`CY`?mgl8GqVui%F&Kalpe;_<fo
zqcb~}OoK~Qkq=8|mIn4CD*=Vb)hXED-(VJJ8%jBqR5u@G&dqUEIWvyd(Cls_Yrpyt
zkP9#hI&B9#0#BKJM3IpIM0Setfc4a)1oWe$epI_)E`cKMUKG?b4H(nRQXrm#BE_Ih
z=lTEqu(B_a08Jyf;XG(2%0xGF1u+*nvq&_4{FG7m-5M`AIE3<TpyWQ;yP{=J!ki0*
zR5jIo!7hfAlC|7#(()LlR`(H{Gw*438F@)D4G_O7w{ki3JX2*#PQ{lSW%|+4z_cJj
z&9v^WR27gB<5DeYXOipV+OyTtovlSQD|y&5Fzh5!)up5buXO1us>uQ38`9Ro#5t9=
zklz*H5U)X1EVBtY3?w6&hFo4BQ0dLWGI4rC0I=qG{}3MMaM?`SlpSqPS9W;MMhn#I
zS7(>98eYWx@Ez*c5aD7UcQAV_Q3hW**%jZH9g4{I^9D+12<IMFoDVZ$HvvgGd~H>(
zz3REpwFb+NjtM%3A?lHYawmDSlAq>B8<pzl?=%@kDihc&R{|ntCr>AYiucBp8jF7D
zbJlPe|M1C}eXp?dZLA%Kv!*8L+vqRh^|joxQYy)aHC>4#djnOMLtfow!+~*aLzMxO
zKQ#+pi7A-F&e}ye^k#b$Rc70Ibx7fXf-1*Opr`rZak@>`B001rye?u@9y^C>;f*%H
zy-)d%T?QL9ZAM@=dUDz}mCVrQ_yH8IK!-{{ZEbvB#|QlF@VZmq36=0A@$IB?b)Z&C
zg}|t}-C<MLlk@HH*&i!R*B;gW;uuNq;-$mZnc0jQTu)BqW9lhfbHHS73nmy(aW7~@
zo#O#f<1&z|<E_C&GOF9X3`bu~!x}sZv+uRS%H;^Sf-@|k=+h%I+exH<)Ejy{48hn&
zc`)rJJ0YGg^lGgy<x;4nA>~)mI^3G?%@mIfGet{L6Jmvj9aQXHFB~+|J%<Y=|Ew~0
z9k<RnTXo-$a+>6Gnnlka70)LTrZzb&J(wMI<FmIjHUlWW@$}n26M7YKIMkN2+^g4u
z)A!kY5i;kOw9%gvX~b|VDPpg_wf4#KtZBhTbGN8*;ahaW&V<2n_;8ecu_)z{srp3{
zNtQCEjJmDxJi|-B5wsSugn!rA>w7Q~g~UEk(}?a2ZQebhWlsGuXH)g8w9+zy$a7KP
zUDWI5=uGEB#$JoHM1+z<6imwlW>HJy($(d)V1XE&$fm4~uB$3cR$&nWY*;><Zk#QJ
z<YT{`%dHPS1rP13Os6Gh1>$>!4#OuEc>C7^`LQWFp(QZySI>*lwZsLx!{-EEOhiVW
zOYh83!&)B9${_y{Uf6EA%sszkhIG+OG&b#K_xmPyk57iPQl*d}^~p{e=LUNa`h_>t
zyV+K%2jjPskt{RH{aip65qh#}vf7z`XY%%BtAC9B%riawA-YQF*nwp%M;qyFtDD(O
z=^=d>m5Gs(7z|gN#5UYuUygZ&>m7m2JEYX1F$p*eh-kLXOnr}Kw%tf>iu&mJ^~R79
zS0hv8jahp7s0BCMLd<lk;4NW8ExIR4Ws#J-3k~-4abbDTcamj2W14f+s6HCZs{V~S
z(-iqzEbFP+xKrWHGhXJy-QMQMnHnsUW<~W)ZRq-H=yo9gT;6KlI?3s@{;Ou5rORm&
zlX1+e(Qi?(YSMM`4qhG(kI*8Xmn1R6syQAyE93`}YvsM&Nxe(+bbgH?!n?i;&5=LM
zrgC(9XR2aU^hi#oNQczWI!3MF3&qTe7o2T$2P!!}NBge4>Zv83&i2B5VY;I;HglW0
zW~%dTMbh|=A3kU6)7!E^W7|PRn$pzjfDA)V;(2ScJ6s;Hsw^rwyrqtCnqee)g8;4T
z^2PZ3<uJim%<xt-Go*4-5H1~xuB=P`X{F-vMVY3|wl4Q6pRMg0E_ZBh^Wo@mHxn(n
zZWLU8E$;AJ@}-Sv19EZCx<~BBXWMHE=?Y%VYt}Gw9a_S+ca>|mW|dDvrTb`oLm2{9
z@}AYr%|q-G6g_hO9^UL+-BatbPhRpdQap_{Oxf~>=eWB}$5b85e(lZji;<KVR=T1B
zUq^w9dNq&S&B^Iof?K6cN9WgfEVF-zwcu{jn}3e!w`}B%8F`EM8q??BxBP^jFeE;R
zHpftVa+=R%)&zVGD8lGS*8oLFlu~N1T0eAMt=@uZ&s@~}vcw}##b-U(Du^7aX2u9Z
zr`**q&oyxdZ;<W@%`?{?4%Ak$3ZJbtJ`}eCB5pT@q^Vr`R#7k4cXJ$APmwZU>t@1h
zaB7fF)&kzd^##rxVh0iGujMMyTPNe9|4{&Y5c9WfGw${N@w4jzB&pCW3-($v`C!7d
zbR$o?$`=>yNF}ysQDc1PaZG&`$6s0>m#ZQDom<RjU3VB(HI7teZ%0j_uvpc0Zlf}M
zX~wN>;b9OiF=WmjRloIG_PbbguZ+debW0-86XCO2Ou(hl`uo=cS=n`2j9Rk#JDP~Q
zT~7EsUtn*v$a>nrCnkEUhXM)d840oCJbXSNjWxNoYLHlL0zbCLZwn<zoo0EqPDM?E
zh%h2sWbff-&LI2_E_&_4R8Gt*;d}VI4-2mbutvkNmrGoP3eJC%+_eV=_r;yu+wn)Y
zyJ3&k)VaWoLUBX6#0kNz#!)(Gd3wU69r|KqkZ&s6>#pWl{hQ;tehHT^zGPgn!6c?L
z7_JIH81+*&a3kG<KQWJ4*knRh#*IFYl0zH$^VSb7HL_47V|F}g19<jkK%$~yJjOzf
z(<48+=AO!*()!+CQ6k6m(aIo+xo_vSz6}-yiE5aKA-lP&tmG!K=Z3_>D-P9Xlhzkb
zre;mq%^i(aIAS5ntTa+mSKO~HyT%EUn;nTFF+#I0Fk|l7{|*M)$uDl&OA5n|i9)G2
z_DQ`H^&@#vw-U#>H77Aw!K{#BC$!&Ed#~>PHtg7St$Xj-pUW((jJwqN`H}tM7iN}I
z@r4<@-hEK7l4gMdh|KrO;4tBcpA;;9EKv$}K2<OO`zTZx{$yEiaN>C2P4=%Tc(b=^
zl7{zJ*}yJHC@crPvg9W8q^8$mB=Y;y4jGG|I()QQjZUFEbbJ;y%F;e3e-xb@VCN?Z
z1!D5$d#Q#_&HS)pE|fh?4-f4xao}Dae@pOMX^h~-i*z$WDHFYpw$R0fpONPyx+7aw
zP=+!t^BB(H<M8~GZn>fQVda-*9#7znHEblaPZfWuTK&|MurO=hD<q<5>+wTyV$w>~
zME}_}RK)T1=Z6G0e=RQKC*pN$dF(T5f!KwlB3kveH4}+F_uey579E)_GEgyWW34~u
zR=IKU7i>q9jPM`bTj6;PB$UaHBzL4W64p>@EmTESQY-M~o9GK}NW^oyBR;JReM-f5
zos?ToYjfaRRMM=>x@?b@YV$BSdPK#esA25$EA=Dk;@!_s1zFJ#V|s_B9Ct}UGieD5
zsp`TZsXQDqI0wq4)6&pOP;p)8;u!4{&WjJeq?k_%nV6EHw7(-Ye3TTn6({vB_r=O&
zQ3_6<x)XYGQyW`T*=)!NDBT$+czY#0v@+ah+Rfo+OL-ekdbknQKwFQ0fSSU6Q(;W4
z-k;lezdDEQQZK@C8rP_bl<7~&xq^D}07Z0Yw}elOOVE*^Aa;Hry+>t)Uq4|oh6~9F
zr<*Q!zce9}1kkCrL75(wXnWC3%oIg^SBJ3>4Y&A9y=b*bD@%Hpt}42jWzf1L@v30U
z#2cH-(E<O2q@6o6-g|b!!q8aVM0n#5?HfFfA|z>T?ruuAe>we>_ceXQgfDZVS3>Jp
z==|AzrS?-L0xFIf9xkaHKMLUdJIaTS1_U_*q{TY%#dwghB!_Zl;muq`$jt(BH=(1p
zddK&rTYBVi8<7J2z0tloHN<phstFmbYGQLn5u-#l8HZiHsI!@B6hXe+WULc7_B;N;
zlb-QGdeH`PN+jZ)Q&2XxikP{RcnTkLeOZ%sI#TC;(xs6tPj4KG;kq_ldL!tq?5C(m
zbRVt2L+@~y$(T1d-kMog<q<@28e2;w2P1}igdW~N8>%790FFlekG;;<Ef8Ky*QR77
zB*#rA(SFv;$vOKhG*&l^S{-73a?VmEL5V+V&Wuzu=qBEfa`nCPgqi5<45nUCNNd?=
z9ckXB1Lnt$X05LnjQJLu<r3gBP!Cji$n}cqCX>4Cksh1HfqMndYWs>JJ0Qh%Mn~iN
zbmmYLr#n26ah^2{)hAa?Cfcw^_o~dL&9t1JzcgXr-!PNYhoAfv_V<mT!*}yF$Cw#I
zH1VvnTj0glD;qcv%f=~&#6jPh>DB3&HQn&RT^zi|TB@>5f6dw?GS$D}pX(SuZ1>dM
zY3Q5oENYTY@4>#0{E;}vMS)`&1lmBF$%-6bTW+*2<y{EvvcsdiPy2Yr_kJ5IoXSyW
z4?lCwss-wvx*#sKMoQQdQRj0#ISGu8{$5?*dCXLk8FDYBKO!f5=|aK19O|K>ORLYT
z()Pq{g^Qirh9E&R&!zZ-S!V6a8OwDCrPkV1XZ9>^i{$keQ|S)rxM@u_ZbYsvZCT);
z&?<I1Zu$A3I0Ug2G)W+4Y4D3YZ35YECADe6vCMk>n~#L7!GyQlFy8Tw!FYRJ6y0__
zyakchwj}-AA6n`O`l&iaUa@s{k+|j!sv1!&Q(9vzJtIfM82*Ru3NZ>AhU&P+f+s6A
zo%30I>|vrk*mi8R*0@zQWt}d;`&R$HGFLARLC+5Pa=F&gni9{?!%Z(Js-FpMUF^6a
zSFDDTU0jsQwwkWl7~`K;s~h^BhlE-JbynjPWkACxp&}=2c4nt^|7nx+p`*cdGpnA|
zpSZ#D{embWpX-)yE5B1mR+@>HN|bdMveI@t2iJ>KR1?1SEsp&QZPYTUWGFReaxnqW
z9FJ&L>WtRcTKno`GIVA0qyRh9`_~}cw;Hrph}+=@6oqz{`HuzhEgl|WyRwXwM9k5V
z^v5Q8``X6)AWF84?E|Fd`<E<P+4)<jy%rUF_Eau@Qj%y5#B#<`d9XISuSnU6A_F@>
zm4?VEai#5Nztja%;>RK(?&n6DD$=cb>In9)6YyIbt3NGvJau2*B_R01hWqRL^f|sS
zGEG0f%U%+VZnMj16$a#C<lkm5e}D8i@m61O{UZIYyV&lY(J%~JUDCy;dPk$P$S2Nf
z32dN0L&~G}BcXkZmgq6wdXL*Uyl=ep05x1h__^?<b<#k^&SV720$@`5>f+>eBR(<Z
z%f&KV;O|$pqx9XZJ>=0lU$WkY2Q0|Z?n^ow6_f4Tasa{-Y;VrfFQGLQPL=Fjt``vW
z-iKNJAp7opg&|_C{gh!QEs~LWK3S$6Tjmw0;y0I}pYZi@)`^pXCn;f-aVMW1hr8dq
zzC)wAG=Q+$+YF&>u6xA<%q`>@v(DFz*c%?TwzMcO5ee-e-9DqKXH)ZKC}sGm;4|&u
zncr(qP}RS=eruR1oYWn&)2b9}$8Nl-ZBbJsBo<vET8HLX$(q4a=y@`a@0F|=T3ZIZ
zD__Y%sEs&j^#kl~OT%>U6k0(7;kUdR;r6<rDs(n7pGGE_KZ=_DaS}fWmoqO6rQcee
zr6La@e$<=<X*F6(1$KEr;sK4+sM1z2%!EZN@SRUr-NzU#j9!R;1Y{sv91DCO?lUxX
zmdUOR?|bqU47yjBZN^PVu&RD>O9iSfH~Najv#t;R0u($yi}Uu}cC!F&u75j(YODa%
zE~noj2x4R8=c0p>xAZ;*kjy?4lVv22Nsb3DPlKiga%-2yHznGwNzHU4`J@it2;R9~
z8Kqg^KUNy&b|?hD6cclJQWsMTMQ+QoRr4y2dvLhRlKR?q@ecn;W7Pn`>45GjiFPeo
z{lS#D-%-KM3tO@eYxAOyEN`qYx-PtQ5O8?at0xWr?lQVvCZx_EdS`D$iTp?`UZjG2
z5Or}vck64tyvE2A>55b-75UoRuStpZL;#~S$N`a8SC4~?O&6|;A)%WyQ}!}jvmqm?
ztQ#peFCB)k7@;?^0(-FM9mK11-YV|jw-!D-;BiA=r#U6u?eQ>_&1k(PsC4GjPuMw$
zIXk`SA0dnRpItw_*T5Uf#EetaEo?$Q0#&Y6t^UI6El=;ng&_pjJ`XfDYd0;@NUgmF
zJDx_f%Ei5%+Jx0r6NBdunWq_P0OEP~(lMIHeo)NHF~Q&Y{LqvQF~wi=t=fq9L$$#Q
z1@lh{xMIX;Df=cdNZPx~SQt=8pak;bY2S)-1d2-?EhMdt?}Kfi5aMD_NuK~={m|T{
zsWO$;jlghOQfz%tsv3!;_*6DW>u|KP$j7mPC&FtYJKs*o-Bsmo6teV=EWZG*{qW=y
zH^A6=;`>{dP=WV$5Tn;9U1rtGCOn$;^4zlW>35NK(HAb{3ArlHB~G=b568Zc8iCXB
zu%lq0wU`#>%BM9>-$@~}p%tQ-@c0a7Xm#jd9P<U~MU#T!es3Sd@VqWza+!3}@YI~|
z{kR*m5*Pz|$QbKB=>h0d2*jG7cmiVBG0}wfv0Jfvpx@{{s=Ote)7*<OSM?l_oqhl&
z9!-drGs$tp1ZnBMQ?yLb#rrW<H4;D$Vryp8Dr6e};+D&y^N`Vsyy5(%!!#tiNPO?U
z{ZiVpdGG~b-VJbe;*(A9@67>H?h3Ibm5f;aWA@xi!Y;jad+%8JWHeA%8QU2K7403K
zjx0m{U?H$>-=!*dJ_TyTItPa3np=Mf_3CC<OZ@tI+;@03%VIaOe@b^Vdu)u;4LM1)
z?H7LN?S_SCa}tg38(38)2KPhpLSu?nM=fP9!n*XeV=Tm0JnGpYu5?BD-DLBoOHol*
zf6_i9F)&VO`HZsT-Nq{4@3><4P@g%@)Id5IS)^nM3cd?I(oi%j5D_+^q4)BqiLbBB
z4P<g%c+5E!r_<4HST{ByhV;CCDyRUpmqP>aqP@S(gMpR?R5YSNlUfPiba}2X!b4j_
z1v<7m)jFJyo!*@8vZQshDSq(1trB<^LToqDd^mc2g+44G_5(IB+@kH&76x5zQw0jx
zgg@?31YI_-i{*T|BVdkxG*BaV?2wPA2uU%I&NU&!r31Z~k6-4;#qkqJXQu;Jgy?95
zF?Xu8qDv)11|)kd-_t;c+JnAS!axWizXaEctj)wLL-)#Xz1#*s^m~%yi&z9`?^vZA
zMUVyBrD+JdwZM!qC&~7R+@LR#l6innxo89E4Ywf7*-Tym%`ROF6@=8=m##HDCA$SP
z5kB4=zrr}ff_Xp=#)}M09mEK&Ib}U>sx=LJxFg?PtpSL~TwYv0^KmKMLBBE48>9*1
z3p9SRbpJQk%`$4YJ3D((Pa!xfEFy7F%N)Y7wD$o7xUZpAp{I7YAsWNlcLc{da0-?O
zgTZA=XGCzc!pF?SeQ*M~FXU9ih&c(C{<EYv>KCq9eDC;Uh2D>`086}pmIBz2hSW~5
zGQnj7EtCP%Es&FY90Jl=ox8RiziFi;NxY`FcWli7tx2?IVylL~Q22wuDYngGBc?SP
z%^UP*Pvli|QD>)gGc8hVCp1&78FgtM_6j~dH63O27cnAztJB|%Ufe0UR5~f>#l>~v
zk#vs<ojMW3Ev{<J$8czv<B+0~_d7rdr<gIg@|;b*S#Q{NhZq#>q&r5+?LK4ej|VeH
zq0?%BtN^~49e-6q(3B3lxL$xhP+J(e9z7KjRK<@j-4YV2DOs|}fJdCNi4Wpwe}e9r
zeGN``5c7GqCqYPPyg{n_SJ*%b8j}oKRw$F-hf-=G3>f%ye2IKKbpz4cDbloCh!is#
zUB&fL!+%k~uG2^9VvjK2c}4Ibktr!5X;HpZ7T)OO5|5of58@w=Y}2hJxiVO6yQo~h
z+)%ngir8YnMrib{-HW4cr54bBw<(Qif0U(vvz|&rDyp37=}$bFZHgI0ZmyWCN1>Fy
zPH@)^mizuGHSPeAt9UBn&=G~wXJH6b;7@%>8$*Y+au5(19owz-{-sgkwbZ@H_XhDM
z;<izx;a<}Vey^bDrU&n_H-evr!OBIaM$XD*+xyhdOK89by%2yv$?iPCU>&=#+AD?C
zf4@6ix2wk$V2>R&GYdSJ-y)X4N0AuNJMLT@9<x4X*pDC|_xUKh_q4cLu*UGpCv%4+
z+MJ4s2<Dft8`t*}?~aK3pz4raOwKmz5xl+wTPz(jaOV2&#I217{}*HL9nSXKz5#ck
zwL4JMs_Ig-wQ5&YwN;~36b)K?@7Ph)Xtk8q-ilaB)CdyfYgNtIu@bdMB(@;J`|0<2
z-{W|m-(T<FdL*sh_jO<Ad0y9f`skF}a6Jzi0G*t$|M8{Ss95Qpk1?sHHwto}I^|{8
z9Mq4yh1M%!FZAlEu5~GXm(?2)r`EAnLTaH-$qttq`^L<#I-yQ`EDPGBYDi2QmjVKR
ztd%;DJ3(e{Hl4}hJiR1eozjm7jSa+_<S`d~J+|3b`Uz5qIx6Xixsn=^rF^jWZ6P!&
z;7ldc)R;WkcO=s5u+WJhlF812O-Anci!B)pX18<T9MB{8ijJKa9<}t7qMJc+s)sq)
zk`MY8GSPU9o|+edO+I4F0*JO;D3jJ@X_w7eU!Mk}BSq@|3LdN>q@K^sPgZt8$6n-&
zN}P<bIpiaNin*ATmxrV;gf#{H0K9v~YAsqBHipP`i0b}A*9s2DK~>hZ>!hq*A+s-U
zE%+C_)u$U9EZCa|`*+0n<IE>yEZ%&55&8h^2F8$+(z`tfo8roa%riE#P&oMjPg{~5
zCF2JQv~|8MFhvL+n18vV+WMF3@3~N4LR)}Dc{9V7m84h5x##e7U~f@mjA;#ndB_P8
z-)Q+-jE3!C3V?7j%EF=7R*1z1rEgZJm(Sd}gyIkJ;FaDch4g5i-V&eWlK*hyQ^Hxm
zvDQ<H|AIDbIrO8T0cOG1YQB)*V;eYF+#v`!er00ZpY>Iz2Nngtu2ktE!-TH%Zq>nK
z-8;eb=8am4A{WJAuP0*ZRq<?hEL)3>3@6*QoBBg*k+aNa{31uA4vkg59j6-`Sy9yF
zH$<>l1n{?gD}x2{=8`hUp~oMB_x+pR4U$KUTP&M(Ctlq<?GjN{i_o~pz5PVDVX^w|
zX#R<jO1UC#@>P%TY==G}+db~Z8+zcByKzE=w;VZf@HgNI@b*(8%3FCQOBT^!sUbwA
z(u9LZSNMzS{$X^=BNrwUpPju>qGW9J#!Dx=dUs0JXa699&EpB%tB7`^I|KF58nm|Y
zp^d4<?u*Ms`hP6f$v4tV<n;g4q+;*LWFmuaW#oG;!j<%%6-n|0bMnEvi#~y=JKC(0
z_7NV_4}9<><G9aRRvv)apR%)K%T=hM%`Xiy6tf0;lXKOGb1hu~n=0z&r|_mAETZJX
zvhlECn=-s5VpXOxES%Y9uZKhD7sI#7`s4}yId}e8Z}{Rcn8o|N0NXu*DO(G#9S;e@
zRRy{!z+xX&&w85Gy&#D4jL41Ez6jmAdeHE49?q}p_|0A7jYGKkqN<Fra{J6Fy|G%s
z1NF1Mcktt%3fjjdE9j_ZNP97<ruhkC2Rr|`l7up=dpU~~4`?L$DVozCy;jkkN^IOU
z&krn`5=4PV4hS<P{3CKZzPom}yhpLd4z@l!aEdn_Wxb!hFo&T<<QCUjnw7ZYGaK4d
z%-3G98t-GR%+7${MqOO}=QjTc<!H&0AA)09KvS7n0PjBPl4j;b1c@0#I{I^}3ylcg
z+}n3eY;wAN3^?k5VI0^-yJkCnJeS)WhJR|e2C$8e?VkdaO-GJdUq!q;Sya1#;~`M(
z*EJyr8Yg(Z`;ubJt&BSK6UlD^?G8WZ@MZBE>u)w~DRG_cB5_D~Pi>hwu*}RKtOcn3
zZS!fzqKivz2YKd|+l0=M;8!HmZ`k2Hyr|1@ojCe(MBD!zj80|YY!z?q=5Vnw5YQ>z
zISu|x8Vf?#8{M6<<FYwl*?L}V-1mGQx}HX)Z2-Q#ogqdej`$LrmDN;gxzluWgzfP!
zrrNeIXnEx-!<p01sJ1xc0A3@w;h+ZnV|MT*jD&p1Ht@Ku9i+RSE496KS;l!?xN;a|
zlvjH8ms=f~ed`_0xS3k0docN3%0l&W9O%R+7K2&_qXO*-qrr`!gJ~vp`N);4#zuuh
zozAbW7pcxijfBass$uD<e`K7;C%>d2VY>IzohzO_poF-lLKj@cmd{AaAk{1YlLY6f
z5NhTqg-=PSUu>25V0f|gpRBMzN1hDd*t+eR!xK{g_i2?CINkO~#fU%}EVbJkJ9F`v
zrZwHy61U11>Ev2}Wa_o~ao-4e=<nt5;NR|D;$NkHnG(Jb1Nq6vHq)?uD6O7YR_k;7
zcj?0{AObqWMiRR{<BocUS{Yka@K1aNnR1c;(P#Q*3rl0pzm>93W6vpN3h&OQMy9*T
zB1f6y5IP5k7c0kX6DRFEg|nIq5!$AJy-RYIhYpuAhuUqmd|AIg{L|I)uF#OQQ}#Wk
zRqUsSm}!mctA^)J-jc^6W|@3fuS6cnG+YBpGui?$<K@W;LDc2bA}H?6^{TtAhX0P!
z6^c)mQd)oLB%0|d&u?2+JZi9V8P+t4(5V3&fPm30_{-!vj~;BV4=JFkZWfi^GG+jP
z&Oj`Le*;PF2=mj3WY=CwGr_+zD*o&wN)&YHttL!hMriXq7tv1CaK94PQtB+_qpA6@
zztN7K4mG}(;_!no5c@OH<ww(mC4<7Q-rJKg_M-?~e*Il@Z?saGxA=73zBXW*Ig;7y
zRHamC&$-sE%cesWO>aYVa@gI{2b9s-=6&daOML1kVbb!AI)l;RC#R$E>Dm>y{)dlb
z9!w**P{u^rU}EMK-Gin6t+3lxu3<pkeY*0S--7)#Tggn$$|HdPzZOU?oc(gUy<p;!
zy}s~c9j-rl1i%-`8@<q0p7yG0GfSw@#8AC{_c&0sET>S?ScnAmdlaEqGZk_~k5d?9
zybG?aXoM#e<zzZBm)t5ZEWF#4F87d!Eu_xhXrtE$3v(&K7*|hc>*_7#JwWjNFpCO-
zI+zZ1g>aU<{}6VeA2kZ{atxThIBgABpgYF^)E8g&@$1VuF_Ei)Rd!6Qvt#ed&`orj
z<r}VgUCiRndV~Gt5spufTLhqOqDD94_57urNuUzP+wGGBN{4R%b9!N~p!9lXf@_wy
zAmymhI>LcSe^wJ+*AAhLHbIO9@Q3Ajs>dF28T`QeEgyn-Aud5ZcRU`CaCu|dc}%>i
zU*`A?+BXPS8uuZ>^xk}Rm$aP?SYi^X0yBhgorrb%E95OZV&3_P;Fst<7REBsu-ged
zyT4f^y5@#SakAA;&L)=9rR0b|%o7o43`7irxb(U&{m)cs0@zIkgVjUFJ}Gs-&f<G3
zdg3te2H=NZeQErYQ-y)$QTiA*!VSheb4w<lYIDg2D`9GDYQE|Hz=Uh!5P>(`2Y#fv
z*42N)v{qf|?ktQ!-5#eSeka;EW42%J5GNb}htN1Pk>$eX+r$~978gHQc64bUj%Wc#
z7&EK|THqyiy#@~Qat{VBwZ<GlacxsO02(<CV&Pwq56<dKJJ7Kha!T60Z$^CychWfm
z#Q+Z5`{<AGk>~$s{o`iZUs-PQIpDVn@Hm6DCNb`${+t(kPZB}_-RrKgxsS^_;*n`~
zu#8+s#;=<>Am8kRX<91i%5&~k!(?OHklQ5?<s;}av;5xFKY$12MKm^Wb3^L|M$Vt(
z5#3RTsm8@Bt2}WkLDt21nvKpyW!ybxw;#FYP%Av9c=$)JDsbWr>x^c2#*qgB(hgqO
z=Lux|Hgo$!o&T^65=}8OG?F%wH#BsA+VmK&V_UUia`ziGZi?>q?bnwV$Sf(pwS@)C
zfBQ`vRE-&c;(@`t^e^(g$doyusf&6lE|iAjT+0OXr{K9<ro);+K4_h>+Yd_G@Szt@
zVl_kv_kjG$3ka*OtzoWzf)tHY+tlw9K&1CuBwL)<%UuW`Ur?*%SMjVJdmA-({BolR
z(H;pNwKdomHwAl+ehp=~&4vyhcB<;M06;^94>p={gPG-KZ<@+Pm2;+rx;P?moa9zN
zwjEII_Rw=fljjU!{6IB=O)K1Qtx=_WwRV>MXUu++EQ1!;p0|V%C$g66RPzOxU^{BK
zo4J-gW#cOIfWicPqz<Vu;9-~C+xIe(tZIAk+(MdIGE>wK%WSB284JApecL~V^7nOo
zM}?>LxBCzXiCxp0fSK(V8h)k@2&Ro0bd1mCl~_ZLrQw-oKG()qNazltmT3kmJpDbK
z#BbyQ#1j0pKla*$w%ZFD1-zu@BKAp};eM6Q$q)fVC*aaO6nPc}3=#lZHEE-UdJZG>
zf~)X$xh3O8Nq^^PUWKCx%a2Q^-PK-PWJ}VN_c&-kGJ!W8&=y9$J;}P7^==^tJy$$}
zkEkX_Cx+?P72Is`4b;A|!cS~=H**H&4%=JSqtFqrs9!tMPPu=xTZmAQ7q^gG8hO2S
zFpQrmd8mnpS^n`e%Y7-qhu9GMK=kwE|Iuj<m|_~X8nt+J?Qu2cWv2_Z4%VqIG*vRc
zy6Q>lFBN+H85I5uIHQ-#+r;!DjQ9;14643pF$LLYT{-;7818tz#BrtuC@bt&<Rz9M
z#$9c}QS_Z#AIASoYPCFLcDP-ZN`hBS-Z*s9LN9pWA;*CijXQ?mX2;k)Rl7NQQ$!(K
z?at#$?H>5#gaft^{kJ`X>reOE`(_+P3JPt<`v>*4H(m3QSDcGAY_6gEXd=1rs`AaO
zd{mpeZdIq8Yr~Ei^T3qYkO7b^A^(LpDu4E<VP#}+T+I6%S*pr%!*g(E2G;zn--?Pf
zgVu_h{)Egm*ro6pZ64d-dNUnzdPUMKapR3PSF1MHhoMdAZ)MY4@`)iO!bHPezTN1C
zq~bP)3*qwhAr$D2%GT!Zb4}lCosvR=C3-jPPaoNRg$ombK~iS)V=DWtD?tlzy`C1g
z&n&;_v>%T)cW}MO!QXG+g+~~v=udg!^QhADDm)h2Ejwrc7#$W$`TgPsu<=Wz$#{%2
zp!v+X$pZZU6qAr@fU7g$DJf(4e=zZXmXiDifieTrxtWub6Xvu-oxol3nR{FK?8g)J
z<TC#JB^DAQkRq+8Mhhx03iE5Q=v_<efa5}pPW)4C4L*aW{y+lnGxm5Rs(7m0;X&Y=
z<ZsjI$81%u_@<!a7LKNrDT#a`{omKNFMvb5-w@O!fws3~Vq8o+i7{85E!$rgYJ7|I
zh;t3?gt!mO^fcIB5A%q~zm#O4&1LOh?S{>vsrM{K<#J1yI%6W8%R1CCfLr(r0(zg2
zQM*j>iDt99IRq<Y2CZbt;m!UnIc}&LezqAg(&htn$c-z$&X3xZuvdwVJG=Kvex;P{
ztN#o)McrL_qGV*ajt`z1>M4vATG_C_?6`$fsS#9DPVU|5z{WlnU;X#8t;Gsj^**2}
z*F2LB`Yl|k{;AW+80-bE#TBDhSdI6l9#&zNUWsT)TwtRlKIW7%qs9P@#00YOrp%e(
z$&auP1QRW_2_TU@B0}`X2;bjMWlqlj@WwOo6`icj2!*_^drgjccm&X%O8{EEPq{iR
zE+ktUbRLHs_iMA^N%z93c1Z}*R*ch~{Vlz=>fwz`X+o|1L)h%GQdck)v|1`O605XG
zFDZ#&Kv~I`Ctc^>{YUq$QpARwczOU+%!TGbK7fT!E~8a0z4WdmQ1`)BPsC?5#V_x7
z9dA#(^IA{DMSLq%4SDw9ihRy(WoBauv;7(q^o$-2i|zj47IHt1?eJ!b3MI5w=xH>F
zA!Z`-`0MeEBvXpCqRd&lE&M#w1~FZEFynYV$6Yl-Q|`qEKP{5yNhA<3la80I$rzV=
zBR6=G0hSSAZWL_)(dVTRKRyqTdhYh5ot@b?O0LrTmbIK!@ySHy%FHR@eqqg*8n2-R
z-(HCbFZ$Z89ZFuNcLoGZ0lkc59Ch+%n%SM{Vfm1wPRYV)$_CiISPAS?TFOnIJQOB|
z2I85+;?MDa{9F{M?c-I<O_m$w__Q}2Yrmsv#5m#AKF7shjg*Y$;jw(SIE_Hx0r|X;
z4UV!XS1nEpyM-v&%7knodhma_JDgRfq0%dD!3Pi`SEq|XPIJa_!>uyDSakf+Fr=oe
zu%x&oE3J%c{%_YZ(>uL{y5tTj$5r3LnO^}>|K+{+@tLA&_<PKeH=Ka+BHP~jwJ+=B
z^VAGmN7riq2j-*iLy*sn7(nKMnManjX!{5SwKEHdmNft0?H1{!S%TbmczCM*p0D?}
zCk2CSh#|%U`LERLYh6R>JNrgs6h&aMqj-ZdJyCr4gUWGCjkIX!;mD2<k7eBhkG0b&
z>qumqf}jfk><*oLtdlP+Y^jO&EHYUDvUlXZTA=UA8=Cv=9*0`KHQs>R)$`vLFVFof
z*Sw_3`s#(^tH*aa`Oh<)Ik#-UdWj*1Q~%6)hj@zXhvP#=JIdHtZ3BkT(9nR}+k^m7
zYPLjarOHX@n!mSyd6Tl-mO`aRySc-V$nuuygWT6!4W!^Kh6$*0x84U@wS08DT>y!i
z;<1;iT1~wZoc(xHfv*eaxIka}#8UE_@OA1khg;w-u(I`Eb?SFHFe#g$;M31KBeCyQ
zJUNzEFp-y0C(ef$L>#6O+#Bq>q=}TdEJyrHRr;Of<n9G@#~0t_A$37#!tJ_ulub+Z
z`ovO@_75k7SC_<|P12=XR}OfN7N9k*KH1)+fqwJjNfs%HfNIdOO5H&Tqie%0fw2mo
z(idqmnzlWu;%fAu6(me!IR5<K;<qZ&v-Wi5pi4Qcig5!3H<w^bzn1y_W{Ua$=LMiu
zNpb%L+@Y(vkA6%KohRRqXK#(bVB?7h-qt}$k!q*kL#(!(Qm>q1OsU3$jY)u5)Jc3%
zE}R89r?N#8nghn-F%pgp6UezRzmDpP!kskgc{g#(rZ7LNUtf|X30W*CGm*u>)4I9L
z>7mAMrB0zEN&(wN8UDHkG3xziXHv~WcSVMjxBTBSZpdt-_G<idLDk8r@C|<qOcqlx
zER2q<GgM3goLc!z=wWQOOZN(Z+)rg>CjH!v=;Q&r>7}2u`A*bDvW_28UOL*&+_?A1
z&!Pt;+CUg|%mJDG<HP8d+}C^P7o<aBQ6enPHTxB_O*;^PuTB(y`Lr=$2MSkh3+HXs
zrmzIK$$KsE%=ShezrhSs^4xY4s`F-ZBOh8sr-y!UM~9NFBUn^x9x*EVg<rA-+j6=!
zbA<ff(!idpc2ZCF4+pEW@Uc|cr0Lm7B-Vu-S^0`AdVjOOw86UrJ?R?h@a}vo|1td?
zCS8$GJlMsP{81`nrEuKthRVfc)wCf^5=L)Qm`$>11uynTZ%z4X#Ma_&S?Zy64q5}w
z<#^m9^$51@=)gogHOz(ZuT`&SLRO=L8Vk&Gbn3RcPvlb@>=`w?-P_Z2l;#gybC35r
z2@l`Lw}oe;R4Z>toL%e!Z>c0#+4@<L-Hx*-@z?xvZq=LSS=@e^b#cLGvPQ?y!Lx(6
zxS53-{39`adg&qXOD1yk2tR&6_y>U^ippPJJHKUOIWiv%O`&Ff&kG)CsLL>Jb9^G-
zEizhpyKiLy8o}Snzq^Bk7)P2;71$;6xM`;l$@YJ6s}QAEoVa=+e^S3gWdZIf!^U`{
zv}RShl|WW~U6y@vS#IQ<=?ohrgzc4G(QN-_Jo^mT%7;cz8>ah~H?gLrsn?5zxc$Uj
z^&Qcc)JM)gs(!pYbTJP3(H$!n?iW-TH-+2I&Em~%ZaHZDIOipkls()nZ0<?@;a9I#
zuJ>OP_rS(qJ+R8Jz3@3jy`E-Dl)(9{rFHW?i|LUR2#)~Ebj!J~Yu$G}Y|ZCVvEsYj
zN8yoraIEaxLFZ7uBOS8WpQ+pNv<NhKYWU*cB~hxT=a$Q}ke~dz!d=d(9nK!@thg6f
z<i{6ZpC%iY`+F@My{m!v{`n`=QuA=ZZdW*qs(f%#Oj@*#8=GLFay>>=AezM&1{_mA
zz(!F1Cl0%wXFqy-Qlw6pn30W5P7r(kp-gf#__6W*H8I;5ztc<{@yQm!64nh(+=co4
zx?aF;RSc1QhULX_@QZMhUe1+<LU;&BO}w~ErILU2sfv`r#nvsx+HU%NOhIs+uO7fs
z^ubpjurD~3h54a-hE#zo#C8L?FxYRu;^Mb(+KMn;m4(u=fgkd3F0Z2R<EgPzkVQhp
zAG{&KKb0_;Mi?Nv(|tBafIPj@Uu5qG7Ng6(Of0hnVjo~T*Bv?au(d)vgh&1kbF3=e
z<&i)+kS;?gYhUW*sgSJnk#uwNX=-NEz?upNw;yp<5G`4%&2(JGBqr6(3j7O?U+r7<
zB)J=JIGOaY4z^y6wmV3%SdCIVQMq#yHeA`}B&WT_qg7Wb!RK84*ru>?QY=@id+Wi<
z*n+3)eBVi)$~FzR7?Ww}dA@(|#+<2%!AWE?uQwa_B@=6(`9Ndjwb{OeBkcyTVC2?3
zaG>{QXRvf}7OP&Xo|WIC@<Z%DtPi-KeP8_GFVL>RDRqIWA$>L%40cM!=Q6sL#@jmi
z*n)||S^iV!j6!m3ItZ`^Qp&{r@GzpMVrH5!acK>jY%bbZSvttgEGx|G*f-+rq`Dnz
zc8wV3XM0)KtZ6u@@)6tk1-Gu`_HoTq!IZOqk2|c+#jRYwt6iHD$11b}?eSlG*^zxC
zIhIkN8$oUe;pFr#c<}n`St<!QA{(iy>k$Ggsps9)>z@XLM5B53Of4n<cSpk%u<hvh
zoeKX_aP4#Mu<Fr}^yWT~#hBUIORD$e;h`*SV~6+M8V~mdajsOjEiYNs024oy3vTbd
z@30Bmtwm)~-^KMws5n?&*UK`58)QHOe2NX~DjHlLsD&|XbdPvd36k?(g`dccj1qDY
zpL(IT6EiKxp&~3Wp=QM+fBH0$!lE&3CppL+gK&eyC}^jd556ujF1=pxJn?%N1M~CH
zQ~U5^mc27)r2{$F*0A`_#4iXBLRDAOA;`(NiIJ{Jh!@qm=1X~#AZsS);5VFD70q)-
zydMZ0GRQ)uEV3qw8&zQbf$Qhi6BG*@@yy(JgvU=!je5Y)?#$j&GA&xOT5;dgWTm`I
zSoio=Rr4Zx(A~nsy>s94t&&|`gZW(9Wv?hfC(ScN10lD}>uZP5MYcsVl>1&v(^aNL
z1ZtMCbg>On<$MKDqpt4MKh*&giEgqI)z_`2%Jw0yjn(Q}lDe{;ufah*WP}B{JE|;G
z&`P9zwA#?!x!LK>cWcSytBXSq%v3XFh!U<NHs;2zp(jKSv`%K0xu*KuZP~Q_`$19<
zxjf{>C#6=s+Z*22S4FN@^*&~s`BKriv__xep$BA)=NbQqDb+48&|Ia6v%I!A!Sg#^
zTaG*_K5heJ4{hX>KYdOVO%&mIrPL$IzuJCr4SIWuj_Nd@96xw;<S@(PUnwa)d3PBm
zwz;bH3|AsA#6n<R-<Z9zdQfSHyWLiXc;Ez*;&=89S`eyiW=&SP_YVa+V&cA$I$xHQ
z(D^hqZ)EGPg)1p$Bg3H2b6I&^+yv_q2kxdZ)bbWSll=1*8c#efw#`#l^wJlX9c-GQ
z7aO{6;<P8dF6nmNxlzUuwpgtj5ZQRVt&=Cglm?e@B-oz#H3oWswDr?9V;taCc*G{!
zxUXZ*D?2FZ3295Xzq`-v>QRY!jf(cwYe^d@-k+yH&+zrTTFH*W!l@1C@7%0_bh*}{
zx;Sgl=5YS8H5K1TyT@vkLe-}B-HFl|u20>!$MaHBzp&nj#@qB6Z>A16|6oUF<A`1b
zcH)iSqT;S3Pu5jTNS7u{NG3k#*^uCjGW@uiad%B%S)es$h~CHgXsGz*OGXq%VU8<b
zqLO&j{IsTf6&g2=yPElSWS(s%mHNqc$MN?(&mK{mz<kVq59vkjM1S=O;qX1XTgF@k
zbp&pDse>s@{ymA%I}n2EbWus@o{@;AZr+f#p4*Ptb&c|3vo`^2F|9QiEiz!REBDvF
zz6|pta(|BUt<#V!6Fl4+`gn1~>o7Ebv6ku;jTgx(yf_UNa8p-S9b{^3)=-fKK8~jt
z=Xhr0lm$!o|1PN-hy%7Pymj%}pOfqYx4pILbxX$L@4p{Pnd+HN1-&t-X<QxsIcQGp
zXcxLjSDSoGk7T?5cE;MDMxag_xjI6^>xqk8foQ!cdFy|o!dExGd#5jflEUIG)s@|}
zwOXRslLCB5AIj<|#|Uo>VwG53IT>Q1jR~qWb4}KaIWBJ(f|gf%uk=Y;tAujz3a#gE
z2hR>kU6MT^Z9C+C%cvsX;w9Vr3@F5a6qc$IT>~Vt*5!Z<lEWPw;`=z1bZs9ia`I5#
zY6f67hOQE)TcYMyw-TBi#(TU=1I?a~l$p@|R4+exZ5~Ya350s8*Cz)w2>TMD=@tSD
ztXrxB)m}{ge~v(u8K8OQmBuEIaHz~Anf>(sX^}idX_on%BJtfpc09Ngvc>CsH{9Cv
z7wZfEaKGGU$MhQKc=Qf`ZTh{gCoBH(<HA{E4Ddk}xWd|aq0StkhUiXJ5fd%6kiitP
zRqJ)AATxbh&dm_q2jQFT32I~`!I0JS{s$fHnZu_WA(Y)Reor6g%&=m>*?X+gSh9Za
z6-iT<T6JLVi!K=cbDWXg7}putKDPE0TQ~=Fqo|9&%xY-)GW?s!RfP<c%JU)NEZ!4N
zo*T;pr9M_2E)l`?Eo-H6&tix_$YcMx_$rhJQ`ZJ%Z}G3j)%-WjAmkd7Q%KY>*=9E1
zRqEe*#}PB~`-htj#FtD}*L#jSfxBJv@U~Vr$ghgo<(Zz@5Q|KT`iV83Kej0g4L97r
zcj1s1ikJh<zv&9qg*FZWQM%RAF3(zc7aFEOn{%DhFAf@9M;nd#e6Otb3ehIPo{$0q
z$cdL4qP?8<AsIHg=CY4xy}c$E4zvr%IzAd)$%~Oeq8CGycif`IC5x`ovugV#+#;Rc
z0dV3(VdPB>Hv09Rgp=7l)iHjUGjd3dO7Y*pOmR;$QFMZ%;kZ~KW+p^*`pgFL%JDbW
zqjy;iPaM&XyROoLu#58wZ;46+O28GM<??=5hfH5tGEGwqEEe#FB&8DWrTYN?r3=9~
z#=*Cl0znEi=f=Y8(KYYrkh<l%X;;~fh{>M2m558g`*}|qn#>cGeW0P+z-Vg<UyKZR
zk{U{Xn5`5>umIn+y7uGDhRkaiF7k9#+;|`|BtIvljMI6Y5!8^a5eDbs*!r(qS@Hkp
zRw}q;QiwDmZ|yHv<Q}gK=`u^yu_%iIDP<Sv0|ed-(EE&KcZ;4A5zv#WZo7KBCD}Uk
zH(5c2;VKA=q~k_Q*MCmDsGT@xB>5WHlB=63`L&5d`|Pfev!DiofpgP2MlJ-Djw4>%
zQJ}eMb&Mp&tLXfpf#ScICCbOha%rjmRC}zzx1XR=l^eQ;;$!fU5?AaFx6&m`NHI@m
zAn}mF6Np2vrSX!5i8MMf>DL!N^n|olw`JtmOm5QhXkGfmyxkg4;L|N7S9xQf_8t(w
zhL4i6WB2RjU1yF!6}QWs%5mf9cQF`>H%ae9{8OfxX4#M1kl9<&@=m)~>S#oo3$t5t
zig`A-gjvU`0<6(_*F4a4gcX+>YUQS)*kD5f6?=_wQLeh37%l5^KJV5N`NaU+G)xJw
z(9OJKmjOj92^61av!Nr^2WW(P9K-mpKO!0h)UIcQpfsR5`Bqx!WL_Q5bI4K0%r}y<
zXp@=%U^T$S0B3pofujYaj{gNdm_+-Pe&2KGa$pEk$X=tpd}A^1j7aq2s&DxsP|E73
zm;xnJ2s<lwYz@#bww3Yi1KYf8dGB@NvEjwmN|M80u<l#}hM}M}zEkGF+R*N9)mQ>t
zMfCLH(`6n=z*D|ogTm&f08?&!75Lg1b7^;3xSrE3v-%uC#MJuqP~B#4tI6)+f3PHp
zlqDvm*4K(;xBE3hpv`yMF)Dt$Urv`WSX^bMRGB0LmxXek-{&cFtj>ym+$$;LNwAcG
zC>_?FbY!?NI_!_>k*)FATk<F#UI6<hQCZeeYcJwcS&S#TvYq@BC!v}HLUFa?CZbwp
z0h0Gu&Rq(UHftSB>L_gV&NhiqY4l%ItwYm`)hPYExu-s$4@vvts}x_KH&JzTAulr<
z41%P;AGjqMctpn!CD^%^y2UXa{B&qnP2Hyz&kjl2R9DLh1hCUUzk1(T$5{k`{COv*
zL4nGB9Be}Nf2@ap3GBXeGcH=@Y8@<(hE!+BKhF7Sl<jeU4Y{)m4MZmEtDlz+Duxdd
z`v1IgS`H0LNVj9$Fntr8>s?1;#u_!2n^H)77G1#sZz|!E9EOAQ<rZxoGNJ%f-2h~&
ze_!h*v90|sc>cTMW_6?>Il%~HJ3M_@Vq<MxlOHme_O}v91u27n1!G6ekw3X4L+J5N
z<PH17f1hgj5D<SOxTTsaks15*)L^J7dC+xe2YoN<FB01`*VyaLSzN4^(>YCy>UQ<7
z4$8p^<Wi8mavAvVKwS!04X8WFbL=fqMcVS90(4fYmsxL}YfOO)1Yi>6volR=AkWIc
z7XzbInAp1nRMb2)4$+e|g;tENvd)cWx?)xsfLS@9K2ZU-`No`5<JrRoo@&gJ?HB%=
zL;_6RwB8G6iJqS`GSe$HJZ6@EnDe&wUN$SoSam6*CIwAX&8FD!^kzHx_AfaveCxNe
zX+mPhzg0`sJ$A*&y331?lYc;ti^3TxRX$<@-5@7##i8U`CJuoF1R<NprAaqRGE?zs
zbxD&MzMO?u?GXd;4})db4@wo=MB=XNedV*uwkZpCe0BP?gqg~pNRRE;+`ZYesFGQ>
zc9pH6ivzp;a?qV6R_WE8lQ}|mL00&|?Su3=q)peV4{>!u%eB4<OS<P$tZ&9SK%r)c
z@Tn_%Sp=vamrWA#>M9kojipoKvw(n>XZmKBhSYIAi`lxDT#WAat+yo)S~uq#N_5#9
zM|V_@UMh-xjf?RXmYk%={aaF~WMApICb_t=OSxfwrTDV=QvMsksfj=kfcTZZW3Yqw
zjuEt*NQ>s)BgI7|NZaYwI0IZ2_gypM5aO5Gk-cRfx9*f5NuZyC@Tr|Iw1vpycOPF?
z>!xBG;|gC~xe>v<AN6V*T42-D1f;qLNn4h|*--%TW-=*&A33TTR<pYs?iU|mo-Y>-
zqggXX(&{J8%*&hc<1^VrH)y*21iO(EEh_>48Zb2kP(o~by=0gQPj}KOp9XW4z~5kB
zM)tR)O5^ON-t{)SZ*$$!3265hE&x4(v!_-CLe}CPre4&@&k`al$$n6s9v(=%a@J$k
z88R_sbR}#jIC+_bH|=t0J6!W%io5b{K`Pc$!{9%Sf$8*wi`&;y$1G;+I{xw}M=BnV
z1OtNey1@Y}acbUUNFh}bg-ScGm{gxsfV;P3d{vc*=E$xaqaX&sW0(E$j>XQ!!wtFY
z@*_%S+uFzOk&RZ+uepQVqngz=YA(}KeU{LUg02RO_f9E#8g~@^u=X`}M^vjNW0w52
zQK3nb&@ex~r9sPV_FU6%=*9Van-ibDKor<qKCksRuRM`YR&hD%yE_L5@kA<71*_}=
zPm9~G8?c-qnHuBl095=5l~NSW+nhmPRNJ(iI=34{KY#o4-Vw}euAu`~R<-(A+}a;~
zzTyQ^IExYkDV|u&EmQ?Jtpo|k*cauVv+DyLR>`W_o#ndZA2@@%@4g}hd8q=sXkKf!
zox#9Y*kdMX2t67!&nN5#nDNLUP1fqXS0<by<W^L(wxLwWIr8^Gyv9giV-%PDKoZTn
z4<ugt{gz`~`&Qgzf87*n-L~s_Ts>;QQ%xqEGl0#Z{Ao*bou@SwlV49|ck6=uB?pLQ
zVoqec&xQ^~BTr@bXa}Q0<UEBkyT0@|b36LUx7>Ea))pEnrS;-4xoCNxUW<YK7AeAt
z%+TaUZx@*p&FCQen@;NdGSG2*b`qD_yaD7z(C>#QD8d)@PT%SkI=Qr%u*?D)r3!&5
ztf8vDAJAAuk^-`WVZ#*)t-WJWLy#oWDdO|J;-{H@SOL*{4Gyr$KC+b^p3IpCS%a!q
z-`}NahLb|z6W5WkX}4IC+}yjCqXD3SYkrXa^aIUDnPFq^h0x(Cj-Bpk8%|tM))QJ~
z+P>Q*`jt{DC*%K?r_dpm#}d)<`=z{~7#mQHxens&c!kM|uhM$jjWQ{p>mjm(N1FDP
z*V#_-Ja3ykDa86+6^UI&6u+%+5@P@Ag)4p=TsK40HfGCI-dnd)6{!zga}dF)P4s{*
zw0?c&mja_z7JFHSu6~6$O)UJpk#H(7+5BoYz>*-WP#Hg@W%E4%3`je}Cv&MtMEOQe
zF70Tr+fB?^@>mK#`AJ0-C=TO%S*XGVR=(f7He@RxsyxFaPyHcVb&$-pWu9<8;(#kP
zL;bW|%_MP>oCR9MZjF#Ub!MNqzSiq{alEVKpHKeQ>o_o5=Q^-S;ohy{?HiP2*7~yd
z`V+U#!KRi*A|X4ZiTn#!e2ov7&;FMUIqoHXK&{I!g;NXsHs1AKC*b|g&A`F5I2rqt
zA?7cUQB`7v6*hWaR3nYg*&+Lh${Vkge2FYL-{e5k$$8y&($l=jxbF9#vwoyb>1uQB
zw{{rj2e(V^qVX0JuZU1!%08g`ZaK=dka}C7ep=F{`X%N&5R1nWVsVW+i63WwqriU_
z$Yr;YO$lh)U#!~^Q1l*cjI(F)>|O6WP1RnEg_*8+E<`ZT1n=(ixOSPFHZIG4nIBFL
z*!LDFo$z0ypLD%z)Kwr8Bm<c|qqJU1TFC)N?)n$hT)LGp6c*LESXFHV)9g1C3&s=<
z`!|?FhZ}rX=z(+X8bPLQe>weXtk7@Fnpp5N1PLfHnX#=~S0&Wz0Vj*+vrcY(;0<1x
z*F`wQ5c|)wGnzC0@OGYFFZFCgJkkBzL}w-f7W$IBOK=baWk*;9$@VOoBFOteIiv!h
z(C(y5Ty_L2+W*#@V&Qdp0AIv<P97+y32Hz{G5cR|Vhn8q6&xGe1(||TV_&i(hh@AA
zL(kZazGbMc!WhD0US<j{v3N*-{Zm#7Z_6+)_{?uPz&$5(g}M<UA}@h2c_!iDi*a*u
z`u7qigG$W>j+}<I@p!3<0F>hrYOZk0TS@4(#GZo4jm$+h$a1}9cufrcA-w-{jp>_#
zoCF0w><M|ZpM##`_rFn)3ikgzKYeO}^JerS8LDe`r5?4L3e7$57Cf#9M$-77H3iiX
zbe0r?R~m4W|71yC9$%I#_IaXE(+w(}&m+Nw-w&!}F}6ke)PZ|%S~N@iIQjJm^uBkQ
z@`~qkWmt%v(M^YBg`>4|b@Th@UEdqpK}RXJ#V*y*rK;9K^+x0(d|d$+iVoMo0d<o4
zO&<R(>5CIOH}~R*-Le9xPhX>;HwS(a`nGyAv1@5u;g$YeHXKvnuqe{I0y(?(Bev$?
z!&`XI?<)VUeENH-Nl!xA*QZ{3Pg^I%Y|2T5i2(y9aZ8v;%Ia7JddKN$WqaRp9$1}}
zvqp6*`|6tW&v%SL#^-CDURQxGCmt=7rhazOv!DB#?5iX-Jzcw`J2hylhQ)$=lm;!H
zAnLDhg9>+O&1aKj`DowOJuHNjrW=!mPH03*s{W{_-5Ky74|_v9nT>&el&vp9*YBqs
z3mrR*S!xv7CHiLmMXG{qx13&&UD?hmlVDE6*)}jKfE%60{D7Bx-@z)l@NUZ<8p-!)
zg!a{+ShZtpr`Wd`t4}qC4_--NnMo!5aeTVna3lTMJrZ$I08nQJT>?%Q^g``91IbAQ
z)isW4v%j=gE6}@{NC{d1ps&a7VDI<^5)Uo1dvYh-@8@CJ6HY0?wSd)&|INc%TZa}g
zY&7meV^@{j^$}&hKQBqX62ATfLtXv02F<#`usNR?nT(GemD|x?1_9cF8eO>yrt8uH
zbIsJAU#;v-0OY@q5VoRe1+P9SgsgtT4ZQ&#6ZGMqrf|>VVVzRc**R98;W7ujafS6W
zrQh<ltA5$@M9IstXT5yB6+$P5`m~k}#B8>b;CXORs>YP6R98=rtBjqPk{~cQA<n^n
z&mdrXm29Xt|2%OnFOBCDM2iOGxbEK>{5m;w>!O%e>=o6m(+sjhwJ%#rAGcipn?2R8
zk=%3S5jlqoS>ah7-zk8EI<WKU7Wur?=|_hE?uvH7us1RQ1IFUj3#m$P0tVDSq8Jk;
zCW@s>XT^Y4>A}(uk<9^dqyokXtGIYChU@z4+I8P-_h?C)bLW|k^c!(F#f=B?H>sl1
z(Xd{=Zf3jR@uIK^&-|pg$DDekduC394utIMAo*^-ZMqFHXy2-%81&jZRr(rF>!4x=
zttb|cEz1IEDKpz6_mcT@FhQ`~Y&vq1ij`J-#i`fjXBIo?AF!sf^?9Wt5GRPG`Q^}u
zeIBtLbgwhURM)%0JPSU7Y7gYI%TXrDHJZw9EDol-00mUWEiV3Bj&xMgOT3$%w86M>
zb)){NHm4qSIWpaK2Xh@@dd;hBdj6}ZQM{(()RKO)$xkh4<l!*ll1M4O=n>lc{V{cx
zfNU#8scK-d8PAF$Rk7nBq^odB!{X3m#siZ@LWs>UyLe&(yT<T46YJgCXVX<xt6}>E
znIk_eB%`F~${TY=xJeZ@DqJZhb`gGveW})qB@r_4Kw8#m&$dCBY1i<wnreWl#cGpt
zbx$hn?a$2-9!w10d6!o4rt8eXqe<3lOP(+rK>?)MkG$2fkf$<zZ`si=!nJMBY9#;5
zo}dr=Yp!ENL^4OFn^$1Zb}HI5&FBX<V*$Q2beTy5AHYh93a~l#ai5U#zgC?199+EO
z&^EWZB_0EP3nP40v<OJ&3c#K)raEC*clMj>V{JSNxonj@S8MN>HgvFur}!-S<p^h?
zUVvaOA=!B=Ft{k#tAp3ox7_qk2Q<5*28-CfRjQh(&69{d8e6$I+4pE%tOW99Mc_KU
z_HmZLW;M>4-i#$GB$mxiNvIwF9I-Q@dx>|@^k^t{+TxVi9Hf+_?A1py>RQ2=OmXOr
z0{i}KaZ88W%rnc4X*5{V6PJemz%R?HjEZg@44PH*nl2)3S7d@b)rSYK#q5AAsvIlz
zzP?QU64)3qx8a@0f3wOXV1H)UX98scu3^y+4tZn8a3_-rs|35W>4ob8i^pg~NRmI&
z$quUAc)ioB8QA@;Y{a+l3fASK^qxvjQooG2K(t&U<3xS_?H!dDWQ(Y6GZCBP)0O}c
z93H@jl4h!ubOX+)glU5bWkt60O`BYOD>FY&XSNo|b(Dfnc<qQ*)T5Z#P#&5BP4?k1
z_nJ(!pmSf~@D0M+cTn&z42l@&;7Jv&r06$Q>mPMQn0oUE2%$@<_VU(tu6SPj-N~&H
zA;wAD>dBIDb7{5uo$|_2=$D}ldmCGpg5D?F`=$fT@{TEl{Z+0~;N1wXX*06JcH>n+
z;>ML_b{liq$)lBZ7U_yj?V>w%S-9<IzYYYywBxqXQ4V!>nllP3H`_KV0gR`WY5YHJ
zqVWAwFIi?J4y{tlj_krS%nQOYylks~ue#i?KHR`RH)%W&DmKV1d*j~A+wom@>>ZoE
z_tMa?)F^ieHygN~2C@(jGE%g>#}=!y;jJX^eWCoTtReP&2$d{9_vv^ab(lMUd=v<`
z*O%1iY%$A5b;96V1>R33qhU?&PYSVDVFX_wTwMex;Z)kQTjI`_?fdjUGTPLOoOUx|
zdjMTO!WcBZF%Z9k78<|*9o5L==!cz}7$7Pp0|~+>BRLq^lZ-6_35b~^5cN4#GV_rU
zk9#WPM?@|9Cx)%EuR;uq5oz^fo+-{omDoUh>?t)02$A}J(Wqx1FSPZHc_?K8)y$1k
zO6<>q4^OeMc{vEM-a)U2ZOxB6rHx8pmJc5`$w@2A+swSKBV~b3PATa&@HNw{NA-)%
z3CCmaMyf3-ID`DB=j~)^MpIP1YSQJAhBv3(+!~J3_%n8jZ>D~9nLtfQ5ETeEOyUUm
z`Q6o>1lpB##trX=|5pZJ1x2V>kp8k&uDrkr<H_Igj~@{xM#uk{tK%{EroPk|3#fPC
z{rmROV_LTqCl|w9^`=NJ*+GhPw1-{Gi{WoI7(X`R>NS9a7mC)&+S;NTR6I5)1rf<@
zB=4x=8*{V!HwJ8|6nLVMIi~k{+hfahs6%qX?T|{eyN_vU3{ZPDxW~zvC?dCWpVXd3
zg{fs=#S{z@{~sdk9*!VJHG6wP`ky(t8ELPm1#SQ@3lVRz1p{!>6d8G;K2&5)&Kv!a
z>vqu2w9}+i|LMeYGPnumS2_2oGG(_WsDkb-=R+G$;6ceUuP!?FNv@B)2KOsSoMB-0
zUOpJ_fivD{XaO|dXh!!8b(}+u`rsUYX&`ovk?dGu7Q;yKnU^^3s9~8eh;IyGos;-6
zIIcLwLY4hK`NYXxSD|4+cIf;{Kwm{brbCSXqOrtm*-B$1O|yvCl6fQ(0V;vtR?OvI
z^Czk9Imr*@fG;_Ax$BbLDeV4FWPTTgK3V(vM!)sox8!NnEpigxEJ_+KqU=&v?w1?X
zdxvTit_U|5Smco$IAzY{qVtT}#qZ}SF8u^OIsA{~y|q(Tx<PS&D@uK=;Z;fl&j(s#
zzsnhxndOS7lN=4|XW6RQ58h>gguH8OHZ&nI#kwqMy6SFVzL72VgRJ2`$b*(>gzswt
zG>cpJW%m6JmD28JhjTLyD&q+mC_lw_2X3k-UD>ppE@O<o#jGaj^>_&))s<BQ$xpl{
zsWH~TWXs-UjLgHynG%+QF&n$CU*tf7+Jm#(b)t2&QrC9gM+_|0pBXiF;`mRgz`Akf
zKY^wTO5emQ@&Yp;s@c9nd9lM4t3TvNerk*?NO#ec2Nh?00F)`4y{rcYZycqn4gs?e
z>*fA>nFFN-KoDya(J(jb2U_=zTIu;#7D!S`-2d1m=IaVOs@G>?sK2{SSXLW8X_orw
zI{BfS#8=F(X|nJ<&wLtPEmI`p-)XnGv3_0^Tohp3|8<~2!t80xg70<yKYgH22aOwr
zK}xfMWA*-(dPd_rbDBKhn*!r1F4gYFopz}Txjvt-$eKn5DR;AZrF6N~9w|D|?D>m9
z)t?lURy`^iiXVcP6uEjV)=PtAyi@FrlZfhZ^G6_w`CT)&_{q9pGp6k%LaoO)Rsp$3
zPrmSycpmkgAlmG#bQ<cR0PQ~=qNd>9rv;Uea=2Te-3~DrbS%cP-aLF@h1TOK8{e^6
zOQwxtcGkn;1%^@ih}R7?KF0vU!One;flIs_9XGSL-ZAENbLU;xyDZN4%A1jF;I}>M
zv6~Oc_Md>uE5!tv%RZp$Vh!P$RUr$v{HuC2RJ$@idd%K<4nq*g&&ZFq3(Tb+0Dr97
zMynwy1L4yX5g;h!u$43EJ<Il&D)V~zChkTj{iZ(2e!5xe*eia*W#_vdtaFg8G+s&^
zT4nTaz=^Au_LClBhK6#dhmAX#=(PRs!(S^<(Zz5##c2@iJw%-_&RhvSYBLr=sz@ut
zPTnVHZNYtMV<%-`l8ZZyNxoez94eeL-6VLaer{NA38fVET7JH=`2P0nG?aQyBA@!{
z#<=RcnqP~E@1Nr7G^*KJ!SrUXkJ{$=n>VDZ%R@)JSlUaViEusm%X$vX=@Af}nS}nk
z>5*mCJ2*$X>jX7!`az6^Qz%;3G>eB{&iVTR8v-Q{fBW0NGT2PXXZO}9sW(%p07UMZ
zY#SGYLv+%U-uBO^<&R0!Oc>dB1&lYFm%nZ6G|HQ{6Q~C(m3Bq&++Z*ONgWR&)1E3L
zTl^&-@Q=Kwmrsk57fYmZ{=+ATDiUdC*|HS&1M?ypR-Az28iWN)8r?RAfH+9Qte?^e
z22s_XSGdx!lzbV1LpStlKM%a}8GO^^Y6W==<eS8?oB6c_&CMP(Kz`&o8{05Y)MAOr
zdT61a&i|C6eVr`09W4Gw79fpOEux(S@OTyNtlHu%LRdPqDL)(nJcuNY@!4Ju>92Q5
z1g*yyv0z+@SNG?s%&U}ANW>W0K_VN$NQfATu92)XGlET?D@~s%_DcE$*|LW8EZ)I$
z|B=Zkgl`l;UZY&ow|VIe{9nCR`e#E9PzM9s1Jd~ue;hW)$_jS#j0Mq85S6DKi0Wp2
z{F}o;O4n?l9muB2T@XG;9*=y>^dy6Of$=rG6AW<`bCb<mbXaJX1-ZZdsdu*wPzMWo
zc9IXi<E3Z-#jnS=(SuaYWrKZ%90%0+2qH?Bg+BOpK0uD6hwhfnqmX5s(Z2eNg~?gB
zd`(5F?uZbt@*VIg1n08W?6xZvg-4#3UAKX#IV5392oGzz+KQzJH~5~j$V_f+Uasi^
zlb_ev?o@<+dX@}Cc&oVC7O9(A4{ZH_pKi4BDRoB86mU7kJPXK7B^;#j%b2;ba+eQn
z27D>f$$41D=ptCZdx6$aG+kgBj!N5`m+G>v+Q~9&bj6r;Pms$c`?!mLb-%vW0@shD
zrg+yeiVL9-#kXxftyo9$UI0`|^Y&X!c**ZV^^^;~iSASK=rG>9_c1Au+u9_$KIU2o
z89O4hhAm7|wjyZAzMyv&r9yE6Y*y8EjVPHCBf?lc&M5~S#C#~9n`;<s@#U!ZSRtR9
ziQzZ5KelLf6qAzGc!0YNGnbC0X6_sgC5>b>tzIQMf9W%!1P{|_p&DA`5rrN^Ieg53
z_LDk!cgz?`bo1R`DHEd5pLV6coo{qWdwx-Tb&)mqaEE9>-2lvVR3+BY(kh~S_m!;~
zes7t8FDXgj9L_f^R0VnooC@y!IJ7a!Uk-I1ZPY3}JcRjhfakm{WB>)dHxU{+pyu4C
zuBPO`v)RO0NeXar*vV{nI|~}h#2)vZFI74yOTZ6aEg54*xEj`Eo{xN7Yq6DTzDgm_
z(xrn<DJJnju`9Iupnr9c&a+gOT_8{4zvgM5y8VUI+y7*MiZ&N}M3dk6=>l^*!<<AZ
zEM0`gA^7RJlV7NA0_sk_#flTYG>ToI3iEC#>D_HmnWc|M$~H^;LlR>;O#O?j(-8`N
zsq;3M_;-%Wd1q0GUc7q;iaY_ABG!yzoyA|)*M7faa&_#kWs#y`<qOQlgmnZnl|rzq
z{vHp0ZX(h=(-vc5Q5CUQDDh9E%;z6FtCMwI?3_k$1BEfpY?Gc`jVPO)G+ED?RxCt5
zHuRK&?Y{jNlK&XS7a45sHQzmt*YT)ArH=&c1Wa0kwQ0NLN~(#O(9pWp6M+l+&`VN_
z*1%8($hUZ+plFyGT<2*s7__DUSxq5~!-(43^gz?p`?t_cA7(3@@RDP-4wVGDPkeL4
zeAQs*V`b|SYQ>jyxiRW}a>7Jlh<tccQ<z`x&npU^t(1}7rG6_=OpXoR^w6tQjG88h
zV{uXcsos(=m27JQj)`JUz2VEcT&H{iM{>_*IZz#~w}}a+XOy3k9nW*VRZ8=R#cbI>
zSlW3>tLP$d`eSRRz8B(UVt*CBGq4M&$~xaMvi>gY`>!wd_IetIbzauVn_?_X&eM0q
z()*-Fs~a0YPmA;$Ck+biPu>eZeXCgfwFzOdM~T|eZ*~0qt+@Wn!q+F2ayZL^o-aC`
zaNYTp={cmBbRlBv*~drw8j-zW!^r6-*>qpi(C}H<%FmTe)b=H3@LCX?#L|(y@DKM!
zWf7{Dnc#q=7Kf?CImf-n;U7YqzYtygU_R+9s~KI)BRlc3PMt?OIrwl&S8s4s8E)qW
z`470`>V8l&50U&UV4S}d)8i=H$Ll>+vpVj!w&u{rY>GE?wR`#4T(+oqhs0AoPIn%g
zVIX@Y4Rp$~T5Xs%5$=HSxVkU|V(}qHpXlsjh}0wtzH0e;O9iPe|COD^Pxmp8iUC!_
zOUl=T8m<GXJ+vS}3vto!7`7tnVX34@X#}+sJ|c_2eY!Iea?p6&K-gy*<BsC#xW5~0
zKGi+)RWxwqEA=^Bf-Ge(9<vW9v)aS-7Pv68XjGh_uTxK|sM&A3KSN{M1zZ0hS2xFv
z;E|WC?kxp-;F?-?8|N!jSr{CbWz%T6A-{8uNnd*cekn?bFijNlUSj5+<3PCv;1;0*
z1nGb54weoIt9QE(O(fuuvj1(mT1|yZfTl1ddr{)M!~|r#y?`*3ByRYenY+C4VMVj8
z1Mha%QUi_s_koVtD#gAUVIcPDc|(k}uKWWB1?Y(8iO}yX?rP8Lc%2?w2#cxLFRkfp
zqxxWL{2=*-@Kv@mj^KL%W`zsinY$0Cwd#&TqsYTD?^WD(<IZz56?$h6m>$KRKkodT
z2y6VV>jdtAPvw|$^LqKNa~CC;WzPdKb{l5^<?=qU-?~?2K_OlN7kE|BC$QAa4JK>g
z(zH!R!Aw7}dzX#d&=x_Z&WdLo>*V?re`df$deJUZzGkZ=TOT@M(veNJF9(h#j9cYT
zn9lU<;Nr93e2ll#+_$R4rg@@5?1Yk0XZC!uN7P&1&o)}z0hDEeY>I8-aE`+hzFG^r
z{K~e*|C`kERe>Q-u+<O*6DzU5U|g&Zl6-K(N1|WT3tPm0^306(d)mvOOpe_rLFi6h
zgl7Hcr2=?qu##0_mH)PfFI9`3|EiB84f1hG()t>hA?c|4MV0nJ4=AQeQF(vQYWH{<
zZFqj%@6P|j-djdxxvdMsf*{=jBHaxFN_TfD4G+@Y(%ndRhlqf5cXtZX-6`E2-~H%5
zd#|<Lwf5fY&l%$z<NSMa&Us&5^Sac(_nOnMh-{C`BSGSTfLU1qeEt^@N2%hWr-?HW
zt2LOoA`LVS0lPb?<lwa4P`>=AWz<^@D~)Q86vV3!#csE|lDUZ=O6z%A04L($Lt`l7
z-5s{GYy0rQ0rzBK_=5i(&W6;q4vPhZ^-#uRuLg$4$q!wwR0h`tNtUZ#kAgWJi;bZl
z{UD8};|G1i`KpSQ<jVM!8{<*RQ>%pT97{a2k7+7ul?Z2{?A9$qK}KQjqQ9Fmh00HK
z3foB*l$*-sco^k5X%%n5<<RFXlv|G}iBRF-9>XX{K&?<1^o~kJJs682HhxDHnB~eG
z_2e>3`a?NOYbJ$hh!fv%GCd(89$gFlomM5Sic#&V=lMpK03mx!W4Cwfq{ZA9y)Daf
zw=PLGuiS?0qLptqD_qp_pZM|i4D=mz9_nM5H!ovO#*$;o9TIwvAL}ipEcR!LhO;n3
zf;5#mLgsBeu=1364YVwC92yFN88ye`K&f5xkeK>Kz?QK3nJOCyO1*^@w8@~gRl_x_
zK0DL|bHBM{YM;AMCE^?8Fmg~6^=@cd&pu@Vu<F?K4V5wWoYGq^O_>^C*`_4Mk5O`m
z;v6Z4PPn-DL5pzPNeIK$f-Z-=HdzbkpE>wQ!|Ymy#EnASe_!thK+X=XlP)NsPL)Ib
zm%ePr5FaO6tUboaemix*3p)!BdURZh7xZUVz7*qyiSokul`q%cwbRd*N{A=+eb$SU
zn{mLB0r&I&o)Ex=QHnu<C*Efm-<4ONsnPeHXE0OFq;1=(JT<X7hwh7)8it&^#4Bw8
zz0o*AsN{Re>3Z0Qn>~rM0ZA`=<*YrVMZr^OY4jBOaL~5}NPC>LyCeBJXq&|w;Qdae
z|C(S&v;ka{QMBxS`Kv@<SbF(e%~D)iLt#!`;YuFRnGR?RPpa(bqWpS)*J^!3<yLaB
z(Rt%+tYF}JD~<ND(wJeU!bom-L3a)Uiq(9Yie9}sTC>hpGFuXJV~}O2bZA0LvC*mQ
zNp=!=>=4m1W+G54c2{j1!*hGXY19urA$y9Y^Ab2%P+jZE`JBNdp_#!%4t{z2%cbgD
zuXj{Rszb%9{X6;9eyMNkD&NsqyxC6?2*|*Cqz7WE@k+RbYh@37Kxp$Ft;Qg4I!ixx
z&0$klq4Fd1>8H#tAXD4FBf~|XwO<a@%}^(@C5(U7PqQn)<lY~>Y@{(DLkMFx+8prH
z6Z-={Jn^Oi+DwEnznb{Nw4i@Y4*0WIWYxg^>rUPlJpA9LBL3``zx|9q7HBdgf|I!O
zhtW2_F~9y~+90|HAZc_nw8N4A1gn31oPYj=s2@Q0XGH1q-`&Xgosa+9qy6KHkMsbq
zl?^kB{hST;&*2Gw^2^^Yi)sMSvcj_*m){zafAS>1drt38ETE6*^j1RFAMUpQ`#%Pi
z1CXbB`j+Q!0bUnCvee$`z{uYkQYfqjKt9$xkKmtB{Y!BF>kFbXa3`sY>y7Q-J??*6
z;xiop`To{-zqbhf1K=a40VJc}-r0WmEjs=q+7tlDV;j8B|9_a_-yKri96<6%cMlHE
zzlG)hW3S&3>i@CVZ-4>&f9&-e3GsjI^&4RD|L<xq??mWhWCBjQhKqv)p}>ggM?$^_
zt5}q<zo(~BgPQq)KCT+ohtXjg)nbpv(~!TV_WvNt0in%=736|yH8C4j?)V6CTY9qb
zjkL~gBNlI_LZaGyM%V2tj-4GYt5t>LUHi)kmQ9G#slOrh`F#+C-vn({`XwyDFJRI{
z%GquW#Vw~s@o@vCBW&5Ce?zDfMT66f_}m{<<BLE>hh}9Y&_(e_uq)Y{ooJm>VJ~<8
z^P~Rj;AI#=>Zn#7@%!cWw+tf(#t7Jhgbk#UrS!m3r5ODy|NUD0?QlSiT#fDivzeO5
zPtR!;drgrTjoRC~cD#V$)so5k|NT-=AoG46>$rTv_U@`hv0hlAFP>gw=OVnykB9&p
z;&0#;bqNeCpktfA`?`TtLXed=`w|y0B;3Pin&-cVdG8sZ=vVL10lmFN8MN@<TTI^4
zjDTG+#0co_|J(9kM%q7L{ci)7I}W|@e|iA`*4F>__W%FeGV(~E(SDb$_XLwxfALP+
z;4+=3-1U;+_6s(HrZ_w{4H@=SK6S223B$%fT-ZQ}HxWoP9m@g!-&wMMa4@W)(OH9P
zfOy5V%Z($mXIsfZTfoaapwtSeZjV!@DpCKc%cKodo^7t1qyCL$#iRHIpB;;aza(99
z<02J7m0bx?c@v5C?a-QH>^_bNRG$Iq@J}-Q!;${%Ei84UwLqinLV64^RX2cpdmSsD
zMoAI0zra$b%cLfY%1AM24)u4=SH%wm^ITd^k_%PqXeM5422T_y#aX6tC02|YqypzF
ztx)*y1r$G#xwjwOs!ZZ*5#HOo0WX+zMr}}C?WBmU=((w_%lVE&(gv+^FEHQP0DJ{%
zxwXw}7nm6F#&$r4?U^Q4K@!yQU3LTk56#l!QH=Rqv(`(^2R`bzIhCHon}0`cGogzI
z5iQ!%%3qEaxIc~7a*?2~1NyptaVpb=NU&Ne6Y7>pB(w8OBD8j%lHD&l0#$hp=rY9s
z9mG%mrvTWepxB(~DNN&*b`ZzE^wfWR#UBcVP7*YAc#mT6;G=!t8-V<BnT>Hg^p?PQ
ztp)(Zo9um3l<RL16No_EXY?sA9+~@1vkoKs;k=#xiC@`+f1>Yy^3H#AhE8#!4w&P~
zyC!AO_IWv>3UFI2t{bW3B8AYjyV5FW;49PGeK7Y@Q^>pGcOzCFbcU#%rz!+I4yhmZ
z9~zrJU1TTpQg#I1VCy3P9bHE1jY!y;a?_Q-?6LZsu=uk`i1_eUz0||qwc92oTbbu0
zgmbYG<4m1hg4~FPRkK2|nM>GkqpA$BdBP%)<v_&cRlL}rqny&3d&khUuKOqm#J~P~
zn$;zXT=8`(X}k!yt1_=cQMq@q&$cg!=RIvtd%>-rcz1P5m$7P;Zd3o^;3)Lhz9Dh1
z=l;$Xij?3j(ux=)*{l{<?anS2-4k8|5l-+PiA<+3*G`?3yj@ZW4CEzeE^S7jLW))L
zAjgw+3AGxJCOjS&X&PlJMh@HcAWVqAwePAr7@xD1?vluaynDX$TN~Kf`XAB3+fLV8
zq<q*rDU>^&ud^HQ^02xd44DuH3SxmK845S5^oR$G6+OI-A*LXrlID4hMW<5>92QF-
zJa+3=o;^c05F^lcgT@~L({>9Q_xd<DW5c!Jpv#l4tlbTFy^v)%@^qL><)Ho)S*^}A
z?t^P}Al}U(-VW=M^QnDbG<k@|!bc3s^**E70UvGb`qK|&xtP!PX0x+i*Wb`&Tuc8Q
z-Yk1A-b=K&ThdGh+z*h6TMNhM%GSy)=H11jc_+W<(G&qjStoPQ)a?c@vs15phERcg
zbK_lwW!f;e(P!Ii$&-!oK5*rPQT*`kV$<!HOWKltApYvU$%S!!vJrE#(XXb3z-VVU
zQ-ZKH9Ona#P<#6Nh3e@l=RqaM$vB3^#>eW2<cb%6C+wk11EvS>`W*KwZ)L^Yi|jm~
zR34*Zw^znN!}VL~Z-r)g&TId1?i%1~WzxewA`YvYA0Sivw@~M}?>@aNP#1Xs%I3~?
z`C7Fmo1`e~S|*wfDp@{j%~X4oh8fek4#_vED^a`7nv}cuAOn@Q8AIlm=b11E3BVO_
z@%w?Dy3<s&g%ZAax-v?zgakx~egsCRouAVmL)3rGO5SJay?`QBDJ*{Xs9rta159Vz
z9dN&_JW9eo=={DyYOr}JvBIQPViF^2dt1a7s39Ue(8Ubg*SxA2ZXqHS3oE0n5@}@0
z3XsZ+CQs{9#x85=w{TpvkkeK!DMrM#rFp)ERVvyomr91u<yc{4f?v{dQLg!}B1c1i
zBY$GFS<gtV@(RUqaWBL0#=J*s8HeM;cIi0#<2x;=V{UfoKc;j3I)cSN2+iyUbWp=#
zF}Ug-;k5?v9*3R2OVJgAd76|l?^iv3;WoSo=of*E&qar3CRL-#Q(!Iy?lH5utiP&T
zUsd-AbRF3Lwo&8XGN<)qIORTO>7-kx#8G1+<>ES5vB~943v+|Re)OZ(Oz#Qrdq&cr
zEwN6-ztV)>P#9Ncw|!7tB*-v71)29CrM2NPUDDwv4qfn{y!F8cwpzGBIx&yHzDGVA
zl``!kMd4Xy;~NjXEIN?gdSG5E5sxrxkjxIoyxZ*26?K6*j(@BZFE<)KaQvE9?~ni#
z70sTiFkS*<sem$V+sQiYS)e^bUQ*-5j+DnP7fWTx46plADJ9%02hAU+HT{c0$-onE
zg?TFQu)!jq-w<#n5|V~kdx8PA<HralbC<98i;wb~j8_wfUju)uzS!v(=5LhZgK>V~
zbPfPBQRyBmK&?$4D_x5xWfNf~$iQu^lMUK0efDg#1Dy88lqh`Dvjiw-Yg`2)9WVqQ
z;~=2*T_o!1Z$13q(JHzG5NIVylL?0g!;q)~9vB5(Xq3JN&Rz*3kO`w&T?faVfHgXS
z30Tv)*zbq~N(Yi*spZk@j@z|5^d$@L@`>Z(HYqd$7Gf<O77L3ms?}J|H^svfT8s2R
zf?91(M{~kh)4NWI(K0(WR}O*3PttUMW@r8UOdJ((nBZ(lIDR7DTN)e|f1BZf42}fD
z(nO*HS=#!jtnOa6r6E|SPa+{$Q7?_s$bkx^=$CJX$_MDw%HJuMTx-PBY0+>w9>CWw
zz6rza$FEsHw^l1OH0&f=?2Dn?XiQG%^?nNT1uWTs+lgc<#hMU(>U?KGgNfHoO`${}
zeiFmK<P5S%0Gm*pNqF!-v6+JjVADj72PPbh&FA8YMCk+uxt7CVw^fM1S`s^+rzrGw
z!wM(ZCZpDRL$Uz?NDc+a1JCudjkQ!D9W>?oe>j{~11A1%>M@&livJj?sNsqrN|$Pb
z{VNlJ-v>aH)OU;lou6TKeHs90Njo3xO2PCs4G9NaNX|OA?>8&g-N-M6Xs5qYO@SFB
z4^2?;buycJAVqq~YU4c2b%|#(awkizQe221e+LYZnU6n86@)s*g9H6#ngm@5pqJ0-
zYT*b!>4gPoGc_P>l%fX~i0#<owZOyQ_({B72ZR@*b{kb*(UQ!=hkPbVlh-`$PC)78
z{z8Ks*4<43Ad~q$G_D%lm#tcklT%%XI27{~MO<B$n%$W%6Rw%T4XUgjAYB)C-9b@y
zLwUr2i7eAz-rXIRK?N}8WfHb2i9D*+?FBxw>wzX%?KkX1b%?Fc5b*5(pnXu$PG*&X
zzxy%xStPi3W75qE!Oapn^j{qL$5)ZEfR{fCm;UV+)=>ojc%pTFp#k%RHxxQ^Q0|ry
zm=UTb-t62#w*=VNTh<omy*Bw!wf-$drJm=~$9%e$dfBB6c?}TWmy=xg>uDbM_u&nK
z*C))Ub0!ye4^Mexo2?o*R4BBY-O8;W@LG=MqWKae17)=~fZN1(lRswbd^ghM>iMQR
zKv+~kQ^k5lNw2Tpw%Es{FxgI{=DocgT@Nn%v;5*OhW1VbNFs!q4fj`wf`|rqqR;J;
z*<gwYz!sk-O1CovTdnbT*SU9P`gwbc6=DvDi=-TOn~~+YX%rj%=@bS<kF+ZJWI*AN
zqjH&si>p;DzvC<y`oJp?VDxCq+^TbaIG}(*#yjFz*RV9DC~3Nh=CPWcS`v4qRo$Yu
zE1IBLXs~KpsYvH2vzT)z7+8+0_MFI%%QlUpiRN*2z&UE;|8aVg;xJOj_eex8`J7E9
zMu${XG9taneUqF`p-@!;hwla>Pqj?YRzwZVPk+SIFZIMP4J3NHVpGC?<&;n{0c<Jg
zWGjNP)qz0fhRRrFB;KGE7Wnhrc~z1FF2hYnpF>}8^cSzzINN;z3NlUd!tMW(%29*N
zfF*6*U8Xs}ngk$iaQp`g!yl|xq$vTB)JYuytWE-RjEv7o_t<b^I#Z^X>yD*Nr?od#
zWf3&iLGtU5e<paDQvm^j=-5B4^XoTvP(Z)Us8>(H9MuZe4TA=#G@&YuPE0>;CHw1T
zWDM;*LNMM0)!5Im{s7uuT(1t8TrjcKuG-?<t=xL_4F9E$gn;_@@*TAkVPB6C39Gvy
zziq=-E@V?@Jo1JFhv%nV?R=MKwAZQyB&V~be~gwdm_k^cZhqsX!srQ$M;PK8HX^|I
z3;Y0xBLla|7Us&rL;0oho&%4CGtAi&3jPip7;`3V@M8;glqd>WA7MoasB_o}F*qYy
zOy_akXb&-ifo9L`o;jJsEs==pkMoV!`8R>Tk0iiy3PWT)KgZ5TCIPfzuvsx&22Lxt
z0dJsdjx|2(G%~GG_9q#oGN4q}Pgyy?Hq<{ON>2tF;mV!#ZI1x5SDC|R)$d&iNG4yY
zh(xJCISwpEY&QpSkT`dKKbiNpI3+p&kk_?9trPg`Q}Ht3xu3_BfdkNy)Zp)~O=SIu
zK&coNu73@!PH8}@4t||M{YCK#7yz}sQKtbbVdhF;L3TcOa1auz?BA^Mg&$Z0zLW}V
zQ~)fW3YG?A7#)^i9{B-Iai+=f+onV)p<0cMD)sHd5BxRt_r8YQN>h46(<6z>NK^Rk
zA1nTr>2O4W%~CUH{zGij+YgNQ$lN$z!Jk5khy)NyB<<ql;1jk3x+CQDEfBN@4WTQo
zYWn?~;3|;|q*zT+HEo0_s@0r#O!=Dp*+p9NKc0Yy6<AewZBQA^ouL%KqYe$f00T{6
zkKh+T|6j=S3&IK028qEkW-?$PKl`c6Vt`Ebz&iGmKyV@$3JpL36a~l-qcbFdrOo5d
z1rhK={b%0BP{*(<1_88zdOzu;R~k4D^VrO$DsVpUBY*<^t>PHS;a0N|xN!f{ap?U5
z3G{<RYajT6jUE^V#$n`lU>)?EGh1sgwDN&<vXdEDY0*1F!dNu^+Oy_|Cc)_>_3L@_
zvlzsSUl(jC44(EYfC<3_Y^*4^QI*L3hm^M$F=`$W0WtT}xPOGA(7`0?lP3Su*bV}l
zK(GR$1uuP^MxwJpe=Y0oph?hx(`+5~<Nf;4?*vj1SQ7TCiDu^r12@QLJ>=ufdEets
zP^HP`V-4eCGSd7dxcG_aAx)3~cu9ru?*3BRkxT%)8HAp8g23;~z?pWl<L8!)Sun@1
zy)G9cb~h3{FRt*e$uZ&kvd#x2-atC@GW@k0{iOta3C-_l6liX2|Lg3!;Cd+KQFE}r
z(W?qzXZ6m_U>vyc^dvnYg@2Jc%2O^i_AuT&ZUH7jBG0ET`yr`|Tnej1c{6>n!Kh~N
z-XvhXH%W@2$gys{FNM+0*ZS-yWkNus1NW7__Fx{7F|({fYVu`D9K-E*fc4ogwqbz>
z+He5G$^xRtWBJM6hG0ah4RiN^NyQHfoXPn^%4ECgy@|YcC|0LN)qUgy<RWJa)=@D>
zK`pmxP2nE5we*eJ05&jc(rz$`C-U;!D*dSY9{QBNc#68M!;H_tYf=)civx-!H{O{X
zr=yRuwqt4ZIzYt~6xx-0o2FX*6<bSIpZ2H7*G)eh`jX!?4x>fo_gIM~qE)v>EXl+m
zJr>#wm>J*HYa9gsFlrNa2a)aA)L|o#3P8)IUa7>>tI^F>n@8i%)%1DayOKMmH!5b@
zD&;BNmX{txY4Qm;??YetUFcB%5Bo;qKm%Pqr8-d;wWU02Jd92o+~HzNRMku;@-lE3
zVZvufU+v!hD7Rk3yWTpCv%UIGOs!HD99tl-z|i<5J=Nx-E`8J_W84#4F71{2!~Lap
zLwUdyYs?+=)dSgn`LTA#<ycE(+FZ>Xm&-`@`QDO$=Od^hFbV7&8FJ3y(E{f{ZRQ{M
zaiX2FjC8+6kt`$eCvz-LT{%P}cZXsIMsGfKy7yG4w41td5ZHw}lH9y(diF4D>&2gL
zlf##MUE_ANZ|XQi>zGc9WEyLoi-YET@gq>bZ9c;yc<#`d|G;(KL>0BS65PQmZg0j;
zmEOqkE{EkD+jwe<k8!*1&iL*%wYz%Vr-3wR0ML06Q?Ur<GnE4B3!}YOT>^S7v19#8
zM=69wI3I5s#mCozC+#Dt&L3XgOX2W-&A_z2=UOJ_In$>!aS%K4Ol>{Kh#XG)81Y*N
zqtz3V8fmpl2v*LM&Gw}8<LitLI<<;=PkA<5Yfl`GE1rg-8x_`ghNeYvyZd8M+p%8H
zp4MypRrd_NDo@i>#Y-dop@=2u`Sow#4r5>l4pFVu)C~!ET!fRg6vm1^KORXa=I#6d
z=;|Zwk?KH-{<r>(3kcqca}kpd3*SDvmg1=efOQ4294;4_q=mJ>x1f+Tss|?b8_2X5
zxfN^QKYS$=|7=OL=<8JAm<qrA?V79c3D9iTAAX%@=}YkQ{+NXZNkQ2bKKClb`v<Gb
zX;AYiUR}AUgkv&V6fX~F|6mDU4fTQZk&Ve>J`x?QzNB|{2)1NHpoaK{Y3@LSP*30l
zx?-b{iIniE;XM&>IlRpA{CnHe1BO7{&M{09rHBR_QAINAyDJ;6*G&%R@H0(jxeb<u
zzD~bjZp-*w^bQK^kyVb9$01|M&8{0WtT-;5=O(cNGTiPSO5et4bxrY=4_LMX0t%Ms
zD1%?p$LScgeQcq57npPLNFcZ0M+Yj8MNDy{F^-$@aSHKBqfDDyG#WFZeZ<Ilj8^aV
z)3n<0Qy6_b2OX6CIHW|tq9GYbcp$#H1(L}ONTg_BJC#^G|0CG^`Z}V>1Z)$T3H=$X
zlgnwllun~*sGC~3_S5=M8m*8}_S8_187gBD1b2ziC;r99e5|O1;(|^3<j65?##xf#
zaE(=hx#d99K8_6&^#$lM(Mnvu!{$3_+pTZ3Q}a$KvD6xinuF|+Nuuxjr&mteG)ks>
zZu`awzgUmx!a45EB2@+Kd=QsF9Y#RQb7?$hPHSv+)OM$FcXcR3=;jPc_&OXS%u~Ex
zk~65Wnm6e<t!?<V)xxo+y58B6!5<zw%Ki3Yc43@gx<+n@_fT+zF)$jp)<Y0s1!Fc4
z?A82)BfsHuShgT+Mq+LrF~EcK$bM*kU;M%O&ZB_@2==FMzHzvGYOzs#OK5{&F;_lw
z<GVtqSSU>G2>K#wjK-)KjZ;G4<AigVYEaEX5tJ}9#NHDEtm{XKS_NFZ@(7tASrjcW
zXau@INM!n47c!W_t@%5uM@x2Tpjr*Dtevb@PDIaQ9Yu!^dYWHP`i@%m+s@b@y&F4J
z*VP}e%hrvWfAGgJ9~xPs)E^2?E5H2CM6E`Zps5L5eAv+U!6yp@G7o5IiQI;XZdVrt
z4qAkAH_DQ+H26_2YkAS)(Ay+Ra@;fevF;MXL?BTnT|P8e^7jrkMLG@5PeuJ`hM50H
zLx9ypP$@sVK%*1<%8wNk!mHxFxwSdFu#R%~IjoEW;a!kN)pL5~cD21z^{?V+CL=dY
zt{_7*G$70{oW0Cq^Zt>yu1En0EcV3YXtX5It;yzo5O!5oy}UG?sj_R>n`_WuF#A5e
zk3OTJB8s@0y?)i$lR_}I`>00BRby2%)WgcrvYBmj+Oq^;Va@b?3N>IrC7{#ygLQF|
z7`VFLK(oprYj43bKZIjHhZPW>(WI``p9sIQptw7Uy#%@y7Qa>LM=5Zq<MRBb*0s@A
zZ;-A3kb2M<8$S4GRO0r^tch+RdK@$JZBL+MD!oyHY;zn+uA8K`T>A5w(%neB$ICCV
zw8=g2VL5d7)w`_<Gxe82smkmT&x5ioKb#NDotvph9dJ8me>sm>0YqC)EJfx(PesJR
z+|a&;!D0G>VzaJ6UlMI2(N5dbTZ6S5PclFRDCTHF_a(7xv>DwS^bg_BZA_PCDSp;B
zp_VU=bjROj<gA=XBk2kbwAT{OPcLP~GR$;$z3iR*hPz*k9vnv%wR4~uLBK($!D<!l
zc6|zSZ(xwvK$h2p4D>CM+P8l}o$(9FWQ*F~#UbOIF!{9Er+`aI<yv^4hoZg^pkI-W
zmfas)k&ff6s4nyUgc@!YpTlkXrfZkxmO$@eqH-~0vRIw?8vc3gs6l`CnHpB!t?HK@
zIQX<+=qQ(rot(F>gi>9Wlns(33tQ*!Yb<8SE*C#kxzEqO1Qm#7NK6t{U<UPEs(cv|
zs7&XIn&sR1hh+)WMzdSqbNy&tOpETiVbsq298K>Uem0i`Yk9rB;#=-{iQJb?n!C=Z
zsadY>Ii0a61T-skLRcZ+s<NHQI1w(Go7X)AdhpK{8QTgO0=Ib&sm>e=IrWFrwfa@^
zqwy4S)S3-9Y)9l{S){KY*mfO9@*Y9rzS<}Y&S`JcLLUu_*S{q!rLl@J>jF2+dyEKx
zgjPxs{)L;n*LeP0z9xq*qXwvBH}=FJA+W3Nq&Q6uFar@X6mT11Oz(qwcZlzr0k#k9
zcES<oIvv^_VZ7%dH<=^KV@J`-T{-lZF{QXKf;8%dTsqLp%@yiixUXHC3YXkFi{6Tz
ztoPCchNqQoWdlBUkEzyST8VQ1XM5N6qY=-2PC43WF;L4bxAR&ECiB{Gk?m1$-gW)a
zEW&_zgIR%8v*yfxxwnV;th*|3SA@DkdGAQAM!!w-#JD5Bd<=d|Cb2;v{N8ovMKE?R
z`F;tPmTBzizUf6t*scEe&^P6?@I;&jY5NPx4XKrd+9OGbSDX%4MAw_A61M9{#JdTQ
z9P8b4hw-!LC6x_@si$j>yu0(aM=`bq=j4{vPg*)}KFo_JJ#^^<x+$<hc7>#CJ=~Qr
z+C}Ac<rdP9$AH0`6%AJn*-Xv4(_Yfy4>8FJ<MxIkXG$sMp6AyW4o>}rs*g+$ZW))+
z`^l_|yqnc;tUs+p^I_i`+GEzJh66c}iQz)xtyIsb*Nq1hNt_<BZmcU993FRx?y{8#
zbtx%JMk<-R7dt0@h3d`YMT*07S^M>Kk6$O27yP0K`^G<JZA4;*+C005Ib>PTj&2tT
z=B${XO5>{TJ3?8CtK<7tI<zF~*c={PBrjoER}lBQ{DRhOa=E2(oUyDWm06a;gBj>0
zx$m*EXU7=Hhs{`d`C}n-EqmvO(Y1L`QqVgdS@$R>V6*QKR(<Wx75CvXOSCeUwMyL)
zFX#%C@5q~$2&jxE+4+_YYs_bfGTg?s0e!8_YNdG?uRwV3pY0ImX0W#VG{BF<8Q;`N
z^fCIR;y9zXhp^G&u;-SP;`V;S1gn5U25Dudz%i)XJ`s!X@PT723jTX`c6w!F%jcE7
z=`R~fo=Jt5Umq(Rv6dCcWL_|&E)&czY<P9-BVTrCp>WLOBRfuYXdyc$5IQ<0knvk1
zK-IMr2+0{58nMwfrN}7WbN3CNoxO8xA#IpDwV!yrICz5RHI*A{GAfY5;7%;}Ab6ui
zF?TgMTjP$=;(0LN*nhdk<2T&NjG5n7CgdtDIL7PYL`Z?S-vQOq+{hj5?s;AH;%?wT
zDC+y^RH?*c>xnbV`}=+o5?pk$ll5VbEThP*4D8S7YQs!w4*KT^w_CmLG^ZRCssri)
z)mwK`o0+Re4_Zev!x5g09f!t=N3NoaJ|eHDNlLK=ol0_sW0hhUS@l7D;cky;`%zUN
zYHp?6hEa##*xgI_Q%J-XoxlLSU5i6WGq^U*6?xH!AcehPQ6WfB8=;!rZl0hNXZWL(
zXnQU7INmwBR3_TAvM7m)C$rL~E;JzXx;u5?;xK4BiN`cOA(Kjw8QYdS1a&mgQr3y@
z)8b-Z9kzHKiz-klK1b;V)#7!ArpW744;Z0XwJk{X%s?euaWg8ee?2nm3h4JRU-B19
zX?qOGhz`^f=Lk_^uB3$T+s2-CIX^?Q%2?{TY~`dFJSB%e8Qo%l{HXY4YQ4c$2==)7
z@jG)5t8gd*3Q5;1`~o|JTl1n2Kc{N+tP>YVwqlT<Wf3mb%v=O?C=4|YYw<M6J5u8G
zFzbCPSwU{DPb0*_UT8<I4uR~z6Z1m_Jwba#yo^pvFnQB=$kOO>3312kx#GFh3>};y
ztuBJYK>0ol^>B79;%Lis4EwU>OAz!o1PbWqo6vF1%)@pmC0Fe}7$7el%Za=X0Z!jn
zr@k!TUm%>#x}_Z2z6+{34rL3S{UD@;q%D`h{%qd)rj3k{r93wX=~R7-1rf<?C_R%{
z$<Tn}2v_wj?faMY51i&)hgme3wd$$PFY%^`jNS*dCA&~Wwpqp$mdBY1CU|s6pUklq
z!bcn|z3F3A&fz}8XZ3b%$Wt7wrKdVDTOmWC&ke`-A?BG)sYGBAmD7geINfBMr(`xb
zM!T?n|9-Xf!RslqD7DS#`d-&HW!N&UUi{uG=Lb^|o^~;7zT)Wm_ep$Lfz7?T_o^A;
z$$Ase8g~=;rf<wMhkVjfrrPK8^xk~tk@3#JoetpL<JP@BgA?I!=c;}+N9lfj@Kns!
zJB(L59=}OTth%OH8;+$1rDnD>Bh6Llyk6$@#-rZTBC{lZH2<#x<j+y;4_L<a;|oJ~
zQK3<tGF*6EP~Wk{-c!w|HtRQioZ?NI%0%Rq^tGoAhut2}*{fRHz9)~VsOJkWj@X`p
z4kwt$_>#0J)Fbe5i6)ue@uXKEk=gXqj1d;RHv$%Q9_)|Jq8SJ(!I>5_gwV%^2(<>?
zKp2d=eCR$B!Y-$f$wMYIY_1z;?+XK-9{rg%*1qk8(A#(2c8Is6T>d#*jqh2^R$&>c
zvE~Hmk3lI7rYSm1I8!Ju9nNkebk_C;0iGJTJr*)nn!2kP{hES%k>O9JAk&1;byKJJ
z4toRbAGAdT*(Ua+C2*<17QXSI9PS&ZcapKvxG~c*3r2h1+wu=H#9GCz9~BO@Z`-e*
z;!cPlPAPP%6pBj4xaT?)`3zIp-X@)G9BA=E$XRM*HN=s_AFq;0=bMLMs@>n5Js@dv
z)nUu)zj!AZNr$9Qf2AScm0G@(ipoe9e1sZlPD~&h-PYFz+H*a2WVLy1Fnea+?ts?O
z*C|T5O&$Vkd%0;}>%K;V;p?#(<7x9*Vf1-kXz*NIU<>h38YjG5Q+g}HQZ8M)2p#VT
zqlb^M8zQ5E?$|C~4=KT`!@ES1@?KK*75TJg_xt|2!l4R79=%DtfSC1TRek3OndhQd
z>;kj~$!C!aLWbfU51|y38gDZck{+i|VJUIe8oXc}t=hz}bjU^WD<gx`8e;RtlEPxW
zwsz_w*fQSp+6gW@?Ox3c#C~jLS3~T{ERtX!xw<%~U0ypEPwM>GgOtK9wuZ*2)jcR#
z`9eyN8?U6r;|C;P4;(s0z*$m-U^sXD5`K^ar*9L_J;r_;Ij>n$I`?|x;bJ`mfqA=q
zy|fyU-sYaNe@NFFqc(d-$HOX=XlT6Oh}A22f65T{%uBzI!vQ6OEBu$N-h%sv`}Kn1
z^DR{0+8q%#KX0(RForxV>P~e&-Lz+dFr(!~ux4g>@KBDBTDhfn8y5KpTZ;jKzFIdn
z^Qro$keLtk8t`*E7&9>ah~_Od_0&%_o_jUV-zhH<yD_kY&rDhe6rvp?Kuz%#p~SB9
z%-cCl!)^tKj%)wv10PS<N*kJLn<)pn;F@+ce|yG?MZ|(9sZ5aLaz5jkngQphFDA8Z
z-QziRneScp3%l(uwS^j>w~!=Z(v(`P;kOlueRGyW7aVo^Rsxf`%X9!~wwRV;eS8L&
z$YoK;9?EzurqH!xPsDm^>bTKvviXM5y4AAZ=M9A~%+=Gay^o}&9}Zr3AvaIsa~Pzr
znjrABX0oxZ*wdq&`ltjsKNpH{-t_RI?%vaEi}agzKpYE(<Dtf1tcfYnAnlClf}!oS
zcC^@0QND?AW-s+xOtmhR*e6H2)DiU7vfRuQz3;$kns;InSjv^lsHJ43Qz<o;U^TW!
zRdJ?~uZ21_On@Is=gx;Eg9%IOZo&^{zDd}<PE1Ipsd{P4=*>=LbKeh5L6GtVR_!Qo
z_ljdcx_#nvO`h{uw@t;iGYZdD<`h1jyo>cAD_tU!xATLZZ#UmtAltfpDLK)VQyyy|
z#<acM-^Meiv$vccjQRXLmPQ39nq01nhc2DNxl?$2vesVg>r!KpEn@Lkq1IJa(4|4Y
zinl(s;;9)VOwafwQm~&P{aoj>b4Zas=3*f{)O@WA6>}e%KFuIBHL&>F<kT<mlC>Hp
z;3_|0R7*W~x7BZu3pBL;F>hiCS+b>h4bLnW$uZ+~iOmqrRm;Wy-B)nPfA``=u*f*E
z(FhP+qoN4!j^92W+jge%b7Ft;z;}Vi*XT)^%Hg5<10Fuirqyb!WgwPYv+W`iyA)|p
zjhxpLXpN0Hqx95Ub!cQ5p^|u)gJK}O(4((b&Vak8l#ltXvFi{5YfsYUiiutT)l@?-
zoBC>#N|UUf@tu)a)`H>zg4&WNBCfGmPQ!xs)d{@+Nup$YQ73fIjirTZmGCuhz!C;l
z$&%TsfXd`nc(dg!#Xrmkekh-aCoV~@mnTW1UPovof?s+SmSIwiFDJCQ(u4iKr)V{H
zQWJ}Gr_zy`32)Q}P7SvSZ7QH(Z1w~vpstchA`?hUpG{7|G#*xbMd0)I;0S)_RhvF5
zkyw)9+IA{dvx0Nmv5rQ{y3VK(ShB|Vyq%}s*}G~Nw^4ubhdiQpp7?}e0I`+98A4Z}
z(M913T`9wJ7z)|6s7pTEapR-oeOf2$eZ==))uWg<Xxo}#gDq6({ZSc>;y*~n5!2%p
zjapZeNCgFAcrdAV>`9PLY+iFd$hLi4h!<2}^?Mu2U1qyt9<#>uG^_Hp<wBc2db*Ad
zLQ)_wTZ1D;H0j>me}vh3P$`2Uou`kIL67&sXkqbfGKmYLWpWx8E0)!CPxmZFN-VpJ
zHDl=Z)C^z+MCz3g>k*3%ss`Lz^tm11;Yh#acruj1Y3TIg0#ih`OEQ6FCL#*4FzKs#
zQ6M+s{an5*bd1Xx&fA%W&@(>&NKrv<^V8ZE*VFAcH+p4+S~n<LB&_$mW&3m&7iV&n
zKRRw5-Oy<tWM50(i^(c~eu1;!bL+OV-4+n_O4#|{S<$r}!{AIROJa}tV8hW0RB<Vr
zw$k6_HOy(>#LmlMy!U}u)<-9bDGF6iCTMcO|A~K&eFBTX{!e4E78@+zrmkVDC#PvT
z=jJ)t+)f@Lq>_5-EL60OXYsjAg^ksTsNWetay?(B=h;WXWxQ>73>CX&5eY{nc)1}5
zX>aQ)7)pgE%&Oi0eAQit*pe;%*vCMOpzYLg7PWR8vjiCd!garoOSxNP>{*lbP=tR~
z5zB_($1ob_82%AyIHx6LLQh0&!lsGowy=2ew?f|_`<@7m=f^Ob4fpFstW3ao9=Sh4
z56vT_LYs!6%1xUp6r_^4@#|;~w`Ij8>8cuji>~A5rYv5Q&fyHxSjm^DA8L<4-oD8_
zDVL|OS9E1+hw$>w$`vHTB59BN!HvK;+hWH*SA@3uvAPck&p7d6H9KOkef(S#-W2HN
z(oOd8DxF)`i@8*<PYCIy0Fz|c=(RA$HG0GkE;o`dG8qzmVhRZG`sJlZr6f)6r|`3H
z3UkK&Gc6SObLC#JmP-xP_g5*T0OO;JPeDO^wh{QV11JklN2wp>4|^gGOa1(tyUbuQ
zs)vnViN@oDKKedd%je1X()8PFhWmS)&144lc}<*Lv*=vk;YeDz5EDGq_RKht*l)i{
z4E!_^=z8wH+3{?kp2|lAQDM$^!S`l;+x{vNj#T07<Bu1(pE_L8-`)~Dm2O<r@emv)
zqxh^bs6r`LEHvXbzTa-|3iZJS_hLHA+4JKCd%N0nWL4+w+HAI6B)tlV7eU#|aW4`?
z)afMJZjrijW7O2&f3H;JK>ASk`QpG2va^pAhQ^>2nYa_<Tu1d>VlU|<Tt@DTMH~!x
zjV^v}<ZAkv+Kge|o?%KR+8SD1;rk}V<)%KA@%xIcQ^83)>3DptgsYsQ`)KzJ&Ko?I
zofsbH%yW(sBX33lTFh^4Kw);o(g2=BHHc3&VegPHypk}&KKB-3E(;5&z^>3dbw|3~
z^&b#j(oQ?B^R<6V@*82*`i%t!b49~1D2hmLQ8)6H^QXw&`+_a&AH5En0(%9cy*?Ye
zLeDpe<uXb`FPqFzNgdoUqVVIJoG(z{U#Us=jj~v|a6E1LaV&j-0_{!psl$)hMq%7A
zHrzsOkizh$V(GoYCu>ZL&L?z?S=vj}>mzR)lq*~yyN$D)gtyxHtFBOY1xvK3CQomV
zklBb$D--2Ex$!g~^n1DxgT%2`h}qNx8`+OnVSe<v&cyo$tSNcWCHIQ6h6i9o(vzod
z`#`>SjZv328VcZoJ;wT$UKrYtY(^<tpV9Ui^l5u=(JzKr3~8?zr+~=_p@+2r`9<b&
z=T^8Ncj)FT`!m!K_x4MoE8b2jj+mw<LGBO2-&^dYT5V9IBzWR;7%q3R89x{+zIC?x
zw3rJ@AnuH@Va)n!FJDvLe~Vy``>iMjbr=t)A4L|DtP?@@<{cXvAQxKQ;UZCo-G{@Z
zGz=q989|lejbVo^ZoXC6=^eopyvsd)RwS7<Tvb=dr)%YU$t+QzxIH*xML+A$Uk$0>
z22mnLOglYg&6o(@M@FWDAc%S@>}4kB+*V7^CSpSsM^7ADjD2*1!6LWl44sChEq}4r
zpOHPrKcHw5%e_Y%uYj<#DjI>vb^BbYKT)G@^Bg&Om^W*$S}Z7#uRFnfKKHoW|JkwF
z2%*7=-JC#EugIa%i~M(fP<!)RRzcm3u3;~~hY?0BehdgrG1(^nh;6;f=L#ayv-7iV
z1@UhC!x{POw0onRIptub9pUd04$baNFueaXs!U8^+l7-jiTL%CQC!{Io+DFV&W!E&
z7LDC!jda24%H~{j$pZ;H*s}<e2h51tA<zo1?ao>Wwx^9?-)}#2k2Vmqno8dnsi0^}
z&OW`$?8W5a`h4r2<+n)2R;W4X_(q4of9DOtSrD6vuxD2aS+JkASBK_kU{1>8q3l7L
zyw>8#uDpfR{!0J6xw^fx-L8vwBK=gRIqwbYvjkMR&3p2jbyy>v4jd`OnB$ub1gFc3
zH=a3N;TR~Epe88adYE|__ki%g)fN*YN;yKd=harK-%|8`TxWTJ^mG8j`uSXD0+n>a
za7MtQ=bN?N>;V;j0$<T%`zn=QLyHFfG>RhU<~q-vn=n5{(Vjk+@V;`raZ!z1@>|}x
zYk*rbs+@IJI3nnLG=jE55BVn3_3Sq0e>}9ae(q_l-#|Fs+~K>u+@FTR2snRRKkB*u
ze6wnq%|N4&ea%j6I)@xgRX;-$%Px>R^5s<RLWg$S8!{P<2O$3j?1<w%z|7zuF{M8f
zk*-#V-MT!+ce~$%K}&Mvd7gXivf#^w4GATaSFsTon*>Q|3;)!##3jjt8ZMohB}l9P
zgbQOC-$0OC+6IH%7f*zi=GIz7xurO5`YB^0q4nJKA>_sm&Pf|2qdP(S#9D*1n!C7G
z`VSvZfa1LhGX`nCud$nayZNU2F5am$Lgu})>yhd738V3Jc@tGWosA;hY=@s-T+;(V
zPt&5Fu}12LV1jlL=42wO3+SrOV~gi&I{nEkD3v?Y7^6mm{XMW5W#0=`)XoxM2Nj-#
z^K8eccLwTJxkNa<kPyZf5ccG@)H_Rx3xVW$SW!Jb6WM*O*N;7v>gAE9P7~<3%>gS}
zCXN?1bMGD(#u8!J&Vh#i$v$^cJ}W(sUzuaN9o|LNOnr^bppmf7@dsO~UE4$Ei=8F%
z(^!cXWB576GEuEA8rea&&Hb*9tsSAUV8Iv3tQZI_W-{oA87_R2emVG@I@JuXE%=QU
zEAuXca*JUob+;HbQ)S}opQb!&6<c>O?_Q=c!PV`W1J(x$bT7}`8|B8^75llm!&l-%
z#c7x3?f2-c&Pt(uE6y5a=bp*CaJTiQBY3QN9yG-#mx$XuD8mw!+f2(7Qrf%+fjSAe
zmBu{-L7r5jB1TVmW?9kIG+TqB?1Uww>HH~}qeETQ@avxL3Q#_AR`nxpjJMQkK-^WP
z8y6mLWhUzsf{&dKdjfYnzaJ{^3PgB_AP)q*00+#5z^4f_9QIgvO(CfIc2i2#x*gZ;
z!{U}=X=zmv0=aKA-FyMBc@aB^PK&s+Ad;2|F)vQ(9UPncqEJi{#LCSp7PE5I($am#
zevh-SY!*}a23#*sS8EF7n1b*WXpidp8+WS`F{r-UWuu~WAciO6E!Rn#Y!73ufad3=
z`Rtv~+9wO#-){8OO$YKl1jyX<eCBdgn8cCNfQJ2yB*^}rkq~h$h!37AuL<e|aiPU~
zFpFqtyHX@5P%}_2*^HU!6HAeKe$&{yya_M=xWVkbv64HOM;nz363^>+p=83rD?NvY
zvtwO06vs#srI!?&p<NvZ-Flz7p7(x{O=(*XY_dhwh%ykf7+XAl&{C%*#>$~rNBF^P
z$Ych;u%!p9@%$0-#hW-3{*Uc1Op$pO-mBMNdu2XRi0#@a{74!*)4I)6E`Q9tvk*))
zz6eO2K^#GDjS{etaNlvhjK12}*dm-U4t&OefLk6<Wjxp5PHL`RLDxHzvki^jky;RQ
z)41kEIOM~Y@NjURfbKA-PMkjLiwoa2pj6cLEz5DJU&QXj9+5bVfR3Krm6uT;9GYR;
z$tb#4%wTkM4aYejo^32WN)^Luqwloqz9cjoE~~RW_~7}G^>gl1M3{uvA~aFZE@+F(
zWh|fGk3{!-oCmY;I*wnMq=Dm`Kcjut^bl3w2dUl_8Y2bogj<3-*+%BH7Mb64F?>UB
zn$a<yWursf_k4tw^-zZQN9bt@S$3!vG$8hfZapOXJeb{~aeZ8S4}>oR+S#hM>Fp=A
zi3~QmSFM|4M;H+YLfo<LTjd*HL{Di79y)^@OQ7})@997t?CpVdYX<AP{!Yd$WUgH?
zD`;}o^urz{HHS>7B+PB0;zBN!DxFR*s-Q*qcl<!j$?q78^l{+!$3gwCXkg&&%w=|#
z6rBpQ57$JiebHBO@Uw<o@0JNZm?+8NXo!tGcc~Ow`7F*pG*YHU-)e&@Eh@<M{1j<#
zGT>0`c>XhztIX%5qcnlL4!8w&2*8Tm$cWRB{!I1>)_iDPL9>&hpI);DSGOy?BLd@b
zJf@jR?odr8w!$F~<+Q<JSOTz~EqcU*0`GA+?3+cOIK{x#)-ykld{Zrl82vI##o89P
zXYpg{_;KG?$DQ-oVf8wFnBtqOld=E&i+j-^ekMuDjpSJ>j-5U;s%R02e0qsSp>{p_
z=OzrDl>i&_;9&2jusizqxgs|*I9jOn2<_|QNCPr<ng4Mi1kA*{Zt`Zom{<_Z#I_VZ
zb@<GFPCE>RypM=E_YqBrx+d>7&gAK|G|w$Vc8gJ0kqXj~`Zp1eT7AQgolkM{<zN#(
z2G1o$cl(j=LpJuVT$G+q>FhcaYHm=g^iLnj?Y80wkUXAF9m?x&6PLjiKVMa|omr{}
zksrC7Jt;(6)mdXgG;9!^i1S#EXsIixNpYHc3t#)bOBuq)I2v_zW&p-0ITM>oT9gk~
zgr`>Xl^$fFR&y%_F=#iu>67SvjwuV))I>Xc2sDzz4h+HfQ{o|1Oul6#<P|mcuL@NT
zLaZ_8jNhK5P%#dKmu~f*L@dEmJ=ID<(OTA_x2W2B^yfj5gq~lTcDx@{A$4V^dIgj?
zHA@k0VzJ;iAy3$I3I!Pr*l#29?mVoxSi>FbFKU05GbK)^PwhG`j~~u(Ikle9Wwn=g
zI2UXz859z%LWf|~lm8TwzDGxHulm8&&&ju2+9*RUJC=q9Yp8oFjl47F952Q|>_@F>
zSNyPm(R?m*hF-qqOyf(e^ix=o`;*>i7)djTS=;+hGDdEXWz|KS{dEKP2F31)CD<!!
zF3#Q?U}M{X`ZrNfq2;51YfWP;CPjU$#fdxB;fTYf<=!0s#wdv~1K+bc_>|YG^d2lT
zCXot$6WHDp1#%?obOE09>P2-PY)j1@ji=5mjP8jiv4zi=)=aX9d$$v25r|5913b5t
zP(}QTWx?*SkT~XAANp!0YzamRcdp#dQ8rG6eqi6}Q|_G*Thpktx{vuUk}G8H`&UsL
z{6GLp8TT5e%I3Ac??NM9oMS7gZI#7WA2;S!qc88EFz2?$A`$zTZ-R7@r4xr9>{yeB
z@aTV*1c{Ge44*P1FZQC9WRn|nwONJHJyRhry0#x9xK@5JTlRpWGo{Im<%@KT?1C^u
zB}NQ~P2dAtQo*#|LNzQfW0DIoH$=z&++=FA>XpIS`*e%5bTRsXE?4vE&KXo*H>f6@
zin&SnWBvJo_Dl%YXIYh@$<?jq4G*S@LTE+NsKay=vuL4E;z8J<M|q}Tq2`5)K}4L6
zn}MgoDpQSmc+|x9-EqKT(Lb!nR>)^Ns&HpW?D6o`^)l(S%{??@%O?TW-b8t>(;gb3
zdcm9Tm20@0e!58*RN3iG_lQb8DcGwrOYYe51Rh^w<*=rnPCC+lF%OB`8pL=XX9Gb@
z{EG1l{4o$9e)crch{?YFd+LkNEVa=^jFBQ-_?XCevkmy&i13L#0XohI&#8%}Q|SCv
zFf_PVXJ`i7lCpGP!F0VsQ~Mh8NpYP@fd~lxevkM@G7)If1(AfG@?gM1kU;J5ZAJ*i
zZNL7UZJvH0Jky4j#U@@en`9<#R3k#O+@w?h?<?|FD9Jl_acu?Jrui1T3UtX#g#u&>
zhKHa009}JRjPp;O)Z9|actF%CbQnQ(!7so{kqQS?J&^WB-C`36K0Cx;GLl>AT)8ie
z^{;RJg1wptqwnj|y>h%`9YQP+6lf6-W(1hIFS6Bc$ee3noA&MHK>T^>NvasdPJ&n)
z@lQ3RF;rDoeqimHWR`MMfiQq*l%9WDo<JBM4JaSF39;Ls((9)oyM=bOdWj}`pxQ<o
zgt>%aoA3(BncCFT_7;7<0S}dRtT$#ME{khrqM`?)D~YW((FUEr@aiM6Y&)4IS>WO-
zh|d+$kr98(fJ8L7-Op3T&)FaknImLz>m(LF^+UmPUD~aSqCgZYZOGF4U?r<Qtd-b>
z@|)}fjDTb$?03D-7k#X`g>?eByNCov$0buVt8`_90?z}5nbHx734+t*Q3F=qo=ec9
z3%0$8e@j^<4of-n#&`tOlv1+xg*nxYd^8_lOs28?qkDXO)9f2>TDryp@fSYT&bP$^
zqK&O57x2g5^>71{o4VT<gU5}wov0o(pv&^;08a+dE;npr?gfv|U}#rA@44h~br?jK
zRpJ>2*2KnO(eC;Sa=icP1u%Tg%{l_w|EA$N|9uhvdKz^zp-3~vmGEtX4J9#XxJ~cV
zyE^`nocgpKI5!vKbbzm13o%#oJRjF=t~AiQOm04`oY{0qk%aHBd~vl`FME$gm%^si
zCn!J{fFqm1@!qzeykju9N{}1pvit_mexDD|qvTzObiotxAR{cKeQONBr?rd05cu}f
z`KZMKhq`9q;EFe)YEV(2od$-lT2CtEAcW?11tACkJ|z?Lcj98;^(QtfF-i6zIR4I(
z&PmUC_QY_%DOcZLm^j^~6hdp$^Wyf)V58YmS{?VJ(C&%mkHQ!gb2Or_DXU+t`SEE+
zjGqXO`!fb;OcnL2L6a-m2q$JCU$Pr@VTng^78(0|8?ahxZnGm~G<foi=Ub!4Ir?IY
zE5i2u&O*u*UFA9iLoj+b+a8}8dX92DzCs|W)H%O~ysuRJ4%!q_yjsOBduI^NfTE4+
zD?5@xE!K<#rkDB{K-d1kuf=X-$=P(8oyO^Jj5d@h%B8awEzavnr!u!ulqq~8nnz5T
zIv}xv1@N1Nv?oWaiyXk}MJwDIixp2RKSPh5)Zr-6go350EIjb?kiQ{d!pR;$3g}7I
z#u0fCYTI4mtOV%|?QnP`(J!sivz<D3!$Eb+i+Q2X-4l9aWC2oj8X`qF=XbLPq~kCW
z5PdG>=>as#*nPHD*3Id&%dqrjRNGA?H}9aOqF3hFF0)FMMs5dR_s2N@<sWiF5-v6S
zRNPJ;!_zxw2%#<XrO`rkjOmWLmfr%2veX$2qW8hA6xyGi7}TXLoW!|@4%fKYn`m3t
zR8##Vh>gl56N@BvA}jhvjRHS#$WUSy2z85wVLgS9oeID0+nGvgGFusIm}+#NK}dLt
zD6@Oe7mbQCM=;vy<f0JIYa38^TITj3t;*~9Y{`OJb1&TjnDi6`(U=N^Pw#SGt3)U?
zS6Pe`x}L9cY|j*z@#4xys?<oBg{<Z6l-Zb(8Z0OF`DME6JQmYSrpY|)!Ja2qDOFF<
zzHo<bikyqy!$|;w{@9@}zsuxx_nxMg#}s|-m^K`W4-pGgICP{WUL4HEC9<y%-Pxqx
zjfXNQ){O`&Qw|D@(My@6%BoyS#>_H11>(VjLsme#Oo!67*iAm-qqc7{mEp&fQhzD2
zLj!Z8G+XZsu@@lrOU9P`g71YfsB*r(tn-mz3+(8Ne9TW7X2}m&V3yYC^O<myu*a4>
zk5Kf=&-|#j-*J=QMbV-OzhZG6QIBvEh2&mGV^b$f1ktj52`;ejvt*<Nm;}X*PhcUB
z^7RB|FebF<!~n$1+fE<Cy`GDUQ#qaKfZb$fVj!)x(T=k{(M)~#6kfY~SnXK`pSur%
z1unI2<7AqPP?$?jh4~wN$M%3CNT?C0<Bsp3l_x`nh1z9_Cr_&{zuU;K)&#e6YwIQf
zVaN8ig}JM07JnzH$E0Vp*xxqKD~*?sOy8L1nS{{e>II&yS{w|vOT_BwkcW;&5H4l9
zuf06le$Z;3qeAqd;}SieOU@;DMWeETvOUj6R9MQv<!Gg4q}$;uUo0sTl=147X4N(Z
zfzkSkti>S`24i*MTY);!&~_4b7ySI)x5KXp_*`+82i07oNg<hL+|Kq@5MF9hcg6r=
zR9+4sjB5QM4>``5>^bJe1ZeL}kekjo16tScQk&<QV0Q9(XJ&Ht<yzqPV7M3&csN0B
z8<~dF)9;hR0wa{%C<hmK7*hc}17Kf>;UB(`>rl<j3mX|OmyCRiV0(>2MjJeai43(`
z9*0TvR&0C{XFg}BqUlR0HwB+n`>LQBoD8ndAa(SAxJ5*e#pIum*+SkJ4Qa!pXN#AZ
zK)EC|SX*N(qsJ(~&f(@>cAWM==)FohiF-2qu3IohDzK&<SDVn1QYqdol12*DT>Nl(
zbi?7~#M4TvdNVIVWHMX0v*4!n{}J}qVO8~8yRdY3cb6dD-61VXvyessC8WE%k&p&K
zx|>C}v~+h!cgLB_XS?^lzVp7{@h@2y%r)oyjUM;7hXK9OSxroyk0vU0vEj}YSGoJ=
z<Qb8~U)zj`16-S%`$rFKj8x=xBDA5Wej0$tegp;$%+7!J+J2SI=qTa%vNua5K58I~
z)Q7t8<u{7Dh_I5=0!{aXJGE4Y;k7Rf&obQ<-sSHxRMvE%(h+3)r8n9-4hZF-2Mm@B
zuE1kn>`%X=^_o4PfCgZP_3apCw*#JgfMqErMhoBicPYJzUjH2>u*UlFXotu=lRC#F
zuN`V*U)H!egD|9jX~(wG?0_T4U0BFH99Mvi0%)^@4D+Yg5G`;sF3^Gabl>;%;*#L^
zqEJU~T6iRdFEnPXZ}A%LJEQr8oF+rY^5yLd5_o(=DS^k#po0P}bPi-oPTydH@ZdW@
zD!T^9t2~CuEyv`-Zl?+y8k|;=mipXy1mhyETL>hhE>@DGvf<cJf=Qz<%p6>x%S?U+
z|G?{2v%bE|ZJV8B8Adu~6>&q^p#b};4&hMdTYMIUaa+PclJUYjr^QOuPuAv8H4fP_
zA`W_+*uDdl|HfLBr9ccp8)@91@m%N?dh0#G<Wk3N-(F@brgA}P+aSQcf8A%TU3m>x
z2;>td*0ZL#>yNr%-0n~k3UKnOX;)FtH;VcZ-1VhKJ3PVKg4~!?VQ-$SRM*@9&>i~0
zJo3HsC*NHT<M#LXx&$qiA(Mr!HtiDpq#;D2zbX3TXzFM4bc$MP2}5&C=f>ZD-0AId
zug^BfZC7Jv?C$E|@$5`-=C7!6IM;1e6idz{|I!6blRxAyd<$c-hvc3q>g7}E?+%52
zWb`wIPi&Q?^<)hugCr*{Vqb0c&8RsK_RK2FB8e6&bYj<4?a^d-`g8KSt=aDoaV1`g
zJasXx$sG7xD;2}##ecam<$v55xlj#3(DmWa@MOUXE<0_VVD_q0U$3`O?~T#xx>(H5
zgY$Uo02m~1s3O#Xa;046tBt<v-XpB+)$z~FSH^PknCpKEpER?DNp)W6KU-DJMEfQm
zs~kmGgm+>UY*9`t(5l*=vy|oHgq93*D0WYc9{^k<y;5@Z;^uwA-ExoZ^^J%gE#T7-
z7iwt#-JsA{UBx~Ba(z32khcyy@JoDAdf<ikk2cRWm{!pB96^hZJf$|G)bKV-K3ZwP
z6{!Vn#{I)@5q*JPujA(n)?g?5q!Rebb-K=X%1uDWLfG9Ud?z~#BhYg%;JzY4p6CoW
zkoH4Wh_V?|t|8wDsn1UIk!>pB>+6{?v=<@>#Cd$J%O^M6a4y$-0$Kd*Cd=!xJ!u&h
zk(d}HSZ}&rI+y?*oMQu;^rnMk{H{HV08Tz1%qeP97LoVh{CNd{Zn559Ti~KN>YyG9
z7>yv~aAe%o*YK>@`n%UvS9WBCeZUo3o6S<c0jVSQS=yGs<3!Qq5}ajWM=caFJixvq
zzb<CbU%$FCfl|S@U1BUXj&Dn<P*_bqaYlLaQvdOfCU2Spn#>U9Y>m&a(5l&mkI7Y6
z$nf^EvHkMfW$Fidx6sFxR<FRNAt}0yQG(ITQ0vxiD>rC|*7uvrW5iS$5$?CY8a2j#
zNIB#g$i~lqO}7pVaQR4Fa}))nS36M_f%DQ3fEc0|q|5Q-u!{exLN+8A&9hzF%KOnB
zX4&g0zlH?P)tmEFf6Lm}PuM|HSPSVydP8N&6ON3)05g?-u*+XjGSziw_1lb4yl3)w
ztt5Pb7C+p|_3gg1CEqi6u1Xd@BEW@h`CcloQZ6D)Z^%mLCEA0IAUo{V`HyAW{X4v)
zGYYA&^;HRfd~b=XMOP}PG#>(w)=`hu`K@zEBj>0TfZ2Q*%W@U!&)6XdArPY~$FQJW
z0=psQM-t^su9O&P73dacb7K1Xl^v4Iv`gZ9Y0%<2ye-qAh@(YWr8zTWp%826yK^G)
zdO+2P;61K(`lR0ykSZ7LQ8;1t>+M%+M`H1$Tk3&znuEeFmM~!lMN;t;01#!)*Oc7m
zvBr%eaz^&h=AjA87O40D4;P;JD<KkJ1b&n4?IimbTKw*m2>x94?|Y7^;%nGul<Mo>
zeaNjdggsu!B_k@5p+gO_E_u9IXFw!P#$&4qB*WFhH+FiHuhM63CbvE_1L!;6kt__m
zO9_im4p|iIrN2@e?#tfpcs$AvXK#IAY-i>~D$RcjEAz;*jqE6sAna?gzWMpCM4cck
zsj$8LR+VA}20f1Dn}`n4Si5h;+#sKX<fu4S>A^lGiT^cE5D_L)%iA1691CHP(ah{`
zlV=TKZR3<|9CH}XcG`2ngbsv-0IHbLOo5T3aB&GPbho3GMj~ga3Ep(7jJ+nbQQ=B+
zlZ>E?wU1_Vv3A}An?qFmHyAy3j5*j$h8@%gpyx<$bYWMQXt9;b2thm(|0Vv_bSekl
zC+iN+l{W9-veLZ|(oQ$1gCp>xBEmTx{>}A90H9;i{KhR_OvsMP%FP@_q&!FbP1*{+
zw_`AAqqncpoPE{K!z<B-AcS{?Q!l*AwaHEhmGDpySSk-|N$UMbUC+)_wm3!E##&2u
zl39eR?&vl|9RXllicp;7z5{ut$&ct~47K)f{{>0XaHI5}`@%Coq#Nm}#fZ*f(!(pk
zw0|ej73KBJ@gWU{=*Y?Yx1s6!AlHM(uOC8u<<Q6}9KQoyk{LD}5DwM;tDBnn0=b`+
zY_1GzLFePwScYaRhU-og+yh_(rM?U6W_S`U-3=F;8(XF*G%8-PDiha^?{4LWM5pNo
zo@Ve-1=3Vf6tionhDFdU61M;Ij_S$5xJ_g-28wI`P<x<D<vM~aYP$!~<K4*>UD`rD
z`S57~HF$C;o?<#M1B!$8808qjXYGs3EQp1WIfDU*SQCxEzvsCWZ{4U`(vMK}`EhE#
zqP$9S!pUmsg<5}LAvy}iLWvDQ>rt3Dzf-Hjgf0XOl`oi!R0b*0;4F-@N4--vk6$q9
z2`w&^YpeXi8tziXPPvX0^?Oa)%Hq3*T#8nEhA#+e=12gE|HzuPu&ZvHNsUleDWjN)
zm^i=%2*Fo@tkm=B-2a=Im%28Ivd258`3k=c7lvq3pSgJ1mm4!K{K$gi@y((-G~Hb$
zq%BDlVqgrLJ%q5az9H@IzT1mKtOeR`99qlYWe{^zW)U<m^T!;4Am#}4^hu)`NMfzo
z-BK2u4&jCb?z*L8W}0j{3*uf;k-DGY-+gKvzOS!*_vs`Ampn1^)OX7w^K3(=PrZAl
z%+kJ~AG|kk;=^zdwl#e&%5L4lt6wr3Jori^Ts%JI$FN&X@wt`#E{KU87WT?>tFn*X
zMynlFrS_FRTMR3C){QDH4b`&Lc1rmOu1&I@`tq-{`h(E-(n|-gu^dCh>EcVX_{%(_
zp@fS+_u>2aBisdahC=1$CnLH|ZrRGdD~^JyzMT~7oHC1mwb*;SDl7KBm@_tcY~>1b
zQG=)OTzXz;hRKg0FA1Q;16D3gJM?SQv(B|kwGi9=UdiK06LVA|#onyyTOC(x(#Pwv
zXRJ$QuVK4(G1qRV#3@Gt^G+%}=IW$>{^WTu)T3mJ!_P?hbD)amK%hzb7=&W3G#Rox
zG$(zkUk^o-Ek7V`l*$;MW)VU1Q$~t<bP>DU7vvr7zu5Lr#Iz28Q<=qmDUq%HUNh<v
zvwwUk9ZHP3t#{?P%Sd6}*0>X%*Ghy2|Feo_<0)=n4jV!5Dm!N0624)+_xNj3s{S$K
zi_Vxy>g;v|DgE6*cVjWuQ?GUj3#?zd2m1o1s1YQ;^sGN7GOD;fAC;O@qN9ZDG-0lX
z`j1&z<(CME_wK;WC;TbJYPK!j3eb<_i42b2r9E5xB$RphghoJvk>rwAvM*QD5qm7w
z85EHRAh!4=U`JD4eVDqUp=aAN^*EaS1^-eJA~t`j8T?7@_cN`wzfX80lYzIeyfj9V
zHu~sO`E!x3$e!xkZ1kWrTV_X~6co<H<n7+2yn0Tj7O#2sRax-8_iYQWbU4wj3=*6(
zLmitI1@WdE0G-GJU{~~8q=y8=((069Fr~^I>$E=Bfj=d2qj#stscX|-NeY+DF7>zo
zX-b#Est_++1lw*O@%IdVlwR8$qNph(HY5H*_w_{|1+H~=t3Ve*iF~OEu>?C~Qj@f*
z_dK+!MEtR!*-5rb(1qr)usQ$0Ywxtu1^%Fke2LYYvjjM+n*c=zr^&WPTR+q0Pmeq@
z>94x)ov)F)3dm;>AC}&>n1b>|5<63hym5*d7&kfq&2$7TSmNExcef8)P2B@$gt79P
zlG!V>R4uDODKJcdV>#cn0*|MjYQqBBt&ID1)bgO)no-}fRF-7zyzIMEa2;ClOOptL
zJGAPb{@-;>YWxxTeSthV?ZsE6Klzj-6i_n?^owWAMFGr-wC6UgD~C4Y%uvSo+EA`D
z*z%SI>HX+%5<N7yj&M5Bb=)E7g=)>|WncN2(YR~F`GtS~x*{r{9+NZnuDSrtgZmj$
z#EP3@H3c6hT_n<Dky+4?b)l*k%l8AA71e`d8jpuFG+`6DK<>~SsWTUHwU0McHy2w%
zV%<Q~M(D1z75ctRcqWynIbGBal@)O)RnV5*1`6k0$yDQ1AH~C~6lbc7#lQi17hf~t
z`lA=SGQ*?CIM>jdm%C7GY)?ih=pqObh4xTf@nh~-BWay;{?tY(D=#&<ZY5Z+gsMn+
zDuhUv>nG@O_}y)PEq=vh^>Fb@Llu=pYge;V^#tEUi(P2O3mU+aQ&W+m<gs+~0hRj8
z19h6_Jz-NTrne=G?%Ov;$y{bN^eknw!HT%dUklanknxy@yGDzy*X~^Cx24M8Y8zJJ
z7IK5iCe6lEb-VBn8~a{5wrVGt$<4;sf?W?ehrY3=xnE5zNN1}7q`_I%U%!Pp%X<=4
zdTy=j+*q7hN{RND*$=y^mFtj5^^P>5SK2T>=+_$qQ4!UADrGD~!b1x-uKBuTZIb-r
zam4-@mgsE$lHN?$W-N@|)Sf9fCEZ|@WdO}}5*L5C(_C|R1@68MAq2INlH9(-fLyL_
zDFifSW^2vT-{ccFtImHpEVkZ2_QKD?e2bb@?2ON%iw&$H1L_g)fd=hQRu9%IazS)>
zN1NQ!*$_C}l?b~1#^7e&%VI`qG1BDBPV>MG2Qm?V8@;x$1)y#-pHqt|md((A0~XJ%
z$}p)q=-(qi=zS8f&lCivLgp=wIcr3AIMN;(+9G?3WFy?r$#XrlG>(%zAG2)S+nx&+
zwsxBU(;%DO@anSi%Wct^$rxj`4C(D6hgE{p-^M5aRhNAs0&ejfpr`e|+yN~a_bT^$
zFQm=aB8zgd-5(%e;ubIaxwlO4ogL-jC{;M=WDbk;<qf3~#98!1&8Qr#k#9;<;jU(5
zs%C<Z4FK%LT({agd3_dtBRj6`R~<6mjI%gQI(G*#tQJ(2AF955H?%|*SzhAzY*#A?
zxd({V;DH$rf7%b#esUMu$#~WS0JMg8GW{RRfh3xXaH%%J5QUX+Q<_tCSoF1)<?W##
z5sr%^e^8yNNftj67XZ%lba_T^sw*oeiYF8Cq}m+PYcKjFY+^Dv{LEOK&{OF_8lIG{
z2G(pd<}g#D5Gi%uJFhq5x!cdRddBj>;hj>b!^FsSuPM@yDD1?R(gDKx%0893Ut*UH
z1mr@`E9q}&uzrs&bviaHcZwDVy2vh5R~jS(jheltA=kieh2(Gx)o~>jpz+r(ko9~d
z18G+}iWczvDg8TBiAxGQ3*dAtq600roB_Zn7`M5FlAq{PwQJ1${&~4`+$#RnPVVc=
z_?}Cj%cUU<5EI-7y0@6^W6?Kn@Vj75ToAPAaC=rU+)3rzF&&Yx>CC+|Fhc{cDiYK}
zTsMBo9KA#C!d~?W!l*t^4D7vsn2Qds>|rmiG)6!ck30a7Ii`BD<Uu#*ZfBSoRVhWY
z1e^YkVVG2Y%G(^@*+-l%Pu-w7jC%vVD}fm$g%?ca?TrprOz=V6&?x(UJ4=j8*_$uX
zh8vkFx_akhJ{&)qN#U`+3VW0|tvx>f@gUkBvlUAtS6Pe(Fh-eVR~(<-Qv>TGed?@R
z$`6WWkr4jm$QuEy_VL-5qG*Sst`-IuRR>Lb_tDKOhE*;>b)#fD`u*ttD(U);iLdSx
zi1D}D5FLlfMQF#gS+`5;=C*p8nP46piXpUN95*Bhp{|83?;R*SKVHL#wz>~Xjk|S+
zpmD5s^WnajHzA3x%rnf1@_D+gdTKFRZ{GDe48!N*ec!L^tZ;>RT5)*vvUdWdRG;h{
zJ_9!ZLLvo9NW-ceDxb(W%*qC6-`G8!I)i{N)y;R2SPK9gU_&<FoG#OLlODN}5+?AY
z%8~(yhqv;*%;J*(czQkuNdhKDpCtPmAHlOwk@YM*6!VTM*NLx9<3K3zk?@K@D#Gje
zX}Ii^BuzS$d`OyD#1jh#b(<j7Beb(KyG8Is!6Vrhhu-4V0xTBI$78vcWUKqiVq&4X
zPpgD7mv3$px+3V8fsy3^7t7IikdC_$FZoJZi(dPRf3mH;V;ffdjW*lp*kjj9A36Cr
zcO(CrsMQEqSh~s_VPQ=5VZm(^I{>4cjO2K#EYu!N`%IT<12moK51DO9?=4L*r-?2+
zXcBR<ERPFjzFM>*hN+Q&O@q{XReWC4heG0qY#+eMNp>hCjKj$R66~euCycvVYeatX
zQfLk)!&1?f#nAI4I5zcD`x*&b!rtK4ML>3KHPb>3wi{9bLiLzGX;aIOKN<C(SOn8|
zOv$J9Ibge5(Ua!iRS#2~hMTt1ldC`szEo<BPxA4~%t5gRnZ*Zz(_VAT-BL$KjJ+D(
z&V9U1x*@@ikh!|~NsN$ozlG#6MZGBDTPlS!+>_rlD!g8Z7ExqD8hz*;lY!6B$bQxe
zY@V4C8z1v-smz#XOzXUTzYl11oLeljKo7D;R`khF;v@i+^Eq=Bn-rxk<pY`Ne%8hV
zRbRQGnQ#+pZPea{BKyFzHz}O{+G@Z=?@<9tB|!1OcC($_^2|c6K=X%P%;hdhR>*NV
zJr6e)&mQk1P8COoX19E7J1{6D4vZ@_>VL=5*p|q6$RB|-1*$@#j<f2Ey_k7)UgiC1
zE>Aydu+GhpPxX7q7i?^vD_CUdzHv*Epf?x|URnS0rWZAOx-3pQIa#*he`@m-hK>Ls
zGSLrgF>Avj<FR#>(?rDBt@lIG{e+!18PU53=Cs~-713!2FrX@jkDIRdDz=v|0R*8T
z2Iwn;j87#RD(;cl7GPjjrlUoV??pLJuIZOi;;*^F)T^%{{VzJ3qVPX6f%b?om~5MA
z%s=Yh24Sjlt0A71-N6R<4=2*f7GSM<-rm97l{a?wI1xJWdJXks(!7>-xg4h;Z$U)e
zpwvb!h=nWKRHo+rK=c}ERebs;+cN<Q4fRyJ+N)Y^UT+WoU)l~SLi+?;|2P)=LiZnk
zBu!}vZTKMCS?ciYKQjs)z`E8M94v`PA|Wl*5|3bzYxO!{+6&1I0CbH7HHV%q0u5XJ
zGLSHW3H-GWQ0-aE@7XNC9F4QX?Y$%w?(K##P?Hq)L{wLFEVy3#Zj%NsRRPK<?}1TD
zVbU_e70VXoBvB`%(=q(8gI@F_GtI^CW#wEb26|DUG?8&!0WKC%6hRV83&igb04V1h
zU{O+_i#E{J*IN*?#tFl4{;Y$bkvt=76(>NIk!Lc#u(s)1Oz9SpOy2`)xd@zgWM%^0
zPQtmN68FG)><P;qZvl?IqX24Yl3saw;hOM;5O0|;P(3~Mr0wRCkS6-uYAHba<30Fj
z0q?;l%+xVXn<5EbwQMWi6LuLUa4QE}zjK5jTN+ExBogG;N?)o5E@rmxC$VLH{(-M=
zo5cUYo_x7Ie3%%Qb)yo2kQmqCn&dIr@tOP$${(fvb9L%0I`I|n8ez*nXD<Fvy0DGt
z@w|s&aa|fbnz?*FR*t2uEr-f*yAn;|8ytXwpo5$c6fp1$e!KBj*YZ$HZI%pgJ=@b6
zdm}prP9!&!+v=8H{wsaUEO+x;cOR)!U0~V)ZO~YI=v3<d%#%>lVSN!VXp0@E?+w9l
z2C94g=U)-UVKD36k$o~&$_q|w8ST=oJc_7ujmdMOju$b#gQ@)ZHheY{L_gn_e8P6a
z8`Kx|CU$$CiXiAaY23fcSl?e?0me3r&f5li@}~yZ;&&uL+ovj-C$|-jk1w}Ftt*Y(
zE71sF*Qsnw$I!`rdR)`|oNED|3V-%3-PdeSohes}l8Su~WDryeRk-x`(!HhoT3L#N
z?J@IiRLP7M``BIiDinN^o4RT!r>#{xR<+o!xDyVV*1oufk(s$@FYz?)ETe>o?eW~L
z?tXlUD7|qJ2?9n#?8;;IJSsCdl?D5+t<)`-DwF!x2OXL5Im@Gk8ta9JqcTYxztsfk
zqUjL^S>tb=lB$v}tJ?8Xo<#<@G>neB-;P8UvzyDa0Z=6Iw>?QWM{wz6xU8onZQB(F
z$xRrfNM<kJZtPz~BQ~Hw8r6d-S^q?Ii~qt-!RlE7eQmP4)aB#sfszRceAYB7(TkEe
zthnAw#3~j%L;=`IF6v0#NPl(jOG0^SVH*Afxqs)20rJonj||coydSy$t*V%)umJwn
z7r@`9mI}C)xWv?s9j{`EB+hXjHPF;tF*8mB=q&AEA)ukN=U{u#7b=Evyy83R<%P)r
z5@rP}?lLiS4h<5FuJu&^@G)ZVk_%~XDW-d!hD%-H=&S@O^2=cybt)PfhLAC!Z(wC2
zZM=E?nGN}roMW4DM5-g+BJMi?lR4qM1?C-GDl59nJu;;L<fu0PS_1gFOi*>i{Ilw_
z8sp7mUwEKz3&L7g;EwRgT_m1RlnhYm1n=aifa_11qBGgCXjS4!bEG3bp7K}Xl!sdk
zg|Bnr6BFTNga>4V`h#Uj8<SRAJiEZlO95<#qEemG3Y72Wzer3o%quEVV=h7<IExlO
zdkhfY)xZFG`#Y|7uEoIX7C8%#UhX^!S6v%m7IS(0&3tp~9SqBnD;~$M-ofRB%a}q(
zmBk0Hi0ge`Lby7fr_O73(EJpLTlh=9a*Kr~b(+Pjdi)9DcrLoDUp+^B?+X!?+1{5J
zdQaK@ScbOhBD7kkuK7!xkE*neN-v?B*uJmRnsg}nl<fd*sJNo~%X^G;XNA=P)c>4W
z4q}$&`rhf%$<r{(O^5KBOav~GuyJ<~qzDHz7AQgM2~<U5IhEP9hB@BbiI6BGv)g5x
zQRDA;xNnRy5DQS<KdA5ju^S`QfI+f|MKf|z2qEZHNhaZOW^o|%vc2YIdi4!}KV?}t
zzBUSeVIXF-qpzV_${>Cncv({L{T?T4f9`QKmP=QDXNl<T0R6vj5wJQw%t-yX>qgBA
z5j#Jt<sARQ$86Cc?>2~QO7c(n>jUJ){~Ae-p9k>i48CYE=8q}Ow%*>}Od^rwH1q)|
z1S(;#II%eq$1ZU=M{sI?)xz$!+P?Z+G~5Wg>*mC2=v=F^vt%%eTKnJDPP$zex(cx9
zY@w$md8%7~3nl@mkYXFrPN=Q|<jZY&ppuYITiLTm?xVd<ZmY#S?yu0E92`{(MZ;m2
zy>Gg&<y4ZVjRofa{PsU#4#c_rz1)90H*Or;AWRI`SVA^#L!L>#e|`(m3i5Q*Bm9?1
z5cm6@3@Qon6a@A{k=!*is4hq-MhZEX0`ijhA9w%5HUD7c|9)G0IwC(X(B?_Yks*}+
z;Umi5H+>J8((rQnLJRqT61a;d%;VS@uA8R~1PekT^DiOf!!XoxVe)GXO9w?cV>O?g
zBnt!p5&y4y|G$60WPwd%>h3~ca*^Qh_uJ}zllS*8Xt4osnsl;h*q?AB43Ym`2!rri
zAPPbZtvYlFw!j-kNrI*(NlEaSqi7-D-@p3b9_~E_APaMSkx_q3&zOmj0EH#pW{(;2
zJne4KDmd$&r`HI_7HqDHac*&lqjwtE!gPR?3NIFF{?BLepXae<gG4{&=Mtq<5VZ!L
zdG-Hl1_57y^x1_liWiio-Laza(N_leo9d8Yr~fq5|L4aLCj@dpFuQ$DVd~#sAf*J<
z2w`<R8}fm#no|1*Nic(G>&fK;ALVBks*OD?NwCs~_}~b54d(yy*W&+^MEL+^sP<uZ
z)rP4wonHbSg6)w6&jLNHM0Edp5^-34IY5WYOq6;4sFox))DNUna^Wke2c{H3S7SuT
z9uZ?~`i0lPO}fq(PW-*e|LricXn>n1!<_$5&r%6Ej8Rx5vwz77%_=w5vL}6aR|35Z
zcI$WVBZv(-^7JZj{C{0~l^AjkXck3*|B^d#c}SZ*#^b8s@Xz1wU;$!vJ{!b12<WH!
zk8tAu6gmGFK~;fRECye?>c8JDi3P|~U{1V(!Jo61hlE(6>{3-sz^9wlayEYq`~PyW
zKiAL!bd@2TcJ8mJV7dXS#deXQw?~8pkwq-XGX#Jb1rq~YvUg42X#H<5Qv6@X+5QP4
zNhD-s^8fmPatM=>3Y07`HK`7fTpwlN8!d3k#`KbbD_$?Y8U24=(G7CN47{&@&j?c!
za*rh$u6zH?Y;gkbKxZ4r{7O(S#Q89VLjUAyL)d}g(x)VY+$iXkW5WNx-iyOZqC?(d
znuE-%zjB7D53ynTn}wi1_v{Wqr@CiSB-M@p6&2i7w3Qv0;G>qAi#+N1WcDm2Z0yYs
z1!M4#H})Sr{J(#I<paJ4?wTm;?ynv+hykB8J`3dF|4}?Ye;_^e^KT-VX3`6>Q1SV3
zEQoXl9pZ6+N@3k{0uAzdfLGX%4mz9LkZQ1X(=~FxA6}@pU2UfdAr-(*U{NQ{k&7m;
z^Hn?k=lbn2;+BtK#L`Dj;m`!YocriuW$i@krK5lRk6T@(hMX{#Wl_*yDMf@xDW=C+
z!S6p0!vHaUIBP+)6M#pZ$-M8VXvrr(`M48-(xOP`yK~&uIo7glyFM<5mQlglzhFB;
zFwfFh$UZmqieOU#81>D^^YMa#?+Q{*6$ld*X_lIxk3@tR^6Y^20gWGPi?=BBEumyW
z_>-juDAdv+@2f@`r4q?#77{GTeAAn++8+@x5;_^bebR0#o7zzm81wx)cIS$vd%x9Q
zi0%;F)b+SEG8P(rK7uadoz|Dgg7a@*b)*Q<RQFE>W`7T5F%WpYi(5)+LVslLZ*|MB
zlqU-LRLzIaFEC5QR*S?>6Y(UjJL3EA1({=2+I|hJl!kk(h~+2w0i7{nuD2s!#UT$h
zZS(9$BNuIlTdG&<11#FX#;3+KN4mMcm-;Rro4hj=b1Zm%e|;Pya?NHwx|NZxN99^&
zYJMF~R&{{rUQ?6qlT^?5pjj3-;M-hh6O_QDk-RCyOjF|p0y08@eL+MUr=_hYd#$o=
zId^kYZ&l#n64`A2#uJp#Mi5cy>~+lt{WaOP0l+7u*>ZjV6!6&~GQI3zr7?Pdx4z`^
zL?nA~9rWm2g0uRY#7rTEuSND{$c|Au0d31tOr41Rf>bhir}Edq?J%d**G1ZH4WEjy
z8J>4tzy@en&AzsIiTgV5B4+@vh{y%Ys^5TkNy6u^M8wtE#KWw=_hCpUW_)5KyDNBY
zkiZ+%(--Xv(r`YWg=UIls4x1c<5W@<ft-SQb9G2k^KpXw(@G;uIjBYRs#!OLKv#@S
z(yA>1B~X(E+cxQb(3r;Gj^Pw3;5gzK>EZ!tQ_<@0@r8&3Kq^V$YvCEgw!5yf;r-RC
zNM@j#Ko+vM1~s6O7ic=5Au;}Ii!$57_}ZGk_K&*;w3`m{CVo!5PXFU@`IP{%K&L?^
zgSW;5HY~JHXmDX~zUwC?*`9h`%0~RMekSuWuuc(1YT{`38_HQ85I*e1d!GI>o2@Zp
zmX5|p+nc<DdGozOB{{cFVjqY;Ftw|!;eeF|QO;Za9iEtCUf{8@SIQLZs61hN>~qxJ
z6NE-2RR_C=znsQkc|Xs=x7?$x!Wq2kMk&oC0Af`ML*=)Us+9c4Y@T|Hc0wiRcD>iI
zZchyxUsY`WMhN1tX%M$FLT}yt_+wf1z5M7E1m)M|j}V;>1s9g!b8MYMnQyz+6&!|C
z5|oY>H1yf9?Mye+ioN~EOTZS`>OquzK|>1dPn8Om8DfW+y{-!vb*YxE+K$IQOh`40
ztm^EYnq{hv*=~8d+%l~Ob0&&R@^XDw#q9ZIlx@7SQ!cjJ9yxOobgGQcz==DE8622~
zif53k0{9ool=k(!L8FV=)5Ses5g{r&W7Pp3*fs$jXh9t(zfAdlD+z6a&Hyl%>??Ey
z*xjcpkGf95%!(6{jx#)Q_rKN<a-m>Ah&OE$KA1_jvD#j&lJ}U7fNwi8WwaXXE~!VQ
zs507~2?%+zNLEx*=*fmatvXDq%vU%K0K><{@39DylMsBe=|d5-HV(l!h(W^)gTz+2
z=}LRZfX$H>rv{!}A%G}OS%<mXs`d)%py5>W_s7FDyKLt|+8A1MTDsBcuU*$-?Yl6d
zwjKBJ1KE117CyoQIVqciKW~o3d=S{gy6TU`C>^0OLU22HFBifw3_Es)3FNWZUUrA#
zt7}%1)}24zJ2yBVi%N%+qs7sxpsvjwh`siOT};8KJG^x;ba~uH`>q^MoFf}aJZp<$
zMIq|p6C6!0wJ9G<Y4#HrlP>HKdiwf!#s4^*z`A{pnN}f=(6}$G$Lis13k3|UWx}Qn
z`J4^s+iW_ARI__Czu<h_J~&9S-V=#}ghOB9&U>&kn%S|?hhW?rfrNy^k1smEyg!D=
zHhb8DZgv_=mjw*Q^gfz>!CM%d>rX6o%@p<Y(<(RY3dW$Ig1(QCPZTDSHd)g*rPB*w
z_wve|vzQi<Z$DBVl@3jy2kcwd;es<IzB@jhV&Y_8rrDov4x<`vNq>`SCDWB?AMF<!
zd7P_dL(XGoi_^-jC+sZKE5+IFyq2^nUeof0E;%QX01@{a{yPt+o@>}~F})<Cty>dj
zf|sg)LkN868=>E5BwU@iNs)Ha#v9_<RJXUc9l)*<D*Mg;p>uDK<~|$KD!?x(eT!N+
z^LoJ4ohmILgp{MRFfnkvj<3AVLL!-I{U-XJ5P+u3>g~Xr{Gi6-x>Luy9YSBA#UZ&8
z^{N32dtIP6E(#$3p!@=aVxV2Y%t?|z{+<O;mv|Y@fQ3rg5a;_I3q}DUc8`y~xZ_41
zTevZ-t%rV@6iP4Zx8|(~-A{;wT^?nm*xWV|PsX2xMjhUUTz_+&ApxI~r+J-_i$2z*
zgoSP=){Y=Q&aC*`BpG%Fk3u;b1v;KH_{DmE4@_1c4&NhhyMvah7xwX-G5ipv+$lVV
zR*(kov2x$lNh7*C+U=Q)-4_O(n>-9|QmZDQ@b)=vChtJoMp8@ILa6XA4WkQ;GGhq_
zr3-zADp_eDdJw(mIDKboIawi^z+?~?T(StP&}8pPG7xn1(R}rd2;KOVUL`Vb6?+WZ
z?E55nq*<St%u-$PxfSmX9UKPLKoR%r^CoGc=mK)~EW^)?ZyI9y<C;9~E{MMD&jp8O
zfO(uudPAVNekdbxa+k7*?)|h=Lohtb5b-82({F@lR2$3?A=w;EMfj*$j?AoC8idC@
z<MXWL?WM9eQ;as8%DYB?G8<*k)K$AbgBS0z41aM9(-V&G%lCPu(=RYQC6edlbVDu=
z^@xPWn6NvXKx+VpnekgHrwu$QzY8L$#qCwqEvIAA+p!#1oawTUK|2Pxva$W&YWIyg
za(d`_ffxwg)qcnCoPhO=w^XkhyUKik1$~OeY;K&;(Y9-00fAmQ9lbA#g6}uUGIQ<6
zX&+Y<{Eo=f`u9&_)s$Kzq(MAxuI^nCDGsYca}Fmr12}o8X9LMpFq5U{2yYADj;qlE
zu&VB)nH6oz$Sr2AF4Ji?rPP_{L7Dj1xwEhNw^g`^QPv_9J?(oPcM&N(@4M?*pwela
zNE_SII&>=ROhf(nJX8*68&S$YC?5DoslO-k0=+!lB(e=r!dR*mJ<QiE`T+O3Hm|BD
zFej2gqsLpITg!Q1mPrJRI$a;F1dBexcRCmve&SO(;8z1{V<iiDXTMR+SZp*}P9tJZ
zUvfYpU{gO65y3gNXdCD12RL-pL;nS&3Vd|fgv<cpl#uBNZamp<dO5>WxF506<VRf$
z5~W4XTdHQXcmNv{&<)%#G+Xu7ua~^dhsQknh}myG^E>XLKC=efbR9SQBV73#qTr8l
zzvHDK8nqx=!I5V8eM=)h_Q&dq1F@zFtgXk6Fo_hfEf6nt^(Nz4C7Mi#_q$>eI;X`5
zYAWC7p!$P)Jo+?g;J=`LU^iL*8{DOI5%<LKNn6srzGw&sA0mToB9lgtat3!gi_7(q
z!PU|>E`?(I8UKfBm2|;%HPPv6lRk8DtTcHnYH1%};R5kIj+yBNij9bo3CpZ#8uuB+
zNTMbk?j|0KHs-H<<>H@?hcA&%^#_Ft=2ggqV1b#{ogRR&Fo2HanuPqUtwjjPP2_vI
z&o_dvS9@TiK7-l<La=BgmZ1ZcQ67h=s4{f80jLC~FS`ohj*T9mvyT46n~)SIgNWVe
z)dDfqvTM1jn(LYk4!4X(pU)8;HVpE)-|MH9C;u%1P-lRYDpc2Ek;YVsU6vJxs>?+$
z#kaE7QD=dd-Fj{hOkWH=<p8F=(Qn*>`se7lLWL-sCVq{F2KGcjK?c1Cj$9Q#M3*gF
zK)%xKwGy(!Wl@8lJN70<d0dTiC8KUC8uFZ0l@D+R_q-<qQ|mv44pS!aSiSYfk_t{v
zD1P&Z(co~Mq2LvGW@fbBz~LclbhX%)e9(uAd+m5UKWCenn-cuwOgR5EH83``4(E_9
z?zO=i3S$b;?j4D_yZ|W5{lb%2!&!zoWzIHFPAB95>OBOU-=#W@5lLN1YdwmOWdiVg
zZr2C!jSkxZZGz5Iq{XbWxq1YabKpWjlqZ9F^4^Hl0<6Oi$PbI{yh?<8#1)=*0c@VB
z^>-82nHO7f(WLNGMQ^7qs-g4*oRm<7Vk+a1h=ZdD&1wThTinDadeL~c>}=gdapZC^
zc?ts7vyHql{JwmcunhazfPQM`z4g(%-9H$Er|y+amaW4^6AwM;-V_wfd6T^FPXjGj
ztL%Qr?*>2|OOB#*_tTp%1D4#c;6Io@%&MyuO1f5WsXc@n<F&ldCiRhAeM6_nDA{DN
z!0Vuzu2=Ud802{$Zfu^!X#Wl+PDTQE<8YyNNm~D47XUaV{WD@mn`_8<q(L;waS&ZX
zd;esA;gvMpw|uWSIy3GyuwC*wvt=RbM8NHUzvd&($-2s9o5z4;e<}mtiu5sO<5>!F
z?6dV0c9YW)CHk7;oCm3^=-@*JrJ%wng@j+?-x&CS#%HBVUD!EYxpxv}C_pB6MTD`F
zS&h;bx*df#vBpMkY#FT9J=0)kVx+56X4sa2@<Jx4buop@Vs&q-*toumMXQXI)*OrX
zLP4`l&BNtnRidXlvz7eP>E+dZmFYm-9!nC08O5xiw8(P*?kl^)gDr>`n6_be(p=pX
zsf7~b6}_Ka2)B?ilAHp%k3dS$6xM!Jx^HyW?<>skFDAw*(BU3I1a>DF-8hVpgZjHX
znFqCw&EP-18Gxe`$gRN-g-(BbZ8IdlY|bDes2|j%0^Px?ua2OUG6)R;TnHR*jr^KU
z1m%=Ir_40E{_rsB<pAisUfFJ&OKVoBFW-z+%2UffaDfk(7mmLpoz{UopkCoGSEOuz
zbDGOG&FBBN5w+xsGWCNbyn-7Jjdwm#30|t$3Qn-APT1$eJ#>pzAx1TTh6aIE(u4<k
zwD(NZZQuR4qF{-T66W{3W68pl`R=Xt%Ku<UFILc?)gBL>LI8QfeCSP;x^(6HBkP`t
z>01<nEUBGOVY@lD*@lhREmds*t8K%Zo`$c?H=JL(@?WjqPdH$^y_pBLl!?s)cx@I@
zZK@!iQtdo|Dr88?mt@4)>*gf3SCROrD*#&P;^kK+ldKmGJ7pq1exj%XK^e2`+1hZ1
zFT>yFxNyj)3*teRQew%gWO9a{<C|Tu$%W%Hp`z{2n1P@*Y}q^s*g$?rO2YI3EOS-n
zP#)tY7+T@W`Mpt@-NQLME$~C|Zr4)fR(zkAf{^0#Uw|m6BT1k5CJQv*S-(`&al-XS
zF9Vjf!nj=={m|~{IDGl_rFhX>Ca9K8GEw^>fJ*MP+-a=!F!LuzLk{|3(1OcSE+*C}
zhTBGC=WM|-2`-Wis4X#YJR-EmHO`J~z2p`;FdQXblZ~%Tue9;0+qbGripWDc^+M4d
z?hEHZe^Z;O-SqW9>>)tm&{a5L(SQWb@O~9TF&4f=a0Ql$T?A6kTTxv5qoqbNVPPdH
zlVT}RV<T|eSgI-NcIn04B}ovF4|Ge#&W|iL0~2A1&(WSoApw#m9@}gNt#3?E%_OEp
zFPfSx2i|PmHh&rSxS=xyDGSJnv5h7F@rJYXM2~THnLk~kjJ!?hb*=&SOapofxg$0n
zL!w7X_bUG4h3)>PTo1L1I?q1V*-_A)@e2FzOeRLn)*eY?lW!bW=!U#jzmmPnH%N-S
zIdA#TJQ5#8pqk}JDW*d6-$A4sf;n))oNe`N=FA8T&b5T=GqnZ7waow4=nO!j`ta*J
z%buhYNb{i0<&;|gy@`GD7`$7HVjL|JiE{{?YNlwQp0!^Y=H27d{qbTDKYo&^sHhL<
z^aKNkTq{==tu^X-Y+-q8FzJ?du`il}dHIT%+wwi(nWk);ZOO;3AT+RwHB1=H#1B;r
zVEO09@}ps!*KiABQOgD1E8PTltnRZifTqBK?l5a#x7k{hC0QVrU`VS15jFKfbqqlr
zDIC@sYh8z1TIf%LW|R!6IGhapDEs5{SRg(Rj^F4*QmG_3+@QJx0e{bNK6a;KZ=D&f
zsDT_S%Ryb0wZi?HE^FwQ1KS!&Z|-ACjx;KUH=YV&DKc%qtU67Ib!!4s_xb%DOd`2E
zG8eiq6vg%j)$}oDQ1QCL+C$g1PsaJA0$bXB|DC$aqz(=V8nRpG@!Wcc^K`v8x@$+_
z{qYolGrzWH%Ki}B%_41MIxL!5|HQtNMIh|GgP}UN61xDE%~%lwOf?ymSO>lgJAslK
zh%y2Vva<xrKM$p1#OEvRq%H|M2TZeUmZ&$`u2I)~yicNDeiL3c35rmw;Ia8B-HwS>
zrqrjJ7Jy&6aQ5<F{AvCfC%m7QJC$>G5052aW>?Lz)#0vnCqJ*gmtpji>?PCVdwGA!
z%qTmcmlZ=#5}m?r#9}&<pgz#nEB)%p+J~191%nwIU0%~1gc`_D<okFp?(gQ<^T{k!
zvQqGpm}y3KKXEu)kDxTTLxtt-QHJOJEeAlB!;ZDLhO!SR3lvBynLd&NWot0S?K0jh
zSZjS%3{^<0P*-_N@F~~aad)ni8ArMImv)AzL*1Dlne%R-%dQP}3u!2KK>E30?Z<Bc
z?w6;o$bb`6gAE5(9R^h9%7%0$<mJw++0Y}qoG`wh{+-cs-(ZOxiLtjrfK98EHA$lx
zM|;JMwG`%Q{JY<gF*VvUUi&Xa(>g%WBsGnFjDcDj>8A(eib_LQ2NQ-^8$?L;9N(>b
zUh*W|7jvM5F4sCRM83xeWZHeDis)O34UnqgeR^*+b(#|T`?$m9^JB-1`mCUXQ@gle
z7!=0QQjg)&>W;=^@32csY*#X6av*el!oe*#2I6x23cTyC6t6t@b{&QaRHL>9?7atC
zSID+#_MhUG*o5VxY@IGh!#B)MCEWR;asVA(tO12E>~)zXlDgjH10V-RX8-8iQ40$X
zRm{gOIuY+lZp*(kD?Vn>Kt3GgetmQ*8A~nWCmDz=@r~Oz-eG)j=@YNS@BNwbux#Dh
zkEaSMuX{)FSRBr`m4TfR8KM2?;iLlg(pYo9TYe+yjb@4=po)bfNv-D;3^SJMH^zmZ
zs<UgCgGAz~Iqw3Ey)S+-bcc-R$ZT|q;}R9&grTUH1mmEyuXUG;Jt5vK6|n9cT#nIp
zpL=e@sFI7kV7uDccq9Z8d$iCv+Cb?H1xl*>bEUW;mXR4Y!*&3Vu{!?Pd~#4oK&$W#
z`c0lP2GhiM|5>~B6cKc1@P#M*Xy)AsXXQrK{>=|(LDW#UvwkRY{7WI6f_&4fGkiv9
zJ8dFQw}%r^50`6vHSRjALBUob<-3TnY>V~=zgDoDP>~#WdsQNK-RV&&iS4~?yXhvX
zPL%`z^>$f_SqR@5y;<A4LUDgG6g@Yw6C!osj}g#YB`jm~AEXd#?HVpl`dSh(BpT$a
z$#AiGy?SJmffp+x#A%A2taQ9_NjO3(hC1p2rUa;Z)pA>TKO!%)U4L3x-Pz4Mc5pf0
zgCkK4MFoW4&syNT>fCB?=?oYhPkS8qcZX1qgGag*;-!G$dZ1JD{+iBh0B1n|zT4~Z
zjKtk*t<n9$$3W=%Nb&}8ZH@=Wc8OLsrT6>u-p24$pz*c?L-g5GtM@a0T%J6dfHp0~
z*~pK4xqTq$YWM~iJ$>c0y+4Jszpd1P-=#HjAxV^O?UVx~ZJ#SvFHn*_*Wo-&*M(!p
z7SeUo$?NC-ashY*-=5~m1bpfd$(A^}!4$|Du~{C40Z>xXdQD|bXoIS-50?0@*L}Et
zyXw$hC#=HjFfB9iL+Cw^UmfUt;D))vb8JtxNea03!>S^gTYmlsAU{y0{f8|MyE_DS
zCWru6W{7oE%nf6U9`yDK7%i15mqxfccn`zmyWB8F>1Noa<Ci>^N`!ncM0epe4Sq)=
zBkr5cYa$&D1tfXv!CB5ZIuk!WN)v2b4~*1b!etd0f(h%BFp!tS5*UYvv+FyQ_n&zV
zp648PvehSE#O9Vt3U3OU?9p~fXpLi3>Vr**BFOoCKf^nUazuP;2~u{^!L20~sWD7m
zQ>=Y&IyzDslQt~M`<n6FT#s-!Dj6pxcBRhz9qnM$a+$~i&JQL3#&i4=saR$=r|!8a
zStP0ZoFA{0(gkaRoosZOd+yK(OI+fmV===5f%^~BZnftzyFNP9OLp$u{K;De8C8xf
z6wxP}t&R^2KYe>#=Vri0TCpXVFf6yS`<K&+bdAND-z3yOi46n}&{A3q&p1BmK^Ntk
zuR%d<3!y4yPGtL0cz0|>^M2}Et?=ltbGb)wZzs_7Vyu(;9G47`E}$rXt6$%LSNztv
z^K8w-;P4QsOUgJ|UQxlIt+vzV56?Y71z^=?x&q;vk$tRY7>&JGym~xhqyR#T1Ftn#
zyMStuovB?y9gnfP>Ohw|j|}3=sf?ZK`KXd(q>rf=59$+Hj(?+uZKMLJfgD7PmQhz1
zmt;~ODl64=!Jc#Vh=~Gqnt0ATRNSq#&$**4!nE_U$4(g9lYux4DknLvXPZXkqYir*
z8|0T`)#UlcJz)~_H6N6JW{IN%Gf!h1pt&kD9y5TEziV97<0fXI*DJSSBm@Ir9K-Ye
z8X>~ux76N8;+^hDU^)??AOPS<YXDEbxq_>7IQsq-ynghaBw^T>0Wl2-G;hy(*v%jR
zFbg!n>(j}RTl1Gb;9bcVfn6?ZXltEjzj_5j@`drF!{<CTj^Q$2gXe&1B@Z*z*NL1w
zLk6|OCu$GNEw<aR)sOqXJ`)NXNmkVk!t@d;CY2+Lz(@X?ZF1ii{9>)CIIv)U6PMkN
z8u<D0CH^}I+tY&dgUjiG!tMgcdut+{k|j@QfIt%UnN!t=I{U`%>da@CkKfm=BjVKd
z{fwr|`Q2AW<0|X9Y=npLtVViofV_hppd(by81Dt<GuNdTe|*jy=b^FIZ}WiaeOyWn
zMD(Jr;#NFB2z&ZvHk30!KqBjCAn1%Ni*fL2b|&9OP--dPJFM%&KadJ0psL)6%lA$e
z67eB&K=K=7m9GvYdm)&rHK>7>BxPXV&}Vn#Xn?8hS8p`5h$3y!PaUPM>9CESUwD#W
z-COL=q23hfueP@X2#j2!l#?*#+X_TDPL3#P9lV~;ID}2NzHda~&)1#Pkq*YHGX>L4
zmM?#*BI8arz6l97g5P=OQd}Z6BMUTTWMtN8qJ5vNp@`H{k&P*NIE*;BGmuWQJ)F|f
zC9N&EtaESe3B@>11&UZ0MCjr-ZeUmX$mZMG>NfYy6<4@Z^5;Bt_lEv+3eq?#y!ljJ
zPt&}RVb|Ryr55Xigr<684}&kr69(ZOI>l@;5*_&cI5r_4)rp(<=im>&@_m!7^X=03
zt<70*mR#N3B;oO?yBVeP3gi;Wj7DS42E`USDmS3~$M&a70!nnC;cDHQ`QK0FIvbJ~
zIS8Jgh3rUve>t?jn%;bUvz`6ej0P8y!@?RIO$sxpRkp6P%W+o!D{rzHk1C^OCVM`)
zgy7(#QD7;AD)PU1qaYK}rms%((1IR7y^`&sUdF<NFZU$bVjOjn9UR|eUeh34pJMLr
zJ?=SP@X~dD(qrz{aJQABaw+}B)1Uy>s;(v)NoEh=cB`oQ|3n&|t&4{O=96OXXFx5_
zbmch8Yeg-S4M-T~9y`y00LXo$c$}l^Cd<YG`PBMR7|+x3;+ExL_09A(Y^}1}Q^AL^
zf75-O!=jV&zlip7tL6g+MWUqDm%{LvZ|GIRir(af0Tbpqd_q9AnQ)#$%**m>O}4>y
zEn%!CPcg|n9$F(gVXoGSK#bgZvQVQ>?Iy^kx6XtU`vTZI@l@6&8tz4F5pTdTS=JZ;
zI#;U*LAsy&u7Kkplb%TN3y1+_Y;bW{vz<8<2Y`XR$4xBMqwy&BvFa}@M~azD%&6pi
z{_a*2NmD4N>)qj_fi8FUdxvIv=#t<Yq^~R%h^L}pZv-i~x?roM5#~$S+VziApumr{
zc%L0}YyiG4pf^(h;w+yvvl9R)8~QVtGvD+ASkHIi=3G!a+<B~u%!kbwK0m!D`IvGD
z)*bh_V0%&bKD<#$=lIfTjf3^WO|0}!ZjlC=I~bu>bo!HcP^AJsSn}#Ne%cM7>vJ@D
z68MeceSEsDb8ht`=q$y!*jZ2CIS}(RFV5POsj+Y@q?mpil!2cb!zF_{yC9;LF!7=1
zmA2zvV^y2@x8#ai2UdWe^M)hZr_hazAa(UM6=>@<p3&ki*6XFcugG7EyI^=XCW)!Y
z$%EHQi>6CTlf^%O6sof}uC}RNzDj^*)vg4bq-C57$0s(5i>CmPHhZaVE3Ez25QHlV
zNEA?k(sP|c$V{^ZUwe$jH2r0`rByW67H^pzS_-E*ZmPa@C^_ahPEKCHGAs#C0Rq{4
zJ)CC)rZBopD(8XrNB`P;uiM%JYU-YpIDW;&>456N^GysyvItKxhjsZF`svb@{w_OX
z3D0D`A%_b=X%gxIw~jJ=%~^XgLI3F8)PKk1#%vaL;F7%hdW^}k6*VL)vIK(`Obij)
z&7TCTYj`5F*$hI83S{_8<W$QMh4I;63b9|~QA>ZX4siLWsY9k!I(sIt3oMn`c2Jsn
z6|712kJz68Jjw${1R0ca{6b&+yvbSOF}{7t#~e)@)#&IQ->I&kNvvvRKy+{Tz7zco
z{+}ZS3?sYh``^Fv00y<&=Yw=O58OtAK8n7zBV1>6^qH<h+hFKdc@52wf28O#x{G9C
z&5BI8!O(&0&)%TdzjQt{FAQiJ9yut{4}cX~Q-(fSc%OqVc2{>TU$SD!<uH^@6>FU@
z`AGi!*wPoe0llz(djjrN2uSPM5l~T4>7DX;9!lY|-JgDy0koc*Ld8{j8fri<hMlNm
zBrm=NQ+LLwtm%YY#|GNlfXZ`x5sx$9Y-LNtYqGqxa$^1Dad}1r?8FJkV7VxCSYU;B
zL2&#GL$IX!vkDk3gCfu5*0FaP=&U6dsvt=mNq@Po_^zO{Wp2Q4g{Tx$RWH~`ZC`*F
z0rlGL{SL3Kn5(p=Q0*S9N~z#a&rvyy7k$;hgsJ~nO}ZP#SDTuY^8<lpU3&N~+!#4<
zo<qL8s`G4_n+QU|{#b;2q5IhlRYN9!CwS{N8e<{gJ0`{`12!^Q@r(`ZDGt5yT5g+U
zig)qpORDa!yKh&Ku7vZOOd58YM-1p)5vN@NNQ~-r)TqQl21mKUqNwjY*84?gtDNB2
z`UHN9d;wegXMf<3E|>3J=XW4KEi-I=;VF0{w$rQDa_ENYgPKxhKYjwRT^L<`$AYxo
zjqtZi7LBn*wcT0gV$9UIb)y5fWmMg6z)m}fmsNrm84ti#7H|7ZPDt_6HwM5ifn%tZ
zcm6<)0w5qY6vK0~>g6K*^~1(Ta@|iJ-S_U<?ke&fk~O+<qF#?kQdh!(ky^{A+wQs+
z{`ySHQvBM+iVMB`+=oA>1+rh4bytNZU2FC83BRXWW}J~@-}h;|&bm-A?wq6YT6X=8
zmFU_l47E*mbo^5cjC=|d`QS<yZpBX8IgBk;P{)aM2fk6fsP&vY@8X}ItF+>~I1=(n
zP2+QiPk5!FYqd<t1|HMiz#5&WupWHUBLab421dh;lXu6JD5{9RgdKK=V5J9>r|`P^
zDI`y0P>6Q+4zpH#yd?fGbK_DOO@0H9alqh&R#$XDNLXvX<2?lPenj}`vmdDW%ZN39
zNY>EDE`d~(-&RLAhh;)pEA1U%WVmo3=;gA^zZRS%*0_Xmw++OrTg@e-*p^ZZ`Qhfd
zrtLRK6#ee&*tvM*{AD90iA@gW%-jGLG9Jr|P;9z&45`dE7jy)4@*o|D2jOC3lv7ZP
z7h2xnyG;Y+J@Vklnl+9te@u+~l0DJ<pXgT#sU^3hH9dmwTq!1^6jec^cW+vjFHh7P
zTi-^b?8sqQh@3M=y&FKV38JIQ2)nOdrL8Oaqt$u$(TVU|f1CEn3_dFze4iHknd2)F
zVWx_1L(PV2TfH6y(}bL(w7xQHq5sNLv>3B~etJB)_^km7T3#J<Ae~oA;iOy1spl^d
zbDuueF^?eRXz%FgXoo+tlp2AbX3)~oy81P($2wx~<g~44q%_q~W74Ts&0m&<UDttG
z*As^4fAM<)VM^cC(*=KhI7JxQso_TElQ{d8%ByUdU~<gBN{pB3f^IKlFOOfQ0`yym
z$hb_b*D~8T*)8l&Y8aI$INL120QhLob0`^S{av9M2AMkshs&I^%W>432n!Zs9C*G;
z%u>k*V4nvP;r}7*Ed#1-o4s$kVSzMADFV_V-3w5ZmhMhTk?w8@r5h9w>5fHrr*wCB
z=X)-$+xy=8-OqlW4}JiaaK<rn%*^qh-*8%G=CMza&o`lWg7ydc`caQrwJfA=druPT
zuw*i2RL3?`fkf3i`kt>1=v#1}9mZba<+1_E%zWXh*E!<d0?v~t1#xQ=r4-+R{O_gL
zf_t7LGcN9Kz>NXTJ&Z<u(daoW$AneK-~nL`yA)oQ(5q^hNrH=yM)A2K`b4}Au(&8)
z!)mZsE4%3T{M<o6*Vgf8OK#7L&wgAp_919{i%0M6VH@Z}*UB7u8PhmJ4wH7jnZ46|
zDzGy_#j<f<dbpqh2+BL4+^&N%IG@8byWCXi2{Ou8Ekv=>Kv?|wP{{9;`M4AfxilZk
z2~=0STU0?Ci~?&02f;yVb9GwgzOnq97^g(t0EWnH>WX$LS7X+#OfZ4)dWaS?EN_J5
zi0a$K;sV}LEf8Op4?~nSg#s%WrQ2x<8e!UI3`p4Xgx@%twVzVmM{)|oSls4p2H90)
zW5%i#TU!xve6E>*^czZ+(sNqatB8guo!w;=VqR`l4Ir|Y%a^stTp?YI<?8I|=PbhO
zo~@m23}_yCK9aLa_W}|KHM5wPT6nJp?ON`?zfaImc5LT8vrK;T2^D}muhBTxTYWPu
zpUA1PKB^h(iWKoh2>diZwea1XLl5YNf;jj7IF>IAeS{Ze#Jlj_O^haexF70$oM^5=
z^#mn4S~~ei6Z<(~Zq;ISIG0G#Uzv3UT@OE7`K6_6AnnS7PU>1cb4wKXE{(&Uq&=K?
ztbMP+?K0Cu+fB!svAtYni_i9m)#VTc1Qt-fWK(vOrU}AVyXDPuO+|B~KQP?rBurr!
z+?6_aoosuze)Ca~IfYO##gC)7vny}Suc{IZ=|JBAhpcpj%b{u%$86OS>87C2Z7*l9
zJXp@LC@<nxIBq{={}grkPwogY9FniHSsY}5KNSjEsgX(MI^JZSnwt6s9C%5a>`oNU
zVYyzv0|6bF)JwNBUPrv&!@|&6z&<+by@5kiC1BFeT&9C5@--!yl4!FT&Tsw0JMv&I
zE<C+(4ajJeS7)lMNS)o>?33~7m0&PrNGBAX0Z_!rH3}yE{mWw-nKU?HT!`_D;26ws
z_IXXtm>0jAA>qrHXM+Pf@0XRMSB&+p)@qR^!ULS?T6br>{6$IUrn|)*Tj8}ud|8#j
z0){ruyN;>eSE$dD&QQ@Sti&{eRclQ=wz!%PFDc4X(X)=uO2xD!>5}#Z%t>%0eqtZO
zoo4VPxO~JjpDXyuUgk@OI}2D=S>v^veoB=YlhGr8WFC?sl};z)wBCvDpS{E{meWWa
z+{HS+I{SBm9@aBXNCsUYpN0b+pGx*sfCN%N6BlTqf$m&K?<qf`9FvrAH_9tz(XQX{
zBZrf7$w#89)qTdyAOb1Yj=sv2iyUmJa=PAeAY%Q3CoDweMpSNc?W;H23eSYIqU~`(
zoX=R>H^c!kpf^+Cd3|^N4zGN(a{Of)FDyBU^s`$zTk|BuGHOnD!`{6fM!Io^_WIiu
zj_*WHElbjlsM&3!1iTq~H_k_4g3fAQ7x-TcsVpmBLr?*TX%o!gfaWn(28zvjzVXrZ
zn5o%ZMJ?Xy`QaFP5~o!bnMv?k;XSPUmk&drRWtZSc4mbfUkoQcmld8ooyt(wq3S7<
zqmt;QDnr`E>Yvy)z|=HWo0b=zX*z;+qCg4SMTqC|Y+E?^(q%k2Q%|?JNFDb|q)PTa
z(Dv{FUZ=_Yp5%((6wB{vm&4o`yn3%#L(41x@oeB@b@lfmLb9i^nS*qAMO7E;5`LtX
zV@?ic)A!*8Ih9fMWjL39KG!%Qv74_WE;AbZVU-0;o9i(~$Izc7&Ed3+*cgf*TGEO;
z*uufe+c2El{O|TQt2LkTDAL58GJq-(;894(ZwMgR%=hNtn04yflR=~c*w0Bgv4cn~
z1qI0M^~>lm0OPZh30l9+tW5VakmdpD?+eisVK!*~V|ce7Vt<}2@1<bM`CuuJ4n9Ri
zuE#cY2B+8Z$}3xo8Q=7UIH>uWwxCu6+n|}%=>0n>zZ2*Jfhtb>ahu~mi`S@IDgY;D
z<f$UFBn^H0bG3>>!mNa?7gME%M@v4790@V6q`({fiIp@)o<nJZM|aoujp>nsgx$&9
z#Ra&DQhSHhfXL}|K1(93RoCnORsI^mZYfy~1~I!xBD=8>nTb+F-@rhGps-7u6(PM6
z%EQC0jo+z%N9qxMdp)#L@@bo*x7x6{1*o28O9U%usWyl+PgemnIQi1LYk*8+HXEp1
z0xYBjAu4o^dXp|T7e<o`Fysp{M_a!!=>QtsrR5^E*e`=TWlPf(CDh}<3k%Su?DcuM
z`+Cx_TY~Om#8A*}CIHT2ps%-Ee{p7g_=vGM0Tx*Oq+dC!P@Z-d#UNx;q~5FRJn6Q@
zLw-ZJ%Sw!XEH9ZvAF&v==E-#TaDL{Dvj6;3cUFX(oLEZD@tTnFlgUv*@%B`riG!j~
zH54y|7XjGC8rq7JcN4P8IT+je7Zs=z<R-&H5cK1z#btTB5we==(fCLPg@QcR3<%kq
z-sCCqD8ld9EUd5#&1jCpluj>#NxZv<U@Wltx3q0GW4T$abCKsB=WPUjxTaAL*Mdoy
zv)rz3(C?gfYDKrEYuK_|yJv_qWgm>ZU8Fmg&0VN&kvklVJ^IlF;h(LfdYs|N&YvQs
z7dO=;(%Lk^`~#_rK+DChkMd8=R#;w(ibBPU__jdd8PFgV&+M0NZ{HZU%)?!95Biw<
zq2p3eFx}feOojc6`OtxOrVK+91#QQ1)q=(?e8yHJn$XNqg&ARh^LlTr&yV*pCGwGx
z`q!b#>}xM4W<Lfy-QQrAIN7$29r>Sr=a0V*iYFo;i4a`sDEW1~(gBZA7-nM}X0({c
zrqyJJdla$Rak?qe=$-?zDlMF-A6(Eb@_r#>_0jm<CytuydZ$CtLf3~CO1za!$|0Tx
zKu|awMi#i<;h$-wkoO|y;+-p_W}TT3-feDPUYsTc1;y694drv*olBTv$z?EvDNuHV
z27fZMq}pvrXltaNWs#G%s3j;To<-MZ-tDsG-9(dTgPZ8xRSqcg4241I6vq&E_Fu-!
z_|Il}i}l>UXx<HgDj>YNg88yaLrBEtS|AY1OSQ05xvO`k_IL<J-yHDy_$sW=koD9*
z;N8wbIjE^RIP{3JUD1I;(fD1-n04X(bEO7Z<%O<_)zNR0<&8?kP7Ur#g)DzoTdzmj
z)Q9dYB9%Lktz3m%S`kkYx(?-cCkxoGd{CN%c}wHv+oe!84w9V<Bwera>V(4@msI{-
zA{5HhJ(`)zr~TE!HzN#>k-a6wMs53*V=y$~d4JQ9_NxH~1OhcTO-rzE_Q>w?4yHI`
zrHei1u@!NR7t`G01hq|)<gRu_w%y-ey0D?$$WP_Us0CSxw_=w}mnFWXRbXQ-Y{nMb
z&e{~*=b#@!p37=J0<;;xKL&zrO2O}R3Sdn#gKNN~`OCa$rHN+VeNGa16c!nBjQhb|
ztm|uE__@qnPiLSc+Kxyw9)6S3q(JS&xe&Wp>AIIy?@UQOcVKU}6cIqD^@mw9wSUsc
zg<x>c{%`<xhBCh@1|(?UqE2dp-$0qh?}4EsaO&$+tlKinUA)w@8Z@d&h1EL&hSYw0
z=a<~4G04Iy7Yb+VmaD;7QM3qTWJi3}=a*5r_$!E=t$kzg8r&x!cv-N3XnYmm3H_;|
zN^5E>KEi)OP3&MiFeK?h_Kt~Ea4beplOTahzk(chdEq5F)&nzc;U8@~(8Be@cSiZB
z$)*%Cp0!iLHAEmSd<~nnH8;Y)peKBpG{reBl&19DVyF%c5I(;7)#j_<z#&@C?rHF5
z(WakcYVQ+l6{l%)3ie?~kWG|ZUVZI`PuzJ?4AxEAqr}OHE0Sulc95u8&}oqS^t4}@
zEZGb=(-)CaAxj)GU2ZzG4CnUSVJdh8g6X=wGu+68$E<`MbMGnQw0l8T(@JiwPa5s&
zxC<vM`xX24(hv7e^z(hE46DP9^a#SyyPi%gOe!l4F@-qGjF<M0En+o}_k3RRulwgr
z?zKuSI2R=%-KWcq@s-`fmVp_jJxqN{$2drp`UDc{BAWJK$mWo4GjOP~+%-gTbl#`>
z+WD7SrU2o&xmAa8YYm`3O28xw+0PkD!9*uuiVk{X@9685n5yLH2((tII$sU@g_K<Q
z{!UI05*j(`ZfS@TP-ibi2eZCFlh;zubmt{MAZSb1GR$fMgj<pabi)F6YZ+$D)%kmp
zetaAn#X4sBZw%E7HSi_VxtJh^`tr=|(KA^cQka8fj(<MmQmwT2jOk5>#+IduiMi$V
zf(LU99a$0j2Q;hocfu1tW`z2_on%UG9%TM0@b=sxIM7ZzzF0{)4ZcBXV=xt6fLu5b
zc)V>m7Z(r|+K32({^S8-J)L!jJYUcSs@PZxj{^y-K%`{uP>nt8>jS658R8h)%O>l`
zt5p!48l~`$_o*6hHZ_$Ul?qs5Q!tT;`^oUSlnYiK18sYrbzBR=3nP;YxTBDAS#PxB
z6<+5n(~HJ_z^5WS{TM|bOI8eS(aG){M0&vw3Bor@=eJvF59D_`XwCoQ3DT~ts&m*z
zAbLjFV4k(99A7xQc6V_wo$5uiu0L7AC7%5)8&G;`e{*@?-6ON!y?>bvdqF1XleNY9
z;X7T%$|;;&1~h;Ens4_@Ew`#B(!3b->6CslKJ>gOG;-lQ;FBaZ{_4jb^)sm<l~)vJ
zJ0EkvuddbAD<t(FQVGNw=Np{TUC4Flc1wnwo6JY2U>{y<_%}^?8|OpakYT#`=&2yA
z)$skhs2@yFD}u%syQmr7mMm`M+4!@FCWsAFncVzVeC}7QgnRnL5BHzC($4jWRCRTA
zkIv54G7T#C+0tp{$R8N71!v61B1pNX?0w72=srypc&`Yb^#{EWz@b-p)BXK5E-*Mf
z^&azpf(>R@DSUT-wt8u2hhDZr!kNcYfY24GJqkkffv_tt!tz_VU{}7%fUem~On(s?
zpq4Vhln!Db9E|Z-vE+s6`FJJ#I|ko`9XNva79vYA9)SFrrS#}z{Jh9xzk6f6HJww+
zn0C3SBAMRvm}sSjyK=9m@XaFjSl6D2hOliN>3eG(_RwyRp@^JMed4>8jF`dzXZX5`
zwY0qwil6jKJ^*$NVdhn#DR}h)@D6xn%0Pz;b|+NWA1;I95CnDB*l$t9(WrFv3U0AT
zuqLhNR%D*<?Sd6^-}-P)DibaUu7tE?$Jb)UFSbni?O`&!6x9)?>9#lWg}^%ri}XcA
zUQrR&ZTe4*Jb3?2bt4H;CEWe!fA|Kvj5{~uI(9gw-b!s*;4!O=FJGJ-y^z;G=>W$1
zR5GWcbxxdu*g`zgy{=w|&pk+fdb`nQB!}|O+O5w6uyVJ44&CF@O=D6ij><%*Mu~y4
zzKt1d?XoE2=ZQSlTN$vBJeS{90(Ws$<fn8g3A`SmAsO#xizLc(hO3=GI&TcdiPWlF
z&OomAz8r-SOB+((U)vnP=lygXtWW>GB8u-GK2&diNlwJ){=H>(U<wJ*;u~$a;Y!TD
z!1!-o=E50A?{CtUM&?O8))?aj`VXQn16%in%}_3#4SoqiXpUxvX^?YsY_EHjtrRk@
zmHXmtGjr`;Dm#YnBRNrc6{NFU<@f|MQ)<$sk#f5tDBV^2zQ<h?Fc?=8IkXgg1wqP@
zem>;&W3sBU!y))Wfif5_IpbMqoQZ5QT&Y3FnvAk;kn6QxE?iv`0v8va1Cu(>P(}zn
zKmA1fhe0I2@lrqVj)YVkqD7|lz6Q-Cf9NJFb)_WT@Ye9J-yybg<EsRdVg@uQgbP2!
z=i84BGi@Gy3?}u$Ug#cPF32~i2>N}t(<KB8D1?v~$UFZ4tkWvLF7j7dwuP4dwGhq5
z=uBbn`A>s}-;kkQb=`NM{ckMlc|^dUo*1+f*;hUmz10}{y)hX7LgMr53c_=Z!&>@l
zXf)ut!d0_~d!$zPNQwC2Z;bCNw{*TcsTH1!{|)sM@wC*BtCiJMekW&zKl#cs;x=1|
z*0f>P*lOU&&sXfprAx(tMA@5#FxY>k0h5#~SUaq0s;M*LK0tYevSAg>e{gVM3us34
z*}JWt5rky9U!P#}JMK}=&SZ%K$#ku?2K;Hx*Jw##PATfI(VX~OALH=0nL(XxxWuw6
z;Yco_3t)WVaJ3<aI>czzx<o2f<sgWYioA%}YHPk~{zf$Qt&Fi(1c$yl(7@2COf*%A
zf93f=U9VmB(V;uFi51`mV5GUZ^p><tH3Qo{jt75B;%bnKZfN{9AyQ;=%PH*rSd+bd
z&F2<5I;~PyvMsjm$D~(OIwIqFDL_hGA_>($+o|NqK_8CKFfCBq6{T)(>pSWlxV^LJ
zPwV-7Xab9RvQjQz<g#zjQW_*Qmm>(I9Ore_Auu+SxJ#U6(J+ze3HPTPV@`R(n<R5b
zCy#!3yR37Jfv#k#!W@je7Z^yE7o<%*Sk*40odK^g%SCjmIAzltAN=cCgxcogb(dD-
zDWdrFF}mZ}xs0SqaM{m=5ruR;PsD)oTuIjXiDt?D=qJN+*n>@JeB{oFA%qT&TVd(8
zk|aRI%*}%&A+e>6BIu;ge%VG|wLSU^K7)|c9lpx5trJOK`IyI&!?K$)Pknx9m*7E-
z*JMr{9+sr)m*Q_44Du-uNFmAfVjH>M@vyR&CXhh0+Vz!}CJ{)frArH$HKiLUQc3H5
zP8U2vASio@4q6UNOKguU+wgZT-y96$JtausF#i~636GA?fW_l_hY(IG++*}0E*KhX
z`?a^6wa#pe=bV%$!R=>j9me(;v2*Qcl|<y{RJAFU!fG<B26}#tWcm};B4E7Tn=bpI
z=*|myy0yLWgrGwF1*(YI;CtZsskH|6TmOlu;}&t5cCv~I@$3#?d!v<p>ku&hE+IHo
zUO+xuLz$U*+%=@#(9(`<XW7r=^K@B++eJI%Cu#$?L9it>U6>j#Z?tStKVzuTyu(3h
zGm}eQepG>!1Y8a^Hn@Gx++PCp66Jj=3LO(6FEREORSyi2#F#R%0paTa(t3?zktH#a
z&=+jnSBJju74JH-oOM$K?4DQb5BG?hML1}37jKduSd163NO;o0wI9uHA;Pt76lpd^
zr-LSo`#K$>d|hPak6nD;D$jQ*O)GFRV};*mo2Jg32+`b_4ond2N)5TH4$#)@qEBK!
zQ2v&2?KDOooM}YlE)E4fz*IZb|L(ce+*6&MD9q5FRT=Is4Y>>N7`i<+eAm*{Z_i2-
z>#nqr?y~9mh?{bV>P$E9Re|^VZx0gX6~b`aERc-X>R~lBX69i$R@vFvE$dty^M3qB
zBeQ1DxSt4QO|In}vRk}Z4U6{!0`U}lUxMADaINIMgMf_q%k6~~kNrk?h#5$5Rli#m
z?><vc?ner*J$Sh_prfcqWvFJD$Q9DYTDjpLszwnev5B2_z0wgDB#{}{`WvWdxhc2+
zD2kZbt?jT3k?57r!X@EDU7+ET&ur61Yu~Ts^VD9~+N7{y`R%&yp@~P3D088I0t@UV
za8c(sC`y@4|BBx$wxcNk2AcFa1<_P4Z?C?C^a0a^{Gt^JMPh#RtYcei)uJ@aa!21*
z5v-W28$VT{)metDn8!vN*>TZ@mX!zi&%6T%3ynE|t~tE#z{w5eb7(g=PXhJMi>DYL
z54sBzfd%fCJHrBy+>efMaGRaMb2WBUniJAdi4A{<IC7RjdNaJ3-7gn_PLJh@dAI%v
z!{A=>ZawE7f!fdDR{w`AhC;G_-9}e3Bn+~SFx)a^rcZIm%ty5?U^-U;PdFBxMgtq1
zPPqE-uPM3FFXLE6-K}5pfCW4$Z)qt-)AA;*N8oiNQI0A$F?#Me4sD{GYU%}yZ>ZUp
z_oBeS@e@w6$j^MvT5p6lgjLWARqW9_^T@8Wqw&75!fk{ob_p~QHUgmxOvX%XTtQ&+
z67r$pmgpv1`RT<x{}s@2r*{Rycpt(AFO|QC;D{yY(AcQ!Jf$*3D@Uo&>d%NFh2{v7
zHb2rEes<g4K6Z+lyqXL2fC@+swTFp@TrrmZuEzWdY72X~HdP`wpb>R%x~<cxpCG4D
zxmM%HTD@q|*6nm`?G^gEIr0+Ze6fP4i%e8Drv@=J*FA1w(Q%8Mu9Hlr;WX+=nci_Q
z-mbNrm;K`*9ZRMe!JSp4s0?WxbyclxY#psp8i=JA+LE~Bt*0>HnWTRI?DXh#h5}3Z
zeDWDT{o&Be>BuDl6K3z<{%90!xGN9$d)KB-2|D)QszbvsYpR^C!jT$QJ+6*?1YgQ_
zr;lV**DX=I|H5k<UU@v8=J0C|!A-`8LF(cnHyo&G=dD;3J0`n8@9_6}xXv|uwlfQ)
ztZv79uPgF&-=F-R&p@r%T_zNiAV7-w^=N~$ZCofb=_x-+r59=UTMcEdk`a$NXMCHz
zIm>|`gE2^gYGDg@erYZG9+LiA@uyD*sbkss5(_yVyvSD~YvtgMUe#ZS4MAUV|G2w7
z4$5qe&IwoS$N6niy_Igt!<z}@uPz7zn8dwV#>tmpwEFSS6dZA(LnZqSnv<EI`T`Ty
z&Hq&SMNzAxmG)InpdFVP4WV+xUpK&*>up`i%HOvg)o^ryRtpU~zQXT1l9`f=3<xJb
ztexVJDBZkEGg(S7moH0s<Rl%hZTHbhBOk7d_7YG0r-YTsu!QfC4Gq?#q0Or=hP1{c
zpAN?+pbF_&Fr@9BT=UuV=`!glqam|#Zxs1k5Ct`&^$b@h81mIh6DDqd#!X~adV@iQ
z4xMbag7p@@_9qy!N;}lt`jcUa6ZbYz>ZcTe-{8JR8~o5FWQHWtx$^=Jcg+q~$7KVS
zrPvBQOmg|^&4sSV9hTtaVu0Y}o%$q8!t)JYQ}l>~VP3I>W}uy{r7>D}3+s%sT5n+w
z`v5le>%VFo|HA45F|-J@@&=?Flm*YG8r--cdMvPdy{Y`%cy#iV1&)96JtfBN0#vCM
zigkrEwO2JpHA!T1?7F9#X`GFKUfr81(FJPO%o(84+g$2u{(6Q3izO7PH4ED&a@Qn*
z%{otf*s57FPpiCfuB$&ac~Z~$5Nqjv@R7F(sQP5zI%Q<rYrE`)GTl<Cqw&{960aUL
zsO6{zo9>0!-bPCu<wna-ss&fCUMUB+rihr0HIixS&m@SJnVtHS_cQ#wmLC=kSv{C<
zgw@u36IFGCkqom=KN)p9(+`ktF<Lj67fR4S{(MiHjNrgL66Npgi(m!3BNQ3vDYVSZ
z7i;Lvi%h)&%KqqpNCwfSed_&^=K(mXoH)H<gvX(kZeyDHr>G{h$`WEA09l9Mh@~m{
zE~HJ8AmHf#zFSPn-}(2XjqjgbE<}^G$yc)9v2QN6+fH5moma%cQBDUvv^q+3GASr8
zn@{f_&}WKjI-YoQE_Ykrna;Y`?m@RK_ia2V1Y>07;MJ@^o9qz2nYYj3fa8&&R>(sA
zqc<qu=8$|C5NZZ<h>)N{U(>%T&;Pu$zh8)ypk!?B0a8G3!Z0ImRIza`i*dScNu(A&
zbrf<ug|1iFfvQyG7mq8`imZ9bUU_n7D%_SUmXhC?vx(B?gdk4HqsC{Kwl<8+pGHb)
z-<XYlsOrK9y^rfp!_b^4{Jt*5y$_3bV6LbJ4As!XBADTuh)O#sY2w@`6-$GYXujPi
z<?-6^$9rMX<!c~_w{JeSDJP_-TbjpcG4_*X+`+Q*^7!(HnA^PGN$^9Nj?o#~@thpF
zKDgy;>vIeuLHrM~#f(6ql$^bE8C!%cO%i>wHnIOP7X1Ji?TkKx5Ga?1E)g0ZeLEBW
zYNZAcio%2<uq{`z>JNU#)z9kktDhUoz~)u?J&VG3c})0rr8F)DeKr~!^csqJr>uZt
zLn=(Y2cI^1lw?4rXPSw9IG$L}YH^3h8%C$YphPLW)}4m$Stcwnq+NrMJ3rKSgTZLD
zJhzRzE(BD{1*{Nf=pW>8$X^`Xbw~;9F$TVWhAQC(@9KnG?+(y252t#@Sgl9DxL^dT
z^(Noi&_%I;Kyq#ucM=4F+dm5^gdH)4eq*n^&&FXbU+pC|D?Q7Rc-i-ji@C;e0KPPf
zxY68Xq-C5=`kC{6(ty`)6+pk^k|7~a!xQ^pNXHh<N?ouUC*w`^mhL|wi2wgO5XXW8
z@TKs;0s7JL@v;FwM)}QZ7l=mV<`t}X$TP$b@ywXS>_$<>`hvI$UHEvHM~v-lr4hta
zWU|i}Oj)Jz1dWZUBp>yf@CCeX5WbSn4G3-)+VP{I;?hQ2ZOV|r7bQ=0-?Kle_&r;v
z2e*ocEU$-|+L~1}5Eg_WePx>QvrlF=P_=H$!Upj>0a#?Bk?L=IxwRNyE9FZ+mUwM)
z=|mVbU<uv>A|1mS9wqK0p#-LP%-ylY*tlY82za~(U`?=d;H_(bvyDyz%;wDc$aiUD
z24!S{O91k?v_!6|&dkoa!|MyEaIjfC;S>-K7a&NvNe`|3d!`N(MN7i3mb{uCka<6E
zezRi2>1uF4Kpfar{@$e*JOgk-MQ1P)VFE&&5_4MsxGB+icJ*6<VlMU1%$9Os0VYo9
z?ue}cm2YaSZ9||>)~5stULZg_o^d!pO_RG{&=8k%vd@uWMJ0Ay8dgYPw=YULX4+LD
zs$ipSw|BHe`HBe?GFVr4chL*^z91i79vWX)gk)2>O)!2IW~E9yjAt44zdsJslr9B0
zwTR`p;8E&8ui^frYRSM3KxZLNYPJ!Y3%cW9|CnJ_QU?Ai&e|fx@k8nvM|agY<sCN9
zswY8GwFRkO&?lv0Br&9mO}GXaQU%2S-68nDgr=FcPEH_OEkGsW`+2=Lpgx}a<xUM;
zO5P&=vUc$1?KN(Hq5uij!2<cXe2ZG}=I$*qfh+}xsFO2Ksa_P<Y@`%fJW~JWxd0GN
z+Db!@O%?9ziBQ(s)i_Lgki=;F1Fc9O`~ceE$%^aOflLR&raW*Kne`AbVo}Vka*}{}
zZDdw&5$9Wmz2f7dH(>Nf2)_vid@K7lNK>Th74yOP<R*^A$zfGQDpvd`?_;jt9jOc1
zkXWi!PGw*oWbjxId^Iea`)KzZ3dyflFB&E4qXrI{k;0QKC@*l&;{e>9voF#A#iIvB
zrbV?@d4=Nni=*Nur78#ISS_`6MMA9mk3^${ZLFsU)q;Z-w%>wC>2@oLf#`6!*3=6-
z?Kod0A4Z$6B3cFxcZH14^*N19^1y5sErj@6r$|mX@mlE%KO3rZQUSQ4`5K^djjQCl
zP$zr`lRVVq`>wdDIazLTd2BL0$~PcSCYcWDhb$g${<<v27A8yCk4AVTAE0>K=h9%f
zP&yx={X2*1+1ZS;%N<m95S`t%B#7JlHj*5^%(M><Xx}uMEs(E~7mdvg#jAQTdye~>
zCKl;eGE5=*JW7uU(F>7Dd!nRp>^-yrH<Z>K#s9bm{XiJkMt<ibN{Gv8pzv4(0TYRv
zI)@OoYzood-X0}pSP?e4qBxnVygklBfU|-7t)u0#Z{ennoOtwH)>OX8NX+oBA#CQE
z82lz6K-ym??@tr*G}1z(Q~5MjNwLOo7WqDvPOaKqs6dM+>@cgVs<938B}#}R9YKn~
zXPCwN-9regLv$0j(1-~zgs8+UZt<8%2)`{aNoorby8+e!j5Bxl2NoSi_}bl{zh7$h
zewKUbPv2$~&wKXnI1cVL1~t5_6712Jw+_+z7Mf+)4Hs{zTsy8ohqI{VG#JQu!WOup
zc*#|VNWzJx{eiJzJ^8VkAYcvvqh8`~!Xa>z?0^f7Ys@S}SWkh43v82|tjfZ9#2U0t
zXZvX(6Zw0w7Os$Uli!7GC5E^iN4%9kV?RTdB;Y^;&KU@jf^Ptc!o(S9h~MjmhX>*m
z#1k>MGWAfXLYh>4h?T${&nQT!Gsd)kFLq)rWIM6vV0rLd=}81G4^^<{OU95r1s3g4
zZWj<(#L2oH!nQ4S7S2LkZYKsZRnF;8<PE77lGf3w^nI_&7I-+EmOt9gR>l){nd&o7
z7HUx^Bha*yvVVS_(&U_2&6FU_5>B#n`K~}f?Hdl2)BE6DAF%pw6ySs&WzI1V2PhlO
zW2m#6mhIe)^SA??LR$ABit`071T*caKn8V8GPo~-L0Ff=LJR|LW<xNk>Hjqb1o*ze
zFWPaRy9;^hWq!12Qzej~WyTGrd7tz==4T1+A0KN4y^E`5kE^R?K|<G`ACl9WGM;aV
z;$%FN&;d8|04Gm$$_u(@#sUIsJKM)FtOB31+TYiru*%LkcMg0%%uc}G+-P&N=}ut^
z3TZx^EKaxeb9ua_z(q6dy&*&xr-cZm33#FiQ3xHecKjNJb}gOpk~RaAjs(&K&k?>5
zMFZ?eW=AC~AB=whN6}DKFpf}a(o_965W2Z10K>~@E=RhMg*<LBgoM(YH*s&%_al=9
z#AKcHzycVA^)CCLrzf;b7Jb@St*V;b?5YPoErBj*2y&YJon<ttf~pT8F7+=EPyOsy
z-wN0qq{kQQwB#Ktb^}Tc9wieTAC^6;w#ni}MhjA<?5pEdQQ)-B*W&FtPB4Ip#4%$x
zr|U%-u9FXp!3cnbK5L)%C;`mFkRZ4(e6Rkii}wBqha(f5iziFXy5YHkf^j&e@byb=
zpO9o4d+c29zv*01oLe2%KM`K@bKr1IovQuz=A6NDu@rewyQaNiA*7^qquD?mdUK|{
zR;^p!SnKN`a-o%FbBXLfeH(pIH9n}v7Bl=kQB^Bb8C7dIEOcO{zeSF}LF4~O0ivO^
zAYL3WF4lPx>ohoH1%$;0CX^Z^V&Jv?`AR;FuhZn-vYS6)4Fe32;5L7U_%{ZT41PEH
zuV0n`1?vGzUS}w+&09Zv`Oojk4W1+>bm?H#d~r6S;rit1Rq<uF4WzkJb<I+AbW^#2
zH^1%|>d=4>6c+gjbdF-69y7j@*#GbG?f<w`amp6}oK2@ab^edkM(fTi`zshgd<$nj
zYP^)`3XGiWYQ0?WF+{#3!tmVA5sYG2Ch=pR`AfU=2DbWlld%81nSZX>-x)g82-w9i
zA^ks%eQTb383%oT{Y~u7*^bIOr3O3Fs!KKnDP72GqW~Uv#aJ>OYeP2O%v#oHIzqEL
z^U_=Yv)6pD#Gcmim8TvU!iSl<OuEaF14cX%{k8IV<Sz1fRW_VO%x=8?XPRS#;ybKe
z)@P`T_@DRnpO+JS1&v7THl2ZHJzLw$3rge!Rt1ACA+tAluXSjExZqzOeE|iyN({Q>
zDm*3mzE4ia-<gnE+o$Da=ZCoLKrC<H>(gEjs~md({kas4%mO@ZLQV@M+xZF&x4icY
zR+Bmj^|rql7njQjvcyALFM(U+w3^4!X>#eC<t)%ePU1$L5nG5&zI1T|DnfJ6iqL<q
z^Z$^O_((zv#W+r*Y;Txc8|uGY;9Yv>lD!T+9OcMGtUbZ^ca6{#DNrk|{PX=Us!$IK
zY)9fTdpgz;LGXm4_YeW-URx#|mSQv*QSU0FvFVuDdbnK6V}n=j2Vl5UCJW*3qlC0I
zM&^w89Y^2rc%ERe$R)nuWlR-TtU{Fz<_6+>9)}G^n`DMfT~@n(TNf=6VgP|99@zU=
z#)|!){P(}z5hXhm4YZcH&(hd<)UyfS{*^S+-znO3#{9?At-k`^O)kPq;-@De&I9C=
z<s!k{#v58Zwp(=RchHa{6aFTl0lVsO3iFhZCEh_4^%#%=p`n|~_z<xfbQ_9qRNV3s
z@miNnAsP-j0_G~4;uyq+o6~D}d$9*+EENmQV(*b7^*ZMQhU=6Wbfn3TE56YEzl}Ho
zYQ(eQW6po?QB4kbv=bcJFQ1m%laVuGuaNQEp>@inQ56S;WCw{BHQ9H2^jpr9k;N5h
z8Ojp?69GuGgBlj*`9y)L-dbt(;ey`+d|(UE*lIj|5>QUXi+d1)mw<f;u<n-T@?W}N
zT`9cT)VV_=>}L_1HR!0^<<<w1>7(saQz9Vyu>pX$A>mJo@c-q3KRtbHRH!?DCd-GJ
z_^&O>I~I7*rmt8nWTD0qObz|Y2mA2URJX**Lf`g1wR98=8euQ!uwk+7Jh{3yVITu`
z7I^i9f*NnGIuYz&Kuz@-?FW?V!#R%9^{EVU9&T&8q!TN^bz0i4&tPr|8~tcua~|BA
zE(70P9WO<989MKrOHTk(WV15<?UDaCTNO6|-h5d5H#xC?uVX5xzeWj7dWywfKxZ(k
zQ?|E#YMo+8tKI!!x&7?uB9&XK)-_cXnWmjVwT@amk{t75PZ($uXJpW=!aLiU8EO7T
zrh@dUy^ZVL*K~hWMH2(AZgDV#5=R04f4h*s>o^zz>NHSk5(EE&I7OiDVH-g*=*c_0
zp!1PrY2Ow8@*QuGmv_of@#QT{?#)DMJ*(j$+>!HLdxlIw0$ZlU7@+?DAVCB~AX+tF
z0w$d-XP;Rp6;jU@X*G~fSk1IvLaSDSeAPkFDpv}klr&^1(+QFz8<Fub;PZ*I6;fO8
z1(|>^;VYRKA{FMe--U55KzLo^dQSsbX*eTpVxB@ac-^ZH_Ur8FG^vhsra2<n%wMG8
z|G}d?tr`&{U}uDM^X$Gc`THCu05eT<faGyPojGM0cJLX%n3p~Smg#bf80hL|pOjiI
z4lm}FjKNCjpho@H`@`we&7<8(mJ+GNX8@$_$81g&hzRMjqfd2de;-p}%Inw1>0|kt
ztO2OE0~$enQK0$7|8_-BKcQrYimQ!M97s6+esCA4j}P(bjQ<m)s6(seW&K~USE;FV
zu)Xu1zWaak{x1-rE<MydNA&L_8HNUybw?vDQ19b|0%cs{I9e2v5}_U!tV$IAKQGY$
zdWr2RswDV-FA-{3xiK`;Pq0Dp=g@V`WB=<DHE<{}@4Sp24{>*)IQ<!l$g9{s`bU>9
z;lIX=|IJnY{lc3Gdea2|A!GXlLoXWVlaTqFC!eVd{fnVSJk^E_RODz!Zz-IS-jTb%
zp;V$#6d=-S`HJ9zr1aPS|L;2^_^B<-4QcD{>6Zcvp;ZWYS^@XGS>*pjh)_f(*w2+n
zAQxy;6M++0&HP3=6xkiA`v_kxRlGcqOA$q{|0OSm0aZN2K$_w6p<9y|C<u$pXKN%|
zbejDqm23)6G$~5NzvN*3&w}&P32_{>OlYIgLc9Zjs9No>egC~oHE6j&<z+Vf-*1TX
zK_BQBMOk=&Gv|$>CJy|ZKtJ><0#H|4H=YG3+{y?padv-0xrr_Ji>GL6>%P~qy*Z|Z
z&x_WMs$OqpFsnYPGAhe8)#*-WP6J}Y=H`|*y}qjb=Ms-X4H@cVH2wfz*aro?6n?8-
zV|yIaV+P;>K>%4$Y&=gvW~U!Nugq|eD^~rj-esD{(b34uX(EX+*{>0dX<{xJU!}$G
zA;Ed8qilbo4~9!h8e2)eXb|dKz0DK;`%t0YmIvxf>^5TFKH<v&8)#MmzGKQzX7q&k
z#%_dqYxkk_vV~n>f&z>U2D+%*R--<O232!;7~w!haeRZ&H%d7%qn(8=R?kgC^|Fc%
zUHO+bA8X}^y}9=JTaIyQc|!qM8+gcC8=%7mS0FTc+#&&31j96rwx-?wbYU-Wk$V7K
zN}oslJf+OeIP63inzEz6;Eaac(yw^JJI&g<9v?SH%b+jYqe<Uq^C`1Db;QT*rg!*)
z%^cf$Z_qwznQQx35@$YO|7YK!T!9{DwI@pbr=Y3{bt8q{G1|a#3KqG7qHvD{y?R|K
zw5S#e<8}4=MOk>9huC4$?1JEN*9MA`$)9zV^`pm>&L33?I|d<3FK)iBZ}@SoE6+iJ
zdQ6QSw;lNNBls^1V9X1<W`C+DtnSMW4B2e;9~H$k6mb%`cxG*+cbgkgf|^`Y5Pg|o
zSCVpkqcgKFYg24j0Om%xBUkQ0NAdFDb3ldpsM;3`Wk*InVor9dBcQNnHed8|uE7bk
z(C9(C3+Utt6@*z{?9{9UfD=Vf{bSGZ&1l6kV<sf%L~<4X`Vim+QpP}UojTEs<lp#u
zGN@I;laqaT+F+ZZuiS@rGAR=vWsWg4a~ve|it7Ande&@ki_t0ba;>rNT6Nen*2`>0
zTkr(ja)y_r!ap5ftQBBYWQ|ShXlZ7qOEH>LDV>mA33Mi4<DeAW*<gkzvxb1yua@DX
zsNb&yvoiXz=@D7r{n0Ob8*HlQzYi=`%lHdFnv!`3<TKy|oEyWOO6Q*yigsg>MbL==
zw)Y^ud{uD?yvz%X;p_k6?y&8ki*RL-DI)xD$UqO6o}xs|-qS08K>&571=koCW{mhN
z4X5|0+SM)yv+z24WRROZ4xT~}6dR$(sDZB)kLYF85mc8iEjIctb#1pM_>WB76=}n<
zewNV~QPIBKF*DZ!jAM(c#Ndwwk+2;*x1HIdwPYfD03b9!QB#KFQ+8~n{=vHN`Wafl
zF>2O9z$dth#@6#Qh0XtRxq!Dqg?g)RAz9Xc-wO(q!j3L+^~K_8^$|f=AFBW_)ikG6
zfO8?Yps#lILSNCpoCSQn^N3MmWuhU-L+>ur)V620yeHF|sSNxuUMkb8jDL6N1rxd8
z?n5E$B^vmnlu|=!cig7fqp^+SusDj#PFj-aR!(_-)M^ueg&r-nhykN2xTbzeqk7#P
z2U#cM^oXc!_<6WppWs7IF9HG5uSkCa8x#0&brqgGQjp5E!YqneTO$~!%@uYRU=J<-
z*_}KBz@R1NQmCjaU7MQ^K$_})w*~+H8%=2*Oa7kP7j|^ghQ}k=G@*0f_K;_yWk&D)
z$Og}WBle~9Jz@a!2#R_2hfs*GW>Q}g<=EGaEPo~YgGg@g*U)q0gO8ZZruJ0@Ot*K}
z91xF7EO&PyQKbvwXg(Q>U^0fdN)tFsn+W;t$xHOxepi_H(=*c10<{&_`?K6NZkOck
zrk7bjuXMncX=46u0zLn;P~Y%;hfr<Q0}tsIR^K-`bLT%lH_V1ca_&lbf8=G>$E|Kz
zFQ~*(IjKrw!CysZHpM?JdTN?G!H`=0$kt>8FaV$2h&Ly~(IK_XML&w-i;M7=ByL!E
zI5EY=EI_dh3E)r;3Ov%HUf7eyGX9q>7WkjoY|yo8Fvt+`#3;^)2R5p+XW^7xnlFIH
zj~n#wsfQFom69_&thH}7x>MR+TZUL@yzLu~v1rIWVIvnjI5UW7U6roR_Gwwh7~0*s
zAiJ2eH!y=jHz?^|v(iK2_K%f4sD4`H&0l}pG;fA2)*ksspwR}Eo^yyo5@5r21QtC5
zqKhJzng^<px@Oqq9Q{5S`KwYiwUn(6Es^40>VF^>MhZ9NLMIAHYS`O`|8^-5sM(L3
zVb%xId#qrNMXOUn5jfic<f1LcyN*ZqD}C*%Bbg!JUMkV)#sw7!*dCRzc2v*TI|fcL
zB`13XpD!jkl*9)3xDSv!hJ61ncw{kK_ev@MiiIVK&x2-f)+;Jqsv-oRg8(Y7`GChl
z6Z+j6@cFQUw`ZnVv@G!T$19xywdE!V#7Qdn6#G5L@8s`}Z|^$7Z1-m{MSL`hw7kSx
z;I1=uQZ-6U=3Ujw9pT+?A0mcAvc=%dMhaeY`*b;OFQ8k`L0-$OKrqS2DL%wA!Y&*x
zwv8GyBt&2yZI97TBkguZ5F>`*(#9CS@XM+tF5hU*Y<sr^tm>=;8-RlhV$ytLe4lUS
zxFBJ8r|_kXhET1}Js>24$8JUB!QEvUARt5JlDP{4Qg|Pp0i7qx(`>By_Fa9u#L~&U
zq_Syz#_U{L3>W7+t-vRjC-(VEjFtre0ATerhtT<nFRwjebL}Z%^Jx$6G}5(EUlKkE
zX90-ww<-t2vyU!hS<V}Pot3!myCw{F2AJ3Py=6}No@$Ut*Pm))Nzh7M-PuDhnMp3x
zd5?RWkMPBHZ%bXbYKd`bYdUKQ^H33xD*5bk-yKS{n#A=d>ghc;%I~FTWzjV=EtDUX
zuWl61+OAd?3Rq&U13e{q%D<8JOw)-wGtDUgmF+z;mJd(}v#UqNrS>2F`Jp-MRo|M+
z$z~sN7-7H9wB-PRll>T%D;b@#csnrfcjl=R{4MWaGCUq3!Cj?w59yML^2&~z(eeeW
z7FwR&zUPX9t7V9$_8t{g(uZ{=9qv>NH=bs<he57Irgo{n>V(nVD*g@Q$Afimw2u}P
zbG^M_a%(w$`N%IQ>WdJ?Yj1M3Tim2~d$E6%c5fAcs++|mp8>Ph9o^Q<7<w?6E<7Y*
zarJy>lBH=gA`7RnSv?bscyaP$yU!P(D<eBOIXy7K&aO%&1M)n)pc7NUddGb@yp|9=
zpdyl|^eaZ)Eh{3_F0+t!j~M*|BysWBR{fI`712c^j35ALUp4<A#w7)`G_T8;{+<1X
zO%AndfkBe<r?gei4e;mXf~&T6NWl3pVY+7^N#8+Ic&<@k&G2vO4<h<H^4qhKk1ab=
zHhR6$o8J1?mA_O5{fD!a(46<~F_Q|tx_<+QB`T?|SPc`4V`+h#_Bo;O+>pBt*%>6n
zL_KTMONfbB+e6ph`5QwyH%Ki+EP9Q#+>XmHpZWJ;^G!JmW^cRfpSkyX5)5s~Hd(Tk
zz!rc2B)~ZJqSm{A3Na1eVsV?Rmdkq7I6eBjclkpftGDw5b#ClE5Nk>Al)`j)G`N1@
z(9Eqq>K-v1Zd6n)H&J2KMvy>DKK#Zbf={7;xSaitRc~0n#(h1Xj(sXe<{Ofb$Ab~&
zRquefE9t~T*X(j+5YU1Ah6l;%=6oCV`ee;VcHWif`ERSKdQ&H}KUs-YC|uS+)#F<Z
zN$>>*$=yPWkaXf3@)EC3R0&=tjcQC=>CXMGNHWCAPZO-nCLqf{Q*3Mn*?LU4Z@xa~
z7&Jh?zr6@F8I(oZKVH6gM)Osi%0eEsLoE9(MnHceJINbmfJ6wo<FuFzdPh!<R0TgP
zy1X$lKq?Kn_yxgIK0-Caa7Fl{k=#<5?d0)mt$+;JGON=(^bQ;EMUxT%wVG0~#;ayW
zx(6}=OL6Z@Mm)H92F<r<+ZTINgMtoqb^HFnIS!(ks!~R`GJ_<+I$bA!iD_;~joKl=
z1yzN1svzI~Fwml(_!W9f^!1(c$A-qUBBwv@zV(ga*E?kK7K5Gl=m(7p4w<fvTenmq
zlJ3IeZi1`lIVTU#=XT@2{<E@ty2W6cg0h_tXxxa$)bwcR5^n2}C7dNf@o;38INjnZ
z019p`g*=jk`{3Xp%^zlFW-S;x`tVsmor(oOK$-K`tAJy_s2GVUR@wZ{fR#3Y^({5z
z*||A#kZbCt8^@%nqKRkV0)!((7JN83Kzs;IE^VR7<+9^W-s)2>kPKvwX)?!w6su7E
z40QzTr4FfUSzB2e5a7zt<lVM)<BYj&I9Qk7G9=ia;Je>1KW=QK7wCV3d!Hc{vKDpX
z<UD)tBut09QmgHW$rL|d=K6x`OE;o%Iqe&sgSCcBdDAKvoH$W24*vbVoWN)Y3`D+c
zEsB-`_=knciXinD?P4rCxkD+-28{cqbTt-J8A9l*QAC4jf*?9^9P?E`t4nyQ@<RsN
z@L|{`*IdARYQz>w7ss5$B50)z`GU&lwEJ3uup{igt>IAl=2ADTE%w7IfeGt)XPi~h
z(N6Uy_1TY#PnSBL6|aC!KldYlqKOKP0lv?7YJqUv?qSnytEE2iZwmee>J&_Ff&p;4
z9^S%J29lCz?SZHr^jF#SlExq6eKCkf+kk!Kr^x4vaPyREGsC-=Ux2oSmY!0a(`N~B
zZrk<l*J#rED{NFo*FgKETEpkW_ca=4T%2|%Z>$Lf4>?V^hU+O@wd*}LnWYoC;E!&w
z&G)u&<f|Q-N*Vsu!NKo%;Ja{-^nu~Zw%+7CKT61hPlUy#>udTOoJxo7aag`88-~c1
za4rPKgH?w}uy_i^naY=l(vc!4sMBe>z16I<ZA0J}z|AeZe$gR?{*Az<+FHlP_C5q&
zSv!dSDp-iv#*ZOGQU4v#7}+uHEbV%cTxkh^U^--n>n!-F_=7cru)cWDGwcO#H5tDP
z85-~9;Q}gfND$aL5!l||S<?uBI<){$C(xyBau@^-4tfy`w1>4?JF*D(3OR{`GuakS
zRSR_(La(amc7dA(2&=Kc^fQ2@0ssy4hGhW@B6;fd`fnCw{IRl8slX}L{j7k6Nf&<=
z?3T~-={ASE*hxDth2_R`i#xgM!832iRmH_?!i{X~_-XCFz&=LZgSKN1wT?VoZ>HZR
zVhGuY7CUynRxdM(qF1ITaG)ZzVc22OZN!M5;^37wgKt=vo}Mn<#5!KSKHanpYRF*l
z_rzyVS>tLit?{_nBhFA2xT63#oYmIaX<c3bhZEqBTuarYrKOF|>a2D~3<N@y*_ho`
zDvkRHJZ1L)4rjSh58N-s+>M3%#Rj*o1{8~ivsgy;7=XihL6rz(TQL>e(8S^?vTTJG
z>jH*cvUQ%Sb(YYwLKV$(**$<(R6n<BbEKcCV@l?Qy35?eNo1U*rjV)GgQul;x%^u<
z8R&Ot28F-7<?pyU1#Kw_5LYnAU_5INrw_eW`H4MrdCQ{aaKhWqdxnt4Cg(QeuXC&s
zFN;VhC<Ny^I7VZ*JV(p*b!BxhdCE-d4WiN=Kii#=p{DcN>l)#^JkGY$2Krn-lUE<h
zuq#I}chVXjk<hV(1L7$fTkJ0$kLx`F+-5XjKl%k9|0I39^3F7(Wi2))iUa=$2#as7
zATGbQ26FriOmyB)%-VHdh&8GYsXH`hDE?GD;Wj^YDgn4nszljTA$X?Qip|^#@nG7U
z9AA)Y>ulY8Y_j;sY;dOEbejxNv_7abTZ+>E2*qt`TWcCO*dcY$A%+qKo^=@J$Rwh8
z8DA0}%<E;v+3dku2@#O1P`gvA`?;{;Wts(H?0_Q3NJ1=XB{J2-f@n@=%*OH&&-Sdh
z^h+4fW9tu_MLqj}+ULsnyKaS8ZS1*tPh#hof1?G*_U7o^D@`xcj$99g5wc_g(bx%J
zk!~^8+4i(w2+b;~TAHAfP=8{zNF31jIy_75I)G!&lYAO@aW383Amn!OyzYFD2{8;x
z<qlcx3~pOfIdlNX=7P>=S8UbQHjl8(Nv)}wen=vtM(@{M#5<Xd(Qro!^Kdl<Co?UC
zvg8a%HNXO~yHep2Ab_{|hhP#paN=!?Rp?reO#j8Uuw>|Q{}XSsGRa~6=CcXah})N4
z3(6_6Wh~b|T(F)%2=+<{uC+eE+e`~FZ)ergJa-`vD74>XS#!aICtqj^dc5*Wm-{+6
z;Bq~sAdTG*_Cb#GJ$1=^YI&+XR_AB_v#WII(La}P7Pqagn?G5vBa}Z8zhk%je0#aT
z>8l^#!i)pe-gYWWh1ep<>hWHF{oJzew!Egu?C*3d7}V$dju_+u&dvJbVFZ`}_X>%a
z<EAMkOy}UDjPN^vVPy81o}E37Pcdpa#HgzExa9)W3RB`nK{8({gqbBAI~UIU3xRG^
zxWM!de=0kLaTDf3?fSST4FBa%WY3>VC*=_lHY)k(-1rl*Iqpqq5e2^xvjW>ug`OXE
zh)Z9ssNUardU0FKPV)hxpTAxH&~&a9I*lpdk@pAAlMPxzTav3XNU*Gs0NCT3uZv>O
zY!)d>&h|bfc-?Ti8~g)%RB;ble{b-JDkzof-FY1&awZ%xw{b5d{}Ws8>}OY9eaX!k
zI-ofP(c<~>umPpYzOTZ5p2>F$SRK72F5g;53A}nPf^6Kx+FT~rgiLN!-Xk|mKfYL2
zD~(W*kAGwRriQI9&+OUK#mZ`=yvvTUI>mD;a@SXU6*h$JVVj2$=$KiTmA(>EwzFFU
z7>JIrP{JdisC}K$ET3$*+8#jOaC;&)%s&E|=D-vugq{AVU33{Vv2-HZq8Y-zer-EE
zyTlbAVbbOG&?;dz+Ap_eR)`I%9ZcjM*b`GV{K}y6fV@g8v)my%KpQyXU~ADko0YfT
z9_@#;Q6VgOFuRXrJ~i95@hsHjqQo}tWe~_`ZI8)n^+)g5()p!5xl}fwby24mBvG_A
zjk8$970+71;yTkhUTObsYq%)Fk_!N1Y|A{80Mikm(PgT(1K^Lood$mGL?>{YeDezO
z<C0F$C{LdmfOnj!P7VlrpIKPNW5ZZbvcab`&{Z>*`Kn#9wy{0o3}C)lmP*KB6zewm
zRR4o_3?hS=R_qQZreld|sQ&&qy)^#vZG?{lDc5mX^MUZpEhiV2ba0RX{~1ll_FnDj
zaD~LDv|{CQKHRv-4VOaIZt{6PF`#$A*+t~hY{=%9t>%;N+TO6-Q7eD)SMO~??J;7m
z^gq;`69r&b0;o9>pv|TJ-<(})_00ZO4W|-|AXxCqZD#N8bljz>o%TrF-?{<UcgE18
z;ae@>>{GfKI?vn5NrxQBJIqFZguEwRg#+l0i*I!s-IrMyGo9++G48Z(kL9|I-Cdt@
zL~go-|HV6g{P{sNM><h@=HGb7pC4i|X7We~1GCSMj+UzI=IDwzx{ygTf*Sph@6!y4
zgT^_xQZSu>>aAFf(ckk25d`Q|KNR-pHyF^$lQ;A*OA+G@Bx&qrJFekds+qV?3#{i`
z_Rf}T9?Xg{M8mn#AM&Ex-dGm$=vaz@gH3f=iTfP}nPpK`)2~DVdOS19OIW??oJ(?Z
zn+VIMk<**I_alvNYx=_$WoSyohCFA!__$2|W*^X%CyW843mi2-CT!(oL>^#t<);tK
zCxC5BL5dqjCq<*GSO_oicyPbgJND%jkQUeLn$4Fz1QoWd`{_StOL<9C7%yVKYS|`$
zMs7-F46vE)iqJQ~mK-3HfmE?wkB*)Z*pm%Tk8b)%LmTW%GFHh0a{h`%%I`;`>kRs%
zc#pfV4P++$-*Hw-xg&6Cq?;w2UVr@IUBD<FT#FssT0+m?nwDnuyNYaS?R8Vo@IT4@
z9b#pt<H)M+p(ng^-r#h9-^;-ONzTN{7Pm`^qj`WXn1oLmT2(_P=m=M!Q~#APv#Z;y
zFMdqL@2W+(W-@akfeAQ;)d|YK{;w1n4cM^ClmJX+&ASmKG0(>?a5K=i{wz=Z3~o9&
zfOnE+A3`Avj0qB%ocMG~R{telznTeu#ayr^6ML>vN89?@qy><(Ig^V?W+V4Cf3y{1
zQGzzjuyG50>iU^lT;fQ<!QHs@{U4XTa0_v41mY*4QQl>wjhE-tVt{R;2wh+E(0$~x
zE$Z4c@5Hrg{a#&5_1`(T?ba}r^WAK6L#=$NFLvn8M1gvn)A7%|B+gHv^nOgP<zhHw
zftmN`yYZrA2Y}90A~1(Zw^6|DHEZGj$KG28#kDr=!VwbO-6ev%!vJ9jA-KCkfZ*;P
z+>@X|gIjQSg8Sg^?#|$F7Rlbvn`iG+b?W<mogb%aLJg^8X5DM`-FNqObzd!-z~>4*
zTq#M@ZS^<wvz#>A<$Z1Yi648VrD?~iPmjoWvbPY=g!B7fa)q5!<;Ejk@zXyNeVsUj
z#Qp!qOyA-GMj65+FZ%Qs)lT(LtDVW!TEvVE2JLO)CObcS0d+n~dxgyMCVCgXe9U_t
zFig&rpu=ruppZD(vI+e2i%~nnswg2Y^!yli%}&!6cD$x3>P(oW<7t(}9hgscsTcGl
z>%diP7yKUK$ONdbjO<7NLfHX@0$Es+5>6>V%0<@|$wxI`>uKMy@BFAkjfKy}5pu&`
z(ADS3?b}rLYPZ2_OqblB<rZgR0I=ie)tUsd=b=-rY@s37YU1Zhb(Y_FWKN*`(KCm$
z5YfbQXZ`E}^q)d%kJ)^T&PNW|e298v2g+cLzAF<7?x)V&QcM+6x&qo$X;Es52AiKr
zO|LArO45iMHIti)wKsK$u4_g*g%!PK`We)nxunc=h}Lm>+feU*HlPgozpq4FR<$Lb
z{uF_iFzFwICcSorp+AJ6@?(iET)E;5=#57vO8TI(^L-bP3L6vx&wuhD(Hin0b}2=q
zGj2_T6$#`tTDPOpE(`?;htFO*&nrC$paA+stIh2Aru?wxB@f~YY^}r5W52`~_}ml<
zA8ZPKxK(umM%}8IeFtnR1#wFyzVd*ZjVvo@BF(E$HV5KzE%m?3J-oXlb%5?kKogM9
z#m>sk4hikK3zc?*3wseNRmP8TR}C+JHf$$;P?0qTxzUkxcw}UxHT!~q?K;wIt$oNw
zzH*TT#b<dyPyzQ%SrS|ZTElv3AX7#p&_7JhN5Vt;S0?*Ej1Qnufb?+2BW*Bw;*5do
z`KlI#9=d<48SNnO)GC2W;=`Rq0=iwv*~Ldayz_3-J7%A0GmYV3#m$Uo@B*?lr+6q8
zx}#M%j*jmTF8yKY+6dRK;0%cm&q<>AMJ2d++aSCVY%MI1ILhYw)?2W+jx*5AnZ)Ic
zpjNe$Lrj3$A4JY0MC&(>TEOeD=RfZbd#DRZ;CtE=LrqNfWT~PR=<OIsu<iM!H+P8X
zmxlM+g>59@M+b2z`U@UZJ{I$1m`J7qU}BhWSc0a`*f#rc;n9&EDc>P7$)xn|Z_LqT
zZQwo*wmH!mp)0*mlLr=WyKOoHdBcn$qlnveM$_?4lefo`sci9Nt`M(}p^N9?1OcKs
zc{2TfRIRkMxnhdRbOa$!0o-Kcli4mNf=yBqQL4<(C!eWgDfR`IE<-k~78iBn*gGL*
zc_nBE0QxUet04>my)R*|9P-C}P}|up`vta7Qks{p+YaLVLIHUh_?-V+>53H4+vzKM
z)u~p-P!2uq!<|k&2)JW2zr2+>J2T6_E)ziR`CZKV=ELj1gyzs+ipL=3Ddyvlg##+=
ztu?kAPVO}}Yh*w=@!T9h_E3Sr32O$M$S8cBsr|rU#bbJxkk+d*quXSIjzILML_|bL
zW{cq*t7baxHum-gjOGn%$s37DNta4^^6U(IaZICh;j}rv=7%*>KnpXO`_-u+yRsG#
zE3UooCi|C3k;y$UX&G_r-(m5mfjXtde!eq=^<+1Ayk#6rghQFYY>F-HWpkc;1fIfL
z^Fiz?3+M0eJ1(9ZjGQ~SOcIln(t!|;2C7s1)(fVOnKKM@DF6iRB_9<s{wOH{FWc7@
z#BPa?w}W~AqmeeHtKZf6OCqfjYuUJ!uh!hwyN@o)%nGy7`}Q;!*EMeIycw6z4<I3M
z>KB?|ks^<QRyLgYRXAMXAX^P90RxOIrD$Sn6uz0){c0`143nCmIg6Rq$sZNe9^X4x
zq(}vxz+>PQ+UvW@XZ3rvi^rZUQ%80PRnSBu$HTeOfR+pXqVi@IO6H!i7$D8Fe-}|9
z@9;^I`PumhX9k|0Jh|uWRYyiZS#hdkenW(=(<(P>wjjVDN%qaxIg*-;S8S|xfI+5y
zg->BoBhSPCmUZd;V58y<2s8l!R&n++zoCWOPwJ8XaxVXUU;)krdCxt%k@U&r_P@g{
z3QljwUHl&C-VC>Ib3G)L%VH!;@}>rng9G~EJee<Ys@9&i3X@)q?ahM{THHH=pBpj&
zc2-Y}a7v@h;fCUkJ^i_i8<=I(;)i$wo%Spz*Jq~jYG_zk@J$QLvo@cpM6PdWsF^~*
zrg`L_g}f64^hCS+=Xm~|#Q$9b0CW+E0;z<qtroamIR@^ikpCJ<F=lqnoluJzyPPT!
z>+YuYW+o)YrHz%cxfSze&@E*(TmKW)uN^Wi;3Bkx{Sb(Z-t04<#>rQqDB|j?UZ1vB
zelo5Hnchw*4~F>_k7XUcZsT>ld&0$O*&g6UQ9qU+^K(NwCDnRlT`qK@Nt*HFczKXR
z9Qjw&0#daj`V|ZVnl7vCNXl@ZZN+@NQ2ZGr5)O=6huzgRz@qvS`Eb|iRoWmU`68Sj
z=Sph?wSP=)0o3)uNe;TuPaxVT3s`<S#dAj3(r}IHbenZ%x_FStjWnHCs;|Qq$NP{j
zBv&6EUY%_>Z=$z8sjypFr{}V}fSa5sLIeha#+tXs6*nga@IHu!)~nRG&^w1!|E^me
z=8z?bcZlr8!D}hxlrWtn=ud$NgjW6(^_d)c@k0iP`1Aja_)jgWYH9`Vy@jgrZNaj-
z+B@wJW&Gv@yj5O6i}%rb>vL3?fOmJ~eSXNZE>58JmJhNxBtS=2JWB7mkf{J{dz=+X
z%e1?M2B6>P0wl3#h02qeChoZ;xC38E23$6{a#jj7aa)q-FVhYJ$WI<}S-SlomxGgK
zg0%mLbLc;zy24p9EGbmTl>_m3R}#C#&eYguyLsp^`0kbHcP{>X+GNB83`_I{^k+>a
zyKaEtYKs7*<R(Ds%J3POeWpsu5<9tI2_&@Zbq~}+)7_Q0LO1=mKCcAOsN=<A(9^}!
zmqQSnkN^xaIQE}mP{={MxjkQaz5yS?3-HAuWnlOJ85H`r&H1`NaLL!USQLB!gwk1V
z__t!#IraZZF^hogA9`7h|DW`-8bdUF%z<>GEP}r!*L8mJ<P6vHesvG`O_3`_YFCl$
z5|$qB*J4{XnnWTD7Vk9c;cKC^V#lpv11md=0Y_${4gZRJ!EJ@yi^l8?Oe>2aF@J`=
zsRr6|<1sK10maPVRVp@YHnM>KH5E`bSBUgd@~f|(iyKm}@{h0Nq$Pk#Tm8<2rB{Ow
zX0ktJV)krJpFn-vp}NKHV@7|;FkD6wosXJswCXRf--Rt*g(Y}df*6wpV2{^W-9Lr^
z`p)m6`!>(8j7=gRy6k`U14tdJ$=C@lY$_V+Gv|)2+iO%Wtz9NM#@9%%LcrKx%9F`U
z%(l`lf01cw7Vd6t-yNI0tyVXgwUjcf$mhqoUKRpWGv!o+5$WmXTx<#?vHCe5t!AU!
zGlzpYSW?ydtF!%QM=PBxdlmPa=t?>3>3g`p^j>Y;gP6B~sRf&J`@B|YwGIdE{cM)o
zNO&0P2{Kl7){%&zczjAY37E?TT6HMzB9h2v=n^?$#iHpL&YAyzD`u(L{HWLgPmc0x
ze++0Ob=Y8JB|}tq7f^8Kn>oG<Mfy+M*_$VuTPW$sfxb%$@+H8~1CLuh$f#CvYz*kp
zy&-OQA|-FZ2AAzJw;PJ}V)NrIO%(Ig2@sODX(E8&pa4hoMmyD}kZuZxE^#F~yil`Y
zuOUIwTR@Qci4am|Nb-3(B<C%uRmhW8Ai!$@{-|X5oXVuVg*UekToVPf^?}jU|MszP
zzlzLEczgu#0JiPp?H>YDltO}9_cjiTpCQ_xaRG)d1I8)MR^-6R=XTaqZ{owXlbm%9
z-wut2+s#l03gWx5ewe+Ui=ZL5CT0j~S<$n}@x;e~kP9wpqu_q({(3yD+IXE9&t~r(
zZZ|;gYBV?yKSw4WAU!rPLha$P|A^>^fa3+^Ku3mv#$N#9Zo#<ji+3j+o0<7S*Od=V
zJnx~`kLL<z92XH>tNqO1Zch~;a&dEmcU4N9&=G3KEoWimvmscLkJ^a<kP<vy?w>|C
z^+sg<&L_ZX@5=t}yIfpN|5Xi8ebN|0atZVY(d1p=wA!xsN2<r<F26uBX{8G;^{NEq
zCLk$IUV!98Yeb5`;!bRl+@V|v*qLE_WIDLl*E&-yhKY~|V@5KCn-GUijRMtpeHZ4Q
zg*SJ1cX6kx=<qNV7E^ccnKGvUs(aef7a!M$0oHoBZKz+<9<@hf_r$I&Suo#pv%kKY
zsk--C4S&*)DS{HbZj;{=&X&WPezxtGCB_;9MEBmO#v?7fIM3H8FmvhE>PHvpOqJ<5
z(J25yX5^Rx73vvow(@{Hx>YkCLs+5a*?N1ztbsV{XL(c~?dD41cX#D_^cA!NKH^Q-
zUy3QNaSw_c?9bLTuN>)fxk5oix|R??;Yw<pF^)5VwfRZ(L@EORBqfrh?eeH`^C5^L
ziGO9_Sw{6jgQ?N`<k|b$+m#4`?>gQ$pI_UX3?*7BPRW)uD%fz~ePD8wAyO_8Lw0_k
zYW`H1dJgpZf8aCBQ_6)=q*3(M=o1&rQ*fw9dFC2Mz)Kjodq|@6*?k{qjwb}J3o&1*
zh`rc{cdpj%2~tqVJloJoUhlZMjfd;`?tnn#aj~fi;r0*!OKgu9cGtgLU4`1L4ge~g
zj;AoeX%kekX<oq)M7CcN&Hs^@I_gGR7x>>wOdTk-*UGSK>(QOwqBV~%pekxWxU}>3
zA$t49f5WXn-w4*{Jp+h-xgM|W-dlW^5+O^6X}gO<U53e4mYeH|aK4?NOofe&jf-1b
z@OU)iTx;Et0Ro6`BY=Ok(t!+3T>L@T6VFcj{Q{NmBo$8DHy9fkIFw)j`7|R>pKB4M
zW*+R72Wq~$wl-Ma8l5DZ6ylfsnE556|8P6A$Nm0&i!BS3C?6P>bX@(p57>S$jYn$!
zKBs;mt-pRj|J6M|ps`I5lnDlb;9b7WSX~l_@@*PWbnSG)IEPDoc3j+t{aAB^elX&<
z&rR-7E}*lYtITx1D((R)(z*X0Xer~TFvt`^fa=szI9X`x39lK}(jLq+t3{#(LnG0M
z_g$oJJX8MXq{|)oYwO(;Q~|#)Go;4-U2flY;g`D1Eo&^L0v#iq*J=5o^=A6USsW(=
zRXM5-QyPRV5;&!yFEBfiiP^kx*)7L#2493*gO}R+w&W#X_@*7`<JtWHO_akl^z@GA
zTI7WCF_5K{mEkZI-m_OdQJiQPswT_z*P_%UfJDqiJ+I?|H&9xFUq2UWehAyujoHC$
z-R(fKJw_A@G(a|szUC-plO*DNZZghv{~f(G^^BCw*Y#c5D2W!PlljL;A9?u)!o8Ae
z@Fs6fyn1k?`U?$jhl5XDgq}b3h#^7X=95yt<r?dBkvHw0v~g^L0|4^5Ha{gn6NYd|
z5XWK-x{)sr6bz#;6aqa)fRWX~Q~(bR_ZiERDgB76&)wdUVI<vEcyk`x+~J>A_zH0Y
zpH0?4r2R^+drIdskAuwnhL7E)Z|DJ)wBA)0ks~7i3><hrCSo3Yc61;-nq78z-v_fq
zkx`M8z~w=Ax+fq5B&M>fJGb+Mc@ud?G7S4W;6O^6i6Yf!R3JG(;DzHaftSK!H&RSn
z<2@xn1i55haem|MM^SnJv^$ngAyoX8k?984cPP!cU(Y4RZN@=B<*i4~vP(yeoV_Q`
ziPSHx>xU}r$LLPCSM0be#_b={%-=yVs2eYwHU@~b6e>&<F^33Uyl1-82w`Fd(}^1U
z4CyZN<+D*<zW@A&B>0z1Q<u9q%Y#f4VFKG2F9X}={yqw)<vd#nv5ep!DotMTljRTa
zRJ(Y`-|*BQb{zB2cd<LF#>r&r>(pZN=2QIzU6iR-or=|NDypRkq@~ZIVc(phnXn7S
zDa`C;Gp4)S$rkTuiY>B*(`A5PGY=AHNUB!n7z9Z?oX_WR!fgv%;EGiOrMX7jFcadc
zf%?kn){b;FAP_w3e)){w<MMGXW`~y<wZ2eC1~a+*z5L=yJ4F9GH#y0)Ny80}S<~tC
zq?y+>w|u+zLjl-P-yP}*(~ota2njh{P!`<<7Yxyi>w{-3mW-7me$<e&L|A-A$iV@Z
zAKa;%peyuTuz%Y_tBOftHO?9n8Rp|;mQ+DJlar1B=&kYgR5t1Ebi)Kq0$#E`Fg)YN
zTo)wsjMSF6*@{9s#f90s+a21BsnQir2l8cfF~ks10|J)*WM0zsK6Rae3{m`2WI6?4
zvJ@}s1ywL(xIo6a7T9t)L-`Ae*a2BXAO+4{Fqvd<;Iq#Z!DLEUkGCGfH@wh+*K|36
zZ-_+;zIVnnEK~kEJ2&tuw%3xMbP`}}t5_GNrW$tdpnMgrr0SK!o6IXj9n$7TB^VL1
zn&|Ih&8M>kh5SW}6zb_c8|yi=3j6G*(lsp6E5~-tJL@%LiOVF3FFnuqF#&C*_mD48
zs0tOpR#4(sDme#~7p0Fo?#>FQ3y^L^p_b`GK3mq`#mjfh^Ptw4hxi`aPBV@Ww@Cqx
zF+D4cP}DkgO8n))O4!LD0;z@kV%kEck@P@a{G{uPfG!S7O@}B++LK<wM8!Ig=CL>#
zO8RZPvNmtr;?73%-EGF8!(`x>awe-1+3ftoaGno`Z}gK`iA;k0zMtUGl~Zp-^Hi7)
ziIAdTr>$bMS%5QCqKZORI>WQHEYBR!)J`hf5jVt89VOMvncsTQJy|`R*?sn@b$#F)
zuQo}<hUMZ7ca)}+)Sz{fPI_&je(mn&b}Y>6yD}E(24`aVJzJx#uuB7j#+~(*t(#@;
zHpUPA-C|AkKc{9nq>p*l{q~RKZkrE;geh!tcU*Gl)VNco{P&?b4!ZD9$R0hsWYKj{
zErGJ;ub;S~R~>0AcQdb<m}Fe0Ha6Y^C=GM6{<pniTwbW5QOcw(k!zEyloP{3v98Z4
zS@w4EqX<7I=+@y<>nTLwo+}VK$x0I7W-vsG2vwkwO@mR)QxGlSp({8I2`lO3MUmf;
z$myDq58fo|VbumEUDZ$xVE8&&`;)*ve~k9%&zHB8<Rfss6QA1^!9ft3G%+8IVDhwu
zRw-=#B--M)2>gW0LBb`4^>m$;&zCIO-_2WT33j?JIK8jJ;zb|B2f(l6E|)}KWZrJE
z8g03~hciG!)w2Bnk)rEZhAkg@g`-z00>W9!5RLSoT<OBs-H3;?#lXRNM|9^SBv;zM
z`IUiph`6<<^7_2>!=w^Q!#8H3=ji^gc%KEr4gjSh4!v}&+^*0>yp@wEpsu!uvMq!;
z=wg<~D<HbYlSqqA^lKYSo5Ypf7O4D#Ij8oTet|N28mshr?AVHnsb`~BB9DDMm{BY0
z#7ih<Cd5&L51K9#v0CH!t}g^sV=KD^_M1&sE+pxlIkVI3w3|9o^1QWA-d<kYx>cAs
z>UXdkVAS4@t%-nt6|oR7?qM{YLYbTlY4mWfJfIvGd<6665zI~GqkEDRUe0A_^pHNa
zs>(Asi+y&1bln4|DvP-^q-E9Tz%Q2e$uI9ddbJK7H`y(Jd!VKg5gzfC^j}wxFxn&8
z-mAEE?&&e>etjvb5Y43x4#eFM@_O#|2=2dLZ|Yw@BG;-X;<yc~q-c{b2$K3t`OL}Q
z54N6V9$qki8ZEZBw~AD*sYb+jtkLux>$F1GJNY^s=J78_+E1=gi83npUVt5oVQUVu
zq@W7}X-2<o^7l_>jOK$@JoMBje|_gmswY4enGv#_P9+6!XKBZ4z1PC`w-wrG%a`q2
zK~n#9Wx$2L`GI+uhsG$G7Zt^B>#uTvg|f;2m>3vKr0}Y1#)E-^$gF)f_x7Ea<NXrm
zHv8>otQqUcDYLDw=mE<OZX4vpO<4FHf+ZKFD`lg(Vh$C-nJE~Hu|Ir-<0gQbr7jYb
z-Gx{eyMy)Y2H`5;rvK-qN8z;)z>MDF@Rv=$=YpAJ1$6w?so%b3S!^RWnW?fQ)qnX^
zn{u`2R&F*LjnO<_ArDUczqi1z?GX6IYr@wlwrJi9j`7`1qr6}?8pP2hv*}guU4s~3
z7O`Eo)fUK@YIANlie-zHVNB%J0;SbjFy4J~L&hS5^!_XhXbTv^7%221w~bua2Zx>v
zh4~ZAUmO47CND0)99|DLb>cQW{cHa@!ubXS$jiu}&DGe71n+V6Z3EUBDAbw<v`<sy
zsg}K7gQRF<U)~IBUt?oB!5!&Q`0oAr(0;!kfOC=zbUZf80cm-I9uI_vu#moZM4oK=
z^!Q+k_jK8Jj#;Tt8T7(^z7lP%KarxNHV4fU?gq0yObeiMqmV78GnkP{SyT{C(|-6O
z|M~GAKy@AJts&JA`d_!JSYmPUrw<l@6lW%d;<L&n@z^iVbtc?R7g51(ZvhQ?w3_uY
z5{f0n|MP(U^Q4fTpe^H5VK_VogC;r!E>`K)s#jQ&YBAm^AMj_?p_0fupr>(2cdSOy
z>LZwF&|sEu*86^a?!grGDTZNUc+NolNv@9f6E!pE-mW56&vZ#ovn)V2Ef|fWJNM(4
z7KI!c@)EZg8pR)r1+7;FbG{CD7kh8g^wr>Xv_7`O>sw1a+OQ=;eM3adpBl#NLE14C
z<lp+~_XhKdK-Ymd0+4w&kWvo=3f0uW0ODo+emejoe~kbK_kEV47VIVgtTL|S3AjEE
zPM7z;Hzx2gUaY|KxYNHr>LqIv_wp&s?S1+jH8ZpK6e!upVa#apLohMH?`wm7!sWT#
zN|hQ`BKhcqqB3a3Y5t|x$y9=!`vgbFoMY#6`oB%%;f`B{J@R!bv<B1v+gjCuubVo4
zUu=rD{Ax0_YWAqOn91dkY_^n`<DvfmkmUV>qt1jO0JnG(M7rXu)WPt$FJy8pEZsTw
z(SXsx@tNWdo})G~emUYFkE&S__|zIPgtPxVwEw*6gCT2U9eLmE40nWaxR}24r<wfw
z{qx6gM@U#*|MU@$;Hm{5fkB))m$r&<M>o!PL!AF!*`I%-4F4u@gNAza&zti5>|(<7
zLW4-Wc)UU0Cf@85QRwpzU-{p^;yqlw4B68^Hsi13m~8RkN@u;+Ad2K|CmTb;3;$X0
z|Mrc>D_~#cXUL%banpV~qh<+UVXR>=i2-Pgk5Tz+QU3K+zrXPJPaQPi>fd-H{o9NP
zfh)Cr8Y7_WhXzRz!FB)l%KtpOt)d?c<SUr(&ztu9Ju9%VJ~j+15^y~X=wg%SUtjg-
z9rAj3EKi@Y{QF5-JX|TV%AE$lCVP@-o+AHi<$pNiH~-Io{_ioMvr4ps=JxAy-qpsp
zDjY^)G++2K1y<hvA1-j28nBz?t>)CJf7$|CCt#W(D~}JOTV2HiJD=1`PxuXIVOE*f
zs^#mb5hyV}`UE1RQF;7lX!)=Afu?|mX+MKoy!hA03jli^SD;f8(49v-O2b&3;w1W1
z4@VJ^d?O<6sGXYcNGdyk)SaW--3RzKz5?F{kCk=F>0(_>fI^5enaC3bN=T(9-we9`
zw*PFHn=_B4qFWoDKq{EWxWF+`4Tmt6h|zqxf`y3iJ9Go~cru0;8fy06LC^m<EH6r!
z<q9;*`=2k$-6u$R9QmUdv>KO1?{6(qNapHXMzh->pcm(~YD`rk*ZD~(TD8(CKkQGv
z&TY0r*>a>FY1ZC;=GP(wd#2RnJACQ&W$02bKVfM&+R^pt&hs$H(U>pq;9+?y<RA83
zxQX!#)pJy*lv>A~Cv?DV@c=KTESi_wPFMuYXGo`nPdClRU{Ff!7Wb=qGw=?WrT4J|
zp;<v{WVRH3v?|*iP!kc`IXF24?$AEKy_;r46bjSid%1{sGTNHOyBmYH?k5ly+xn=(
zS`Z8zK6uP1sDJsUqj<o39JyQ!I{njq1hPIkQVPVyEC0k{aYsAQe7WttBKGjiA#dTP
zkvq+W25BB^y_wG7=z{vr`jA21u7->mee64Ceb-%1(w<}djqYJ}MNLx)m1ei{X-*9r
z`J+V;-sUGy;A7r6IdQ#`j8||P2)!?41?G54yy{g7wV|8%p&?ddyB2IyH~qagyfh&5
z8fGBCcQ6Dwo@=+-WD27vfips=rV8QrV?7>sepELA@5CeRe%82haMChzWW#@T)TD6k
zym_!8eM4$}`nO|Rjsccw-AgJ0`ww&Uz7QkRLO3F83AwUMV1usYaK0;R9~mqUVDK9<
z+7bGA%RB+&1eFYw`pj9Q$lnt+%+B~8>aa3%m1B^-)yr-aW_W)p#%!X51NhFsE+jlq
zR1AYUL&*HrEl$I&A>)bRsvy}<G(a*E)qeL10h?aV7iZv_UWqTv8Ii>`W2)SlmCp%{
z0oD54B4c87jP?_iw8cby#dhgRfyY(doJa(TEQE7DE4?#(sKRt2Y`>!t4f6X5ue=p}
ztpw-9BJF<pYweLo!O@u1C@9N7O1%I{;lg`Ogz=Z3z6k~v@4=q9`LDC4jlkQ9vTenx
zeBl<vI{v7=>S=on8YJ%#Bsrf|P%B+;Ypb*JaxedC&1EsX_jEn9Yp|U5Dkc@-5-oll
zH0gRbC*A~0pE;T<CtFu(P9;q;;md7E*yZCTfOcWOZpn6aVqHqB&QX{SuzQz6Rc2Ss
zx;d%}o!!Lb$zkXvX}#eMnm;-vbVLV%UX%}UKk#ON^QA%i!n8?`KS8Ed9Y!N5yU}ey
z^!-W8*wOL$CB}q9gEh(Pj1$VjPSno7o}~B1dmwYY;4=Bh`p@I7jqhP~33oGY(<QE!
zvymr5I8N%oxR^VAm-F)x64&Msl$rTK*HLGvXsye^7g_U>g!UY(nAMKjCc_pI{#4|E
z!V%=3oXY+m6jr8?C{{C?pg6Zr9-|e5b*@5H*$j7`jP+XMqoZDkIMA-U*=TD%;n8$(
z!}uD(Nt25B&dtqf5QO&mVG;04jhLiB{a+_7|7m+9$1>>DmjL=7Cs_;z4qn>RV#a@7
z|4WT0M^b_3Q`Mq&N5|2=yn4*1voqlOWJIZ<U?I*hrFspX7sz>-Zyp;*5*X|oa-`G?
z>2vrF?|*hhsbknXqKod0?n%{9{^@y-o>WT!=%opy-l)pS4Y%#*E)>o>zfa{Pkx7=I
zrV`3~SsQOKH2_4tTWvv+Q8e~62wh)%lAYJ_dpT~qy%<lHDgk8TTj4^r;4{S4Y%FTI
zYTvtoBwo9#K2@<8HtMzhgn+M<j@r!t(rsSrwuayrAdunZMFePo@;L9pqLK^(eS%ct
zF?|db!m-4$DC>He2~`$DmnY;=)cWrL{5+&{Nu#x;h3X|+)Nq!hxN4aSBI(|iGaeyh
z8Xq63{n5~??;{2xoi{cPc`iLu-{>8C_vh+FCJME)fyotede#wL(Y&~sV&8@}S!Kr^
zMVM^vJ>sg3lD^aFSr|fM`it>NNTh(hly0}I7DcN(pwbY#RU5uls{dx_^ANjq4Rx|s
zC!5`icbLfoj7e^KW*H&a_3cw*&fC4`#JK2J!tB74<KWrpzA1HC2m<z(yaP`W;e7l-
zG8FmR`&SHgLGt*Hcgx?&u#Gz1spE?R2=+L@?*7ib*5!-_IGZG#?jXBIwuDJ^WNjm&
zn3ewwEXkJ80v*ACz^F%@)w@ogWEc5B$5S!9u{#bHH<L9`uCdz)NP(*C`cn!e_z|w%
zB2U<y(-$dCPo0sG(Qb^9xkI4OJ`e4n_OOss?+AX{VVh&l)r2(#t-s%`0R|ZvB-jhp
z%H-8W?_7RbSrirau7di#vHV;5JYLtm$L>US!Q;gBhGmvshaWh97(cFc<4yFK#}Hcr
z&vsIa)UL9rP10H7nm9nFc-cJ0@OfT>9_Q8Cz#eHs2)MVBT!sR)ZkIZZv8tWm=TPey
z+myR=#5ckffSHB(r8aX{VLeeAjpzIKIUD&!T<(GFCso|#D!$(J6eJG0QNkc#vd@WP
z-u-Y$>0>{Fo4>UHHbWRGhvF-C)=CtTqNwGDi^+X*rV$ktzl^W>A>!sPc>M&QV(IB~
zn#Z%9_D^WH<HalClAip$Y{zSYnJY2H1<cJ$<-1bps;vSr?8RiRl>3&$h~bvQmBdc~
zDOP{Dq_uZ6-Ide$)4BUb!}(V8Pal6#k}6#xSo!|#vCWSD1h&16t(Fc@t?PNAY(Q1m
z-7aQN6m`0677Jbc_4W>Rx$esAT8F(_nwZ|3%j2PZzS<y%3M-!dJeH8R>-2CL#!V8A
z#b0>rO=y%Wk@lt=L@JG!>ZcUaoR}-}`{iPZ3Da?u!C<iQaz^**hPEg7Y1oDsP)@zs
zY1}jja37o52ibDphBFgMjsP%C@^YPbx>27piO+E$r`0VObWK-bIpH7AZoI4TGUEia
z8e1Ph!k4C6wlN%=rkxlAGZ335nl4Kb`M!EY;uV<dWSHN11ytVB+30Sf8S6C=O#BO4
z#U`W`$EiQEH)-!tEWdxVTJe60P9uj586WgHk6&9DTexP`6lZ}Kg@i`}HhG$ceqAPa
zBRPG&KVewS8d8iZ>AJisN&x!6rCIByI^F-7|LNEd*)WfbEu$5#wVs$v(xwD(WP9SZ
z^HtG1XXx(KYQ@47d)M|YnE364y+kar=I!#G>bGp3BK_cs=uFP_*lafjt@^jXJRTO0
z{KEs_4oH>M7@-m}fBocB)w}R~*7EL_P45EDrBTd)5NUpKw;ROH*@Jt)tF-QS%O2Qi
zdR0!kS%~)f<e&~{$sN4Ag{2nqKRwk5T5g*tUzbdHd(GR^*K0CAay0BrvYo8Wv(L*j
zAjHn0G(c(~M9<e?ad<Z$caW#4@*5Diz<KP^SSAh<0v>bxMe|YR4KE*1?DhaL&?x=D
zqgO5UwFqu1;5rg1U+ay{2DIsC>^=!Q0#hnJQ?PrWoUMwsoxD>F5?K79T$Fs_G<>B0
z6L7B~3u!-(Ri8|3L~zVhm}WafLtK=8s0h-1lBWj7@F+BSxMxEZh>36Y)Hm8#aV$tZ
zZ=j@}^yXr8UHNjEK<AgrpaMaiDu4mSa)v+uXLfn_aE^H5cW2)oW}#V5T)K{)Zlt5M
z<!wj{9Zd8H()EQ<`w3h{816NSVRC4aq1c*A^^1S_-pF1$@{Mq5)O}yHraKSKvO^np
z^R}k5FW}212Dki(_viN|ku~6F<Z<eETKL(ix<&}Dw~3Ri2M2TusWu$(qq%|oS&oLp
zsWmeUQ&G9m?=ss$eomN?*5{g=OqEKy^0=)As)bok)hZ%h?XE-+ZL^zB`G*q=EXmC0
z=(=C&&29|ONOqTE6Ia?k4!NE`nCaZ&$oEUQo0PDGdQ9Zvdl;+Ld_CdFCAK?~g#vxz
z!lX#IpP@H9AU22O*_!r{**cC-MRMQ_PD`kS@h4$E_MQ5SKKx$6r&qF5!<o5`DUBT0
z1lVu0Je$rpD@f-0h1ooH$=vz(5ebKqCH=B#XZ_(<I?$>h{71b*Bz&&IQ<T?N`tRJq
z0BKplh=Xc&Hfhadma0>U#^!M|^)Z$nXu=1g^gT2A6jF=(mu+9@-iA?^IBiCLA(aDW
zXPM<~bD>^lI*s6%Z;oz_a8#zN>n^P?`<)QgL$^Sv_J=`vs7f$)h6%~jB|J@bHXP@j
zCXLcfkIP;9r}6qjNqOVr*-Y>Z_;Bt^tGl!w{czABw@R9>Kq8;ZGZ4?n9{8TwYrF_6
zq*y@}OJ~E5_*GFDXQe>BVpb4K|IFhj)cyg#UgFr=j170rTjA-r9f}6f>wLG$yGz_N
zw-xh*!v3o>BO2|(A9VVbuMB9o5Y%1I+`_J)mnr=owcM^e(lxS;E(=SQs^4%23I%Tn
zO}8Dvp+;A5pCZyR5RW?oQ7I5`88U+FOUqfbcpySaCn18WH3yp@)UofX+@4X$`4h;M
z>8_3Wm4C4vi@Y!w9zU0Be3tbkT)n@UWR^9#s`x6`*sQ`5Dz}wo81%;EYNlzF1{Rr4
z6r#*Lefl)>k&Jn9QI-3(!x4FlN5zy1$Hzf0n?N{1sHk$2id(hy%DdLGlw0e*oy)d`
zSRg3oz-?Cp01g$Qu&2Mz;y)5NZFB&+DDsb_s`Pd8D|?x(uWZIQWv$voz@76AZIn-c
zBXBG0kmp?g&>;SJ!@%W`>bST6Wtv{>@wcrclPRjsk;6*Ui232yZR)if2n|;!<W(Zh
z^Xjj19fpuNu5X=pUsojVYWNz+4|Vq>RM-x6(wjfyNr6d9E1D2?nP53s4@Qe<aJs#P
z2*`yR%*Q@c-qW&p(ZU6AuQLv4h_VXt0!FW+vF3yOjDeQwa_3&9E0-RH^f+Ox5s!=U
z!}1E#bBil&pfi4R*)I<we&Bkh?KZS#mFaJd%X)L{GIStlcbU8K5~^3Kw`NjPMGFRL
zx?Ok?jh9=O#k{+(34La9gMG3!Vq{jIal|1-SFB$oCmiw?fl0YgO^9xDWl&=`C=4@1
z@nS7stiojcJJ3HfG+y9I@T9w2TQaI%k@z|`a4f&!O%iV<uGW*2_l)j<R<}5&uag8Y
z#w@mr4yhPbxpzLRBRqwwzjUKPs^z)sxqgvpKm<`HJZ2LGzkmY4+17iLv9uaB_L$mT
zyyx_WG4$Gkx3I{}KMq^>3?&I<8{M3P8dlBckF$Mp_LAl;hh{9HEYPJ;ZWw~16K4qc
zEeR=9txUR@8A6ByPY<s_*77lHZJT8a*kk#ZJ&dCYuQjz8w74eLZ{&Hmd4TODYhJ4D
zLi2q@S7hR5xP7WoT4}tl>5Au><qU)5;pL6nn%MBl$W!YE1Mi+;gWfd`9GgPTnnbxQ
zJESmkl(4R7XO9xjZnhTnt)D&tiCU=9Xc59Dw8}+U(aUOg0o4aNZD9Szbx0h$I(D}K
z_7Fd`_NuptHFW17RNEsh7`ta?w9KVRNB<XVXq8}hD&7eivnF1-+mxtXk5%NS!%}P1
z!!E#OM6Z!d+=a;EG?Ac_$8bx2yGqh%94^SeNg`8DzRQj*i+1kmKN`D6sp{{k58Nhb
zbKpLzC@Mabvc2lV*JHF@F9&@@$L>m5(8!>-w6C{I4w$9ZJP9#>*oyq9HGIICHlGqX
zw)1>ukb7Z@1mjm?;dOwn(&$!m1PW1)1twrzO8BQ#6)W>zN3okK^?YN^4y=`t8&{k;
z-<=YwYiH$_GV^Jee+B~+xPh{@3Do%7y><JZ@9V+XaQd}86}o2d@gr4<GU%=|=-hNH
zFS_r<bJyJRV7}p4C=?iNM=%fNvEN>0TP+CpI4a8nDmT0JZ3tC}RI06Xd!lJ$Pxn1<
zuk5#k2X`}zT+X(KL&zo~`eDem%!WHk{uvuLd%^(#uz)_bD~3AIl;EC{&Py@6Goj8f
zl*l(>MrA1RE$&JI!tl(YisbF+w~`YYzGbI!Y5C)q5SatqQaMPEDz$rXTb>GoJ;Kqx
zfE$?guKtZYM`F6nk})K4l2!{6&uu)hHPe=S($}rU<*0nR;y1)gWM-H5HA%~b0h15M
z{n}&18G+w<#_Zktg5~GfTIF7H@aXHZDI6Ep#Ksw?WQI9}Y{cb-m~`}1s_L)6HZ=I*
zk#6XJ=q=Rk!B8J#t%4BUcz;A0e=+u<W*UG%PHW+~cj)%!8v<M!r)JPBzX>ZFqEgUJ
zUR~ug1`54xGrZb4@Z21mScnR+6AsLt&hkNZZBeg(`9A)`&`cL<Ku|!!<88EI-rmnk
zFOX8<5b>4iG|kMaAcrA~$I<!ISSS3Ll%bh=!XbETu)aC3G(g|!X<J(J+E8C6ATav(
zV2&N8`sB(7KuyX@KBTJDp=gHMuAEJ{$TXds@gX(Rg4YUFtF-pZT(1{Uz<eGhyvD~0
z%eH|dz=*M2-KQc&9<{q&J}Ng6+KHUTL(^OlGvyYdPp{6f)4J_AVkkXN3djQ&k)dD^
zl%soIOyTN%sB>Lq0dY%%zrPmRyw(-rr*=b0!jZ|Ll-#+{%(0Wh95m}hjFv}IrsIW?
zY19LrT&GWazOo}4najNi-$hANPe9OX?{Usah;W}-77NU_^~mK{UHW0Rsdjv`I5<sL
z-JeXK;4}5uCxAc?WYl7gLOoNhN~`Z-k4-*w4RxM)SKRpo1sap>+w6u0bVR~xyllxk
zVUHZ?LI+h%cYzSqn=YZQ-;4zNIx6y4dr2Dw0H7wAj`S=D4JJfpap;xwKJKsm%(atJ
zcRS1{U7*#Oc-C$5E&4Ju5*2ZK!DEAOirAGrxhA4rJUTLe0Fbs$Rvf5Z&n=pB#3H@U
ztULL1j;e9Wi+p?dq801@xqea8I@;O&{+x(VyS<omm?5N!)#GyL=ZkFJw${+Xqvh5e
z5b9KN^kw_CEs$>>bvWY<l?L9=@p;;5aaKQ5+Ni5x?D|c0T%dUOCvc7c6!{0AudgM=
z6!VobpFE=w7%*UT%x{MkLnY;BBbci+SHJucDSOD)YL7z7PsfkfwMtgHLZe=3#{AX+
zI)55f08HdX4@g;SBezx^U8n0$=2H(IzkD%(Ld?UZFf_!7(_R+K|LUDYG)*+t^U|)t
zL=}xLJwBXu+hx?I>GGh9x*-k73_uFiOX5NQ1FHVDjhi1J-3_A^f&_3qUG58#ud~(n
zfm!Bt;DtMPzkLMjWU<}70lLPO<G$RlGEMPQx$;weQFNjdierYk@`2e%=Sj9vhPUpr
z1wCuskbJrARdkBxlq%oh@6XV+1CBeg3`z$9v@!IG5Ov|ZgZw%EP9pv!6XO}~y~1*%
z4RP6b2J!d|yTuWjJh7-=O(P3=A4VwN3?I<asGNpusw6XA{$;*;lFU^*UnVoYynnt=
zMF&?=@4$%91yJat;u<xKA2rSa=IYttLZ#U3k6#iF2`g0E#nxS?Nf2u{EFMRpBF^WH
z<<a(+RQ+6dy1~15AD&c~BYqC|CA|&|TIVqsew&S|sVFdNb5+D@+*b{6!=81t%2Z3t
z;}~hLI$CN!;$rZQq5sntcG_4ui=(rWvbMBuiY@7oPEzD-vt?TI>x>7KOnSWOV%ziz
zNV9E}*L#wQFLz9gf`qP1v+1P{?heddcETpYOaLI6sa~}7ePBCS_7yaEve+0=|73ej
zu!UFG0;rEsf(Vr{mr=$5%MP|;p6XA~9GGd+aohln_IEZ8S-)x<;cik$`C+BRQD5>w
z8cDfOBhwT-+naoF(T<|cI`2eFq47GP++w!ayFXRL;~2mHp^;zM@s?S;sK&+)48oZy
z;S`mcsXX{@!RONBc48>$TYMw`jnh?l*(#Z6oVE4?e`9`&x#k43rbFTxWX@wN`62ro
zxY`i?wU;8K9!LG!H_jlprAB>=2=0UZ`bGDCFzC*`+E5tHpf7I7OljS69*g8lf{4r8
zWHxJ1!>Jx$fQu4>U3l!k$>-}21|Hn{%iZpsW+D^LA1k-^FVjzIf9@6YEcCkzlKetL
zn>pd)gt|-NA{ro>65obXt%*uGxVTheD5VnPYVEd`WjY(Zgq?4yWK~q+ZghegW|A;u
zaUVvBt5#^#*tD!T8(+_5i10ywbmqPbBTy*T5e(p=`wYxir-W831NmD5PwiFv(np}n
zir(C|NmXMb6jfOV)qQ6|1k_oInrk}3#aIYz2;pib<bURG9uM@P0O4#k+A_5--COnY
zgXiu?ozHmmH{1(#)>qlSE1{UE%`%%6Ol#BY3k6P8f|ahaOl9rgPrL4;j1iKeZ+j#5
zu1SjLUkSUAC)D2&x!12o$qIxWE<4J=?M{}ZaPMKwpAkrfVvV+Ep+&SJ-JRYl*xH7I
z5W7`mlmNVDnJIhd6||)T3|Geaq7ah&#^c5!7zq=7?rwg1eLsX{4CU-ouRK3d$Cp+U
zYZg~{1!#ZogrCSydWwu6ykJoG88Fi&Iuf?baE8VbIxtbA4@)E8aYUY<N4p$3*o^8=
zkPq|-SHQml?Zs*v&-!+qcsCH^P^owg2Q!ATet6F)><CncWg7_xq8X9XMC$@YV0^T_
z6D|$Ho_E+sXfD4Il#K7=^9-&xI|7?e@$+m;50AU_Q{`Bf>}8yPPL+F9$UjcY>+O{m
zahEDHgnSX+Wj=1NweL#^!!1Zo4lvZO)q0ztU0ml%vc0aqPr3mR8h@TA;)E!deDc0t
ze6IT%<%Uy;A6(JbXA}EY8Vy!>@Sn`p&m|fi=+Gf7t>&RYc8vr57R}YGzFwbb(5qIa
z_1VH1Lv`>qk5@fXcX+aT!^`e!W*ASLE~oALRPRC5Wh_m0$3xU!rB`+Bvy8MSqacz-
zs|Dt&&P1TQ{jkxHd_HhVC|9Vi(lC<4xlH*Z&f_vX6{BJ9hcs(H9XM?8R2vScc<V>)
zN#f0GUGL&Ld$o)54f+2%3aX`bTK$pj)^j;sjZ*cZg>lAip)-~?(E`CH<3GMle<=H4
z=|GpZ!c;Du3@VxGpbf%!#R47yYGjn%u;MyX2Y{Br)w}vs%{m7uKg(G|3tmd2PyEEU
z%S}7gkUY|w_Rc~g6VALgtrL~vuAu9w0`;n#JeL9@FsLZiPxqhH(cuHbcR6*~0Vt}3
z9$$MhjC8S+mu_aqp2)YRZS^Ol_jmfE9jKGHn9{d7(IhoMy=dI(B@5($(wdKZ*I&{S
z9X)x$wx1aBXJ~QXi;G{sMK~MvzixS<)9CG)s~9Xvt~K&H%y<^B^K;y6+&fA2Vd|sy
zTp;c$gy?>cuk!d-#!|vrfi2i1Uu#!64;_V0s?-7wyF#>K5E_N*>Zxb>DsjE<YV5Vy
zHy(er@cU))tF4VK3;3hw$eSWWX#-;)JRWau^XJVk``H3@B@`x#!Sqv4DO|y!3?)@@
z3`snL_wyc+yRCkQ9(2>Ax|FpX)wKo7Cu7LyTTQ$^Ys$-o`}x~P6KiWU!oDc$jh6SW
zA=6lEHoA*?_~DVXlL0krEcqMcGcuwRAs<f=9UKRQEDvSf<$J3E3F<`cJjP@jrRyCv
ze_!9>USeKC-2(kmQ^q!ZRCoiLw@yw5s1Cc`47DFnLiU5uEPFB-b1jn8I>;5?OIyMp
z{i<JM=CSChwk1970F5~lv)cE{jgMSrCOo)T>;ayQTxXr-E5N;mxX&j!r$X5gkMuD1
z5*p@@VG$Q3lYaE6Xl;`)CT);A4gmkFS>?gzOmcTX3Q(u5fy?yk+Mk_OEDO$_FMmJt
zg%?cv9Z1w{;xTmi_PdkJJ<m(CCsoS~yZ2=MqS##{LWVyZKP8QbFilbDQuRn4sj)S>
z?zg#3@w`hF3P9<01I9%X!PxLz89<+GmZJ}0l}><g&^sJHp)o$x#r%^WUL*zR=aUF)
zHkTz@aJ^!H<#7IqbhpEvTM>)_F1ebfXcZ|aYbk$V<i@k8cRSw&C-o~gkq}q4Uav+c
zKiggrpSVox*KeUT<N)z86_JLs?2cg<+^B`S#Yd&Rj#X~%B&_cl4Ue7tsMie(UF}ov
zaz2{nPKxIP1*bIkRUD<io1ABbrsgEAZ}we2V>Qs9A$kkzK_)4cbb~!ss5oLa|GKE&
zxMl?%Li`wu^anHqd2_iPPL?V}_v<Trw=R<rs*<lDXBK>y56c%2;+FFHTKj}`Mx+e<
zG7r|>>4T#2sizA7)IFN_8zZ(TyrBd=ilNe+pEO<A-)l>inw4C)8W;dy@sw4){D_ZC
zfPvl^^DLxc!KF1Te(Yq>OaibdY3*WHpNJaI#0XmQ<o(Nb_oFD*gM8YO4eu=a>Gy&h
zGam#kCI*Oe_56-mh+aUF5OEm?YtIO`cBs*l75Dsr;x~=dczdm{lEGU9ozZ=|9xFa*
z5i>s?d>Tqscj9afs*8T|c76D_YlBw@TQ|e~BH5365R8%lkH%o_4tTV7{)2&fnd^8z
zC&3V0xg~J;(v-p+A})hmQY=BwnB1$BbmuaoJjs~Y+D`Ee=dPp^JCCDA0FE{5Otec1
zFihA_6sRpCoJFBMnVUsj{T)!c`8-;nU5BJF5=H{)stKUBAB8;A<SAgj(5Puq1eB=*
z6x2l4{&a=u764<EhBo{x+2E@D_Cf@u=7Xhmz57gMpwYMPNXl#=rk$Kz#J264+MLG1
z!g|R+UHh63V!t=7$Pmq}dCPJhB-C%yq$j2kkg}stpcW03JmSjR@6C|6jf7)8|7Ubd
zCiqYq1M%l>L^x9MI`7wx-AWK(L=UK5YkLC1S>AfD<mZIwppjK&L{w?qGt8fvYvXOl
zVW3^eEuJ2e#L=^yj&=a>{HHyp4IfC41DVhr59ZiGRLG<}aX_z><tZZv>wY~IYgO+y
zB7<#C+jxQ6pb@F(2M)_s?o*}KEc%!Eac^mqw9MjL`512bJ|hIllqSEvdjcrIq8%}@
zE_*Y&+5ij`!CbX-B$q@_#m<EA$FGudSefA^tQU*{Ock}eIr=K94qJCLdy_Td@hUZ^
zj_H>B(+V5N2j}N8l2QB(dm2?$oVv?ER$Q+A;mFroKgYWDIfr5tpEMt9eAq3|2`9nr
zC6{WsnJ5`H-QpCt&KgMJcIn;b;y;g970vh}eIgR)o{XR<3Sk7;vd(bgY{P=-9vdKc
zssm4ux4y%h2)_XMF?-?>gHBzmx88N<f^#PdQzO>Iw&McQJwN&w$4L1L$9CdWADyi@
zF342i=JD8d?n;L6EtR4zsLJgf`<4wjn^+_;&N}w(F>lNz;no+a269^8sF+NWfj^j4
z<{x{SO^I37W21+2)Gm1EHS&tjtz-feiigU#2Sxx&XAf9l-F~uwiAU)#Ff(=6`A>I8
zVWkNY0%XyG%oObAH&lqKbO2@5SwGqt*U~!b<Ze2xdX;I>csA;ifZEe7;um3uwmHqs
zZ&V|mxgZlv@&_y;uYWFkB^LEvESjeKYW=>CT%Vif%}gb_CuSZHIG$Y}G(8NZ&zJ&0
z5%hqpvojd-<e~_)Y1n_pijAT`thhjg8=<}?Nk0ETVjpIwmzt9{L`AwN^ngW^t?$m#
z@=1;o;SVn!eUpEc+HB#M3sBo6WlRSj6#;T_nJ<sSC41`Svk&jzjksWCBU}y-V=hU4
z+^_5%74a=*&%SuwHUp4O_U>!!Q_pag`s0sS=jvP|c<f!<(N>U24*Bg5#@lE6Rk|N?
zA@&}?K<|30)e2nRRgVBegykdOp(o3ZGFJ~2qmzyRP@BOQPCuu}*PcT1P1k}X8@G+_
z4}@TjVRZu$lT(h_3FQlcjLHIa?zt4wu1d3!aDX8ouVRe5Cgf92tCrN%bTA8bsb(>p
zh1m)UakLz%edW$$^R_$&g$VTaX1UfpK`9E*3P~^A#>C}1u`*J?!pC9c_&7YvC6eeo
zQQ|@pA5leSg^rB7L72VJMntd7!4g_oqb1=?%Q$I&QetVU0i2x!jAN9viP6aUy$e1u
z!;9ptnfOLvS%Zb$_5rQHPJ15vJwZSyHfBr&i4aUYE#l9l%;98=vevb8Bp8@IV65Fp
zQtL{p;J(a!Sh0gwB`Q+-5b-g4wxNx2KNRw8&lUviR#y2snQ2Ub*drqT+eka-54k`E
zWlR<~ggN@L`{j-c9?o5;&yl}dX!3kRwd5|c{RQ(e)1HV=xOXC{{F&bjUS1E*GXCW$
zm;E1kMy0p(+aQ{Z=8&gj#;Lc?uf;HGTYv<ta9SKr*8A<2-?p*FZI9*4r-J?ZUWeWQ
zvEKv2XVdV*i9sey0$)F&XBWq_X>Y1bq);hW&JR!_%i_QnpC35m0&0;{OvdsI%vM4R
zJ?J%S6+i+tH0H`bRK6s;?sF%sTr4B_IyG|9e8l``F~bEvP*mpT89Hl{3RnWz^c~}^
zl`l{;#W)kiY@m1b-QrONV`R7BXWU3MMxMv>pIsiG+T?~taUpz3;e9h%H-GF|G`zW%
zy>&6-aB?RpW|Vb5)=MvJM_J@M)Yrr?>6<JWNx|$soA#)JE;gDA(#;Plpu@T^ncVM5
z3NRTn#E(X^oXMRzohTu++xUs8dOusiq*vrhQ_@xBp1Erh%@U$t4lv^^aNcR|!)H&7
z0NJ_Gk{#M%P{7LSpn8qXden{)Bssm1Pm2{C3w1rvbh)hvjO~W*9gWx4G4?3%+8r_n
zWE<4cwE<02I0oH`s=h8Dp(cqGU0=7=y?LzVy#-INX@^aKRtxG363XNjCnB-Vb!zU_
zl?QYe#EH~mn|hRT&99}(@0$ge8IwJ491x=EcP<8FcH$d+3$)PR(hai#eKCC;eEp<+
zE}`*N;aIRGXc5nxp<956WSiD57ab!d%Bx;5c61+OS&i8=>Vn+ZMt)9z$1zZ;G3q&p
zHhtP@sH#*WC#*Wb|FSUrM26UIEsuS)>i$j5wuDA2i34=^GFGWjOQ=ft`uUk>%5bK5
zz5{2Bl2-A~x<1>s@#{igC!USi?MUo_9{;hmc>A5Lx%2s0!$f#56*Cr3L9(zLyC`ca
zBXB)HMGt1D^K)*y3D_fy<=lNL8Te*P0UCC_ecojnGL1$GOzC)Ntf6vP&;0G=H|+a>
zq{tbtZpsv(DOXew`P}cI+txEd7t<u<pfjmm1X*l!-;9I?MTvVSK0A-E{?zX}yoPVR
z{sCSCf>@^p+19JmR5V;8Cg=F21^9G+Qd&<TYvQ|tatS92KnGQ>9I~bqIq<;#+B5-2
ziRL*mtG4Dw>Qq+UM#R9*^QzWuH_r2C&VR+VWX;L@T+?1+L{jY8PL<HrZp<Tzy|jyu
zTWm)QyEK4$su7fELju$ZAqR3OBd1t>^<DOe)`{tCdiBadpk>{F8SzSG(nzX4Y$vCU
zTqgv}I#enxUE9!`JYd)W;<|36kcV9V!Fy@G!F3CWF(`%w`SX+t;+<`OtdX~cu#a+~
z{c8hZ0~_eZge$0?x=mj}#P4Il*r~o9P|V~*gn0aX0{%OS!HZ|kvhYWG;$GPV=bc{&
zN1+MsCS$tJhO>yH%R3F_JALK><{F2h`JYbT6~Hl1-&!r<n;kb&?eMTJN(4F{DRD(#
zF-@wTeeAvB>=S?5E)WgWC}akNr;>WSBt6E)M(uHF8VjLOqLRjEHH;bq3o#B#9VzYv
zeo5)!**#k+;B=ME492F~8G*G6Kp{=_Y;UD6OqXloKac@>45<}+qDlj`$skEhUX2$v
zU-Q5>7&Y<%4pEd51ysE`I^?!DZKBgvo=t8txqU=9dx`w|F&YLDZo(m;e2(r{0ULDk
zwNbKJArUMeQOa_9($sh`mo=-czEqko2m+N&X|TGeNI!eU&$h*6Q>K&%j!LWEota1p
ziP$tSQc7kWcwBT(X1Y!coTe2=vXXg`_zHZFq?ATPA2&fzBUnn6R-7&OU^nQES1kC7
z5t{P^M|nJ7UBtg`?U3@?ck_R-_tsHWu3z7;fr6lPC=H6FARt}RBGTPTcXy+tln6+J
zbjKnk7APs*-QC@Nu4Qev{+{!k=Y7u^XPhz4e`_z<Yu)#{=T&olKi_HAK4Npz4qM-J
zyjWe1<wq^6O&vNUEB2+(V%9s1PJ*z4w)W#1I%x@!YpkwS*f6831u7|6#6n!-FS4cb
z!MT1$$K`qp^_n?C<QpI4UK|ZE2Dq%V_uTs3*ANlDzFJE@<<zd@%wHWa)5d=Tl?4>T
zd+`J|{?XF)k76^c$DlllH(C?JuEa2PEp9OpnS1OZvRKi6evMz<ZpPjr&lm5bX{g<$
z@Nl7Ed|4;w?rk{=jUda#mej1)R9X)9g$VHu=D0m`uLcV`CS$`jHRuS^PV|>U4-9gN
zo~mOczZ>`q^|fK%`x;5_YejiGVy{|aARUa@tr*@foHbIsVKFHZ$Bsq7W*Mg27Hz_O
zf7fMVSqvXN0%}mW*#Ehq25)w>X3}XVURF7_Zb8yJj>Gn&{G;ewbhpS-0%uZNn#s!I
zxI7A%n52>fQf6Jhcz-KYclXl~?DpXe(z8VpUVuEz@>JdUOFEL0m422ys2r8T`<f6|
z&!KLuCNJ{Q%|H{?gw9FW;d@t(N;Hu(VtK~cCVoe?Sfbi;vYUx+&C7mFquOUMQ%%&q
zsr`9GJ<=oqHHWJNh(Hn2Ld?)KxN)Zf41Wv4m1vEM4G!JU@*Vu8$*X7G7UNw^lkLv$
zz6%Ps?f?O<%A@$E$OhZ)k^txsgoVRu<da1*=9<O5%X2*9_<i%cgP@^TFGyDT@i&a5
zgL$%5&tt8-BNiE-l{g;5nDK4A%Yl;SHj&eU7Fs+aRyGwTjpDnv*pH|#ZkC-NJr%CW
zQ>zr><>g(Gl=f^oU(|x=Jw<MAO|&i#Mj;Y%-HMgtYyw9d2t>nJ7s#!}Mp&``nha22
zlYt(Mjzra?`q?)H5#<g}dA%9?B*?F;c=_H9N+IkF5I_a<J9x-Oi+7>uVN}bEdq0jR
z&FAwsw~73Zya!rE)}OC#yQi;Z&BsoO?&Ya{QY;CKaN^E-vER7)wkKH)RvVLDecebq
zc4)>DpB@|$%h1vmr7XzUl~%_RKnkXMty;!Oq-5K>HmdE#s1wJoOX__YrpP)vm~USQ
zlLVcbFTocsg%3KSIhhtn(8NaW&BMX-2A8V`Z;a~$oBcxlIr4<=SO=uG7@dizskX%T
z@HhGm`%4^Nt!McWd~w5_;U#ch3$ApYr#jh6mM~Utvn0UI2)uMIMvb5e0UZr29C8O$
z_R>-D%A*^DE&`&NfCEGbFmxqkS9Q#==qF6Ta5jyU@#z@X@2qiZ7wlfpJKG7xbR1FW
z(P^5<OJ6;ccB-uxVJ5A}Fy8h*?4FrF5v3cj%BYPMc4c@w#G&%SuhZj}R?{;nukt(=
z5HFqAcwN!(Wi-2i6(t6RP77vX*2ZoZ6_Kf|>|n$apgHprsuK)lfXa~oEM<Bz;>wDz
zNcK^9&hc|^U`GulY|_NfzU!lcyqnIQ*kngI?6XzhasK)MZo1_(VuabYjRKd|-dDLq
zsqpJzV>@17ii1&%rHz^bA7@DjR}kdov!?UcCMz)MVsbVxz$B2-THcUeJnQ))T#~Se
z?0=B_d`)D1ra_cBrhP)uW`ZuKt(S*6hn{=jG0OnX21mt$my+*c<7)n}^VrLcq81dw
zAr0>oo$Y*<_Z{1Xj)W_*-$up)NR=A%4<0AaRwP<g#~c%X7mH8f!R4uzlQ!7v(nlF8
zd0e~U%j3*xIp<3QHku)CmI9%lEsjQ((4E3&gNN5{xPgW6!NpwxGVD!Iqmsz2D4sj8
zS?Oy|%<FfBe3_bh$!@>(@y&V$B7^@kOq<n#RA3P#DA$lZk2>RkMHlcV%i}%?MEc;Q
z&CKj+kEkU3y2_d~%qYq|toV42K&d1bfw9v5@(%pf2~?8LMw?_;;|*u~D^W7r!(6P1
zA286sna!FP;jh?O$MEg-E=Zodd?gThvxJCFbWwyKV+1RWLDL{%gWLXvFx^CQazyQt
z?a=*}a1u7G=8(6D+9JF+;4cO3YDqb7f;9({8()K;L{^zU6ccC(73k=Dk|oCLm?$|{
z_XIin7@U%g4_-;3IpJt_s>Q}augtP<?z#F8`Qy4>9Zgdsk15EiA{x9$?@YmDgg$NK
zud(97?3fdHC2+Oacp||2&b|6deX;YKx0A4_6)JT?`M<PB?Ps4UN80s$X;Qk*8v7M!
zX8B%Ps&Z~UKr2ixxINuUr`O*q3I<~Hq_e0@n(Ja)3je*LKw8<Hk?G(^Dh7Lz7Ra;d
zrA3N<O&NIz$*s)my&p;HQWU5rKJaL$<IyQBRIEwml_89-w22}Qf`hm7i~j-QeMUNY
zPs=RMXRK6^?}%+ZVi{SJ9NX!M$=I{ENbTyR4n$_LKJrKAF>S9A)a}S1heF69CgNb<
z7bCwA!NQtt>rgQl@f2U^)IY!4_VJg&PLK0bk;L@^wEG4iS(+@aFil|db;_fWU5~X7
z9f^1Gk)pm#2lblNN-~NMqSOu|E(?h?P0L^d?7*2{=E#AN>o5v(wy8dqAk}r3ln48&
z<&nw3wJ)!%7Te<Jf}3_(%rEe#%c<~|KWP+5eXB%S?~7i;xCBDPiK?K?gYu%i#<Rj&
z;gUFw*R<;Bb6ZY+Wrr)rxX|uZCc{aHzeW3kQ)8r5LYKeI>NAXQf++{u9e*`F%Dhe3
z=sI?VnD$#Pi$&%;IUTO2PnnGB3?5%J6Y^HtEDJd7E?9W;8%5>)7;5aB9J)jCu|8Eb
zdAq_T4J|hOht3Knwcl0ypUV&me9Ay!R^$u5lZ%$ry-O2}yLTy|Yr9q{z#IH-C!{S`
zkIr_jy@MNMx(-|qV~^qrU)9}Q<`wUMb(Iild#!i6&Sx1US}jo5A$pw1$1O=b*lU@x
zz$qvT^zTr%QB+>W!P5%1!%rKCk_;(J$LwYc)2jylqLxyzWPty<&4qmX&$PogS_Ic8
zUv>F?-%={OwXD5=RE>V7P-|Wc$jZkX%E`XwEE%uTMzM#Gd}btKWZq3=sm*K?{?bUY
zt0T@k>aFkufXHUo_VJiPuc0Gjw9yr6QE#`7_Ud)?9KS<tAttO^_!=Ll7|?*CpDapK
zuN`bpQwzEz-GTT7GuC!6p)EY1p$T9;gZD|%j_D>-vrXdg4hOb|KFtNW_>PQP-nU6_
zi`pWhqQqhVSmuM0uI0fR8-3#<rCLRCn1nBm7W#I%%@q`Ct4r1@{r3<2bbO=smU|rZ
zn@3EmTbh*fNd@%c+vu{J_6IJUp{zD5PrTHtC>F2!&;&oX#*o2dy-k|nq*q_{HIxGf
zi&pmQx&u}(y{1uR-fAQ*$HYomO^1wHmG#!E{2ZM6vzf=ypf&mX>9%p`<kAYt=yoIL
ze)wrndMwzfP@OT4YLVbw&PL2xgjfeg(8c+HXjq`%4&Rk*vZ?!Zm_LiTGRd;g5ooVo
zPg*pPYr^$9#;LPYe~4oO6ksUc*nju}{zD~>+>eK9{&DdcU7Wq{JHV^v*4T|LM;O+W
zyMfBOEhO@>$omIb&tvJp$zqq}>GeMqHpJ>+Zk6aQkfTtDuCNQ(;%j_pcUhT`)*iq`
z60{<uim=@WNyeBHxvH)<eKkM8j;||=xqg0UXWggIY(q-9WHY)ufElZ>yDv{Lz()Hl
z;`7CIcyN^U?IKv?-KfkAJufR-y7$ixre5Y+_pR+2gNQEUpM@h2d%l<RE#cNu&c$Cc
z!9pNg?R;$Cv$GVloPQ2#0Vfts@<0FdAAV;MhDmlb<o2{+wMa)C1Zh0ZQ!Mg0(lAc@
zggKMxO2s>IV1+jQl6paWo#k59DN2H5{<2TXP*7cmu4qI6E9T}r2g>qM>et7}ZyO>A
z5>mzG3bW;C&cm+wZ{75NoDaH1yyL<js-fFonrN4B@;CiQUHJ42FreyZ1RTZqKM<Q4
z>Z=E_P@7eGM6{6GtdPTT;H%hlxB2tn=_(94C#jctPyqMOrT@4Ya~}ZaY;;*lA09uS
z&+Kh|L{O^w$v*0#3rpa}m>+5~o9vdf2OSVr^f4tou3VeU?$a9KjTn(;m%v4IEPImr
z0+%H*SJm(VRk`3)3l{wamy^gBHK2;svF`yUS*Si^(tiB4Hy<fK#n*(p_2Wum4<8i4
zw>C=}L|^OgN84alnN%9ff^xm~kfZwaWBou}=8ucdF%JW8CS(07z-$M>kgXdxZul*J
zu>-%M8|eM!fP5!g8gxR=&~1+n<8gD9o7)w2TUU571;We^we-&w{0agqj7VpsqWu7s
zOeM9^?;T5I_TOTqSqIGz@Jk&kK}K^E{o-(qz|o?1<1UJHzP->%l?h2p3>ye5DUu7+
zBXWB@=#Fwe1>RV(h!!rlb^+#+pwcb8-{V;`?(-(Es2BX~bT?s{__{I-4-is;$NML9
zPfT?U5Gg5BQ&SntGK~TEGR5QAw>M_Rz@>*>-?zT*Y5$v*z;B?f9xU918oUZ|<*0jG
zbEDb&0z}aWSpdrJL(;8|>b!&fXv`u?T<umez!ZDN;e#nF5u{?swJcl0>2EO6hWicS
zsq=|k=ehfwS2V(Cd83fbL$=`Q)kmdOI&*_jHQi}E%)MZzB#00)CtLjN6_sqpJ4J5M
za4Pw&fmi1PrhFVAB}Cj!p9}Yxu6V{1!ursCmn{hXiVq7yESuE_Zv5k0YEZ|13NYo6
zONfK+Vu?Uy72|KR!<t}X{_@7pr~f(Vic_^pjVtsFx_z{*^*s7X=8+;Jflf=9-?eMk
zD9U{EP>Dio4ye;0?x=JR`G)>xn5P0j&~{|hOUh@T?DnOV&mu*C!k)G$0#E(bR)G?S
z2T)@5^yoNx{wV+4C@Dj`=>mvzqDcb0Vww$vm+JKdPWVbZS7SR*qG~nA&^{mI+pSq>
z|1-jUO<;s5vjzTNjP=<Y@a3jKT5-{IlG$l@2o82`fM<XRo<Sn7N5m~pFR$)5@YBjc
z@Bgpx?_T>uWZ*}%b(q!v73jpM5irD6^n{i9pBd}BqPSiIM#j_I(hcN^x8n`k4b>?K
z*pEF%03J{9H~#s6-x=>;ucsKmc}-Qw>+Rov_Yiz))JuVgT#d4aOeRN3{8$?3(-yNJ
z*zS^I{-b679o7Ez+PxJPl=rZxez+L?`iCnBkw7)6_Zm&EblSfp)8f1WImSiIv+0f}
zYUis+$zRv?U%a4&k@Y&V83=!F0El0bf-!u{yU4hCMle$$xC1%HS<1615caVd|2KT>
zT9FrG7l+xN`4FglTu1-!?*C~OIm``(h|l^b==p0dnDGRWLi<u!Um1ru5%JGw`N!{i
zbQN}-eu>(B<DVe>KJ<OB!yY;U)O9?%uXx%Yxx}TNk&v&K{Wconudn*gFFxzQ{?7nJ
ztbeASpBMQ8JT=BIzLYBYw!mlaQ#C)62Kp?o@8V-lir*%jKQHCmKSjXgbPQCoe=jDF
zVOn>%x^Uw-Trf6t?+|32yuAyoroqU#`rq9CCz$dmLMoB;ufKEm1Ha<KyLq}sa!&Ch
z#rkWK<2d#9z~$mL(*O4To0F?R4Rrvuomod~@u=|)2%%^H`yo_0jFTmsf@~7av4$O?
z$q5^s*Z;Rir~P}EYH5d+Jxfs^HKhQSc^{1>&=e4Pv`Pt#2A1X8zvha6#g}^xY&cB{
z-#!1!$zc=Jk0q`Te&505642y+-@!c8z?vcWWS?N`GZsP7vhYHLtS~)5jOOn=(7(P1
zSZfHt9^~W1?~3o=W&?M30ubSA?)DYRiK+%G6OdfU>4w{3Z*i1W;Qmm{Q8cI|*eB#6
zrHYXob6p>xiu~Z+kK|5FS1NuRAO7ds@iTn?74M(PU}5fgEBs&Ye*4ok*c1d`-(pza
zLzXERdSbnIBofVJ7J?;1xVZ`h92tPDCU`?k_xfux`DJ&{xWdxPxNsOFKZBtn10&gU
zZ3*gE`IDe@&1^g*(EOe(b)>{ldZjNDgBf-2hnSD@>UUl^7MT==^E<!2lE=f%gs=Y#
zbbd+$Mg`r6r?Zd$oOq{T>-lcc)j%VXi7%pu%b_Jfgj?#gaUnPRZ+#RkBkE}~;$PZi
zv@`iiZp}N96c@1^sDXm_LVll`e|{&8X&{6Im%$kB(TR(n0KNU^(>|yQ&P#ywZed)z
zgfmNytF#5ZQ(R80`!427!&ogeeM~wKt%ogi@pSUg6w3|ofZhi!8Er|+9R#D5oZgK=
z*bEnrHCuzON_P#{aGT(qUscDT9Vt7tnfPxysJhLZA|##vx`TL_=m5iT=s!FdARy#`
z2P*0Rfa#|k{=bCjgT&HN?|xTX?cnJ=^{yKIZV7NhYv>1?-Z!ffs(}xJkbbT*|IOOl
zFbT05*%`u~A*jF<O2|b?+;39F03H$S?7S0m^2Zc1&j+iBherd=R)M%8jczcODf+yZ
zx*<ae5OcSQNf}>mNh((um(w_=AFAvf#6a6(Lf}2%_+S30^?_X%nlkHVnd1JFg-2i4
z4D@;z+V`e-KXKNNSB9v|DC8p~0lTnDYkf6aRrb47Y^e5oOK32virsPTE)dR*4-x(X
z*aI*c-URTdquk?nUW&+Xv$Gii4^y^sMsqoE7k)6|(_ImKjGx1bI1lD}F?ip7_RlTz
z(=(Xa*BO2pg$jWRA7}P8&QoMoj5#K%5Am+XF_YC<8hP*=pI(@C_}&()OftKd^$sP`
zp#2SWaT2=c)Fu5qjtZ;9Xw-XW&O$6wtJH%N;pn=DhTeq`@aQA2ECiy)mRPn>9_!XL
z6nyV!L7Uhyw3*?%Xw(&JL!%9jZEzpp9wh@mz~;A*NA<gdr(R%NxKKp7f_ve}6<~J$
zw)J>pZEdUMfYm6OrM1f9V(MhJ9qo<DuVqUEW|Wg3bbI8+&*%Gdw^0qu<~Sz_iON(K
zO-Ls8PlK1oCncPK33UbX`W>inoL)jo_95ZDerBjr0HU6VY0jz9!?kIQ5%VSXaa3n3
zoo7N!@$JNX;wMIC-E`plsNvE&BL%e@gCZU>=O~G=S!$PQc90+T!>I8la*|{FWb_Ku
z#wMR8v*^YA!MdXXI*pjk>Vf#7c=PS`Gd~k<R>FT)zE97=#VLp+{`S_7S=K!YEQY$c
zuI~;@QS%pH%M{OaiM{D-O=ax)$PRpDnKPvpOm%mgIiBe9Q>-JGFBYu!5OzwJt7hW2
z*kGL<5_M;0zuH^c#%M_(BO?=Ai$7ThwP{Sp*{k!-VXqldo+o81eOTvoJ&P2NWfjSk
zPET^jXIqNWi-#EZCfq(^ATk|I6^&Rv3B&{E2G{2yq+X&+n`7ntpzUL-wn(V-M3n=D
zgXQ6koHDb?v{r>YN&6#yP+H<$?oADCa^0G`I$rJKQ>fj%CanTyqUD#g@)ZuN*l|2W
zd{GR#DLG0-_V^u4AicuJ$4_Z8QXIzQU$WH=Qo)ez*W<mrk~l=){0*$z==9RF(qrR>
zEz8zG_0k%+E>~DB(vo2x`l<pqy{s_GaV88M7dy|#ATQ(RG;phhbV2vPc=&eA^z^j#
z-V*(D@;pJ%k|LnrDe7C|<R<2wduqF3F*D0HFZfwfZkef~*tFSY&u(O&zcm~ii`tYL
z?o!$iUEiK#H`_m13)~eRJOUGnFb>AhPY(sVTU(PNEcJ}{#qTvR2Bplfz2ixNm1scQ
zL0A*R+Fdu@;Dpg7?W-j5;?V_v#p5m5Ioy?b0F>zopy)y+HG#Jil-VQ<aVMXkV707O
zPc8bPe!fBQNnDFXJw;}aXefYhMcZ%L^hird7l>)p><956M{p(_HZdDqB~cQ-3%b?n
zuf1=^f7Efx?};n$)!M!~s?Z{oJc5~0Oqqn;4^zByBeM&xBC8h-vplsg#2YBSqE<~H
z&SQ2f)tqEwHtfEdCGI2R4`oP9m5XZxxHT)c3DD!O$f=dTIm*`yjNKE5F7fAIY|TDF
zRIT#d@EOOM$=2>mwGz%!C@a0KRBn1Mr1PA1(&^BxZ?|6|mb*UscobimruL~i8cL;X
z3n`)f{>m{`zuU5)(q2PEsDAs%{*Gdncnc<_!O%Ni*>$h1tY@n`wO;;xW}jb@I3hwI
zG0bAPCkw0jnzzNW{ezFE&KSZqHa3Pz{14VSp3+ECEA6mlNmk>Rm=4Ff#xO>>#&8AK
z5_z}MFAq)YtaL+To_sm2-kmtLo|@vVdk{QY00<=AeM8XwKrH%T*ZP$f;W*T3Fr#i%
z$nD^kPRlOk`s<%w0Abw}GWW3CUH11eM+z)3z(lKt)v5!!UM=+#jtf*Ovl7_JMKxU8
z#fIxC)=1+RdKSmd6i%(;ZM!~kf3(<q!k9{`DslwiB&|V#QvTE=B#BQfdbCe=^K0-=
z8m&@IR^?&ZwxzD=`+L2IGMO)yrNx8oxgU6@IqwpfOhQ6C;yLvCUU3V?yL=caGvaTL
zequ|74pam?t*gLNqC02UYFV_KPF(cbqG)$YH${lZgE50Nbdp#HgM=yzLgi_#N$!$7
z(WiP1LE*>qcRJn%hLa&p9I=;Z&Qp!J5$`Cc7-Q4QzVp6K_)IP#Kk03f>JF3tCILJO
zLE3c*lW=USj6SPQsoe!JgWOMgLq2I-7CR5_5HiHls#Vjh>pn~HFdWDb;yK$ZvWT_R
zY3&J~6iaN@>^SE<S4ie`IxyZD*<8cb-giwzPWq-w&vUi7%xRN}8>DX-S&?qq?;5)a
z*5u)C`i<%#x{U<#T{VmC#-82-)hc_xlLI2{v(mZA%1Mbh&0RbrV7iKlU!`{OVYYO4
za~!SC2Udz5wH7?IQE%E;S_I2^aJ#wI&r}2F!_S>|wtjlg2J_S~h*&2+xTU8{B!F@#
zl|aK=tYqMd(IvKBhDCniTk3qgBU@!}5i<)}G6k|g>6FIK#CT3W`-u#yZTQ&zm3|B&
z33gW+`?Dj9?a_xID>8L*)~yRVQupQUD0KpPlCPjS6&WBnRtEDo`{J{blQoQ2W9=Jj
z*Jp!YUCidEiuv7e0N$to&_;@WuEl~xqQ17%*!|~@^|J<yG^D$KTucNL?6A89M_)Mi
zc_{9m87!SEv-x^C(5G$*Uv}q=D;U(KA=SS!ZO?S@yWLkNWXo=KKenQii;_hNYo`5Z
z^%|7tF!J~@g9fRdAv-EMr7eR(1~Hsf>m>E;lP7C0UgalXI4zvV&2z|h2!*m^L5BA_
za_&E|8zqZjDCx<N)s4Q0UVp<<A_i(`1`+_MmCB~4RVg#%O>j92;fLxz8tsD2lH<4F
zG37{T1e~fmR#E~2q0W}}rN!i_%PH%)Zi#s>QOt5Xs4+4zx{RR6{wIXKQUPn2W_PYb
z42Vuk(4523NufZP+v0fkzD74L!uVi1{9h1#H1)yeAt7`ixw70BCR*-na(Q)sq$qRC
z+H3UjtFgN?2gBs9%cIG9`4p$x8g6YF5*dO;X$K869=U`Z$li}I+pu3Z2J_&p7kYiU
zekyaA7iY4vTeqIz$@<<agPsf<#f4#qpGvmCT}+N(k)&qLY$WMU9J|X%qpdYH&6sMH
zdHkC}?r+iusr@f+-8+nXWjN#)fv#cULb3gDnZ;c`UkNWc>bv;xPI6Auj0Sf05R!X8
zG7VgwOyviX6qOQVzrDVD#nx<h&R%9@Vb8x8%+uv9%=)TXWt07Z!`DA|f^Mk#+nO}?
zkl?(BUcyGT=@Sq8`;OH_!{Gko4%?id%KQWW(}iW{MHgsDPO;t(b$F@4K#qo6+Rl7S
z3&R1eOxo*Y)N+N+!3?v6%i*>3Q+Bg?*t!KjNE9>O_%j#rNzC2Nr^tTe<I&w-^_OV@
zY^Rkzg7)Fm!md}$1vy2POO2yO$Xdw!kAMTkN&y$J2u8fpfAiE4n3<-ZpB`qnHx}}~
zxf#YUFjOD`n4_6GARNVwKVJ*hQtu?csLoNVEG?%P*a3+&Ttj?>pPS8}XSko9Py!HO
z*cnU4Mo_7_+8oq+(*KpW-SgwdJr3a)EM9}<L~rPN!+7X=-w20jm_9_qstoIVu_@as
z#1`*erslNwfth5Yhf86pKLJq3ExQv`A|?L11;d-2S}d9K+KZ$#F>l4?CvxKaxlIkI
zyN(|$VY)zRdn!LTuqb%iuQdS7^&&)*X1AK=li{Hy9$F&_2Iw2~M$tE^=ZuXpGi6I&
zTO3wLYX@G{gEDEj4KzuS2X$rM>7b>lUGL?|9-{ybove$x<7D>bj6bapHB&%k<a9)$
zzbi^os{|K0ggh10QCp#EXfw+*b?|cqX@M~%Pfj{@Xv}BxBLSnOHA@y)W})dp;1o`!
z{6N~h+_E26lb6T`UrWL`RxziRE?h24uIMIEJqDMWp7)|Y6TdJ_n#)}os=?1yU%#<3
z27zv&M+!SGj}|RzL=)F*J^#7`a~z?IUa#vfEXxF=^m);mLw;z%mx=SC)sgA@!UnbV
z`M#Yf;X*F#@0CmR^W+18KF6EaKT4-nLGqH9|2FlRd8JaQP#B$tx+a}NOxf8ov7ytC
z6H9;#s}}Nl<EryS5o$=24|IDC!?<nNTaZum8jkPdXoK>K7r@ly!mxS=i78wpBElc1
zqlE3UFQ}q}pTJo*W-THfamjk9o2kayqI5Gfe19XqTKvmssVIgsH;+a+Is~T@e#Wtt
zv^=%-L#qkRoNA>dTk4DDySStHJ0aA&XPRd34Lr+w-oT@<K?$iy2>ru>Tu_X<q2vt3
zVp7V_tI@eVf!?T;>U}F!lFORSeuReJ-NDIwHD>}?)L~_rdcdNh@f)J@FN=y0YYh~e
z_U{|MLWW73fHLTv?Dbb)Ms~2W^`Z95t%LgF2ZNZ{)I?|`kl$c=HFAX)m&;WhD&^d(
z+-{%zKV3xL#8vun{Md5;3}khIi%L~az)*RP@t*5Mt@`?!4Cu{Bsn-!py22--q+l{x
zq=&MO-8sh!xpUx%gNjNV&ykW0P=zkEZI3+k6X;%#Xpi?uL_}g@V!itI5fS-BK45Ga
zIxit*P^i;kORzcUVq#=Jy4sf++WW4I{iLBY3;U7sgWzV9mliLlYrQA|M%hz&xxYG?
zio;tJQ4LhLqI9oSd6<EX0z?F_3Al;<JL7jr0uD`=0jX;u#<#W)_FRHCd?oWW%*q9<
z4pfU0BY{+QMTV;qb7<TVRZ6e1BYV$xwwqh5Ih2zhs`2$X7qwpM9wmCVW_cfFedXoW
zt@fkcYhuIZL4026TvnR-_FP5_DQf9v7)~9G<WAFLYTdy&LYw9V-N0_yak>1(p5os6
zsn{ar(VR)qy(qUDUiB6AM?Rp8(Wa}i)NX!aI_pqjO&v??>!uPU<e4<}JP%<z3<6BR
z@72O1lbx1tDL1~Nls&m<O3<HC2%R?s+P|(<(z%?XVy8pGm1A8q{wf`8wJ7La$jjB$
z{AyxkG&E4+tGP^6&~TF>?7;#h<QQb`wOeM}?}-iG3!2^M!GB0-dNYInS-v2@ckp9R
zQW|Ylh&2Q<&RwS&_WuCv{)+3rfZgjlnEo^DzWq9mWe90|X!L=ThxGD&`i1q8Qd@*W
zTwF(wlf6|l1nd|llNVaTZfUlRALKjhlKC*rSK96wz$AszPa3F+kk8!<wc9oEg>|l3
zYTKcXXPFop%mXG@xJ2a94?MA2@qdQ9*JA$nxI6vS{|I*vWl$RgZZB$0pH7u)tlRA*
z8i$6t*+=V$o>rZAIPE+Jxc@H1KZ1%}AsKxpvw}TuS3bY9qJyZP{FE$@=Rly~XB|lj
zW2nl3F^<)OPyQL;B;){MgNW&S#u@<~%f%+5;Br3ddffAGV*N!FgN`NYuthl74c#T>
za58gj82|@i-?~oAnRlQ1y)xRBqPd((F=uy$V+q);%`<?`mgYc@&gFSPB<NmGd0RUq
zkqz?cU4!G<m#gF#TiIeUzBPF5`&Ds1sGXypuZaFy8$-Vx2lF75^{wyOXGod@PlNSG
zN~!nOCl!Fj)M94+#75f;2W@98)vf*Ps5tiU_7~0XhsxWXDw4%P2#Zd#2^$Pd;`C>!
z#-CMDrHT`hTsw0RrMRPvx@|*YW~}@WNo-ZBEu&_8>y9CdO#)Cyd)(QTcH5R9+n^q#
zM_MUN5qS>Jotu;;P(Eg}z|3@{84MZ6AR%-j8!6Dekt&9_9O!?i@UR3?E=y!|tv%p|
zEdah<2a*@@yxm{(o1}@vd4s(>h25)70U2_MLNql29Z|dTO1dlk+u`P)Ww>eVv*ok%
zo-|F|bVG^VEWYHh-AJMxzb_E9fw&#H8YY4f$89ZlF4?+V(~&|y`|xXjWMgRElI_x%
z*no~y>wws5_`UKcNbmzNx6X#arVey}UHMxm^h9n?VhjE9i`PSGISy>OlrCqoLB*XY
zy;&`a+R1h<KRb>LdA&8hlofhfQ?{JTqRx_a=N@zI*288}5^N;F@F8kVz%&K4XGg%_
z+Vm_BwCPafLTPVoBg_L?9m?7UZ5A_IHZwYW^Zx;}en$Gg#H>5bY`w#O$nby4tgj|^
z9OpTWxg=^-EL4)ut{4-=t#1Q=&bZUeqH0G=7v@oj<wfLr<Stm441Q?nK=%iX$3E|M
z&<LFpM57o|>yZC{{`|k-&o%Oll}@%RDH&b}Sf4r>#endY;|PO=FAPBU`d<UkFZDJ#
zr;;hESuftH^ZB5%U*!#<YN&ZlObmc5C}NT?BB|Khw-gAz6w<PAf+_qIS07lz3Gziu
zI4wcFR@^4)hu6X%*p*o|&+o(p7Zx!Vndwy*71<4+t~;#`<`e_8{TQI_a~VskFti<!
zR^aN4*eozV73o%c`I4B6lFySBNh<U9YGLx4(y;AHPx!^i-F;NYiM4yOXUqD$xlpx(
zqrvP=VFuYn#p(HwMZVON+SMtrYn<Px=x>cfM3qySaOJjU6^o&l!G<(_jmTDDRKVlo
zl*k9(4r)9FF*h_f)O{+BBb%CzJpoOus$uv-o|PJ}qVz2Jj?dYJ7+~9NPONiaY`fJr
zwtcty)jAbm+f~gvipnUlY)9ot;)mbhA$^HqHhmzrqx?uJt?CEbuCg<?%Qxr(y!-TK
zt?X16j(18<Ba5~jq;=<AGpwMi@pc+_BaTlXg%ey+3VKaTYrz2Y*>H`|f+$0Is5z=i
zEYH7<hRfeZ13iXfk?x(iv(6Z3ktAg08Fs%|0=L@6j;IvaGAYP0s~qSyk+LK6p8~By
z4Eu!02bw6f=u$w(&7^*IMmDLft)1Ie?aonROs{3xU_6WqW#ml=ve=%q;nZacs+!SJ
zKrX?P(ad+CQJkxvH3pf87h+I(WRm#7uG+`{q<p{UcaNAn1jy@8HRtZKyKTSMka!#Z
zg)9ZNb8M4{MJ?qEHK}%Y${><-u4YtQKV)H+-}exTI?aTw$r&!LRxUixJ(^>iDO-KJ
zc&AQZs^hd5rKfERNyw#v?`rWUr(#I}7+?`zMcNzAu%+bo0_nGb#1IX3@A|opzP!PA
zLH;b_;E-bBglx92JUhrnjo~D7%4JQW)26>_BGKQ}G%!wdMJ^!>wNr+B?c5JqU>?o3
zu0W-hmBO%IaK5r?rr*;kGlo91zdjzyIv17Qe8yj#-IQUAw9uXee1NjlC`+|beAjN#
zm)1|fjTRg7ZdUIy5BnfZ&ngyY)`=Utn3v?8T~gtZ_PCXLwU*VZamkm=mbJFZ`yvvw
zX-)1N-ju_dwN?Lm4FK$T-vRc)ZvZ>WnyyDA$6zAMQ3fQ_gbz@3d2~$J5^UMCHYWE;
zJ9<_hsQ`d|_6NY8+A8Sq17I)x0kDrnnq@eaWHnOC`aXjJ?Bl?|j{YV9*mv2M0&TK(
zxpi?rq~?U5CU)%SIZa?Vs<IDOrrx^Pd^vu;od)LGPML<rm2;(GDHZC$;KElm4d+eq
z2tQqDKC^iML-6N`N<i_L0j%aa@cg6?+&N4}o+uH?JX0z<{B-wD6xETlv-)WYU&qdF
zEMR#?6<W{5Vwk%x&QEo!O~-+WKO4a;gVR;(5kE!5VIx9+gjo(=U!2K$3+_L*?x<TR
z*ZjnNS#(bDM=G=;+`0~HDVzm;acrm9q4bNN@TW@&8z?0`^=-(;s}6l{dc`HOU8;t+
z*RkWIqL+Wi)W;fOn0lPQOfI@o;6t>*4XG#zE$o>)x46V7bKf2i$`Y&Kj&M@6a0I^+
z(C$E#a8Kn4M11sR-cQc=a8Uy<b5~_E(&r(+m8EZo=ktxTEBYJBa?_vRPew@Pa}$Y#
zVl=vn(#hp&GMj}eOxTQV`z~&vl+r=Zs6Y{b3{i*vMOIi4ijoOCnXPoXI2nI%z=h!_
z{>TA57So<s2a+c?Bi40!=i7z}priKMq{8}$vCS}qer2JfruO>FZRt*2;q?iK7i*ti
zWix)qu+lRPy#s77+QjPf<l4c)mk^b~GUI3^C~|wF_4((G%%^R5&TX@^&aj}#rz7-F
zk3CjY^W#G4GwKpREF6A_WI0-DDl*^7B?>b5A%vJ6aXiAHe_-lnqo9L)3C;{qTKZ+l
zW>Z#T4sr$IMb)`Jyh%cMsPt`u+6ZMU{}n)l5#d!JfHwB?tbPPg__18m%0@69_~x+$
zEb<aCGg06jsEoO-`MvzP8^pi0Ww!<T8-IO^&t@qJnw;R{ohuaTbrOyg>iCak%je>P
ztiWX2I<PZa1~dFG<eXZ8wp_=|Lbb-hs;{W6FH=UwAN!H9@m3JqoUySB;+;EKbS7#c
z@rxs+Ce&puk$DzTP4$Vo4yqPprgfb*@opCmRFWT`s<xL5^82O}P~QGi+4J;0@w+8Y
zd#3|}6e8D)M<OqR$ltuk0ropnfs^(jjh8kato4t`v8N!Y62gU4^)Z$Eq)^6vcQFNQ
zJ32uuB%NZ)Q{4ti+=@9*sSkI(>|<(KWPHTc=I-wJJw_|r9AgIbIc`@l$V`|9&~Y<<
zi=ha)X?HeR%~_#4Oa7hQOff7w_|iG@(3|h&R7tU@Yw@i<H8mjdXA~fits2a*6m-V=
zp`tJ*6CM=`C$vW7cLD6&uP#Nk+)>W+p%S^E)C&G+EepG6X1|Vb9BBF^cFLl^TDsm-
zU)X>Y2q`y`QDbo)o5UNCN_$aiG(Itr(LLEC5$YDwkSydXVq*w3>=hW^?PE+H9?Gu~
zOMg`-+>!*k%~E`Nr#I*xzA72$!;$zV*ugngf`TNzV?VV~+pDPXm5ot#u!a4cg_e*^
z^b-U8HbT%Oeuc%5sudU>Y#^$gqMX%#vU_loBtGvHNO_S%?<0<#<M%<u!?_3!>GfuJ
zQ`%b2B^MnBxi)Wc(Z;QghdPw-2-&%{@l_?b-jxVfx1YEO(>|bTj`u%q@QZvOep(fD
zTI5obqsnto+Q+@Y^A@i3NBJI=(Ib22UQ3dozxJD<s!j;2DQJwjQ;x(^dZ=xu#u=(q
z@Y16=ltJgYCW=iI1Dg=;^r9pQ2}vOV(w@3Y{{b7ELL`3&Hl2Db5C{^F#$3|-1k7h#
z5sMKz7t0t~!W{%4?=rAK=rIn&W%A|kJ#l=E+Bv9)@VE42@&PQ40_Y#?*(q0Yv!A7#
zC5c6<JIMH!t*#MdF)hEtA4+Gkl4(L5rfk6Im{hm!zaP(dl`w%=r2-SPCl3LuIbIp*
zSvFr4|Kg@(>Z?)X6Z9}PEU}HFC*jnnPlLV4^OR!fr0vjZ2V&7<P|ZM}&%RQAayB^Z
zX|b3S#_@6&ALWwOm%iI4`xoy(VMU8jw`y+u{Hml)OP0C&BtxETi8tEDUN%}?hUvO;
zOVyZVj7NgAkbeYC_$kQF2j1g|e|Yv-Dt@sJr9x(rh5c(4`Q_dQ%hLmguT#O92D3uq
zVq4dTy~U!t!S+e#d`zi#Ici2?w76fVsWHQcLn8>EjLTwsS`3#Zr4!x_Jv$Y8dVq0B
zJXtJqAF(Z}S3kS4{zeDq*u6V~-VOfw11{~Kg!pjUl1aVZw2Kvcr^VqhB;52{4eYgs
z2(^CjLryla>S49bL4dd3g=`xBSO_0}!^uaz68$qZE_r(b7!xxJ%?>p6=;~*gb4P4b
z);VmyE+pJulXw&@>;uEeoo4DqC|}6y_yM9k4-n-<6{l<&jrF@zMu+q^CW_<A<wPs0
zn{P|{SB1B?yeyWLH^Kg{jQv#0b@@RW+i0l^e2M9xl<jB?umU~QW7Gg^;&2dK@M&<=
z&7B|dHx+xOCN>f9;r=)p&Qe0;kIQs7Edgi16i>v8^s3VJ+>zb!$;!PKK#rYhK3%Je
zA;b-8!T=#AKWz0~yao>5%qz0GK1Zh}iyd*6hvmQ%Iz8U;x!gUKyhYnsL~NR8AVbEq
z!kTQP>W@Q*-6=sUItp`0){A#&T;Qz!be$xgt^@Jp_nuhaWC7I@#8Qaccd6^`JLvL)
z)<@a%eUqP*Bi#C&sc7D2b{{eKUVp6py92dP)T6p0F|piPgaYlNdN!zY4P*e3b04e`
zLWQa`Adv<0&XG%O%<!zKnJx1~7!37bSkKkC?k3uZ>LlA4&4rVKrI~cOEO617uT%F~
zXe_spq%ZD=cHY=UZK8O2?6+=;#&*jC*Gr6w0!4hwj*rAf?2mBAD-IP)d0fce53R;O
zr`a)5Cy`v2X0`}gz_OIqC6O$akoVGUnFu1_$kZ7{wv4E==!oCOn{SR&*+>Ar=SFPT
zv^_ze?pYVdBALG6&=q?#GgzeW3&Rsx*(;Z}@>Kz*UK-TM1u~jK_gcd;g}w^s9Rd^Q
z&Uk2Fv7ixm;0sO(GEr7H`{q|W*#7XK{TmZ8u{&!qZB2Ntbnim0e&>Wsy&31_-Z?AG
zax3vs8I#i;<qIbY$g|#9u%Q~=d*Zg#^~y2VqL|g!%bw<Ik;GvBB=Lb}(<=uy3koId
ztPJgokoeYz5@+%8my=dmBSXNO#@}&&U1Ie@k**amzjUJ`KJ~!NG%J)ANrjhaZ{@yS
zoS)H<RaZycWmn-m^-|iB#-uutbYsBP6>}{kLE^NS;O@*zhFic`uDrT05@sxyW2%s&
zEVg-gBpGe-kmA*s_1JQfCr7)9jhV5xw$s`pMG{a5OpA{#YFQm2J4lV(dgA_D&$t{9
zJ{)4ph1><u_{Mi=Jhw98O~qhl$7!U4s{D@ph7Z^jZa5r%8xZmfgU&e}7qRRv%7}Br
z+-^S6OfFes`cEz{`jo3YlhpalZ6}``wzs&b51tQ?5&ee|g35UHz`CjXrtFM)R(V5F
zNmDS9zn<Y@gQzIE@1?Fna}+s8(ITtf44W%5#IT>Lt`dI~oG|dK2e?g!3Os`F*+~7B
zx|(Xat!CIwlhJ+LA1U|Iv-<^EMBVVle;&cL8I>TF$-VXAhBqi+CV?^X_8I(*4C&P8
z3oG`m{JuD585X2}?JTLU`N{h>6@7kXSY|val77FV`xvR4^kGdj2@CwJ7zv@>{5#ZK
zrfAE^ya^ZWy?`4I=UF$T{297mS4D#ME@Yo&;!bC$m<-un%SLR5;_;8KF&&xWnD99C
zCI%sSKS4|@%M$YI-k89N|I)Y-1j%K*4s0wJ&BoH-6Zvo$5gIAwD<5YDA8Dle`W6)%
z9TMVhZKv;$XwYwe%uyMnm8~8t3L_K69$s4;wkj5@>OX0o>eRtI=;_~Ir-d2tw`@;d
zuK=#>Jv=kh*kw|gdWVM@Hme`PXib!r>Uo}ZL^DQIU+4xH@|`7XXJfZhXmG1Yedzwo
zxA3)FtJtZN@c5&26dUmgo6gFU@>as*w^%OHa?Otb5)KYP{~+O-BLL5f<FJcoHX8=k
zms}}MA&0lWh_>VQr)G2-Q@=rNgesQ5@9hd1+lZmpTK4e^4d5RsGZCXh;wXRfdTHX^
z$$D+*7D=tLc%pwY=U%4wsytnKESqJ9nsn_|xz95#xc%A9=4JR7+GVKcxr*g2QytgZ
zc?NUk+XHjIm2mDADbO*?2^Qo42MDaM5y5$HA5)BaJu{h+2sP<o&|0BG=Br232uw>z
zKQk;g>dv9;$0pI+MdHA}raO6YeQ&=^>$V3K5-$H@XX?j~s*Us&`TWdns}(2IC4p82
z5iRe@M7#V#$qjZFa*M^QxZLJj<dQFZZfTKSr|oheSedGGndy4sW_lLG${GCJ%?vT(
zn)Jlx_C;kFqu!p)sV8bsgi|Tae0!)cQ-q3|t#uAvT&&5><!NO9S;K)WJ$$wD9;BW4
zFA3L$g9(y{trpObWZE)qa}_cMsF^Z7x1`^3*uBfq{Gz@qZ(<@~>x@E8&TZF|E+GtH
ziloe5-AK?W`tYy<&8J?+EPBm>N&5?*maEhL8VOJ6b1+ZfCqZmlvHLQ3U8czrKNW9V
zHy2vAy68!Kq;V7j-eJo}RWIwl4euq~h#;Glz|+Xs7k4fd%ZYZDZF1~NlZ_^ZvB^Px
zp?|-_NLjCEnCM_dx}=f1QE%P~i~8$kG5*f_JA`hoX&<6McEanEW+UK`d+C&y<P7m>
zwH{xz8BZvepi+XmnqNvifZX^|bve9M;BH)QPpE}G+Mw(89raeOw9Wm2dO!GvdRN+Q
z_JC8QFAVhtqqO-u>V2>=P7P3R=C|?AJ0icK-nek^@G=n1hWg2=ZnW#4#G5_=W|j}s
zk5*&>>pi<@^^^5>2tXkesM(6;=WNQ7Ne{A6b%wFt5+kfQf8`}mJOqFMFTvp1QOH>l
z-OBpcA<mgh^}>kqVUGNsu6{JYd{+bJTN+_Uo}hx)tc{HpWq2T&HC6N&?&q1{$Ua=L
zp5>#EsiFMyV0ca)1rt4QjgN=xwGCP96B}p6r2R*RP634L><Z0d{CL7Xk#p5<H3zp{
zN|!zj2ZZD+(=g_8n70qvJ*?-T;oOBjw$AQu?0<26I?hb<R8z>x%9l1-Qd=3(Vyx*p
z_j^Im?V9AkS1Uo0m3|>c3Yljwdep{vGU#OQ<SF(Y!kruKz`0rV(QXHv9&#WjMTTri
zMLWvJyyzj^iwF`zK)PO3iAH#JHzgoL94ezm3!biLPuF>V(hj-3zY-vtPOG*|N5X8$
z6nOXGMt}a|8Sj0c+I5zfsE{TM1q=-gXOl=7|ABS=MV`twLC8Y-1%n78*E$~P_F^{J
z>v92c?OUP;z;~oE#NKph@lEDJD-(Y7<Haxh-snzx{?yw{j}7Z1c7z?RRLoR;j1z9W
zrYZ2FhUgo#ElGtjo8S)19@^-Kqu5cUor)T3X-N&H5Rnf(=?2|tPI{V$b>CszDn8?~
z=;?$g>-SAD`K-n@SmD1{Cd1aZUO%XQV=mFZ`(cn@o&-T*B1LxGm(E8z!S%d9ul<8y
zHE3s(T#?UIN~v&Y1B{Bp*S@^<;%4Wj8%q0jD5+?iZ#|@EijXghpFlaTVjtib?Pl6E
z79|6tB7Fa%DH^L$l<3EH@StiXN5jK|?M@;zi^Zw4-yvbp#!dcwE;oD?{*Z`K<cC+#
z)6Xu~V2y}1Ig27+C{aF8C!NP3LLua&@HZUHTPJqZqBF;@W-hHKoIlcGcKV_L947rV
zXeIp`oPfu-d?l?(xm&JsiKV`gjjHiuPR>{Wy)C}vNPBHeiY^FLJAk^hrf1qVWb?FF
zZ$O&;rC<KJ6D@-&utzg(%wBGQGU9wBoWngqioqUU1A}vjN}+)any&4acq8O%RTq5j
zgJYuCIQyGg%ZMaHEh-Jn1gsSi^1egeilMbn49=BK^wq;qr3jivrH>i9GIRwqiibwh
zM-K_R6L;;Fy1brM+&g}^qb)8bXqB4GH{2^}UK40d&CsItk&%RObmgqoRk?WfJ#_f)
zq5q<|1b+-%FOpX>QJRHfd&0v@O{?4fZ-**Toi=9X)_k~3ch$@C>ec&>?hHL_S0471
zo1gvEPX6Ym<avdZdf8D^3!Qgh0oq5481MZ4big$4kSNQ59oq7tPV0DKb7F(8_^Dj=
zqc-@Jso9+C_~LVIQ3xcD*?=nVJ;Jb*fcKV8=Zh6#B>;6pW^2+dFkH=bdlCbN8?mY6
z3AUQNc?^ak?h`CX^aH4SF{9!e)GY%RkW>Y#JZeSan!pHZE0qI^K`~F0z~;(8T8;&)
zm9LjYMr8=e$Ekbx24=xtd@$qES4QD>&rX>Q-N5PliSg01bmvF{CvWG~c5(50POI#5
z)$KU7oy|2bEKoTh_8-;bMx<5s573*N>}T1FYkf{J8Qc>0)|wp@Fr3WhP=^<QQE{Px
zj*G*aqLqkrl?ycAI(@hEbvxvTM;F8C3KEpX1V_y;qj3s9>-Wmr3$IV+2SYmVA(zzi
zbq!lB4u|cEmqcXsq!Xc_Ce2NP6uLfyViKnYmp-7vdVPVoc%kCPuC54*-9GM<e>d%p
zWfG1L9yI$J8-+>1NxlTuk>sE22x!_3DHMk~5XqbuRqW5X>T{=u?|0Z*w^x=+#7Zn#
zSP*flZC0fn!)uO<D7YO7uio(IBdDIVbgQ)95HJJ8Hqf2Wb88*%UbH6iFX>FPMTT~q
zR&|^ft&O=|+B=?4U1+8Ga{idE?Zw@>s(>L4FXF<`DxQDKky*^Ucc{xc2?_U040;>w
zgLJqtoFH0ewg-M(O_0M%J<r7*CZmC8D3)1wkhT<k^%8)4$kP~R6U%?|+CUeVC7Jjd
zY}=IY{l;sr_I~f`{q*S-95O|~$bRXXt^ad`y~_Z~@`#Ld35`Wyd7W9*^x&(^{=y^B
z_zdN0{Bi7d6pzz7clgDVF;*Q9V*~x&k2{Ur3>RWk;UoL0?w)mUyC_}T;YY&Dz$B(S
z$`_%92H@F<w;y0@ZC@W5LPw$>zE9|H&Y=C3nCp5Rrfr_@WAc!YkosvJ)(2#x0gsjo
zF-F;P`o^Jnly#++OYJmKjQ)>lJTM;+vXV>0k3A}Co9oN$)eP#C1ZM_WAc3ES(b?Bf
z@OF;?o&6TG8PM4;?lC$7I{Ou%vqv(L1SsNj=&~302ezGSSY6NH;<((@^R6Q+ZDcBX
z*KzEW*h%O3J3H)3hSYkEt1C?4rdQh9z!J(9WtVxShl4g*jb{6<kzEPthWH1gp12X^
zMAfAeHv2x%rFe`(e&ogIM=J6_C^EhYuPZLU!@k+M;Hn69Z7a>0I|n{XUU!1NZycVn
z!yWCK59DMl3eqqbjSUUl{}cu1WTv}m&tf|EvF)F3->#WqpxgH)&?LVB@@jUhD~_5m
z!4`U|EBFiBkfWf}2F+T~OD*H!t!gju0MoA!{96lxdc{Kk`21A~u$i22n1D_Iju<h-
z5{O$_NGSHHP>k2|`y?b~IA+`*<BO1`hBl~$SfayPMKDINnGRsxzMT#>lGECgzjga2
zdKj=j`9)Lv&j|Uc$Tvk(EH%CtheLPOoJy(i0oUnTktxAucHp^<Dsb{$!SZqahkpK!
z6}g+ipr*1#@(IUukf~(PhI3F67xsGdD1ik!iLeE8(@;xWi_qji=7?d`qMDJc!ZG9e
zcpoRJj+Fv?ve@~(G8ayUEo5Kj8cppgd2JOTx20@QfkZw^hSsUAE4%XT-<uNuRIR}j
zo1nk!8rx|n&t(b%TC+QbPlgE)zQ=~#RxL@8TtBl>eM|0X|4+K@=M91z-+*B=1j?>s
z@}Q}AFn#xXH(Hsd=2KN%%}nQe6np2=Va)Rwv?ap#K}+xD_mP(!YM`aJ#zYlp>Aj6X
z?#J&3Yv~O(=VZwLZt4BoR}jB@f-qL&mcYl)zYJ;#(#B1%<cYYQpW)-mr)oF9mkOtn
z%Xs<ab=KF#vJ3XSPoKeY4~L}hPwe9tDJ@cP8#Ky(c%C3rwlpurF=MPcyG-+>%HUN?
z!XvR*lWyW|)FI63D0b@=bS<CN{#^byCx@Zepm*^Sul=cM_@Q<Eyos<jS{7VeSEq%q
z@PS4tL%GDzZ)0A}jX)s)V_)M2Xp)J>$Mxq9^jBwVIMCVJ%B80+c>JS-3SG~(Xo&Uk
z!SxE4O|%<tQA>^sQ_?t<dL-lCEBQgE$-?^<ldob{*k^v2rd7h^`{IRY0GWSuzvhBD
zZr~gepQlkn%jcVt2I^CiKq=L5AOZyBv1Q_`WwxOs`?F;jejWy7?ly^7<N;)luc~(5
z;=Fpx+Of^)nn#ntFQgJZ42Cm99huasoudf390e$4(lF_azTphgpr`sgRyP*9*3O_s
z0}~EVLJA`6|2+aaV5;AM=jb$VQ0Z=oSEP{~Zm_sx({<mkM^bwn{1y{=ppP+9<Tjl7
z`2%kyKBC!}D+7Yg7){4jB3A~BSe8%nOxh|pJMK9C-jHhw7smU7p4)$aT`Ac06wQZd
zAA%;~g)(LiQ((@t-kfl0wH<m2Cc-cpC5A_(FCSQ-e%=pdUAP4e(72|Ev)ziPw@V9t
zg^Bsq>;d}CYIeq@-wz7z+2B*H!ZAnw9HsyS25W#`T8QT^=n_8N+|>2!xBFB6{B4kZ
z@6i74Cs^@MBEtL|dHs23F%3)zyK9=pf8W{f@8rSkdgP?_|8g!Re)$k6+@gfgJNSJg
zJjsdpfAsPEQwaCtn;*j%!jDgH{uR%k@4&djtE~w!e7=jFMgEY#@BDW-@+Z|p@ONx~
zr+P$KQApI$<DGB+r@r<7{8XQb!PR?QyZ6rz^K;H-frZgc8aGo!l6am@+Q#3*;rA)x
z`|BwxSb&gu+5Y~ceSfVBZY;{+!8E6*y@>q|z4hN;_4_-p$8r-<`=2ZPIaiLst`x7}
zten!*{(`geF5X{v{x3fC|4RWhg~M0nc6lCA@AeEEVU62dmQam`HU9=RE9PHe^7GgD
z{`;V_Tm^DxDH>J_6gcSLf#<7m%}?1E{%U-+(G5OM7n)bUn`Zp`lVG1mybXe!Zo7lP
z@u#}&*TcLeLfnnGy(VZ6xYY-Z^==z#r_*S3+nuCBe}}^F@4O6mN1q9IMkL(MDXicA
z^>II5ybD8k@SG%G$rD^+d}}}G1q)r=><RL%EG*KoOi!KhFxa=om;XBy{`Jn&`yle3
z)Ou3>9!0R%&-mcbQ&Bg!XWiy8c|FrNpYMP8Mg`}yi>?Mu6fYb1PhG)PypI5D@%@Xu
z`tw7+kA`RZAco2IZcm;4bqlPw9<Y-TR!uuB^7THd_ZM;3n{-0hN%G~yoat%cpzWR?
zMWM7?kd@6AV1C`zcVJj<d(NJ#R1^eKFCw6J&9~f}US{I{v)Mf==<vN;tI_1;j}4cD
z`njTj52fk%ifO$N*gp*|eMJ5%Fo++*iuLej_Vi+@C6;P@RW3LiJ@3L{5HMZ1*NHq*
z5)unhmmc-~rOnVX6ZY7?8xFf=YAI!|TrVHrT2+c}SwMMw5JIxTvxN~|V;&;Voqy=l
zSFMKk0|Ewh)!x!|4t$|dN*N);3rCsf@to!SaYffa^OIqrC?mKJUb!E&nu75HLHF(o
z9jl1NF4iv4y_<&)Y+<m|aD5&=zM69g7k?%8JL>#B`aZ)(=`NM}-M?bD1_oPBisw3A
zFQTf~x;lYF3b!78zm!Bj{0bcfajKY)t<abUtV#FkJo$2KDtX}hW`cwy$J8Rc)32z|
zV_TMytwjy=hM2g?kMZM^*RfHb6~b*y)=0qC(|E>EGRK>+9;4_wElsRJSgqJH6Pym3
zISN?7%gbq~LSpKL037tpP|fFh-3OW^;K0rn=9K;U`_0JbUw5k@idH&0`BX5`UgY)j
zzyzC}-FaZk1d$$=)?Y&CP1yGG6mYcnII(8dYfwcra)Lhg`=|lnx6W7W9ZRXy)t2ai
zZ{4^tMlZU^$d_WU(gRE-R<<zv=|GX`s(`lRA>LD1y-;w|X7%}I)p&zyASc3ud)Gjd
z&Xf-(9FmYEL4%34<?R)NHkEh7y@M6|tIHG6(;dt*Ghrt&HBdg8Z;csDm02yE?P>1%
z>hZbG2L&dv04-X5mRrKJg<PDGw!g=pjw%JA_Sv@U*SqL-;5NBFy|h61ZN7b)1Z*?Z
zlcH&@vHuK2XKyfpb2DPy8b!17vX{SMe~@hR@N4$D?8B2x1K!g#*K(plP{QY8Vt=x}
zNfef5c>~sadzj;LSP+RHN9M$OIYX)UVHjP4(f`5RTZcv2?Qh?=iHZV(fJlkbDczue
zbax{lUD6FA-69P#NOyOul+xW@Lkv0e5bqjq-TU6Uf6sHg$NL`7@%%T64m0ao*SgmF
ze$Vs#d?hHmxAfvO@vXDdNxMgEZs`OaeieC?8kPAM&u9}F-#j$M8Md|&2{6(Zf~|sT
z7%svZOZ7pm4^k?M-&O^{;y)&zwT={H)y^nFR}UX|#I<Xb()6Fp2POkpJutVYQlNj_
z+3&&Jln_1Tv$It3byC^pOFhDc?2KL0HW!?+KSZm5SclNhIvcZS933hslDeAe&+0Ho
zpc4%yoU5!Q%q3FTQoHPa??O_x!*CYCbO4m?jv<r%<$$8}KvtR<xk61Z<*t*ZlG^Kb
zwXkDSQsQkzfjhQt1ovvQBHlL5pkqyffoIhodiGCy=NvQghKbL4F7nSWfqeZ~4w(!f
zCl!0dwULWa1fN>mM_g<Oi~PF#KfR3-j<1V9Xt(T-HR}P3EH|1z{njyQba!MA5~|&F
ziAmT*AO`vjneWC2<vW%DRGWU<<+)MObefympzMkrm7RTOX%f;S*q_!;sdZ}iAc_W;
zcee#A#^N;ciq1;2d)=G)Ct3{-q3=+!(^*Ug08|?s8tfL9sKle0$dINJ`78$j)duFj
zTBkM4>88uK@7~$SWrpA_*K7m+HM`YJDr~&0W(XJQNRJN=MFP5wdW2+0Xw@i1!eB)H
zwxJ;*=>cU%RG?c3Owl-e6N4Mi_^v;K0FmJFDrO(Zk<@qRtW)G&hIPf%88~iDr2yLD
z00<YOsyPn%7RipDA(1$u#mrdgC=zE281=_pT;k)c6L&#}yx1A=t-0)0pBX$jO6763
zY2Pr4|52#?;pg3ms#{odmu!9p{Jc}>poE_X-^yDIGMSlD+h!c!@!j)jgy`$ftwDVm
zG<!`ol}CL`n>BR6kzD5|(B|!PH;lQa$ihG);g6*OMg&x?wvRnU9k*vPI%63WfS}6<
zdTCC?U)BHpssK+Ci|!xC#Sds;rhe$rZ0C{(W+Q+4mje>BBK|T3aSXifN({u<JuAT1
zTY~Y~cdJ4C=?EliQDu94pUypZ$qsSx^oOrk$!Qev`itCz+Zp-vNw47*k_5zN_X5k~
zB}%$+`*_Qj!b!n0WAy^kk0watt`4-&=5pIF6S?EKd{o}7)3Y^y4{+MW+9b73aK7{U
zd0ODn<&&;q%FNXLx>5$xnH(XtFLivA($BwQeKMs%$GEifU}SGld3xBFhvk_dNrH;g
zKmDyvz%4px0s!_{bDKy7l?&Ayl;b~45^Xn0B+ahQ?URgH4H^wxy?=A>gVR`syu<G2
zJP9cKYIFiaXKGOso*<2KVGLB>VjxpY;u_*8L!5!9D5%`BH;G$@*YyZ1HR~3B-4#5h
zzT@r2P-d0_dcKuNc=)F?efY@cq{-1%L(A0)OfpD{O>ay_+dZAMHD;s!eY~=@3vYyt
zw0fme5?7@ah15>T_QCP{!>vi9xFu(Nj!(o&IhuimT20cCo{%TzU75hIhHp`AIfg4p
zX*NPD9N$rFyfwMqhQxcXf<-h})e;ql^0}3rImPMl=e7F0wzITV80ZV1#8RQLfd-R|
zL1$DZP)c<0btm$A2l1araSa*f{V?-#-@k7J5-v;jN83Wt^cO1z%B`QCn(Q$kGt?9I
z7q24)l7q~Uz<^KIi=Ln8G^+Y@2D3uhy0TUyW#mEPS+>VCm-I^kt|CF4ULLpO_n-y+
zayG!)TKxf&NDz6bbf6^Dyfkytt@$nu#8T)+-yLGaMUFeL!P7Y8=QCKnQ8v#vSKDbj
z%9#c23P?l$(G!C*(fL>Fvqk8<mrYPbxe$#;qg|u+#&Z<oZO=;aKvu=Qc%#*d(e-}u
z-FRK%gu~Sm{h^}E$F*;EQ_B-M6%2Ft^vDu807IJxeCrgTEfUdhO+Ywz0EYIfSJKYg
zjt=Ohr_L$TsT+I%F;!^2dz_!IkaUDJ^D4KW_f4VDY#`0N+l?IbM9CBzTGssy6}9yB
z*1U@d-7`1-{b>7KM1tSX-P0w~p<5YjBnnJQ_Zc{5qCB&VKn@rn{7TC39z38^FApdT
zMl!A?%6s_`w7lp0gKV;@c2ywej!J$JDjQBL!fT}%dVHhj5vyrHECrzs4#<PO<?HX?
zX>@xEqBCI*&{JHBd>bd{N3(%Qi>?ghqqg%hHh^5?6E5m$WVJHmY!L^;E|;r*Saf@N
zj|gs{pd^YfA}zXSdu`*tui8H?y38il1i*S!nOq}y;K8@_CbQ!PbDzJG?R`}Eg7^{f
zg~T9$uE=fl-1o0x%^D3d%0$<`n;tp3rGQXte;utvGBXqkU2RtL@6L)iS*RHtoCz=n
zkn0zm0CGK%RzBEQ+;rQOH))KS7(lL5^`svS=4ML`yAGla<agtmcMM5yei%0vr<g>s
z%9XajXETvTK_gPEv$n)%H+`<-b_gh5r}q+pp<INp!)(;Ww~>ewY0(8rYC&Gy;_7Xn
zSmG`yQ?K3%KiGGuI!a22XL5d`ls{K5v;LQsTT}zs77mJB<I7CCgvq~Tn*<fjflclz
zi|aaMzM@u#A+xW!FLsN?D-zh+ccf=$cylCk<cA6nC~WNs_=oG`-dy(PR`jWyZ~^1v
zZ$%bDu59-%Cg=G=9-WX`U&640ZMYn^Fc;%slb)P*w^*}vdK*=Fiih>vzZCnv!xQK`
z9>;Cgtn4e2VKAMotdMf`sOA+5c&ZlgNJVeA@BJ5Ih50!FHYs~e|FdhJ4L7A$j{~vT
zD)lD;<@%j-86lut*P{W-waMLIl<V3?K)DVFlxx@CnR2(*4vua&R=tPA1zI$14zw4b
zCouPLTMamL59O5vMR6-%M*xRztrOM3iShFg2c;Xqnpt`e?*GaH=zjNFsYkC~Nmqif
zrB#_9>DEQ+^`<BY7Y9nD?WfwEcz|0Mk+L2R`os?TJ#|H4!R;$+E>L~o)-6Px9%XJM
z#%ygr64X)6nyH59{++?{+4J_!(HorJO)Lie3DmBk?4<MQ<|p;QSDs65CkCvzfcH{D
ztl;<34Y*V7v(awfj=1_<Nq5$=Gls4lC_<Gi%yrxklsd?sn2%9tE$Z#g0|DN>UXMd4
z<2Ejar%ofV5w4{Euf!doq%v&h!uJsD0AH47Wj4qDz*P6*+RC|;WV?Rtxj$$>Z@-nb
z6U?$z6l}MxyPudyCDhE;YnXOKy_~Lj>071cyy^$cxC=?KtD(t9b@vP%Mltv0OS;(F
z&+U)7SP3=&rh2gNd(R}pa!T)`i92?FK15mD$}e3<nTUU4svArqALz%28+=hJ8%+#&
zhNgy88ng&Jh+gSB3l+a*^>PI%{ZMb3mpQeZx{kzDM^boLIZaG7>Z3GFHe`V(-TcX=
z*tTm?{aI<}y!gFEdP9z(wlm)pyIuZXF_;*#|Fzr??pwRvc`O^%L9PS*M~hG<oa$YT
zF2G+b-~G^L|55c-yEdQ*gyOtH>Wt33>HK|O|82(Qx5-ni=m-YP#Ve=q-ln@=OJi0d
z5;M7>=iz<PG!4%SG}w@wYB2_PZpRD3G{C98tp=gGV39%`82P`cfLWNfsHA169oCPE
zkG<OVfZ1<;{vya?x?j~Y>Mt(HPb?Yws6Nx-r<Nn0Ou{ou+Z}<gd_3=PUR#m#-0Q4G
zdvC<*xbwx(A!z^Y_e^Sq=mR_My>AG&X<)~N`ZrwL#4+#M0CwD9ft8?V30I~x$q7eE
znpkyqeW^RrJ10R4Yh2TF{khgC2=LF9In<E3VaEkqRoAKIm<<2k;elYEN#E(#NWa|(
zxl}2+3hcP93m(9Z+bR*$!39v&nw3!lnf6Fj^^5PJ&h7wJeHWmr8{H8}Ge}f*t9WM&
zLzcmU_J#lP)DJsuZ!(vKAN7YxsL<uu#yUfjH0xHAf@i!CP*s}^_N+s1;1Ajp4;uI*
z()BgDMsmUs55q-72Hg3FDrO3hH&17W%P8Y)kGZNAE?1F}8-GXwiIpevDY6c85&9MB
z+9LF7Z6Ko!PHPznz)t_>N(1;-M-q1x;7SWrDjje;Zlx10#1l|de$n23_wHSbt$&E!
z))XffrFNf^KvM#%nK=Hs>I{U}HD-*4=(0C3+ziBucft7qR~q;>_Q<9bvZV254ne_s
z8OfEl23+YAIJDE&h8S?A(?#!hL{fwUuJpmW(%)QZo8=C`m97f!1zc&jfwr1I9wmQs
zrEN`2NP+Fm!DHv{G-ir+)8rd3!>xKf+bvp?NQI*gFZoxFi`t5bIg|8*f?*;E9r2`v
z+v|q{XzQAcC<fw@n%JEM(j+q=?$cyl2WmW(FleXjG{H=97&KZVZaLwxKwbjnu`R{z
znZ{Xk(j8Mq!7qTIrYH2i&JfWv=P%?IoNu>G=>B%*U$l~S7;O`XQITW5-lN?l!=KM9
zh-*2OWxH^B&p%Z_?#)xMi|rVrso20rdTqHio#+;eA5fnk50XAQ-&C!cEJL{NXZ`?7
zkCjAnHBEN|u(YQlvn!+Cmk~e{k|KEWgm18|iM=1+s*z4+EeJ#AKnjKU(5LE^TsF)1
z)T%GU=nv4@y@#mMM^i7n`52L2+cWpwt7$VxudNZygx~(MzHs=X7c$tvI9r?8sWFI!
zD;9Y7iImAa9;?YXF)F4QqX2+nfjW!Ia9fP8UblKVV__&ew|zQ<7YUYT0AOj=3U#6~
z{Z1rU`mm4L5O#gREMRc8NLaQ&g|Ojtt@Npk-fl7+${;&^Gc<IgT5Qp8s1AxEz!Klz
zwl}srJ6L_2|Dgden*z49wyol+VwZDSW+-4wgJ~01djvDMg|ji5C-~IQJq3-qQn{!Z
zKn4eQBPlW(Kn{Rd|ATEep1G$Tkf(LlMA5f9uvZ_~D%qQwEpq|8?SYsD7Lo?)o>TI}
zZacAe`hzZg4;*#Am~VSryUPe+o@euqDo|*OC~2GsdcR6+=Q)d{OAGyNx5Wga4T_Hp
zfG*7&IXEZdWWgHYj8hqQc_9*S#5gw*t-IGweBov~Ug=Fs%q4W|-Al@yu@4l<xIfy}
z9Qes~ivtbP1vBj*L%##N?U7*8hE{t$Vxrovz)@ypEJ=S#3%8>(Yy)o=z2Wk_Z*(N5
z)}#2RlF4iAR=!RXB#elcIx$@`{=*L&fg<JUvgV;pm1g~?{kbpKnk4~fXjwv9_=_i=
zrS05jP(ESJ^Zpi=Xg*f_1!H{Nbx@&_UbFf+fkzA$5OK*Rmazb|;|UXnf00Fhs;?jx
z;o?Fp^_WC5=F?1xSm`_0)Lt7))6%~#A!;iA8mMz-IzYO<Eo{qe1tn>Lv+0igQKGs8
zVP+7|p1jGlJ)wYDUiTrv4`v`Kcd0ve716}dZ$Z+d5ZEvs-|DCdq0_pvu15A=J^H(F
zjyy2dBDS9=3GfWZq8k#Wns_Fw)Y-V2AH$>g?4xe&K<^plY)@rZ3D%TqufbSq78QgM
z6)1&rWw+}>-Fx<PqLW<$FO?QbZ14dM+SM<r{0I(JjC@!%DKnF<(llc-<ocvVzevbT
z`AquCmHxkJ&@@MyWG0CX@g<+>Gh1eQxg0z?F=XFlci&xO?n7xf{U$iZ-S1PPZ!Uz(
zI6k0ddEl=sb5cB4AV0ir!vV8+qx+2@YjL*Lg1f?mn9RmbC7@liJrr+qKP8X1ovP_V
z7%4svUQCcdOPfr!=N^xFN#|LpVWHncOQ2d}&bW+iMa(Thn{XRzo|YeBhq3&?%48Ct
zpJ1CVrI!a)v;8f}<eh>)EVWhtw$xs3aSt67u!kA~BBh>F<m(8GU|&6P7<LITY6u_f
zWu$!NPO+eTb>Q8UHJYNU`5L%tNAgw4zqVda$O9y3)Rw6lG=M_ew)>}c-O79%s~H(O
z7KCwB3gy1g_20&`vUgX3gbAvT<{ad9=b)gUyff^9&~)n6UB+#XPI0h-ScuKBL{emE
zhkRXFlEFpAsl9LUnJpkeqar>b>Of2tg&NTy{|da0dTIpu_-P*>n<9+eLb|<H%-tYS
zYClx&wa{tYwhXfdSEiyZg2k;`*~$X#-eV8Z2gI}J?#@ZMX16td7N4K}+ftjzR!|ez
zW&3SnXXi~kK;3d8wHGO&?pK2Mj;+$ZeG@(Tis@R#O`l4C2F@g<CgY_BzU^@NLw~Vw
z7noZ3U@$|Y=$9{F&@5CRw+rw{!>qTXRkTY?fS8>i?64&eYk)00vDLok_|3J$zA6{{
zAzNC+`&zan_yQWxIQgIs{$3QDYe&|f7QfpY87uoZt@F?dB{m@*xu3Ula+yHg={Yn^
z*R@!2hg~NC)|pG&0=NoC%Qev+%~r;7k!^Ch2b;QKV<WN7E9jq!A^qCl+6wuklIgfC
z%X=T!A8%q^<vxTNNl*GXHmIki-LT)KYFT{d9qIA$)mB)95eeSqE7i19i56XHeF>Ov
zs4s@0mGD%fc|6npAo}9#xPY;+Bju!FVs+l-W?cf#k54JeVxJo=x+yq4n0hSGQTwzd
zQqz+_X6++SoV^2D*-`Weordh%0C0$fF1Fyexbr=F1uN7k8z7I`S<>;yh)7E<LOFC$
zrL4xd5x^eGY}7;g($UMyYajIK7ifhtnDT)@$jD$aM?&S)On*pl6@(4R?q;Rks5o>O
zU(_jTB>pa&r0*Lm0zr*lM=kOOu}9H$K!WQ?{an$)8FA7#&tlOgsn$aDRHsn8TT^Ns
z#q)>lmFDWbGQzUwUDF$~?8LTB9Lchv9<(75`u&cPf#7J2XZig5*``2@;w<UpuwhzP
zFLU~@9}^>;XV~+#$OJznZgihG&TQ!VOgktA7#+^F3G8Hs;)_MrD@#OCF~A7~5_nbH
zVt7vK`~IG($6%&9H@a>9F;fj1J@WIxLOuL*p&srv0Q;rnZU4r4>EQ|=x}VkHxZ6Mp
z;wOCp?VeG~RvnIcX+M}H6I*vCuXuiXpcLI5(=c8V5Z2ts=W#Zc8RiHyzlJ`U1=<bZ
zNc1dOFtND!nKO?Hi`ht5&Q2(z%N@ET*_WlSdFDtMt`_>V$Z0%UaI-CH%!~*XhjW)>
zvce2kL7^yGFaXM0{_GE$g9kE(u?eC*iUJfIMtqauiSz?=*!N3~2R3fxD3?gCtgFIz
zNm>xv0XvUS86o0Xg;QxZ$rj3Wiqtwc)lYQGDWT_UC?<x-H_{sQQvOn(;#JSiqTad_
z{`SVHxnkXeWPy4Y`;ESD41|JuHb$nSW}@w__*r28U(M?;;##n~@i98EA?KW^_C1qf
z`9WpY`l7zs-%IHc#o?W1la+Fv9J`zkjA%!BMNKJU{4&-O0i#upGV6VX79nh#G+q25
zlcTK_O|NEXsg=vK`$Jk|U{@k|N!nt@f;AGA=~ky5XUGw6NZdZsbC(=^8Lr*C%rg%V
zy&T7(pT%@MP#q4NrDxC}p|*P#?%p|zuc#C<=}dz9nnT+174b?;=Mee@sFRutl7Sg!
z;9d30=o*J;{g<~Ikeb^!CWM7PW{hf7vVB!=Hy8z|NFq$}*x<dL4kFlCq?Y-20vwRt
zFjLJqD|=w76so|ZRhr-BDiM(NqlClwMxiaK_l4DuD$Zartw8~(mKHir!y$c(12r>r
zQpKn!b!GHjEBQYbzk$fIswU#oJuX%qnO}v{w@;qguPXuub2NziG#{78<~AP}JOLn&
z*Upk82Hi7@1a~>8=HR=|n~`@oJ9}-_t1K;a=#JPeCWJsnV(dw+{RY>qCA*ML*o{6D
z3O%aVz%KnHWE;6{1}cX?w$1#=J~uJk*!e-NuahoH;UK<kSf_`@hTO-iF9VcS2D)9t
zjb+F165zc`<2?Dca?}x>j6U8pm0cDv!NH4(8jfM=h+$()>rJBQ6Bd9yf8V#bKb>p5
z{o+PxMoPDLYCZg+u+U2W&UMw(!R$UvO^B+mljlW61Xt5Rn6ohx3x)rxWOkG+e>we$
zJKn)MJc8iRr(||OLMg8$;JNeWoA##=?yHo1yAljd;?Q1^KmoP8k<=NBg31WAOz9+X
zKO(&I;Wz%z3V>EC9a$t<FJJT1LM#sRxz6E_H5E-%jIWpK>koA&dHSM!UdVv3hD|i+
zqgrQUIYx4REGv88*aM@xqb1;u5b-TC_@Y-;Xf@7KcIw?U9*6DaHy)OCmC<U4@hBLM
zG`=)6I?+OGR`l)34tZpYUSLsuGfbrYW-(by7R_)(Yw-QUOBY!V#|wf2^@f;6eB5QV
zVQs+S8z9S-FUW++YaVe}zDA>n1J0KzBdsGwEr)8Em8Bl&C-#wlcwcHq>w27lnsH5Y
z8+c!$^{3Tv4PBLgoYpeex__)cX}2H$(qYJ5KjuCLz<?!bU{uKl=mW-7z%fI&0Nl6{
zl|1FpJ!r4hpaYV{vC@U7);2RYW=k;H6-^U6Ra(VSI9t!Tu4V`_m~&nR<FK(gwG-H|
zRr2}z`31#R7K--Tg8E3bhJoa0b(j8vY#C2sHD=X3lnZFJc(5sD9~Z7nZ2S)#Wig=5
zVi1$Go${76CLu!IX|t*qUA(M)POuPzg;YmoJw*oVO}j+Q#JhaXqzSHzO%3v8nuu~Q
zTX=9!%jPSkM2JAW)O=!&U>3d2-4mg>fJsM7e4;2M(H$H}*xPWE<9$w3h6$)ktkZ7p
zw;CmL5wiKa<tr6=y~d6eZ4G+XPOxRY`xS$lR^Yo!!tp&Av(b~5=B{j%Mp!>|Z<z)e
zbGq;h#5rkWr-+S+$whIsSMG$O>6+S)%R!4vEe0>{P1IV{v6Pta3h0{ygff30+}hJh
zRV1EiywKj&HBH!4f?w+5B~Cb~!wrM2lN6SLjK4^|j%T8DvtM}BVJz*PlsN&2)-~lq
zK~|zIA2dF;;uh(DZpQL7;O-&KPs8z<69&@77GE9i%s*9Zl2cH#WN5KfS)K5lqiAb*
z$_UCUKQxbV1afm*&`)4n1zW2Q=fqE@F!<$^`g^uOy7IW&tLx~aEb>OnP8x%@{e@;u
zJytt66tyJAem2qHK6#@AfXC&=5mTYv2!i0nm7XM;<hnQdt}+gzt<3Q^P;o@LL64a9
zP&Sq-Qa}B^2O2ge=99^i=i9?77RiEde1YwGccC>$!1qpR!wIqNH`TB^edQ)Yvp%_@
zh1PVM)$aidkGy*%Th5z<rJ#rcFk;>P`uKmB73@d>LBYvNeT!?6=6w*&=<07O#YKuZ
zH0hoiDiLrH-}Ql4;c6WOKqcR{Q+$h|zu{X>BLGTiBVWJfVr=)Fa4VXOu_ZQMH;{fA
z$;~IVeCK+f{(PX>$V%{#7Ls<{0%*sj_V^W>ePU={FP#Q6FC-l;XH%3nxgP4(do=K;
zA8t;>`QtI1fJqenyE&Cje}(ND|49fAgBo>b162z?vjdORv2H3)uRpO}R*#ik@mer9
zcLU<ydv_wHV|~+!>WD$X6EE{-^6u50h_q6Vt^Bop$=xiAi61LZa}t9{*at}U@eX+?
z{s7dQKX7<p#vNe-5~GIxKe|&}{*Sv;XC`Xv=oR_%@9gfJKl5lrKDv}fF@Kq%Ki%5t
z#G{^~jcqty2xj8)%7xOo#%k2s<?Nn)R=YI`GC&6V)8u+zQL7Y6`l8~pB|h8J)zw9o
zjcRm+d2lHK)=4gliMwUi3Y3?k>X7{d-h&~9+>S9D-l|1VDSVNuUXd%;j;FP#Uhh=m
z<YA*WL9f%u!wc_XW`pjw5`yVwt=vcP$8>W?PPYq!Rta<v%W?bP-cv*rnT5@1whIO;
zL((vS6~|&QuwBu<eDq@9<vVQ@&&{8(;sH<k!Qu>x)o-5XD~lU39m3lq-)LUiwSy+4
z6@Kry52X7&Ij8%`Ck$5FMDKsWii^j#1`1G2M-A~KF|6RbiRHUHthM&rCFY)|;-n>`
zywR#lqxAxxCNj(y2)b#O(z^sc87Jpoyw8Shf|8GV<>q5YP68+luSpItfR-<SX(`8|
zU0Qf`0Kz+y1?n)0{%xIXDIUhlU*em?cll6v0r**byvzVAg-B+A0pu%^5ZBBk3e@wu
z9?B2m6r8Xy?eav^&Y#Vb`G41-CEBqW8+!ZpuZ6zaGv!Kgsl=*O&_ul7w0kyqw3sc4
z*Y00AH3AELeX^a>@<hrO02a*$2hUOj{nskm`WGJKER;O%<<n~N@E!{$^j}_XNqMc7
zo%&&%nKV`ka?JaqUsh295K1@)>yybqAgUdslrO7YS%DsyXO^@lhSbZTyBtJ7ZOIFD
zWrUF>-p-h!Pl>6X?yl~lc+5Ay9j<uh-vTrI*TeU}xK7vl3hAsx&29DmWjz%xVJ4X=
z$75cDr!<GM@k>7xVNmw?G6wB3xlfcM(mS&^lS+;0jUn?RR-(11-u}o|_K0iPnV31e
zQ+(!EC_v*gdaaG=j<Z^u{JIT+@u466HuMvwYs?2DpxL0EwXXj4m-3_Q`q&_$2)=A!
zbIuA*?+6jU2Q4HAD6i>~9$zGCkr_c?U693(fzV^l7I1y;Zrhj#H>_A6t0T$*-i-^%
zTQqz@jEd+A+^7x}C%9T^EZ4qD%GG9o^U#J;>#*L)LpbB~vj)z?t%-_YdVnu`LihlQ
zn~%?1qyq}a`joc7Kelv5$Ss}9;M&P6u(*~S2nv*s7<cH_x*SDVGvO>9<lzX>bqJyE
z>0vIk#{MN^zZLF1n!R>BZ91y!YO{noG*_ope!e8-&qe=mfHH0-_Ys+JovV(M$HO}A
zw#uHn9Ke;?WSuPTL9mtYoNv%zx}3$g;2He{#KRO$yBdFPPwwz{Yi;o^wbZJUJ+bMP
z2fF0fWx!$7&$g?)LE+6GYcVFFGFnw9>$|s1+3tzHdPvM6dKuuaF(sS<#7b#MrFCt&
ziNSr;TEp&m2^~*nVOA0x+j7(XkiF$HYy-S|w6DVmc!leZU=irl(ec+(lNB<hBkN!h
zMXLQ2O3_m`PCWw|;*Sh!k14%Zo(1R9W)^^1QDX}=fyWf=@AM1S;yU+Y)DPv$X$75j
zRWjYuoeGYo;k-xqeX|jdImRQ7<2y&X`{c-eX>lYsWx&>SlSq4562_DK<p;GK9fHZG
z)s_b~9q~{7C&<VMWN*+G=F2rC+;!}nmvKPtpACx6ySqi(cV;_nIy^N79sv)_;}~5J
z^c0k?cXHXA%6WmP>)c!3rCI?)<QFXCE40j+7YmPt2zG~!Pm!JBI-KqVd5iltY)!?@
zB(DxP`Jd}}a<^e*mwsZjyU@IIr^A3C4Z-!gxxO&3Nq&+8#Wjakt@L^lhw}$Es~Pc)
zmPt71|FW)o#ywL;!iAB&i75&+DLAz4CtNu54b|i2bEN2i(^gogN``0mdi4J*E9sB6
zy9-D<I=D0Jl0hDgp?${&iuS>tcFb%hw;=Re*tYI+3sm}ae{FRRv}Eij?&5RT51uzz
zwvbqlCz88r-%~5@i<{Nvb^X?xF2C@I&ELg*y7UICsjQBZ7$yBCFE~<7+02e(Q3h*A
zl1T_7O>@ORO>-IgNiK_g<P-|c{9yaz=0doUw7Ht#SlRj=x6Q!50iH0DWS9T5Gw6&!
zq!bk@Opmg|{#Fwoqg=sxPlwy9-=$YKCfueC8%s>$1mUyFcMhvVE-&t3_PTI{Y)scV
zu7RMJmK42Bg&g^erLyOT#zr8xb_=`rHXHs+8NL(JlH+h*c*!jp-yo%X@4UTpR7><0
ztaerdu4sbOI~e|yzCKxdYO1e`yYQMZ=Ewd^%d)jRZ7AreI!-+#5dGmCg?0{lK4u_c
zr?B|=ht%Z^nO}dw92+CNkc$y6^HqDraJybyP(_5}*52uz7upge-!$x3Zz5BOV1vjM
zBCQSz<FmG4mWv|PJtsAi3*Gy(Zy(j<s8R6}?L=u+B;k2@%~YY{=B+!`!3TpB7xOk5
zUCK8!$=L5%5D@BpXumk0VBQ~3T{L7CZZs|FD&P9dsy`c#v0c2=b@a8bKp0<z`JRts
zW8h{mUUxT1bBI8M2~~?VG5WD6j{WM8@7U8YcfI+RI4fb!vpzG+(Gqv=^}&s6YAjCQ
za9Kdmscl6UH`Yf^mc37(KuMKN;E9Tq`Mt|d4D|ImeNP|&`ntL(<3CnE-DPo%@~y}Z
z9c$skOQxYbX8NRByNo8Ev2VjHdSkeXO%OOrC;?i*?AsRu%n5mi#|d+0%^%gvEk%HO
z&VW9MmH!}COn%j5Ry3B-wGOgX=Je`+^oELWo1;ZL+;F=W@@SXre7h!yjdi9P?c_Qw
z#%nJr&A^uupf!>T&fMQJfonU@ty+O`T1O8bKe(3soa0MoAV6@BAQ9Z&<;Bec>w%FT
zVZ#DxH;Xtme*u9pGR>-v2z^|0AyxH6rFULb-!Umz7k1-}0wJPB4i=TPdkqffkA~d~
zN~CIPi)ct7xgS~GsZ07q+Mzclhmf@?k<n_m6TZxqf%TC=1WB?=yNeM(k|tT?ETJxz
zmd;$NmVI?v6Ab+hgd(*&ZBV90VwWRC3PX`X-Y84h-^KbJnSa|sL(AVg1xD$(@c>LO
zZ7v9t{z3Sq!|uPQCjpZS(=jZ=J!3T=d(ULh@tUAxp#hvC@ezfutN(U{n*Lwn2vv-`
zX-{A!vE2DQEde`aK+i1Ma@JMIzh^c@5ckQN;gVoSBqu9&cXZet0~x_D=WGK7-zdYq
zK=^@q9-IMT(jO*qXsAEM0O97nXMrin@F2`1u1%NKGvO?_n~|1UZ(9IX6CBArf1}E|
zNJB-B!Sw8=d8A>1`PbY%>#3E<7uSHoh_Xn7fP61l_o?}H<EhMfvjY<VzIF>387gzs
zIdumV4Raf(k@!K6Xe(5>7uPYz#$WzeoVMfww<N;?P#~lN4i6$o+{T$BF=xSpG?eg?
zH#Bj_n>iBApo^^%MCQHaXFC&XZX{TH=9vp=73UEde)&+V(j*zF>THm=*7|bw#G+m^
zezH`g#`1}|ndFQG$OB1M5V=U!s(bmcn;`=#>gr1Sz;v=U`mRP^JxD~5Lugc4AcK{-
zmYZQ?%u5<p4mKTQ8lxmf7L6Dl(ia9n-eXkHo>2_vDQNt_{GL1nPHBMoO%_;Th=TBP
zZky_DhY~!Q1j!?EYz04rQs;Yio%~m=A8r;ko%ejXKFg2TU#Ie|yvC0w2^YY5XfbhT
zJNq1Qz<9{noD!pYi_3M3C(&jm2Z%yW_ZP1SM4fSm5@6HeEF%_Fp8Cnf7ETlRjA&MY
z!r$6_p|&@<-?#9WZwWjS8=k)zn~E=6`3B!Ty%*0MdDRzsoiG{KT=B>DO>6PP=N5kD
zksS7I{ajDrqn<+VhL)GkjE5CEvmXV*LA2ABch*MID9h#ZeC9P(+?iU)?s=berhO5r
zj#gIKQ<2+0tGGh<U!hy!(rdnd$9V{#-%J;i<fNoRF5^(BC?KaWLiFQnN^rRk4ULjP
z`NXx!RoIDMr_3;P|8dqt@n7M-PKRrsy{>`Pf*hrv$hB?peG%=c{uhXNYcOsW;3H&f
z`4>c6moOeWwd<ND-NvrrD+uUG;ep?{e*KNyJHY0}yvr;7M>RJv0Xzf(T~7DyXRt^h
zT&|Muc$BPWN>S>MG3MfX@sdx<fc|Msra4pr=Ua>)8#=WW?CIj{b?qE2ojal&lFu&x
zBGd`=B;~i>dyoVab6pEx%nCn0*JH%t{}f7Bf)UBPP;!ex(C_X5bDx+lH0YKsCLW#`
z!G*V=d};UC2T);6Y8Iacq$DPD8vmKD51eJUnlVLREO^=OEq$M6>XZbvCc2g5y9Qkk
zp97m2BmMnk4T_y&#_;gw;7rj7O~1JBQH*K+G5Lfmd2ack)Z#u1-%m?jw5<qxkAfH5
zW%|b9&}FW<_sftV1CZWDS=11zr?u3X=pXce9(Gu}H^MPpk@usdT6gYP(a=<=!0M5A
z)a-M?qqJB&OFmTHb-t5zU`eFnwgj%}#E~R|b8pz*bXErT(|-4s`RbXw+kdz^PaYoL
z>73cMoT`2i-&%IpL%4Znok#3!;4lA_<xA!uqnm1FhW6Bd?YFQIFZNUqads{0?-Cvb
zxB5`Yr^`xVx&aZ}JDDq7|1@~~cpdlwd8uqB_8ljXZFq9F7mx>YO1MNj;;t0e3)Te%
zEE#6pp7R<JrWQ}Dgjljr#YU2s)0u+n)pY$3HZ3BRDB`>I3f+cZ^5I64ck8!*Zs-?C
z-){R`KM}b0^Gqu$e?5jyLm0%@$bA%#p%nv4zI>gKS)KM9BoG}<$iwUZkg5ML1hsGj
z-RuHkjTJ=JA44Wo^7dZk$FMsn8hlnRP50-f-FM<@CC3?B9S9uQjM@}iQk)oOT%L>2
z3;A2i(l(l$kXE?R%WmpzWL-ZN8S!}1wSi18y@l96eGAm0(5$r9;{W)xPmrJX-<CsC
z!vAjWbW3{Q6eeK}K2XHxUk9mwzt3kva9pnu><ph=f3R@ENUpxuYp~AYoGc+o8_jUd
zw^1i(Ak*z@#-Z^N;yS$+CVaLg_`wv=_N(|&@OmteS_jZZbC8;^p4GIF2*3aL+x~SO
z@Rvc!;^<7z?q_3f4$TYH%oU7{DW_}gC4x3Ny4HayAW*P57wOx}mCv|?O{*%4eR4LU
z(~gbn1P1bnkIV1Xg}<)+&5|X%9Rr|`6X}<>>o^TOrXn9h&3KZ0{n+UwPs%a^%jh1F
z5?%e7&!-1_(@<+~EPLr8{|Q(Bsp3DaZO8Yn0A*)lP7CmY|8N(4X7X}J9LhO4IfXa?
z-jl#^u9AcugVpIqwcf|<OKK1^5{$9_rw#BU5+I2eO{xlF@HQfeJYYAwCtV`Kbb``B
z>O$Y9YdEE>Pj+`K8SC=*4}R-WUE;8N3_0n1#P>e+wMtanb^M-+afe<}G?>l`@8qCr
ztsKZ3?aoi_?+cK!V$-Pm09h$*rHni{!`0iXH&rAK6%sckiQbi@xss1sz@ba)b$iZ5
zdhWL9r$LGe=k}xK>$QDv)PD}$4&znWi6w}Xushi^Z~@r049R%;`uzBaQp0ZX7cX8!
zsR*fvhI|KOKB@_f<o`QQZ9OT+T7utH-RxiL^+Mqo40d05sO33S6?$KhGa_x54-Id-
zhgczPmr?{!I62aGnZ8k131qe0?EfTLzkO>4+Pk))Sn7Y8566(smKc!_)4)~wUAke}
zOGH?B05AjSCUviYYK1JgFy&+KB3fSjH7c_ZN3qZ3ar>243xn0i?z-!5cwJ+QiqwJn
zW4-H>&Odv~|9e|yx7FAVg+T`qsfZ4+x%r8TrYiXB{^>CO=L9lFIx-DEJ^R%o_}4EK
zLo!qyuo{f}p8!Q;6|Gb(Jz>MqOkEVvdDSWRI6A_{#3W*9Bcee<d#dB?=1P4^cyys^
z$vc~68d_Jdz=TVo)n5CZ{`Rl8N4~%)0wWl#GR5&rP4=%32BtM2R%Y4&VuRhz97$Ta
z)9%7hx|qH`f2AZ~QTzJR#Y%xXxF8tQpn{s-A#f`(D|m(d>;M1P7o^XS_7$hAZ~nL`
zMbp6tDNE#VB_UD)#)^<296Hm{0c%_V9uacNKkcx;T%SKCs8<W%Zq~Q3XspuwzM38*
zT?nw1ukje+f`f;v{Ye9vQf8wQ4&Z$?h{pclf&S-G;q}A5*21R0%J9eg-u&^tU%>k&
zE_Elyayh_W{r~s2B;+JS?0E`VY|%6-JzD{*T0oeJ%b=aU2$ad-uU0S4Q9$6AVMoN%
ztXtj)QowSeohWXd0++&gw(;C<cj3l@8wk7xO`o?mD_vA{ML*{Ry!9Piod+N74{gxz
z-&+DXp4^VBoWFl>Qc~piUQP6M0^+|cfa;Ka{W{&eb)oub#x)js7I9P@Dg>dFkrXoW
z#;bZ%pKT2T1m|NIbRec9ZsTedod%Z|2nIT}(kKVm*o%)<GN8(nDIEG}02Gl(TFU&r
z-T(8W{ANq`B1Hx=kaBK5WcmG*sUq(pLV+@jBH0uH#exY57U#WQ;XKgpm#?zieu!8J
zp%JJD4Kgw7k0;e}dtlWXN)dF`(}mQn?Jl;L&KmVXLJ#_)s1ybUW%yryX%+8q*a^U;
zp;!E;pYhL0eas04<jn0IBhT+2d<PRbRG%kMcPGkCq(BnuCy;B5M@OTSD+IWB%!f+k
z^goJR#tSXUincW%c$*i9?*S71irw*!?!4D_YUoj|5rj$_fQ2eK+oF>UI=>pjSGw7x
z)P#<gB44g<O^Z4gg2Ma5gL^twWWZmJC;DHE<Nv%<MBjm%OyXT+7|HJ|(%YNh5kCIH
zj=W`&eAb;k26TlC%RS)TJy9S~S3jBA`u1*H$VnIo4X`9oDAMMo)~F0Y=Ery=Hmmf(
zd_)L4XGvRO_(#~YPFGudA8S$*(D@I!gP&5m9>UnjD=jAJ>)~_}2H>}R`hxcR#ruzO
zeU1stl-ig{PIvKtck9t2S9P>kk^=QKDusQ=yI6OvLAzpY)f?TV4@-teS2aK?z;SJW
zEaBO_YnlZx|K@<AZCfK}^ZaWHsRZ+nc|R7hzzywPFyBNx&q`*VeTUA&IVIrG-mK}m
zBMg96U;T9V_h0+ZJ<0ROIY{SPPB%x}zrd-#c9<@pkZaV=h`f85Q8%5M6mvcdeR@$I
z*Q1$CF7;@Ax(=5;(&S`s`ANM+byt~x?Uie%SXTPt@D<-afO0gjN9JT(&GIp_+EXS!
z)4i%yYo`{2oR>%hRi7|+@n}7$=l7dQsegOold1Ijm;CUzo8;FYMT3x6JE$y-@sF!*
zkG$H9AyNVDQsW9*LP9>)ih0U($iPt>ejsB9N29gX{<Kmpu%$Uz?Vm25r-dKQCK>~9
zobWI>I_Y6=fnZj{<DL7$#*>(2;<9PN_qvDCoYCqK^4(meQyTwrM(+{)bVd`NdR_hf
z4*BQQ1h4;>u4OQ=>{ehFZp}1E%(}tp0I5Wl2t4=1@lx6B*N51M;4t2W^PT2!yZNs-
zoF(79c~)UL-LchGS(hc9l&a$qulK-V`-0D)E3SVmoDO~h)p@9EfwT?es+I_tcL%m>
z*4ruKPa}hz-5b|w3%FedGtrg2uNl7zeSB-rJp0vuq5b}2nmkTHM*Z|LzlHxk*3TD^
zy36T$kdwN&0yeK%Ak_Mi2oA04dk{g5m4{)~6}P>5da$t<S8C8H+u(8#vY2E5g3n*3
ziFoQOHk_;^f?M!Y39*LZxA(oF>nq)f3jL`vj}SdfoiV<0kauzxcDHx+Fz3dTiQj>4
z13K}gM6jb~D%dm1Z*}ElD+ii?y_U*bklx@am7fd}kK}R{sn#-bl_=d$_r>sU38N$T
z2Oh$I9i5C(JaE&4djHz={p;%Vfi?Gkw)nwTCa_6}h`)l7Tgp*v@^HV8c1VQW9lSgw
z+9j7h3q)quZtSgeOAvB9$og|l6LH%3WXdG#4jsTwygI+8F*H6D4=3i2X;%jN2heGJ
zJ!Tyf&vn2~tuTK>%|I!jYWu6!qtb!?Ycm@erLwc8FYM-5uAQ12Tt9c;tCUjtQ2W^G
zqB3}YqzL6Mxh}7S!uZ)05ThgnbeIBgT>1}`KLd`h(IUU6z$=Ag!--0F|7K(Gv=Z&s
zu@e6tN#U4ntNf`mjCnG!0tQx9^@p`_h1w0&{_h#}|Ee%PtnHLsw4H*?Ko|9AVt@L^
zIaKe?)EdB@mRG5W(+0J_@wn^<IBZTx-Cy9|YDL9e%XEq$1+@sp^f%9x3ik!-_jbST
zyu$p)j6r%}Zv&Gx!)+Npzdr&DaF8nrO0N<Lk$>j-=|(?DDB(4k52S#6x;)?Z+#l8P
z{O;~bG7|ziXFK!FrD2|*V8a`Nb<C4n7rX7m<(AXL!t<YATnly6jGu27xg|H}J`T&t
z3hLh|Y9iVofjMt4PZWJ;gWTCweS744>qXs4fW<9!vd^e@L`??$lkPh{{>FU&#N|Zn
z)MiaA?X^vNRyGj#B8SzgaXOUk46mYb26lGy0CquC{Py_=vd>3OXrYiUbWNku_gO;m
zdyGBHK?cE8RuCS>k-R%v4pF?G<Mi0tR{XH(UPF$&uQBplQ!m&I8jBadyYum_od5K%
zqX_9r;K*H^oe*?1D9zm_wmR_L+^aa49=mOK)^a;5Yi%?Ox58?2!i4b7@8_q_qu>TS
z@;vOh#uu~@yoeq#bDQol-DA=1#|>gAIRnAB^j-$t61|U+@ic%X!`m)EbTx@zN?=>c
zWt&jo{w18e%g}0@zNWNhDyiw@xkDB#F@76n@!`AGEc_7r>+yd)0Kk>|%#BQSQN<PU
zb#faA0$t;Y^0k|&^J-}rRvRN0Px4oU3+PaHRo@#ibjLA9(rezrH7ps$J`8{wComaM
zYu)!`SwT|C*9S7nrX`a3+{K@YTnO3YvqoBc1myXq`@;N|)dKhz4w7$;2t;4Mt1mfV
zR_M4M=KO+b;-KQ}(=ya#e<FCIILqxAZJ6p73FM~GN4LQ;b~=ql0UZ0Y1?JPUL9|oT
zkKUg>{XT=uVzycyI+alvLAlcxf~FmgR!AerXnoSMIsas@J^X2XW}zCM0G=;}n#cz=
z2ZFUul?i|!731M|?f3HbFDG%$!{{A`y4e+RH@Wp+ME0&lIi)Q0B)#c<cXx0Qu$oVd
zQLPrfgI;2`{p4YUdcIa3`90!2{d5c2+rOVZW{_}aD=oZ`KYA$jiQuf`cVI0X&>mX|
zB$^IecUe_Qn7{;8{7kg3C>}|E&wVe@f~4Q;8j8u<zz)X8sYa(=J;efbR(q4Ec7Ubr
zr=HIc%2;R(4&KPi&2P0{Xwg{%tEJ+$_e$xM90{cEDo^l>fDpPD+M$jg`j>>&LZr@_
zi0h%`?pzx_Y*o=(cVr{FZb{``xlcj+WPT?o5R*K;E%XscR1UjsyU+Fp?drwzS1a4L
z#yfrUHq;vI1zB(3MqNCk3+6;x`&F!MgaeEK7NV<EzkDP3WRCwLeP;F`R`5s}B!={!
ztZE)*kaXsV6un_+h2Sj2x3-5Ms;tXm>{fT~o2)N7SmdZhwt<74jmypsiB^M4C=rj7
zs4pt^V~_ajf5f1;MS#I-tTuhf{QE|#g$Hap@0!i!V}vshGq2#*dR{jAlBHpU(;R4T
zaU`=_Y3GvF`?iGQ$CfcA0k4l?FGLXR$cwsc$G(ISHl>4<tOm>b2VR0WVGkKUaA+oq
zSC|f`0`-uo?%kShn|Uo5a=8gi6R59~xlAd#;Mp!k;bA4xXctsTmJO~kT04x4RX<pf
znN5M^ESNZZ^4@mc4Pql|k~q3Pd-waI{CHJlaK+x}xSlpxjkhr37|qxKgGwM_tl9w^
z+(#pXw%X1GY68?{Fefrn3Y2A30UnC1*HzATg|3ny&_#Nz8T<6jXWu(G>6~Sm&Q8}?
z|40@|O$KAr-}{jFKlYUW3cD!I1p-(Q`7em9X|~v!55!<>gC_us%YHA;RZh!9aI_A>
zWhmT{bnMJ6l+OrKthF<-Tv40=BE16Dl7WQ;_8BKZ7wJ=IvdWY43BrP~&RMH5#g(+Z
zfKiWrPIYG<0lVWD7Y~Ng^d8?J4+KHJhp#)wMOa=hDouDU2M%X+PBcpSGLe>3v**1%
z2!mSs_e*>smB_vRfTGfNy-FioyKmUFmr}puIErUJ(ePfU1^1cA9uRZOe-*k-^-POv
zfmJx@@m#l?lQ~jAS$DK02jT|y)G!%s5Jt#|5b(&8pW?8lRLBfjh+n9Gdyum8+73QK
z=W=m&<HpU*G(alvKuhLz6-FoKOI6Id3PXRcq8~$;BvvJ}&F}O)mO&>aYQZ^?%bq&6
zxyH}ew?7&%yv06{MsY>E&ZlWLp!1Tn*dFk)1c(2)N^!d<rS@2L9pf<t*&U#g5cFRE
z;Nl7R7bne8V~biDxvZqm4*f<e;3{EX$_6{~p?-vL%A3D-s6VzCO;0{EsLW!y3V(Ex
z;S3u?+4JAuUsI@cM^w7$@;-k2dD$JGSq-eV<Wgh5r<8bIB9HfX%{GHD!lhtSH3~jC
zT6t<^V5ilQC-C_TWLLZ1DW#&qac`@REE|Y04s+9Jt8m#=Jas#wsHnifB#O`0L5%=(
zPKOGf<vwG4;%2%V5@;;684^YJ+4)N^4ar+nPM26ei&|;u7T+LxAZBZ*RCuz#E8JEk
zz){6%bfaqN?k3mKdq{m{yjsAD$0Y~*0UDoRC;D`zi0*yJwZsP!g5HmA%6&LKd})un
z&6Bn**wcTi??_vC?*RmMI@BZ1PRy5OqER$pi^Pu8oA5lMHOFD|N#K36dp}gw-75@L
z=521l)&53vmvvRny}rCia+!=dGKn>lF$I#wAPG7Rmb8v&>TmC(H`vYPGnY!>DmwCr
zaK7@Izyrib=W-z*uX-}JIz@3ZwtBAe%Ya;EXBnJx7MHsPT2(I&GbTs_lHZ>0ufNEU
zh*o@=NmQg&C#}`AMkOSpLJK1o`xw`Dxn~=dV$!{kw*Ao;mG<jcnN{)*xpS22rx<oC
zB5L_+4A$%;zV3MT<drV1=e;^Sv1SALYbZmNQf4OaiZ;hi%(z@&afTm83uLw-iiMIU
zwG{QH(n)NBW2(;yI@HMu@y`~Yi^nthQV)dDCLm5?t;?+k4M_?c@}l8lF<tR%X_W=7
z)$0?Qj>B;;ZBcP<3=XX^=bOI~{UUG!wGSBkm*Q|3;v{Np8`9`2I1&unzh)=KgR|j4
zHlw}?B8*VkcClAH?dE~W-q0G@Lx?5pO<t#d&!5~)#Gq3nu-JAf4pb=_!Ljrv7I89R
zRkN8u^CwR@KRpyPH{6AI-%8D()0hqdQU{G00b|@7SG+%+jneunL=h_pqsNUUbF~_M
zdS0I(xg(M6lWlt#cXH9{T>e<K3(K9|;|tX~k86aSE>XZ2M&6Pk2DU?*Q8G>&1!`#t
z!?ug32lzu78t9wxU9%J(iO+f##)q<I|GIN;nl9OkNBV-VzsQQgrAo*;vDx8>(`qoA
z(#~l5M6GKUE1Zy@q~;CrNoyI24uog_0#RX-bgaFa(^tN=#|S^MJ#V|GUg1KQ!ymTW
zi}vvtp%Xulu~c)4$?afHt+c1r5y>4(UCJfgZrhxT_255N$>(>m=FXGc_0R)#0#@9y
zE_g%IAg?=PLT8+zgz7*Rh-2V;^Z=PpP-CNZLC~Gb?J=M5(zG5Om_Cm^(h?qRzW`ba
zwR#?t^U^sG6xF(IoMOY^H3^qU1T_rh*p3DWs9tp>!<9%bd2}jFl@dV^0rN_0C4C?-
z4iRzFS!QZ;HXp}3$v{jpN=iymZ09quw`q?^6a4+;xPuA~uy`@n^Iu=u0V+8XK*?qb
z(hgF5&tag11N>6vZ}jfBjOsX6jK{Ilj1=iG`0$A2^UUquATTTjSyna*ZJAdn?t~L?
z3Yd)+Mkex}b~@QYryXa3_nD?IQ!0_t{*<<qi-}~Wu~R1duw21~d9PkFre)v$#IEIQ
zef9u6_HqDrUS+bhVg^9u2W#h3-*Y6!%kAc8Y)zRj^Yd*~0@%&kSx;RqW=}1boVWG^
zS68ENl|(kaxDQee`fJ{HgOmeQS1pUNK^?1&dXrrimP}`~;M}k>nSnDccG?cbOyS1A
z68d{=7Nv%B^c(!7R$IPDQsXa|yg0AjUpzW5m>A9(eSg8{-j-W0e2}|8xRbI+)U8pR
zt@I=0V1qu%e56LB`ovRXb&$c_bv&NY9uu3v&{Z;5r|g*0)u=Zq&C1nN1Vksuzr<+|
zv1)i3p3GB;;kJzRq~V6GXY8ixkV0W<MR8?2yH?Jti?jWgS@h5?Cx*ZNqFojfdZCCj
zx*qDdF%dseVUfm=>Kp8BvbvK@E98oEPus}p?o)qs5~5^AUiU}B7L$&}+!Xo<67QSx
z(_9syt$NKP1l-Dg)0A;EARzscV@wy7x6Uz*tw3G19NN7}B|z|9U?>~Y--v)?j=KXV
zYB)6q?}#M0)^yZD6xx$qRZOVn=bI>j!%)08VYK3Ie3RJK_Kk>WM%7v_p(DSJq0LBd
zdy;JfMo|&QUzaSWxOKhg9+o>$UP`l;^Lh&en(5_tD2`wpuk9mj9Nlfs5*5FzFU3`d
zY%>KB4nrA(vC7Mub6d7EnR0Tg>$PRs@vT0>x@GJBH+ld?Im=|h_l|U4EJHMrs8YkY
zh~r7z?wOqJscxSv$yGGm*__gEVO^%nrDV!dsqh-zVZ1y4addd>cWbA&ffm9|uHD9R
zr)%i_@iO1c(-8`sd29xv-6w-|C9&mhCpPX_iO~Aq$y_CxyxO_BSHZlx`gK6%gtbkG
zuK@OAEf;oN`XvvpBrp~s7H&|^geybN^SK7FU*j}sC}zvPP+6!^xV6jE{)qSYzQ|jC
zWbNvvN+i49ad^X-@YDXLC{?FZy-`G=PgIEMqqC9ad-L5s%>y>XSFTXe(R14IXa+22
zV=%bpI_)3PNys>8j#QX)<vzV`Z`D%zOy&qM%D<<un@k-h?!ydP5)-Y0{OC|oWZMT!
zD5p1eDmSEgpGgH&!9LTS8mm_q57-DrKyln+VyTxTE&GiTvqw2Is*_J>gZ<c;l9j(b
zpB)XxV0jbiMFL%oJ-9zpu^-C`%%Ke0p0{N}Xxj!Ta5PyjKBZ_bYSkTzzId0b!?Eo+
zze^e3(XmKEa%&n0$j_N9-zoQaK2PQ{NnJ59o4q*SH^?eX;PB#|RxDKX%56M?G|!8(
zE}}t-vlqkp1%<w?B<=+<8}$x!D48wQJQd(6JAUI&Fj8)q<T7zq6XHvKh66u=<I>ir
zTN6^?j72}trn6lMz<5>4PJ**<9cOyj(iZrVkoH10$E~ImS(67vojUUO1PD0gcZ~|h
zAm%ZAxnM&npV-eKdz-7*0E0u6gh&Cu78V_FgSpKJHCW6q^dVVyDYRkb>rGd7y&^LT
zX-H~Bng@9!zv83)=D%`vj@+Y%!wkp!@76k(YWgg1jikjI`m$GT4CTIvXEwsrTgzMU
zn6)G`-8gPF+CRx6EH^tABEA{}cbf&N2&4WDh9z<8mo;LEY@s`{RRJH!rM`9>FfH;e
zK^=GHm!rh|!zFNftEw-Dd=01l4R_@9nTWKo<>PhR^Lt~}K8D)buomGitXb^9y^>FG
z>9xy`>unRUNj#AuSFdexd<s=-64(OxV|J!Ex)b<(gK(&5drvwak(}{6Q)`~_S$-`l
zJ!>8*Sc1!%rE^;!aTYNfSg&`Sr=fFpwjI}e(Pla^D${Qdn{?|D0TF0ge1<%p560~A
z+2ot9T%&75&*fT-7_YD#|JZmsAYc7`6M0h+p!|X<{ats(P`Iv~ubQ%HwEJ+z4K7tf
z(Tt#j4fn(Wh@KR93gOD(?sZh=ULYkOI<W87dibyd`e)B%Vcet{VD0Z0+kFRE<JOAU
zl_@d=@xBcUyPnc+TEGriK~C$#ZMXW~?e<aXank!6J|7d<tt^?B3h>|y4Y~Xm$AYe$
zNv&Q41!O>$vDbPCNEPA??_i-C8KATjxA(QS6uNpJ^smHH{!8j91e{V_9$n7c8u>b*
z)GnonJQ><x(6H*Ozvf8$EkhI|kt<q^=7s}0#J4KG;)tzb$*H_Zp`LyA6N7k0=3%RX
zLg{gdQVCB2Rg3HC0(SR=M`)Wxy^spvjJpHQ_-1EDmOGRf)3s-iBJIsqNt{T|7uS4q
z7KVtJ+$Axw%Yd5m$`dAEh<i5s)83}Sn81lBX$pa%wu<aJmrKs`+BK$Wr=5?5ftMOG
z)1&KzAiTUy$!w_q`c(pPhwL4_79?fdV(-DD1GsAZ=0wg@cUpm-330^B<Nm{BkCecw
z{nWho1~l1-s)l6)+OgARXmWs{kQ3A9u^EN?{%%&Ogouxmskz~fu8fmJjGt&EtqcB+
z7I8@pUUuz!?IgfG%DVjk=6qEiw-}}7YpX<VKF=O&nlM_Lqs>ZRNBEuHcH5E{8nQnA
zN`dU8W~dB)9r{?Vm8LW0fw?1Lv=7Xt$}=3S+@=cY>^IHVba!a(Q^yJ_*i1Ab7-&+6
zP_5cRlAgPvTR#FpI7&r^o5Q`d+@)CTO>d67{vXEv0;<Zbd*g<WC@LUb(j_3>T>=71
zcZZ5}Np~nMWzZ?z-L15AcgRNAG;F$g*Y=$Ad=L6P|Mwlkp$-S&-uGVjy62knx~`wL
zBa!K`ZR_2`)r2BFKU4Nx|K-vp+D}->w*E>%o%1wP36av5?eRR;qhIM~H^%ZOa#SX)
z<9%}Fx8gZ1cO%x>w^p}3U8I8&`t@qaw?K`Ze8Ta4t$uz%Id3%gXYG~Dm)!z$oVoRl
z)7hl+K}+F|(pt(4_URuD<xag99=WiZR;?-4B~u(oX{^iO*IN*D(kV`GqSJlk6}>f8
zuMl0D-KjM~tK*kzw73f;5$JJC$57ySBoF4jkIFwH!49@gXUCuoL*eBcUgGzgEXH$-
zg?O}s6?gRbJtdH^o_eqt!6@8&R1i$IIe>ex!?m`%a}F9|OMKB;D~R~M>lL2K{s2mN
z#;TV!FZ<n!8)MhEt28A>J$U@~E1{b-@`=2vWv`#ZBMiow+-r3JM7GfdCdL5I4Dld%
z#^B=FVg<fN6j+lgu%>K3gG4)XN`Z79A)^q3-j&_*MBYctA=8$bVEQMm0KLF60oe$J
z@v&?yUQ<Dh2Xt(dQjsrTl7~Dv3~u*l9ACo6=7XUqqY`nC^1!+P&Vuw?sQiuRD!e7P
z16R>I%dAiP0Tq3wG)~iVyPY+e___@|xr+@vAv}m+)Z|Q(zDMWsEu@8vqUB-b{dc!;
zj{7w8a@&VwDU#V|jppg%FDD$MqB_gPWt7ug7Ae1iqnUDq#G*~0ozWITuBrKqbH!1D
z{A_v$HkyU2@S465wj(x3H>kBEYW%{i2H|x$2*k<@o?B`{LC>95xL4r@QbRW18ZS*p
zMLv4&$HUCsH9zq_@-dT@)ZsmQzznatq>Uf+5x1g|kBqHz*kCSZQEGT7_fViiERmc+
zaJOCW*1LQU&0Y064{AQ~BkmKEU9p6HlSSzs?nO!|uyyo0&c-Tn^XP?{n)F^I1w0_5
z3rW|82O9uv*;KT6l=TcTbDawJAwpece)NzIWXn)zErMFcta8`k(DS+}QnDe_O4fLa
zZQ7CgdSsw^Fyp(*a%OLokig!|SQVB#;Ir9B7rYvfOYz(*9WT&G@rvj94w_=aK3<*`
z{7Xpg5(WD8Md}U45<$E2rUb~ENH298(Ycl&Pj{5em!{R&6Kk91hwRgz^v3;K?rZ`K
z8SMJSd;QaF`}>(4KhR8!T0_%;XLrCCS0+XiNwt=Y)MoB3nJMM`5LKW`W!{dN_^uSi
zyw6*a;ReKzpTtz|MeEJzwuT1SkT}@IqH8^UTgW!_ZUpMh9@(o;KEjcVA-kHdqsc`P
z@+oY)rh&p+ixeDz%%{pS)rbs1B7tTs9v&V|<5;P4y*=f6i-Gqgbpjr}Y7pFm*&ypS
zYB=DQ*d5Iz14hN_{|O{02B<hZtKNA0z;q$+tA>icePi1sCgE8hp#!T)jHU>q2e}q(
zHKx5l1{3z?CE?A6KTtHqf_>ksp{8H9kAxz5J<#9Oo483z<Z_2lkJTjw1vyA+AyPrA
z(q1dDP;DYV9c1Z;z0b&k724%7uMK8Osk%OO$+^eO7)ggzxJ|g|Z@C#Db8tCquYKOu
z60*QXQDQjYbyfiy6ZyjQVv5k`V0_S*2#&m$Zz}BZK9zncu**aSc?47-kDw4VYvUg(
zR2mID`|M3Z+xj$zU4irv;l73-q_&&ZVZz#cU#aGa%ntS7_^b#XDPr~e4`u!LVUH#j
zI#k4nh{~(Z2Hl}>iWctU7meTZ^l0bF)sr98TK04};-&flxBv52Dal#%%`H|7MRjS)
zc~1Fc!8n|`Ou2;Uc{~cSgXC1s^J0Zx-BRf$y}$v}^YC4{)pnE><!xQeciQPf0L5L{
zS>0wKsP5wWvr;iPe3$>^c#VU--nEr50paObbcDzQLg{j7|7VF!w!KDa+{3X9KbNBU
zKsUo7(4#sM=1hq2^77a&@acDH>=v-->>Y?9^wkf7GXA^hC^sZg*JrqTlG(Lh^n72H
z8zJ*|IXidV$U0=Ns2AehL{;?1KIWoGCKw=F0m^=bfvHevUL%*-O;to2&RcN09rmA?
z-?Re$f~8kVbHL#HI=XQV*aoE3w1}q?NJ3V59~2@J<=bE|s53HgT4hQ{waL6CI2_ya
z0II4zw|-9R*~zTku+CmX=xdolla2-#^Z;nV3M~3pq`<VyCRYSvNTN$J*hs4;IH$WQ
z+CsShXQY6>ekZL-0EWWCjE#WJuurAN>!C>WGR4Eh?+0TalikIFc$7e-z<m%Y0B=cA
zF6=04b*Heg6`u2pMedI!e&%F32v9c=w7}9HrxOE_0?8m!Ag+E#QEM*)qu8l1p3@`9
z@tG{CY}oYSYNE^1C?*AIHIy}W2PNVeed%#V6ot3)a7Og}k!mAtILLO=U2fI?G^vA?
z4H74m-(H+<$~(6yq?>hD5Xd9J+&o62cpcKypR>Gvb3iy|{T*@|$svUn74=Hy$fqkA
z11wdET%-N015iU~`=cyw@T#U0I8hS$raMY3Fr^1SL*GV?vI!P&D>U!4iNUAGBjt~U
zHk}t2=5=q|+U{ZzRDB|P*g9($hXtv1BP&CVN&{&Oy`B$AJVs|nhqP`b)%CkLjEBdi
z0B&|8(BJj1yOoE#QRu5uj)CG(rJa7vXo5K0eYnkbn)L$A%ah5FagdI60VswL<bqam
zYv|CPz1eA^Y2#QrZIuO29#=^1ON&OuoAL9>k61zY=IOrOY>jO$P^~)Ed!6o4_azJI
zjL)FZ<sXxpOnfMMcfRBm_S`>ldAAs3KeDR#T!7K(+6ioFuR*;~TOEOqV<qz#!PFk(
zBTm_bAReY0KhRv6K~~ZK*ks_L^jD?f)&nh;6!YuY$7|{S(4RF&PW^IbAR|C(xYguZ
zabYaRZ1G!t+3ETb-(ws84GgsK$>C}?fL5In=206+P`0pJp68&STxi0udC|ppW^_qi
z=(*x^Qju??#8fO_1nAd@XMusyKiCa$AyzX@zSG`&weit{cBb-ZLj)>xS$-}(8bxW=
zbInmB$*e~vaJq!vo$iEa4pLYm?ux2QF`-^FDKoOs(6d?I@q~hoTOA?z8Xz8k>s5|g
z>^Q*M4Y#y^<Fq&;?kj@1MVX*`c)A@bYK5e0IWdOv$DL}p{MDP(T;epgcv&ATp2VAQ
zu$XA&e^6;;W7cK2KExpC!Gwa>d;$^|jjtZHg`f%Jl|1bLpEvkf&g0=zDJ-OcJjgJy
zXvVC~se)EaI_t9!v!{D2si60vp*BoJ?C!tBX>o=_ul)$Zk<EogTf2w*Neho~-@gCj
z&vpBG)0sHOX4eh8sC-R{_@MQvzOaME5Q;Xc_l%LnUV4JC*}>yL`x|YmUCvuqan1m>
zQ8oj|QuoDkZJ{l8eWa>zKepB~D19XXdeWaIW*j%hhXAnEh``;~aKP4*1BgKOy5=D@
zUK2&TjlDp>q6BIsCd)UHWOm$TZ2o?JLC*-CGoZC#iF{9IHy&>|u!np9i*tbY-!lmW
zm?*FG#-*EEy9xQZWKsEx-gr%*0e_+Zy#G5QrM*fD>{)<K`jx18i6(5p%lBW7^+4#)
zA`F|M<b;FM0&F~St#LXL+=2MfG)pjo<TO2XE$qejcM%YG9tzyz@8Wxn^OBNO#Fepi
z+D;T6j_Eo=GkqcG3dwuYs&{J?@Dp?OTX*?*atva;E}EMA%tSmMw_r^aF=$Cpue_0p
zO-B!@*&KM$O(XWb4juylWK%(Xy}PIeN0!d#M<jL5*TS~3kpj*;?*|_xWImQYEah<s
zREyOv-^>x7<*TyX$As6(@tT#J3Rc$r)2hd)2FDZQeUXfD%O-QCHa~Mx;GN(ym!G>7
zs^xB6AvE2|1f;pfSHgjJ(Mg!MSPTedMYZ(m@6Fbtk9oLY81I()P_y^n&kdbe-~Xp*
zS^T?bnWvgx{n(nTJ$AeqKi6o&Qh8RARA4h*gL$|yqhpbO9K>@v0aLA0eO@S^wAz^B
zT8}ZHb<3t$__D%;($6Iv1$HtYv<(fYyMA-$zsDhOW69rWY^E~m)u}p>#2xeDb%MR%
z**38Jr_<J-zfv#;qNZU`TH6K*je>RqiJ9MVDsZ$J3E-`&<r~+cf5ScdP!1Q>y=s5|
z{pgJ4>_aIr?iZzW$uo0y3w`gaQ(DkSQkVu*M0Q(KZ5ss)i0e7>OAojf^uK@oNCMiS
z{eDN-Ne(e4grx4wFHeDwx^ui)+Ra>t5x4O)V5=IR<S@uY#;23y&LfY{?{rME!N@PJ
zrA3coK6gVQ=io;po*|MfX-rmCpM(TEZK_5K_5|o`=6=5aGG75~m>}#)(~rk}oYQUZ
z1c}S$GL@!d<Fs#LG|N%ul2gczR7FhCtEa}{v|GDo1he(7N+IDQ1<_a=5XyNijFc@i
zyjF5R2BI_)1#GXRN9U(?GPLH`LxJWG<;j}YrgXwxfB5WxRD(0_VkqjA8!FMrLiRw{
znZ!O+5xBD%r+<wKLgFY|rKBU&JY3;NzQ9|Tl$8z#leTM%`AV&4k=$~Gg@y6h_>+5Y
zvbk_*8TAX)H$1mUOP8%=kraC|AWX<tzGv^x!$yc<1Wc-|l%Z9O4!a=&2yEr24+A%E
zmK_3#QK%f?xk4J4qtEGG)u%YZC~FvzGvj<gUB7j$M`pe!>c^wns5vuVZn)EQIhy9E
z<Jwq_0(1G$r&F2fd4AjjJK7itiRTW!-^Yw%;LYcK^$tfjpZz{85gQ_LY%gAj5`N<Y
z#K69DuxMO+4MauVt9Q;yOPp(Q8PrYB?^TIST2Gbv_a`DP_=4lv1EZd3IU6wn131K|
z-bro+<-O-y1Vm(0$Mx6ECqhurHDT9Ddy3=+O>$O^a{B3J-AM=Jrm9UIu7%+Wz3~&^
zKWMx9Ze><)I+PYkt3Vp!)xZYw|9Og#JN|%7&ntlO|BeAwMCc$UMe@mvpjw>6r|>x!
z`p!s7QOmO`WpXaM55v+Q@S`wT*l+0<cfUOlZNkBs3GW&pAO}S0_HQ$sF72-Tmu|Bj
zo`n~;4vdzoGlI4^3t7)RJGnvz%Y&CXvvxL&Gu`}^u~Y2X1G1z1At)hR)<SNnWq4BV
zVhwsw(&6ytouPD-;@9Ug&MiTW+qrF&%{1-9d5nlb!tr2U_uc==P;4*O$>xH$PkiN>
zVm$OsBJq1x@v{SVZy1Eye5@)7udc!ZTD-dCv`C4v<dVif2G(kFgs>nJR4YiM^p&eL
zF2)n6AFJV6s20Q}Isf&05K;M&N-9@r1TT-FR-TxDSRL}Fw5RPZOQ4+Gr$<P(rg~ls
zI+>Dk@gpD8JA)Qnk_ByvaT!e;&3dd3^;^aZ9#G(!t$)^XI^fn55^-DyRuECYpa3{Y
znj`D{m<+?cbg85vkvEbNWm|PPB&^1AJtJ6kZw@O@TR<2Hlj;svB@(WyC8BXz)K#mv
z0@}DX?7Nc+K<W+r%z0i;jrE#h3@)q~i?2LT3@w(bE~YaZepJ?Y_4jgK?QDnkBd>-|
z<p0yCVEemKk%JE@6+)w%KA+j%+b`ZM&vDs2366J`^5QPQO*#F=R&xMxI%`v*C?``K
z-u;XrAH*(Z%_!Ptq#HI+#2Ub0Z3x{rz})`As)d(cCo3`<`dNl@Qw3VI&}EX92eh7i
z6#5P#Jfn3#?%&v-*d%;}=4>l&Me!z@yOmZSt&cI3W;-SIhcr@MCFxP?ByS!hFIfgd
zUC3U6Mqa!#Usb#QKCee1o7G%hlzfUX)8B|_&wmineH8k$>@=Xf!vEXEpS_SieEb~&
z9$z`sm%t;D;oA$>0eDt+_JeT6hvp7{tZXj{u(F%A<tJ#Df-oWqQ?Sx1&p58KfJkD9
z-%wP4;QiatiWh$51IZWzDhPsHHP=ZEQehor>RS0r{)?G8+bn^m3;u!Xj=HQRUKpOr
z!n&bH2erEoxQ|Nas;VALVnOu0cN6zK@y+vHGmPf)OwzU?&C+1lmMI<>p}4bi)*~l;
z^akYWkmQ(tY>798tdCh#Xf%vX+k8bYlRL5$J($WS$<Z95j66HMI|p!TYhNa3A>8zi
zTcaPfD@-MkupfPpU@VAjeuD{y!+-?MSY$e1!DiHJO4mJ1SYvB<)~m(u@iS;PN7Yz9
z$hJS0OUHPM%AlXvCZFE*=WZh69(1I;7n1&9y%jT$-CYU@Ktc690yIIZ%OWgmT9X`v
zyRGD|u2J1l8953z45b*&kxVM_kj{u=mhpb62m+aA`S`Tu89)u*K@wQIeS2+c-^Af)
z(-q*L#VLAPga8gYfu|sqGgl>_k?vL!{R>;8WocZa8XYumJI$c0@gkjKTa&jdReeON
z_FJaWBz<2JXgQ3p<TnWvGVR_O^~I0T*>{9GX!wav(LOZ?Lv*#VJznQ=2L=jA31+(K
zbZDHm0NRk2xL;!5qs=$>V-0~iL_s8C=uRG^Hu9+<CXh~y6tSHPziz##EmExv7zZ}~
z-WV2^q~<qof$UE_p?zi_;2Xx)y^~m@V{g%N?1*!m?8fqP_Hi$IhPCeJ98B~p0vo>v
zw73bdCMdUOfR4l$c;}wl7<GM#?*Ub9?}<m;_o-K(m|sukQ;WE3Ms}s?dP*m7qpB5a
z`zwb)5!{`AmXy0G!6s9rf=$E_FR6!##7?`_D%}g7!d~sU-wKrGKRh;DEZyfR3}<<5
zYu>XWw>F2>o=L7rz_G+PP}QsHY&@Fb%7F5bL?j_3XeS$tSu=o8f2d%}er&MPFgx5p
zG56DsvKQ=>Lm=*3XD<}pe!jtop|nKxVp;K=w1ZTch|BT?+vQUvY~@-zqsLmx8z1J4
zg?JeGpWeN325Ip73#Ds3=<;FXBy(BnFDquY0yr{#dMCuZwBUWaT^~Kr7U)mu^cq~0
z0^W~RL-zr+rl%1Y_W{v5f)w}sPJKmM^@3M|=0#`nsit422y{aQ&XennQ@KDR#boo@
z=!=~Iu<^%_9zER%mv9mE-VPDEZTCzcEwjho0|xOQ5BD|z+@h@L<DW==F3A~TO@A~D
z{|+FwSR0om#)a6@ZW>vCdt1+G+KS5{s*g_5WkGYtbwfeuO9Wo>XT#|kJ|61O{kvfc
zwx2s}nkkB7aKVG+#7#q9A#6Wk>6XHjTBmC&&nkm>jiy>>=k3c7m1WHHO}7dQ17;yq
zbBqkV7W<T%HFnSDgGBW#5xNu(J}Y6&(qJQ*pyTS@UJdg>(n}+>qzT;lQ<}=}xs_vq
z!z0M;&p9Z<&x?+$%T`;RNP>h0A7Z0C=m;e>qh1}VwwTG{a@-l0z(aj_LIvi&&kUFb
ztdRN(2x}D;LAMZvA~2oi$j^GB&DVIB?Wq3MnE6@J^^=h5gj!UTQOO4+vfn_ewPJBq
zO~uA;9Nzkn>4du1<PWl3d8-+su+7Rmlbt5u+Ap-Qih>D!I}Q-$vKop<BNohHd4J$B
zen1C&`<AbxNz(N+_8IdC_{>B7gZh)1@CHz?UjC)#T3n`vy(0MH2RYq~vOG?lT_IMx
zNenvfVGW5+&#oga@~(H$Im$qmVA`AWF_K)gCTC>xd{9qV(93-wrfa1Gl1<kvS7Q1q
znuJ3b%yX+^Gf)VQ#!uGp4YYK>4?J%C(Vw>Gm~~t&l;P8_o-{x5rO*xU1Z3N^rgg76
z4u?VoonMUCmG5qGd<z!3nv%KTQ=n_OO>g6!H+RilG}gA2*E^R^;L+=G^#Ewku#E)R
zdEApR`do_mhef7u3L<1NYaBPCahBHFUz;;(waa8&K$d`9%t$GWkgMRS%_d@a>x5+V
zWIAzkuQARA@O4C-P}4<eHdMd(h7jer+O=dc-%zWj;|y)TD-NKPlck30Ra>}sf}Y_3
z7G;_r#3&{98Az45<9P6gR<a3REG-y_s~G<X#ZYiGRrnC2>SxD<5$jWx==mst8|$TU
z3~{Xq_16vRJ1%l*&wa8xT+U%A=DgdiB#nETxZkM)6P6W=eTj_I>2!*Qt3z5_Iai66
z2V!F-x%=f2+lFFEMa~1|^}NNht^I~tOJX7^Tm`#7GE*4I;ikNE+x{Z;a*_156%uSx
z{d}#{Z0$-%vfOFEc7!%f6xBCJwJNBO6D^<5b=@JvLQ{3L(8A=^fL`LH?_37mNWruN
z5TX9<$8YWEE4)KsnQgEzubQo1Gr@$Xcfsot>;G5S%&2=a+Tq$*YfBSBT+zb8m#F-4
zUZeNokNOjYQ~;kDKmJ?i_+Pw<UCTWhei%!f0*F`?0%biIO@QxCN!?TmWL|F~mS`@_
zdot7r%EK5{3+jG&1IWk^iq^vMUwGz;oKJ8(a~P0a3J;6pO&EPo{N6$o*~H|oaxUg)
zRS7-(&M0su+{Y{8vRZPVhwrIdIOnvXs9Zi?pV6fDGRg3y<nl2v{Q3r>ReukhDmCd+
z5Vkh?Z0j%=C|D)pw`;$CK%kyRjwd=+q$U0y<xrpUH2#+&sMU}?Kz6w-2kRG``3&4B
zMk7fB8V+yNm+X$Z(n`6>DyuPg29o*0KpzDa+dJvC<Ml4IQR=ujxG{8E25frNGU5eI
zEN{-ywq}NCNv4%P8#8guT<{UFo02zb<fa+JS2+=f{T!bk4vH>5qjo`<N|I`UV)B{y
zgicVQ#_;Y(OiE3!c@{0floRxq#xxu!v8NYEnETuF<uR=)#N4kx9C7#+hRk|ePnHF<
z-)IW#(jaUuZgl`56l<scf~IN*={7iFX2y8VOTnAxRS}tF0>4no9c{@=ljnNLg07}Z
z9bv=1iRP^cf_M;ukzj0EQ)qvZdYaHtXeWh%)<Nexp(s0OzZ@`-sA%P<3+%r#+=PX<
zj!t9I+j$~jCW*VQ$bdQ+za5TJ?ifrryzzoSmtxlp2!2iv_TqS4z(gg_*&Vp+i$#F;
zRN?;afv4Nv#d;%D^^14TxY55YstD|B8pTRUk~O*D);r~_tt!FoR8SV(4A7KPv@3<h
zGh1l`bG^-=WVB|`cT$*UTPzS{zfzFE_XCfW9c4|;*asSM!k%9$){q1~9xlq01S<b5
zDcoG6m)QGB`9MY+8HcF9)Uea3n~|f|1@@`LJ`Rl5#p3*3*yu4+R7h$jW1-F~n_6!B
zeUt2Mp@nZgFvmNsv)e2$jXtvEbUNHOYK_#u`~Kl+3lXu10Q>7_Hv17zj_&r)(-!MB
zGdJeny^|67G9l?wcdDG^^D<DOMW*DUK=zYig%2Wybhxuq@Y(ph4Ay51Qiz%=?mql)
z<D(B0h)kOIp@BR2rCkN0zIUAjphAR4;m06_T$=fao%bn&d%it2OeT{!Ao?2kqEw$c
zJzE>y@lrZm>urc+y1dZz=v;cmMiE$W7=4E#xw_y^$E_RXH#liF!3*96?P61+LIE*B
zuAHtruF5_d&t1MUU<gr|jy-&}=d!<uvd({vQz+~qMI_luX=W;xPpnN!dnNOuYshdk
z=ef%&+R@{~4ZqSW0j=Ku<+=Jwhmfycn6?2iqLByAsq_|q6amM^YVM;6SJ3?|bSCcj
zZ{FCi7REe0S9eFBEF!G`0Yx%l0oKp0CLB_<s#Trf3rU~jgLZ~>)}<Pp8QaMz&gV;5
zfsn@2Rm7wwOw10^(uZ?^Q=v~;*bQ0DzN6_kq2lMdjPW6{&Ur)3YNq07Wa^dnjbrwI
z^-RLCUMT#Wsj^CEp!{@;7ENg;<N4>uR0O={B3aX?8x1%L_hC3l#J~F%{<@P$0sKK6
z6&E#yabkiZ9Z!4E=d-F*BKSDlF9@(zx-?GdL=$<4%_Ah|6@H8}m0oQLJo~2CQ9b`@
z@%cbf^AqAaWok4eqP<Q^2nN-&|MlXoQ4t1GM6v-A9oV-&g7+Rf2Bf}NfdOiCKs%vY
zq|4X+i8_RS?<~E!pMicC10wPNm(^PZx21%1d&9xVop_f&+NBQWyDpWuixL?SQLQ4w
z*b&<z%9sdG(B3Ac*29aIO|%*?Fc_@{0Q$l5nfti^>-Bj_{Q%EK96~~KXMK>~@CB&w
z&SrZOuJ~E%Q4Z@6#2Rw$r~WsI@gJu>9+3Z9DxIRkjr=ERfytgvLXKxM?5kT=kCyNc
zPNqa6)q!U|mXg%y8D@(4ip=v()Sc!}b>1@xV$p@HMs+<gcU2U}3$iBPGgEPRgMjDj
zYJY%TWDyH$OHbr0Q>n6?YJ*vUbmM0ZjsT2&ZE+m2!2F2DnEsXrvur!TR!52cQ20ZV
z8#RNE0>+C0XCiLPF95wYB658p4y*{6EEY7GK$)lvY`KlpX$&W?_9k2<D)Ih5T<C`D
zA884k%QkLDSw=m5m=J$PE!nAZ#5hj&SQsKgjkm|kC{{@Y?61(4k+!)F^o?aw5na^Z
zZ`b)};GVG2#SOhVCj~We16(gZ-z-T=Kmi}DZ^k6~0o6B%f0K*T0sijCV0mOszQbG~
z_c`z68AnP#U<B`7uxDm&zC?c;tL+b<^AAsW=dg+EThJc`H$HqqkCOlMEgN74-|AZZ
zUzF^BKHLr9v4I}S_}%*5f$O6Iw}CRmwD0@A!x-4_9isZ(266KPIR>J)f%EY@RKM%T
zZvk^ZMKVjlr+XbhXnK!49p(4u&M$@ffBvzU7JT^x3+COM-3YL#_2C}5VqLrebYwBX
z0S>8%|FzKn{`Yw)_!gyu9eV%9xd~h`kGJ6CXeyB=eMkj94xdow->>4|7w6yK8{j%3
z{pP0+$$!5DF4W-OXt2`~6nPA^fCI!rzhA{)X(Ru+P%dQfFSn6nrTovk{pT;ci10^m
z3%%=$P|z&?i@omVHTmPq-N2W-UShrU`TY|7h=Q+-ZX?*m7x1T`{lOns@y2)jp9|?E
z5o2e;`<fc2kfmAbajVoO6ez70G-*SBv)KK6o&LFs<ZfV1;Wv7`{DU%m5#=+01aqO#
zZ$#FBhz6O=TOm;-yZ*l+h`&0+*J!;(;Kx5~pR!oHVEo<yiSzCOd#138=8ZQ0f4BU9
z{e4#mewF9rU$))22;lkh1NDxFa!}`wgI9w6tpcPfZ-l^R$1kA!$ARI-H~tWTU+k31
zHrd}7(AUp*Jk*0aKZL##RCu>v-Gr9HOO+kTvC8C~K)CXMr$zjQfQGFo*3iJ`OWbr9
z_0LDyldswSF6O7?T`G@sMI@^+c2*CwE3Ug$_`bed!&cm`K++{+Ec(B%!(VSr;jC89
zxBgmxtSoy3FVKG5=i2K!KqD1kI%k`q0$J5wn%+^|DXyk$5qqM~a}<`J+}~r&A^*SM
z2*${rNDLP5B1<+QoP%Eu*qawm{LU5nUw>U+XOp)6_!oY*nS|(p(}~|n)=pi6SdEZb
z6Ae)$eqWE9i=tfcMCL7?X=yYi*O!{?CvTwW?M&@+*t1+u&Qo~SERVLi?W#XxFgKri
zyf8K~neX>-J~}Epo;ikGFknfD^4n89)9#BK<3TQH&9FxBCgY=)Tj`0C2w7{@ARXe_
zcxO7Y=Ds+cAK4RlS9L!VfdDITrhmp+_#A4WU3bk7gnFUunX*qRk+V{HZ5uqtxBGUE
zk_13nDUI|8a$&V1)sLVsT~EGM@vrTM=l+kTrMrxr|G;bhe@l^t>doeX1Ydef@$ykw
z+)Mr&*W_2Fqx75{kT#TpkC#geWrCc4u2T_~jjQ=g6uhBdS80zans=A>owz%Ew2w~w
zqs>WlKE=Iw=zJucKvw<mu~>WA>BE`F7>7ixAFgy8o~EtNY}l_4HZhfeO~?i5Es22h
z5Xf29GX@wdJ98i`X%8csFiKJLXBJSeQaZN7bh*0VBjJ7X0fEIJ%R-}gsPX)m4m?^T
zX`Pwr4YvE973RiVHev4`-va*LdoTeWTfe$y>E-v4EH?8o8&9=E$914aY-*~%X`&mR
zfE%yz$qDZti4qNM;1+TZR!Htooxz2a{<WjCc*~}hP72*c+6TIUz3{T;)?3gg;=m+m
zJQGAU@S4wwn`ILjWB4>aDfxDF4qZ5l$=fRG@%+|su$#jrj^-2cajg4jXjx#QFJs%+
zgZ36t1u-Q0fjyyxI&&st97kZS!PcOW)Rg$u9+qa49quKkHD!{JbH5#yr~7dR+Sat@
zHit&j=5dl;RNio3LUkxzrR7lQU9?pb%jN<^o1}>zH(^%m8+XmFI(#$Uh-+{7eHS1%
zhwp@y9tMOPzy%zx?<u=bgr0FoOGW$D{w`KBxs7i6W+cDu&jxb78PBPzKxP3ck%HP6
z58Q_ZPIJAKfa{7pZ7|=)Tf5G(wg800p|7Q*&vWcZ65M%(`u6htc8*%TbB0O2|Gu$A
zce#daU~6(Gx7EC?Lh_xSRACp4buPz4Wbf{HYP**sj#I&F4XjNiNSo7*fz!^LSWdS~
zv-RirIbWSrFIFukv7CFFY}Oz_nrh!M>pnor{>cPNnIsKA6fD%=-c?!@cp479C%X4X
zuuCz#$eu`)cE`5W2r|*|feLDaF5lJ#-Rf}`Ut)sWa@9hz#lg3O!NCfKI{Z|uDa`nB
zk1{@-xmVYjk(|%5fVLFLsE?5EW%$(HZupiAXO*@#5m98987=VxcWNb%Y|l$H;(&Mw
z$HZAo2;W0YAoAv&X?N<S9&Aw4;eWIHf%r##l7KSkEzqguMLHbM3n3%d$pWHoI;8!*
zA}F<}68)-You!+Uk~L@7!FzOsG&t&;dv*P`&+0RRC$&DKH}N0OFn#!^-B@5Ezh6Ve
z&{luA%I8^ilGsVQ+d_2o_DkTX@ex5CY&UMma^&7Aox-$VM^!Z*smNs@H*upxHR3`q
z9k!yshRXX7pXd2?dVxdtE85#!z_;Dqk&?zH8ZXEIZu3bte5&(xIJp>`isGdr^PS$s
z;1FCU>GCWETQh7Th6c5gmBRh^VHP;{|86(G7UbJlP=GeXx~Q|#+*qKXmIyipw^_(3
z^s%<&LoEvZ7(^4Z_920e*mzud3D3NfPsIuz>HTvpD;&pWCjsQsWG91}8^htn0Iv94
zcimC#;+$n@iYNjM47?vpO}F8Q6uGZgZycv64{p&$aye2;$303edO20q`pR!4dqDA1
z#`7*7LrJ&gC=JV*1De}xap)0SU|Qm^ab(pU#c_{XI`Xmd>JC7!L;DTB+<`5DGk_M|
zOR;0bf@8nV9E*u!l{dR8dxw3`=swZLbb9UmL;?f#6c8(fom;wEhMnsxQ8ttW5^0As
zpGYUs|1z~My(t0#2U%agknh1@sSaja{t-tGB$9y`10#+(ArZ{Cl0ZIb5lepNI-LoF
zPV%Vhh~u|?lL%)ZxsHB3Nu(cPo#OhgedA0MX*?Nt#ZCH?sZ(AHEB6w0${k*V{Ij(c
zfUUm1y8WJ^$?$dmr?^j#<Ttqm1dc;;Vq<2opWM4~#e<9y0Aa~NN00*&DJ{4Z#FBj5
zRUDq_1<!54di0E3@H!iIQX3`@&L(RaNIJhi1Tfq|6_4-U?^weT7K*XccG#(U3LV_d
z%`B(M{CHTVyv@0d;&p|Iz<b?Vy?P#|vAS7Ei)JVjPtGiK--~%;6B%ZWwBvRgKPgMk
zWM`=L+R_+5t(IU1@5_}}w%OEMB8O|+uF?}9Ch5%VR5`nk3TY+4IcY7N`t8cZZ0=(M
zny05fZT+o7yWvXrZ=6Ol7>FpgWZ9wLv4>e-me;7{O!=T3oBhn&cTjafP_;6;2Q!F4
zj$0iuUkud0+&cdLv)U9%$nD};P%)O`40mCU_E<Oj>*cybqA0pJ=krbM_2D&=o<L0w
z<Gxf0$_GCkVI?w|6_B?R?t1)6Ve2;E^M*u1Gr24#dJJ>9gR!ZzZe5-!*7Ee^(HEYA
zE@h5Xag*2q&gzQ^S}peY-H`~)fUL3hPLDTueT*;zN%y0zbl-dE*eIjOcpgd8I4qK3
zL``z#E4`Uo<xr*Fkr%G=+Le})BmxyNG&MWfbHdrJQsED2P8(2H7h>q6S){4~`2D*|
z7BbQP>-(Z(LC2`)PWLkbR7H(|FJ#5*!c5R=vL@IX%xp&ODWr}zM{^C`*^2H)L-n|f
zG20pty*N)Ja+$e#9Slp;Bup2s{^H95`?Jd1iM{+Hv|45XG)XJ#J9qC6#g;CaZd6$@
z+b>yUnk`8loc|PAT`gVWT$>06c@`8sRQkvdGGN$VsdMf}!~P-o0O?G-lV7YHvhoY*
z9Q{rsY2$;0^+2*vdR#el82y!gV)RL0Oxklp#k8;Q;vZ4^l}DA((2u8*2(Q>C^Z=qf
z2!pC^N_$rx7m-v}t%naVADN&T{NZdUV8<-+#J<*}mWM<U)B`c|jOTY7^?z^$x>deB
zZc5*LV-59sS(Tn{iB|xEA>sqj$V7Fnrp;ql2FeD6PlKi_%rUnwApiisCtUq%nV#Q)
z_dq}E!SeT{kh8-rIirQg>3NLyddDbw`(?zB=x^+_Pj0^jBD6ta*aLWs00gnqeQ)Og
z%(NAOdz{Yu>Z0QHcdR<9<a@S|7}F4Z7Wv}Fm6K!SknN+*DJlu`3*z+@Z?R;ayhRvF
zB1izlW>KhXVsu#_rJJs`&-RG^x^<e_2YzmT(Vo@-=yv>EP|5prZJno-9*`+CCfV6A
zIW7SU_3!LtX};{Skx9Tp*#r78@mjlO_AyBtOtFU5<*@YMN*N!YYM|vB(CN?UbA2ia
zf>VaY^LUp1dOmhTpGl@@bU$P44S9?xavo#6-7K2Utw)1qZy|4k|Lpl3!|N~m)xNo{
zvmACYK)-Wf6|=TqOWPOtaTy`*)9~Wgd(4NrN@Dj{qMaFD5fC~BluWd?Bxh2n81)RV
znOSZ$WD%w*n2=`I))(=Q=7vrC4-by^hojGr3P<r+4!;X05h>!P>V@N(7tpSzGxaWk
zoAGDv2=ig3#n_i2s;1Ac-o2BMsoR7i;~jg>H|8%3*GDB>RmTaROim{Zjec)dT2mf3
zRPG#Wmzpvh5H&csevfb^{3VZguRyD8&^HjB_>O_U-!q%}O@cC#5I1`D-0i_Y9=NYr
z0tG)SqTb1Q)xvtRT#9FXw$!)w{R+!L`i^9%6UG)F=ZTGPC#!ke8wiY#7EjG#b5B3k
z-p*RYV->?(u{qhk(&a^dXL!g<BHVKSFSfhYt&~=&Hap3qsd_|#M;CA0KVe9fVQ{6j
zy<`o1aQ5B~+PyZY+R6V~Q~}Or-mJApt7@HjvAB}vzpo3}%({X6Cw^S_1Q7Vk<rKCi
z8{ur`fllkGgd&u7NJ8oYlC62riTs#<O!+g{_F;)=xy^a!NTvE?6eB5(qB|ChHA`f@
zEz%^@)tOC=!sr$}j$1<^>cv__D_)g`KaX2;thcnyM<^y-n+LgA0&l&#eWSU+iSeU3
zMoZB7X+!85Bdf|vVN*)^{bGl;;XEWg{DDs(rPSCmQ0)b#LA}$KuG9JH>GNA(rWa?e
zkGJO>RtG66XSyuL3+Mz*OgO95L?;?FJ!)*1BwNc<%50)c@V#5rigc&UH6kZOgYcJw
zZ2!9P%z-!XrQwz6vYDf|GLQuCWyn3FEf#PqTdE_)Wmkq%mZ`&+9&X<+wr}2PkX)+P
zPp2IaTbK={C9Gmf4iILFNoK#opLf~{uAlaEk-1%@l1(Q?at}MW(3K1?qx)2uzhc&H
z4~>i1gsH{O)U*^Py4=fIlbZg-B<Nb}%uFxGnaRGo>ppBUWa5ZKAmd@rYz(4CUji5A
zOJe1bB0cvY|Ht%wDIC7YO;>f(k*6T`#B@Kpc{Lk`9p;8dFMG9R(mFEUba}q^xk%_i
z>O*&&JoQTUF<|9>7RbOADpmG1mHSF}QvrZ-KMTpH@QE|17ez0F{|}IsZ`+-8z)8#d
zQ2t+}WiS_U-u={Z&RhC5yb)o!hlu{`>tZ>^!5<&IHiN@d;0g&Tfm({IeAQBf<*tuO
zS6K7!BcIsKMi@S_8SBtuY|&4d{Hz3088c&=e0-YCA~7Q9z9G7M$Madem#LYiQ^_7W
zrs{lFzUf+AS@KOkV{&5}SeQ&lW66TyoaJVMr+~9u$Q`B|L(=-CuLTI{a!gXZ0&u-*
z^qQ@$x|4;7N_k2EJhComTKMur{A|_tI8<1dHPC0-O8=Pg>CgRE(g*0s+$$S2;sFOO
z;&TYn$+Lk8JsE~1dpi4>3k5l{lKci0Z;D#aR7e~P#evQ`HqriX&@y0=+d3tG&Yqcf
z(tC_%F=6xNt#1IYhj6}UKc6>Vi4^bAm2nhU@{?Ib=l)|Sf`uyYxW-b1CQ5lljNV5c
zOpIGqShh=7hD0+T*<<45Cz0?s$_O}bMJHUio=C1Kt7^Jnc~WjqT*<_Y3<K1)Fdjm&
zUTq>4t$aouVQv4pe~~MJulTK-HwC6<lSeH~FhmZhj}?SJFGAtgK|T;g5)Mp!kJ6ZN
zBCW=*0Cr`XCHZgbVE@E~hM@B^dC)%3T7n?zQ6J<3JYYrYnH?z(&eKiYh-+Jj7nlxz
zGP;Ur+ydv-Cry6tAd{?hMt@_xkV$-gJr-Xi9}u)fmf2h%FrxK-rbRdEPt<ZdZU&R)
z1IjM_0X2GqriKH`oT_w&Kn#|;XG^@l7hym2;N6{~{WX~7EG`7m!8>U?M6p=Js#e+_
z!J40#M-5UlTIq3@uB86_QAXcEBZy7yOuuBI4n0QpyfEfpSLP?le1@Z;)}xz^u`@K{
zZF)A|!|By3fsB=W)EnFgam<YkK1!;W+T<HZO!T)$Zxfs+uIg-;++ZijIorrxtBsv0
zPGBDD=Q!>)eto(hKb0e18%p`q3L(%_)cM_7Ojyk7`rL~;#w#m6Osx0sh$JL~vO~vm
z^cFDQ**>1y@ta^rlSv&eZdOQR6A1_I`#LY_o%bKg)y<mki%c*3Mxer?wH(?-N{+A6
znm0S%6{dI*!vV_tBUM`hIV1ICUE-49Cw64{qPw@~RJ0kyzaE<TQhYZkFrjH3qpc;$
z%K(kjk9^Tp7b3rjnd4&C`Jrjnq&H`W&bvu*aUMh>(`gERVWMwo&1*w{w1LDDK##K(
zb9t`35zRDeO=Xg*xgTv6Rtd9)hL5Hvqz8T*c$zcIwK3i!eC}-HjJaM)TUEM5gH=o+
zZz$=dP-$N0b_f6fq-`tSa7k7jDk0I|?BskYXNq{)?H8`Ieko=bZ3dzICKROZ39oIO
z=slVGUH7xX^jaG4BI@Dkr@0ZnYd<?&A3SbtQkx5%-R2jxg*-|U^46c$DR)Z3Y25A5
zxNHW)$YH`xCB%hL0^O(8<|*A<1>$qy22;IC^K;=ZX5qqz>rCrwtM&2wbteT{HzcIH
z%<)k7J$vQ%em13_d%ZNd$Sc+=>CnB4O8jFtecF^__R4A)XUgM;kJo6K1jpDI1=O)E
zbxNxwiNez@(6eC(9P!0NO{g!R-26NEbt~;lVmF)UdUpWDL^fL?@M&@onTT){lTNhV
z$^%cnn8sOv&5Q@<6?5V;vyrSe7BoIuYx~VfHt8h(%8;(`8K6RK$C%=SbB{sTn)H9T
z$7=8}2UyQ@;-)H~O=XsI=ndH_j}fMpl>PK580T(T*I=TiZr3XzFSd^=AjLQ5`DdCH
znjz%?3>IzHCGtP+6i4`-Qm3*$<tGSifpUa<AATOCn{c{LIG(wlJGzm#xzd+b3zVOP
zZ;U(&mJ*^j{xU8xqWI3mR#hbs+#L!8+rrR0eY0K?R^1o9&PH@*Ef|<TBAG--O+>q9
zQX9(kKUQ$o8hWK)b{JOYp0@dRaO1m8bV~}gi$u8;&2}*6$RscdlU!wmnqwI^?OX`u
z@$rA1+zG~rAe*$(EPv<WA=YSHDtgqUo+is@CP4WT!Choya@kY7tu2-NGqs!~sIj9j
zd+zV>V0VU99@tS4JzexpzEA1GEB)6p9T{FjRKBWOe`q5r^HG8g-?fnYvC<401*H^7
zjO}&2m}HAa*Gu{c0#|$kA|6ubQ}L$|OI8~t9F;M-KR&Zi30jq(;zXewFVL0NYMbd)
zUmK8+F^#$}#e1^BLf7abGsCx5wq!Z+d22}I>S^<(u$Gfi(dN|0g`z5H;_2fEvyo-y
zqYsCR=R1UbXQ&TNT|Qd^4=zs8LxCjZf6&KU>&sUFeQfynMg7JgD>JgOf&*wJ;4Hpk
zk9C%++hoMBHz8SHSrS~u2fRjC&s@H##RAL8KEqbWZ=w1X7%cSL_)dT;rtz+_L~sm_
zucB9Vl_8~1+pRDc-2Co)K8FK&bL7z}@?cL0dWkObQI7YKTaq@HnmrXLgM!|>65N)!
zx#J6xzd)nzp%gq4jsXLId>P_0C-6uv69y^sqg7TqG2H#QjNOJWr$N^4atPPv+;%}w
zU5V$p(^Lh3#<UnZzJyv2r<1ymFR7-AA$9{YqYM#VS1CpWw)<>8DBi`1^!6cdD!`BY
zT;)2?SX2&aMV%C1I6I^mC`}Y!=YPPA%mdmTVl}LP%;@xG!BB`rxOQ8%FC0UG1nvza
zZIDa9c8=>8a82onqM<m<i~P9WxI$Q^eyHK<a32;Q{Y(mbdRZkf<2L?|O65n2RMMI<
zO>Q#nF{)9NshUH4v)xbSlIO31HxToeH*n>bH;{`)RS_Qmz0t6Fz>#ic@u3m$20r-$
z&ceVO*b4UsdUi4g0B<0Zdd1_*s~#5u8nH166KjniC><GEYv<w#Z(QRY?Y>LBMWr_(
z_vtpk%eA|7M4&EpVYP64P+px0vOJVOQWgPJu@?mO)$;cb8{9UU8yM0qdt@V~Z8?L7
zU+2;6SGu1IL*$mgRP@=9Ucdu_RW(e?Hu|<N{Nc<3-N{J}`|f1J<5m>tsrdZ~a)|mU
zxTE|tMiJgZ=N=T|OySu2q^G($ss=73s;O^z3Jt920H>Jm+IZC&AZ&=W+DWMv^0eC<
zW-$ER>d^W+(!j`Z8-V6J1x1*fA5$dvZ^-n0XKb^NDKC4;6M;H`$l*2wrpz@4lS0R{
z21w(R>2&VgmD0ty^fdWIO?oK-o&uA3!52dj;vECAd^5XM=2MEQW%xsQeY!&Gs|^OL
z@fw=;PlRqv;c8@Fv<9F$T#48msi(e*62cn;rXLyWJsBoI*3+mbwmUNJq~u2v@A2N@
z&E~a*JWMqMS_gW4<lgmJKj7z~KHm=qM?@Xu1(#kyCwcXE!X*0;6IMYJt_Vhmkp@~N
zk@_nDi`D$uwr{!6<f$o_UO+0=@K_wB^^aX}489Alj}V=HU&DaJMI3E}TX34neJO|^
zWxO}m9n;bvFlz@ElouXlLx)&s_OO3~LQdNcJ@e1VCUTM%BIvlw9^4zeeN(PulLq|R
z=uBIL^rI>Qq(~7yQ|>k@2{=iAvxb8fizwJ!St~cVGRh%gBcK8Xtl@7S^|q#_{6}f!
zE#7R@3frqz5i^n+WejcmkpqdYD5irSFpBJr<<lwsQT+LqKc;(sd9IRGN8PqDl7Fvp
zq)9K9JIOf~QL+D=a$3LQ4Kn}-Oqd=4Ez24lHXIN$nebv}oN4WIgfKbu4aKZNOww)#
z#+0XY?6<A!`T7xxi&w9$c4wB`rTzWTR%&<Vo2XlgP%iO?eBS!L7J#x=>*fkVT)`5#
z9fVAgEU>{!e-aDrT>f`E0)n3HH|m#;KT8+uUdXd(2jSx$qa;C7#QW`5wemCWoWDeZ
zA>8%_35(p4nhp#^D|IE{QM`k1t~V1G<J$Z9#$3=x4*`yw_Ktb<?1PVXr8#aE-w~^j
z{fca@NWq6P;~m?VgzQ^CmSDC?f1`pyaP(4xj`hxDsV~ToqVECTFh|U;wb+;`lrPKV
zExCWAg0}%G*a5o}_FFR?gjB-k?Ih5lBSr@lm^w+lc+yHr)Y9}!;a^4=6xvjuw}o8g
z4T|cX?q4@iCls%Lia|DZKwZQj&{^T`Pc_SSq=OHYxa054dx=Rjqv-_kv|Te^R&1vY
z3A@KXt=Q=K)KNu$2T8$4q6rO&>6;@<KE_UQ;Y?1?Ia#jRcMp(X&_=;;pz5Y121LZ_
z$^-KTU1kcz$5db>#U=}P0t%4AW`PsXE1yQM7K;+O?*oMpb<ob)hcQ<lBy5@wsZt%G
z7yZ<-0PuBedL<?j54`9vCu*CgjnO@BpB*YC{N1yfn>_(uKt{!ynxTy!S95Kt^0RU)
zZ~E0KJPS9OK-bOl4E003X2}UGa7Tc1p9WYvcWr&Bx%DG46pjzu_u;qwq@5n?20jyr
zuRBK^=&>$i&@>#tJtXA(_|A(I1*LAL(oBL{1}9rJSNS<QaZIspmg5G`u)>nK;C=uQ
zAzsyiXB4#EQ1ti8=)`6jq@>H(gI;htzvH@}+1X&KINa`6+YG|!BAIl!1FL{c9vn89
zzw;m6?F4E%<Bm`QqyBk_%XN_+#Q-}tjqEcfohpZtZ$v8}$``}FFDw`|IM}PWC4=uv
z>WyO4+h-pL7Vq0@pp>2sNZ9~CGrG)VfK<tT>->M9e%0ZqU-iV5AllP3xZN+IWQ$O4
z(k<#=yPtv-xHEN1poE^Bm$9vi(N0XVnf5f!Ip;6?5DDux6P1oZD5ulrti+CkmqI^9
z{(WrNkHy=qxBLI8pF>Y2Oco`OV4&$EkDB1uTMGyNZv7}`%J$qzzAvK-C;mo>HADz+
zNfL2ee=^jpn~bmvQ7lWQ@w$Bun&vQ8j-PK?-0ACVmuTji>;rjayZdyipPGJ>Q^v^*
zFLj1;$FNq`ZRQwGexGq#ed>O+{h3CcS<kY!PcK25xAU^fX6h-OGOzwd|B+<a=|``W
zi@*X>u2;NcxoRV+!DZR4RDd^GZaV2qm2qh#bMaV1eqh{(<ZWy`I=a|BvU{4ZmcWa5
z&^Iubcj9Fra@wDKqsN;5_uBBEvmdzJLLTqkhwOs-AUySHFjnn@t)JgjesO@wqA?Vp
zmo3{3x->q>H~JqXqCcWt0zk2fWkw;mW6v0_Q}W`i$979tlF-x~=D=$_ChbRCZ4qQC
zlj3^saf&`lp72Gcq@-AOA~eQxk)(+4qS<#%0aKPDz}vlc-}hemW$H5<`LJ^UFutx#
z`VFzx3r$RY@C0REPAgg9>T5sX@Pqx{AAHgavZ(cY1zCoK^T6JWc1I{f`?Gvksiz*u
zv0#jfhBRVz+7)~Rwm#~whQ4N>+Nhe3Tpxo;QS{MVVFg2*fbB9x6j9a0Vo4Jn_TbO(
zVx{0s;e&|XHZJE0u625`$@q~TK=OsVA>Fgf6A?mojpb9s(8&Zd#<v#O+FSrCR33D%
zxD+_FyIG`zI&BDI@>S&m43>k#FT5U(73%f8?4LFM`t@6d!<3yC8CWLZm^IjD;Ptul
zw832i-kc9Cttp2eO88bNe4Em;!icn-mhY9JCU9nd&X(`FL|N%in?Pw;8B~uUxtC6A
z{eX<^eU^Lzg*(Wo`p`tc$*L<87(pD>(vc-cs1$Ip7FK00ulsU&vETGDGBEgQ9a|ZO
zov>&>bG3uA^9&KjJH1^<ImpzsNi+_&sL&i5WSvI47xtnx{D~|N88o%&-$DXz3AH9A
zDnc<n05_GAZF7nHc5SoXw`njw9Ial6v3sm8X2>OZwYgl`LB~jue70HQzOZOGnS?*{
z<o8{pchPvt*dH19wF5%A=Mi%?$OBtCeXDkV1~`#M)<!6RJ2r*|&P@O~-fp-yvL}Y6
zXDba-`{W~~M5t$8iTAY^^8NcC5{$YdQ-Q4_Ur)0Cyp|-Jn9oiT<PL;->JD-hgFWXx
zl$IxB3mAllK`8Y0o5a|fTNL`Tf(#F_Zxk_LIN#<0dUx#?_Bc#bp+Jgm+Lv=?)4A3)
zCS@m^i`ALQl6R&YLYb>~#}yL^)`I=xFn>j+4>>cf=4H^u?5&ph!{}>I-vA~Nsq8Bv
zp5tO2UQ|zIrVyN=q}r=kW6SzY3^#7Av>MJDQF(JsMiSe&&-O0bT69;2rE`bp3S(K~
zq|q2Q6I1RLTR*Mpu78qET|xRf+w_lBUwt$PQ6?Cr$;9k5RiYQl#6ggNW(cZG9adC&
zd;e8wejLs@u*eJTO9nYvMxSOtj829Vi2zZmjJv~m==|2~kn3Zmx=V0!7NoPU5uG=t
z(2t^zdTbTXNvXQvdS<xpK=qnzCqkNH9)#}an)PsdJd8UL#HBaA-2K#g&4i2Y!e^Nm
z5rO`Xc`u7ednC103Yhn<E}<~hikuB`9czmttSUEuk<w=)0LI2Pb5P*{X?yNgZ_AM`
z0FQ@;CW2Xl%w~Id>z*A%v5c`s<@+YVrwy9xBaSG~^w4RmpT|23*~y+~Ls{2W(T*Ub
zGtw$a9I{>~e@f1vQJA_d<leKS6?}&e$Lz`1g$lbv!aCZHiEJn|Qm{6{(&lR5*E-#=
zsk!*4KS2AdKj3Ov!yG#lf(L;;bXZ`S%$j?xQBq|*=XO>w1GRg&Q(+@TtUQ;fSt8{9
zmJIdGI7f-(-<>V=TiSmqUO|-^f4?MKAe{RPR-j7XqvS%^0tj%|O|^&iV_x?aeTt$L
zD2MVgz=%ZxHLI<Y7WKldN+$%-3^o#huu=>J^M4v+Ts3@|!Uq$!PR9!L=}Va4;tvjY
zjYA9|mW~nHiAzz+WqZ?)&<cXn1}iNlo@V%N!nLaV+olZSLHJfVw&XYVS$LnB9^Pjj
zTRZSz{|JZaV#8s&>(7A$veuRrz;p{CGE5->$a^hV5D5U&Mcwx9v{4yBx;K_3<K@+s
zF#03=b_F=4$9U?pWhgPbH7f@_+)^q5PQ2|Gu~vl-G?8FMv#42O23r;8q}F-^+EY2z
zC)q&Ni9y2a5_IN$Sn1IfqagVB{G|0b=XEe7l3tB|it+I(`xdTEB^vQTm}RSeo$$pE
zA$qm4JDKM@x8{ZnJJ)PrZ$f5rM$<R4N3-M@q(AYN7Q7Ojm_0=?JwP{9!-kM8=~P?F
zYnAiAFAKfPjSRw7Qh_Dm`@N{{UN*LVFr)95JL-yI*~vGL>E#nN`Pkwg%CF}U`OWM0
zU4B1PwL|sVD2$!GWrhliV^X)H3j!h6i#7~K)nauuz|(d51VVcN7K%~)+P0poBRt)}
zE8(>RKsBQ_Qg6QAJItj0rm)%@XD{Yg8GjKI;IgWM3XWSKSuIl~A>$5a-n;gwu{`yU
zi`IM>-$g0T;O(k!Nr>^@R@%k!L}02IAew+!u0g}Crc_d(l8t9H5Fce7%=-A;@7Y%M
z0<8eC(b0j3u3ykX1hF{40&`4PTFytBhkPiX@*_dJW&d-Pjqq|wQ~XQ!JIQMi{13%8
zlIaoKj$Hw#bw%3gRkja~l(j(QA;0sL;MR0yAa`&z)CLSdH?NH#yx)Bo9Ev~(+C`Q)
zex=xICK&keDm**ofe&xXI>l3LZ6vU0Mnm7#A3loJVmDFmGb-u{58sfXH3@t^J-Iu+
z@owNet4}8gF#>|mv{W7?<jid~Jo#30_|fy6SM7U|l(iN)W+cZXj;!z*O{aA~r5m0O
z!y>c$z~*SFP!zpV%l&H4MTi89<OliT=B2+NF-pBa<H*}?ko4;jQ{%FRrB<vq@KFBL
z&ZgTP%{zkEbLBx_Li2~oaK5o3HDB|w9C<|lm=M`Gk1##{ZP0!*dVq|0W5o|X^+9}{
z-@gB_e3Dsk1neY@Q*k4}x{>)JV&i1TzyMYd*jfX(05j{>JRznZ=fh>z)%5Z<iEvth
zQ)Xa^FJhDq*Yk_9Larw{$U=5ib2P`u!7UugVjv9TaWQTCYd+gh9{`yid3$?1J_dx`
z)BV!_5OO=S6~ql(<Z1sV<gVf;A>N0jedZ4TQ<5)E-tF%)@7rB(Vz+Z8&iBoumJ&~`
zG^W<|R<-Hs*%N$GeKO#<qXv#U`PoeQ{Q>C&_j=qfk6;F=NHax4euWyr=lN}vO;=;=
z{||d-9aZ(Vw|hkt5NQELS^=fII~7E_OS-#T6a+*{kp<G--LMErrAxZIYteb<(tXa^
z>UqySW8C}aJBEL3+{?vU^EdN5pU?Bi!5ZCoXP(qhCzQabJ(up%D{s#8&aC$<S}xQv
z@{PeO*KgU;(U`vJU%Adx5I`4lN8iikM=(%WayyNWlw;4u-Hkt)BCKvR!5J04F&npC
zfqwFSDR0~{)$__Pgppb-=@Vv~=XZexqyuN}dWnsycCMmh^9_s?O+>yWuzr+gO!3up
zWDAMZrE$UVqMSR5Kh1Qeg(KlEQY$%PVv7wm$H!@)?Ixo0ceiN)6_@A10jB?7)SVZ{
z`*S?H@FeZLN(ZlPkumCK@o?#BjI+qK;S#Ujud^6uhgb4$;z7B5+Bi`5&MZ)<y9@Me
z_DYqDtKQE)2+J&s!$n004l%VX!2~QrLZbMQaOUpJ2vf;B=d%=G?o7V+K1E@4MSFkh
z#aSztUiv03Q`O(&8Xj^nCVg`A>*ykVak;tXKm&!z^<H`sVnx*ihS{#ou43!nR2?dA
z);>dtwu7{fB~6bkEnL<ena<C`->PylyX5j#+X{f54%^+FVCZz(h%g^EUzy2M8g(m>
zGG3cHz^S@FWUM$Zj<z!XMJI<|KHzFR^+{{FQj*-83N3yHHOy~hT}u77^}SpSZ1fAi
zlqV8{8bCQD?OqQpr9!#=JIK?MmNrm)>&OO~XEgy+BdCP_1!xRK5?o%<U1~eSg}NfU
z{nEEnXo8MFZN%6@BE4bWe6qSsN}&d(_Xflvr9PAhsT@JiArB4^l>;WjlH}UiZdlJy
zc0E4SM$Oj;aLq^k^80@*Xoo-zXPl6vqG}@%kU>cpNy<=#yr|yH!DPvAufuLh-PlRb
z?JzF(Y8dcF>Z0M-WP*2F-((CLoC|Ri-Xp+!ePmmyhJL`E`^@TdDOW(9>OJgqp@Vs-
z&5!|Wwkt6;x!v;q%r|>(uz!xLJdN7o^Ae9%piG6{|0vsC8u(ac+7ifK0@?&=$cV?+
z_S)psi?6CnMj0zm4J0K+ViuA)?EU$l&li5Km$__8!U%fjcDN!AqHl5B3+*pwW5+#C
zcm12S2anN4D7!Rj&SiTnZ+VR-tPP{>R=4Pq*ApGqz5%!$t49q#+RAX7?j3G+xBWHv
zC8blxUH9E+7W>a08c{qT-I?tgI+fk3JZaorYjk_oaHuQnD`p+gSdszU4towH-?9WJ
z90z@R2H`e(pbe&qS#OQYWZfo-%2<K2gceDUknDGi)fNL>2df-{Zbb8*T*by8<3GlZ
z@36Z^oT>U+($PZm)hM)_axKQQ^ciHP?-0@RNpO$r&T7`M=lw+Ps)EO+N}Ng1&a8YX
zNQ~Oz$)>$4N+{+t)#1pU-;Vtri9(AyZ{AyK*q!_R3bov2X_dVj6d#<$TewS`{M#0e
zmi1OgKX!ymZ`6j17{q)8wZ!zebsB2U9NW>Z+Rf@6o$}XiN1OPjw9^<QW)tI`aSjvC
zorjehs~3%<AsOQvt4>p|{pctCF^GiG)`mYGOy9W(G3t(=?>GAEk|ZVGTXcbOBgOmt
zTc*Ozx~s#jQIXqaNOuTDL0KtFYtFtL7kI#oj|~0j?)onu|5IcS|BqKjaJp{od(OY;
zy7Tk%REVcn2)zD0&lP#H^J5<8qB<mOo7&dKkI&$+7$N2Rn#E4rpidTW53=U&ZH^Q*
ziIuj+?{Y5C1YN2YX2=86j!aOXFdLw#U}0cyCEn(Ip7%*M{D=y#k1N8MpM-=Y-%S@q
z7>fUv80i;j9?<{#Kt2mbpzLa!Q5V_lgriBD`%%&g#VctXzQQL$;LXvOkkIPgd`Z1`
z@M2zebl_34mQEyVx!jHw0-M<|WcGyf`A)K*eTro<1~D(D?lXqov<5-RC&W;r&M+U<
z_bnJEO;WVY2B9vr$xkC`?-x-O!Wz4!v6dD<?ppJ#0B0)c_#FlyD4b&2*q9IdL|Fbw
zgeqM!THaUpn_wLXumzr3@BmxRM{|BbkjJieB<=LgL0Eyu6Wp)-gI&D{iJ7&bm4LBR
z8j;43uK7-vzGrKWjTg*UTSxo6C6n5^o?h>+MbH;$=9yoM>_qn5`s~K2{auH}cjttQ
zVMiOm4~w6qPcxA7V3htU8wEpsy32m~EiZ#!xEcT)n^>EAOh$O7fZp#(noHyt@PkGi
zRiF;`9AoJ@gDb!Si$%<&t|wBJSB3Jx<l7i~LR*}9>G5#jSIca!vsKu0xL$Nes3fSj
ze%(aFr=y)cxDC@Hmx>&>JRGPi-1!02DFL7kn+*=sX&ZQLPARN09U<m%yA0eD|A@V6
zs#gPTWxqWoHPbu$aIjSDDFEt7k2;!dr~V1lHRvN$>bSf|C;CO&G?PYIXtyX?O|ES=
z3k;*lsI{TTQhX$AF4l4QzAkHb9{w2+Xamo<-|F3)E9drgxg82;>h58qmm5T;YCmjn
z-`^*3vtE;XQa)c;vigyV6urfL^HPD^k&X5J8@*kT9F;7`=sRXORS@i#a$-7IOG<vo
zo0BCxjvKvGQpQ21KkF1OlGlz<Wxgem{Br(;LJ>z;_JKL0n9pBaU9wmZ^27Vh`}f@e
zRp$(+>V92Nel+eDTnR;_u05fgf!Pzp)K^?@E!*}@f}E|TQSD>+m9gIw+jAB2@5I4+
z{66c$EhpQ1@pmT-yFQ44Oj?kBZJWstGHG+K5>Nv~-jn|Pe9bRFTQ+yYLe&0V)NQtc
z>nRtuw`IUt4Wh?`UUIrI$}-nmNZk^M<4>)e`;^OWK~{;0|7gfn3=!1l1CVtEe))z!
zW(8az>dnn;ZsbPZC3o(>s<TO$A}AARZ2hh+B{t30B|X~z=v^Tl0hAZ<ui6_!=k?(n
z4gb20VU^qajTXK{KNmG^8PJFY0xeO$0zs9SoOTPyn-f(7Y1&GulAqpzsJXrVTIgyX
zOn#Xnmrxj5_%-oQz>bs`oTmIFsPHyHjOreh`*L(msZ9?XxBCSX;0_{)d0k)J7Y!K8
z&BB&nQVh&|ku=ymwWBAsb|L1yr&F!j;Q*oAP0{4CH!H$b5{FBs;i@ih=6xs}@F>;8
z6$aPRiCt2EqE;i%Mqe*;(jPzF9m5F>G^Kd8E=<#nZ`3(?cC-5ol}Cw_@s~C;A!~@=
z2Dbh(AO$6HxhFy4{CKye<MX#CAPa6`eO*dT)WHwJ<hl+e=f($&ohb6zF9YBQ7L*Hz
z8O12@hJa)VRi--q$<f+)LL~jb!)BOHY1rOEcbcgIBa9id;nekhH+Jj2NkkhhQI6dx
zTi)2CC|hF2Uu%5e?D-NjmhP`G;19^kMHpP{$z;0fk^sbNCslkPf>^){E`>MeQr}zP
zzf1LkkgojY!XoLb1DIVb)q7?)l$q)P?J1^36V7d>#pf>x|JbmQ5fA;!Z~f>*@LXfq
z`<USafW@u9ctZJyP0cUwGjsjAOEc^mLG>@|(~q|WIf$x=@RV#-<X`^DpYztWP#4u3
zf4(Ljj@+?WX%B+{p8}q=D9m4;-tWKg6%yhMR?iKS6@=fpMbaPdPX@kMlO$;2|M<tH
zxryM<7wo*h2JUxSyVl(RHszRc7w6Y{+wX6=^9ug*YiL@(-=<sx9}&Zx6duW|it^_d
z{`GJE$3~Ih?WuItVgUVMD?(5B*MIc;cPGYtCBci4n1uRg+wsonqWOXu4uj^`%k6*v
zp?`zmz>f_q2s;7G_c;pIK}zs&oc!}YIK*Gxso@6v<=0sqesP5U@i@Ro%=N*9cYKQ9
zpX%=&6#k+Ae2t6vHR4^~`6b8NA3BY9D8Co2e|;MlLHNsGy`}%N?REnE*)ZWlEf?|k
zr}|sBfPd(J)0ujZ8y?0RPeAj*BB<>w$wc;_-v$Hza-`ngo4+W^el#5MZs9FqWYIFr
z?VV2&r2;$QysCZA1G5C*HVghqoBcYdm_k4gW7>*%Dfs(0+>r+z0t%U96}uo!0o8K^
zsP)jzzVv}3LQ1(O5Dc`;B~+pK8@LvKw(;Np25JHxR_zMQtNFjLV(?cqbil)PAuy;Z
zNtqRywkiVevX4j@zVO1Rz*T?$#qetD8{>#4h6ve8jA$)^^UrCVtf#>R4ZFpNC<=CS
z28ba7wy)3hIWRkaE+nLqC^L09X)d~izc-K`D_HIH_E*2m{L;-p$0Th9XfH!+{O1*-
zC=ibuo)c>FRb2(crR#P^GQX0?>RN3EtBWP6rNC8#?&~70u%qQE^Zm<G{aYWE_}<AD
z0Y`QA+oBh@?xYIfGlV}rJv@!&F11F5M?Y!{zijK)Ds`Urf{dm<4Ubi4HJ7xVZ*?3s
zR!Zs!`D8g*tBDvd;Qay#oiMeb1F|{>n2_yDPsvzLCb(R@9pcU+Z{Du4#ZyVIonMw?
zURtyZEzm4`+a1eiPPzbLhfB?~)+bkd5s+P;3buK+HHj!#K&SW&{k;BqkTdYGs);1O
z^4}lqHH3HInZFaI?b-Yh$e0HL8D}H(;em{>gTQS;PSPDRL|01k6qSUG*^V9%6Ueia
z;U?Bk0BE|}voCF>iv@YuEj0j92+dDGKt*m=hi^&l3V3<Ua={jz<Gu;N9YUBp?W>Fy
z<=a1S*+-pyM~8<pE-*0oEYhg-$;?ys11~mOs=f+mnYG^h;6;A>G>!>py(Y(5=>-3!
z1LF+B2i-L+2~s{j`^sI_-QP>iMzMi6c8(MuwV)u?b*&>Jnbx}x3Y=v)lQ908uKrr}
z{`vFYIw6=sZ+v)_Aq-7XAsMJxzhQdu?JLSotgS!Q*9XIodD31GaxpyZcG4-|OzP<F
z!!W16*A&11!Yf<nt}yS7fXDkk)@cp;oPP*ZJ8R@_`KXG#yt=$*_I-<}9m2st7t7H>
z!+TM<TqF&yO+He6+2j2?b|#hDT|mzh&V7%d<tajq({|D!QH?K8xtrs9Z@}#I+wr%~
zZXKR&F$JjB=e+N2bj6E(I1-#`5aCDz{kFF#2<b?T;jq3hP1?*Nn}{if=rHBXOQdH}
zGsU;)`_Jc14}abiZx8=`-f*Q)?u};+T4eEB*W+27{tFiE#wEXC&;>*uUV8+lsu67F
z3%*=N4<5gH#eo^cu8#*lFax{t;PuDSp9iNH>HOibgqL#BAHit?>7kwogvhvNB%})Q
zbA_1{2>tnR!=u7p0%ZGffjglOTT?X>LPC($tx0!9s4CW6*e5Is>)LIX0Y|I{{1^|_
zGr}jgrI-1VxfuSsQ11d7rU1Odaf(D(9f&i__O_^=`X2ia3R+MRe#uOo*+}{O(&Zum
z+5~z<C}H+C9CvQgZ9kS@!=qat!(|q2Nw8PMjOFakq|0%qN%`uV^9U+SVf}Fp)X;=W
zkq04D$>XoBmm*Ly8*`qBeSKyfN4EsZj4%BgKp>du@zKMyKs0k@5Y~8qBPuA|)A8a}
zZpVxFzP>_Ln2i3*G(gA%;z?T4(5RtOi3H#~Ip&Ry?7IT$KVRtv4;EHH)=}JuL#>2E
zNFm8zv(*Ot1cA=C|2rn@GXhUXA93FzG9vyLuO>ci<fkB)KwY;0$k0stio%mlPl7tK
zfI}pHht=xR`5Z-Bdu)iC7Vg!hl*3`GJ}ASJw1=}ZwS=z6pKhLBWZZQ)Lot+&3y`M_
z%rI9i-`oim&X7q+di3mL7znJ`Z>K33DPNVorN>M{JPv{<R)#jmBWR4#0j?&O+B;qE
zozM-;Kv3q|GAu@m<r{ssP*t~4Lgj|@buwmVG8Wcj!sQ>y(1%_ue8Z`B-sT53?3D8Q
zeTG!>NI?cE!0@I&P0A;NTZvi{LZ8<*t4RVjs6IkM3-j|LtNmlBB%7<;@6l%iGuCDC
zNwfq=*Nao;Pm9&F<L%0e7oWv(XyNmEAG)ZNiCYG~uAMztIgF-Kh1P|Jtk2Ch`NQJ}
zK@R2h7TjqjX5(+qpJ7uu#l%gXi8*)>SMy~ta=W<IuAiRw*-p8daq}-b<|Q!74g_J(
zjcWDicD22z&F^v5a&pKu){1o;3Cubo(i*ObEAy}WIjZC&NI5y9tb&ZiW90*l33prU
zNv)s4gAgBZSjoOdMDbm|VkH)+==+B7?=y_`FyKp3PZhdzI=C;2tGtY&z9J;xFLM}5
zWi8fLZjWpA{L&*Jd~MnL7|*kQ_jX+EL9?#KGo0o$q%S>&aR8Q~o7J+ONggO&-{5mQ
zPUzYYX62ZlL>QdjW~Jk?d9x*e&V@%(D3-O)TKbHB@7dk*%&o>QD%O!JkTGpHkW^5x
zW5AK9{i525Au8PhCHW;h2aw5Cn1Ip(&-pgn1Djd?U`@yP5MZ~Rowq@Hxh_wJ<Ec(}
z-kSsDn9-n`oFoxSg0icGU^bqPtCXXz_BL0u!YhTD0tUa~(BiJuKfyF_&E+b63X%Zn
ziJh_{lzDeR(UvM(?t)H@?bN@h)M(SqmG(QOZE`bfq7Di5k&&8G8e6@`$?b!c?<xWD
z2t*sFkEFzLyiS=KdrPa2qcFM!l3}4W{~u|#l`n6Q#2-v?Y>bmdfaJ-P7r3gdNAoiC
zrcJHV4zMLUB{~@4Xo*5b$Yx6=foeR+0`&Hct!N0Pykh#^a?9U}R=E^;bDV^<t<+}9
zf_g{Y3+R}K4coqCb_F*ykP@&s5n4``cNtoF<gr>#1OQ105)q$MEae4vIB;Mza0OQU
zKCE7i45jWp+SN9@$$f867C<t%SsxVTdx1uq{7$w#QSmVo?MmoByZ~lLON@ccQ1eu%
zGiU(2{zRVD^p51+Ib`S0&qR@pyW<oTb47SOV%svx!9--y7V@J2NyF}BZ(T#5uURVz
zE^o;WQqZOcICq!r!0iwB%)191^tEb-Xl}I)=I94zO<SH4qq7s;7mXHF)a~)w_@GNi
z9svtqmA<5=q$6gwR^BRmx%#@=tc?eTik}Sg=e?5VVZC-X#ERlA2Ug24s@x|oZd0T2
zAz<*V`?obsM<3U$19RDx9dGlZ!b*R9w+lzNvrV^BWe?-v{N7ThAsEQ!%X07GZ*|tX
zyu4U%-bJ52xdn=vprjr-P3O9Ge&Id?xmXEiPIDb#UOkN+23G}c<xQh^p7|5i9K~gF
zZ!fuyRZVp{$^I-a7RtOz*xtbD2?Idl6KxwP)zu4`aPpgr-ElD>VM7L(2q*E()u2&%
z1(pL>^ZhaN5buJ*6*x60pW51!1e~fDTvG^$>KoKR#xEd-);nH<8)NKg3a55sl!<tq
zF$-X=w?>_CkP8yrFZt4_Pqxzu*vwSN6fA*c+*0dqkE)9Y?a&ouI+C3NZ{gDug|~K#
z?S|RGQ^0?_uj7Hluhl-V*SCg4;uW#aVqgL9F|DW5{1vU+Q6LXL^@P9YFNg?Njl!3^
z?RCh|HR1h6+_L&P;nGm-6n)r-YL%~o%hpH={#C{c^fkiJ)p7cPWqX;=7!NycGE<~A
z`6TI4*}uUSW~_i}V0H8sviQ~#;~jQh<h9dDWn>iP!MHb09hPiA*Q{rY#EoTYJw}t>
z+&G?*-c)dHqNH0H*_}6IX@veIqtY7tZaw1rBA$CwUZ+MGjeu{C=LzLw)zZ`sul$#`
z)60`J>RTlmRjb}Ht8YT{YVS+Ooj>?QZ^%dKs0nU_YvEC6_!srbuj(-}sr`A)BWd@6
zdJE}`3K>~{42Sz$i#7pa<y`s6Bn<2Q)$ecK;n6=Qao*hO9iAvO4z(Jr(nqq#?b2D1
zm=3<TNje6ykf(2j>JA3XHqYC?I8SkDqu=)9qFO#|@<&g)b+FE*5`<Llwo!SnT#iWt
znE=U~hqfQ@^l<AL(O8+SNe@N^6^iYG37Kf{W7~V3a6QjNl^r+h_abz)1-Swt9B%im
z*f*Oy?5dSjCbPWw1)ki)N$C8#T|&bcU*pG$+&xzp2=N}utkteo%fjHwU*T8+@;U{_
z*+p7;?IMS8L!6o;BE!M03*phg?1_Q(Wb;t%Qn#)#WPi53GhM|BC%O(Nr)_+00Sr2%
z6`{1P^~tSe8C8Xy1?c*D>~N8ni`Dtw^`L=R9YI;xk~vgzQIgegja97-?0r|CsBR8N
zk8AaKTTY5=O<jG}eaey{odih!cJ4zbg;d|1!h>4+xGeW!8N$;nG@=BUg%pH{XnmC4
zxJ4ZDW4v%~n}tvxEx4(8{<UpdA#0dUQT->NCouy#>txWg;|to6grMV2==_BA(yM)=
zO9DVps}ud%1-Ll4Cc9~4RRKhW+#sq9C`Q=Khf?2@H@>y+XJf!40jl=CosDG=LYR}&
z?nOQr0882bjdtSSGkPuGum*@`9k-6+hE2|g%=Z`6R$^jyMVrc726{6V`xRQR8preb
zY*k_~txX#o*H{-b$6qdas)kW7ORe@=uYcniw23W4?np{%X+`?PGBEQt1R;*>(s(t)
zF=?u-bCUcaJnV1Wc_U1Z)?NpM{aFu*`r1B~20$X&C7F2IiM^4m&@5eZEbt)}jj1>n
z69`T)QG|s?ee^yX-6<`zzVbRvHOH8jkU4y;m}h2~y*s24j;>;MFVw)t+vD86NC56|
zeh9y1&r_{Zk9_#Bd7#A~<LhkY+Mu;bXTrMbOsh3h0*~|57b$}6`DO&3!`r|;B=g$G
zTJ|ErHzLJFRO~O#^_i|Rb3rmR?qi9Njs0OA4K$yHN|LsxQ`x~Ks=l@SWv1VST~Ioy
zYxi#=o=d0rx;*FWHQbgtZ_2l?RKE;AJqy=QRXc<ZtB<^7kl%3J9NEQTHR}v*UKdGA
zn!b}Pjy9znBMx*3y1hoaqkFi6B{Bj{w*@Bhbt>2md*XvfYC4waG_*u56THsJJomr2
zi<8hti4gCx7r5h*@15vc^CI1R0CW6ECgL`mWOW_rt(&?G`-{*|@=p4#l@%!;#xbaK
z4(ncIg;WoL(PZ|#yDFa~jIStV{j|SjG&=Zypz}%rUCn>iEO(qdHd?z~NCcQ^w)D)e
zd{y)=g#Y01MCN*$I3ywDhr)-V69pF#`i!)W$PQ0hMC}?oE{YeiPpx9EO5E#vFI-KC
zW8#YQ*R_V1L%(bCa&2=9EIa0s*nd@vf2cFC(ZwFU6X~(=Rjy-OU+zhBNlm<(YPClT
zwK{{B?-E<H=_$!axVEOa^Q!3h;5aZ0@~&0pTx_U*pf2t_-jwyUAaUJZ8$zV@W3)Yk
zk2a#oWv#BBSa-YHn6s2SKMHLx6B_mwJA#+hEP#B{WiR@UfVFOcQ}+{)w*iO*N-W2u
zM2nn5Bt*nsuifV%IO8u1oa^f9=Bh;Osy$AaiSQX#sFQR+cuyMIcL*#okrbrvormHa
z!4uGEVcr{-+YLT9_9!M$@#*hP9jaGYS>E4MZi61HeNXVdd=mOi|E29qV4V5beyOv+
z<_g66q~Z%5y5-9QkHa*4p)w*Z5OdZiM$q<0#cdndBgH$%$%Gou=VLM?o~=9R__|$~
zb|`(uu^E`HgbVWW7g?VAOiogfS*CB-3iWUjZ+bt`g{rK~a}3Bq`d1%|C0AyvFLC?1
zgvMWr3{+^R?>?ZH58Ej<ezAdDAl34`bbEqNug7(1fi~8ibZK{~kdK~S9r8`^yN-->
zPs@bYq(h)ne3dc#!;XaEPI01k!@Fc=IGh`()i}@VEkFq2_N@WKUF(j(Fxk5kkC}ye
z4RggePg^lU2_+ACX3O3;$!G4bZ+|rD44q#v0u_t?8uEo)rLlT}SJfUnMPyUVLHWl>
zhf_NHkV)0TgMrYLKoL<<W4Ni0qubF9*RMdiIymA0&khWVJeGoI2kw8rwrew>LiGCB
zzxD6vUwDekYO%OCy-fmBN?peJ$sWOhe@kflm$~bfa#+O56keoiGA>Mt@h|H(rXlJT
z7D-MIxKLX@S6G<m20QaOrxH&R^4;;G6kg0%tI$3it#_{pk`48KOvqzJzDqF2YP4{q
zn3JBPBB158AY^gbHe0vGZeo!O;!_^T7Z6YSnJ`zqS+vFRqC9xRzHNgyS5)!r&?uvS
zcrKR1dTfMZ!d$l3aBVClgG@D7rvTkkU_;}3*VoPbCY(8m<C5hbDR=Xs{Ex}_Q^(m?
z_z~<{>hql0GcinWf>x9_6{_MKGh;#tKDL7m=0-kI+%V*G5K(vg+sO%y0#sxAjkwtZ
zatZ^sptmRdMpUkL(|w-xg)Enar`7ISk9nXWoUA;k<t(W(1=+z+mFdg3_j)9cd(a#w
z7?S5;y-~hhujAJFsQJA+2W*d^>zA<=HD3Ae@L9k#X)rMj<nR>GM$aYEV*{oKAWe{g
zeCIqxJ|IJ%4|eaw?>$g<w~FDD#pj-H*AL&u{YXIr4%t7BaQW~f+$d854$l!0(eflO
zp8e?L`s4(@;m<nj*?)l&<^q&(kK#tkTs=Ysm(xZRvR1;Fm_eH~&=cwfY{b^CKG9Gq
z(565a=m-><E6(hq1{q5+$BU1=0!#igOo-)=Q}5E3`V7bZqsbGXEu@RG#r(beyTc7i
zr>>Jv4lIP@k$3wk(OjR}o%OMNhOTp8KrguYFn>l2s(G{>0PS=NF)oYjda~(bAt+~d
zmPo!rK*k;C1pC)UR`tp3hF(iG#SyH!0mwG(k)&%Sqzjv}Q)&fI)jv-#)%SVL7mW{k
z%n9kopw^ljro_)BNb;&!>EjKiN#iA;dn<^up|DIlUlM;OBzn1VBpT4BEySLyCdAL5
zG*vl5>aIg0mmXV66wc^Vo8Y*ySGRkE(tqrEB<p?0?NN<GhKJDU=Y$+Xvl22@4+$<|
zqL^Qr<PjdroD|OFX{Ke{z1^_1DVp}^IN2Vp2_17n#^S1`Y1YpNdiNram9_UyYo+&D
zJ(?e@5%rxcFjmuzmqIK@Mf!ANghid((@&7TvC%-}@pcc3luqsYu+=Gei|<^XN=Y(I
z^*g=zAzm_Y-wze&v#ytk)QYA7p7s?vdD#Ak7y4rkRY80Pp2wFp;w3=1NHFy%hQm_$
z%`J4sLoWOg8ofL>wD)V@J1+d38)*S#xsfkY!c^j)45~iwY?$tM);!d5!h2s?g6;^j
zB`yU^+GJS@>{Q;q7({9o#<aa%e|>)xOH`G~>8K6|AUr?~l4pNZUC2%BzE|mWaqCx(
zP^8h&?&&@^AbTCYd)D_JxUMkEV$f`8Zp-bS=*PdUS>~e_Smsj`c=Ogn%6^G1OyTzS
zS?EdiVrw5oa|w)3(w|gnco_;@eTGZ&d(gC;I)^{SorQ$JtcZiEHnt9|wt|>{RK{NM
zAuIviZ=?RUJ@8C+VrnNd2Ppzi)`8kU%5uEi(R5z(OENEBI-l3Ms#}i!wv(~gpx@?r
zMMpYtQpO?9LFIA&NPI9-LY#3Mms%Et`e=?73WoT(#E#5s0|uRNY~@E#q4QSk&!9qF
z5~~K{)1d+k*N{a*`C(lfIk@QiZlj;+AAMa9-q&}(IU1We0Z9NSt>_tS#**NozQbYa
z+nHuQD@vA1+Iz)qw&B9E?E3Z;k$~Y+QSQ&Z^a<RLh$>wYvV-rS95j3ao^QR`#7Wv;
zTl4ClzJbKDjZxufpNAm(5V;?+WYjj+Xy-8{y{=xlJ7*hJ`K<m0D@NPnlCbwT5rCu=
z*pm=w>oHht@;Cu@Alnj{)~p`sw01CJWz%!p!!UB<!S!VXhX3rmjah7`HbUOgW&Y0N
zN-^IEM~MKcs!ML4530OTW!!H^$K_*`>9U?;4g2Sc3+&!1+B5j-2;w9hktujjLQPrq
z6j$6{TKjX^FFqpKO}7O;E2%5=Ak%k08yQOvS5KBm0zzci^J40x7Q=MCJj}lrb-61Y
zp}_C9S=?rETYbD|U04!c8wx|H2fbo80~9@;*HPWdO1*we{#E9f-DOwrw#m{4SMfVO
z@j9ilcdiw{#L$80bMPv5eALZ{TloOt?u5-3|F>OMwr!r|g45vqeRK($b&gqreYdu#
z2CMynYSNik(mJfy^*r8cyb8FA!P<B+oO^1vdR%MP+j!&Y9t_KUX3gpvuzy_Q%!S8g
z`%V%}%m=w5VQD|MOL6OJ_{N~C26c6NO0>Chgtllp9l3EFiQWHE5N#m#0RgPNCs)u>
z4G?oUq^8ILBJHZaF_aA!=;&<Pef=xukZ#&JRsrNwz3(km%2CE;xM}2QB@8fy4;QWy
zu%#|KKWkniVje0Qp@b0EU6y<CC7&hmc8h8J$IxhiHXM)EZqBvbdYV5sT}~N;OgkdU
zPxp_mX$J3_2dly73jkT{lsI#2V<RY~lvS2Ci+p3YD5X0^WW@zkDgvlj+WKUz3ag;r
zrl_|=U-rzegfgWp!T+5de~e@7(gxIQgCTCfKhg;ecP)!3)K{WmqqZVT8l?3AM+Zlf
zW}D%#DBh^C1A>0F-BwcrUzdsarn=h6%KP|+de&w%=lBYH3n5d7gO@8`CvinHnV!fP
z#P8{D(`@+p4a7zdWIml0ZZDPMx7){HHEma{@O1$RcBJS`c%ufFWZcD`iZx=W%kp(l
z*YD|fHHwi$4}I@x>si0H1baal{?k{nO@1~4=+`rvUbyH7Y}9?Qj^GeY_1>O*GL0Q-
zq4Patnw~+K`jG=;kLS@LotaA1iEzCbGa)gD4Z3}Yqth_ixa>2?PBZO2TVo>en<Q);
zpVm*Wk81J!unCai%DLp;gQHDUJg<>yy0@mBljpp2+30H=x3uv+prC4IHk2KVg~yl7
z<O{&;A9LWnJ`eJm>Fxt!+ysFo+Zy{RNAK=&ErE@sw5NfX7z6j2Q!|3iRiZPN<S!47
zp0O^q*%tFt`?*vPm7ohnf;!Z#^p243gWRAJdY+}5#>;gn^U#<!J^C7ZuqjXa=casr
zbzpIt0tNd~A|PP>OvCsPdt$j1wlHW?b4T4ZquxH}Id<{TTuv44-h;)mTaIyVM~?G2
zZ6u~hgtpsFRy%4T+Ho%#9wL}<1=vuJniB^hr|<xQ$7HiD?;jlr9o~`JTub>-CxxL(
zZCkP#C&r5)Cy_=Fs9J`;rn<|-4?uG0`_AjFzb)ldFQmP`uO-4M+8S9EY;Q7Vs&!j7
z?{!i<D}uE^QnHReUGsxE??^9o=RU@0K56o?1H)(f8n~~0sT#<2{Cy*5sv$}NAdJp(
zaPcB^u+*SCiHl2gIY@HrHu)gu=IzADJk@7>?%rfw(mxqVxoD?vpN=q`K_2VFS93R%
z|A9#^lBD1?J9~az<1O?>!TH+z5O`25W2Ya0yBk*TBogTau8zX>2_4H4q&nbEmMQHI
zoL-PptgOyyc(36-)|^;zw7IgHlcn0CwC6O=39C~+j67yY;lB`W94>yjJC8B#Y+~g6
zb9!>2z883#f9b?l4OCpV#`-)xcQttzJ3Sp!;lv~jyz318+I2RnlC|GZ%J=rP83{Q9
zP3J!th*h8Yy-yvbRu|%@rXIju7eKNTI?ETr!^>o$QWC}XwGu7Mp{_5sVx8j>VBAAJ
zW$VLPdY{(pxUoFj=ERo@Gr>7<UVl}!$LXe8HMk=f)upc<E<x|E?#3UN`_}E*w&kj#
zU)VlbHI;Xog8p;DVnH}3GP^uKDYmb6Sj~J9$E`~MY9yGOQ?(jf1@dXP!G^Fa2|xqp
zfX|dF4ypZ8w9Hu^&7?0LT~fh0Rd25HwWJfYuzW`(9g)S(TdoBQ7yZ4XBYcL*iHP`R
z@b9SX4WAD~JMDkuEe3$R#bs{ro@pDSB@%<0XI{v=rT->xF#s2cS%PpgxaOYKnUDeh
zT1tx=ah!6nXSMAJyy-&QJP-~%^6)mQ#7U$DmKY<_v``gRW4{rtd8yj_yrt(c9;|&Y
z427Ge^2AMlwEs%oD9Y<{+_3WsW_VRMSZ#=^@71Sfqk@^#YNT?_apTz5Y~+zacklzY
zL~A7PyyrX%gm!t#wYNSfi3(tkpCnBYT3N2@3AED*e{+KeE=oZVTADh;km@#`EVKs4
zIGlA8%`raVu%5(DddB`tE`qytDsEh}ad53TB}A9XdOQi|XW(L$LlF~)vt_np)BlaY
zT+T8UFDWu*G3qPa7XO<4PX-elXqKAZ^nQU8`v01${zfc?6AAg^>N{`q!1+1?$RxLO
z0V)j22|YY6(tj+MEK1+R>AH9KyY-;rkpDmCtQF?_zwFyU#Q_>}FrP1&JN?S1)ftj`
zcWza^$4F>syZ(8iopmHz0=F8w`x671_H%N7uAf!zWw)UgH3$)l^S?i~^q@>&_sB-l
zs*$7lE_;Tw*rMXmhV^Jw7L`!d@XSSb0=Z&p9PoU_anF<rZ)EF77VzJL!9H%PCaRRA
z&)XwU>7sLKBnn=q2CkrRW{Z$HG6jLvl3*`RyR46`pd|=@0POhEMnUj2mVbKiD$wvo
zdA()i|9v(Kh=zBp=w*sA3EcZ+Q^4?3(YzmptGpn`I5{M(UmmKGJFWdbSAv)3Ixz{U
z^aq!PVSbFoXECy<sGw+#qe3iSrRz@AIv2xyU3%-7;M3PFkt<{wO?zjplzejEJg!;`
zVJI*ok*{&)?s!s&Y`wJqWPj(2h}q;Nk;wbuis9wKBu@<(Yf9QiKB+L8<VDy<*0p!j
z%=9W*pRu+a{<0@)hjvzV0rK8-wRq8v2dobIZPJN>_2-nKFxR8}!L$LM;*D?KwWo&=
zePZSn8ndy=@H7-J((%G)_S~*(r4#ipw`hM{kytv8+A^-qw(el1q*4)XO{Ln3oEr5u
z*w7L2+eIAv_x?Zfoi9b<eCOIfSIqz14TD-PrLwH+85VW(d|S<UjTj7oE5M+!|KwQ+
zcY1!0h+&VF)v{aYyB-pl#{}Q@nr0Ci&ykSUdWK_7NGYgVa;5p)IF;+b>*^d}X$RIJ
z5C-wgcc5!N5qBCcIiZLuwAh@iNEj>Kew<+ldiDWV!9Q10GfP{me=Vi%U@1-hxs=Xu
zUB~mxu_>`g6ZX5!%<VHu?hes_dtIG3Q2TBIbYgXXHO!b1M9pSQRN2Q!-&+LRHF)yu
zqLbXNX5!Ou@>YJO5r#T}n}~>CyMP&%ESO5a(?49km<Uk_A>_)GPm^rrr(gLz3}(+3
z*vAL`P9U0e^<Y@Xne)Z-32^^U8UJtM2K4yh_pO&)?;^2)g%ee&k>W+gyaO<j=1Nx#
zobSh1^2`zoAEbW`4e)iDMcFx3f~6Vx$;(YJih6Bb)7^IKxT+IsicCmRxC)Lr8>WkW
z%byh~_HLzH)B8C~xt0?$Ukt6BCcy+L6&r12NM+|YF5bM{yH`acTi}Wvc;jJ61yq2G
z+A*g+_DS!(Pz&$fC4IdDcj}_A1!7ru%s%!9=$AhJ6fb|<C)vK3hE?J4a2q30d2=c}
zhA_k)*b7E*DNt5<&Nhmf4HuPQRhLRs^sG#FlL_3)zLblrp$U+k@B7k5Xce|uj9DQ0
zNfMqRij}?1d%@&bja3|aB$0->-J8@jSZery|NV21_}jRpUM}Bsp^@*9poHw-+uHm&
zOX=%B<;f4=<*foyce6F`)g{b@T7B>!iLQdpolUK_F+nxe6r7}^EZx-kfk#yBB<Fsc
zD=03J_Ha#B*+WKxi2N59o0AOGOcFnww8`bioR9Y?9tJa;RfNN30&a(^5<rEkHuQ;J
zNxs|>JupX~DEm!5P%>2?ZP0P#HDhgXJtm#8R<CkHo5Y!4AAs2dhc^jF4m+OLSd$*_
zg)UTj4{j9KIQ_=RKZNfFTH`020aBXVYFN=dxvtk$eXy@q(F2ABq9E-^e0@XcEl-xg
zd+Msfypu<$S_%HG4VHNSI8}$#EW>B#`~w!?-*O6Wb6O+3;yB}}BfJMjmKw#dK=yg4
z_Fhf!7}h6YUaj?$#+D%Y!XEvlZ3lZ}X=mi`t<%e60T8`GDJ<pTq`w!O<jjNY|NYeM
zjyN(vB=JBtuqn$3yJzS)-gdDam)m)ZaCdrxTFteX#XY11yJy!v02puFpIRKjbMKnp
zDeE=`I|2vb<f+#6x^7Q+#P|g?bUd?}>?Lf;G5AHYzP6DMnSZ}wkNc9bqS>9;l7<~n
z3U=5WW5Ze{<pGzh-B6yfb|6ZAU`F_d>=FuBf@wQ)^Cdh7=M9SsU(7tV&u$+;fT<PX
z`<t$wImhxH$w{xFVE@!d(V+0=Y<hQm(4kSNZ1qC|$u1?^@#?ir9`7DQ5|ulq5kXT0
zcge-w@6z(V3Ff(Hq(O5-Sr|&={3fecg(vT`zs7KhGW#0cW!Bw$_e6mtDEU&yla6F>
z5eK84|8j?qS}mCqXoDo#QGrdhdy7Wi4J6Np<AsoX3;~x=$xpOGtC#MA&LA%LRD&0u
zC3&!N`lQTs;2m%urp-A<YN&$Y_pXq%W>Yo`Ae38;#ughn-Zi|BW^wmL9KQ$>2GIu$
z>QB-7da()_JrOY*;S4%cD&Og&?OnQo56peX>f^_6mKcq*>2oI}1DsFxaL3BrG5Fjs
z-^cTM=^^7~tK?9Nc^YYa^JUBzKCz2Tx~iPS&~NKwsF!B0b}$)!JB97Ud~(|VafZra
zsgn!DNJ?KyiSWW>B!>#p_gDL~q~!&kX5YqBQO;2pdt0-(LxtqGV%;_7c*_~j<g(1P
z*34?5dgI<LOT13)=n+M+FU2q7)Fb%Jm8&Tl6E|?k%ci{&Hf$nB2d-?e$h`#Y?np;-
zcbN<qyDDVU33nUeIB_C&g6npZ{ZM^0A8J&Biz`jRy1M(p{MEx`50=)e&4R~TnMR}x
zfr-@W#0jj_e3*Fb(NuiBD=f0;3KBT~=th2T6}scjER(It=lXI>D)gR|e&Ai1_9~*H
z#`6#*O@^e}O2>5(ms$>b59FGuu|WW93tXh*Vu>hC^_xHyn14Hl-I@$fFi@xTeUI|t
z#AxX=eI&hSA0H*X!|hObw~(Kd?l|E*_+?{?A%cjgDrEh2i}ZK%?<{W>>Lz0L;+v))
z!mTV}OAL?jBBB&F)!8zYgVz*gU8=rDd>bA~18#E5u-<zSU9Y>>wc3_3WI)ltnCFLp
zhXl`~++?y_$e?XHNitx&7Fe_;&4WbE{pb?c5%jF}3=$lFMS9w;kJTUZ4?4AtsFiYb
zCu%w(=qc*;?UAc-$QNM1^nvYgmr!+oy4+F9E#<i>a4Y!?`8llfe$<is9H;vnryRAm
z&4|c;@+yTAe}iFz{!18^AJyQ0f?<#O^<DtO-DHoGy}<e}A`frvcoD&>U15|bXJ-%m
z^|6S15<*+zuX8<O@b6#b;`bytZM5g!CCmXw4e|OFT40kMS87Z9`#x=l7=G&PsVZgr
z`1SVgF)7HM)NY_7sOIk#3mcX|-cv^rnySWe&Kfu`v3vd-1#9SCC34>Of8$`UMtLxf
zAHQP=5fF9T_MJi$Tiq-mRpNg7Nm~>XmHIX76Y}I&cjXX^d~RY11w36LdIF^NtF_M%
zl8!J1uV9qjM%z{&CnmcoARX5HBqQu+PD?x`ERf0Rx(XKMP^Vh6r4*(-ec|VJlL9*4
zky9ED{T8jN1xnO3mYjECm>poaD!MGWn{}ek6FRG?BX4`?I5HR-aQLq<JH7i9B20MH
zU0AW0zwCZUd1x{hd)%@Z5lU5s?ACeW=CCdP=GOkl8u8%ES6-hvrae^iHBh=WnO%!g
z-14f?83-rYiXJ)ykr5AmX#;`Zkb*?#DWc6CN0wz>pRr~Ppwwv;V;;=Gg~ZqDB+&_5
zELaf;9NsXS>O2*C=r2IXY=KxrMe2-mgtGNuX)wv2W9(v>7?#gDZ0yM+a+@!X<%ikb
zxTTkxfa%^{BrGk9a#dcA!wWgZt7tcRwJ2C-pMF5?yJkow#&ZIJ7j<_zmJh@P49;jV
z4SYmB0&lV?P|74btoFC(R-Ywl@oQ#|v_dM^T9e=1*LmUmH5s7gXK=J!a%=>7@Jw&w
zIPk6N2obMxeCjbT5iI27)M*K|gs5h{dJ7eA&YNvMhBIg&yQPGFo&uGeE450pE{Xw4
zgrO9@LGL)V&D~0pADZtp%!Fa*>Tp1U*IC!UjD|l;r6WQSA6gQGAs=zXS$0+7nDahV
zc96eDD()iM+q^J<qa0*(TZtSO>~XrozO!`$AzzNb`dn^DNWQE8xSRy|?bAy2jXzU#
z8u)#Hv9%;qyxQ~hTs&No@IC)fe+-hy8UhZh4RSYq1{*0chc}hj?h*5$qp>%=fm6{V
zJXlWiT&*i?DNDK{QnL;Wg{p-z4F>jm1O$>mT5VHAG#)}ojx7c%HBV}fGpU)deO&^D
zh=zYph4D!R@t4rl>9^`;Gl7^gT8!*M+D2IIWty_wV=i;)ony+r(OQ+;*+JK=Gcjk%
zjsTMTX}3Smeb8u3dyE7R2k&+0Pb9Zo+V*o1Q|y#BCQ-UjTw6!+O_u&tCyLBiRqhN8
zXOiA<SjFm7(MOX3P??jG^rR220}6eyrdcCl)2l`XrGFv02b)6brR&KhqpB5B%N>IH
zV|P<B-nH?<kzAdg^PyQnJY2MuE6So}`WMO!{9HZjp4w!G$*npK<)*{m$a1L@+FZp$
z?umEBh`UeDK}1R36K#_U&hyeGSiS&KnI(nN^vfGa@KAfc;%`Y%ug@2?=ju^1pqFP~
zBYd&2G0M36`sf~y4#>Zh1VAnbNFzO9o{|jUI4J2c9ouKfeO|qxUv3M^vQ+2grYylk
z9ADBd25s?ZY#)5b)pZz6w<q9rsNCmnZ3B9@g&D)vSO{PH0hX?YK8!M@Bjn^W_t4c?
ziHdL011dO<JCA>$#pC=z*Zh<7(`8;W_qGHc(+z(d+7m{e!#gMaL40)g&$3DEM!m2a
zd!nbkmdV*?AO~HaStI9!OCV4A+wd=X(MjkPb{Og<d*Y#6R(jjPgyiGE0Y#2|b3&(X
zCb!+t`M$}K*w+t+tR`P&D~jHeaI{8^cT%lJ0TS0`a{L64xN(+RM>p%?pe>2#UY3-t
z%Ow$OV*On+3=*z)c!&(Fdk(l$j{fNP4J^*g>UNBHS#KNKx8NVu#O?a$q~uKE64cB?
z^DmngXJxHvMH4u@eW>G$ausUuYR|eEcjcOyKQlfN&+V@7z@v|nI&V}r?jKD!p*U?6
zBcrdcsDjqIAEZLuj#7av{GL7k)#W`7BUZkLy!UyiwC2IRj?-BQeRuW7%4g@wNr%#!
zt+UB00o?~b%TDfq@1-Lr7rwnTvi=~beWXdt#-?z;xThx^l%e!^+n99%Ye$MWc$R;p
zXHL#H!uG2j*He+WKKaATKlU&D(TS3QAfP(naD;`}-@~wv1ocpnTC18>DNA0=vYK{t
zFetdFjR#%9oI-J7epS=~eKDFrA^ka&rVl=t-V)>g!S_A_k%-VolOCtHw}Zi8;$s(z
z=eE)=MuPfc&O{ePhpo@5q-0LiB(+kYE<cqT7guC2FTx%{Bw)3ouPwESdg(PABO9nA
znZWJ&w)?H0obv7rn{_;IvmULN-~$ysGD`PmeJnAcy$<Aq#Ns*82QgBGhll^g_P(b9
zZ0|7J2H`*0UZalBN`UPZ5dv&4xNG49Y;Sk$iN*+*R5Xima-%TxUP3@m3aU$V^m^MY
z8HpEX+8ri+T&Dr40phr&0uSD7Uoj)=Z3a{YuQHn6ZPfbLmU2<epBZT1&GpgOk-UiK
z6`Nh|>9CCunQ|w$+B@)=WtdNrke&a!VLcx@X**?g#gsBv7|(kYhX=F!f^d>0x;sbQ
zvu@-*m3x*fP{L7dKX*A-*uiCIkRf~%)lG}x#}l7A{ITiSO)qG64(WCZ-B#yB|DhuZ
zt3*6L8l0%=>j_dd7y?gH6}9;XCJamsp5*)k6XpmM_=yPvy$8UAod71xQGP-wvzC^x
zn@<w7U8zY+xe!)%`2j#skVrwUKe!lE0Ms#<mO*+X&4EL~ZCnVc%<Y}E+ZZm39yqU+
zKanv(@U13NF6~2m-_=5b^-8lMV$z-IOfB>&Y*04Fy<d%$hoVn@AzrA9;%Bp=3HtmO
zaw~le<~O`zL;j0S|B)#I@RY)zUFzxJ23nZ60Ah_wT~E19k_o^<nKH)6KY@mLxL6)X
z{d%m5Kc>vA+-vBjw}k(jJWW!O2IQTsi8FsUZ)e$eo17aKTb)^fBD>m^uAw1f&Azs>
zwESDg$d1{O5|(=R6A@JvnM8eE`G96HcQ*0*MW)1&)pd0ZMG!^<r`9wOz!FH|5BsHc
zNLR66_T&N@Bb^cJ+bbOZOiSQ}2@St<Ufb%U&d@?6%qxZ<_4_95+I1PYIU-8lweB2+
z0Q`n1lW#hZ%(l)OR!T({U*6x{6IYXjtdUjhJ^XluQ|TgC>Rm7;Z=+Huc>R9-K8P-8
zPAXTN3o9h6@1#O!di|5L4C6(4S@$%4GerIGWYr^U1UWgmyV%&mz(pkj&Ih|)U3$X#
z;IyaVug!*XpNYM@D_3*wbwBgq9R{zj%Pv-<?Vlf)25cJD<et4fBW<=X=)2;!{}>-#
zN;B1YK-?itQcm~6&n`8XgMs-G5rT$DMIVgMy-j__NIIrBAW0-ukYVUK=TFKEa|e-8
z2hjs3<@GPma7K6roKZpi=324N=GREN2j8<4sJ?kZ!Do`+#2&{6yu;U*e^SeWn(&fi
z&<kenTV(NP!9;Fz+;k(hJ}<Q2r%F|9_2t!IJPt*c(_qvfXiuP{V|(&34y4)GJ$o}n
zEKU{#G0WQeAofKu*F=u4+{19;jKnJyt==*fI2#6HlAC5Ke#2ITy4V(Z_+~5SFXVLG
z%AH&o@<u2plVi$5w9zqXi8g8FjbrHDLK#q;iDitv*rYab_BO|gK>E>Ht|20Pyyjk~
zQR74hBwc~Tye@*kJrA42+$bFs=;2}VxR`yoAM|byy0r|0teX}I<hK8j5x&0#_~-lV
z)#=n2gv{^p82TPIqpDTD0=_}%Sq6+B?;<B&J@Qi)zK`?y+E$P+<rc}XNDb9<o>%sb
zHis2CiIW$3VzR{ldZ;_z;Ax(CKS=WZ<tcziG!qJ16xOEv%$Hdx0D|0mW8njsNga-?
zA|l5Ox?=<7Q=cZa;Jtr@hOi>=EG161-IwCk8M&_OS;u#HLty{gh5*Cm9G>!dIW7K}
z?3a-an5^T6pdfc%q=cRH9CMBW!9nvsCnz>-!^e%Y^lOCQIZeS2AWT#Hg9+s{J~qf=
zWNF3yWtf8T`|F?o{Yd}YO8?uJ{y&Yl{$XM0#qxG<ej!gW`64VWrQfyxq)xsP;rHSG
zHwqK}zg*zCz!*McJb%3I6|f2==6?NX26z&o?o8?6ym$~YZ9}S+qe@Aj&4B!x7m0f0
zH>~=%AD>!)S&qU9b>{T<SuTtf*eyX=$EDq~98q`maAvsh3134^$d9g0Ab8u=Pa#&5
z86Ij13Mo`}vhVJ8mwq@p{BAyMGFgoV$Ahx9awrYIhLO465Ze4XV|z$mgN4ZKHgf*;
zEnGye!HOj+!+t7P1aE*Dj#bbX<zEx<&rkaFEtqVj-UeGK8EOebZ(uo_?3)4BxaU)s
z_?vY^x#nQ^{i!v^)A@Zmf4xV}LQ@Rh+KG@l0Ru+0zIsBX#}VH~T5tD(D*Y-%2mje!
zky~|QlQoXl@qnMsHL^lBhX)s+94}=FY+s*mCYVb-QAl^-GAaWgCe8Q=q!gLgW#<*h
zijvY@?(XvoKy{d3k_PY{(Wl4S@68mw+w=HwAH&eMf>OUbJAPv4DnHx9%~@&w_VJeR
zrAdl?+o9FucIz|M>(?1jR-&AtP*w`a8K3Nuq4oIvWgkI1idQFmRpn6c!3V;;S0+di
ze?%>RAOMZ>K|Sas6YAs#Y=F-MeG|2uJDCvkuxD->N-oOoP3l&_!!1ut7EK8%_DhS5
zjY1`|)T&}z*_8vdJ*qG)$Dm@#E=9wrgZ10%4G0L|A_Wx{@4_p_F5S;h^I1+>4saG}
z+QuStA{o*VPGD_rnndt;%O>VkY#`^p>B;TL9mng~UW_er3oUU=i${Z)W&4h=D;3uS
zz7H$$=d*;kgN5F$ZVzzc=wm^P;oeTimBNz)1yij<eI(?SM~UWByXns_J?htq6K?2g
zAEpP-^GI+kALskelZJ&MGS*W)vefK=7u1y%3o(9QegsMRLHBHtcpOc5q#WSPNdAFe
z^?|r~Xf+7HY`qU5wKmIXjNprN*A9!_q%7NHl6ukCmeYN&C4TojWe^JXX}2(om~Fl?
zszVL3CJx*ZR93!2++#5Gi4Z@a`2fy9p)J2hA?pK$=@%%;jm7~Cch1p5+lQ024=BcW
zhw|<fWYIwUWWONXoG{bTa+;{V$9zKJV>#|DTR~hqN2^hiE^X3Si80sNgmlAj3T5Gp
z9J8&-g(p4cK0?)G9_9r6BByqrnuyCSf?lUi&%g(>N6-hC1gn>8+eJgv8#?XD#E;Yt
z-LT}*h+9VORv!MskNK1qA!-^Yh&Mk6OuHFRU;Y^&Jc9x{1#c2=gDW5I+$io0S4t`N
z0-F~rs^?^Rfc?;`3G^vjAMJQtoX<{b^>&I`jKTw-AGjasxUUR{wM2l#5VPTOG+f%1
zc*Zu18|$Q)$cS}Uvl0YnvxsV+q}PXKLkLH2B&nl2&M*$1%SV5t`Wu;isDrS{?UV%a
zE50Grjg%lcT1<x&8+J$zTTdkJ?ASY8oT6o`CK1|xZ9kSz?B?-t(0Sy)%UI{NwzVs0
zc67W3eQbb&M$D~g1U72?>YP@PSKY2{R%(MMmp1ihdLHP5u4-j598x+qhv|fzNQl_4
zuPq(<CcZc4!~qAFXyo!gw|*0F8jL66gAg&u(oosrP2}+6TP#C@R?2Rn)Jw-L$0kZu
zY(E%fhn_$F^fkJ51by(+SNE&l>NhGYK&CBVZsv9xo=d)9kT`^Q06a$uMP_Q$N=!l3
zufMrkspE<D6t7d~$zoNtHlS(eAz`wQ@e!7GJaF3~86?J@^B+J;m{j6t!d4M2Pj;?g
ze;2ueoZ*HS9*F0TQ@j3WMDz9@wGutHHbYHV${%iB@7xBvL4>>r%(<KDLCO4oOt_5j
zneJY<mp3l>GPO$ysfI`e_YYk2E!YV(sRCXzr!gP8Ru}I!OA}Pk$2$2<I&nGLhDu}#
zU+&YNIc^>w=_G%Ikgs08@y>kO?GQnoX1rDr#IY@R{Jlnz(Otd$^QEp<OR=TD&TS$A
zuh;#?Pi2H$Vf`W)d<Nr2r1y7>`8CS}z!bN*rbG=;O#mMc(d~odP%60lkzG^F%9Krd
z9YGnqj4<?|QGd`c2>%K78u87Wi||z34)f_+cL?B^o^jbP+2qhxZ&W%maj<CBc*S+c
zqor(&7Rv!g*jn^ug8TQM>CVo=;f?lB1KP(X)@QoHP#ah|$=Y1X`psf+JF>-)lfOm>
zGB&3+P*cxdulEpd1I0eATp<Va(z<RIE%KFsM4PAW*`Z~%$KvftsB4h?yXku;s0$h3
z#>lm^d&?snb3Uo<)4N4P>uqPP`Opxj<?Pja%Z>*Ls<H}twV4&;3HmvqaTnFCaAbKO
zUNRWj9d?x%zOc&JKAAuESbmXu{NRLh@vb-O!ne5bOl>e_5^>o@FbCCp0xEL(aJu`l
zH^I?<h>3rF$$~Y4BzNT=ha#K9K1q3+xyKMweNMIOnR7n3KzUjQtfu?$UEcG+vV^w0
zoVjSM42!w@64bkdk1_k>c$`<jwLDlY&1O#o{D*ri9g1IJ%1}v<{O*3^vmgRWLkj~#
zwnKwNz;GidT=5JRwUecUYLpn*bz6RyF#boJXJy!hiplvY%wexx%fHz0Y1{`ZF}|=f
zAXUmo-gbM4Pn=;%W!<}ZWr2s6Tt%WyE8X-ubl?LYWW~r}zwG$+X3j!7ljS>LNLduL
z)~#75we1(1%7#SG6Z_y1?<ktJas>TEK(aNvpF#xYk!^bn7g{hbI}Nwr=Sj~cN@-2o
z&*%VvrY_(WIv-wN_1Jf-trRKnIyiWKTe~t~OLPirE@yBs&0Zo~rK0?fS`{Fg4JGNP
zJ?7cg4jN&R7)4&kyHx6r8wIuRV$>+MKOuHG*g8O9%e;C&anRSMVDf#fY)_q9rn+?1
z<hb{X;>G`A@4SPe&e}FTW&{a}fMfv)l3Ie~pr9Z*=QM!Ok|k#l6&oa(NRk9ZGDuDh
zC{a>3IX6gba%wVkv!``@-wE%2yIcFuw^ds;HRU)|(=@+x&U2pUzOOr*eSkN=15k{$
zPJ(2gFWl_>>i8*~dJ#CWLWKqMd8OvVFlVd+_G>KBs-rcY(nWVxL)jTJ6)CvXmt&B<
zQPN!*jOfnvEMJXc6)_L5NHEu6Q`x90tUsV!m45u?R@<tO-!NH@LAsbptw)4)04C`(
zUz8)N+G=*n(o*`G3NRN7>}FF?cKL5D3K~`foH42MyT2OK0S2ReM3U8^E@hwXJ)`3p
zRgnpd$^!LR1l|Lkr(Q?5I$mZJ0}dQf?ZYDZfou{b6A!xZ(QyJIqD&AQ+8Z+&=$TDB
z$psXqX@$@LB`}2j1V$5?E><1-rknQq*Hn&Hh(_yX)Wk4*lX496T3fH>v;1p>`r$U@
z9kCu_M@;o}Re>i`UC9EmQj|N>r5yXvo9_h)S#>pm^Lg<;0n}8C-E150eC`0w=h{2v
zmaPcv91-GW1j_0IiVDrb{OI7N&PUVHjl`DF);XGi6qhg2{8oxSOKm4TGZ~Do!-YaC
z2=R6j$Z98*wRoNW-frD@s$~fzk5S#z-PNf04sB{B!0MHST}op=(NkG1HeQN@xP`-F
zf-x4EkTp;788v&IjdB$5Jv*D~olI?QII-bYeZGHZ8a**H<K~**;E$44MM{l@>xNC{
zU8HzFs2V60DD@PC7ug>V&Vh6V)s*>-1gHIP8dqtmO>pJ2)tL45*DNo3PjYnTR60J|
z;cd_Ifxm3en8?CWl(CxlUd>3P@UmDd)CoN|!>-!>DwTy}y5XEbFvzFW?8?mT(-W|e
zm@7t)7uLtgX*D|?JJlUcWZ5Q5RLxDkFT!@sK(GevP^VUCQeu+Brq@2Ivv47X42PMV
zJlb8)^gkj|2Z4XH>mm%86o)}UM7?W-Tv=6`<+%F&?w-Kmn1am_#Bl*;-MCr4^|+v<
zR=aA2_uv4b3ZhGa$8GvdD=mmF<u)i*-<)n<?2%{8xF1H@b9-~_1$p2-qaus@J}Z2!
z^?Lel6_%|eH#KL_>L<tKShz-Xg!K13y~5;uuihQYua>Qmp_5lqw+v3B(NRKUWp<gW
z(MTT<8_9N(tSJu6*XN08fce_ntv}2G%adI6_&`7L5E97apve6V=)Y+wxO6*9h0XPt
znw0b>Drx?H;W$eOYLC+ytPX>XU>`!1RAi3`%NrMHr$3PM$<;NrFgNwPxrD11^c`Y-
zUphtS9B1U}Q|_j_wCBbk=70NTHByp^bcABM>kvy<dwVbIfZwIot?p8(G`HN!Lxj2l
z$S$ojK=2E$kT#eG68X+!@(0DWyHvEqqCq6=;Yy>Rr_u99sj{BRaIcN=zRj-*VxMAw
zw<S{+Mw;8@6`OBV_JMQ)d~Y+547ae*sb^O7iv>_L!+V5}Hf2=VSATginZs;kPGlWe
zv5l~Yh72V&u8mH#i*r(g6XE-*egm9?R+>Zj7*lcQtsAwHEA;pgWLbx~0q87lrhSij
z_B}V8Y_Tf=^Q^O#6lFJ<z5bZQ=@P?mN_#AilK<hZtH@BI^PLmnY-rTlyva7^>F<Y+
z8{|pSBw?3M93E4%sa%scmO?i{OaS1O-YzK-6GbcV-cZnK9&RM@dBC!@`Evxl>+=tr
zwWKZ84(8uJoa(Q&gTjtMlIaUF`G6bGvo=`+;)Q+s#Q_FJ1C}Rt$P^~=zU+}KyIPXV
zXZoS@M8Z_Oap>tXHK=s|SN3wT1)rdmd|<GQRYer>ZCM9iM^WYA)}s#8L$uPHJ#Ed5
zl_+mQjNsk;VJL5T>N0UN4)HoeA78WWRq0o{1%~uaMQo9bN-DI%#hp;kx^7VhL(1;3
zr0R9gnjb6q6UsdjBX&qS6d^73yYqX@1%jLjzo?;XlMb@MJpJMaK7_ih?!2qJ=q{sx
zOjAhhlKRJy$v{~Ou6MCV!(%E{iUkdW6SY2?^>u}!iJ3xf;XiHI*k3kmOeAE~WI%(b
zwrX;qYJwLO&A#Fg7`Le+Xi-u+>FlS|U@oXHou!<~Hz?}AKRZW?9id9BrB87O+>_?O
zGioO?A)CsK+1WzVtbzJ`s(zn!)9yKA9P^i}TZnnzMdBJg+`^G!^Pcp9XcvF&UcUNe
zdx#FNxYB&*bk&(@OJ!(Ke6ihak|Kga+ktCevG+H*ZGebw>79No_w@2;S#HPX_wT>o
z{7w5pA_jD|O$bc(vKw29%^P35)4MnPShaeodAbqI8EBKSiG`LEyxakk0|h2yaIUX|
zV3pnKulxsg@9b6lD$5bAEer?vr7NO+-92HE$tzxFCz%*cR}jPc4OqNy1B>@^H<6%2
z$GK`>>G_T>*!>n>3fJ!C0avXFyv19}#ROQqH`l_p8-y=No)=h;X3z4-&LcrPi26hr
zs+Liji#{wJ_Nwv-@F~myA*^oS6b{`~!aaE~HfujZSQ(8f6!~Hfj46%Fd<!B7W?m(g
zJB-~uW|qrH2|Nr+CYzAyv_Vezmpb=ZAG(dYSqj%TB_0f*Uu5Pd)p+#S`5)0jBuCQK
zYpct$zX~8L=?nUAt<4kG`yI~>kyUS`u%E#x28?V)Z`pf3_p09CI43%;^md*n;t(SR
zGFbIG0Y}0EWU#jW%wUb?q-Ob*!72?hSjp?T=V1uWft&+Dikq5oAm7k};6`QuzrmKS
zccPhM(NHFWevAkbbPgo2qH0dk6l5emnHp{=5e5`3(-p+jN{6S27`zAiucYV1yUfj|
zLnQQ4GH=-eWyYnoX)rhr+kt6=G8=B-guFCrY*6e*O?*wF|8oOr1@OBm2NO}fnK&cl
zI6BR2>syQD+Ft6Yjd1m9rdtZFsG2Mxdp!oLADrYGj$5Y<u&Lnisw1$A4lU{Un9jJR
zhtWyN$yTneHLm=<K=wq7eQ62g4QKI-LcmeH+Y(uDq(lXU3Qag(81+vT$uq5ql#8TU
zy(N`viBMu7s&-$z=LDbU@Y6T|N3gy8kY8&1Y*>cy-nrQHBO-|ALiuX(0|^FPp)G|)
zl%Qv`Ul*jC3Sz(+RYc~svz76V*Tk^O0f$`kOZAlyjO{{H7aW-k?OW<lIgOg2MGDhT
z;$(ZB=?{{voyw_$D`r8WgCULqlR<`b479%6)oaD|DBtU1mw!lKo)c7kPLX0x?4)&i
zsFC?0Tc%B4{i_aijeB&xz}$;P=^yjB>cbKf1mSBiibd0-RtuJ(rarFq3CKNb6xB>g
z1%^M&Ii}E9p`&>+vOculRcD$sVR$}o#I>KdDvxbmV0R0*x>piDNsib{tKWu#TcL;F
zV4J9rQBLZ9#r=y@k}Lg-eNCpUT{bq~Alju5E@OBd@N3!xD?hZKXBjZG=~-aQVS=eC
z*wvgXt}(85%LW;;4wA<kjsJF%|AEoJ>^^ldUXLE!VuV+(AZJC2h<AOcu3o*-Xah(C
zktAWHZqeO^0ocRd7h<uoQ&Uq-rkneW>?Dn-938GI#7R*_t)%bnx2VU!24m?pw%nin
z*6N!P{mwL0r~Y^=49*rC)EvaB_>OGqD@JJ@2fpcR)3YPXRf@N5`(K%!9q^Fh0eb;Q
zZzah;PFza-UXUwUTMz;E0u+`ZGl98(8T@M@6BSEekicW2xMai<b#>UJo;C?Om=e1n
zg%6R<@ZM)y!f5j@>D;EWQb^ETjZp&WZ{mBnR0AVKPpNyLR^=a7a=k9UQcOSbA6D`j
z)+ONErsowB)9H}iVMMBu-b2-mKaP=68^4wCdfDkV_dQfDnu5tzOPr3Vp7Op~p0v{C
zq4b5seIU?q;~+%Lf|x;SyY9-W&FR;&Z2=tc7-xOL=(=N{^D4N9IpZsnd+t6O&lAfO
z0Wac{DP)hY$;i4V`hdut(%%2DO}>eV`3gT4*Q)C?)f_v=in=_VUA*|cF?oZMm+&>4
z!M4y+($w^n^{eW$o6mMqS>$LSj?-I}P3)UtFJ9`T2qMrFQqZlBo7<1F-?ZSc(-|)B
zyzUs8K8NXqGCmL@H@y_i9(TF%g?c8*>VUarn@o`hef2f}ndW54tdoRDhVzqTsV;i?
z23*LIGAt=oDnmU-BEP$sGvl<N_q3O7fA>Ic3a|JUv(U*5m4J#-snDS_xFp;Bei9%f
z7(eoLs~;&PZ2Aau>PLX=Y~itvk6x*FO?f^DkbMD5Nw33Rxc0PpzUzJWei36<Uw8&8
z!0R6Tx%5p_31`DHp9l~jdnn#G@hP#&Wh+OPusxymzT5JvyY|D2u<8SmSd}57hia<}
z@Otf}mB+e5E4*iR>K@NGOi(jG^c2>tdu|~uJ>CdoBG(QYR1Yl0hx(3WMy3LO2F0>_
zI+l&;lhE;ZlFb-gJP}QgJZPYrN!7TRz~!;#X%;R$zvMN#R^94dgN4Z|3)xJx$4%CF
ztZ~2_YNvi#$QhX*WBqS7_4TAwg&*H-$t|pJ%jK1ksKV5rFmP$zEieF)ToD)`xL83}
zi!2vgI+BZHA|pM7W1Hb?i&#ggAw+dyD^v|VXGY2UCNSMONiJe`a?9c2&c5t>q|}LK
zLCF_8>=K2heM2Cr=gJ{`T-v&H|F>+b?F$cZgW$SdE-tk^-TD1l;6e0@T1<ic8C=wf
zoOR&}ceU<fp`@=(-2Rx6_YM>}TT+J|ZGM*8?gY)Y9Pb_obc;Y%qdjW^(MySw?xnFw
zI14FHVBU2*-gmCz(#g@@o_(vP*^_oZf_r7oF@x;VWQ`|scnEOb4_*fq&D2vMTtT$@
z<!Y%KkceAiKU&)MM<OmWGjm8I(q;Np<?ZKq7kj*bJYmcM3xb4Rtny)x288n7&q&-9
zsoFn9;!<9BohF5hmWDF4b{+WDk}xF~UTl>5$GT_3ulo`c$%1HM8F(Uf8si(|TGte7
z$C?KzC(f@OFFGeHuB;-s>t?W`z0%59yZKbrIal>1m{wLE30UhAR+W=#@{e{I(F321
zllM0i+F!95p55>I^q59M`fyoYYB<kW_5H|<2FuBztX?*1yS7EB@RF@|$oY^!PG=L*
zC<FCa0ZY!&lYraNtb=oiKH;n>`I?BC2~ZkveFMEQ4y{kuoQ&;X)fVdH=$ed1s>OYo
zK>BR^w0Q-!r3wjHe|rE3pKs756;BqmGDYCq?=D>VF0Ez;&tlHL&^WPW{?%y5&^<$R
zS7_gE0~xb3xrtU?>XkH{UC1Vjs!~nhAK6OH&4C#P>|sd-9UE>`QJeX?Ttks0)wIEn
z-`HSYl(mN&zh~4gG^~pw3@MDtzfx~(z$8%&-&-SS=c)VUW4As^SCh&ptV_PB_9GOx
z{zoWotfbjv3sQqZ_;%WBhlP#TFN75WY+51f7D^xxSEGcoWhz=p_PJ-nY4Dj0ufnV?
ztx3->>+(=dS!~6T*3_<XU)%i12m*19ADKX2NdgNyPSgE|g}p|ZWbd3nF-yp2i<L$A
zOxQs~4)EuC`<UsQL`ixZ!@WXziJV1z>t?8)Nuc4|if)z4B%u=@HDqJ8+>un(EwZss
zeX1G}*tM|DR%2qdF;wgfTo?=OUm#t`^u}04Pak3}>zqVgWiD>697pytee3<94lI#g
zrV$3&Rg-!i^Yrwqj=W*ssJ<hVUqOMpSvYe3Xe^1er1LZ%<yg_4t?F3$`UfCYZ`*+;
z2vaZ?*FuK6Cgw$s1z<t*vr$+B%J2>$JD~_#X${BGgPJ=d7;C@5=J<}^K@ipCdTvax
zI-odcZ-&p6*)>>VOZXU;GnJDc?4)Ev>4wU{W%r-UEwaw?SC%iYi5OKMU9pg$p!S+t
zJU^@ZVsA5R6o!OyZd0Fvn)>FsCJ^QOF{FB<l`-&J9tEd18AEP|SPGluQV~>ARZSWz
zh`*n*k`m48hqQ)DuHAmr{e>y2z{go+R4Y?eVa(Wxa>!tF>e5Q8)9UB~S|7pWPEUw#
zBqrGOBcS^9_wMoaCt$!u^(A6iVPFN&O5F8Bb~`3=w|kt>3#D)Osw_l%yT2HEXOCDG
znA;5;*v6B|z{{gudY~ps*-E|1^-h|#p*^V#UeI8f_(%6ou0bAZ4dGPQdBkjHksR=S
zdNM#JT7jwt60ZA1u(c8_UC|6_HJ`Tj6Ga)*StbQP<R;6~s}ORI>jT<M^BF2~YbWN!
zlzPFF!!R3u<$K2Hqoue^h^e+{|1)!^gU8pTNQN5QR#??Xgdt{E8O{lZzA6TMiyK1_
z>GW+%QtPhrfofo(M@Q0U8H)l7J!fHvnhdxgS=&1rSBx^f+vs$v&%F57;_!^GIJaRQ
zht(A`8fe%1`!CnFX4_<=LdckOna)R><AJl{9Y2)0_43lsO>a4oL<exosW02dO5%vG
z9hYA!6VdVVo-J3;uG$dGf^*yJ*YpAh{npkNmXEP_MO3=YWQA`lzS_MLMhrM@*lv5}
zAtK?D-<$dZ01Bll0A2vPyqO+u6J|L-vm0aErs{r|^Ei81H(WBw(~r+gKe}U0N^PCU
zT{2*?m1!oBj0uZ4##W3vR6T^Gt)}2T^uBf7w;2p|8^V(QIJ`K29bT=*$$!i+x&~bJ
zq3bTdsy?d(Ec7_Mh5kol2pagqDd-9<5m;Y%<mqbAxtu()KJV(D4@MBXZl;kc*R6L6
zS{Red98ik72`55cX?|8!I8fqewAxQ>wBoplZsPjBj;!tHg$WFScw$;ni)-$WhIDlX
ztZa5ik!cE)YD=nOf7GG&$!gfCbz@iW6~wyOsFFM*pbXI`;gAWnI$8Se#FPWr{h272
zx6-yY0F);-`x(T}bEnPRDwP0f!&h%=g0$h~!F(<$LhgmcVBI`@CM5a{aKn~dt#gjA
zT1m`1>o2y{Ji|R?Fp&Oae>hrpwIycQj)4e(10-wQmnn^OQ&wSQNa!Q;YkwcDoqi8y
zZl_T2H9b}E6@F!q3eyi7xec=g)JTd{xs2jC($=bE@W>;B2@1=|X0qMpw@h-jCxprr
ztca{X4mdT3xJ>MC-ojp`F{dju6eQ<aqh;yWy0AtN^(6QLwm|46Q?OUpd!f{eGsdzO
zF6K1Cb_(pxRGHvvDIyK4@h;zSg>#boY8g>(aakc&797;*)j~4x4}APPGNh5zihpo@
z@BDV($~t|+be3J#TvL?PC+bN*^lLJwjW4(+rWOz&dtqQLIem-A_*N{ix?~Gw48M`Q
zUd-ME78J`uZ}yqm-KCCMI^O3<%brgp;?B`uQI^psdW~eSaXZkgW5scltBw?|8ZHyP
z(EZhTZ#B?f6J}w;OJK^;IOTjEgbu@zj?xclITyXATFN`0URFCyh3sclXJ-^p0kU0>
zcVKq4SBF7Tp=CVX8qxeic{20nkv{KMDon5r;D=zg>%K1s1IU0Yh%+?rnc<SP2Zkz4
zZ~+*I9aj1RYUGbi-cfDTWKYDY;^Z?d#w9vUQn^H)YuBDa?{I6GTJYd)Hh&ldxbqKx
zxbvNpgBFX^!Df$_f>*7N#Crl+YZdpryV{y3##?L%-x(2u)Uc2x2+djM7-hz2xKo@S
z<pxqETppo)Yzb;Jz9ThEV2qz=bNVQ&eI+_kn&ZgAXS)*V;l@fo^P&KkZs|8DSuX$;
z2enc%zE+B?6952-15bse{_JefTr7J3kn~*%6dBWMNp#b0mw_smsqa)BgV~U1_N$U(
ziA>OrN5JNG2lI^<zkhw^QVU2xyr)I!cldozm2%&s6aV4$Cl>><sqQ9c$-mF~2`+(Y
z?>RZ~(Sl${riqubLkqzvYV9uA18bXh7MarOw~pifcUW{2Gg3~fnM(>6blxO?Tc&CF
zN^dkT0m6{$*LB|0NM4>%U|Cr*;XH9%k%9Lxu`l-B=9@4h{6jKpCQ|?-QhPEt5kbQ9
zRs2m3nG+^vGJ8m=P^>>n*3~5h(WIDM=cO@MiUCoA+y>=|=P&sfy-$$ZAqR?vPyDOJ
z+GaJr)0dItr>>fP-W4ETJU)1&!BHQsn$*6-l<WExz}0zVqm+~PQ<dTdmxr9Xkwi~z
z23Ht~YY^yMhuts2eha^sEq?CDgHK_!CxoO=GCFhx5u-JB;?7y*YHvjoOLQKXaruVH
z#B_g8?U}MO_&kh`j-@Le!Pg-kW|cRMCJ5#HzRE`{@ZdWJ{gG=&Vaqc-(B_6U{;F}R
z&bG+w4KGVFLDOuWDA#2Kg<kakn#={-gDmH;eh!pwo~z@pIrVZl8k?ON#XWI!`35z~
zQc0An@xnq(3@L@K_^s8Y%IyYdmqS_@U6UkiJd<YNkvLZnk(XnTS(m5kS6?LZR`k*b
z@L>A!&|^mm07plpu!F?42bJRfcyPefUY-?H{wNPUtIvi$F7-xWiKIYUK;>^`a+)u2
z6*&%e{^e^aRhOzoN_a}hAP=Wbb83v=_G3fOxUG$Q=V;ZxHilrDW(1uOq%J0VfgY`l
z^gr(Ot^s<9tH(*pVFxHj-)tZ6nujgYC&wiclHfw!|54$sz6vm5M*%VkFK9n%!2oV&
z_LV2Vzq#$M7*s|5!4431GOc>(<m~4+R=xm@x9R<u3hH%{;qSyCzPGX+Xh4~zs;jsq
zk?yObI=mpfd53=pgg3j?PAetCQkEqSX5VU8KAzeywvz^>yT`{{1b>f&XnP8F*0!|x
znZkz_AVBoV-pD%DLJ801CMHMGqTix|y~N%CBJnXj)xv-QjP7M|rISI9p<qd4U6fu@
zDv&TxAH7K<bFy0y@~MM58Ni-0D>vnjRa_z!VR=EE3Zi*wca*+S;4A6k5${`_LY=8$
zh84DV8R2^c{Hvd5Ur9y0FME|Y?W<sqzF#XkK00moEW46`b=hGW@)?;-Oin70&bYrt
zH5<!o@+o(y;4)01%5Ux^flBe+7Z-Jg_64>*e`Yt^4I6kY;!dybyJiX&`E3@;p(M((
z4~bLuT0arLV-1_BU9)%UomE>{j-PBty=4neXN#Z_d#JGs-|2iLw2LK`?j0s&|7M~@
zc}}Y+ZDQw?I97cCMwI&O|ELIXtp(_S(wlE@I*gX`HjDUdU%Txzpt}~O5|a6&2&mR>
z>7f6k2(ZN$0WIG2*jBAm4M6b|G09s8$N@`ua=?(8pWHx-Pw%*!3u>h~MDivEMmPU+
zQ1nMV0LTG<xvlCARsZ{$T|wr6J2#m3x{A6vTN_z3P0WVQWNS1&x-7)#s#@<bstl>U
zLLVtqP~Vq?#5^==txU~5S)fUA?^=JEUX1RVtO6HM`qhl3xz(+gAY}Sc53{$A@dR3*
zPB;+fcQ76-AnsdS!<O8}ZCt57su0adQ3R{zHZW$1*l^7P-R1bGb3VkhVp6d0XF$X_
z$OZlcKm^~8=TG$Ga%Eavw4anaqzCrpN>nfHfSlmofn2?e5ucqUfFju0JIj<@UqRM>
z;qQ+r4g^U^oY=>ng+z<Xz$K?DvU|c=itX12k@Au`vmarM#W<fHlPE9U(-L)eBDYDk
z9#>q^W`@%6aD#brWMaL_Kr3!hJ?2ARwvBaEYnJAeG6<PIFW@<LZix$oOlxV9PdiL*
zvb+1&W#-{Srjds)94D()lBy-0LN;Gq@(Zi>T(&5%ewycdIDMa@9r4V({HqzY9?04x
z@Dy`C*0&uMIqdLtCq@YP&H9#lwP{v$#LB>LYDuRrn)$I7Vsz{4`j>;zI(!nQps%4E
z<Gr2bndPvo8-vE28HsTi?E#^!bDIaQfgf9yq~~Ah;Q=eAj^PQn6nq+{`o>Bf71pC@
zs53LL7f7zu6F2}eH;9lJ`<A=ZB%UWRPEFlR7)C`a<UhE;qB}vmvMY<(nZIx%!*VZh
zW;?x7p6gxI#dHS*)nqmO*APc3gw?>#=@Bh)v2}>fPYglF>|?WAfB3Bt;=mS$H`JtL
z?ll)Oh1q=TzPwco(x!D7N~ns5pL^M^d=_8NvRk4djh3uY`eW<$mvHbL(6w(wNMz-n
zxGjx7^H>{Y%@uUnS6}MJiMsBDySrw|Oe})x*5YA>bb|EL(5^wyt<*p}N<Ng#2R-#4
z`i7sD2tKg{{i6R|?+&t(;R}S(HWH}G3~<aCvzL%X)lNBk8Rp(fI2N{T<wfD!{8yUC
zo?Xza;7z(p>7ewpSg`Zcb+>rnG4FY9WNora4DG2?F+8uyTOy7W)<(e%im#~$C(L0|
z0uF7clfKx8)ph`pcfVJ_?-UIlKiV%|+X8U_28|zhcCm%;fV&;R`YZIThc`eQ7+1Np
z@Rb!S9S4lo`c{nRf!U<w;X?Y-tD@PN#3(J0qMfCiANL9cSJSJdgqU(Crx;tj)vj`}
z@;TmYovW5UxxkbxT|v@*{vVG$2nLWiaY#7J6AwZcQg5dpn$dp(vciWW#TiNpPD8|L
zyP#Q2ur*CS-OT!h)({es%=I=xvxRvJbM}(&kkR1~D^1PzRr;gCale4RV$p>%pK~8W
z)|#3h98T@IlB7ZfKB*|ImvJcaaLqECqG#!nb=Q8d4W_$%ZTrlr!AxeXjduH}C)W+L
zCe42`8Ost{yO!O=T)(Tcm8H_oRM1nW=-AGA_9dci?U|aD(@+7bzi1ib^0v|0<xwo)
zW45gdKyjZ6Bz<U7m5%BU&eskL99n%4n;cTY9|~Iw-z`amzj+vh=w+(%w8yi+2nIag
z*I^xF0NWtyNHe6uX)?feELFfvj?Iysq}eiBguBCH^GR&uC+qfip#W_V2+#&&yGf5G
zac7#$Bm%Jqf}Ca(0BwN29oSs&VnFb(pllE9x7X?0_RDdx815#^yUDKA9;;$SRN^EZ
z0PNVd6-E%<36b}n>@1YZ#0vrFg<|k>qEpXcy)Pz(+WmEMwPU>TN!bgqrL+#cyfgq5
zY*WdNWnVG)eQ&M)(LuY8o9sKMjVBcVz^c6DW@#gTD=i^PBkM%h?MLN<I8qt_Ppwts
z8b6RDc7DTGK1DwppntSo@(fF2CcH2_-UeK!$m+X~y#sDV_ymS)l!7%^jV3Yy9ni;r
z?SO(cgN5!UrYwN#ERD{g%b}o8b&D4010C};l+=y{emHhWC)o!e&0Oh}gCnQu$%~2m
z!l-dZsOWRsnMv2AW_iA)bb{O?b$m$_iNO6JY2`R=_9Ecv>8LI%zCvFgFajAU1Jysc
zEf~b!>0~@Au?2gEJLpo1xF&VVNK816XPv5LX&N$6N&d3GUdhK885=m`!hkdK2;I1v
z!midSuLC!e@8xq`Sdy-8fr1gowB6piaT2B`a#wSwxa6UlC!NC`R+7y3Y7!u<as~v<
z<539H^&>jPTMwbTbWqmh88n&QU>+a5qljnsee0B6Qr{<)goWWEOBZ3HLt6rT-Zvit
zpZCpU(2LLe_W5((H~+?)b1!^%S5g5vH{`*E;B0W%%r{;vCt)&un%WZlHxt2~>mPua
zkxIR5(cfwupZ5)F`N5@{bhkOgnHdZ2Z?u~1A!6^MF3&czfg#ALWX^FXSfS<^ayLgM
zc5d;annsw~UN`7K8b@wM_T<0pQ7TJoe&m_<9Qrxi*Rspb>I-l)<9x10d$ad*`X(No
z7v#M6tVue$p`l@p>U-max1Q827c0ZN9q$ZbodWIGK(WYH5)AtB(#?ALEb_Gw%!b}v
zA$&XmSXk~=;du!g-R6f%fR`Y_xwC#G=Ds%mx;Ima-E))ZOO-S-GfFBst(dI->`H$s
zJ<w5dwDa>1>x+6Ep9TCEHK{CZYm!ix0AaiG@rO}<8H!SAByFrPG`C)Pc##?vqg6NE
zyz*+8gAHpFVD?KmjMahkiApt3mUWt^!G}9biW(^+x^kQRQ;ReMJRt15E-F(w15)?i
zJh2yu0DR<z+o-PI^Gsjs4JFTfPGH9x%pJMgoyqU0U-QNV-JT(&Aep5ru5WBm=txh!
z7SourLXlRllRI>6+~7l%ccWo6N`I-?@>*$?#cq4kCtJc8mG^>a4d;k@DK4M4$|TDM
zLCDIm+|Kx&{4g@-<EFOlF3(BY1F=#&F4Ob3Kgu+az@CUc-XQbeZo3N7z9B&}0r6^g
z?|MhLy6wpdb?&*N&PPPpeU5GCw@Ut?m8sTO?jZi?*}e}B<eIl^LO!WQU-E(>0<xZw
z#)iuF+2gRJ(;E_;*rMD0URAsEw1paL<9yiNR2V}VUZ)jwe4yh|)ej;JupsSNmes-j
z?2`Z2)jIPTHj7j5ywa`0^H-`$91;den)pAesR5|^2kv+iS(W8D&;I5W1XX)vWJcr>
z04D6v-WGVNm42w@f|#1T+^UxN!CM+~9RL%^>qVUUKS)V3!Hs7-s2<YwN}3H*lSasl
z825PBFJB9+6cZawT3x`42l2Rs_5J~XOQ=uf44tgSlk^&4QQcr(34)BX*O&c6WI1Cg
zFdx@G=1P~u#vAU?Tyym-%h8#2vM0Ig2_n*`E*>b&TpJ3ye_|r${^3L?ms7e_edlKf
z_h0^QdA%R*Zt32#QgNxV_*ifF?`rE`i2`p2sF5t3d^)C$Yd!7yU=TqsuAWQT6|DEE
zw|FTkI{SL8#8461xo#48kET2W1G7Df8$pMvvq2b@m=x?~tcIh_Rb4e~@b%_>N%l0c
zY*|PoB(Vi9tynr$LKr%jQQ#~)<dyY9ytsTQu7^G@$gN%RV5WSPe-&xjX;D*YUrZ&w
zYYkOh9x9A|Dml>_cyc}zDoNL}gGdqw@DA!}^&&(zNVVBAxb9mjkcmCo3qzkB3pa_9
z*di#}kCMa`5k#Rcy8@TuwP;Qq#be?%4#xqFLSSLkdhj5`S(I|h8GB&3Lj6j1%Z0<F
zV5ZiWk5K}B1zGf7(8eM$_7xX!DFCJTPmkfBJW8kWk*7g@G3B<?1!Pf>2GjZZ)jAo=
z!538oTjz=Hn#wbMGjg33tKGmT7<`hR<W^bKlDwCK4G5ANyTXKwz0efMJx!|%VJzdy
zZ9S7*oEsw@EZ0q|I%P4yXSx<p!8wpn`EQ;=7<K03fAJKCp{CjYfv146am=qEn>eUj
zGHw56M>1u;a+QldSY$29+^NF^xwoQn++5;1O%<ypl|0M5z=vM$sih^R=~i2#xqW!%
z&}PC9V_xORD&pEU+Z?%6wj>6B>^9UC+0FC9OZ@^PdYRXx?&*ZLXKCZJKt$u|vQWlI
z3WzUdn|h(HvCnQma5+KI>l&NmVbUybf#nMkbhyXgK3{HPARAX1XRmaM(}E#TkAM`s
zvu4^jWoPx$&22Zt$BxJn6Q_y;bKJ)^ExLPdMI+Nx;+D-F35Upj*S3a4`3MHt6`dP(
zP5!_4?mKT~REict4w=TFLD%c=ghDoznr^;j*Qj>0vC>6hL0UPlw*8EfvAd;4b2ubZ
z{2@N8{7<Ww&++)4EcXft1DBenUvi{(tDnC(CU_(g<qnMGM4R>RH&qgwr((Y&{<nAv
z^YH&APhp*&a<e5yf5Qdm_q@>@>Qwi$D&F}?C%L`;*mCKSr^#N8EV{SU9O_pt04Wh!
z$<Q+`$vYRQ?Y1+jV|$pFu5X5=&jx_qhr8-+(~^P9$Q(a-Y2yfD|M&%&7?1!{PS<W*
zsKKI;o$k8Jz$o#G$;N<tG3=w=k8wyO(&Hqu@4&O5;J`%BcX2_93S#=sLZT#2d4$KX
zlw<S%^BVrAyoSvo97s@qJMhdMfdTG~klL(Gs?QFi?k)tm?P%v@p!w9meCjc+*k|pz
zVA(28&@H0Y0Zr)JNPTv2H9!00%hyu-1H~wN7mmUd>p)07<vh9jMiJ+4Fmh2}A!Yb?
z$reQHy>F3M_@6_hkM$rk;L@ZeeU$h~<)oqgV~3PAtsdynH#j8-^$k0d8;`2dLyN9d
zXqa4<i**po{3;7mf?W2?0{~ePQ|nIek#u9m%jLI)ocICvt1#OV3ue;yuhlsBx_&H?
z4A7V?b7iM4*Y$?EA=1k|kE`Cc1c-cnLt0{qe07}m?PXEnAyaHb<DIVKU2&?SQ}uaH
zgCC2oQoXOew<TJ)0Q1;?9N!5U_ZmxTnxGZES1t+~!S<t7^?qLsz_^6JdoAo0YsVuX
zX?3)umUay1tB6<Y<y((i-K?&_1eef@j{#muK<GE~Vd=wJt=Q>}WAR6K0&n&+NV#0)
zAuxS3yT}P&CZXs5HoQCFH`V3!=xY1?%O6r*Qax}YaS3{~g1Q*i(U>}+A0p+1JFO#O
z*~aj8!XFy9&tXBW5_gqF7d>f3MAgX}V4g3qxPm;s;y;x}7CSj+JOQ+Qy-Kydnn#f)
z;i4&luHiuKn4E3YnxXh(Ew22$q4t2a*tqz}6SY^P1S_s;90PJ$xSw%|N6nsJ&s-z#
zZOV;Fhc3fXzI(OYG%3R93kRMzU<M~PYslik<2{)Tr1V8Kdp^_D;|ytW;joIt)o|qM
zXn7A}WISakPoJ~47PI~m7*{m#5~<PSJ!0SS)xivMFk|ed4jyzcnR&ta4uwl!0Zp6L
z&h_dO!~oC%IzpPq5N{;m_wU_%@RiQj-%^9xw~~m2B*t{tTVkm<BW#nd!;fdzqIF^=
zk=!@Za@{j3?C5tuP3e7>*xq<rf^u3EXj4ggKs(&zp6?2Elx$t`Lex25&S+kf_aNLk
zO~@q1W2w1ic!nO9U3P_YYtxNc47Sx73+xdS(T@N`@}6uI(Vva#cxT|9H*9zhucMTI
z@Sa>qW&uOObv1fn$jBK}8G?<@A?0s78@U?VYbf=ZH^HtSGaOhrX~*<0+Mgz-5srnp
zi74Ny-%!bFBF$F=h%abk14pjc#(QBk1`9q)=?@WHMPzR!r;9?EEnC8S`x<S`(ZvL=
zSAc7S4);u!u(+%84X?PfNh5-f#GuXGNYu@uJkQ|%wHS%3HyA`RmE(I^N;+pd<LiTy
zO5TaOvT<@Zg>8oJOH@CJjjsYB@LN+bt#&d2U31}D!POocTzhM}qW;6(U0m_4IlY?G
z*t!j_Vai~Iyn}``4u;j~qp8_8t*ZezIGw!cY%TjVn;DV{$Isw%_I6|^P6#(lk6ztn
z6yPLTZgZWq;e$|dze)ja@3l?1V>!C38geM$D=x;q1|boSXOZ{d)c*Wo=x4b#<M49^
z=ya&)hhDJX+b@XLZ{?Gcf4k={y&Y46*c?%1bfuh*ZyYOm9DPz0ax?W!;b_O$W_Q&D
zxNg;8YFw*U?8o9K{Rd1vmMq<QG0Eb>hu)XNIt?p4w!3YlV6``kJ>j5K($d}JewNbn
zxkAk8O5lwq^G63}^PTbcAHr4)*VzGAqTT7g6IbHSZ{#6LU?M&sH}Hl!2v8=&9%Il}
z`5o_W0<o^{C4$oc)c`~(X})P!{^4Evj`uD-p2d0J1uO?00oHG0I8Qf`;r4U<XTyJ6
zN7M#p?Rj3v7>;a2%p(%ti(Fj~PS{(}zo&fdLi6-YWR!ZQt#?0L%qhhu_bFuW#SNvm
zMt0DU&~!%uTL$HavioH}uat0LnQSm}5&4%<@On3XhQGj*2w!exI07nAWpjK0{qEXu
zo&S*+3-!Ku*`55@Y0#->4r2Yg#^%WrcD#}Qx$bZ1ftyW4zblu{7Ao~y&Y!Bt(J%j9
zj?g=uJ3}e@ajMoh=QVzBmG9H{dvLWrN?%QYBk-YD@7qjOa#)N;sBFWFWBwG8CW0$J
zzQLWX8&3|Hz01XIiGTH;0Ok|t>jU;f!zx?iV8=0DVu>;MO)K(L5mD#3_Lc~mUf`>E
zJGM`H_BbBz&kTP4yt^ww7<^nu5ZL(Ke;*9RdxB${VtubT#><&yVr6zc(3Ai=C<EQu
zQ-RkXfB$ldkeE24jANwODqYNd=|)wQ@R>5xBBB1k3jjb7MHcz@jqEo9eS8A>OGW;1
z(5*X)VEFHWrf6j(_+GaG)4f9-_hqpUx{#!ij)zaj+yS#aSyYWjDp2t0GoX_ekVR=<
zgU+(yL+%SqxQ;N-E|78nIoY&jSLZuPUk^e;!nD)O)iRpOL579<qo-xy`vg<J+|T%p
z{O3PUD1g!{FY895Ke*yF$_;7H1<AhXnP&BQ?!`nzr5-xnEEs*s`pxN6+bJKr6*(+r
z$iMi%?ry@)_&nNsZgb(W>NNz;gQB#izKo!Kh7>?I_GP&~T&gDcAid0dQ5-B(YcN!e
zxA~p^?+SoBUrfONsZ!$nf&uLH@5C#OOZVmEdQmkRh6S&{=B@aeIhfMu)*C@QI3vPC
z<|cUz9-J|^3em%ZGnD=c&Ir8z<fwts@RU{e{ok+#R0_i&6zLY;x2X(FrhiS(2LHJR
z5~PtPnx~RUW#GR#{jUA51^uV1-M_m?UwH6uH27ltzyIpj*CpcV1ZQtlIm(2@8XGa}
z{GF=w*97tZ|Azi=KA{J<m?m}wPI|{tC%vD@PkOVtPI|F{<2=k;tY?D;R@K@%-f`+)
zXX1s~{rl<u*JJ+YKRhwR|N0>b=Ys$4bUanh{_466JSglWb-i5H8;z_zB_k2&NdJ!b
zA5ZVECjkFUTu%j$L9F^mXZn9g3b;>8QB9YfOr6RXKXm$CgXqgBI53_>yyW~l8s*P#
z5HJ_;>CaKGr~X4q{oOB_G7?@5N@D((0Q{~`m*eKIrTo{I__e-&z*xk~KmSBN|7j@%
zDSv^=z*nKT3^oCVv-~wra%h1hXCN`_(trJevG`N#3Z3fTvoV7ns)84k@M=^tlq3Rg
zZNQX+=f8d>C;aN6E%;3M>!kYi?t<{I1ZS7_zthT#rCm5a{V4z_GnBQ`nE$z!|NJ*X
z;02*)7*zj}$Ncce&+501$~-!`VOgw@w^T<ty(%3D13u>0+U;m1`3%fQC5z|k#()0}
z{smYOG<yf{gzaw6V)^?|w!r>ffXQ^tbA1`Y!+jY3r0_W)Cin)bh&YG@G^VbUy|hZ3
z+If2Yo9l<C#Q*j8Xu{Xm78So0kpBH+QFsfwO$sHbQV>K&1`#@y?E01ITNs<mNlKv2
zW<i+S;-G(f?CsmPeV8v~JeX4E@^&%<=F!3Yu{+sXnQ5bCwwf<4QNIx;>u31&IDc`v
z_}w#XQiz!FuahcA{K?3p{Ou>T>esIY|51Ox2cAs!>uv5@v1IFan&@e2M+eSKxLTF;
zd>6ZW)p>@Ywn8i%C*t36%H4%(7Q2N$=d*Yud;Tp2wnGC*6~i6!$cX8s-UJ-DzrM%!
z@Viletr6AlV6!G5`$44w6U3^1Hl>)(eq2@gJK+0_wbT`N8!0NLCpdb;k}}7o+Y|bh
zJ!0PSvL`xn6}6_-5~`m%I~=$oC>~HToC<UOi_G%+CLSWP@9^Zx-?xN2nt)wms%d|l
z@!bgM+@14c3?VCBjud_ILFY95gK{>VVy*a!&{=ObX2yI8m6@1iq211vO%4!T)rTi~
zghBRFRT3&5T!rlV1Rd`A)9c^4K5`}G<;yhfY|V?vc!f##d2k*tgl<J!I&|oCP-%f~
zvZZ7J$wG1Z%DGW~(JfJ0N;#yU{Zj8ct{Cn#z+bOkX^kAdcmsw@_cd-_j~PCC8_7~V
z*5Md`oG;<A{0#HwA1vg0lPu&fPv(z<X5$5TJ|@(OzPQ3Ers=~&K9UZ;=ow94ySS0q
z)6DuUVKnEKl^Qyk>ISq%!NIrljn?*Nj(}VdRN{o=HiVQZ`P99<OF!6E2ArO?6KD#b
zow<qmM*Ryx4`qM<V-BdD^H9O?)_Uucjg{u)bRqlk2cGM4Z60uUt`@tcb}J@rU{b6Y
z1=H>d-k7rjtin=z>yvobouYgsLq<nz;WZwB0SjtKkG``eU3X1yv!*$HZBE15tTa~s
z+~f8Yr#WX%2BAOysBrLmN{;>h_#bA_8?N9~X2p<v$XU-OLl*p|W}?TFf7UyKu}j9R
zf+wx`>^8qw>p359UFAokR@iopj0OS~JI8HQ;A*OwETz_q?Zs@9F(Gg(^KGCjA<lbt
z=Q`Ow4#tS5SU%Jd$~Th*bU)JPwxaz(jp`)}us@S1f{K$8_qhoTWS+rDVpTx#n9M-;
z0NYA6!x>Pqun5)F_3JU!9dh<esgG_&xv(()X|K354tCG51k%W-|Jbed@#V^UrQ)&W
z0<!h?qzl_Eg_-c(Csb6!cy$COk=$)@7tpm|#4=_8Q{J_)pz15$>x_n;8-yklei*2V
zikkEro#%;{`bX1D!AkWY@Du*2q<*hoVJkY<mCza~S}&m&`vpW*)j$83s@@h#`rL~~
zEc|Wgoh9iub7Obgx*N5NPOEcHa|*o?VGaK-n4d7>_k$>!Gxz_VH5qgR><920{rYv>
zIUpj!6r<K#{A?&ZO+rtImbifY-raaj>LUr05wB^s2qP-hng++3#Olgc7Hy_LpIB_Q
z$MF%Qr%ma#+sRjH?Hf=r#pqsvow4SGJ&t3bp^KB`u~IqtTwpO$j`{xej99?&*$m{X
z<fmKn888N)Z{=Ng_`f6lD(x>{rdntp$OV|V%Zdp?`9=#)6L5u0)s)o!Y)w22=B5e_
z@?4&<<M;<6Du||bza$}HyOIGvG-jyIcaIlU>HOAZzH>^~z-`2N*}~Df+5;<=BuOhb
zQeu@3gaAJDh}-=9ZyFjJ0iH+s9am=UM$g1<Bgh_DcaZLHmjCgA((lFU=<URmMDsZ9
z9+0PuRXFv{ap^70cNx9Y>@@g=htT5baD`u<K4%MZoMWYT7#-cjXZ&Qsb7ScHB9f|G
zbn4z!U?ORow>iR4lNZ6_U)xWwkzn{5&H{{V&T%bFzYdO|dpF1^DDLYu3$Un;Gzmm%
zPm8Kw{|F{}-9Vhf;l9-0fC(fiOc`5vc#0`m_5J5_e?Lju@N<i{%>0?WY@ohjp<>D2
zMe|K*<x+OuAy1(AI4vqcb$rZn_A%2@VfX$HdT}<ohQzAll^84PrO)*};Gs6TJh3Ck
zE1^23I`LubWQ3dho~txm|NV<|jG3&yyggmt7VI|9jp?<i;5oR;HkMQaNmYKa6GWm4
zb|l6gBEk>6ifJeEI7})p-=DN6%;dmF+6%kV&~Vx7x)I*4IqFn-UpXyEe>M3x9aHb8
z`-MY&2Maqs&M;H#(sKM&_~Xl{P&iAIUUs$;I#Rn3B&Qa;bdBz`zca2oXtBc!b9fjn
zup2XKrRpHlo&%q0uO+dugjzmltA0XVwVWQ6*_|_BH&>>e>}J!~13I?ZhgxbmCWf&f
zS|by821d}M755CKOfAq0E}2)H9vPbWbyA_JhPmg5i(J`PQ8g+0A9kC_qqIQCZ<c!p
zbg?yMzBkHsUZcO3V}y-fTtZ&5+Vd^j{`k<OU)V0A$nSBp9<);S1Os^*Nd=}gasu@S
zs>5;e6^<zWt&O50#&A4wkou^fFl=7xz>Ox~s6Gfld(u2QtX?++F9tK9?o}D;m)Ep+
zLTu1oq@VCeT?-bFKc}7QCpubXSHa!))Y~;{+cGLgi#`TqC|)b8x=cx_`WB3DdFoHr
zG==N*M#~-V0}^oz34@rjKwYBhTzgCre0t>bt@pblRHgo{DQ@%Y^$`-CnX@cW>PH?9
zS>AnYF;Df9u&<i0;dk*7*ZJPoG}A=Nb0^&Q-^!&nDH2Yp3e*xzbt<7}!vY?`qFfL9
z%Xx#M=*2zOAZCws?cI3E!=iE;lf+-Uj2oBxom(Aa6cEapVSP!Jo+^93=j}=ECy(ap
zS-yAZ;xiXWdvGWA(G+`b@vV%R&=d!`+-ACY)kmXu96ZH$UK0CQ>@o7jqMS`zD|7aT
zv8c3_jb21$j_U+pY};CO<m5%MF{Rdh%L)lJQeM6O)U$}m>f@uMj>SH@01PqU0n5l%
zbWFyKpFckGoefFduD8|UNw{|bs?<3AFUHY#ic<k~C0Y`)AicME|I6l!V{u6kL60X)
z`fT^e+W?Q2o60dyW2kgmzJ3w2<nFK~$&f`4Dw1CO<AaD4Su93v8zUDT`cEPP>Yy*`
z7YpD&&=KUgpK9H-YJb=N;qDnFU(TpVpQ8NwW&uiG#z5}v|M&0+$|Q#cnKRFX-IW3D
z+eQsW!l;|D$!qk7N>r(Co@cBZsN+m_g&q5!NWI@k-A>-RchJt;>U|;XXkuw-Xe$nt
zL>n;n0J7)Z*xTtTP@k5glh^T4wfjFq5vtvf{sKi{4tejsB%atv`|QGQ=9X25W=b8F
z4sjbw*L|Y0G?HH9O@)PDkCRH=c>U}VlBqF}*7$`2dCTQkr0Ay70z<7&t06o3c%~)%
z6J=L|=sG2-{m!s6pS@)(9n&Mf^=CznM%VZs{pP+tI>IC^J)X?e^qTP^ldWI2%)yr6
zU#JMx{}mNs`0_r8XR&Kt!;dGcK;#2{smKG-lg(VtfUUsbT+^myw#|%O5d)NuKTId_
zTpM5vumP+=Slz*zZ<Ss1oBO@4Sz-k-L8EIP%NhG35b~OnVQRE{WbR9FdhpoGgN0%_
zq2Ufj`A6bksaCC^$2~g9zaR)tym$8|)td?D=A=LteZiYtvMSHQ<o?2SI}-Hf3ljwI
z`Jyxbx+K`0KCX#ucD>Nl8izP7VD(OVO&~C&?a1J{UYTw9cU+oROzFe6EAEPUN|c*G
zw>&WC1#s3^f6F<8H~?yB)uY{2Em(wA;|t=Og(07(65R&Enqi<lEi7>)YSs!j(La{d
ztMPEa6r44JkwLzy&&d4wPKW<9nL4PNh_dFl>-duiHx*}<W#u7aKE*Ts*c60PSMY~5
zCU$w{q31(Yg|d+DQXZ;>HEbM2n30mYM!WNFp&nAj`-I4;=J1=lgABa62GUD3Nw<Bi
z6Rwy1VKk#yEU{v4;kK>lfZ_AGS3MRpbE5}~wJ{)e{+D{ctTVIfN9=r{J&Lngf8N#L
z@xWS@5OcV!$7s33h0QRR=m6Z}1s@r&3;da2$kWrJlCaok(-(o_HjMi#l7JbOnS7kG
zT{rYS9y*SXo%eJNHj~0_*%6pjKE9g_G%pto%l$HpJpsTujMVH^BkH!zL~oY#x@8b;
zV6)#+zs&`RjbAu9(aLZbAjk2Y?gTfY%S4AFXK8#bW}2qSC|_r3=g#+Oe|%s*3fNRk
zuM!X29<~|HIR}iG0R>8bm8I_#>*o*Ky%m7TCa4h7+J6QG1gdh!7DJ-OJYkwGYKh!k
z#pqhqhV#CAmW6g;@un)gm1bIF<c#nRyjo_vnKvp34j7PnQowCc9e(~2gRTA)Y^*Cm
z=u<;5k;1wHt+0dh<+5MbhZa$|1<CE!vGH|-kZ-Gv6BWCJLi0y#YRTgbAk(xxQIs4S
zs~|5uTR5L9rK1(^=3Djnt1%3hsoFn4>b{|2<zni?wb5e^=vWzHC9X+sj=qfsRE!1k
zdsL<$yB)@?qW5u!W&@l}rYmbNH>DqLYT{XY5-knA10AuN)oul;)m=<bQGv<z6%>E^
zMzYWMFLygOM-+j8&J;JeR=vbZ+pt*Qv?2{AjHnsT^rEAhV26ckdhVU##*|5IYwKsh
z%_M14Ue8;<yTWaR(2&bi1~dHCX0Spa%O&IG`2b2TMyV@Ujh@m)vu{|W=Q3v?lqMc$
zRMast!tifk9Gv~L+oI--H>HvH{uFFZfI48J!E`lI3#9RKnAQ0)FEx<!7m9&m)NzzG
zxy{*vc4dc`gX4jO=Qm|gkEAzFpD|(G&NZvAD@{erS$TPh6zNIeT0@a`13A&g=#$~G
ziDXINS@}vRB9RZi3hKW${@MIUpUsjSvw(y9rf)mGOn<q;s)&#0%J4kl(kplXd1?*u
z|7rgh4U}Oc*u3&asNf%EVh|qu^~FZX==P>|NJY)$jGGn+l6TWOi!D7WZY%>*a0P$6
z+1ICQmOaxkorjn!D707UNroV)^gaLN_WQLt^J&~RS~)0}Y^@Ma^n|paU5DuV@--(y
zs^s0y(Aw#pocJh@<m$UCqR7O=VAqO!lF2kRjm>gk9Fv8c8CeX<8jGbxXfA}(S_`;f
z^IrsK`R>4(?>X4QET@Lj7Q%L*H>Z8BCXt^A(T9@U{~8bEeK#$^pi%hwc@QKo`$v%c
z+>pSdEq1Lr>yx^|zOWxb@@00yJ3duWKZ4}-$@msl&9?;qPZ0n`-R27+uV1J~1&4P~
zLIfkl3qQBM0T=+c;V!gtvS2a;k52D!y;;bEw5BtoTg(!9ipO_~<2Nj_B%~v*2|X8c
ze^f|9t3>&-Y`MF6fflm6au+-4wtZ{=1wnL;ZI_`pqF^<!l3-{5+~&LNzR)AG%r^2?
zt@IZKrdYR;*HlFZj4*Gz(X_IjD7={b%+VfsT3aVcOlH8YXg1ZT-xq_B)(N(e+*gY0
zFNK_j%FC20hX5q8zvARK+0Vmp19E)qiTnGa(lOGgkk}1&wUn4$-F#D)`-<>Q5WaE~
zT9DY{-mj=WA;Ftw1WxkRZLnUo<NJGQgQCQS;M@I?K>r%uh}XaBbu`U4?s35mtxr8p
z9<MUV5e3Xk*>EW9jVLmiRkki8>OEh*%W1V{lfraoeYqXYoxBy}I;or~@fV?^G}C!G
z#XMZPUE*GIrS1I8;yNX2CI{u+YD`tLEEd4N;0URii9&2`T%azj!+mO6;cgNr3CvSI
zR|Uk(Y8RlGozFih`}pP*eNY6gaPQ_!&uey&J$GMC>fi<i4-Lkd*SE^3%7qmLto4<5
z#>yS$<nOmcp6H4oQ)OZI77kZ<nZ*&sHhpZe578?sY9lX0LazVJhaV(M6Ur5YBIpjB
zF9tS^fG<BO@nqQ0xN1fh$h1Ad^njS)W$#^_BKa$lmru5tpAJ*JX1jm)D%riOm+e11
zxo&df$yJ-vAT?*gcb)7oaDuL6giB$~5zYG}H;2DOpu`DUS5o7-g58zO<Q1E5h7^8|
zm131sP7*8olW9NT)Kl{MM+244mabIw??5&*ku}}fU&r&WPW01AaHqRl@o_@s8!eOR
zpkO)dMywMmy=WQHM{0-YBW6Nqh1R0tn>~$FSlu<3G(|6zamNS0VRwI=u=hwFc=m6{
zkg~6*huR^sRN@&Aw+s~DHn5#OcAvYs#E07T;1C{!ypC=u4{TVdw?|spiuu$Obp@}L
zVKntN)mW3c_V|dFia)8yiAzHYtDEAS#C#%b{cD>a0g*tf>5~}V!vvsM*llS(KXPOk
zzeVxUVb{9lbWPk9UunC^O=8*4Us8qoJ}D?MdaUw#-h{v@A{ay)RA<TF@}PE-aUb#{
z3j;!SV@Qc6IJL9cx{4~k)?2H(ik=YD3TrHT2)#}RP4W3dY{(QZV|9*qmf!gPqz%x~
zx(F2PfCTz3qq1oKk@WtYIia4UVk_KNkDg=EcSdmk6;7<Eoe&QhgMrlYP;7BnMJfGT
zUhzne+7aC0*!lw6tfl=|0=)?<$?DPA{>9=&tmovXiU}{&!eA~k^M!C5$dS}KQ9HWk
z5P5F*rG5=gNp7dX`*MT0xuazQkuDOSLEri@BWynGF`sB>mt!pbIg8{(JX3>YR4XWI
z24_14oEwFZ+vm9wqlwMtg1*RiMM%mfN(Tn<5*G0RyFTOleTLl@qw<X~I*S^|Rl}T`
z&Lh(Or)+9Tyd6a-(ykQ7@ez#>s=Vd3FmHw7C|uLfLHe?kQ*v0rQO?Mx1Gp>t+-cOF
zPEv~aytlX3AXf73o{zWd37;#7wl@RQKfgi&B(c@6=E5l?L7Z$`F+o%<5|Db^+X!HJ
z5#izQc2ZMQ`>WmUGNmFZxZ5qw4Yjr3ZR@s9tdfLf5dkgtYZIktPF9I<D$j8hpMFcE
zPa-f0-2<>1Re$~Ktuhj-E6#=1UGF{o-MYdWdl*Dr?v2iSmsBDs7}r4Fd<=JyWUI@i
zY&&5QMn^CekgdG+ule<__VZmZ6oFqiHU1y0eRV*TTi5TgK_nC@DM1Bk3CW>Lx}{sX
zq#Hz9N+qScyBn2~9J(0<grQ*=I`5uyj(+d)y!ZR(-v1sI^@+9jT6?Wu$YmRg2IYje
z3RUvg=w_E(^2&&l0-~^qgy1Y-4xPwx2NtQE7R-<fHBuRs59YFqj!>9QBi5DA=`?e1
z71Kv^kTR^?+w`~m@o{l)a-&u3vhr)l93w@kA=GQRQo&`sfES`650|4L3*0A04x1uh
zhq7RFsmZ@=nnJee%Nj~;_!n87h6fPJ?K7y9KR(}GJY<pf%SW1Qtzu7^TdoC~0>b=+
z2$pWgUxayh2}Z<QI?)&Ea(*r!*X1&vR)yTEFrLo0Jm??K7qzEV_<BrHutv8KNtk@6
z&bocbdqW64;@k>?Ns8~uS6b70b^gZFB$r`M!;U+O4zZ8KvD~!$&}{MUDgNa-F9}N<
z*4&#jpB7#rQo2k{mlMM<Cq;SA7xVJPq%n)%W{POUr+tp2bL)_t^C`gKsILIV{E6Mg
z@n<Hp1@cHEJoiwKGz}H|3b3ynK-h>YPJCO+jqrn9-N@FKGdeQu<Zkep^LNht6{Pro
z1u3F0&|72y=SPd&S?dmrXjp5K&WQD{(`;fde7@T##OQ^SeM4O@EL)lIwK#=NX>kM7
zvXSuvU3f(CX`?G+{Z@f-Lb8_)a|+bwpw2KkmcwXv4%eYDcJwsjlkX^E<=(>TvSsq4
z?q3Iit-EUV4m6~mKl)&Rxo+ey>KI8S^D*J<o}%wfOyx-Je%OYZNT<FjImAV8yn~p6
zf<nx63fSQW$6iHp?yHyT`OKsc$Fp0lDIRqgE|=NcJy{uMX7ak(YX1`XjX}q0Nxp&k
z31A|;6_tfRfzVjT$f(IaFkraDaOZ#8pntV&1>`}amMJ%O{Jd)wjJ6{VhNtXDyay%J
zpD#zBDL1^hX>VU><c)^#!l7&w6AH~4DhsK}>or*)p~8bk##|gf)rdk~WHzyJ?G_GR
zNc%Xj!F^5BlFe(MK&~#YH)~jZ<o9>kUmwj%^Gy;q*wtGbv3U{LPK=_i*YXEWyOj;n
zX+;G$<(-ov2(sjCwyor<P9Gia-LiU4^`s35nYwEllt?8~$&tu`K8sRz(k{rF0Uc-D
z{f{VgBCNH8ghT5Rdih5h8Y0#>EIRJfD%O@xMHxsPy!n=l17cgI)UjuIZ)@7-qhT!$
zEJB!XtrT~faK?)6wB=nuki&Y%i{qHuhSPknGbh(PyXt{2ki&h8m-*R*NFr8~uASJK
zFU-9R<LbQFlL3-1y?0cdfbxf2zp(C(f}vtv&Q<cN6vM4N(xma&2LL5EdePjw7zyo)
z%vp)XFA9A&ZQD1j5Y$OVEE!ein%MW@5f8(uiC`gBul^LNzsr~Ut>(B`B0G;He(o*g
zvg>R0anDi9@yKn4=Gv0Avl(V+PeS?DHu}r)p0)GN4?cg#(FUiS<*#qpCZqS&4_(nT
z2I6XG4jMY4Jf-5WU|j0%gE*n?_@>Tw({Cf6I~NzZsqpM#Qs9;5qupid)+O2vF;3es
zh91D?wZHdmH7<4%Beh4cO|eS{sV1_rjUqV)FS`7S*1s=sNKnVtaK}mr$~^vtd+~t9
zFjkMP)rMA-T@X&uR;ESGw$j`UYSXDPsq)je;r^?uiTxBLGi63wi-hq`9-ZmRr>nhU
zv5~PhN?l&e7>Ju9B-z{e<QymPo{t~L_8BZJ3%=6KqnC>CYnq}LOXUKG`pcs1aGS=W
z>?ihEeO(mXi*&BLzSXXwFTI13PY*rTrp^t`?DoFdtRB-w_bqRBcb~qeCPP5(3Lw5D
zd#B+iaT((JmmfWLWq}74I{Drsrcrzxn<gIMy`QBNH&&opGFVB(YWB5FB0#(Ie3ae&
z`}%M};8bOg<762ta9S3gzfx+780yfO<|v`Ya$GQD3AA^@8yb&pn!IbDC(fjKq=8T0
zj2t6&nk`HQgmP4XR5#)U9lwou5ZTR(ca(chVh=>7nwwo9FgvHj5T@$I5Nvm$+)G76
z8XUN5nLw>f0lspzv>7mkiriayebQ?N4tzwOhfRIM1sOQoz$Q}}fSiJ#6uUDzvjmzs
z-e0(}UVmz!bMGjFA7Oj3QV&gle=*WNRH@LGYpyw3XwFC4cS4wKdbnGt)zq0t56Q)E
zzU*kNc0fl=#K`trVx#{ovp#!XJxj8lsx-3;1VjS`0JAilaqSEzt@Ju~o7AZ?SLsgR
zDAAttzBmq)P2{9lpCBdyn9KyANFBxH9<q4gxNZq$QObNF2%uFp6<>$}leR332AF^~
zK6X@aOSTx!4(kPcZzKy8@V$2%7bIs;eDBkZiYO-C=GuA-8{nG6qe%EK6Fd<?kQGJB
zdTr%cno%nK#8oFGVJF-4wn3V*^q&nWlEYuA1aWw_a=E#GC2L6QJx=B1ReIQ@J<Aai
zKKQv#Jha~LX`3c-UAWHXfJ8q<1RAdG;xcBdp~4)DH_r%Z+;MiMzVqXj6|%PQ0;kDj
zTgQB2f*mf#)FPtmF$T4SJ+%+2nA+F<Sh#S{U+wO4Tq|Awu>}?0{j^t2GG{jrz}jkW
zm7cz)dyr`dJdshN*|u>}A+e0X1CM(|SH4YlP_T;?JKa_)=n1#Q!SEm3)X4xvodgCF
zerD9$rxdx?IDb9{)S`%3CUn=s4+1bRW4wq?6AH=L9iELAY4;R|l*5ZqcJYW7xpYBY
ztY{T`6KLknRanxsm;J)e$;te%_?C}tC;wZig=p{e&|P}nHy1%Di}GHGU%oiMmHVYf
z=2cS$4pd3-WeH!(gF}{I8B8bhh}+v?7T#w+=&1XAdT-A?Wa~7)JZJIG80xP7XAJcU
zHR^hih~g!?k0Eeg9mIc2jye{_>dZ{2$ngA+9ZB~4N0$H=_v+1K3Clk@*`6m3fRoJt
z8e9#O$z8qi&!xzKFz>52vNe`hufy5CLeq@<6KPJ%1WH~qoWgNt^nf{hrKtj~YH{L*
z&4nQrQIEovc($^0a_N0w4&QQd5&}jE^nEW&bdosPtWv1~h|<&l-{$aW(qN!^W4Zpw
zQyJu%>ZE#!s?Lo_!*$h11XWD2(I2U7&kxcY$PilSJ4b)0D^h2DvcgbEE2OC`Ev0Rn
zc3!4ZA*>v<rq?Hm9G*CkQ~czyy5h6b_S|Te>qNk>^m&dSRhwpu{-Y|_D&IuF$flA#
zinfN;N-#_}n+GA>oKAzLs;sP%vvs>s<^D~h{XkQ%o?4;kHL=>^l7KtuZjR=3NESGs
zC*OJKa&HoK4G@DPX12Q@c7ZT)O^o0>d&Av)kWcT9%+Z9x?0T=AcnirqXxbRM&i~$O
zqLv1zYRgy4rLY7i)1G8%13!h0P`5f}mz8I$$M2kNW^yS!VVA>d3@CZ*i$7qQh@PlN
z?oJsc@wlqByRS_g?%%*?8p}USw+$ERjTiL49gxsqiYde6xtubhnrM?q6>L$d+_my-
z%IQ{^Ve2~qX%6zvG&kBE+ZkOecXM(0epZK`e?|Fx0i^lp439a`?O=^AXGyX)f7#-|
z0RFUXkq;##ER(>|vz2nND%zJI8mO$w&dG20Blo^!0r$@U%p$ZS`@M!5^wh07Iq!rJ
z6c|0{D463I;VdkSEk2ESfB^>^*=d6A+u&eSM>0=k`d}u>099GhV+Zj6%2n35dJ2uV
zIeK^ic2Gi$`Wdm_wjFZ0k2RUR_O^b5LHliPmw|&j*#_<JluPvlE6_6<^}bx?_B^Sa
zVWdgMh<d8<)l|v9Z{bo(v)b}Q0)Xx2P$#<xJtyL-vFDdPM#6KzF@VrYYv6ea*b0N-
z)C8HEfC4$BB*$yyoG5@YfyYt3VfZ@|%jYvSnEMAjKhbT*iQms>IGZnO5V>&^hMdZm
z)l9zgm6RfRAYLIX<#4FDq9$`yI!|bI(OiF|P{f#8P)7@RkzIFb$`2f*YiCg~y+g?_
zx7-ffU$$xz@LeWNyB5*WcREg&><=qS)_k{ul@yUar<ziY!JEKt^wje}@rt<`EwSyV
zNJAG5b()LPiLEoovK>Z6X`x2Pz>>kW^Vrps&0BUQiv$@#e^IB6m+Sy_nlgN_P|K<N
z>GgNv664rKz-=xK-%2NXnTrHI!ta&SX}9!o8sv){_DvqbG^qv$uN0kay;J4^TS)WN
z0jhq(BK7E<H=AU{K;*wH5>l^tbvF$!V#sEZijV@oZWgEyfWew#<Z{u`GZq9lp8M2(
zs}z<TyEx?gQfVH5h(5w9>aj5@7|B$Znkus=KoCP)&USdC=~vGNVou|mXc^9U-v081
z*M!yB@Hb67)d+1Bg5dw)$_7ord+ue6rHzT4QS=yF$}E>p`yCCvFMN{EbzMg-e~g#t
z<^a<7;I6mow|bNA=x9$;z@6sA9u<T$sfnOY?Ht;{*C&-GfZDg&#aA#X3oQ{Jk9Z0;
zGjr!hHIz8ReVv3O8E-)e2r7qapuwf1Ykub?CmnHf_hJY%y<KYMyq~<wtnOY^=^rjr
zd!I%wkv<(G+UN+X3+7LJ<VRV9@SMRpFmHttO>1#7etqt^H6#ODSN6@oVNx5PB|s|P
z;fg3hijRB3AOxrcFC*7dv(o&J!f;G#{JgXGOSj8Jf7xPZmR?E^Na@{~=uT-<N2gkJ
z2*pr0ny;gtk%yywpR6c<LG)b2-tf-aR$htbOf+XiSZ;pty|wUZiU{#>;O@d@MZu5m
z$fQa8L^=csf1p~UOWC}3xK-IW1WR{4?q#u-1hBMyKT5x12sq8Q#D@T|{TZKegCt3$
zv$6N8FjiJi@?kGDcZ87B#AhBHJXU7v>?wx?`SO9^Mct&05inj0cyQ}q%OjN%XHTe+
zTh4Ewq)$k~tiE0hl8PX<T%gvbQ_pyfCSz%aYhkNAnt0ws0F;EIX`T-jTT6r;?~;&<
zx>Y4?HJysYW(37-cnkQ(qER`9e><R@Ke$TVkkr<}N1@^FI^$LEAVugBrS^Wj!kq9q
z6A{C=5Q!i-)0N~0(=F~yN|6fFquEMc4lDM1L(bEt!-E#GR$9#8mtMPNypsuaS`Xj3
z!*1su>Zwii8ZeFR_p$I!9}lS<s;$?L^-ImR^GBmBI8jo7u#~+>?BjPqw~V$MM}xa#
zXk<RI7=4@tp1?B1z)wEq;8N>ApGn)MX)?Gwnn8Gyj5l?<$%M%Y54)x|LQ<R0B|@Xh
zTrf{5>!ZrqweL}8!>j8yV!4b%#Ns{6GBk3@6Hp?<TiCZz*7ch_PTy`to7eCfBrZ}(
zqx|GcUd(r@MD}t)OaRO|lv~>)O3+?SScO1o3sAaG_J~lv3bPH~5!T|f?ANKD=c`7h
z^Hmg83K6R28Qh3Xdr&vW@kk7KIYcl!nT==TH9g$;aT_CJ+Sz(IO;{YzqbWpt%UoBK
zNWq!=1pt#MC3Ij{=f7=_9xYIbp10;Y>vEzv(cFU?`0`+|sWRxM*Av&B%&V%nScq@h
zJm+v9G|-H`(F0m8O3e`0m5*q?<q|<7UKd7%v-%ftI|-3Ew%=4+SI2D^!@R)wC5@Z%
zhoz2wpz!C7siwf@3nxDcc_Tr?wv=HSditEQh%MxMOr)cBkum8a;YL=uT3OEOx511`
z>)D$cjKEah1@Uq4VsYie$1AEU5HNcA(^MW%w{ZgD3TAy%FK8YvZT4@sNKICVr_@M%
ze4NITC8e;{Nv1SwR193J*MVzwgM`Ke+G9TY@B)Q~X6A%<c*&86&n~pMT~=^plGufB
zD}`dE%jY=B<ZD;l<Yj22`q7O?m7rESUT8$j^MQ0usV4~fh0RQH7}j)Z`n8R}*Z9@3
z?;(r=D_B!Yi-Q)_@#}E}thY0fft{ec1+C^(uPfQT;BKxdB_%yn(e>EcnJ9b=+6aH8
zzfXbDh*Hu67NsmVnZ=5RGuEY`KaJx(DMb!f$h}#nYWYJhG;1tnFX=8rJqF*dbApaT
z#k-bYc`+GB@5-bQ0@6WW9b)DEC(EkW43G;HOFJFUF6W*h3IkhfVfBt7VEiveLOaHc
z$E2h6ms5PDJzN%%sF$R$57hN=LoO#+$wPLI+?%=l0|QaoA#ImmG9KN0-4O1o-RSZG
z=(vWqqWH<sP6Oy0l8>>%tGguIurRNAt^}8Gl^SbpLw;|3fVri%BKa2q`E8)U00v^&
z`A*hQop31LwEGr?${C-Ah%uYmQ#Cy3Cv2<Hmss<ArqkksWF@`ThO`y(Hm6(H%DEUR
z$eazB?3HS?(tV_4xzTss&;)fb0A0Cpo3@F4v$V3V%w9n<i5@*n!!um$-1+4e6LA|k
zK4QN(IV2u`eDR9hq{{J+ZxwsZ!nJCn9mg?VQ2G55_V$&*V#6gZwo(O$Ac^Et>>k+x
zlM3vFKEfqhQI?@y-a+g#Ep)^I2Gj$JIit6+Xg&XAK4}~7BpSN4{N6(>>uDtp|BUC*
zsiFG5d7v!IOmtmR54|!WqVHJ_d2-+RRE>qyY=hU+f|I}cpVrnfMyhXFb7X-@POf6#
z)-7>o8OxwEC=T}8_eGZ(S0upz_4&<-rrBOkfY%v~^)&?w-@yKzj**nRN%RsOMOXfo
z%9JbUIgb5+>%KKmnhEADtxY&e{BGZx7++%!sv2un)pm{KooPZqSKa`0<qSYqR!?NL
zJVN8St1XSPe_ugfC@=c2$!f>hUtYPEHBOx)7I>TQRsbduz4v_%j^hQ$p9b(>#I%BM
z$UX|d&Hy0M?&5l=aDj)5JoBusK>~3|ZpRthRB;G!ASz}`0(N3%`j6fp?Xam$oFn6O
z4U-0Yn3`4`&TUOCu|5>t!$^g>!9A(xlg;6YCD2}>)Z#{oylU@QMi!A(&?NzLgvP6z
zXM>I@s_?6D7);ewmvl~ZLiVBe*3MC*O!HB)o>7y-tamS@Ff?#8j#oN<Gv5vvZ(+{2
z<lFBpuVeJDseSte!knRgeR1YW)4>|jH3GZQCY5=%un22%H&RLBc1#qp*|=ey9Au57
zX%Jy|#*&cny#!bfDE5{d7$IOIc}k<%njkA1^~A_}7WIc<iUEd4v35hEWvB87QIT{Y
zqVpgN?Dg4<d__P8GRH-q<mYkw*Hj}$Kpq33h{ikh0d@eJcX<+Wr%pW9dQDTQV1Wzy
zqHxOYNgJyu1V=x-S3HE#W_GC=M{W}@@*z_b+L8t(Jzf!~gSL|u<=5W+DcebjH{()h
zJMqUa-sE%uSw(I0vva2@R~Byi>otEl!ROivKB!o@?+IyT_pTy`w<9yN^kpy<&_D2G
z6W44HH?wk>%}qY7$9Ie%>xp}N8!jz#qdYrvC%ItNElOr%RWhivn){+U!Ptgx+myXy
zGrbOoxOU9%X??jPMvhf*+%qv3YQ<QZn`;r<-<I6KS$C55;k5CvU$aeT<Op-3Lq>DT
zUuEgM7MkPfuH@^+UZQ!n_?^HvU;=%hR<4zRSUyFE*M*=cPpXD&@9@l@Z1RV^P9$}B
ztPKV-ocpNu0g75|yO4?FK!Sq}k?`Ai`dIiVASgsC*aj>*vG5b0X7ck4x=2~aUiNDF
zGV?%h)#7wP-$3r76m!5WE>U>?C$~78tm))MiQ!BPzpf5XiQ;nehQb!<-RjW|-tHN&
z*H31L?~Ykbi%xWZ0p#KgUi{@svr)x>A{7_~>1pmJIJ^(0G6mNEXx*5w=p!z1e%&>p
z3a5zJl%qH!Ii2RDw!M3)rrTmoO2f$J9{j`8!<I~AzSS`P7_K{1K^;3Qv*Gwb_*DWJ
z!*pjyulEonj@CBzT?@vB`glhzl)`kqPm_kDj=W$^76deBn@BV7cxL;U!JM$2v8e(R
zXE1RgISKX$cz0-N0X!@ps+#7NvWHK(+G4f>T2r)hIVOE^LTA@vxNc0>7u2bLBA7<2
zM2h!GjeF`$BA1)HPuGrM=^dZzqEGXg_?>$V_cAvMw$Wk5vHhslbj_kZ@!6x3!pXa`
zb2W8EN}X7HVmVkNg`yUVtSK$tcgQ&3=-?!Ws_f#K7?E@R#QnZ8xjxZ44J@0o^un8(
z%W^|`XZjMkl-wra@E5?vojuv`Q&9y<-~t{uVNc@T;x6fOTNn5R>^;mmDdo@xJl<@e
z?>{hAWs&p`9xon)MpSn+T@HJa9UaoZa03zEI#Pd+*3O;wZj!L;vQ(^Wqb*qk;PJZn
zMF{_Df&LAJ7r07=Ga}S@NJo{%$Mo1%Bbodqf2th*3Wl783dDpgRYfygsPO^+Yz_mp
zzs9#HyDS2Vu-yRp8hGTuqPkT##KzC1`<3)t$f$My<h5k}>n_WNClwxRyQH*(OhcTn
zn(1lGwCBn@*l&N4Ni|NoIYfsWh;Hl?*m5rfc>M8-QOhQ0hAw=u=qKR{YF9gZ!(QDc
zBz+LnnI2ndHY_Oz5%*6Dq3o3abVS=DY^*C??1obH8*NT^=&Wk2MY~FiI>X6x06g>E
zGkUJ4(va6!m{tDwoyXZ(xtum?)fRE1_&mA0soO$qgO6satg^_V5v{ING7o5ldtbd^
zvff3!zZxB(av!Fn`!XUy{-CBi@Q~l*2rY@*UQ8#JL}*rl1kQ+owf$}UtAcIPa@RQ_
z9<AEI;<^@T&st+tl0eTjE1midP=%C?VH~Q63dwD)|B8_)RE%tFA}VXi?P{m#)mfBa
z5Z9UJh~xMQ*YKymzJiPRo69+f(Ys9)aTmyt-Or#ni0OqPiglVKiP|gfc!{;b)*2<w
z6lns}mb_QnS$%syu{PZQ!_6?^5b;W9jd1z6>?pjm-9QLSo%kvE#scc-p}!zoKX=c2
z_&%xl3sx&6lCCUMe#XxJzU8kX*a+bM_Lb?v+h&?Hs7+J=Y@*^pCVV=&6v`fQX!u2F
zh^VHC>#mA#RApQ~)6FN~RGQyGd`f9>imjKP6vwF6WeXUrm3DeCn_XHKCbV-8Kw=4=
zn;B!E%;UXCcv)PiLq7dFJpIPJa1qf1C=|+>Gom`VGK2P9ht(mnP4e6%Uq>C#eOe<5
zwEg{W3h3dYX;A1`&wn;s3>>r>c%Jk+CA&KKz)N{E@U-&0vMHxFE{0aw^jITCR;ax-
z$j$^U?HU2u(Ap#H)$LjARi9_`!7j2n462L!%0Zp%?C7!tvTkJYW21;VS@hj8@*00%
zh6Em&0kj?KSx<qaj?Eb0z|NDv>uI+j-v}?B%erQg(aQOheXi0aQ6mPL#{S_J%@zFl
z{rmblsEL}%MALfUNVE3z!z706e<5i8E+@Y;UOCWeFdwDmrlBNyy?|5I7ymqj^`lS2
z!D4}KX}=W04@d5Uz%Lxb&xz;5@8~|Mcng@`%;;737Pw?%t?%Ix*~#5Ts-<=Yi#lvl
zVQ{$GW)`b_l!r@7Jaw(ihE6O_S*2UsZ{fmmHK#<p=zDu6=c;OWld3}nIqw7LIc8Cc
zpJW!-V+K5Q=%(J?1mmmrKzaGV(D_q=0X+ejPf@~{Wb;091&W8;QnOuW^FhMfPn<U%
z-*9%dgU8HEV3Tu6l1xcI!9piSz#SHF9=-TgF#mQD?E4v53_hi#d|RyB!r1OaV!RKk
zhPE_)mD}j(X<*w@0&$?C@)`bxyQKEBa1a3jMdh#6@hfO*DRC-+?=CrYmIIBY5?RfK
z4^A&{Dw#^;fVhxa=W6&s_tM2om0o`}!JspyaGtt^rm3b1oYv%YvwLcz<8j-tS<fh;
zauSD7<9JU<%`>EMP!3^7j18|-k`7@tS2bgK(MjZ|l^&`aG&V6&wg;kte!_ZIKe*kh
zgmVaQX|?ERuT2-^++S&*K*#*;`F{OUP#lnBwC@uU5iK^d7<G%N6ugvq&17?Pz0p7`
zR~!=<$cmzE{`%=(7sY7Tvv9V(kA+N~PFJ2)W(Ce=EULcn!+A0_{)i@+0NZGd?VPV~
zicxE#?geHFR$5BD$n<x{aesKjH$&{zk3j+&c>-uga_fy5bO7V8*)LvMf)ES372$Gl
zXL0Hs#39<)l2beoDn95>?7Z5sc^V}QTp}WAZt%v?JQ-z(`7}YSV<0ihza?|me%b8P
z*32X;O{2gShH4L^S7+OirpGOGE8rth`n|XfMua$c^lI`yB9!XNjXWGDQmYas`cqQ1
zUr0;SUC|=Yu%#k2R6D$0p)ANNpBO0E)EGzdEA>U7m%<yKNW}~Q*P@k+^V2A>BO=O;
z-2n8D73fndSl`vApvcxsQq{7!LZPGOH}GE;!8-x@+lcHM%&hKt_Nv*u0+A=p;RhZy
zYqRohkb)ws;ov~!b(8UVGwj<DZf4}JBZjZ95%8zlyc7w%`@Q~Sosj95^|XM}h;>i|
zIZQ1Ww#9&jfZ7vdWl5uq@5ZyU*PGglrh>LHn@KSlg-%-`k#eqHZ9!`);|uifXXr!z
z?UnR*KRfE9>%N^OT2I!CWz4-9j(nCIgB$sue3()|4uoLrl+yit_@5M?#|BpgsoSI|
zfsV<^<E&Q^iIbjmZT7locatP-&X~|KbFDBQoyv2z_VDkJ&DIxaSk+~SH{k`6DK6R;
z-vAa-O;Ga5#U?NT<+hrP7}}2kRy@{FYKn^*$MGv>I6{zdEd^p$pWNK1^`57)y`&IR
zi4?vhoa!mRa<YwpV)VE_`ctkqx)9bw(Z1L35KX;d4|T*|S(0G$ZFP+^jd_6kpLEF}
zUw|UA{X>ZL_lJ1%Mhf*57MfJ(o}-_sDi?_eE_TVZ@zY+ZNG3<Em~Lmbz2%kljfJF^
zT!!JV*^&lkF1;>KR4a^i|IAx&F(+D`$4|^doi#&b1u6?jQuPSJpa(eY*apE&cKzhH
z*CbZ*602Q>f(VFJDu2%bKi}kE`@&;<6!j}6x&!j-kn%S*TY$+Y6?dV?g*xiptBT+r
zEG?H8P%rpKm$gEUJT1l7ZaZ!-|J=Qum4Pa)njd}gz<yUCOw@yZIfOw5aEGeiO>A)8
z1~Kx^>P~(i7)0+wsG?n>ib=u+gL2R)ZvB(Z{Tu)8MK2ikO7#{*)cwATy*a%8Rx&7-
z8E-IoO9C@(viush*$|b9s*_{#3n3={U6;<4ZV&sEaP9Dy1y*PBF10;+zV-Vf!fx~8
zCd?^Bu3&G^joo4F>{1BI8IC!QV~z%0QG>ODHP_y0=SOTs3qJokHT{FB{tyB9&P<46
zUgLkQt(R!mqj5@f`yTHd*bnNP&E8;jMP76Bep#t!Q-gyvlC_$4|B@UyvK%o1FbN?6
z0~6V4cDKY)`^{EwXEaVk>pFL~yFvZ94K4%!(R)7Kvo{@M5c-DuAh}H7P5;{K{`<vy
zQxt9b_W=C!wHBe?SWSk7Vt34#Js<rG4D$P=UQXw?(xNyb8Adi>_Sks~hh-Rulg9Uc
zu#%OjM}OW?uR@UOV$NyhQYOZeWZyFHc+wBgaTd7Ve4+YRF#l&j38Yg3E@--jwKV?k
zr_ai}Xb&i0xRb&wb2U~vt8rK%>rRQm>TmFqx!Pna$6aPTHEh3)d4v5$d5t*%XS;(m
z{pz(0QMcl6P*VcQ=-U$~JZ^vHpfb|+hi&$c-&*}bS^f8m*C}B6ZB+=#{p*i?Os@()
zYFivAC83PL4b<-A{Z3Z)l(E{OP)<?u!^oIn7S8<hdj=3$;k74esy(8CwG8YVWJz_#
z>+rShWHJdFC0fmp3>-O72X#6X`r<%8{5M1Ef5Z)#cmv%7=xyHLSJ@xe)6uVo;Xvv0
zfw&z-(~-r-{41g_NBC&~{Zi?|6oIonOR&)NR$a(+-+d6aFRMjCiwv{SpUV|X8_BHg
zyE*Lugt05z4;Cf=Z^`i=0fWN|Bq|JyeewVOPU6t7`{P9L&X<WpqNik=<&e&u^H_2Y
zj7dCx%g&*&5_sb+Hg?6@VO%p|xO{gcvxZ*H*=OOkXPbQ5VITYM)5gOJ;{4oHA`TKe
z8NjAgJZu)S*&YKJnqgQ||9BTa3+n&*&4*6l?X>sbD*DI0{#m&d|9MyK4)pnp4)A0&
zsnfcnMPu$ATSdv(uVb!r$AQZFnSGJ4VJ>0Qu7p8KUZbrI$MlADsp35miU<cc`erEu
zTKI;Iw+GlHISslg+CqZwto{2V{Lj6ByL)Jjx}82W-hce=pSPWe{@8^==Ut|VxEu9z
zzt<rLe3>sJ7qFxX<UKC!o;E2ie0V3T%*XtLOuNy{!b+VM9n_n_6tzmHarXF2`<h2@
znsW`2q44fUWQXHsJsuvNEPgKGBBlSr=l%8~worUl&zCE|_*K8ES{#{&Uoa3;Q4&I}
z4@3e3i}(-tM9IQ<=!=AQT*h!T_N^=74T4f+13TVU^JaBW`(xqE^SA2h?QZ6CVV&ed
z7E0Sn^Oh8BRbhP{yk!=}&<);&ybEqCnuKuI7&eiHdUVHy3}x35&nZuKYqCo=9?HX~
z_mVX?-~I2~<R91Xk%B<GH~Z1>>u-<pFx6k+Ey03W+V_ADy?MdiK|3{*!vO<>QrKpj
zWq~YriisPz9S6;Nx@u$ba28zAu^RsO1a=)Iy7JbXi<#*6klrB%e{vSUU5fp~0$AL#
z)|eu@H17#@Y31dbhAaDEUeEYlcHy5%=|vPO3q|#WOZ+Pf8G!&%7b7IO>G7n^@Cpnb
zA~(3}JH8>Hf-WcSnI9<l-bDNc@$V1*>zn;~fsg@MlOvrgB;>zul=o1EVfU8n&B&{)
zDRiW-LOOkf-<v$L+x{XPUvUi4uC<M@Gm@6AO6eD(pa`$LcX$Bkv8Jm-OHmM47Pn?e
zBT0bgTe$gl5_Q`G@9%#0<okwye;AZkLC#leOFB;P>HYER-atj;=YsBnc;@i?>kAS`
zt%65q0^F616fiIvHvP=sPqw2&lN{`(jG0j}zBOcW30%d+Z6;*+%P@8?W?aHyge{$V
z<*8EWw9y<%Wnotp0O(^V#k()&>EECPOnUG?3kspm1yi+V6~mS+uU^RY>6i%tM69e;
zF)g4C8xcD;Q@=TF+$LH?13w%b^2b&|utgKI=C2!U0^eo02Y2lE<@vA-2PEgRLI)CL
zB`xZ^5Kvy<9J+QuVH*7h6TLP|!(B@*SKPM{+z%xLWLaO3;SZi0PV)=yOTBttt?<z8
zywBNmDgW~EyK$aoF)$9p20{db_iF9oSfJ*XcIlTsDrViDYmt+Sr6*q0V2tMvwBtWe
z3*F2Yj3qU~uDeA4&bRHo%t;Aey58M^^W*SSbG;%av1>mG!|zK`Il6QVBjZ1dL{yIU
z5ugBBGqq3z649zj0o$rj*lYh7S^28P9ejMV4ytd&$98<(iQT+RFT$O0rw#zrXeB|k
zGgLpqbsyba{+<xzTF_I6^~nSjn4<vZ4rg#X?UP+LjuL!0h%?dXicw{Xq{XAriZhl@
z`cYj|D{!-o%sr+=O%N!Ee`syAeKcjU_O<2FQ@O1fYfN1rIDi!(I|Ux6gp}qEAlE;B
zc(wV+qto;Gm83riX@BN_fzN=*&h$Oz`n7*eRIj6ORM*R-o5?c)mb?Hw1X10+AEU06
z*UpC?w-}D6&Lr2(lQeNraI<aBk;kO69OJ}~HBNx}Kt>DYvV1&ns4<J|h@y`8Q%?Xq
z1tD7KrRP1&6T95RZUBj;0iqUPo-s6Vy(TorAGO^T2{JJev0N!%G$ojBrU0>HQ~MR%
zr@+^T-$S6zGpe{9Q-)E$Lf!}1B{Y84A_%?x`^vkT1Qvr&vyj(=6hOe2s@WPo^(IA3
zUDL4~o^)EHsybQ3(XMrcu2i4(QRm8!-S2QJ#ZTYjOU-Iv8Z`QHSQgrqH?&A3`mIYZ
ziD4P^FZBFB*P`Q^?Yu9^3<jWerT#>&!Z?g?o{s1%4wL9FUJ%~@^JNOi-+gf>Wm~XH
zFYcFKjKBa28M_ioi2FNA?Me!WawxSLZnA>2zYA#&d3KAlE;H4UBtm*5!<^7ROUih}
zRYT2og&R}H?Hzkc<7(x4;z5K`UZ*0@=z6}((fgGh|EKlNmsggc@$WwRyJdUvc%L&S
z)q5oDzLJ$7QlcJxPT%9S1tR?xHd*?JnWB<fe`3^QiF-ZlzFh(jk@ICqyzb#ZzE*nv
z#;y`T56%jCpPx8#+wBoPk&6l4UG5X6QFLL{YjWCrki_GiyfsrNrLWILBYd*AI{_jt
z+hV*}2^g%;JOCpaYtr66S=C~lEL>_?#bxPFPc^Fxbpq|ffcytgWdmxot4}pwTFhrO
z@nWANgqv#MX^edJ*ByX2Wo@%oQa(U78ud(b+dzeFBH$(GZyj}-zr#0ObJyL*9lghF
zlh#hohK$7FZop{CV%F8VzF3LW$sv&+LQR)=jyUc&+@rcNRDWw>e+g4*<L5$!{ki6~
z@u8udM)#ncAA{inU*22K){7D_YNh_@io}3ksyBLBXGGrcbKy4oivM##{H%i?lYx!%
zNpe-VV>SSP9RNrS+&c&><pdC!_EgRx%FjaJZ&Pjw{XtNMyoago6o92$Z^co~)+M~!
zk#t(#pO3Tsai{ojwa~Y6Yv+0W@i${Wiulv>{qzy{Wx@D{&8ylG<)k6l!1dAT!31aG
zP*$kAvh&7*)d~H=GX|LBp!M9d`L1HQ^Q#V9Q=}(=a#H`O%`?$1TTal|uWtw|&A5i7
zK~|T6Q?kLIT3}Rl>*0k%VN?jLfXsbmG{u`piq)hqTT`LN?}(PG%6jx|zN))UK%rLS
zE8y~nL`|(pb=^mogbU}WWwO;N@BDB@luBh4F8HYCgqJAvJz)BlU(!M(7;>Rb8Ig68
zDf#K$$=;eE!0o+MG3%2{;S<)b-@l)p6Y1nMoFyZb(R|9@KTuhJ6o=i<zt<lgCq>L|
zmA*Ocd=FzJ+3SRcR;m8}bMqrgnRtjl)j4zY)=bl*@k~*qYOZHP_0aY0QyqAODZE%a
zKtiX64+xVky~A7CjizHe7`Oe}p<Hjf7%&((ebbZq4U0+ttC75`A<NC@Tkab5mRw+3
zETPf^@ox6m(>Sd*&|<37avuHU-J8hmNfmZ(l^7YuW;P_B_wkA8@G^s)G;8*SplFJR
z(587T@Iy5jS?B;jYty5k4|{WKqq6pk7FiM*v8%CVErVOYzqD5_BTocjz!>4O@I&In
zYb2u5t5uBK>8y4z@c6#hnXUO)CG+!K)$y$FDsb0t{BMCxX#{}g_&480F0i>Tv(dz}
z-F$MJ;%kzz`Q5Ld>^pyiAO~)fcOvqvw6Aj0ITdQ@Hh(XiaEV-pV2>h-X0W5f1nQu-
zhTz|Ul5MU@NwdSj3|DY4e?({4`6ug{MjC!^r;Qm29;c1;P$Jd=CDD}3g@xvQgL5~=
zZDcbiwxjlT{TB3Pv63U%U+X1IO1wCvBHD4>@p90pvsb0_xb>jWZVYi;ylk}JoWJp!
z3~jx*12+gD&x!5+PRl`IfAG&uK2D|pZ&so4yNk>PKQBsD0RY|H7J{iw4>l$pL?PG<
zZA^nPKr=PjV^@MFlD>YrRNwc09>PBN7PcjnScTflrvf+-EG$XDV{c%Sa0-0*@L^Z|
z>LEOqJ%QaS-zggEc5!iPV{kW75>yP2F+$CLY5^!$7|X;SD3g;S4KzCe;h&7W<v!y5
zTnzgY{2$Rwy2)Q#TV<*)7=(i0x-iavDd1ekKvj`OPZ;`JNhx62xEy&GC8vqu%FNyx
zC%KZc2KqW$tNl%ZY_`Z7530}DY~wWT-O5bGPD&NAxZRGisuJv8u&d)O$f$Y7^Tn6X
zc@U~I#?xVLLWmfgSe&0ex^9o;j(tt^;J{hGBm~2K`CL0Xfj=@ytdibxd=J*v#AY<B
z-oRa@kP~+_-{gDl%Q2e08xWQ-nB3$(YMkhr5v!Zd#J3I~DG_Y#sJ#3vm~#R&8;8b)
zTcTi+$&Bh_c}a9?GlzqL<h7O+8g*xLczeq{+YM~3z*(WYjx2IY5ZD!L56rjj*>203
z_KaEOcQZmGd1`PZXG(EB@Ng-c^1RO&PZ1GK(FJ3r(}5gr4(mcsLI`r4`Hlvxb?rNg
zwYil74>o&M*sMCFPwZC4ozi(5up-!9?z9GAQIVw>);rR@n{wW`znDmJijA7wnaj_W
zX+TOx4LiF^{onEXr6MYrZq`|)nH(066wA;xT%5gj55*BL$9Z0i(m{GKaEVJxsPnnF
zARPI=oo!#&Tskm<q^yE;`X&Yk7&ET@sFH)b=K9J>+m}+NvQF=fg^!|eGDwd`hILNt
zzRqele&y<`OMK)nQhY%dR^c$holb-W4t+Dof15d3BGYQ?^V`NRLZ#Zd@`CnNd$04?
z?E#duc=4hax5_Q498)_*w|-+M&fy7ZqGMqLz<e_DyekPu23o1l7b20`eLZWQ(VN$Y
z>X9y25hn|_6n`H|1T3!~A*0&u8`^r}!mqMck+;mik4RHQU7!$T=$a6`y&|*D9{ymO
z8BeWkJX?l1XZaJWiR6`3^Vb_S0PK!PhhhOhV3ql3dLrf50K=i@O!(xCn$^8K8*mpA
zq!S+^eH97iw<+G$BoczOq;>fGtLDuGMJ0i9&+7Rr2;Kr-cl_Ifl$yg=osQbHOPM!?
z<YU{u+#SZ7cif8oX1{mt4PQBETH)Y`d>39MWs-JC`zj|f;_LK9#dbbB1uT&PzFMX0
z?0(01O;c_dDatanc{q1LH}X2u;%<z#I03N@-zA~v*nmzd>%)a-o;93P4Kc19&VDW%
z?G}AgRf?fTu-F@_GP-8;UpZf8JFc_iU??cZvmZOVo#f?=WcSus%?Z-IEKc8UCbt@?
z;HWC&ztnS?nyPeVZ8{Ys5Po_vQ*jvyJ2Y?Jc{@EXiMeQv&pFbO;w?H*C$8f&AvG|E
zB<OAeZO+w&)>}WG89EZPu`NR#>0d9_#6^&BnZuuiO>>rg-kQ9O&Y|?rxDkgWpr^zy
zow=VJHi1i=1LoHs$Toij94TelJ?T#2Coj_2Poa2Ea=iJvOLO1$>_e4-KRj0@#Q3X}
z9@%P^O;1b_n>32luZ?deO>$YFR6C{H8J0t#iy3P?iPVwO_iZ{Y8?Qo%6qL@--Af^-
z#XM`|Z#o+aF(3ZsILUlRgT6QEki&6vu&4AZb`9}Jf$;I}QnZf6%fd6L#K-}R$7XQa
z#);)%{w<dXi4D>fDkP#qexO&YUCOM>0Ti<c$kwuzPWD!78>G4Wg}p2;KEY|}BCX*S
z#?oaxmm}fz{lcUkBXK15Ha8r&H&*JK9c-NvBRQtQ4?AjU9|~6!JUu)XI3aoUrR&Te
z!>swJ@l@4=orem468|2I6%39gP5LK7j^Uzb5;u0?HPfQwKkFvPzv`w=YXrUJ%0i*x
ztmCY=!=!#;eLs0YqN8^+a;6ZbIw|(Bh$n)2pqPma_b<KNKhWAl^<a&z9Z34E1b{v}
zmJUd%DOKg^jAGDa2Lq5;;0Ii}Q7~0wIVqIT&dMcg>DvSYgNtA|*6Qls>TsoMV`_n)
z7m7;HKGK|+!tMBOf{yHRvF)_!Y`3Sp*Bg-Y0j%?fR4u^%vNmp3SxycaebXdGE|{nQ
zu1F4qD#EAT$Nx57dMBB?wA*2e!|KO9O4EZO)iMLoRnhmSr>ufOaJebYf0b<4u~FN<
z2?Il4n-T>q20JBvopNN|nGQPigMnZ(Jc&l-si!=1;Qa~hCaZN;{ly#god{F%toss?
z13XZpjBx0yj5{>KDpkFXw-KnxC+-E0%p4Q1Y>r<Juf0Ku3n?8uT}Hh4u6sW#wfOuD
zCUXS*rq%26!Ez6*e1x)bJ=5~R@GkCs*OmCmP<n4=I;N_E_ey@bGS=fxYu%(Lwv*`G
z?)z9t_?IuYD*V&G%YwQxsx02|0in<{tS6^gI~pDOG|DHdvCM2|(;w_AdTwnGt^;y@
zL8ZDM`R36wPk>7geLai&ivE`|=Q%GK63VYBX8Z9~dsFK+-NK+gR5Bd?639E>7f(td
zQ@&DkN$uIz+V{*6?bz44q&ek*5HCK<1+PiW;Fg+Rn&_&@hVaQQUuz&{8udF7j6+~%
zCgTiv`5*u0<u?OfzR=(SUYeCAyG?d{SfalH(D!5S4;$yH%wbI0<h|3(B(%h+(I~Q2
z;d=gnI*rWToQT<u4Z+oBcBCqt>%?GE;#I%#%~$QL^=p(H({q-7U^4aqIF^y$9(?7-
z)ALCDTwpHZVldbK{z6%e#6fe0B7fPkOahzT?L#-9>v57Qr3#4osb1O-SXMBq5<Y11
zVjpf!%LV%H1PrHp<KyZ^Ci1PGGaL2AsKoSnf3;hFeQ!2?y3TS5GSb&+Yl(Q$Htgz|
z#|5^2%a!h;<Uk14?4dAnW&z0uT|~=-e);5mA=<>hYVv&^igqArj+NHrIPJ8?z~>&N
zs(H}MHD9Bv6_8hDN48cEa|BMBIyv=xEx^<pe?~}<z(jk!I6HmuqP4nkYS8gwWnlvx
zQQH&k<+claYPWnGJU>mQ|I`;{zN=Pda03jXLLeW&tk3OW(j-s7XC>BtvS(HZvD*hY
z_?WoB_lLqOc!1e91pr&*fhc*Bh|`SoQg?K~xBkI|<Z?$~nYpl2k;wU&F=R?Bi~r(C
z_}vMYhZP_uB-O9P5wx&<);WnHWCl_fiiF=Nh3yS&DMI#-+Hc4L%h#-qFye%UqpUj=
z$-2)LAO1Q+|9yeufMVs<KiRhy0(SD{*=4+s>pa%U!nB=}z0~ZJt<ipY+n><qMJmR2
zbLAR!(MLhdg4RGGeSd+bm0T7kjys;Hkif#fw^R{D<u7ynXuVr$#ISyIQ{K8zmy#~b
z>e6q}dosCa#9_|~V3KAn;912BDUuM?EkpbfBbkIyCodfx$6#il`0!x##4TiSD-0)s
ze1buHk0VQpU^6TPv;44%Wr^;^^hRIk4JW`&y*<*rNE{FpENqo66B)y|F{Qnwc=5@O
z&Fu%8WHhbD3c+7Y`S-biDPOw(|HhOL8T!eT*SG&CQ(kQk+jFdh$%w$ljE73wiDc8Q
z;(WhmZV=iM8r{I6da&`$MzsMT1P*HuxUYs!x0_{bnh^DaMXD)sm^L3lxMyFa957Fj
zU;wLor}Nm*HGd?fpR>@Z{AWOvZ>@bA$2&@|&8F)Y(xq?h)Uffi7xClI_#XIId^gvU
z$HVb;4_%RjSC{Mu=-U>dC8FNq^4Zd#dWEAwchRqNj39%zI-KwVZ`38NUWuO$o>siB
zJ$|kZcg$Z$O2v}q_#@MW{t9lr{fmsA@M5Gmfyr~Ge&8CJVCCkfi`nLgow?rAi~o}x
z|624jiDZnZ%Z4W-pv%Z=bG@>9^(wOv8xu1NxGeDO+ZO66kYNm`r>AGua35GZtBGi<
zRTzhDXyhx?(CReSE?N&|khza70s!cf+t}F7Ypqwg@E2?iBHV#}RONbxg$_yh!M6{O
zhS;GA?T*DquWua;)VvDb<ccwTq22K1`1Lg*2>DlkvtMn+zc0`X!14VCV!@5&Ih_#1
zkpw^eyzZRE^L*Qkd+oa?BSh-<+RG=@quxVYmPJ##OBXl`&uJpV#Hwi0u_UI$b#vBq
zCxv)l8|5{wnhM66GQD~fOOgXMCTBm%!P7Z&LiZtcKVZ!X``VzhIY0Q8+xs?x({ed3
zMJyrEFiQPJ$JKXhqsi1*_75}-m@KWPo!Q!4@|oPHj+Z*OjpEQ$;Lw?2@_VBbBiJpl
z-C(Vn<f$fOT+>fY*J)3e&-OXy(xNFd3#o-5UHdr-QB&={>J?Th?Cu$$zT}F2I)C<F
zWgibAk$c+N6xN3)by<e-1aeS=U~^F0JN^vA!tf(Vby$#D1c$^IgWBOFTr0MBDIc>V
zvKV<f1Q_mfJGcRux0O2@ui+ZG@?MvzU{Qwp!O?hCXJ?xQL=kw&SIOu3puFUz8Fb4B
zvi?xmUphnj=nl2<Q}xgu5FQIv<u4nz`bK~z&SYFM`C8vs5;-W4Lg_^=+Iavx0bsGn
zqF5~Ty8?~B0<x9_EyWkuw4z{~$ZQ#sKr_pPrZK0r2_L?*@7ftMc!fa!p%@tdm?Vwo
z6+@Y{okrZ$yBuxDs<zA-UvBe*P7&Z4+P*|CXpO@gCbM%6M+LMF1?ro7Efs!BjH_M;
zM^Z^~a@PuHJldC=t?Bg=kyKqW2TtQaMQ-#}Yy}4o{-7=46zGRdR3XHG&DGubYCx7)
z$odSC^~9%Fdw2*B0H%BO_nQ%Mt{aJ3=qC=nAt_&W5=S9+A+g$ABi7QvP0M9^A8?@+
zR@2qYj{EAoelC2%7_I->QAbca>e`Z{w;i{i%W}qf<pIgQu7l#sFxMyiql_QF%#c`2
z0yze9KeUn$C^L7^`JqKla#u;90Jh$I@9>uz`OTPQ!XXxw{7Mf=`;H%K<mNoEMvr)N
zTwn4s;fEZB&bgbT*@_<geH<i?d!KknAJGAnD<NA@{c;`4z1svv1~%s2;%B0(!_)55
zN}Ctoc+V*m!X(aj))`W|lya0Vudo*bq-+faMs9f8Z<P3z(P}GTJ!y}`&a`!MT6y+2
zD_+5Uu>*7U$_HM7_LvD`rS+J;)!CZ4$DOY!8dDf~%EG?PR+nEEm<GM5u?~&032ta8
zS?jckjioigAnmo+Z86R=f5)7{Y>&TxT-jpje8;{g8f<Y$AIEcf8~kM#JF=6v5w2cZ
z;Y<|C{p(VFU7G#o-br<%$N>V7w$B!Teg~N^ZRa68RXvCxHg{qpI`YOSe>hoQw*C)T
zav*n!GwGp8^85aE<#Bi{i1oMXPglMd+Ru(E7s5c@i^|g93zswPv{Sab$>7N|s@EK6
zudSZ2REQG&-9gs68~05A?fv*Ca><Drm8SFgA%zXj+hj6{oC-09xBs+P&!AAcMjjEd
z9;f_G-79%GUxlvIxDK>PHBhdo^y3ApP>F{*hC0SfZy0agm3rddXLvWQ1=r8zf+~FR
z_X(K5Yt*2Fb8K*z-T?!FzfmVtBEv)9Sp{eY-4rNy_2SuPIZuMbR5MMct}P61{OlZi
z?!ectJ7el13{9sHq#=r%IjqFmvO3K&PfpwE+lX;&<C--+W>!*|q$D-QYYNMXZs+(>
zf4+Banf9cXG3_?u<#|m!cQc|oKBkw8jXH28wB$z@cJMN@#`(PS)*Ld=;xHnsYw%G^
z7Q8^2J)wq<j)^YWr41?aNBb@J3x5rV<xrXX@xZ%9GPxH>bj+r<iM_kuWwi2PUe|N=
zem2kout2pI;-A@m)E~F?uIeK@0)4|Y_D#D#*`>7zd6z%vH5x0+#t-_|gN2h^;(O;4
zwf*-TjclCSwAKcD@S9_9glsqN2WWE?{Jp(2;VmEiii@rF5cmRv2~5?w+>PvH!OJw+
z&;yW<4ds`PE=brg5R}G!sX{lBTE+9qlKDIX^2c%+I6`>O@5`JoI*-0Wg~?x=O!E7!
zpJ9^jsxZ*5K3<=YgUWc8>QxzwXM^qPeG*Icd~?yf{k(N0H+SoAecd-&e#i26lem`h
zb4nKQ=Zus=d27@=uGg<otvhW@2%_Bhmhx2!6v6pv^W*{?`W+V9(A7I(-vNwy8sJrP
zdM7nWYDzRs++#jbirzMdHP$6z!kz^thFMA9y?dAPV~6OfYq3lMJBw<ELthVs8tZuv
z@*SNmxmPiAqXMef>~XxXR@?+UT{d6n<NQAPxOd}93Od5h(<x$$%e`0bzC7;2<3-J&
z&Z~_I1<=9V%l>!B<us9RC?llR7cc!?hB*>5YN$8Lh`ST9-wm_g7@8jStXLt$OmuI{
zl?oDStopFNGK!V-gJd`8*<B86*n54ex^$cE<dJe$Rzt4~dY4_{bXTpH-lek@&P>lO
zEfehj?s1v0+eDRU<LU>mw>(xqRt!2ka8EK@EnnKLwZDj$xFPyf-3GVC$8(`g0`YA4
z;Bzc*xK{1!4~)8XLL^j63t0dd)@4WYPO)=>ux^S*x`>fyjqv5}Pa-_--$eL?{|6#G
z?6&>UXLCNSu`ht`q4am!;`=jg*;QGCIQfra>SylSDG89@)Oe1{U6&1Zcuj~H1`;dj
z6eU2acZBU+DbhmqU%5+^{%k@KhM1?NhEx<gswx2s_NGf9bH4s(T!q+!4G3txz*I-M
z%P{H28y@(Un;4;XB1NRoPdHLBn$|t2yfHMHA;AF2*SS!;I-Ju3XPlWFjGV<oNE?H>
z%aCmOtF9p45u<P4NzD9Ggi-kU14AF3B8>wmMeP?7yK2+Hbmd|#uF1KxP7;=wjH{p(
z-Zmp$zq~)L>pci)$yu9gqXoEu*_eCR!Pv3{r{iCi<USH8*8!832Dw{|6W3LIxEw>f
zr9Xq#YPAwa-a(wFU5(dsJB3p_bsDpeI2A-08^z)f)vFNpk3dc<ezF<|G_t;ynq}#!
z1l4T!%H%&Y&6vgc%0iV>wwaR2ay&G6Z9dqdyWW1!2Tk8X7F{N&1~k~sk><C!Zs5<$
zB<|47HrhsNRC|u%Ebea{+^w>ho`T4<M4=KHX7?KQo3j{Of7;Qo*EzbFL?ZiZ6A<h?
z!`CT%DPCgs%l(lmz-&H@kn5e;<xvHsU!2@a0L(m8Fk2TJ|3Qbh^Y(f;U23Z|<^4U?
zGKJ6R9<R!tL_>4^#sty6ogq-nVzX}SBUWA%!(2sPq;!~@!HZ`VCno+EK78%2j?q4Z
zjojv>mp`wBbB<Hy-nePr$3gwdzViiI&AZDh%Zr?2M}T+U*gTS0`1&Qg!xBh@x--~)
z_8}!e4d{-~E|)3(LKz1HOKzRE_x@alW~H?_ZQD^NZ@t3w7(<`ZN2C8N-IoKPUzVce
z`EC`#IvtYu>-$ZR?Vz5YwHzKk&9A4L5KHyAR4^=eONy^c{dp*De)xI87SB3nQ}r*B
zJ2|ie2Ra;37q9QMew**`=vKZ9PP4{=3&k&QZvZ>+-M2R|RzQ2lt|8NfQ9fM+9TaUS
zf2aT7BzKf)L=6|V>5N-#8^)Q^XLcdbniR4Sd+r63YUqc3<S~-OlO$Kg$S{7w!h^oM
zaBrcV>hrn^Z>SDUOt6q4&avy)sHXM4X*ZvneLO<9$ifm1OH?5kO`5zl_XkP2$wgaA
z_^b%r*sZ$dPd2iyj+831FR)N|?o^g5p6Qp(9<Mu(W^0p0;@Hg2TU5GT8r6GEJB5+7
z5Q=U%%00n9eohxFY^8{A8*02%t|Uew?;!os`@Ql3coRYlQ;oD7TqM+i)$a7FjCGzH
z6Sn5V&AxZ*E2ZFvtNU1+qs3lbe+IAQEpmHKvFaY7MvyDy$LQ5pc7SpBbS*k1KRAAX
zxZRv6i;QQpF(L^W4;H>#FG<p25$^K2M_*|;OG=zXBX+L)Wu8PuOr;^5ae*V*`*_}+
zR(<F=jp6XQdxZLt^Yver;MI-5T^yy5)UoxaCAeX|-4gBpSb}5s(|+PLu$`Sq@lG|l
zRMmM-e7wIto@WuEQwhco<y)WZjEr<U-`Ap=kpssV_=ADk4Lvfd{2%SVH3BK)p)>!G
zm3Ttkh+=XD(Bd4~60;VK%Seb|&K39nXMBTy;2+HwLEvfM`4UiHPcr40x=nZez}($O
z7wf~J%U0{*ZrxWU+CT<pX|S_ukApUT#m}NHe0{mEnz6rrOuJ98^BlDGtNz+m5%d4s
zv0!4DRGe5oxHWJ29(0Th;_@&#FDdQO!sOk{6zwOf$s4`Ni(0|(Bd)fE_7Kc%JIj!!
zW!oc-&Pux_N$%I*-xM1EANJlls>-c@`&ASL>6R80kz7bON-NUc0@B@G0)ir;bS<Py
zx?Ab)PU+4?=Q|hs+0XNA{hf2(GtOUUjCTyi9=LU^b+2{LdCxh&-|KT-FSSJ|Hd&}G
z7Wiqck;WSQ5>moeqoY*cwk6q(!=R^x5kz-Z=$WR<%!z@(UrLy}O$_81GI5;ef`ZGe
z%)*O5jt2^N-GKLp=O)E4sjWcfTSVA9VAQ#Hag5wQ(YbImn5N!u+WEc)s@Rz63=U{o
zZ$Rb_^6rq@W%V&L8)2!YIroy7Kff5ny*!AWw03!@1@Dd)dIm@KSd&rtHd61~$K|bK
zqY<~21#4K8cVr5sDK+gwO7l#&YKAl~<kvuk-@qNI9qF@ne>agPpCZSZbz%L^a8M>-
zZnwygN=Ofy&mECI_hdXTP);bH*%Su8=t*WFWPMvR#ZhIS{MDz#(iq8W#B$Y2zkxh~
zc3ONp$r$#8x+??Ub;0~H^T!QC>}kBtn<A>B_fh=dKITWHJc~ZB^$kKEt^g&)(o@$(
zI=K_;;U~7}y{gGh&r_s8W2*oZM79J=vR#xb=_qDE&X>{j8JgYB6<-ypecYKRzs$B;
ziVGXfI?LoMx+dHRTBUE{H1e@ILHmCb=Vg<n#v%|Tp2~)X)uV(-yVX7{iUu`tEL$_O
zGlkYA34FODv+<#)S>)`Bh=FuD$~m-+(>5nzTY?AWtBK9`9Py3v)ar!oIlx{O)dwGC
z6Dx#oI8#Bj;5*>amO8`y89y>Ti}MxV0v3qb1~J#q=QyY-=0o#84CXJi5MRb}m{T?}
zl|IWaXry@Sur(v3?a9-CnOTJNbiQ{D7e8`vOzhaX?ZatRo>FnJHR_R^>i4lhyTw&m
zwQ`F)3<Q?F+BHt?M%UH{;=1?Z?Z9#7WH*|VwHsLS2Q<PmOAO3YDHzu;uBt(h*@1H$
zka579>PsG*&xbXaZ)6m9Hf3?CQN(bD_E-oi`e=IP&Yo=_kZgCIkjWpO(l)pnvUAgU
zgsM>r`p0=L5}!DGx}2sFROY<l?)}#+3*HE)Sc6L~TFY!kuGjz5GN=MA1I_s1PwJ;`
zhQ!?4IcC(MBMGfIMxz8F$bZ{G=~DhcDDs<k{;X<7Ag`Tg2yxi#?uiH97f%sgHCnH)
z(QtZQI6rRyx(^;|&#dshQXndj0K%AvSR}?{J5gzy;Urbilj(A?*ZQ&9b2BDH#EDkn
z`#L5WnUu&UT&(N+<(`#dtu>5VHR52Sye=c>+X`FJD>Qt8-rkvH=N#;~GsAYKkJDSY
zK9Xx{c3uq3QUr__RQ{NHyzr@~C%pS9%1R0sNN;!_A2D;-cTy2mET)D%%J;`yEX90Z
z(|n#c0IbO*ZV~ekqz$!y?aLfqF&gqTT)HZHd7*=)y|Z4KX>83$wi~V)Asx&svBTpV
zsAwK<xps`Icx@v8nQV(&sYm1vu^(~u?v$sB!+ZWX_pwYCf^6J&@y=rn_H002{LOqH
zSeNg9-R(KHt)>(`jx?VbOczUf{Q0%45k-@A;=z>)uvtvPDKtcBZJN)=nnkt6K8QXq
zwH%GCa=esLIwapkl!S6mPtkYg-8Ga-sL9NfNsCPgZPUadro3ip^5H(=By*g(Ks<O=
zf7_wq{x%4y&aWd82Ktc5BrQ$rwZ1imGwFb!DM_Jw?k~~St3CSK<|tf`w(0mXDojIq
zk@-2gvYd0uO7u6_Z56*SA=d|e5tMF~0*ML}hYoQ<Z0N-N4N}6O){0+-iaj4e1W|BY
zZ-_s~c(@vQE3DUBN9f+*b%%hSVJpE31-TdE`wJmwjV#ckGiut^38#&a9LhT9E$Q%Y
zB_F(`Dy!r>-n=#f!i%jcuwh;}8)zT5_^M@bGS6FLBd}<Ex5Ir#_C!~dB=M%01W?)n
z9PPN)%nrV4#|R2zAwfX}yfxs}Foog#mV2l7goHJ6BI{dN@$h-gO)nT#qSYO`wL0Hb
zrm%kmOE@02*477jxnsfxp3y8z4A#FJV4}Y+PGNGN4e`UWt`HyKKJwVJ-kGT_$_8Y%
zR5HgA0*ACPM*u^i7?(#(x9sj{fsRne+x_J3`C5S4wit9|1+|VA=}Tm|<iK=&fcBxp
zbd-^L^10$WtS`^NiZ2TORd80I^ak*kq|ti#J4NCBjp~;?1)03*(Yd=?mB7T3N8i^s
zzi?o}0U7B;|KB-o{PdSwt<HPA#>Ogxf(n9*!EhF;1nkcz9N9nRiA<-oGN*rQ;F6d3
z{!T+vvtm+3rVo3#`u`T>F1%lz*m^<RxsGw{ypvE4Pl_fk2#PB!LCNX(Z=9Rt>3-l#
zq0PHSQyFuCXqnRaWE~}CK(zNSoO@yS`=2=XlPv;EbX!)C1A@|ySx4_7lYAd6bzf3E
zzU_!zuXd!$lNJXtD14uon~lgZ>id->wUIHQ`n}0iLDIKhKQ1^+ET4a1<6-$yZ<O+f
zEc?yI$xX>EfOD5t>{cz)t`#kGltonKPL>U>+_^8&`z6>xg>y7rQR1(#=*^Te4znp?
zpE{EDzrv#F!>ybDfpc3kk|_v9aQUZw*DepfNsP8hf%FK`xjDTt_=#m%9X96r*uRaP
zTGJt1l5R8#!kJ_39Cp6WdvN5@W{VVl?)J?CJ+^nH8D;sEWd@5u&)4JPHv5ew;~%5P
zgVKCdh)&M1WovFWI3->?GyDj&rgAkhc=2yeozM8IY&7F@|0R7eC{yYs*OwqL)bEY!
zb(~Rdbyp1XhP_a6Boq6lrOnI!<UgVxS0^6Vqwly~g`*t!5rzKMaD4;h{DLIQeq*G?
zmcIC}P-T+8LY1XIUf-wJtWt0Zm3LS10#3HAC5F9ZYSj+8VMZZ*3&4a0|FZC{bXu}V
zpj@TR(onj*g}#>AXTBNhXf<U)5esRmWZP%GZor{wA=^m;$did(NFM%C%V52oh_V-r
z&bxqk#Wf#<Dcw!`^d;1UV`cMpFF67)?D?fCzx^qC#43R?3A1)&cuAh6svfc5uctD_
zQg`4gEu=X0XoK$P`SNxfqlU*~A@G<qniP<&%p!*VSGF=k;VnOSw(@iHiIRak9kMzr
zp!9$XVuVPp9xLZD84r>>=<<AsC{r&_emAD1755Li8tt%+{(oSrdAYr!5}ZBmV~}F&
zXbS2F#GtMXx*E4nSa^4|PJ9=C5L#PV_nnL*X@^|<xY4&qGH4bo(Z{+GV;hLq3*>wA
zbZa-=#yzfw=P@_+gAn(UE6c;93u}@r#-0vF{#o-UcJA7W8eje;XMf>_{cA^FK79;I
zP}ufeHbwL~x_|8uh&u+}lyai~i94<rZidGlyX<v6vR&>{yB3&huNgY&hUx8*h6FbI
zf>ODn<~$#Wo0y5Zb>}yd>z4Q3S3e+vyibd-#)M*vmMC(04?=@AT%OgWP>E~3<S_y*
z7DOucmr&eaia2DuuTP%d%_S0YTLwqvG)DQO{`Xr1K{~9AKq^&EV`i3uS#uXC*+e8`
z#|0e=?pKnFg`m!~>l(n9YD|>dQy6;Q3kLFLg1j7(--!Py%Y5O56)oV&pTK1+8k`Nf
zstQ0^dW$&8u@QO18HfU=PrYjYkk%C9?8X5-xexlmspYgjO1Ih*-twg++LtqD3uRUX
z`nDO!M7L*ht1&VME2iblT6GMIGo+<RJ{?aTR@?nDvwL_SaW4)(M80#MYv}3zBdQ<C
zVNlAhoCjDFzf;c7aeiDf8L&f3fLk*%!@)n~;od)<{vgv*&Q%kk7I|_<YIC|uwb;N~
zlo@GL6$^2r2G<d34;Ojy_sz;J1Sni3jHC8)N;v})67al#DwiPha!k`gvd{@yg1hHo
z{W^mFO0cz(O~%e9?#C%i_maoq>-%cnO54ueRG__zNTQ3t`X`!<`Teeyz(IG1O+c4w
z@nfU8<YwGTi(1~cK(zJtf{B`+I<f0Rc_Pwy?gJcmycB=ytK}mDH!go*(6f4WxB<Sc
z+1Z`xYB3TbrL@pc%xsNH=B3_5ZAC;kvhT1@D7=81#1iEB=Pd;KS}!`#o2yLziUcRX
zEc?sJs-+;PlO%>K>(U0vkT~4b8dbTLaRO3obnkyvAazNsK)WN$G9N1UjX;l@6;3_A
zz{LD<*~bxhqTEC>r&DVAy(NcV+fUT}Sn|7jAJX4){l9RHU!Dln4qM4>ZEX)R;z5{u
zHfa02cXeh_S;1Qn<TC+fct$~^-`C;Wm{uZyUsYDX)*%H58pLHWDTh_Bk&D}n{}ba>
zg#?GiYz7I)UVy%#SuK1+lVwrZ)ikq<EwO%OZTTshMY_{&r3d<I4)K9e;S$~B1<yp`
z&TGw=%6S@C6vA>cVD-v;`|~}eXFRa+TF7a<mpk3$aCLV}P*+zC`APT&!m-d~(S}Ao
z+%Quh<TQd&qvF?oJjeh>EHxdBB^t`#C?bsj{h%HgHHBNqYbQEitp5NmUgvkmVAEfz
zBo>cP&yRQHL8-8*Gj@#z%zRvYe9=k~J3rrOAhWj41?uPj$9p8<8<=O@G3|1c&SiUu
z^sgd&BU=!v0XD+zcmZUc2qsZaoFDdcmh&UQ{)a^^kiwlH7<FOd?P!7jy7@1@!Kq6b
z<$DW%pawtS37>ECLuN%mcHpec{b_H|FkU^{;!#_U0KOG~kMGw-5yid-e>c4Zrq|cl
z;N7%mltMln7QJS&-U)$GTjvWH{C7SmW(B+jH&yzx?T;ryC_JOQEoY&%5Ii%)#yJ1d
z@Bc0Q{x@m=uU}sLfM538sC##Q2aUYF;FtXZ5^{YHT=uof!v7`u|JTI!mVhG*n#7+`
ze_!knV&KR^4YvmgNSyWX4HEjjSM<+|yGsv*P6!UhOiaH`PfR2uc-#A6|HRS?cy))c
z1^<~>`qzy3>%af!OZq=w(*GYv(#n5OKpR0S+qC3lF1b@n8_vHEaKF#tzo$<HfQEQE
zUMBsvtpI=R1t%Rht)9%FX(R8ccpab4%a>gIV&kb$Y#5YHT-U)|9GCrh@4udAf4}5^
z-s*)L9QLVGzSa8MN^&CLYIs|#x!-SYaDIDx0zX3~kl?{x$8t*ZEV*Y&skpQ<sU^5s
zw-~mGrjl^We{DahP%pSnWLYyidi~XPr$^G_t0nZlgM;HyR~JulHAnR<^bSHlJo&ia
zcB-Tto_tJy8|vOj(S|~?f3b9Jw01>o2b;6)h-c<M#d|H3U!yBc=a4^J=^DjuHYU8c
z(3;W_K`Zz5$tztB%!8ZcW8H_hHCFV-yprMh^s-X7Mu(q~Be4D(@qI)D|71iMWU+rY
zsQ$fEkrfBev}e9M5{etx^Q5&$(RG>|tGDxwzbFiyC%m!Sx?&-!VGk|Sb}|~g9Aj)#
zuQ=v*=Ul4z`A+dTS%KG;S&x)3x$g4*Ktr>{lTZA7^{Gc&6Sq*n>W&KHCsr6Isx9k<
zEag(grQn8+oYwQ4o3>?u)H5tA>^{G1m2k|jHw51{Rs$mkqUx4OWtYHNy*g%Wqx(0v
z%1aSE4ppfF7Jg@iA34Au>JGuxLixE5;P<;0>1Fj?i8+!Q)sN0_dZ=W=ZSRmrZ7f))
z#)pVRRTu9I_2v9Wv!wb<TDX~ocN|ZB%Py)Flbz~q#nxvIS>E3ER+0Dxnsm4jE#5gU
zmb2;}x4n5pAVXp9D%2>pq0#UDO4W5~;txE$$RfW;-x@t_GYlpISLGJywSCT$mor1E
zJ-wh`T3Xjfc0pFm{fYDDzEJxAC^qa}WbtduVmKQ?pwK!X<th0C+D-ln#)9mtS^xDT
zg#gFR37j(z_eZ$`OR=|l>pJI<_gh%IUS{D`E+e+jSlFpw>x?^}Id_YsjN{C@CamKF
z^8FSiGvE0^N?K=Rr(~l0K9>8`(jAz^;>$-Pm}B(<UZ4dRqScw0xZE2vS5(fa4d)Ko
zFJTyn_XQ%l-A<T>OxM@(uEH5im7-$vJA)-6l0qF2Dtb)C9{7N9(jVZ(vAt7~=VFQA
zq*wF3WF%_BXI4*16uT9k`0I6y{2gQo06*?GKw_W%0FTzGzQIW24j9}{yM2G+tb*W%
zicq*|XHRHSKo!BTpG`pCH>rcZf6Cf!tj#K#2N|<XsCt8jCRv@VE=&96PLgrA52@9!
zM+`^WuU}zPryGE5nliIIWZN$G(EHxeFWz>P5V9_|&K1$Av*)D%y>qLt#rT1DqYO+!
z1Fq0D`y7A=)C*g>(>(C;hOVpvHueEzcWbOYTkVHk^>%{xiU!oQO+zXnCwvC!-n{UE
zC(LmB2+D1{{AN7h`@By%yyj!><5uH<wCCpL)yMn$s=X@<KGo^!4`GL54ZQhjkBj&G
z+HNy?7*2DC8*lp_oAANtr`-;wo|R>FZiI7~Bk1v^8$fwoUl9jSr}MlAK0SL`f_34P
zi|^iSF`WHHEG}jZ0)IEGfu;{^bTl9+MXBp_v9L;OY`th9EVS?0%@ue*6nVrxHLEw^
zbvog6s^;3I7c{G9K-6|a91mf0dS3CGPgTgWCyRff1eu?EndYG(qv#aS5Dd)NKYGRd
zufe00oHV-4A~Hv?rU%y3|4Gj=Xqk=S>nE4`u#e1Cfre(b9I)Q;`>b|Cm|GZbi&m=x
z=%<-Zkxl56_U0$E*8x4#Zi1i=o*HkABU{6{oi%I0>m>Tp@jZ?Dx^FnMwT5PQk=aUf
zAc5U-m+I^IC(rdeqQ7XlA1ZdT>wUegz1(OH_W0b>b+-OCD;=+pah}>CU;2Q^anPi~
z70}}CfbtPjiT|qeIs~RWc9$(^F2K+hWQ=~1dm_!afsT%zett|Y1L6!cOaRfysJN_~
zRDHbtv5(F>oLiChbrfT6>zqa+ud|@{%a?G^p4U+$Y9~h0D?0CLj1KL{*5^|;{D4w{
zy9Z(@KP=zVW9D4dJ?Ok@?Eb}G<IPqS$B8pHhJC_LRbDT5kG$qFkhs|emxEpwzy;Gc
zc!zbwS}*4KRp&?uj~y*isN17jrj>gjmY<{Wda5R2tNo8bs3$w0({AW|Ks{CQyKcdc
zI8^)Z&VC3LiVay|f{BEVfI-fm3It1X1F5f;W_R<QPMYalzf?bl_CLYLA{vW?q^|TP
z4x#~=K9Ml(P0Ya3Qy^jsf=4rSj%LaVxs65jFX=VXo}BFIRXM|+HiwXFJ8eoY?7{F|
z&!<{l=T*@K!ob%++8jiD+N(*?R7{Td{Xa*Jzt_VGLHL>JS@V15JfuCT87ILAPZYF7
zHEwlmB3WwUrB@38?M%b`aY|k(*~qSyW?SxKjzs;D+@Fl!ouVATSJU`2hxZt{g{pg|
zGsLdPyC{Th2WKEJF7e}&^zT~^_)t^WTl;lOq-Bs3t)#z0ZuF?I-BV&hI}#Av2%ah8
zVh`JWH(D>nSmkj|b6H9i0DWLhp7FUIrw>yHCRr_0e4Bv0FF=uCHG21MW=F@JCeH-A
zcj>*^AIMz}dy&J8ekM~LoV4pv)P0gRS1V7=R;29=jo28mR7hXk59}34>mi-BJ!3MP
z_^etY4sw(!$YQg?m3TSNzuAgqYi(&(u4N>O4aSyk=xb)bN%sAi={Y;2kheK$5;n3F
zL8qMM+RHC^fNP}35#zMVwLPj$i7J^B7*c8D(O=!<Nw_s$9)eEFO-X(apH?CCb&YB~
z5nHAhi$QlfA<IhNprQ0qbctDiICqI9wd8JLqWc~dDVNI-Q~Sb5y*7EaN*&2G7KT6d
zC7bG4w9rL?3e^n9;<+V_{knolSmC?=DM)>A8r+K#v|xg^;@e{$-?!iFlPbxn8?;vT
zJJnx~cSbQ9m<=N}d-Ce5?<WGf*XKv~+t|AkS;8LF>{W3O8Dw<^2gwG~d3(QPH92@V
zK}*Iu3AP!4nf$=2Gcaqnd4e2!(&|L3mRc}K1i622V9dIH5P+0xpsFTHxEv;+&2KXE
z{W(0MA`2jsyo*uA7mr-dy2cNRR|ztxP?lf!r}jVlG8ct%@&3oS#68O{P&Dn@VqXEE
z_4lzt8xLon;+T+X=LDF{u=$cprrAk{{Y=!hk6{lqjo<x#U+Kmu)zdn1Y3KnpAMSgk
zx@!`C8((yCep;=vv~TYbXTDL+S1IO8nP-eTgO}D^sm|Ldj({n23*Agcg=#x`d+Rdh
z?W#PWHjS=aj}|cNr8Oiyb{vM}j4JB;N7XTHXY<wBd90B@a^g>&61JQ#PCj0^8Z>t(
z&U@gTaRd_i*ErkA&+^x<Zk2arN-{F!UXa;lA>iH|cX7On=Z_CSDrEp-^Yuc$rR2wE
z4Y1-xo`bl{S7^lSsPZbU4o4pi1uon^bY?es8d767EDoee$fNH~HS;I%yT>|gPtjaE
zthir%c~@-E{aM${viTEU(>z<meA7pv;T&ZGa)A#Xo2~YMJbUv1xsqJN5;%vaJ~RiI
z&AxLuH}p7yUiIq(+-Kj|$LUW`411xk$TT<tak$vbCx+&Bkjk3hR|O1E?V0(Wx0ADs
z*)A_s=5|e}>fW9M0=FiyZ_+{27q<%&6BBXwH7jlWj<%;IMz7D~#PQ(9WpInPT+t3}
z!5Z<OpI`rR;%<SP478wS8IszF04>n|<80XIEB^-_D{o$FD|Lv|cLhG<bH5UZt-F32
zG-c<<*_F#ROc(mKO0n$)!8UK&QE_jFCeW+Nmun_L3=^4^AHxutsgoXiC+Sk#dSeSR
zm0tuVO9?ef;T%=*6dLl+sMd+B9k5m@dc<iaN(#IzcGN5$PggR*$A`@D)Fvq<FcPy`
zNVQ&{e;PKvT^$reG?KA%-&3zVBGbaB#cut8(0_~VGJ8<E(G!rF5Af*L3KBUADt0<8
zG!wRqtE>l?Ju^G06M5JGnK_UaU;c{pTVP0$BfxdfvS&wet$ux*cvsvN$(DopnzsbY
z4G*8PmWw5$-R7dGe4Zy51J(6-Q>s~*GgP|Dp_psLtVZk@k_o`fWl2`YD}*!a6KVEj
zzBq*ITq|Nxbn@3z{O3)ONp8EVM_v5mQRHWh<qE(n_Pl%kb`cp5`UeKHXqvl0KK11D
zMSlFXE;8q3x#k@(pPi3_B<+Gj0djk~&8w3ywdFw$rP-(TXn*?jEcyE92{;t*G$iS#
zG*~@@eMb4gl)9f-a0Xw&G911`wYj<co7)n$xR;YE`Ey2v^gEUFV0Cun2ijHfF7Ct9
z6kjFk?ti}44A^@^X>NNPe-RDu{Z@@LESf_CBcp1Yhr8F2bkuM=a~KwGzFOtER@7)d
z5MgIE^8ByK^{kG28Dp}jL3QO)^RRQ>K4R-+pu*PGZRuiwPfLkw!vdptd!m*)SF1R(
zcrG2Q5y<XhJ?0{x?;IQ)M~~mzhaWyLvAic60#|@s8}*B-@RG9t%HG#&0^}DFhF`{(
zL0X7{*SU#&bSKD=mj@7yIsbcgka*TzNY7+CS(dA#cf374-x%B2Qq?i$n!(~9s;Ez?
zHZl2YAIz1<_}i6XV>y}$+`+vbWA_42*e#}>@!b`D7v}e=tCfF`GXbY}Y*T(~qLk**
zBQKRj0wt5F3hU_k_JZKTA|TA9JFuev{hZjO1vYriGlk`AmB5ms#u%qBi?|HB>7;)A
zfG{f$bEx+0Q;>5NT}_YVm~%plMXl7&UZMIYL39twoLSJ^l^FT-FCaBr6Jf_C$a|6Z
zroIJxk`|kPMlrSJrxlLSE=JobI2_V6VQQ&FqN5Dcq%}<XiDrh#J$sgzqCLvxS+V#D
zGo;qZoB(4`<+HvNeFY%b3r{|=vVqSa_5nfee5EH=)b9blLXM3y5WJlkcGe$kjP12J
z9Hq0b_0FP7tDhh3WJp&#aQN!#&w5C>%;sEeS2Oz4v3;(No`dKSFdlK#dFeyoSZJhJ
zHD%Lavp*d`J4@Huna+AARenVRsVleV)%&0*)|u9ihz^?!^Q9L_2wi|v#zav$=`=fP
zYFSI@h)5OVsieHhQ7A-M>WcBXx^&C|WGAfiS-W~fp=Y~VorbE(bW!ClcC@4i9x0}k
zm*|7NXl(NWalNzfdXk3WD>ml`XvEK7$LjaG=K7)?ZMSNT1}Ad90;HKBuYkhYT=mPL
z0uR1Y6Z#vlvx{E6?!C*wwyBCvuf4tLD6V#nVU(8X)p*hH%b}xjYV!V8O@5}}xzAip
z1o^NULkh|e3|A)JCu7mQaj1j?C>ZvzCZCIU8X8YYVWHZ$!Wq?NW9*zOjjqh%PJsn7
z8$7PryhwZ9MQ7t9sV2~*_Z*q=s*XO#P^_)W^Ed1LYfb^Kvtu~NIIUvV9RJwhyoqwM
z#(6(LW|3fZT~Yn{wav9(IGv$XoRA$@r*4+4Jeb1hC17>peij!b2Ldt4sQqQXzJK9*
ztN@rhb@jHh-?fy-KR|+b%3Hw>5}Ya{inouLHjYSVGZLyDY?ZFI-E-_{)|}Z?E;L&N
z_u!{KcQ=SywN2$NQiM#N*g+z7eJf?r$4mG;d;9dqd;xII8FR{$h@_7>$ZHX-`1b7)
zF@~KRy{m_wHwi>h7sG7xxs<chf}ZVChX^6_yU<>F&I?+U$rFzpIgluq6@9`aO_di|
zJHIC&MSr08Gx0Ua{L!zUKKm)7KmkHzZZVvV2e$RncwuA`aaAUNdjV{My^ye&hyvn~
zfuYnC6lf1S4JF`#&J%IcPMZ*5F;bbi*gz@bi0z90T`?!Jk>cXB@mzyn(N;~^>0)<W
zRM9)ExlTW2k39ccq}bX^xPQQYK)rU?8X%MGgq_Zo4W$X1X4yV*xDqL}7Dc_VxIfx{
z%qvxsSbGxF+GRFM?2NQm^AeB!kK(~Hyd1I|QYgV^ryM}gm-~nhGfB&H+9t>VajGcm
zv0^gkP^sHJnu2Nq5;=qQnYe=seIxOJyVlxi(jDn3J!ylopM0&&f=6kZTrW1MB&S{c
zS}ZDrUp5RvxeAqQdhl2V>tM$p`Bq}WYOS`DR>j6CTuIDIXv4g-@!m*6glDhD>|z|C
z_7}QGokZhV?v<ZG7sAaJ57+LP=CW>&S+n{$JTJggUFw7HhhKtV8y;S`&bC2xLz$-R
zszoyCtV(<lc={$)w*K>%=4!{w&ocxRh6!nx=XWw~qoh&yB3145kNO(l=W2VNwx`M9
z^{nsNO_pu(WG<X*F3y1$RN&)2DWI+qk+?{Eg<p$yRwba{6aPw)LVNXyl&KGMy)e|e
zc|fGa;~W)*VTRtEcpxf-kj>^{?Uh=l)lQr2o)-tF3hxkuN%XJ#arV9hLU<<jUP$JX
zApBFWzN0|qyJ{eN%al{S{QdPSzg+*Hy&{=YY#Sq;LPt9@+mD9yq={2nKT|`6;zffV
zih8h-)Sj&sJ*F!>AxDun8MS=Z1qV%Kdbg*2jhHKgmYy$oq!ccAa+Hmu?2S!6ah;W2
zBYwWz9m{It^otnRPQ(dgO$P~oV<bzY@q=4FI!mO|${aj^G2ZD#HwgN$-`9V(QontS
zmnIn%S<Fr&--3#stR9D;+uQ*M@#@UMsk+KkY~?iV>>Wt7N-{OJC$r(P)5hp_5A4|B
zEpG%{R1|#1bPsJ$y<c;#cU`I2{QLN=b}<iej>(pWBl&ElE?wUXInl7|>XWT=&)RDy
z+C#xAstq#b?^sZz01>&hvSz>arH;DN)@rOk6{qXMRbDh~V0t4P5?l>Q(5`9$J$}tC
zS=$dQhh!Areqq=$BYFF~ua9RWQnc6}c}KZBmu_$GJhvx_giq;T4{qaI6mq`#IIM!H
z1h6|A1r~Bo!Hb}J^GS9+9M6K$)K@rq35YgVS63gH81-5{E2uizF7y>GHyswJgm}tZ
z6&*XZPJ+;ar=3<%5u+u)hux~NT(;@Bht{MFY9&@mzFlNTDw(YamEkl(0wny-`%lcL
zs}#vP=Nm<Xh{nfsu!vow^$LkyljP^LPKBhlQ{3mv3Ni$WpM`c7oP<td(?eygb$jTU
zJ`;1~X((S?^YN0s=8XcS8C{5jP8tx;5Or0e!sr1#h+5p~EM-Q=#3WNxk}r+FJMRh1
z=CByw{C+HbfeP=`ppt1gRxN+TgqVK~1@cldfs9wx7JZhJmVHA1j)Jb?lbo*@s@1(`
zqDYU{9723HoW=biirder!=hZ3+W71!$3&5__v(b5>J=s>!iA{><{^||zm#_8yF4p{
z<oa%vtjEG0&yd*#g<b+n?M0D12FQZmri%hu&;w6{#Kh|8Qa<@sPC3r;51-Kd7~A;>
zAXiEYmE!j&KjXLxk4v%jJK8002v;3A;hF^Vzad;fv}<_P;VKmd&Ep!%&*Ur<`aAb^
zh8Nl$9JQZha}S}YOP?0}%GF4t9UyTf)~I=#H+Z!(UL7(~vh%F7lCDWFPfsj_(n3$z
zct6~j)$T-Gl|Fe7#6UBsm51q%+cww72?{%Aqr(EbfxcNzX%DZsxWuX-TaBtg0qx4*
zRvLl!lSv?0+1zp|x*CMk4<zC|Z5N86b9GR_u-w`z<Y=$Ycmuppt`GFiRvV9lDBaI7
zSZiLfn+`<ZL))|j;7WnAa6R{7P<Kw$Im(W2S&~<74}e?SqWLn-REp(zd3)c^Y}w3c
zMKAQ+%&GqWVNSU$xEO7#D`>8Co9{-P0|>137}T~dXaIJ)oZfLUUEQE(S}PNhn<5tU
z&16T({+Z$L(}@!`{ywpt^$6Q`Hi}X{IOW~UrW}twxzS4?mjCyB0=k(N2@XTcF7hKe
zyM-3XDk|Tno2QHbt#0yEcRT6Nz;0}t6UvIzMq~NP1lzs>d@H5{ybs`ogU}fT;b_v=
z`Pew50}Qg#z#lt@;~T<QQH~UtQDz$Ukuo~=ZOg#HFI$m@Rqtoa>vItWWc0$0EJ42q
z;XIBOrJX881wnpJ@o?j8aH!)rieZsYfAfWs`v{?xlE;=$BiPRx9RI%h`x3}SqC^Wd
zfDqE&wON9J(6DPx5(fXyrKXv66^&N1^?0hIgK`h|HW;;`pol#x%4T%+>kCH=6f|cN
zcPh~Nq<idrbJc%WZs4Eb#R1&;^?(SHUpn#$Q=09QpAibibW$R_b`pxi%!*CMs~3E9
z`l;NOoFLw!HAnv)(q3%1xY)u(U3zw^PZXKVFxGj{;rw`5fA)5gR$I&WdSRcac$On-
zK+Og}_=}pYZK#IM0s|M#cQ@2*lR!&coZjLMH4Ex3IR0E{kV1ko2U2cgU0%gVzO6SW
z?q=b9n6}3v$tLA4dmA+5=)Fxkv7CSLvP<Wh{7DRemj&=+`(cQ6IOpg4(FW)79DtXd
zE<yx}5KVRBt5ql1m7~g+pAS9Rzn3CY@viOAu)4ilb$e^+Uum<F{BHiX4X{8<T@4n3
zF5)DKHlXmObq4p#pu|X#y9uk8n@8b;;`b}W86>=+i8%cbPd*n<Dj};NEG;r;dWCGd
z8gyESeB4OB1MLe1edp6@41s}z7z&K~alOTA#hK?j?7SyV+!)<0-)m0TCZD6&P9=b}
z^XSQDXHAINbZH9gLe3o=hsOI#51KcUDlKL06FADfVRcsIfN8sjzADBL>*umjV3|K|
zx^+K+N47kVf)d%5iw-6;dYZR!_8rDMY<~@8ySxU_Wx&jW@lF1}F}^in{)kv81m}Y#
zYb<E_6U+Q@uuX<4=fMI#l9<k_bJs36`oE4^WZu-$&^~aK(#OKj23U62Q$gR$LVC40
z0nfTAvm^S}nO%H{7JYfK)#t{hqA~iKrg@Gf(me36XP;S80-6_~dHCXQ8yAl}!ue$5
z0~+x=!lPTtsR0Ycr09Otc58B~ANa-;v#|HSWL9bd<!|G@jqXo!l<S7qz}+CM_bghm
z+JS=H{Db01O+sQqSM>A7U5zM3w^Wc`t!9fA$7?$mS{2`rvvIPwP~z^|1|vo<?IdYD
z3mr&*FRtN@3BlG$q5Zw&9`F*#0|H<A7^l&}3Ei{nG3$hTxya#hPuaU)dE}=t?Vxjz
z6AISM{!QqDB4fnE8i`!FFJ`Zdx1y4g<9iL`zp3)%6P`<~ycU(H{_x;%D7dxZ@!Mdn
z$st;ibj*CIEj3oROg-^87H_(_(N^P6Y=-eD$f8!5#14trmcGB)lr;Cd)_o0~8kvMn
zkP}M4pXKaX1ohDU7&b#Pv@>?!jqhvnW(^4732)OREil+r|FoK_X=A#Wr*<?iml<nr
z;9{P!p}_$WzdKPff2r5f%>86H>A<Uv>|2Axg`!QI62t0XNHwP~>D&UaD$GaA+on5J
zauyPHdAlR!Z$+CoHs^oZEaB&izFfC6Q%BX%xD28TFYlv&UD|A%+851%^-bNPgLrg1
zbTyDTE+=uE{Bz9ihZl2etqcI|V#{IQRDEVuPu%3UeOY(-u%*Pti>tLM`gV4_r>DU2
zIV}SwvvQiZaMndS;0#@d7X|cCqy0Xk_i(pr+BdHsibauX!o=<y4pWy7*?TG<Ij!~B
z4=cA$NA*Bh)TLWHiQ_9Zp=Dx+G)znZv1Miq0yA=x4eG!gos4u72r~lc5kToXz0qF?
zYG@U$h;QTk6;3CCDp!QR=o16^BSjTetrg7N_AqMY>eLLLBd1m!1@&?Zb2AP@IJpT9
z{$X(@qj_5jV-CB&UQSdy=F`gq!x^~Y&A4w@@h|h0o&;v?GBeeVC`h6Z;mi*TJuXyw
zNP=I1y-S}bakss%a?dzFK1I>PepTSnVhRY*3d+}ptzs?gKr-XQy#9x#E?Nw<PNO-}
z$qvQKF)fGps)ww%xyB=FwQ;|pQVQqLt$FOC5EZO5ck@}P<7*Fd3E*|C@(y{^9Vrl=
z_m#+V6FjOH%o?_MP=oWPxei%9;5hf1>&$+dD#b0B71?;y>no^k+(nl55~)XazST0B
zoP)VDn>(2a^C!=-Xs7aDUc^k0jhJ%&Vq}prOi<sc^gWfVw(jfG){s*_TIFmbcFQnj
zEv2cwfR*4|pXhQfEYPZ4*o1LoDTG`;kwfYviQ{vhh+}Gd5b~Kcg`jH_0Q<Yd<sR)9
zAZUnble_rm<k%hU>$=*6?GgRfENcRe{X0ttA~US7$tUW08uG`28qz;=#TOTc)}<$l
zI()olUZ3W8;>Li2FL1glq(^S}y+^3{c@9J^f<fAkYvxzVL~7*rgViDHBMHZ?RsQ-4
zKB!IEPGGP-7^B3aLbmnE>)e(WJ{@9*?!fs1rp=nTzif?am^R_E)S>8-5u2#Nppp5g
zJBCYgi#ZYsxFYyjn#EE4*g1RS3Owtd8<D-c*%~Y}s?=Tqx5};6Xt34J;m=CTJFhNk
zm2k|<spH+Qv+{_kw3!*)+rMW>w>76XJ}8@T7PREAUeiOqU1C1{^>w6^{0D|bF3+WP
zJdl?7_>!Bw=?;&t6R5}nOX_Uof^yCyqSh?8)BSL2X|j;mRNm&jpB^3_O<!&|NPwzT
z3P^?Mpxpc!)a=j^7RR+{=0ss}d3ot~avFK?aJ0-^y|N^KkmPl_NFaXrqn8Nhl+1VO
z{ogMQfj#?t2y#LiF^5GTNRwS;RBryz5nM?+C4FQ=AUn^zskpmUKATR$Wy8skSJ4Vi
z+b$G#YR^7#fEm<$$LkL>?MJcj26-%c{I-EuDP{<w(?XeMhP8S=mVd=k)4u^?*pWs?
zNCsKCamPTONTyw0A4JP}rPq{k0Hd>qcqusr)3UWk^FS*D;~ja?M=Kl*az0kx$Ed5L
z{%WO076%Y!mhBpG*7DAEl*t8ZDH)#@3U`a40)BUa6XIg$$Gu7M7wbb&-)m@^&QFRV
zMvX0!MKfuE1Tth;uSW(CE>3N$+_+?Tal08M3tGQ`blLudYR5GYDrG0(%Q;@46Luh#
zzCKoM8z&U4rs<$Sssz{y$5i0-^$LeBijn<nIZu+!@}y!*on7`5ZrMszZ7q<HCn1Mj
zMaGGNx@+l$S$&i85$|D_QJ&?$n#4APMN}xy%ER*KyO$a}Txq*>T(bq@N8u20STzDS
ztZ=!e+QAO0olSa!5=WX$@h14sRFK7<<13Cj+Y)o`pd17A&2lI}XHhvN)}1Bjuv`5q
z4MX4ovKaA*dq)Sa0_+1_iA~)`75@gWwEZ;PaOmE!peQ)sE#y@tZ#uhxT94Q$oFqOB
zjH=oOB=NSE@-QbLiC3yk;3V;s``U%v<$PMio}9*5FnW*Dq+VTpl>0dY5syo_e7-Oo
z@Tx+Kv$DTS0d4ZS2BrGs=pR7T`4O=vz5#ZRK$eATlUCr)oC1hhe4W63(5PwHYB65q
zCzZ(0;0VfcVIaNu9WIN1JcG=)TM@L19b*~H%QE@&@p`utic=eAKTs>gu^0xQoNN^0
z)|MI%w!{!tZvF7SQ(~#zR*a3`y2K$Ofdu<@?O-*gg+AMvWip)Ilw_Qn9tF`J06|x&
z{`}~+om#iupMxE0V9I;;-<5D)JD~W|d))d=PHpuQ<_>6&@5edGm94~?#AFF&mEax^
zE611hDuy`q+;uWz0*AShZ<<;iaU*-C(iwQ71^vL7b#Yis!9rY|6G>4qJ$%nt&YvSw
zIQZRxoD*_%?FP3!9)(#qO%?K<!_K&b`RvA%>K~LfYx390Vi@GIISxC7x;204R2n=g
z47clhYN{dFiqq>NQ5le1K0ZEK8fn=ep!=_?H3igPfm9>?`p3@_yK$S!_Bg?se!Z4{
z(CiLBbQ{m5v)?{}ntYh-gu0)#vwQNanwkt`CJio}-nRB>>0TXLW3joe8E46S>&;=-
zv0kL7H`ExB)F?KvNJBC6jflhK#Vi`p!@M*gZhxht7uJFXH|G^q9j2c7)zz3FEAvjJ
zMkU38PcN7grloIB7P}Ew{+0p_6BaaxY8{LZ!6y=()L=}m!P5!0;6F0ASAJpWS)=AS
z8r%buDE;}sP+w^D@1?!`W@-OL2Oqp4wR6@^6DND5eBbujs`TTIQUyPI4p&nHS!%}=
zRZKba-(Bur`C*Q!`y8@%l^ANZ!E2y$v0QxmZrI+FW76)pD!T`{Y>uwpQz7m<G{b<A
zdmo&+4qp)%mg%MO1ztwUCDz?}f^SG3-bOkva23>Tn+RMqu<u;KmwH`<jvNw>$F(3p
z)Sx?du51;=D&pee3WH{T;i-9UlbIV6%8JSh0;Tx{<$Nvk%{=9N=mA+a`{rzYA_4-!
zBJC*bY$HEMv*qitEtk}hAirXO-|Aq7bX1Ox^N8MaV*j|MrumonSRW#~bl%3`z--uJ
z_%I^j%`<%Z)%7Hu$ZC&EZU$|#ebij5xrT$~xTJox2Hs~69DuA8u}_xjkLv#|c=g}w
z<xoGO@(s&8e8u}xET1n@G5s~Je_i(1kFf-jTaVfT#RCYSxAHBA-wc&l(SE}D(AJx9
zRpeN^bl+kibZKSnz;kPP!Ia>YP@+;dt%#kWC2x}PWZsxBR5F$c9W5_0kO)^=EPmx3
zIaJ94_quRwyTvCIVmQoRiYgIMzA@!K;joU*hvY#Ms8x07JGKFRO}}rdMazmSN+c@=
zlUt)n!+bVDodbCiQ46mG>Q5do()uqf_Bp6B8%AyrK(vy}NVy3?P`BqESM6+;4>zk^
z<aV97LeRj^R+8W^TSb^V368X~6RgI<NEs*x$BS8_&!}g1Bq?U*8pSeS1&(M0z2ODQ
z`aacpCM}6(A4&AMSfHbr?}I!1_9Q*+R_~vCET+Hu6)<LLAYGlCMaW?1d5-c4P9SUd
zt0>Z9Nog23h$OoN#S;00afs-Aw6;C%+N8C~Ne`h$r|N{nD>Az_&6|f^T?EZ|<b0km
zrzhuidco&%oF*A}{bllX6fI4s4HCZXz;lcUxJjx^Ia%#uc5&1q2|xX#U$=5KYCmiT
z9vyD)Q2`5>H>4Kyxk$Elu;)aF+AW&56E62mrZqut3o?9<E<OTHQ-TyGa}4&q<(V}-
zwmfcY{D9fFo-{dA%*a1KP79}z+s%ICMtVNis<ThjOFS0W!aPS4(HJ>N{l~e@V+!;I
zfC))O4*zP!RRKeegIzZOF7e2<)~o8{%&S~A51Xxz(_o!lBOOj4mDm32yJ|U<|9W0x
zy!LpaG;M~jI<A^lXtXDx-0PnEu}>jrL)}4S2E{&E@gJKp!9qzzKR%0?9(}AG0+qOk
zlSWFZ&7Z-DR<wl$!H5p=W9J$^_t2hM&o`Nr7uL9)7NH_`B5+Do`Z}Hg{-5ZaOV0ww
zzk>lHxEzb)I<UY@>$j8;yfGhI5dR66Mi5l)mHi)fg1GcPpmSP0Betx0nI;j%4s7na
zl0^*X9Aml*^;!c|3;nq*qF!HLz%bzWMxKq6#?dcBkFwN`y|0sYV9TwW1Ok#6l=I@9
z%fE1-;O79%RLr&Ol@adl7gXS~#Efb5hx}5Q1+E4wz712d)daao)6{-OxpRy1cISI2
zDKzwL8!)M-CbIMjp#+hbkfOUz+17E=Q%O%3(6bc%m;C1RfjjVh<5|CR^mC`iax~jP
z{|Lb*qmaZ0y>Io<{ZvO{ZUgg+oMWimT)rbW9ocpnna6lm)JcZi+qa<yUV}RumZ{Wv
zqrxg5rTNdiz`k$rgoxwW>Vqvj?QwLHg9Q3UEqng;{o4_=s_zFr-Zza8CKY&jze$Lh
zF-7h;FHv@5gn`C7S=a^#rOKc;K}_J1R}GKC<JDlc2unv~w^F!1Zb2xQ`!YQ#w_Eg3
zqa?e%Mv3kIP-wpQ_~TjAQ`q>>k2$VDe8AHTHj5E%PI`Wm3{Wba9v_Io-06tODKR}J
zbGe%5LKHw|*LtUzqbBm{tjpo+gXbcC`%Cd3eCKThLdb;buetg;Q{5*=4)O}Zxa6Nc
z@F0R8nFuJq4=>iUE^g>5S`D5JhtC|ysMU@soU3Z6mUi$kPcaC%@jnsvG#$xfsVIH{
zo0Z&9wAKUa5S>2Vmd#urNkv?G)8YLTlJTN`b1W(SM9i#9E}gHE3@jN}TaScE*mZF)
z*_=Pg=7|(P6-1TyDMH~P`E;^cxNtBCNkQ|b4Sah+(31jibfVT(sJ~fs?*{F#Q2l`+
zBm!)XlVS7Tr+J#LMqy6k9vdU(DQNW}<c|q=@4<W6<Y1syoH|ZA0Bsjden*LWtCWz&
zLGw!Dr~E@9?ev<n^&Exy?)h*w34BEjM*H!8Ymc=>v%yyw%65R89u?aD0MT4=-{Uue
zH0c?*1vzKfP|ek{kZR&U%0>eF=1Al;(#Y$Gh0!)f<#YI*Z+2;%(uCo8=WxTRU#eZe
zW_5u(f8#8r6Fp^^4Q^Q0XufpS!)~XcJRW@0ksIxSSm03SETs9^ic1Jyl@CBA1UF^7
z^MiHr+$xLqEm5vq_qxW5Sq-<{s+`uo7ACULV;<*d1wBB{7Y9%t^U>NFpTR@ndvJoF
zf#Qdb@k)0bbz@w%F1<%*D1{I1r)dzt4YK5ok#;NIQ0~R&0Q<+L2EGW3sfw4Kkqq)V
zO`f*+3~CCW8aaC%;M%Wd{cM?*&xBc^T4OS-LdInye4$y_snQz-A-7hwpbOkp2vAmh
z<hVU`FkzZcNVa~mql@22D&P@cp&4HkQ13pDqWN^M%OA(TpU-hSev=qwhO^M0=ZKy_
zX>1ISPN}cdbo8C7!4I<4lNj~4Z@*3T%$Y0dN>2gz2!))YYx+g`k0MT8{u_%$0N{==
zuXEZ<#+r}njO9DEj#KT*5JYA{IV?wYeZ-1#?qpW<afQ*isWo3V0n~2Rv0mJCC_zW#
z-#?gqaI}N3Rnj#_6K~$Sc~jp)>WBH6j{7&CNBQLd?Z$myV^6&!+giEuj_24z)(gAU
zHKN75T56$8E3CB>Y&AfhcTQ|fEMEUjo_8mx@AR)Y%;^sEYu$5`kIfDqBS;skhIi;N
zf^3NWt!6zZonr1mxD3r$3~6g4zp|6o>zUa+ZQ`Ngg+*NIgvhoGzi|h7-n~cpgw5)u
zTQAP9Q1o@oaAP6`NsjI7^B2>B9{R<m^-uo76Vrp<$D~@1Vmj@OW`kW0SD$jAogKNx
zvKd01%e#1R;<<45-wIW}Ry6Y!&Wjx@w#}g+8~WK=Hv^m<`$uQpOnK?S4E@GF-%3&P
zwjY~teV8!nrh4f&);7#))^@B=F2#`1d@8ZTe|b;5mqrSObG*&={mKWfQlsf$1auNs
z%Lg0+hdUqTR*kjAqexw=p?S8MEniYZCj(X+ikcfDDFkcewx+YuMWSKfEIqAWd9~ZV
zT`WjCP$Ha!^wmDcs7#{ATqLN#qVo8{?J^|3S45FSpY2Mfw$vE(VB-v1Yqq2A5?}H{
zuSOCJh#%vD%4E`Rpb-zQ^MX&ke2tYYKNN!|S!a0th~KR~Ea+rnN;G0;FvlPDm8nNk
zrY+fe1(}Vyy;h<%xkAcL#ZdeBy1mvYympkHw!q!%U}tThPV4OAxw2pnpK-x3%@wE9
ziJdnFsb3@Z27aoR3NhrC_zP5=+0JWsgbz{$){ajWaN*JK-s_IzYaC16IF8oAyon$R
z@Vez{Jz1zHb~jDXp;$Z@l;_!XjEB8lkGCVBQ$sFJ5=ZH+4l1dJi7I_9Nfy(uE-2pR
zDCI6v5VM<wCbOR}ROSJb<Bo0v4Ev*{iqFLkg}*F7#OYBp>BxAsfa_@|l<z?3En|u8
ziWIlYL8j1Y0ee9}9`G&wVEA))VzWyWl%umeF3)-#MAqR2Bs>n<Kk%c6LZE>3kR^PC
zdp;ObdKfqI5u_4ie6z|^o~>-&Q7!q1#8SPwOM3q{$g%xlx=nQ(YO>Jn-<!ENCS>=7
zX-E%sXThqNWZhnTftPhJ@zI&dm9c$5A^lednjo{ts865L++7}CyqD5)7pBhVOFEZ^
z%14GHKl5y93a2v{?3gwr=5xZHf8G~^8DegKb^efHoP1wDr`FtX11`>j%QK6d1%(Ez
zRl32Mx{RhLIhky_{?XA?bNe_79wQ70EU;W<7a+349H#m>N)aIo%y;e|q*Rp()mZGI
zMD6&a7Gr(0j=6WZE(gj;r<l1wJvmdNyJS*sX5%!XI+*bggT#K<dgRuX?#cer3vMbf
z6Rf&VVJi_7ZmJjGgfV)2o%C8RMfF;*x4Tjs*$s%bGF9w<EHhjWgeEnTwn%S*gzpep
zJb1$QM8=H!xkSER4a6{blle`qJE4|gh)rTZL9U4JD4QYJd>WSJn(=_9t^0AK%o^7K
zu-ROhD6^ny9HHF_J<=aKgVvrKwS_b$?CUse5`Oh#?s@2HN@g>O|6pz<wVpb#(n*v}
zk&%mDKS7Nxt)g#}>Z_xR9z5pToEat9X*!~5hL}sZjBBkZ#Y~N>z6Olc&akxd<)jQS
zF?_(pa6jZXg7$7GF+|Nstw2<s<QwuhZbc4y^;#YY!=3o|lIi0bhjv?dOI+%5MAxhM
z)w!fA8E%@$fC-PR;#4Pe)Ep((bm%h6?fDlI9(K+{p0iMuJ@G?A`=O(Se?C-uid_mC
ztlZW=0{lCd(=xVnq(wZXp|mx8*Cy=LunR|}e6s1K`&^(xOj$>sHKgPuyEB;)r8az2
z-NO`clX_F}!i%rf`k^vD*CaK5TH&pHnIu7}#*x@g?OK-z6{M9ebOD$Sh82kkn`+U!
z<wlbI&F<i4@9PDB(ex(h-pL8@B?}wBL+a{Fr<fg1zxJk}#lDy+&t|D(E^=-+Z>R1&
zFH3Zi-t}-2_$>yFax?z?Tw%GH5W@F>8)x5|3siNt7F<6RH$jiW{RLb_C(F#kv=9?W
z4eNu>)q!W#8e*S^_PczLtvlW%Oa8|>4HbS)`)pk@g(B_ils!;z*V&}rxt(m6Qpn3N
zkA)fb(h(}xZz<T=vn(DK>VWo)Fh=r)rmXlkm+mTNGmz%3#p>yhTI$>A9A6LI>;fV2
z^6BC)2}K^_<Lg-mgzjRa$c#NEtJjc-WzBLMb9*^f372#`?+f#%F3ZT9vDBn?N;%o9
zj31xu;SiQZ2$`f|YbzRdMSC-Uy#MPWt(@m$j0Oli`Mjt98p=z!1g<qe*lm04xP<;V
zr11lgWs7~NdG&?2G9#UybS1})-u^Yo=Gv)#>CCE!n}Q}r3J=Gyhbsk?Ym>abZ^2Wi
z_K`e$P34e1d>iBH@>flMA@}(p{2=0*lL(zSw7VJ`%?K<m3Osj3Le>_jw+o8ehII~}
zHm)>+4knFwfb7Y!%?xiP&CB<9v*T25cn)ctUj=z2*%3l%Po?6c<pK-|FM6kEyXjf0
zonh&y?Hvwd)p4~2^puzv{n+pz@Al@|RnXFRs3yf4o?G*1{+RgDYO*3^`w2cR^9p#{
zw#(F;`EbQGc2?>2Ms<SVkIodIvOkMLpjz4M*!omX-9RKDgNO+FNczEUHWG%DNG;BL
zrBVvosL>sPl<i{afo!4j&jzfFU!X1J-Im`U<JcktnQ(Y4D+V%E0|@IT7kIktfX@ei
z)_PkZ{c?GTPD0@5N8M!GfA`bx?|KUf*vn8r5uG@3e+N2sp97psckfqRbsh*<-lTas
zvn@d}_g2C{5?k-CQ%GWMD#latu$x$IerGojt3682n=&{`Mt8Sme<kuXQ!xe=fJV>5
zZUsu61u*5)3LAl$mnn4a@VvNq6%RgeeT8m~Hd_6vC`187+uNjPzYk_7ZvX{pc|8dG
z&+h22Z4xF5JZl2w-gpG#I_`X>oVFc9@#YW7b*8mUiEapZ_@8=e`C>P_4yWxuTRgvO
zF@?D>dwPeaq7w*OQKenBFAxc<<VvAJ4QG(}6^Aiwd)^yW2_`A{wpJ5l=R>^$BToi_
z;0Q$eOc#B1u{Z4mSb4)7)Z}a!F2mlHy7LzA_wVb)3vdH5aBlzc|9{|sIq59OaF6T`
z1=Q5X<=6Zj7stgbBot-$$9R`xPcZbQ!<ZV1o?*HpZH`q2&TJgKj7H0ouf|7PofLa;
z&_M4?3jYEy@7!G7OO4HX1t%3!%)C8ETIFQx`YRF(!p%RjxiAYv0mNW>Va59Ux7wrx
ze?*LYDc|7mb#i#opgQe*MAkiPo6s}uB*;O|pW^=$^2`TGHjY6Nq2ntp#V~DrEXb8M
zdsSPvE_NjmWxBQvuOK_-X{ebwceaHavw&nG&(-beYFq&i1Q!NRt&TA25S8T=IVuUK
zoQa2~9A({!4|zgYqm>Z)muh|-GQAtK4<7ZMZS7CQxlRT}Z|($nWb7y3j?5=zrnyVw
zw_96Q#a^sjd_=ELNuEVYYVMD@)sw%<>tggbhcC<rhGwz{Y9GQMJ<(uzPc%4X*^gZ)
zU<EO=u<2bd|E19yGoK*uwFr#H5;|4rOH$Q-m&ua}<He6Jw|Y>-p4QbME-ZDXES#G+
zUhG{y7eq;c+>Y1ociimzJ5y*E5qxK-4bQ%z{V^0T;Y0DVrHhW?17<Isik@FTDDcQw
z?aDK_OM*vS?S2QHn%PhBgGXMcID9S0xt}!<I3bi#<--$9T1v<*+Y8S<b&pR{j%TR6
zV4c-&I;8&^Kf2uT>34>d;`#eq{vw5sCx6qD;s+F3CB)3Ee;AMaL%jY21$-qi1cm6|
z$B4HI$hNLgVQR~>!-DfJN&n7#`)@hLzkh%6h8pN9-jM4YVEjJBYrrm!cgHHoK?%f~
zItYEZ_q%xM-!F3W%m2>222aTcRN?=f#Ql5o5mZsv;5U2i@#m}GA8THY;I6EY=Jof`
z0t(Nft?%vc1LdEu27!B2pvdT8|NhBzZ^Q4x&qvh*B1n50Nxtxc)c?)Tb9ipwb9di<
zf#2V67ahD%O(WZcsvjm~0*#R9Zx_q|`PF{G2b}Y5+Bfh8>A!zofZR$7E&7M=l&g>^
zpmgCfH^=CI-0*)hukZxfbhyqlJ%s7(587=8L_I<sD@1v6Kmn?nLdfTLjp%>B&aJyO
z@E~-^3%^&tf3g5X_+3Es*?dhv(PZm~-SLm>{qJkP`Mt>w{`fh-5{36|{_*pJ2R=~I
zM~w{e1Z#{q-Wf6d^P~UvQeFh`dyJUL^hXwLp%=Idh5w7aw~nfEZQH#u0cj*eN?;+<
zA)Nw(3R2S2BHi7f5|fbbnn-tdD=FPw(jAj-_BC<&JnM12<K5r;jlJK!zwtd|_y_9r
z_MUfKah}KVJ2ZpTR>?i=^Q49T7RdT9H~(XlB)o~u->~wx)s#I19B6v>;bsnKF>ZRH
zqW$8u|9%aA9&qO-{2n9VKK}hmKEi`zvhh%hXw~-1Ft@)CwU!9%6dH>acKT#I^Ln1g
zilXx`SK_w|1HX@N;8lUl3K@dmuSwGb`1OoREE&c!yS9B#RXrNFUaFJ0MY|{|dXcUB
z=~0i@J%#`L_(?I~i^}lb%=lXdY!VgtPD#rZ24?UKSf!i1XI{cV_(BUO9anw*7aS`~
zjmu$NI?lVaVP5JE%}|96^?Iu#29wbOpSjk+7vZ$>DZq-=Wcp}@4}RiJOu$szT5v<e
z?)UTgzuupXaI;QGb1{nz9%+}%bsj7M*zsz0%Y=yJ^H#TaoI01iZlnE#g6sr=i%IgS
zQS0|t8?ys`6FaCrtkubrk)Z6<;gjie#Fe25X5Y4t4r!K^Z_|19g92&y^>f#^E+4%Z
z>NSm{2WM@vWLa|y15o>}Rbp4B;ZLTwCxZbw4;9414rAMcG9g@fZr}a+GVdusFbaD5
zhND{1jpV3`DHp#-wyGab><B1==qv!d3IA?%vMBuF^}csA^46`@sfVS+S?Z<6$T~gH
zF0JZ()16Y_J%{_Z_lCxNZQ;Y}2l|hooZ6;$uS}&-R|<>)PUK3z!2!VW%ss((&Xe}N
zqXWXfh^r4h>NH4Su1i%u{#yKk0Q$)6bt6$2cd(Iq(8i`{`2lG}e0su&Dr*cMtac>R
zlo<(z`iOj>SV{l{B34fB|MD$ti;~=ahxYN$PR>f{`H8`0907BK6{?fa#D0$e4$-+>
zz<eVlQC(Ise<$5oxwwiIP>(C*2<{nBeORxtO<}r*=<vV#0ru2`Cyjxt3z@Rk@QSN{
z-z)EBqxx3oOg><Fer@m`{ycuA`rXKV{GQMyRR&D`?JvJvFT(yh`eW9@r~cZO4x?Nf
zMQ=U%4|+3LdY@`y^3%T{OIVKM`v<S10C53>tg!Gv-ikt)*updYw|kn1M4T_--NBG1
zpG;*CE=wP4)Id~>wjlWEF=iBt$z8M)i;9i*2><mb5;23!i7M<aKbQv3u_Hr)I*^d!
zod~?FrF4W2Xa}{8xC-#0=4&J}9ZW;C_UtfH;<Ka>uf`eQlF=q}57#-#(}8E#F8rhj
z1Scubv`904t^oU{GL$8sTqek`4pbfd{Ll1BejikhpMbaC*;<plS~(8{NeQ?LCNT1E
z7b4c|oZ2w0V3k50B24)mO>rg$7j4>O**_MN$Uc>V)~2Afnhp?u;}CB@mLt;;!?I*a
zJH)#HZ$*KS=I-DstMw?7!Mnzo@GxfWyR=KryGlSiXfp<T^-}*AzorS8?d5;onOwf5
zOrL+7x&OP(+}sljv}M)-kpT|hRl#OCZ!c_OA$L8iT8KA(zWHL8)nWc93KSxzpf3VR
z`f?}ASHHPKa9*6#M^hT%iN!q$eo<k4L9&-&Nd&MxnAym@&c{Jp)3xFN&KB<0SU)$5
zpT8lp6<{wKs`Ol6Q>8A5v-9lVe(wJp{oFU&7*UQkCSE|$iGwk2q2SWIq@1Rc^nW;*
zOi-*l@HyIQWwkin^7Y#?eKF$k^3cb}qdj%UAt24qFlxbKeI_46o=ziR%Nx=ddKp7!
z+)3uDl!LuZxO-6^#%)7W+NM;bzZI#`+7Hr2SB7&ZT5P))I)mN0ZS|?f<!4qavK!7>
zth#INu&!>mp|b<f3uw~frn;QndLR2!#%!-fY*;*~)7p~J9RBs|qlavcs3y1=F`Fkl
zmHjC)!ZA#%W&ojh8`SD~ap~WT8u)|x&S0Zr#^4BAYYpqCOh(;nOJF2rGaHUt8_rvl
z+sU#b+3iqv#pH8YGCoz__ZtYgW0k7kuOIe(r{j*R;ExSTcaEh*T>d57*gc@_e_N=%
zcn&0VPf6|exR(>NCfX0A$9BTkYZ#{xd*b-ST~5)z7>(qMzjhXY@~%obKDmwMe8uIw
zfJDsiELUSJE_er}Mo^^5CR;szTrz)eIto(N4eFbEw9A<>kn5^vhV817W4rPQZ;j)@
zL!0%!iDUZKy^}zgwu$S&J}IX+FjLdJ@mM6B94&sm;j)^`l4|n^X~3%+2DAZ{iO_&Z
z7pmO2^yvzX9W&KSm3h#dv|f1meOt567MDRO2m~hx8#T{7!17ER;!;1XnN%BrId!V0
zhr{0Sa8K-k`rXM<r*C+6)5YU`GrS?71^wUW3x9iFHum4<3n%-xFZ@qmIOG39UwBB_
z|Brp)Ip)J`7*|tO{@iZIg%XizQYU`Xbn357=Ogn)#5wOd@~=$#RM}h%E^)@wa<_`N
z@-EaV6EHT5wmM{;xqc({D;Vv+bVnM}y)<6{7UGrsHra(V`HqN}J>7-^j5Yz0V|f4>
zQQul&3YzZKe3NN;Q%?PBY(`v!rVp8ok%sbC@l6T#B&FN}qfH)N0|c?KD(GwMO~*^x
zFr!7}phv}+j3;iv2yza1J|@#O%Fpjq<g<HLc0&1h<nvU=mMALjpx})Xb=)il4Znx%
zw%gP6{5f34IoY3U?YOOwl;s~MrPiV`xNVFwzng{f_|%RMWzHXOKuij}&45v{Us&@w
zyK=^N=Z*V;16;7rUHn6NYOz43<}Ko?1rKh7P(xAIAJ9$!;EE8&H8bh2d--P@l%S-s
zLF^O@t)^}2h-JSKU!}F)7Eo@J9~8WHPjD(be>5t+x?z3NBYwnSV|X3soOfTmzamL9
zmSdn-Z?Rvt<*H#KkIz9W7Sqh&E85!e2=hcsMFIPAvXI;f+e9zAiqur<UF|r(0&<qI
zR7<>vlV26S>|IOE<M$xqzzjO-H)0E8@^4mJYWkF|D?#X&|5A1UC^Wn^oHJPMhFNL;
zsF8{q0HNlq3843uuiZ)*dy+buBH;Fv*JN{|K7oI8e9GQO;c&A&<*0UTyKddG;!R_P
zAAu`ZwRvGZ><*oio^qjODepKg8I*xvl?;NIEnohz&uzNpW;qV^o8FT>eB+uF7{4T4
zfwmb|{vrmhW}a%Pm(te;4c%fYcFFVIV2w9fa+&Y$v`0Thyg1ud5Prn96e$x@PNU7J
zPOXtgS86(@YLDFcxZW2XiSrqSr~PXmcBPbWjCGrhL%ZTVS`?zMiZ>kc!wbGmUyQDg
z!|qcVEM#bSFGIuxoH@K74(F#U_=9*oFG0U(fJ%@KoOVH@-Kfkn-He$tI@su+=oC;X
z<MtlsKU<(Ut>{2(VUA;l9M9Q6kLaE+z_hj*Ah!wk972Jxem2n*Y9EyF*{>r-n`9T|
zL%$9!O(+8+epiCY)2qRcRZEHJ{8<u*;$Z2|R|ujn`kTj~{#5IL(~zY&auBq6@{@={
z$EjTD$d-$9RNXZ<ZJeO=K9)m@1k3mQW??zA)!VK5Aj`#0gX!nsaCv)bBL~VOe~RF{
zekdyy!Y9r5iM_kH+4{Bi${kk01B3NcZ`!cU9@c92_4tI6k#>D1zN((QRIe`EwF{GZ
zX(c*hzZwHkXceFBvw*JEXhaEjTN0ieJ#Zpj3UUQ2U8~cxv1m-G5qoM$D1*%vz?-R8
zO*E>G+c_tI)LD8g*!Fa}SY!xP(Y<*_hptx*zK?A^N-Cv|L<y8eUUYnZ<*@5SM;<$R
z{d(%&q(fIJdhg@ET=l*!<khwzod?RjdquEkt*u4N9C+VhZzvDHwvfz+K{)u?f%7Pg
zO!)2zuV-UE@YP)f$YjD}kzPATrDKmYtHX{-sqjt<e@IcHTQ~s?+DYF!C<pknmm3cG
zf-sPD-&Yv6U<rqP)S1j;wt-1tDg|Or7K>A#>UBTZ?4sg5jHFi?R+Y2V3Qpqj;X@qG
zlJA(sbZsdypA{Ojoo;j9UFs57F7n=4Y@ihwX;i=6HGK)}BT^1cGmJ}MD@{L3dF1VU
zXf1fImTX^~E@(sNguGyD9xsN|b~fgh;LzD=TN@0)>>-rXy8o}`K7`xv_`xpo-Q|Po
zL1B<$aAWFT|1GSwgAw`>eTA>|vD|MceTCIJ^nz|yJAEV5N!zM@)uZ9%<?#~pNd7d%
zn0rl?n>h95gVrVcc%hos9`*jgTt)p2FL9hdcsHZ(J2kJXGC$qqaZ4Drf^v<aER*=U
zh7lLFeiO}RA;@_9ZE#;`e=|@b(qLJ+l~K1oCpdmQvg3)+U<-$$prBns|284xK&g||
zs_$|6;`^8SNDKf#Aw`g_UYrLb_Y-crJZ>xx`=6W8J6)cB{lx-+8`3{F{Fe>sg6HIA
z+aEr9Ne6m<rj1}=Ih@ctzH=0tY67B<nUh7)lSedAaJPuD7^xHPBKkq9M9}V^YZeE9
z=wn_#R7?<k3~UM;iUfGRY({-8QH0xeYtN?Y3l5l$E0Myhb*CI1zF$sF5PLYD-*nlJ
zf;Cxr4`g69e$V$xRuoXPeNTyZrL85ldFub!0btZ_t&P>jVoE$NFXYvoG)qxG-a~gH
zBXNp-pU*_&LeWyA94d;A;q3k?4{4i>5B1wS(9O{w4cZ>kY5^*2Uh3!fmYZ%FN&?MY
zD5Egf70?bnF{vtvD}5EsqHB&hHI9QxtFV*^7jh3AGz|aLsZ#yasb=p5O(dROyJyvx
zD~SQfMYX`3`QYr7@D|1l#VBnim&f5pcSuG;#nF@evW;k~wVC@w4dR7Ze-o-cFh?O!
zi>pMgS|W2Z-+}3Ad{+mi`c5^MWOIwkH4`#u0IVNyFW@_0Ie*B|*&WD8o_u*C%qhoY
zJ))swcA33_9#5~RocCZBX=L-Yce-|sTzw9M%>~H-n|jrFa>b7GB*kr<b1licWIF{?
z0803@$-bL^r-(6sc<O>LEuitb$)HO16&wd*u_7-?hm<Xs8G@4)9VkF{*)mgR5?knV
zXAYz(GY>02THf9^Lz-vN?R**T$-!}k@vxEvZyjcKL-LSh+kOJBOe5$nM)Ggg@9qcL
ze5o0M>tJy3EGB<{SkMa6vcIRkCODnl0hTd?_2JxIB|K7g!@=(@=zgQ4jYNJ^qbTwB
zj@n5rElD@;mwWPEM2mb>^=gJpMrgu5``)+G{ip@FFpE{Ef$Os{={YXEAI1391^qy)
zj<%%g<p3O$s$OG@yi{el4<0;G9v`7Xv4;tO5;zim+TTjxcj1kQyBK*qY9Iw7lKs{9
z#t5Fkgn<+_j+OFFj+I2r<;<q(t<E`~Y3O4M)irhITctD+UURKz7i)6FjpFe_ygKC*
zIiajBXY!>qk$P^<u_1pTVcoa{fHcP*l#{pNcEi*$5sz)`r=HZqj)@J~FM|rZqt$`l
z6>^-8eH7jib;rgav?ZBhhRbX6O>4$t9m-K=i_{InAqp}Qf#;J2x_4mi99HkPjVRm0
zLSsi`2~ai~#5Qm<gqJb=@!t^{J~aqQ8O(jb=<t$Y7FX*$s*jzquc0W_sapP{SGu#(
zjzZoW+%e)q_6qxNs_7Rq#df5n1~W1dR*K%Os;vPelzg7gn@s+T-gVw#)c+0Mb!C5>
z?hO2KU?D4JE=CMTGg9z{EE9BAt94HRUvD(<^^S799YIk6E;ZhIxrFO@H+tZ9H&cZJ
zA+pwMD$(jJfxzv{aaEzNr$DM$c>APWbiI?Jy>Tx7TA|H;29_LLWVe{}i&577C-4RG
zaZl5op<A^y&tauQh*!$(Y6Wa|Tg1WaofbEA*8Ih+K3&;r>6O*&g*uzYQKk8F@S#@m
z1M%hl_HE`VP=G4xC(%<K6+ZMQ<XDZsj44>I22bPtD-+o43o@<bpQa~6PM$%n*y{RL
zB2>*=@Y1G-u;$6`qE`hSokbM4Ge8DepX};X#>m=-=zfEW>3&mDBAJy_cI{@j+fps1
z@zkZ`lr^aLrujyuz$Kp{{n2u{JJ*&#9IvbpGY}Zrqca>2)>`<jbb-F@&GT0EA4>1_
z@*o|BOr{{ya5rd2sNM30)yq-vA+C!vp@){cq>$uA^UAnU6=J{jQQ>$X?YSJz$8fk@
zc%6|Ep!Jd1O3~+PODmBqFggDZP<GY%qZj@629visyve3MzgRl_7Hck3v=Gx|Hj!t4
zV2RfHTlbmj7AtawUg~GLWwh3U(lz_i&!}YTq1dbXsuLq};nq9-x3ak3)fcJ*Snb;(
zzCo0+sDnuToe-;*%ajJc85w}7?QvZyQM4b~BgCc2@Ow>00>OZD@T{yp^P;pVJ(DRF
z)0tyRpQSu(7|s*c6aJjuUX&h>Tp#FPg!pa=-v%DA8ioPUn`4rQ>r}sqi@&#f!I034
zhxKNdm<+mb+R6#y-)_AwcIl3-l>sZ&Pri8c?==3fR&(~5T+eoGITaur9{0e8?jPYi
z<Y%$wFDP#WU^y8U7y_40JI)*HRx+twA8CqNPbhGR>t}erPRHO+0`Vr|D0|DDDL2hL
z?ip@&6}8rr)YgZPRkR>62J+(34B@IHhDT;ftSj>1KFTVpIp2bi8k}|pL1s3Xcc*B!
zqwEO5!*w0eil3{i6;Qn=%|U8)#hDKXVm}>lQa>GVVoI~CKkdOkJw#s}G%7G+?nuL>
zet2C%wKk*WBO9fM?%nYoBbk`N9+h$74jJptBQ`F>zih%JPo?&%IIS+gay1|1OMi~c
zbI35Nv5rqSoK~*Yh?*$YndioO$W+R*S@7P>hxY|1*ZsNG2aFIgHsgX_r_Rn7t=q4+
z0>TfU5Yc%nRg5O2NhBE94=J2&ME=w6Uj1*o`+vLLJ^Lmapq6l89Ikyc7~ZF5*SfKJ
z#y6LqU@)f<I)y!Vur(IXc{?_{?R>6#NL#K_WKVAZ_#U$5PY@#b9u*;G>|ncvPo~ME
zobJyvpliK2=0vAXYm~G%F}KlZD{m(x@4w|_$L%3&(Tpz8$*4~Ahc(lY%h4e{774rC
zH*x}Xf0S`Z<)X=&XIc7QkV!_$ya??C%k>Zr+{UMA5&uMx%u(yv)O4o~Ijr~tI)mFa
zok4Ih`4kv_o{9WH!|t^BUhrUhzBR-2fjD?4y7$yt52ATeeo+}7F#TFI{qy<NuCa!u
z8?Gr=Y7{^ck|>3EKk0oBg0knSrFL?wT{3Ht`=3%SR4rbwkm3}KEt1pgTWgrrCvl}F
zl9_Jby(=>ik-ONcVyI#-js$B+c6R~o(qIuyU?8?WHvhhdieB6<#30oVNO-G&+pyc~
z-DKQecaOGXohXUTVRykWa^Jf3NEkhNyvoK%yPB(5yA_?=b|Y$1uG-cly`c<XbNi=j
zophps|L0AfYGvo+_s~0LJa$`QC%{|`Pa!61-?@uU(4nR2uuA8VJK%mfp`S-lW7&OJ
zh!ouH-5oL}tO4K+jkq%0Jp3$Wg5LN9VKP6N+<&QFH1WdQ?={Q^8850l?Xv@BQUk1d
z+R8RAk`Qz-$=<5HI&#<O{U9G{u=R1G=s2tUBvV>+IT2m8Fui>gk`~`ziEx5@@1PUY
zo+`@M<vtJxs9ag?uUCn;6D|G}Xd2{XzYf~Dt+XE-gs53VUv&?5`DdYNEke~&UlP5K
zK%P45_QPN1_bC#ACHyRqPZos~W`|?PJ6B2ZVa}JfUd2669SzHKx1;MAHU}9aDWwqn
zbiCWKB17S7eOz@sU3&&cH^y+gcxfpDvFUpZ=Zmw$vKhJ&n=uQ+$!7oaXO+)_IsE$}
zhuZ-=w6@6w)Y|CF8+0l8nHj-qbM>DckI;}cIzBZ6CsFTcD*-KIi3zF?F5Laj_g{Cv
zf7tzh=YF?bTC?dA*0?`sF_QytVf`FrJ4GmIkNnm-Or@LcvR=tzT|8bAT4JgP;%e2F
zHTy!eskVU`?db=MTe0c?i66ew@&A+`e(tiyc#Ng8L%uMvNZS<gD71D`B&-6}3D@~-
zvz+=x0Fk60?G|jVIaD1f9?us9P0fkG5WYD6Z4HqIUqhtbO0OQ1p>NW@F<oIYVlX*u
z)I?^=RfrJiY0n)ZPc~h{H?lgP*=iC~RAPih6HmMEr#OAG7vs0zShOcvx$>lGqR<Mz
zc4YO|7{r)-vZ?U}23il&t<!@<1^O7m3%}0Sa>%TJSSX105VBt>(|Edn@xv?*r0j8>
z3}rGZi|qIJ$qL?9G)A8(wT9hnrx0p$jDZTcNk%dv`a+V%QjrfiE%%n_tAL1v&*|{9
zsShR<up@+M3CR;X*_m1)$!2#1WHq)INt^|g=xy^Gyj$#V7M+<a%~XH3XE9N3oP<Md
z++*Y91P3PGe|$mD5lF-zW_U8@>XW~*y5r5EGmiRjcivoi<d+M6b7I+e3YgX}w5qv}
zN6UNuBbOwbDOfB2W%V0(<O%3a2yBK;OuN}w<c5W2wE1S!yNoW!GA}vD3$|pzHa3Ps
zH8T9VG`0M*G==`OEXLYm$rh}5b;+iI{86T|h)i9t%Z1GeSzGGcdE%$?kiYCbnSpP=
zQlo;F3GR!7sSJSXQ>%TZ>#FM86TY-#OQ#%F#jcCOev-Y5_{NbyV!rlF#U$BuN!ckc
ziT9<LbJ435pwxsZe|xDrUYyQ+2?xqi;XU4}rFcSsln!XPZ`KAANw>IpY=NW7`gGr*
zk``bI<p4@8ISLRPKHj{O0e;iMAI=PM)R`qhS&5^>y=3Q29FOC&YHHO8OkK$Z3GdyV
z-%SwFiN3g;2|>dPI2r1x-wH(`UX;5x9$Fr&O9G-UCAx$WTdng+2%wxk=G(W3QaQZ0
z;)e`03PiXizj8PKp#^eI04kC?0ny-oA>cAbbSDX(X$mdko002yO)Qq0T9MCvb+7-Y
zFJ4tJrpdxUu(~FUBX@oT3PmWSY2tA>zzQeC#zq$!N}$$pjv1UqqY0)UsKrsgsk>bz
zsV0J?V&!WpR5Rst_-5jWyN#g$$?SBnex<MR#bDNylh=cMsUF5mm+Au2t?0A-r=;>X
z{eS$>q*2Vw!rHQKDj<`q*7aT{8xmj`aQmToEmc_n&fpd1dHwTkw|2+6jp1-^J7+1j
z#!Vd{I(;8oPrT2@W-!>h3OoN$AvmuK$MROXO>Yp$6?`RR*RdHZWL}$X@13Pc)x+hl
zu}HqVKlSC~>|1Wj{Rf55zPy_E3L|rIOwL)mZ)UzU+x_GT3!Qq7Of{7GMVv$a8%9+=
zheVS+zr8&?x|AF5>MUZ&y8Gsug&Orc{24Cwu0xDnK-7Bg7%3<`Tmza+3a$Z7CEOUb
z7JRHn^jUd(OYFz(fHv~sotZrml-<?&1xALmzv)<7E!Mm9>}kGCwOEBEhPIl&ENHXp
zX8Bj_Nf&&QjYwjebF~VmtIY&TO-BT~70pn<(zY5bZP#n0UEY1D+o?{KpFl4$yK?1%
z-U5DNysp^xnhUq3-tn3q@HijP=TtVfR_;25cdWiva1G4lw{Wulj6YG>4{g2_&y<?E
zVeA#>B28}RebqUQLe?ZJR{$ie-ePd;d^y=K>pc7N|5NKc{!#sh4+xd*2Q`<c>xPkq
z3m2*Zp|wF$xbMh7NpxV*PzidV)Y&qt%T;I}B;uh(Y4rf~18P(ybbH(ZJ~RcShgUi3
zM=j=Q)Jt|mLU@H~RV$ckPjvOI-I*|aKM{jr_lC9H-_(fAa5W;cCZ>(`H&FfWjgcu8
zkm~I-3e*YD#BNT^&w8J<BqGa$v`daX=SlT-U4`vF8-1MboCn#iReJq~n%T+6Sl0I^
z4%`<S)hEZ}BK^JT^2K6UQ)7fu`r~D^?1_4zk3S2$uP-OvZ63f{<{E>fhZ8ot(Un!h
z9xZezmrBq#V$W@I+a;96R|#W$(r8bLH02{ZtV+lBJCBLHhvpe9I@nhu=O{*f+xM_7
zt3YUM;%8olRGuZLB)Ul?rIl`_D{PL^a3V1j1c9I7Ck&j$3#mtB&DYj`7W?SMMMQBF
z>S@1SBkR+j_KHG?Q|(JVl@yy07tGb{9t^<Cg(TjVEE&F^vzU|i=*EV?-qMg5TaFHb
z$~P8d80_P%(b){9ebGs|XoMqQADhtOo(VWD-yju%HN(<hZpZh=KB{%^_uE%b!N+Q9
zAjNwAEQb7^_ak4NV1}EYSdnWfkgy%M)r7X`J?7k|o0Jc?*xSM@7c5V@mTy(_@SN!`
zfxwx_shK*(67O&VLPqCo#oO4w-1v4QQgNKG&|+%r$3Qs(Z(%GQED*7s3g-)I;yA<T
z>XGEz=pO#4$qaQ(;!tNywk7O<N0H?NMfpHNtd9EX8%iBz^l$GZtGZ>&DlLZ|uJvV?
zvzi_3M)37*Oq3@m<f#iEJwH3$KlK1XW`?E#sz=Y^;o>gys@LyjncC0ya>oM>-OSV`
zS*wF{R^mq-Od&u<&~@{PsmkVCHvJ&X;*^)rI1Zh;_0e84(eFmQdIcQ*I@b~7<x<e!
zt1M?0R(dM<dU+~9I<V6t!1A1DVqu2PO0TB`*`TFfaojtQKWt@YLWq}mKGle1?IAD>
zQwL&ENp0g7FP)2Opj|xfj5@wrMxM_QIw@*l&p)?<k-JRp$)2dlZ5Cj|H>Nro%l)A<
z+EuN7XN#|#hI3S;NL|i-nzU^$3wvQlCnyFxio$3fm~#YA3T}c~$p3aHbd?i_2BlM}
zL^oknd<xKOeFW&{nn*U35Yn+x)|E6{eQJBy3<tfjDaBI2W%iq!E_J<de0PH=ov4Aw
z1yJJsFKXWX?%`kl)5CucpW!w5h%E5%16tt#+{14R7Wf&~tNktfXSl`seKh9`#axd2
zPnc;BrCT@O7=VTS^{m%6Ycb}Ya55G`(<*K{@bMO+x2G*pNSSJ-<<eA3m2!bnt)or*
z@yy<f<PU*4KyFNN>!a@P`sQb-6rg{JO2}l!HbOu~GU6iSJ^ZkT^Hn(s-_w|ePc?P&
zH#2nl@ITe;0F5o>S6TnFy<-zlpZqdztpvR)qhmXVA#8HF^=Ogmp&G=6PG{ph7Ing*
z;dS@tdtj<edrLv6hSp9vv-iuR>^ZEZgRJmyM?W{3JBS(~B<80Wr$UZ%?X(SI))!w;
z!s%otj~^cOr*@R6IP099{KyBGx~#o#XKER8ZP*~?L22H4f7D`}ktD=|Al%V*TNK2G
z0#Difb~;x<?xUlV{i!2uIbdF9%~fGfr&Bft`R6w<6eQ#Mg+Ur93yEn_rgl>NQ(Z3?
zv`&(f-6e;iw7VexJjI-hLJH)c_Y$#-FM5`jV9%-5IeWtMF{KjtQd`La{qdEDvgN~*
z_=|J@5PB_>=*-m-B(1u2#;k2HmqOh_Mm%1c$l)3P`NoZX&V6PeQ<U^BP>}u6Uy$!7
z{|yvyWVr`~4G!MPZt7X+lxE4luTXJ4c9!<O9L`bGGuQjLq!BxuJ=gLklDP2;gjUy#
z*f=XmQ#oCdzCD5xWeR&%?hq+>Jf%(6#4!4)Rh2uYMbq~_R+AP+(aMOfSY+nc674h_
z=1=C}0jqWbpP6rG(S1TzWd)oSmIuGw`&n%2&Z|A@G;kRdXkzRU^Vs%1h6SB3b*YFF
zK9+nyOJMHR?U3P)QSKu=d0x6{b`K40Q6l<sn&iE=AOGcw+nmt_KBKI<>xmAHOw9wG
z?yy(5k>dZf5O<+X?ez|<li4+bzC)coX$k%_=BITna+#{H?6+TwD>nP(9*|peLU0rf
zRutVcEgJ6{4p8;L^+LqU)b9P)=)?!SfB|4J48%XQ8-1y7N*}h=X1-p1v&-?`l8laz
zOh`>K>bSTtu%kGm7PK<<9i#hqg>QBbM8j2n*E^-jNSi4}rHY{>8y>=7;;SWkvP;QV
zahzDdD*s8hJ7%6KXR6wU65ao;(s`cDE6@vds)~S~lgzWPJYcla;5ESTBhMbm(u<<i
z$jdpO_;jVt>#~H}b>?!T@XK(V(j)b3Q5%{kHRL*-4>ULW51cxgym7C!$R7|Osqp~B
zh-#MQTX;<Ga=QQKiS6E!1h)m41;5U-AU9j(l}|f%EG2(fAITp8+xIZ!xq2=?9BT4r
zt(tDz08#-4I0L{7l^_GqbPNZSNcf!r8N9A>)b(IU(Wk>wMcE@=s3z+sm(@}Vfc!uF
z#Q@;3{R|iYEI!u^fDiUdjXsSlAm2ja(EpBE+-M`QQv?d5@dl_MtN^)G5#3Ww3~Rb4
zsOabsCq&Z<l!r}IS@N`{)Mq_H{NYL-t<Dva3{K14#A8b+_zVxoTq|?NLP^V`o1JOG
zn2M#{ItmbliVFfo!j+q>A_wQ@M^+@klHmyHi|gNZYSHkWTJ(Hc?NIkUSj9UK?`}3j
z|FDXGR4{1d1=8+YWWnjG`*y4GGd=CLTbG;yl)h&y{xi1zEoQYefss5-Zgg|&8uS!w
zj5)2hphejc^>@@#12-C)vs`K>k3<Zz*e#_hK)$<T=S$((1y=Ogx~mc}#8)ol1na41
zhH>06;kKRlUW7dtj{`kvN1xIOv#?D~-09}X6jo2J;93X`rdD{1Y%%%eGNCP}oX3Xj
zutGE8SY$M6`vn)0W9K4J@k!M>9Rw-6L!2e*yJF3z=|^&J>!Ev2et!a1(_JXadJ-G=
z#tpp@ZFUOt?M~X|Sy%kXS{j8)6YdyN)DwuJ;4=m%s^?Z%1Nevu?mG&-0dFl0*$YP-
zI={Whc7Wy$gEG>gD81i}`%$SSNk37N4*o2vm|Qi1%f%PRaU37iiKp|bC(d{623MHb
z$*XpZ3k!6jF!SZyierSamU!*IOTWuE45ozMN)|<pOuAvE3@rR*JvRkiKN2d>;b&@#
z24XW3Vt-GnT24%Nu8^5k(;#0XtWQbU-Mbx24zRnN_12bUt0}RBK)450#i%5#vy3mt
zXNbaju?$~NJ8n-&vd<Y=5e_-dOxM1D`PS7SH3SS0^N!y)`yE_bT%`R==HKA!0sc;D
z_eP@JVszw28>~INAhMBWW?Ch;{m43V-OexI?9P!0kS1_S*-SGknO_Kw1QOj=U4qTe
zNM*iBW33^}a&a?N(spJ|F{%kOi5ItX3$!2v<z*N6+vsM_X3);+6v{q9cUX3%ruxW@
zKSsc=Oh$5Ko4N7PwIk#a_RWoEle5Fk;IMlWUF4-8yKK}WRUQ#2c2yiLWhb!c$6`q)
zw1S~7?*s`URW_6`ND#>0iGUc776|%|Zv-w^jh7lx6?c)WZFE==Wd9QpQ1%lM5OdHB
z`KtQl$rJAYBCa`U{u)%gKKb0YLpyX2WMXrTQ(gvtddP09UrH;s2cGyhlNo=@6+QO?
z%V*c8VNjbUuzb#<<`q<D!D=sk`Alfsd8v+W{Iy54n)6DTJ3@W}=8w{y5Co}GSc^N=
zp!K96H_>^+KL`Oz1FEb#dz7cf->Bh)fH+EIe?w@juQwnB>>LxsSL_B!s-h)2kx5a@
z`W}Z-36r-6KfbZJQSHA4@o+!|b6R0;_dsBONUfGe+4w}+cy|IbGnz?EX#0{QR!Bgj
zp(K=hDvi_6*YV&yYSap!DjT0hHBDs%10EY6nIREdUWT0A-f9uugLs&JYSVZP2*`){
z7r+4lqG)RaA6#9I0U%&G-9^8-eTZRfL0YfA>$KVaM}~W#{H<fZSwDRDW|T(Rxoo2(
zUI)vLKU3pr$)-nP0(}+8_j6x!FECGd3pHomx}4m_M<cw<Z9LArpi`J*&Z22p0Tq+M
z^cjRzo6ko&JrP4KMn08vPGRdb4P`O4p;1TcMcQSV+Adcg-O1_3&Ea?elKNwlk+f1&
zmFybf@kp78YTNBZEx_n#gNzmGy~Jx*Vm=(^T_~f+Zs^Gz(BrJB(Pb8{<u3h+1_*?;
z@a}tHl(*6C|1i<Rb~0PQ99v2OK9tqAlSQ=dEVV7VS~iTSS`tfA=SA-A>?6TFXZ3Q!
z%6;1^&DnPjd?@3EvXZy>>&NcPfHat9zalzx*+xPzMeeDwy%{+e3k9<Dq-*NsT(Z$B
zHT*p~@N7(DRL5S~aSA!ITb=ZoUhnsLTViN5IdBZ+c3#1Bl(k<Qink7o1Q^$Yo&ne!
zTV5_Hn;FK@0W>#GCbP?%L%iB;B>eRc1~r_Uiaym5AI#0)yd<s#?cBLuyEyO<`w%2(
zw}7WYakI@ndNaeuZlV$Do7NLW4d4P9uL;C2d9v;Dp}X#JHxe*Fic{vGB!CNyl$VbW
zUc&{hCp+^`2u=a>OnG#cWm0rv+Bej{eY!(`4Hp1`L`q0{I*^2u0z^*q(ii}X-_t^0
zzlIB(pS8w~J|!WocRsOXar&YiXbzgLAtJfAjZ`^M=4ll3h_ndMw@;U1&0?}kl=bpm
z!8WD@_O|s-6xNY{?Ox#vL0U4>NbNwoN&Y%LCCbB+bl&r^r{h3suur3J6X!y5RQ}ut
zyC3DtMP0_U7battPcr}SlhO_bsC1vSaym|;*ul{PJHOBZNkVY60L=*F6nZMT#%%(5
zUGex2wy1Ol#@fyG$b%Vb8jcq~n7*CgWX{5_U*H8*W;GlQ&U8$zX%=rLI=YrQOfoD=
zye|bWcwH+a{&<CbQgBjJV6`_)4>FU3F*3OZaV9=LSuMIRLk!(;+JExg%VaU=Ep@Zv
z5CKa{IsyzKu72N^k~tIw{}M~vIT&oT#Kypen*}R@_Hc^6<6^!*E58OC&J}>tMOUZs
za(649*bh=$6jU!qrXRHI&nK@tJ{YLXJe)xJ(y4WI>`8KkvVAAIXtpc$T3R+X^=I?i
z%s;w14lrWI&L(tVA)u3)CK)g0<z#o@x<O54<{w$T*IOsB6%bhql2S5j)$Gc+c$u#h
zxENhu=(NT8So%etcL!9Lw{*n2KDYi1njzqcs@|M+a6a7Ns`{f__OdpPM^RE3hd}14
z@Y-SP{1E|SvnZWQM8hVN^gK+Jx8sLf-leH-;uzR8zkjJv);K-2;i(gR5Gn9>j;Z9F
zG5VO051`~3$|;JtC#Ui`VYN{cEiTrSh0?)XGqp~NUZ*;Qonu7m!?;d$s(7FVM?zeJ
z_PZ#{ITBuj<6)N>XMqzW60wkXQxNjAc0MRJ@sR1u6DC<XY);=_<2t&X%WXfPFFF9)
z%tF<?E$j;CkzWDXF+<s}K$?6*&~(nD@Nz<V|9U_tfAnEp>$Z8^ByKQ5`>Xp;?%pK1
z|CM+D0U7FFH&acT@LtM~Z^8qAQ;$4^JLmj&Trv#-7jB4@^83VzloID?Nc8<Pe}wJ6
z(B(m$78&ZY`GVrrkY)<>W~a@|``k7M!9tpJ^=1b&r3|6dqb<H}*qVK>G{7DTL`xRA
zgB8k`0OIj8J-t5KKi8po5Uj5jTKKo68NLe1<YR$TeE9akUrnFhH{dI?8}1&De>diS
zz<~1`5D_W4V^U<j@rgGBv$!KS>jjC^Ni4Fe8k9q%f4uOd)|!lrrwJ6QllpOL!+aTE
z{qmbyL}#>)eSh(CcSmn{)&UVVyLq2;WMf3ed?DPh4dOi!MufLNV?%DM*8CBqkgxng
zkjJ)N?BQTOZKL7dU5HbbTJ~ey?+HCTXdvny^EML(Gul52s_-8^APMny{>><laO2t{
zjm{>(dsm2e`L4~C=h^;JMr|-&UIZhh%K#m|jzs*Uen2I#LNdk}7c{e5!!~taAIcTJ
zb#@Sbv(_9%>$(?qeB*{HM(tB?x7!T3BnpV4`ZZ#UVyu^~+Z1%}@sEBW-{=&UTA5Y)
z>tNyrHy+o2{^Rt<?^bFVc)EDT;%0FvAg7-9-j1&nN3m5)E*=qH0aN<^57<*NMxjC7
zR|E+xsjr{e+)E`t^ukwpv)ywFHj9gItE!FLgxaGiAb2X%EV~`~#Ri~Cv)Ucc10rpm
z+heIXK#Z0+okr?4nBZ-FDdEIY;0*d7+-c#@UUM;;^Pv*j#?P}k%-P4V>O7pPuxPZD
z1PPJ}+$Bch2kS$HlYyO4F94UI?|^6R`~-zne+M%m3R3r-YN@MebmCoS!YI$-3fG@j
zx)nH91KqdaZ{M*n5WHW7W}Wm-sANz|y!YIKKL+Y94B&)<ny<}pu0ovTpfCBQ5W-%o
zhA8$$?<<65Psy0+a!=SUzqVW6jXkQlzB>utCz@tWfMP(t<X-y^pD7kxWA%=I6y^5|
z`$$s)PJ>`5WWWcGe~yK5ZX#@Kp+HiIVPPbl@*Bt1)X0+2Pr*@w2zykzpYOjVD7|g2
z{+!-S%Ba!aL5#_kH1Om;?ATqZ$+>{z-OVTgti5mQzi#PAZ}_{(Ou7L=W&g!k4QziP
zvINQ&sT7Gqrk+D+Y5hL|6?_6$22VN&q`&^vW(h}MPy?YTxd;x=J@7yAv=G$(jxzYy
z|JgeV9O$p7_|LyK0wavFm5)s&7-*`<UO;{yXu$jOmtS<i;Hh`xj`Hv40~*!fWoLZz
zyf7JlGqvOT#DD+l|8gb%eTn{kiT*$K6xpkI+a0%4j1!)}Y@mx_CR>zBV6y!n!uX%R
zFz;~Sita)4#KPZSnIBKV#JLxp=soRaFYeuXvnGF7ElDDMd(67vO?L|Gm$wMF9oXgm
zK3x9GaWJRgv+ve_L`{4OAB3L5sfjiyu!j3T#yE&R)i9AuC0vP%AE~DkVnE-t;J`8z
zfbhFt{IKNR(cvbKoqnU21ehCCfn0)|5|AWqZwYS0zu?y%q#xYddbfPH{<=JY|NJY3
ziI?>kr{y2xMN%*r3;K{|BD01mn|Le_u+Wr2jQn<P19hfUI6{@<HnK}4d(<WW)z`GM
zLbafB{UbKV?MUsrq4Iow(uFy%{7rH&4+wX-=ufqMp7$LMNC8$-*;i0L|3P)T3~}=d
z=vs2`KX%xCKRB1Gi$f(z1aVOysM=5(6NMfjgVS|s$@mZ0LtJ3M<7!1t{l{tk;|F7K
z#q>HThD{x4;9`Ig^4ptUvSnoY;RuY63{(lr&OVU}1?iFRPOa^+I-fXD=oz+-WT*$T
zf|Z{4v`am$$%#?+bC~I}U54I~DLBu<h-doxPXNM85ugZ8@}4H}If>r!i$JxzMiE3m
z)wyT)3q>#pM-i<3i6Z!yk@CjR0a}pZcSrh%XHD>XA0?GDww{N%y)uM(>gd9hE3g`e
z&_kmC{8LS#f3ZxKN4JAuQ90p28Az#rF_T}Z$?DWTkuP(R1X>Z#n%Y5?XrN!GLr0-J
zkF*!EZO6Rb!j07Q@Frk%B`a)Br-9hQ-cJt2@rQWJ9Un&TkEa3c5o}(1tP>GK-Cjbi
zmOQBFefNgk9+1RjvEcMeB8)g}zSP3}mpKD|eZNY8t6qtW4*8u+^NbG8(4k8}$T|bQ
zdS2WgnT|vKVnK>$r3<W;%C_=N`H?7gYRN}>bx0um{RI|HFd97kz0U0F#wmq4HKk;j
zcMOM-m~s&(RVVYrS8k-^TOT!C<0TsFP84i)I$CVt-deYn2nkY7R5rgg&Pwv8VrFu7
z>#@ReKa*|DuQt;>s#<?1SADgCpKmwni{Br21SCvBZ;0|EWKP<q>Vp*mm;F|*a=srT
z9%o-uA%nWz1XZw|Oc~>WvwWE?R+ztun;NpiZX7#Ntw{Nunb*{FGM<XE-a(<4<0|_o
z;IiDm`Bb+%X_i7%>^|XeP6|k%bb8lK6*xrsWk9EuiY!s)U*7g#ivV@dUV)DEHvA0-
zbIb-tn{!9|`0co2cwT!?zi+Y~YNHvh<SUn~+tSbaD@38$w6Q&t>9d3kebYZ6=n#g@
zV;bC!u<v9ViY@h5*zvVkLZC;HzF~m<W|A{6b0%-bO(@b-AdM~)TiW+|{)%Blt1T!9
zi>6B@BtG}KFZ0X`b$_>m(aCrq0ri-L)O2Dfdt_yJb0X~N3tO?EM;~QZwrA?4mb*2+
z*jvoM0eavkuFfNOa^R^Lzzi&_zjFT`()VX=p_HLE0<Py#0GcIb(4S(PMPIeSDIXo`
zxiwiUj?Z{kHY<#p+GL#76k>&jjGXvGJn{+nSQxv%-fZ$zJVXY7cI@DB?c&eUI{+fI
z!!WC=W2`-*+F`3(*lyh~YyP}cWBSMP7Vl3q-a4os!gCn<_@?X3)p;Fp$X%16X{>YV
zar|oB$$p86iPm#Xuf!g^I=ycX>oaq$K5aZ%%-$P|;#K;S!1Pf`^n)A66kg9~&QzQp
z&N<)ZXO}@Fe2&jKOeeqC!{(5Ct}>@wO_M|Kc-V6rG~oUI`Zke(C#)G-7*LSj4KmeL
zF%sJaYLP&uy7;??%8V$BVw+VzmMby8-XW<Ip<q`}EG{RRD51Bg;oN_;AKkep=WQo$
zKXT>_GZ?oxB;h;n(Pbx#IXjp-A9R~Fcx(IP?i2=cwjZsr3=J{7CKvJ;Nkh(Vc1in`
zWrr@8$8un46k)c_^jR&D^``n0i3v*|A<v3HS+DmngQx=KNru4<U<NQ)$l9}(v%e{)
zvv^~!z8jb2O}QZ!L_MC>frehS#)HI@7ke(-ey~h}HcO$j2vxb#^g>iej6nc2cLq=5
z%jrqqU2vaqyrpY+rjCzMEhk1nVsEp0jy{xenbvs<dR-;Dn~utnG@(p_LJxcMF~Vuj
zyxRM#0IU4o!FfqOCf}WjQHhv8ko~V<ke9*(YjfIpaT;k1$f}~%hZ~7N&3GSW5WxGN
zQTpO1KlXpvyD_uWzrnTlWdBtLQK$m_OcL12ir;rOE)Ns{yYPSqj~yoO?r)3Zc0?vm
z*lqO=8a(yzci8{&?N&1CHsRp`Cg8ND2B#}1u^u%B&clOAtbyz*oIVmnWF^~im*H<3
z>T_*nG1aTabGVU7#Pc_P69pmNnM!@+aNX5d+MT^6=}YJQOktCVs*TYH2j&!<$JqWP
zPb11qCzg6S_!VQ=3|@z(OQt8c1`LEHP)P?jc+wfwJRo{K-y)R)Qd|c--7cBinG$&O
z>%{0|I8sk-)|GtkT6YWM)$+QWhUs=ii_iGETD&dVv7?S*eMqUGj=jZt-v_h1rbG%}
zbl)j7OBf%f{Ib^+K(!pn!AZ-$MQ773EMHFr(w-X?uhX944XA@nj-WjC>c`Bm3;UMA
zSNlI^g&nTAtdE(9xvf3kq`Z{8v%8$!FjqD7MP039y#{#vf0lhh|B|adskX*BldoDS
z#^-pz?CK8VJ$Go}jGZCB#ZUTLP>^TQjKq}ois9T@Q^2wIwZWM6S!Eo#!@Vq}L?Ve8
zmadhzg-Id?yG<6X3X|IDUB}Jer4sn#&vWso&Crv-_|YDkG@RgGZj)+6_b{L{`~C?}
z`_O~+W0}XP>1hf;<oRL{ZMW4Agi=XKR$4A5ji@{MgER*ryQaNIlIK_^K>SAyLfF|a
zH2bDNs%6Sc{{&$^H<H5|8QeJxPQamm%n!9bSK0wmnK=%XAm@m$izmrlKw6tEyjTnc
zjB8B4A9B9;sld}J)7THCNlw-<UMGcp_MB)X9XjvO5Rb)1*#&k7VbDNhT@>8}R5h6n
z!qVTTw-5Djj+%yOf1@iWMbm^8jBF^@wjnWXcPzA*Dx3uqWsh7uQR*sH*~zRoLn6|r
zaWY2M{hT`Eh3CHYrR@`&C@0aaT{&+Ks|lUc_gk;5*ev+~s@IzH*mJZ^^@|5)C;e50
zw~qd(hG#7l@36B~CAXX|KA@$fTe~=WB4?h}u2nvkw^XJ&$R0M`cK9uJJUzlcrtFJ$
zYhZTQ%Sefb94Yzr=M9Of7ork?1T=ttQff5xWxMXe>sZ9~TM{Mlq19c#Gyc`SDa(ZP
z=-A82*V}d%-}_Phu*D*aOhdV!fgblZAe-+iUkL(L(~WSQ;?5ARVi1vD03y<{$!i^~
zT*DWY=%fq9Y+|+TlY7$nGWBO021}hVVzs;OIDyUpx6OuTchU?#U5Z)VMYm{)p6ri$
zG}FcmGsyk&9{xhbn1J|dj|r-?-9`v{qSwLtn4TYEnd1iMgTqJK0hp|=CkIUF^!uAr
zexN9!Eej<zmBN~PiI*fAq4b*R{m!HI@TU+78Ia}N^UV=0wtviO+1U6+$+w2CW|So^
z`^^C^5a^7Yj{!wm>13ZOonJjk4K1z|*veavf-F_>)soPtfHu}q>X{}erwpDIU)~E=
z-R0A4cuv;x)TgBDj#3bZDpHx%a<@)*1c{{0l$|wnn>(*(Qbwvrwk#1|jz=$V8%UXV
zzA{>8Upt?MuuDWAbg<H>=VWwhGt!BOg%ytV5UO$80gUn$)n4vWQR5AAcacp6tJr3H
zKn5<yiGDj~@wg{Tg0r5;?drJS*;ZFo=I)>CE9YQ@D_33EBo>T0t@i8d(vdYgOurqm
zNc6LUj~#0GJs}bFDrxA*c5UQ!wwvQz8yXeni8u&Z#D|N3ltInE&jlBj#IPB?xr?RM
z$iKRV?}q_qFMa#N;{4W{cnN3yx0RMURtjOcfUT>OA%pe%9CnNgUv3z3PHlhA7OI&v
zm>XzY2MOq$`FftHavDf$>Sb0<)-UYiV~MQ&TTE(20~6|wE%$I`3QS;wgSo2Q?K>L4
zu}8IKcz=$5$}WC7+ICQfX^;QO%kaIl0xr|_Hl9KKoKmEYv@gvqXW>u#BK<)Cy70}O
z{=jv0`w<q>rO)sP^ov@TY8>t8K%H;$d*v~{Oz4^VtpRFHLO9{BSDT77N?$&VhjrXS
z#OPb1ck2tBfBfJCWc012B!CEXr^Bt(E1PWtq~`WISk-==;(QlJJi4Oc13ODkja`OQ
zilDrUWnAyts2rurw<MdNF@dNfFQ{>8D0AlfiokN=SO5BV{B~P4zcSFxYSg`e2!!mb
zYNa7s;fKY<9pfhGD5pFSEjX5h63*3&;nGSUZj7zu*OxuK*;Xj<Iig0MzzHUHVyTlU
zk&V|Nu8FsrYBp1M!7Aq6I_PJDXRw1}eP&*|;i3y98vS%m(?;~h1$F|5Rkj<)$Pd|0
z5$8@4`+M{6%FcVC4W<<W{0q~{Y<tlnZH8iks~4_og<8F-NqYo6Z6SVI*R^3CU>80B
z4!fTPYJQaP*Io7=Cp_}q;{wD+_fP&OHClaNLp=9HlxkCcMxfWnFshX$v8?V}!ah~9
z?@1A70DTk)ZhK#Et@tdxF(7Xb#1x<LR~F}LlVmyCs9}sj;biMo{_i)V!m||z#4PI1
zWG7=c@B0~Bp==W@cPCICzSWiNxP>nhurb!9oB|H_GafnqXFT#KDm0dmyW0-$1EWTv
z@33EFGB1R)D~{h&EaHi2iQz#^skN#{$Rew0!}Ch#Y8Rf9GYCgRY{$9QjfAtOdR@V-
z8CUIL43xEWQdc@@FsF_>N%`R^9ea~Ehvu%H!8@rZIW2d8)uy}+ZbvX`nDX|_mDK|(
z>25TtfSFdl?IBobmH;A`D3(p)7rN}j?TPZhLtj11xY4^#wJ1nPm_5WHeSm4bT5<eL
z5&0rZF`vOCL)*b&wV(1`zWsUNebSK%3+>A8tHScyTZri21I-y#D>UsVjHaqeb-t?*
zU(D&r`{B`t*jN%O5k-M~STK)-?r*sP@A#@n??!4q2$JjfdlVView$2Pu3uE`_f5bL
z0eI;kp>RKg3T&DV51u?b63G}LEmuvQIh-oV<k4y19ISPA1X<;0oH?DHQyeSQt;rXR
z&2Ec2Yj4@<Z5ZMsLa4lxix%IcW5QbntXAtf56fpstNv*er`Y7O3;bmi_XbAsvW{<}
z>ny98jvwXrU+-@&OW;$lbn+DwR9?R7${9>ly^EE^4(+NFw-Yj$Yw@!_FnywicU2aL
zgd+0IGY)HxTAR&qgu_FVNbHbsw)Au3n~eRv1!~q)NTFph*e&npA#oXnANuYj$IomV
zdY5-5(H0|O;Tc~XH`+Ckktea3oH_B-?rohFiRpnJjLCIUd9(P<>!flL)@QtvsM7M7
zC^t{h&L{0HI)z$r#qkNxHWiOW%whdzqwn{a;R(VcyGzWw7^GZciE}qhWUxpSC|w^Z
zOW8BaCF&#k_Lk+Ulu1|nQ=&A-lp7m$`rGl?q(Dh0051QfN4r|FX)Ukrc6UA87*6im
zIf@K7hOY!uWGG0y$ak&U_%6nK9_UGJL&(m&WHIpAe`Ns52cpWO{TD$@Ig7`wnnrc+
z*6GJ%*+F6&-pppxIX=P_BjS+^vVgt>jNw4Zq2E-H4>yJnIM@q$6L;U6MN4Nh8o^2k
zjk|kr^|?Pqf?}lW>dyO@+mEW)wwG<Bej3C57|5U?+v}k1es{Z99!TW;Wed0dWecxZ
z!B`VmLHVaG{PGrJX8kW)_|kq`1W6Mw@VH*Xmg1K)e+Hj?FjDHXs52X_@ZsM$EHsvQ
zo>bxN>D$JlO9owQNNN^eF#BVg<eY0pJhokp?mg+%K#yho9dp8wybwmG6JFz?Et6;g
zYwu%(FTwMO2$t!HSF`8$?n|-=oy`cuE&J_7Pk7$$T%5l7iv{p!g`3&)E8N}$#K%RI
z7V|Bs9MkshmJ9YU3kIi36?*<UU~}^6O9hgqS5n_ZTij?>mqrV<!)WAb5QB;F$BK0P
z$cl=O($bC90GOWhoQ?|Jrz43yn^muy=;YgNw<hojaR@p0X*22jf=GT!(br*5f^qH^
zeeaD^QvLpp?~*B47J#)f3<e5jf|o#aHNZ4Xcxe3%0eT(^3R{<4c??JG#ANC*O<EYQ
zOa&apWbIVb6E5o{F+4b>C=YG*@MbJr*PiD~_xP@6+Vl<LY==k6$;75gl0jJ}=gaT2
zu5Z&C$};pg@7<*gAbor@u51zeAe!{h=E-)B;vZ-do5wLAcf4?7(78cSJ66$gq+P7G
zNg%u;U$uoULp<~k2I9-C&otOumOUp<a(mS-Ev}#oy>VdF7=s(ex{6|^Y8+IXAO1vE
za$MI;m#zSXu~6|#K>W<p=dXcv`_<eZgUO0!4oFV4(M-0el&_D4R`8+pQzy`Stdon4
zpUN%6v)Z=`%D)NVU7C(vsZ}3IPoQg&zfknF@3fhW>Wjco+vMs#UQ~Q|x%niTc+B4N
z!4!yM>?k@9Im?$=H|dPlD9KZ<3}f-j56s1`f388vJL7!P{7j6huD?tQ?2jgF^v<eD
zT~l6#rng_GjxXeA=VC(+b$WQ>_)ljb``?_lA2y$&9Z&8&ZcDm>hv5-9O8YL?5zT)p
zI}-8Ub>4XRqlPI5{RjB8x;=8Be1bFku0Pg}r`D9Q(*neVFKN%LtN?K?+_B9&n`6B4
z*729lzv>@4f1J7XmKfZRVJtdgR<ety@jM`K+#R1prS&t(tD%{kCF$<a->j?iOy(r-
z?H%i^hJd||u1tHoFb*#4+~l#1SVvnM!6glGrX1-~*W~J?hg1*6gIVY545EBC=RC}Z
zsQC*NT_f_9NGw9ce#3=9tHA?($m09>moJZ^NkI|QaH1?%nBWW*ZxLpe8We<ia^sd$
zIS*|T!}-P0Op$)!yXFiKP<IG<73jF394PB~5BCW$s-WvAJ!%!=mE5q%hetH)SReQ`
z_Ca~<B*&Lriz~W)G4M4pT-HY*e62+onMMPgjHW=lD^kIP_Iqo|^)={=36Q8NRxSB}
z{E<eX5)nkR0XsMKv^{uMcv^r|f<pVVgI%tlS>bXZD?I$A`2578ynO#hw=LPyV68+F
z&SItEl#;Av6vp@3BUi#23|vNGQsgzq#8@|Z4mb29t3B;%-zI|<V$vJ$R;{P$=e*x0
ziL~QA-_w1`P$*@wh#K(5cG8;1Po~Mqr0Ia#K9(Y)YJ8qilcDNJ(`z0n)f*5$I2+IO
zF=9;oi~P(CF3Fv8@1P=pE&5|5p;eaL53yLmCJGp<4TeH|aV(s_8xm2~J=(fZcGI@n
z^D1Re^hlSy@&tO8cW`4h5to(p8(6A^FHT$P3Iotu?q?xkVFw=r^=xt?NzS$6ZVK-Z
z)A3skSD3&IiePT7^5OAFc8^|@Hm`!c!$P5SX59{VM$K!JxAo(1K4i4-?q(;>^yYBY
zx6vIwIME%VS(-|@jRh)E#mr^^nth!Ue%89)N7*#s;F`%FeMdUaQi0u?p6^$#s2V(1
z)P4$o%Uw6Iclp+tY{yd9My!ExZ0&H7zE89GVcYLdrM7@6)Yu6;l~dC=bJ2YCyAaZ@
z|H0Z@$2Hmh{lk}yC?x_SC8E+Gpfp24KtW1UQba^rI>wk>q@;>~w2E}+h!Ij#x@$0`
zbHIoV81WqQiu=0!{+|23pXc@S#UCfH;dY+Kj`+ko;%~)_&qAF+9yco)6lNJ|S4G=d
zuns@EX=9q$RW<+H%AeWlD+C!pulaT!&39mUv~#m#6<kX!yJ8Ynu=&8O#yYm+UCl^Q
za71G_1b#U7oXr6V8U~6lMggciB=UHP`1{9Y*3r_*?zbE;V~=)P?B>dyi!W>~E-)N*
zPD65hp3$>aJ7tcqUx0R)f4$1NY6-w~jl4@`-ar;3kUsF&_DOvKsKU<=H7<M4yO819
z%MOqSmnlqW`AX7}(Mi^`s`eO`NiQ(#d@fu?-jEB+=nY7S%xa32>c2tP`ObgPXG8A&
zX3xs>mSMM!Ied}%ft3}3K~AP@`t3T|hdhF4*#k}PrW`#4B}{5e=-LgjbhjEs7hP}1
zC6G$AIbUi&t%{k_i5pHB4XKyqdMs?{0JVl|^U2V?sA!u<cy3y)zqy%DLZRK@`v|L3
z@*&8m#)&pwXE#Yvhh7MBau$s{MbpWe+RAToGj?O{d#Y&K@VlS9W-y=4t<hE257rt9
z-yue1Y^cwwEN)k={Yr?+wI&$qx2qE@*Xk~~<MnkS>I4LJdH6`o=J^T3{`{A*=ja8}
z0fH)qnAd>hzUvQQHAY2ZKwY?9-eFyc5IK~p5}ZM@n-@O!(P%O^VyJS<h1F{sXv3Jg
z7|(auX)O1U+`9v=(*EJz?FE1+*-S0H<DQwD-b0SCIm*SqZD}7ihGfi3iLqz<drY@@
ztLx-w3w!0sjVlIFQ_aWvj_c!^cWrM`^8Oi-{+K@byfcwI;5jI_qykg;0Q4xR3-{(e
zE}1z5st@rsr~sR9rGCrPUf3vdiMB51(NZh(IzxMq;Uq<{%J2*U36|w6Z~A%!OBn97
zDc*bY-DFe$-lc)F0Q7JpV(;(H%%2zavLu0Xw&?{&L6>tlU6yM3wS6DmavK6_m%E0n
zXX#-TVTX~z$n~wy1YCvWu1!VP{^L@^S4P7*Vf-g6_+ny;HQhsti)U*OK7{zt)KWX#
z|M7Uwaa>k$*EWl`JHq#RxLujk1CQf;8w&a_&US`o$sy~??Nd9~V3}3dW0~Wl<Xsf?
zLIiwUis^W>^wzqbAvnVhe1Wm{C4u9!X(+l#k9=}xp1Q|T`9^1H1Dre%9*!(*#iL?3
zefB+sx4tdBoe=l8s(}(%4{D#VcO>3M7uvv)qtB_l0bNuxK@`B>ZNsW6a0TnXeW-is
zIGyPSb-xfK>3BP?QNl1_tE?Dt?Iq*(A_IMG%&AagS&y#t50rQPg)fcENjt1-!nE2*
z#~rZImR%+Pc=22kiMKA6A2fHUFyx9EJ6*;)PO^Fxd<j^lNo_*j@2!_-+w?M(w+)<1
zG`=3c<<MCGIAAWIjQ%qrtCX+m(lRCp8oPzv-F(^Hx0#d^Ng*elXgWySF*H}=%KP>&
zP(`i6E4b9rA#tr(6ByH_NxCliqwD2^D0=|VWcCnP3u}O~zg;UR!^H@gAh|Y&nV6vw
z<_V0#&)%ru=}|=Y6*6cHqpXj&^+<7AI0fcrP-1wds;{r_)psqbi=N>BxjAKpEiT1Y
zsxw>15a}LI3GW-thl^o8+Kv<}=o%4y$Z(|`0e62z90b#m8f0{h%$}U7hNKQF4xQh#
zlcxs=2~JOsu>x-1HT3|GP0(JVvScj*cGs%`SuPRJL_I;D?2deFlE}u>&(sdkZc49e
zEryXGzN-(L{DP>S=^J)l8m<!rsvQjrrrP=UV(&CEOXdM`;?{PoslFQ#BSRBYVIu#%
z6&M3kRm1p9!<;!{4vXG6z1ApRy>WP)IMw_FcT;4=R}gv!1i3fHYn_9{AGUTFBJRC-
zr`jtOmu>FeEgE#QtZF4wQu=W@cAXMCTB8)NU%5q<>X1LGef%_Jb&WrP%hL%BwtGxw
zk8C%n-C5v4%}fheQQ3uXK_#W94mOr;FXKB9y@!C<%WX+Xn0r;-z?`qY9W>;+ZYDK%
z(HICA&&MuBa{lx^y=@Q9r#~3I`6N9X<mw-;)?43bv~!-j5}#j2!|j2JBk>9!vz-Tl
z8>AnA(EEv#WVv4Qmzs^a#_ilpM`wcf{EZI*9#NbT8BP|B$maM2OMLt{R-fGyC!7sR
zJ<e`3?NqjpR=CmOlujnL4@E6(1qW@aPzH6tYsFLSE(cTm`Ax2C9!E5Zya!anZ-WXm
zu!v^I&H1j_F5`;A8qR8|skn9^=a!aK;W&K(nyHdJCe%wN8)N`#TzshGHSxFYQsmbu
zoxhFj?`~>kJxY7#xe1?pQ^ZX7@o~v>a3JTH!uN4!#%p1QqxrgdmmOain5qLf=N{Q7
zlJ3I4etsm7^6d`C*BiPL98FR$7ug5mo#e`~p-YTe=2^G4TH6Lq1tphhx|Cm`=)S0J
zk@MT8BsgWfE(iz!Bnw(S)<>0Q)pny7-dtr>#eRrXex{<_6~LKaDV4A3PSY@$_%xo{
z0r=|luVU4T&+#=R+;+Y!<GudI00Bo+Pj4S=(Jpn@=2a$W7PA^3r#Nh_FiNuqZq#o%
z0yW1+&43#<s<Qo6SKXJiwwN|Pz%XnHV^OEQq4sXuyEj$J)o0#r;CyUs3LYznmIf73
z>%lKYv$*{`<(hqSE*t$;mEcex(FRcXgkn<L!qwS)2a)=sMbHfMF<#W_o+$+-beAo;
z5_C|MKiw@!59fwe-E{mdRtGla%1h;*Sa2bf!Di6zNjnYinxy1On(W%$a|}IqgeJs0
z=;vP)eHLtZkt5v6Cqpy000MH%{}_-rnFHc2q>rclqG>AdR(#@r=_t1=qrcY9#yNJT
zigQzAXg7a(FLzT~2ez3({CL@0z01AaoIWiO^#Wwl{pm2J$94}dPEGC?9~?BE$XZ6e
zi8_AtXP|S3?`r*1H#+;6YU59Grx=s!!(P?2@tf9;dH6h`YXAfrK!I}^7WuF-+ottX
zAR}xWFt$mho>@0doYBYoZ?CpM%7Ce*$tc1hWsFZN{d^66)aFm-tQIKjfqACf0x{_s
zC;)D`A(65U_t7Mx?D13N!~N5tOkjRZWqwrs*W?0o?FW%GzYc^#-qA~PG|?J}WJ4Ck
zSt|GLmve(s&er3B->fySMf+V56lOQMcO2<6aC{+8j+<Le{Hm<pt3u!<O?2okoSk3j
zCwWOP)2pc-<-|M=S?B~!MN@=v`B|BSYj>IVip?mkwfXpQlAOf#Qemxq)YIx^LJ9!l
zTX@JJSuEFj%A*jAhtu=L`?6y4!8NN{O;_va(|U7MmHC%mfIeax^>GE_PeqlnY9Qrh
zO(?(BH7PDpYMdU%IExQBccf7rkrdXQCL?<ojKN;S_v+9G|9<pY>!TSZ>YK3zyGb-p
zG?(g9Kk$q2jE9(~>nDqFd1wW@FLaw(4;F`OGDOk_T`g5+*0s&@sBbgVin^hy%xn-_
z*Q%TKICRiuVV!15Fq!k{RzwKBtM`jGiw;bXZUNafdaL*-0jcK+tNAJ7j_)qt@@x}N
z1c}+V5_RBjdL921W#%d2$n}_hEDJ=UFERZOWP6wjVl}J7XAg*kEKnsaUF_-*E^x_u
zSDXvGZv>d1dc}VdS980RuYF^`LcpTcdG!iDK|jM_UNE`u@2*GBb{u(LZSUzojR}}U
z{<{Jb;hFhUmhZ3n3$VScup_lq?w;7wB#+`eUmHPj@Z2BS;>=hZBS@S4C>kZysr4TL
zeQJve>Je(!XEFu;<&3sH)zRPwDQLPX8NkT)D0=69YT6Uh3`W5kcekeqRGaI~yX{!H
zKioD*2-#OM<Bp}rqQw)f6>+v$;Po&SH%ceTnaqNlSmAl>Su6sLD7nyua}IW09%RJK
z4%0(Brq|2xRwV6%rGD<Xj^82l_&C}%;0x_YHZ1MQoEo*T5c~Maw@)r3o5{P3(bgvf
zA3yQ<QGcw;4I3Zq@+Q1Bn%5G;VzCSeT#VM*K<fVAd#H~BNGt0us}ZE8L8P6RLjAd{
zMMSMPPpK=cRsYQpLix8czCF1&49Ng$e-fBF!&&Q8J6hPZ6DZp@Ct}h9Wm!MU%&$qT
zOoy?DJNH7P8-S^^T!3X^(V0em8;g47VE0*jF1pJXpXo?9AWh1OA35OE(|-I=={=!#
zbl3D-khf>EUvWO0%cpnOL$pA>)uIU0-umouI?MBZb?+>Omr-Zd+&=*vtj6dOYd4FG
zTOvL*$k0eJEqS~eL}qzhnhpNKp{Avs2QUbXaBxY-f5*ZG7@lye&>L#TXx95hYh`qG
z13lasKV^%#4=?7!;!0+2Kxf(#=5@+c1SF&_LAN(d+SvR3SDzCQ#Mz$gjl3AZV{MBq
z0Lg4MNjZK?d`5`k&^i;?J(guZ>bES9x);pN^IlL1Sb^QNWLlnxWK^N$R23?hDz%Y!
zAeUl1aeTpX!CcaLE|J<SFTFm^jCD`@CpomL)M_9d_gTlHu%g&tfCqRx2gyos{g<~h
zDA16+olS<b&%0wYr)7+bm89{=FOL+y7ON#0yysV;ue#pwafRk;8K}-=k2^_N&bgdn
zp9+4PYBd^W8s@~GAVw>=Z1YIhEJ(hdS;8x<mS`5nu3<s*@W<!fi_~wviYpSNpEY`$
z=;djmGyQ6`>3Ou@bSBBFOS!FlR-Ibj1^rt_BB$CVmG)Orf00D{NF>pzb!nc18kuj@
z46yy4BQE1AhE4oztZDj%=1|SKhjH4DmHie<C{mM7m2-ToTZRg>=$yp77bVw133q|=
zrpUC-!|2v%e?n)eiw^RQfuLMag6Rguf%VPX_QS72TfYFe*+1G1i5ce~3>~P%CKbNj
zT!ANnzOrnVc3z+(U^`X4-^Zdp^{6FEUzgrGv|X9jExGg;LG(SB=GCWEfLd{6X4D1x
zm->gN`T15K&vlpD8I)agM%1o{yfbx!n0|Wd^tjgO@#1bQwicwz!s;lvc%6wx>E6M#
z%I2<uO3~@RDxQA7o%^O6IxqCR$oL+=rJ&nNM`xm_{TSCNXd()JbUN5lhPh?CCsoO1
zvf&gX&!AEA5a3esrJO2Ol5&>x-YN7@D{TDcMPhX}!&l-W6+A!+&+|saQmr*XtYC*}
zU!mzYOh&4ym;>fZef=Gs=!=t%N0kEj^WWG#CEg1Va6k!Dv9feZLN`g$H4K|+<V!8c
zW0flKYcRde2JkAoUHV@Aw3Y!LMrWaM35Yd%3S+jFE8mtmPI~6~UvU_JUA@)0W@(Y&
z22V`6&<u-fai~_DMwmqZ<-%ML^ERGg@DCT}iQn^kmHu#HUL}6MrNdOoX%y*}#QXfq
zCsn7*Bp2pUkGHi(PJ`b>3bb1jeivn_wtM#YEKZHQ%iAJoRk&5Wx>v(vKB1qzKojX&
z9Z@=8*G;3Cu5Wd{$<c2Qexn4l+OH5uCjv_4^ziUqpZ9(rQAYXZLHPb^J*v3d9^Zzx
z(8%4nai?+Rmvb85!oxtta}+u3I@px|F)z>q_>L33VhfBE{Aw>f<?#L?%%{P$+i??D
z?D_iqwsmuwRxH(v9BL+s1jX~j_@$u|pYCsy>_j{pmrSaJP2~K^E(&Msk#rd>8eX4B
zH@VlosP(10ul9|A6y9xod`=@gRWY)NrYFEMG=RU+-y>}=VSqX0=KNRrK*{U%GZHtg
zn_hB5ZZd7ONIxU;Q9m<#`0Ta9dBDN^?0>fLUeX^N%!8jCOv4c|lMHTI^+N8?B;=C{
zr)7d#Rpn&3=fd~xH`SB8L!MBx97abM%$W|kPXrA18Aq)sLNkwm9ajnbayv8{;7eGB
z<n41hmqk|nthel9tGe7vf*zsc8_I`IOh@zT*|`<Pjx<b72NNJWDXO)jPc)CPQiv>j
zzZ*O%0t0K}*PFDYMrheW2`<+YP0boG>pn+2qid4J)09$w9s)pg2S|hnG<!T3ip!P)
z@=Q%^5LQ_qqvt>s9esDJ#pH*$x81$hGOak2E&lg9P{5>t-}-bRlmL1G8KOxBPDBHQ
zJyv6|&!^}sD3eM$%>?^l*M%R2-oFUqvuHL?f4!E3U0@FvC1Crj(cY^g5(@>68ca(D
z*gvhnM%tO{w4aPZPhR`dVY%A&x#Ql4k>((KDYEswv&T%%37%coW^$1BkW)pmd};hD
z*dVtKp%iQTWD<0{LqSW_^m7-ze}I(+3RnCx=Gv`nPkWxLG5E!=)0Qq%t@0pK_g@W=
zP6IeUt>p8sxs>8hzAsr5tzx?{C)5oZy5*AUvdSuW6NDJks@q}MYpWN1iQ1w=p+Q#6
zy3W83NEB6=8C(-yI4_{K^3}fgy%nVesarc7dKrEUUFvC*P?&A>0qYGZlpQEwnsW^`
zZSaw?^$-6oyzQ2?M#|}}Wpi^=lwy}Uu^ZS_7z;PE_xU7jhwdAEpaP!a*~ggGW<csm
z6Nr89@#DeOXG->r4YAEs%3DvaH!(>aa$XiQ`yBlsNcuUGCdpGd#qjX6S!12+CE2o+
zW@Twb9feEA<yI+sTTEAK`qyh$Mv7Z+mf<Zt5^Azs>C6lpp=a~kB6P-+XRxv_-_%}~
zH1dilMKm^4y4e}D6_&M1eStBS)z}bNNjYhZ_Xiee;ImI*bmk5n^7iPf?E8s8XN~59
zMp>)^&Gu4%%#>V7?0w7{n8jz=?4ur2e?@m*!&iM{FYW-o%@%!8n{7;qI@M#3y=+*k
zpfWR%9Uzjfx8^sui?knbTEx11ZD`)`qAxYiNIdQB!@#F;hkU*GdB@bv+ejfQ8JP(k
z4p-w8nSa<RC-b?ctnE9w<KEo~n(!TK5lE8iff`F{hU(gdLun??1yQlcjg&l3qfElM
z?iBtG=KvKxJ+F$Kp+auQ9mAi9DH7JDZhF{e-N6|iyX#$NvO{!ep#74kM_<|3arDwh
z0dN*$=SmXf!y5mpXK|7h1|f3v3Y5PxLt*BcjL-^0kiKpecXho5R74wTl(1NQ&2W*J
z6tO9JdYEW@4Ch`SNWt{wjD$|$DG$D;5_MDrODYzPkP5~FHe`^uMGxCKymo7ftZX!o
zj<TI3pUffy6JR+qrw=M;ek0O`EHJl<nD%~oAi+C&0f4guS?PXVFn7WLN5v$J6#@%)
zR|?Lsrc!^Cflr8CIVQ++(qm3C)#;!YtHHCO@J7?3y#MSARQ)>=(=Fjn_~`cRISWeK
zcEPw*9>*6A&hvuZ%|D(fv$G<f-%m-_4{N4+!J*7|$1Ku=@9D#L*UlE9Qa2kqLD_@r
z+BJXieWjMLW4+I{hhJw>s^et<BD1l4qwNp~$^uH{BKIBXml3p_5h~B)zJp97Sg7_s
z2*cBCfmM23a90}n7+?E=6l^YxY#HzxKahBh2{F=A?SR)f$oua2GxttG_2uwIl+w`l
z&2(oiEP{a?SEhfRUJ)nj^P0i<!OxsBjQEjYc^oQ&^qvjbN>2p1VaD|F0b(Y>aM6fD
zyzc7ZLFzK$lXI%?qrbMbYO?jUg-YkfWQL+|xesU!slGnHydM@=Gd*4djs5A841O7?
zjN0Mgp_FesdiUD$G)NG8_Xz&H2am8~gve(1F#&qoT7W&szF#T`tU~eZcTW6T^}M1;
zqSh!<CLAh4!48)9`u-cvQyw}2XOLGhXYb~WQYW?95Rx^zDmh;ad`(akiI2IjL_0bw
zR9-Yycao9?BG+NyAF%p_%88aUY<r^fvnA>FsYxs~j#tw&`N95jYVmi3{;)>gCqHw(
z`0tWDQtb&Kh`A_ukJV=Z%WrL@hhxDIBOTq2O&ut#g^c(~{(7(VN2CfZ+<Zwl5>)TC
zo0Z=nHd6{;7G4+O#4{bkq;hs;wS}cVvPGF$_FWHEVh$mU9&oxWErs5s3~46hnWPO`
zfP|Cp;62GBIpk&mr+QM1%*uGq8P}C=j5;*bo|MVo**OWQX({2n&?^_60_a<Re`Ry>
zrB7wcxwOCUT$;0<)$(X>S&*Fm?RoJc_hov1gL{|1*Kfwx*nBl5re)p@&ba^NKa{Di
z{2&L2CZkWYC<|9|-2Nq6el*-qQcY$`o8g@0136zdx^#cXR6&<SEeZwpjI%~{0xfmU
z48TSifZl+OGDvKJjWXlpn?m2vIohC0cYh{i@awOZKe;Q$$ma@}T)3Yzl$-jIMatqj
z=oLnrm3jI#-Wtf)i6Wornol}i&qKB&1e|t#q$?IK|B1HRA@l9-)*wHB{tHlAQYm6N
z@__?`L&q2T(I#Gt*R%DDt^%t<V~gGWUQ;3+qX(dcarhtnl6`?+bwP=t<nx7dKvlrm
zzMEiLq3#ed%49WZz5A$Ftiwrju>b5;{?Ow>LG}2LEL(0F0+XT@CgYN~3QbM9yU!u0
z-AG9IS8UYv+uc%rJ4!zuO`5qr@o&ii1<+~uKBPf-7>wqR`@hY{a?sBFjhbJ${&MCU
z4LSHX^a5mESpZ`zv^uQ{$Ldv_*q)&L-`uQEw_oR2+NtXNo{?pCm+7yxBz1x`26pR`
zFJbC&k8XUF40uEXZ4BklB3K@9zg%?UA2%+4#y;ErRz8&9fpK?sXoQsEy8syy8o6tb
z*^a0L;5>glrr=T5yX#1uyou3pyG@kCnF}m^%2(1887f!<DXKeh@zRdc0IC{pKUQHT
zkpZkb)qy5Y+TQk({;JaRc8-tEhfV$yn)wlL)F9$@Mrn~7e-C;7g(qF^K$a!8Zl1*W
z05AqRHk%u%Ks`|N&Yj;Z=zHj%KHV7dQ4pmExw0Y|@$X6d_hQN=vFsGC)6W5k)pKWz
zwPIzl=#&_NK8~hyM#xuA^Q~D~7B^{W$)13F(3E3JjsLAPH1o#lW7s9ZuAOFlsu28Y
z^06PZzc3KjS;5>!qUd9O{lNMZQp>F?by;o#OpaspA*0k}0Ar7el(*X$8^0gJ$6W(b
zm{rz@>8DqYwWnMXfAOMt=<E;Vy5!S5x+loesW8_Tz`JC1T7Uh43ja?Uum_3Si7`Ld
z_V?iYdGVu*RPmbcasA`~cox5%Q~33s{=qo}!?GU(-p5C(bm7vk5JZn?@QO(@lXDor
zC_1;0^ZzI3@}G2?|NR*J^D+LO&VOI*@RN{_ZZCSkzWHBVO49W@4{4M`#O5vqQ47w6
z(HW5cS_=8sSp1LyX_aRrKi{v%@GDtBUF}Ly8VaZd)ZgQL7ypL`GbE*F*zV8f|9X2;
zaZ!i#33LwaLX_+#?Toyo|KV%@_q-!r)I&+%46C93KS|y{pAk;tuF6K{pM&{Pcb(Gb
z`X3$)L3$tbCk52M-k$UcIiy#3FdxjBfy=On?hEc;ztq2nnRM}rKsr)n$_xL)ANr64
zRe-Y^GwhvaPd-<u@jpD618J5c<U=F=1Ej4-dPN5*gc1ib36{CtkAD49|NR}W(SUCT
zYHP;$E6r&?j)V)6t`gV+jWUKOpSb?}2b&;eCJsULEGPawg?>9$Kzb#|!#u(fkOw>U
zKc)TprT)9Ph9U8R2*VA+zkc412x*#nx)?7o`FoHU{Qv!f)dAb7<OxcC$-jyde}AkA
z=@mU(3-dIFeu|}bBN%^L_T8P3=MV4i_Hl+uy!;=A%vT@yp(FK0`WOCVNM4ZMSvOH=
z=mWyvgRh=wJ$`-EWiOc`QCT9Y_m%ZA>X{LZucv=~uz$^vJ1!)aca_p_+rKWNJMGs%
zEZfd3hRqw~Z#t(A3~67IZ8QW+!wv=c$Dv8~(jLl;T1}}2r?mQ11V{Qp#?gqiu}>6C
zqM9Jq$#O~yc`xobHB51`=BL50EC=w=O`+hbI`MN&Q}dsEDH~3|lKIEPtEVDOqaZ)f
z9|qI*pFejllH9Jzub}*ST+ZSmj9~ZV2PM7gp*b&=m$a_G%Ev(EO!Fzy>$+qMzg|F}
z@(gt|O(pn9JiqyPpoEOBExv!ag<P}lSW4e#*_itmVX_DQlBEvkfbaQnAGs%>KRH@s
zSs?H5j#FKcA7icPIMw7hY#9waj-%~nJX3zl-^5skUA|MVb6nHW*cbqllO&*nFD}Dv
zdw|Y*M!`XgFNxFi20Tmiz4hC`j+!_c{80wHc_(QWK7PdYA4cg{o{+YJI7L1ag7#15
zssh<4MTV_>H_tH>z%dhbA)J!+ztVMYrg~uBYG-3pv9mv-K(pqmRTyA&))0O4MmL6Z
zUr&v9u4#0wj=wr}@+m(l#tC5(%U@4q+%&d?0HI@YdVa=L{ht^z%hrplK4tPC@uO<X
z1U|;z{US=?SEy-xGb{2<&Qqp~*$leAXvwxv;j$Uzqui~HpHwGUh?sA+J#2(7S4m9!
zEY%eKZZULrr_B|!ojgqjRso!(Mj#t@b?@IR2|TqXuyjUdTCPUjuHtQy^1AI`Yr^($
zSzVH|zGTh&|1PcapuwCPYClryDI(*;%!9&x^<y9zH<NwgixZK$4UC(`b^dAG%u2hC
zcimp>%jn;&p;~PE9z`N3rPc@m<K{?$1uNNB+lL4fW87)WG4&eBXE#@`9)nkORu5ZT
z1e152gLFRhJo)?=bmQ;mrVaqxaj4vItx<Fiuzxt^f#=IT=~-r~q8624fe>7ZMgN}&
zm^J_Z2$-_}Zv;%23+r>Pt`B|)FZDURvbBGBVQP07#(2={Ip^;HQhi5RiWD*YJwe|O
zUP+NA)|r57d_@v0H-@AwO|gG3HsGml1fI2dtf+6)36v^<=wxc-q4<3H8D#Kf*pFU$
zYmxc$;~qQxT;+=gLtO6hJ1ymP`To+LYD^KB&*<MB(g7>FA&2|kw+C=6{~pj@_;J>k
zQN*%morWXrHL!+x6nK77Mrb|?wRFL2p?Es#O*a>5TMa&a9D~en(e@3j!^HL!WJ-M9
zk9O|wmgg4=zw@xB6LqWeg&;W1AmH8>&Cja*y|w;%L7f1OIfev9so!fQd7GA{kNEP$
zy-<Z)x|8qwGn9WjbuHXxrn0Jdw;gu5cJcz2!e`;-LT^ODqoRkenKxW5_KAW$BTVdD
zTO-b`$v4=W!>8l-uzMi4TEv^TzT-KTc7H1*|GB5_{78u<(D`IkelJdQ>e;tDf_3}F
zDA9xOuLL(I%K>UO+<v@PRl@mM#>ul6!~+fw4~Q<S`=>$}!~`rl;sd5o?#A_AYZ#d-
zw*$$5K**<8ug<@hek}Z$FpY{_1d93ZZ>U;ljDkX>R<y+9h0gJ67u?gEY07c$dec>>
z-Nc6go{_xP<@Gzz+Oz8Opoff(dtRawv;_>#s+|SWaHdZ07sqF>I+YjC+9v~`)A-)!
zC2=@5R&1wIipn)<tt!7uvhxpEic16{AJ^+@T(*=Tb)3TV5+Sof&=42G*VX5lS#3(i
z2KkbJu<tn_QgKD>ps#7o0kE%G!?&u*ejmMj^D5%3_6ZKI85`_mIs_CO4r8QMt(qL>
zwibIC^Qb5&(r7u=9tq>b<kBB9CLJ<qp**c`H8j$xcb#+IuG&jmhGZ^FcEPp=*SPcw
zHYHJQ(r)@^d_SnYDnKEcML5*Bn?)ijrX=3Tej%Ac19c)U6QoDOCfpj4f?jxbj6GQ`
zzVJU(J&J-r_)uh-%dwIr0$>9}@|hdzf(;olo$o#<4z|fvKB^Yj@f0}u(l^MVCpcVh
zVI>bGYNx_1NGU@GyRivu=EpB!wjrk8@otGVN>oQBajL;{J}@!aZBvi<7?z5=1o?)g
zDRRU2%1ZJHb6>ukZD1HMuGsxhdtO>)Iby6-LiCPDF_VVi8RKdO<-T&G&l>Ej)9=|I
zdtbg`OOH5ryLznwcDZs%nuRX;H=W0xuXYNY1H$_A44OXaajGUO1BJp*O6-yTJ3Opq
zc6}k)I(dBZy7`86nsM*iB4zj3NI-<PApN?|!*Kf0n{S4i8wH|!gU^^4OV-KX&aUGw
zsU`ZH&wE^LGMLtS?ctj@pqwc`+gkgnxKu#Uv{p_=7R!52{i~>3)QtynAme23?Jlj_
z`M^8RaAAMr$xyP4%lZ$qr@jV2JuLGcP+a(;c_RJ*Z4@tK$r=DT8*Sd3J!{xsBoDRv
zJraw@ak}h$qiMVriGFnm%X+%&<U;IZiI=nsEEI}lmG*e@eiGJL%PI$oHMchU$wTLS
zb{v`Q02JOHgG?))6^54EZmFU0pN%Q_QO0z0u}qtDf?r6IZ^QQ!#f9j24gB#d<DBTy
zCm80|l(pNgnH>O2%9P4#fAWm!=N|Kx-a$Jw^Iprma><QwD^T|(Nzldv9Yvl;6>luU
z8T|aL#&%wpIuF@b0kL95#<{5Z0lh4R&2;TLdzQA?x03Vhbw*H71n7ttiLGTgm@0iX
zx%TLm)h*>*<h3!Y8yDCUJ*`qmh0aOy2}oI<%EIJp7WGa+hnKpxV~>{-gR*_p^MhIg
z{~+pk?6os4p&hOm*SM)Zog(7GvZ5AzsSDQ+=DQ~wT^71&l;2*J0CGx^<e|&DeqOHp
z|FC9O@6-a$a3mtNCbqYz|F+3oxrdYS?1bcg!sfRgb6{ICyvCl~7(jmU<7tYe9s`nU
ze|KrE@T%l$+w*eCLDzQqq=Tn-8IB+(MNZKbJ~cZOxqI<I^lNDdAy$L)Vg!W3eovOZ
z5y1q-s>)9#GOHMM?3x7kyNr(^bgeyKxckCPz;M3@_+TaTW`{{D5g(zAz6^EFqZ{Ye
z98R#zXKBU-@k(}{8#rlv(Cf;!H6yteJ`p6D50<P-I8)3O>ZFr9yPd4K^NXO>Fm(b2
z-B{b2`5r|=e=L*@nWO^nMmGzN=`}6<o*{?`fzM-#YSd#Fgw2ou_oL}~jjog+83*lv
zofDnb1KF=5Iay@srCpaUo;r2vyX9G<WZ6+$46;&E8?yYk=xG48nXK>zpbX0cS?9vi
z3~~UGMeiv|n@{44Dt1i|4MyMVztIEx4RAEg;1;vi1NA@yOy+;+k?jYNvJByOtoTMo
zc1&_8RTid{mhyIVSF%4O>%Fi32ZqPwusy+!QK+AyUDZS8xxvKCGwOF`c)nz8BIL6g
z$3&cB0W2vFEzrm5tRA29c6nFiMmp$qG^x!UzwZCUeix;{C*OF;v$9=UXbHhs*H|pN
z+)8(4O)wsR&XNI8OQSPc;iCafp#-&ZDoj75%(lPu6pNIPk)2|dZEpoT>|mCGa&}3~
zS{an@+`bhU=bVNSuwolFJHIQaNUqGErzgOAQ>$ko>LOwXm2sH0y|-zM^w-}DSd8Cr
zeI)>C#l)3ZE|whny_h&W!PE9U4hXKZzxQ~;vBPuip4aBwK2IA?B_Tv78_nFv1cP87
zD4b&;IRFnc+XxKj%%l3V%+EN}lOUF`O{}}<XPJcKM|Lln6k$?{6)^m3(+Ggqzdi;T
ziDiShkloHT?SdG3b#$Adz80QgboT#<Ybywnu>0h&X43!3m?>dn|0OhpTB(@&c5#y+
zchGs(dq4`ikUJZAxvDJu_ncCh|NETM$pXUNr0M3w_V44%Jn&mLe{6o8JRF>)BFom!
ze?|t=<u|-4vmd`a=W2S%J&9mJJoGHaE_&k?>#7L*?}1htlNCZS;*z4P&5#pU1_+G9
zeI#!62b^~(MU4})24qm#y!*J<12Vxs*{AN*en2Q8Z*)>EIb%McQVpyjN49>)q@e?%
z2FlfB-Xji0xqOA1<>ZdE#ecC-QA>NRSCPGGDmhnOjHOi!%5CF{STN+FJ3tt9z7RUu
z5b)@?Ot;}!bft5~PWSwqQ9C}H!Q2Oo_xve{0F}oF0S=3)lOtWVtebA4IH@8~t((i`
zG6dz6R*lrFzh<!OyrjT(;APbWBjBb~_BCZh4cW<zIGS{kGiKIO_t)6Y2QNmfONvP>
zTn<Njg|o`SaI<r~pP!(ova$>-UEWXDt(V)Vj}6>tGOSvYtP#Oxwmq4HX}sZ?S2c4U
z8;o+#?9sQOiBY{98cyJ~{4B^cLhcfHGC7THsAfIi0@4ly&Y`$HDAA3(MVPJa_nbM0
z+jM5kk9s0ls)J2GWN#52>K@&lbZttcWR|{{fY?`%jYxR%Y_qK!Xy^+Av*eNL*u$Zk
z4BSTP3R8i~8uT{CyKnJjTA(ARo_K%DXW8S6qi_@7Ve>}N)0^!9S`jX|NpcAzjU-?}
zdg#o0Zfu8l4iJ#h9uKBri9j|UBl8aiYJj|R5y>sNH_p@m_?G~;<YXD9gY6-bTQWYV
zhvb%gRGjBsS=<kD!O814L$`Vn4ii3?uQ!=51u%x*dVV0>!EVG4ExRP-RC=o|nP6~^
zX=OaJCLb*K-xb3TeLZ|KZ*Ap#?XNI9QD(*GIwEx5tD@L;mwag;BgHI$&3>rBFagL@
zE3d$wZpP$MelE8+mi<UIvG$a?k#|nR4B4@n91tuGS;0<zd}0o9*s+))(N8P#{}=Sr
zg-`z-{Z#OyUcQMcZ}Y*bx}yV77A@}JM_MLI!ISfiis&{4sf_MP6k8%B?hXB=2qO81
zB1jRVG?ge20N0@%tAr%T(-f=L0&x21wT3p_TMi|DxDtRMcw3CQPQ>PkS4YhQA3Vi6
zN#v%$DeN$Jbz@zsiJ-Bv*M>Kr&wL4)?PBq)6Pqb|FyBb+EbWb#3so6ILJnJPpWX^Q
z^GGEfW{uVJ>u2uRI?v@wh|2JCv_#ebH2}a{b?*Uyfy`&GrxYcCbf#JN&&X4!Cf{eV
zifXB%b9o;I;?DvbBpCOz$9o=-%p6-b`Rq}=1<0!@-`6+k@z$0pAm&zK6nTD8lYzXo
z*!rjzMto7=aRc?*u5hRt_<k_n*atvI7bEYFIsQHaIeM|8{Y6Nm%i@J1J?TT#>&8&P
z1=r8tgs<4G)%%{<;20xmcw_LO6>rD5p{rE4^LXI1Lg=%kvD5TtfTxb3zYK%fa)A4h
z;nnvtP?}rNMPAcd<kr=1v#G+MjvZa9$?$8UwnIfKPg(NGEWHN&ahMEwHw@Svqxkg}
z5il{kCAGMll&*p)Cgdxt5K3MVX99&+EAGXS3eMCst|~@VB}pYCZRYG$rfp?EcN27L
zMxtZPE3U<ECrIF|I&`kd1V@tdhIWo~;1ey?@C}t`KC@W_VVw$lsvde}n_Qujp@k7W
z`xM9}ox5xm^Wl#~cwM<-@A_wkTb8W#CTYZ1;I10iFe%42*YR^U$Z5W02h`J6ebDC&
zXZY~n^H^8MmHvyzia7cImB(85VNq<|c{<?YIYvD`W7`#k>13=)vkE$JYZgF2F5fMf
zg|UxG@tLRvg`6o>Q1H-?-tm1VGuf;W@R{WgWV#$yG=}e@4W>9xNDPDRf9vIAyKJ`3
zLBr$TQMJACp+@S+je4mF6(MBKN!`V+mZ}u-(cm^q&E8@$2QO}2mOj1TZn)_KN;Tou
zXLTr^`t$c^qA{q5qt`8}A70D=ci>_4HRx-N#dAU+Y`X18M(|qfwOGQG#Ioz>nif!o
zU&5D3w(A4B9m!0@GGINhFTQMfrp?BLt^Y_wIZBkGVD!tY^NTF^5Td7=0s*L3jEz`c
z$*~3ahUom!9zcr1d;E0f0YnxjDHl_c%WCJcG@>zf)$bg`!QF#1FtZ<%(38;Xw}ZMd
z@E=#U83?Si12Hnror#c<uOc)|xMzO>y^{anm0vos`ZXjUM_zFD$Z}2Xhid})p|2pj
z{Bw5UXIz2-{$6SCcq``?TW%XQsvxuVu4`SpbxBS+Q2Cy)bE87wL-w)ItMYT6ta7c<
z8%Jwp>cmQ-^n4<;%Xtt&NQMr&!yzk{!!|Nd7{Ln<A$a<986+j^P2Xx;b|`(kTqXS+
zo!2;2SEYog*Ew&{+_RC*M%^@IPc=nRHVwHnG+WzFBzn*u6fU|o6ArM=42!rR)^q$7
zPa@M-Y9@~5-86BKy_C&xUn27Mc>bOb#SH$*ntH}i--MBe<E}&8aEv@<2z=9CQ<V4c
z$Bci<Ari^b_-^Q6HAMJ5O+l<-<VcbCe)k%^Z2w5<a*(8It$JH4(~c?aT4?&{K)-9@
z;->e~M38FI{Pd*#l*jFEJMFty9{&hrvL}m_-njp`t6ijvS=SV{T{!bD$|sRYsj|9w
z2iJjis2lgn(@a&2meqYBv!24_m_S^slWiB9@RpHtbBtngKo-#z+pwt?WG@FWn2<T{
zjZ`#oJId<#k9rw)N-pOL2eV`pu*i71M5@NW&^zyi(%j3w`Sd)d`N@;>jDxY41j5W}
zE<K4<**}J&H*_&hSwd6b?d~GK((B3|JARUk`pTVGzk!Ruj8|7M>(cow2<t0%k%Zce
zW%+k{6Z?AN77Z$s83^RXLlgha?CTM3dQ=n5sQDCFdf~h!JvrLj<#2s9?s=vtw%lGg
zSWjnvyM*n$<=BR|E5b<Dt7&Ocro<)SH@N3?iP^+vwGYeXl(Cm-gg`B~y@Emf(D;${
z@J3U$Az?ZkrYOLQ=Q+%Y86K=qmC+zzB%V_eeAZ|OZou-7cA6#{s$`KR+xvHZ_i%K1
zYg4di_rbaIL8@aj`SgNKj`!2>;#KkZ$LEK)%bGNO-9{}CgAAV>vpXa(B1$`ZCdBs&
zQ(R=6tnRi5L3Ltw&LT?cKrYMcU@0`fcdw})ec2|0D<?FS!sHenX@Z6mS>Wf<*ls$f
zm0Q6K#*wo44<@oMd83+n>coM9#z`esV@y&nF05}M0^>$>LhsCus1BKG>1gFIo4Ode
z?p`<RnHoaX@Z;Jlc|)w4Yn|79&Av|Qjbc@_wo8Yk-VkN?aq0~Z>crFdE*npOi@*&H
z)bKl6Pl$h3GQ#h)#x|^0!-~pA4ksitZ^u8|7Z&#69vQlzq`+J`c_S~Q0BLI^Bxy#-
zdZk4)%h{Mxgq;ktDX2nz5P1G+ukWCC{4l_c^Ptcw1)sEfYoW)awravkMzyvs8+P9@
zf9ZvF(kRuLX>WZ8bg5+55Wy_d=*;q6q{l(k5@Namx!GwrF|dKRDWKyhx0kkR8Z?iT
z;K|*rEQ8v{_EIHy)rq<K*l)l_`?qtlyu6qzj!Ad-<Cd1wq+|+MH^$e3O1fm~a_ybq
zi2jKq$7%c(jE3}Tw5Hb3Y<8`0e!^;yDuOrSH_!zY4AKi>i*9<m_VnYG!@Mf=swsDZ
z_tx8>plzjmwB@E&r}?&Wg1uhNs_z(U*g;lZ%HHOQbT4YbK<pG(mt)*ZG}erm<i_pb
zfb2QlOjTQ}hslpzB5W7<Twkeb>zth?txod)X>~sM2#K~mKiT|d#I~ekFtt<M0=t8o
zZbMlnI<^#!yP>y-(+_+vwT90BcumV0^L0VIYTUdz_Z(u(Nu_eJmAAksOuG6hw8-gR
zjd-z%5#(S|Jt!^4AR8qrbcMms!|^r8D(rAGWvyIQ3mekc13BE8wiquO7cv@3P#?Pz
z(e2)G+c?F%Og#&2H-8!zaRqZ_Dm$LE7XMn5jrw<}9WJqrsl~@!Xv#6+Jl*5tOvsrG
zs)Gwi_lWL|J=*NLfH&EMnKjOOsTmqZ7Yu6sUj0VtFD(F$U@`0HQw?X$WAaRd_jj|z
z8b*~|Rkx|xj687?jdW18%K<ADHp%1@l{-a)c;}0$JL7sMSEj!CY|lnKb*XuadPv@{
z+Hu7sadmMfB}IQCX%KtqTIjKmG9_=(CMz{gM3d(56obIF=7TA`<Ci4U{goZ3_~7r+
zY`OE2V0Dc~{;|3iOQ%W=9J3-X=nt5h!iz3xuD3i@9#Q+<BW<}$ovehg@zu6wb;%8O
zE87mi%A#wKH6N5aP~N<M%`C-%wYv)1SXQ?z8okb)amd5$x%K6cT1m>tDeHP;VzXfQ
ze4OQ~unVGF?py#By_Wx$sE)plqt>?ec3Q4G#+9%hlu!-vul+Gr(y-B{O5R^S#H6&3
zwwZ8<(Mo603){F9sZeIC9VV$CF6?@6TMvKvPHuVl@*0cRJ@M(>lC~fK)lOk5(mhyw
zGfK4_eS15=?%*6&jcC>f*~T}clTOQww&@Y1@-n^?^vbBXJ9Su8^R$SQPZFt??Gkk7
zclRJoX!%J=eX1!ImmkN>wqjC8-Ai2SAl7#0<(o9_5#RmCiW-eX-&qxNMeccF)w*)F
z4=Qn0IgR_9T|;^UlPX7qvX@xbq1Z0O8C>9$W5MO#e%H!uhmXtYL^E1!h?(z%(Jg`f
zst;3J-!qcqZTqGc8VzBe*52Ab0;`F^{<HD+-XjO9mO~dW87yzG9-Als;T@a)xrFGB
zaJW2tCN(DpQMXlB9VlMxVifP45<@4tUUvh-pjwubwfy7&DS7cQ>Cr^W`%Q1@F;(V*
z(^cU-WY^9bL9u0%uaCl>PoTAnbY_LL-RI&gW8BTfVX5Jw*~v@g5ve21)W(T{_#}7C
zBHjoo(s*8^G(DX~=;=LNYJIbpt#dP--uu~UT0{Fvi-NC+iY~{A>0ZN+1+U$jmz8Xt
z2O<<g*{WNz+=vEKnVv$0mtu!Iv51M<0@X8E$Ggb8sX9XcSTZLA%fLBS2tgh=7}4HE
z?&Tcp4>B~e>&a+ATs9aW)QSR9?gxwCG0B(jB2(zuksYBoP0FNqTMf;k*B)lB2GTJk
zaO|%#MafA(6L;^3L-)_+&CAx#Bu>67P$OT`QAa)wBdchFi0QdE_Me}!tN6M%`K=ME
z_L|ZCc@2daMI>FFI98on(4H+rWz=I+uqk2of|3>yTM^n|<m}33SK#Giol81;Ml*Ok
zgf&vcLsa&o;YOX1X}$6EQ@JLo25j4nYynYlPXnd9NEiVlvQlyIAv=Vdbh12joGzyj
zK>kQ9TnU2od)*4;pC$`-Jem2O-|<#Dwww|4lhcl{LdN&`hO}j(&_Ra~#1b5yO?S0s
zIRZCZ&_pyW9~C&P@}3>2N~esltHZ`H<z(y`ncl=VI2qJb+$G*Z;EMWvE-h!qq}LYa
z!9R^ZkYzrfl5ICo)%Q_JCm%Nc=Q+Zd>8w-x-PKx_Ic(Fc2G+MEZ8{OOgfFe79Q5<h
zBBvWtnho<^N=foC8VDQo`gl<IodBhspCA5sV<JP<xGp|B!?pgjN9y<Kfgu4GCzEiF
zoZM37p>N%e{(0iPgEKKHM^iH|+as&@9H7(=T&#p_epTbxoW0Xk_El`@<;!uF$rPr;
zUg!<fodYW^&bvspLwhSYw%@I6DAo&p6Q9wyYz6<_1I0#6z4<inwqb{{eL!>@di#n=
z)LP%*x$Br0Q?MTG>i7yu$`((^>{{cEu1%bVm?QE+b=cI&cc;{354MC~;8)%2q-<-p
z2VsK@N+B}SVIr;b#P~<$5HF(?x`E{20tQnAEGs=Rysyr_8e5K4k0m&Ozg~~6+fPH*
zd_B#yMfUA>PyQa)tD4oOXRKkVbIsI~{U#@I>E#te9Df8|KR5dNb!zG+CRUVCC7tRS
zTz<t-*}Ck!jPB|Xi>V=mPy1odXv(aE!+{jDM|0mKvii`#-ltiBjhxNXw2Pa0PfHJ$
zfX}jmm$hw}%_!Xn|AuSNaR`WH9doB%tDa^(CtK;&%SEZuE^G7Q<&W&`SS|-y!?2ST
zy<d&BRGQAD4_(2i!Yd?JiqWxEWrAuQj2R1wx+)o_Tsp+Kjb^#r>D~zwR{ZFEf`uz5
zD`9$l<hHDq&bYa8cue>AV2>o9w>u+Uc}&UhTHcG7>-v2N?J}~@>?VpHKlgN(*#0J@
z#L{CPKR9H1WGKG&d(q^UNT=-p8bl;)N<WB$heTcX>b!*P48t@Q%r3l{>{VOAPLXa_
z^^uEVuvU^wRey%_s-5x#W~tg^EX{1<pgO%E+_zb9t=16H@rY<vQw*jl%Zr<qH@%mz
zp$Mt7UZt^l6Kkc(=@X`orl*&T9F(*W|K5+a5gFUAg{)0X?vtm?;?kgMY&zIw=Pntx
zK?BQYp6&sW-r|YS!GfF&gJoZQV>)I{H7Uj1FWx6b)b+qRJ9+RfQ+;@P#L$dMRn+EE
zs9?=SNXek2g{#&cn#*20<*-O5SWG(-S~-!CLPL4<RntOBD?Ln*_x`?V)WOZ!wQ%vN
zj=%(4%|mJ~QSL+PXYJ*NK{|T7`Vt*((wx$Sedoy~oBVUK616t>9PT2i<CkQUOw<#|
zr*0oWRK2B2Lo#XwL5Qz4^!2NFSH?bUc*e6<@<|pdCmR)CUrHUk*0b3uRp7mNieCRp
zZr$M?Y_&y(Fh)z7og2Glg9f~OwL4Se<p<+yJ`Bk|dy5-I;+Kt>B?Ja{YY8<4MyQ^t
zsZH7&F0dGhHog*nK$UUN;lO06OGs71E{oY4(Imsum_6;=KM2iMW#?wO4WKV(#D`<!
zdoLhfr!42z?k$<Uz8>?TcP?C3FnCBji~Q_gxdoW!ZvtLjF`*CgYz<Ewyo<b4FEu&G
z(0CT^!QRAeKYihZhfwfP)4R(}Qb%}(##ptwI&{9##sFO-DmF0(Z7y52^!?>RS|oxs
zfz{6g5s^aeHs(20Oc6@gcW?iI4ek*B%<;!DVt}2Z!+`ZfKeA_$L3yAy&AW(tIaB?6
z>F)Cc|26phkL)G;W%2F7ZxmwOdFfjgn|Dso;7%>~l^Z+t3>UfxMX%h6-8r|Ck>ZoS
zbF*am#Dw_quWf>L7ffK-GU|*6p0fpT{`4D_wdWOd3LH^83DAdHXl<DRn=iQt^d!6i
z>%L!<JGG%AU|p8iCz<0z+cxery=}HySzR}TUY6SXz!qeh=w!XS-lN3II>=UOk5J9t
zJ1r?}UQ=v(u-E=_m_`YR0eRtu3;W-lSU$mhP-v|__WH&zQ~Sn*>447{aXr^tW%&{4
zJOAfk!?~ZT;hSr9!$U0b^4ig1OG1NvwY#bkddQV0jZOF9My+luu_kNN8El8?`KGD^
zwBcH@=@ELS#Gdb-Wqm)slM;_@F{M8?-`32mWhb49J4333#`kUm1q>-h2X&1&6f5oX
zB-cS!Rp`Q}phm@na2~c4gS*K0Zrd;JoS-`YGs>{z2_BjumL3}|4*5Hd=$qdKsld<4
z3t=t15uv9AQ<6D(`s(`7l*s!~!P*Kw$;zJjr{b$1>JgN6f6au5d`2+9#kGUvSAS4s
zvt1-eTyA{KnUH98&4==~+sd$0^`&k@_wm&f`6kXKtxkcu{SC9S0bO21!BGLk!Zwla
zNq=U(jdK}@!mAcOhc@IC)Eekk1HN&P_-(9)=}BDR9!)X)@1Pr8T#7&byNCQ{#l!8I
zC3WhxuC7ClFzMZ|P7{<SmTwFDtk)<+YH|psf_V3PNX&5$+^IQ`4&QVmS~Li+C8g1X
z_FuvHbscf!Iu5gp<1HpVF)V5$R+WXV7n}p#Lo``B<JO<<SPKQ%!QwE#dmzSrlrEJ_
zcUsUsC0h&YgEJoD2ylP9@`)n47PP~fgFj38L_VfH%c;6g@O^fY^6pdiK^nLPvL)UI
zkuD{(bS5Z(VsQDgXQo$pMF)a%Ppx96x2-kkv`Db~iX*2#E!^$VuH?kdo?fHCQHgmO
z6H5UBv-Zj<r4ITH(U{pGwp`}Df5)wlzx+Iv%>Mn|{oVOQMhJ4>X}sJnJJ~*(a=nw3
z??z<OhB_4OrcXkHm~V~5uhy&yPL3|;Q>B&<^YNAb_&v`qN3{8j7t>^ZnVBO;Aj8o3
zlWASHMZ2x+ejj~!%_i#b2DAPaq9XAzQc3S{;fq!2GFo-fP5EX9$Wvk1YamZ8_o?gi
ziuZ==5Z_K24fOO&ma$Q`>=t6mtz44})*3Y`NzsMlEu^@NokQQlX6LOzkfO&w-A^E{
zf+4a`@QP|hgH@A7fNIUpgGfUM9oXkuXsso^u4+^_Dy5Y%KVa9ga`A8{LpFMVc`NUr
zaUrj^+r+}N4$|!8{Sj>47bBqqZ_@MIbYLfp^-z#9S-pak-u%!O;|qB7QGIbX#^<9(
zjUwz~Qx;v5ij`j3glhg7bGT$pvM61X4M>XLJN{h^vevp~Jtdv8M=;Zx-yKfQwo^?)
zJx!uNuBCM)@IlVv^XX-uy}lFyOU}$Sd1m9);x+*rm`^wQV!7DZOL>o(xA|R9Alq5$
z0co)&RVE6{csf0>|3X(QHx89TyH4pESfvd*4}{Co!Gp#<=aXi~)xD=^C+iNE>$1Vo
zwc|Y|Ai%a$f2JYcMlC)>8ZxL|El@f0ZfY|s);!v5Ku3>)?QlJ)4K2S5;w1Uqg<-M(
zN;*%Hoi{#q7x@Wlo4%C1%^9rstfN7aQ-*pKI@#egF_&c5vfe>+E+|hozCh`UgYsSE
z_fzY5Q|RP+0Nosg2%ctR`Q(j=eD@J!!JtL~sI>Hc%0a}en7-rTdUP2Bzr0Ii?Jc4G
zy}9`+RT(K%u1MgTZSk{Vm)TQ*J0FW*v}!vOdemGvuHt|+9><oi@&=1d7S#nLuzB4^
z;s&K=@#;0gLQR^4?CXL1<py@2mh3;&d4%Wb8s2QzI(ZQt+fUV*vv;_aA=Nl&?#8#)
zvM4^?@3v<8?Cr*3lsbg2Wu?^FW~o=Eu3Twns#8iwA)~eG=d!YH$bhhz=Zc-i4I0>V
ztYdcP1=Gj8t|oeoF6Lz+rZ)W;o2uuNp^ce6=$2USSdYXhZGTX+F-TDfq4Jn6&2sLP
zung8(ZZWmcYs<_lKT8;cng-W-95$;*Qn4Mp=%TWlF5lL?lE06wpq7u{PRsIIa;4nD
z`%ytIiekKbWA}xE8BTa&+iVJISf{w$91SoPO<B*TfxYb`HX2@tTk8W^iku??CkU37
zftVl1O4-`s<le-D1_X~A0Q$CeDc}_L(XUyU)ia{2tsR2Qj$>-QLpij@Jm-xkH+T!k
z;k<Z<iJDrPxp<q-Y!92H3++~;8D&~Wl|5G7sWslNe=WW@KNnxsYoFn*pNr2kIg%*!
zKHm?7&tr&fMIVTFHJMO{7SmadWE7>$)R|cch&^rBY%D!TT8mX1I`+NKaR0wfmp-4d
z(@u3+AlSEY_cD<IiFG4^Qs%SHc$c~~#CuOG#dbVWESV==hd7!HjfF>PtC#+f-{Q;u
zdGZ*$Zr?VGEP$ojwnm^M&k|Q_ED_I}sd1k3krYARYu$s>TD-xrz4?Qkq8{ddBmr7?
zk)(`+MhsW`BHLKi_)G$%E8`G0-0ult-TeFL;h|Ql3N4|~R!LNIeLGcB=8o~q*m;QE
zUEi6G4BBzPTQAyOtKR$OSQ9WmHBYT)3Ujq_snpkFzAdO`iUyh&)8UhoL2LqS5x%vT
zR&oS!l@+RGP25jpwI6a%)ZXgJ_o~0Cmd2!n$$=~Cz&kG8+}}(&Vm9%{H9t-FyWViw
zCRY>gl|4@1lwjR&68x|7k1{C#=(BYCilximMd}m%6kgbs^s$n|VVe_q457ZrgFyrF
zFtC~4F)_W1%%ZE$aa$!&AulT?y>xd)p!QyK$TEuVeotv+OW84uoS!-|F>aexh>kZl
zD-}C>9CqGqY#e5fHat~x3YQE&0BuHx$Thpo?~wALZ_SO6X86DcC|SpF{9s<k`n6H*
z#_&V9h#RZbfuxZ20~n>Yj$|0V@}&|kXV8yw*Q8RFS;vxaG=4j`e2K@*_sIJWA(qHS
z=1#|E-)xs{(N%D0I_w4t_$wtHx{!+}jOP>GeRd`zBl1Mg;#A5&?8ZoMm<#2~DZASc
z9>nH(YYf&UGkYdl=l^N%+T)pC<9{ucs7wl#TPZ3rlBf)&sL+(l-04QHBWal1QYb|y
zh0s(^l)K!*nB$TpB=?OicQ!M^#u&e^bAIO>Dra85KYo90e|=xyeZSA;^L#Gv=lyw}
z=c~jJn(@L9**!t_g!t6>4F)zF^c_22U-0$5Opci2r=;XeHA}Ne6Ke_(OzWWxpJ;#_
z?6RJpgL^u5o2Nm<T1`=>wv$s@m9+U2rzVnG20eH(-gkzFLFHzLe~&OfeM>modCKBK
z{cc`}2$4Bp-qoNj4moK84|0pT`S1(e*%M%fg4PO|yeK3vUnO`;1j)3DWf>psbdH<r
z9oapBY^J5V6jTNDFHpeFL^HT`v?1Td989tgxlpa}Tq;HJZXc5pzES63p2?J>!lqB+
zp^xwj+%KUf&V%_DdOJj2g&aLv)9BZXcL6A(`|_U)FO9vzsI2|$>tCQgJ6cth2TE4p
zQXEkp2)--iXPu(k$dWe}A+<`X;jAc1-TR)(q>lbJIwb(Rvq8XxuT=<#@$Y+z%frmK
z->Z7MZVW92&_il&@!d^_l{<ZOLK?>nYh?4o5O+gM@~Yrvw|UQ#^J(6#MP&!X&5s^r
z&N1MzQItfoeK)K5clUg)&7<dm`X+sZV-=p%jcbk_YZI#owH*`5Zn0}Us714o!0P+#
z^3YT8@MP(fXyTA(+MFUD_9XUwy{hg+W)YjF3+^%OPdSj8&4y4*Z8_Gwo@j<tU5bKh
zZu5~Vg?ER$Nopxu{WD4ipxMFe#XRNX{63gMcd(l0XKsWT#H5>8kdm*x5oI{wE&_pB
zR4)}Ek@r*YcYX5Ea%ppDNotw8I-Tz@%cznJSKCnsrQIIwHGt(}!j&(7^XwgH-5|bS
ztIG81Z+B}3VpPM8Adz3wlf$H1-_AtbfIg(vt85u=<Ape|I&)hw)-v;H!X(t>{-FF$
z@0)H9+usNmU!Q(AU6Yo1qadv6NZ1!q{|AQv_UbU5_9XE^the=Hk2!ntv9=1YlD9a%
zSk-!fxC7>F<X!S$w6Fw_-BC>x%Zs&ux@|2|iLvx87%8NDDz)-CI5&gr>dwZfJfy@T
zO15KszE^{j?mJr>Tewwz&n{JY1w6_iqC)F8NactzzpYmnzB~m9`z)mC*=(5AyiP|p
z*U;ov`?XO2K;*m|On~a$_Y__R9Nv^1bwJZIi#3+p{V~Ap98u+|i&GB)0b~9#4yqh5
zp=99vQaYNjyF!$ea*G9*P-fu^sh^{fXJv;FU`WXsk!vFz$LDu!F7AIOhQ|7aY7kpa
zOVG&ct@-BNiC6m6I>&PR%7+zkGI6fsp<Q>>vHFpa_<eIinm+4Oi_f&(sI=88O(CbX
z*oFJ=8g4jZ=`?9!LGl`{D#vTHvg-M%x28Yu?)p+2<*@CZ^ZbwpESP37YeLClK2(Z&
zE^XmIpOO~r&D#w%eDIl3t%*Q5H<EV7ZcP|}o>TrVt(Ia?nj?15#mVwcPl<1-a!v5U
zR1oa1Kq{$#XoRyG8lWKPB=r{l(oAN(l{G~CSZ@)D&n_P2#~S*63xUoS+qvl*TB${(
zLH0}&>41y)e6X=+=7xBBYw_@RnX-JoIhXuznjKQ>n!=8CXLjqPhSt2bLb<nlwRV<^
z-_N|@A0;kAXJs}775je?P73az1+38&Igx<V85YPwG(|NKT*ODPl={hFDb&n_0Zc9s
zL*1!l1Va_CDHg|VJjRT^QgnBanJlx;e6viM48_NVDi(WcK(hpOJtSdX*Z!XGw?T0c
zvAG!maa!Jx%|!VWNI^mv7ZCe(3r++|k4`8DG8JYn_?zmwllP7{w@zQX;T+oaAj048
za=sqGtKDP3BkDSL94$Q_*uZB{7o4?Svrm;I7Vt&@RztCYhU623kRyU6>9i{zD4Z|-
zK+^9IcZE3EzY{;=ruJZ_xp%tVBlFl-Xe(f&iGYpn%bAH{4Dw@>X<pc{I{56P-j~7R
zZ`DQo{HaE1;^Bwg{KB5{eIUuMDV9SzI(0vP*^)lB1`~09uJ5Y(w(@eSzn!n=bYB@T
zr7(?j{H|(D`t7AFHU=O6gkrz3i<&nBCl`G!6!rHRCp%^YZ8}24PMTmZuuv&H-9|8s
zd;ici*Sxn3dm{w7@GaxC0oCFAv1lgJGs0i|hzABi_Iyp>*|*_$o`rKXuL);}Nu`i2
zZdC8pobBpa!>6jRmP7QWOmY`jUic;_W2+q9u|@kysJg8q->h@tP~xQ#{64$_7CBNd
za6Ua*tiF;(u#I*0R>k1cO}c<AP`NLovo&F)L@XK?eeZHb2>&H|yB*Cj;)JgS7@_ZF
zbpFq*>0g-|^d%XI5M?JmXS+?5Jt6Ss4!8s&{qlj<r-B&Sj?uxLeTfP8?QJ30fo8GQ
zSXSsNqH*BX(iHkw9}Xv)r!qI<N>hwTyc<$q3Cs%&GlHG7ZmLWN*_A6p24fOm9uR7k
zkvpQT;$3sC>|AA`@AQoM{AND2`S8(iyaMGUsW};}KgP5yn5c|0`CgnI^qO9D6swTs
zSWybZ!>n}6^DLeBQ!q#_oG<{aC-j1;+zfqPCLM(-%GHZA9v4cA!xxGpD)cXiR7!+(
zY>Oh6tO_N}lA@4&Zd-Gwc-v(2IuZ#v$ypX1{V&$=aqo2gqC_^Hy*)e=%z9zIO4cQN
z=)=yt2r3S7@ay2a0pd&$$;$7Vw#SDd(|Ul^?#sA)<qs(zZvtB7`Nu|>x`EGyS=TYN
z-M++Olf<|(<sk872rr7aTNGIaD<6}dOU*xkQWbQTRyJ}n`o>TuZryx*_M=!;hPPVK
z({6<w7jzSLQk<;mo%7~>gF<5kd<U~U^BWw<gb)0EB^J5_Gx4X1b3O)>O%$hYx}|?f
zQS@fo=#AcwbY{2E+?Bk}#JIe?9is1iW65&>U85j!tKzp}=BXl;LsvI`ny^(hVabn}
z$7u~eF@RC{%|aS4y1bwBzV<#-?cCLaioz`UO6d^;sOwf5!|q;!+=u<|C_p~f&?6Cx
zTUTCy&p@ZHPZ8fd;Ui3tHv|IZ<S`RkJ>1&O^eBF4E%1$sdb=L!4&z&aQ*&XG+RnJn
zBbUZ1g(wY5>k`BhOGqitoyfCs-_;(@eEl=EdLTZr1z`4wd^1I`Vt|8eSMk2G@liZ#
zZY?zVz9dv^mb&J?xZ>=Qg^buEuUQnijJIyXSZF`<kYO0gH@=&SwumB7&J?Jduv}jN
z;WE$wcDz^^IwcK_**5P&vde(hh<o}_UT6ZRNg35dUp5?JF$hW6<H7@3WRG?D^kkn#
z3VH<gX>#JX-Fu44>#T>z*1RDX3(fmxcS)J&oXk<!<27Q6lbbKzmb6W6CT{#(&=hjA
zZM;rS%gHjc@-b7*+31O9!qA^)OFkBT1A|}!M0?%1o_I#ZNP-IbDq5wCzzf0Zuj}uA
zgHSLO)PBG7_${ZSpZrwoUGh6`rPXJVA;Q{Op$YA|5Vzj<D$LH{Q2+G{>83vJ8_h=)
z0)P}NwFWrLS=<Gn-NjxOs~ob5`>qr;ciASxEYjL<Iuq}ZVuVDc8sN9dgh~=C?Hy3O
z2R;ng$=D9O(dv%{W^6s0jZXX(v9=Rd(Tj0+<3bAQrtee?VH(XfmJFxKJc2{5t*iJ)
z6SY=l%*7at10VL7Q%t=%I@O{hr!b#-sSKTxH&Ud4U8{y8YV`>jxy5{&svK)F>y8o&
zS0B6T$$Vy4rdqi^gJypHCAi#VYz@9zRv}=Ec15UlP@O`R$gZ%7(Nh=dWhxI#1N$X5
zx-r95luT0HZvgtGJEC+EgBq{B*O!y##*^bU@GL1h=-SInz>3BnDAu)I$ZhDYmX1FV
zHr9A4y`X=i&epEV{dcF1d81dmh!BL5ykhMWx7X~q?Z-H#uWor_?DU5Ddv3Cf>Y+yr
zIGJ*u)|b>g?dpw8q2t5??w`Oq#C(|Y5t-aQCxokrHP$hpF%s+Q(*q-D8-S2djXO7w
zVYTAsjI6RT`_hv_WtnrCpTFuLeW2-9_GaP?2X%aFBe_tu%|Cooj^&sNl-}0U)jkjp
znV&PW9eVA3M~1K|sh@?;bIhc>y`jP!j<08`>G^gh&)O72VjSSA#PBM6;ot_G!Nt1q
zKo4y4oQ<B%KJE%!P2JHX%J?hcLj<4k5y|ithJv4#fOZuMSb|xuT4}d^Ofg2qtWzU$
zN-|kxlk+Shy<0JGx<59f!5?<>Yr4Zcg&Nvb^xj%QSEW%`(I{4TJXeBvSe*;ljK2s7
zHNIXLcdxb>($EtLt6b#>-rlFHvHX?Xo-&*2w&pae>DEk!`lF5yd({PY-7m7Xr+yGj
zIVgNyWc+1|uX0dEDU?AJ(sFKA^3WDJF=8hzrtGsb<r=^zMn4D`@4D*BoNns9?a4|l
zvt2|sZd5=6B(tij^_|9^cV#>>cfx&#uV^~)t<O7No@;sAa}9;>9RL5W(OHN#5=elY
z=|GkG<4LE$8Lv`7Uir{wCDGyJ&=R{gu2G`T%=1hj{k6aRmK(l(?SMBj#9*vs>I0#x
zOGrwuN8fbzI)yLDSuIQ7qt!c_r{YVsU*+M91?I24%$LseZnF=j2HQI-g#v={<y8@<
zJ2zG<-u8Tcy*=_DQI&oX43ShL-fYzCdUjbV@O?!?T0UTF`|GaC=a_FRb9ILI$%Vkr
zng}dvc7TR7z^OjJzNyDKc4POZD~YZ{073Npd_jh_o`qZ1(X#hY<Bi$1s?@|VN^2PY
z4G9D(HWZn+yd}E^87f<N{U~(kO1L_IchjlnElGDo8L{J<ahEGj2CPDN9r)&>qN07o
z3MPm3w0QqLIi-ARL;h39yD_buPZ}Mnj=RMqPHLs^T;MbVv)4H6{WtYyQwo}&9Z)X^
zz;hX}&gufNxP(M=`_!+Z<dpkazI<bsV*Io&K%=SYLl5`10>fc&Tc{%T@uPvonGKB>
z%D{*a4G;O~f;0Trv(lwW-0{bmFoO<HYG3~*?FVMZ4yw(k8g#U*YYZ<<>yf@AiX`UN
zixOP}C(F?@H2As+X2(Z?1=@KXs4h6r9SqrlJgZPfMn|Oiq}8WyKR;C+E>-kUdQqj(
zOc0|JX)O$#^&1aSrD1`?*a6zAaAvF@5Ptl6vO0{rTkq`0@kM$DmiQ72q+k#SwyQ~n
zw9W^r%{8=^ug%8^i=pf<drs33!8qI`EmL3NH1+a$-4>!cE%g#>TR$&AxLQQ|mUw9h
zBdf1HJk0nSS{3v<(&F83h3irt|CzX8(Gc7j#dI@;yB`l;YUh&`hy)JQxXk(^6Q7*2
zv884+!P}jpUQX9=Fi8M4*36VmXHqhiy|8{`*#c!}rRNV}XTR4J)8Co``xA!cZHoYG
zO<^#x>yy-hiEI7DD6(k+d1swnxG3WfH_=ox(TqPHQ>`EaBVr@`67s%0z!D<B?Ztej
zP5aN!kS+m>59It(kHVu7CDUbPz>Ho{))pQu7S)AM-!IC00=s{M7v>*DUbyfU09R1-
z_Lf(1jU7@Q+@$11V{PV+vcT(t5gm7h?p%wsN`477sGX2_F|W&~U9EQBc{MHctt^J_
z9R`oF9(g?(uZjxjQS%i=RymSIAaw>+?I{a+FOB)NTw_ecHJ!!GDmZ!%02HftQ_OFB
znu^c;{sCCmseqkqQI8<M;i*?@jk^@I-S*9hnH^BuRo6#KSyzC{!m1PPS64a4e1|b0
z>GQgbU{{Szt{v+uj@0rTwK53Cj5oQ_4=jxI7k@wz=giw5FX^Dv20$0yePl*TShWOO
z_bk$)MdtZU9k9+q&?09D(7>kv`bol}JoAABQC{^;%&8^L@*mX_<>l`7&`n%YC->Hc
z;!f<>UpwZyC<*wl<t-GoEA@THSK+@9^xqY0;1;B&r-W7BTCtN@1*a_i`|nC#C;~mL
z!#e3LY7)8wc=ZNtH6FI;=HKQ1{o<0p&H{}*>%+6eP5tu0zxt{%0z6;9SVfgy+K+!E
z@#6)0575dzYIlDv@+D3A^VR=#?E&-^x9Blo(Ocrneyn)8UOy@Vo*#i~%&fRYXEnf(
zd$3DOba;{4{Md(&mca82u@|frw+OI@sEQ={<y!osq<iIn=TUrL{8rkcGh4tFI^70K
z@ZEnk?uHP!qNaHL^(AX#f31Xnb$$<EUVF#(>;5Q;<)l;qm`fjVO-}rOXxfs$9&>Sx
zJ)YVs^`j`3u`7-lu+=4w8L-tQjv4%y&HowSInjWfp>d+YazWsq2*im7|A=Cl3l1n^
zi!3;xXc;W@kAvcXqJKoO+yw^|aX`_}E|@b#{#hnV??`Z_$V;ZHzrf9$DKgvm#9@lq
z5ju}JOc6UE$YF|p;e3{uo(6|7T@L^Kjea<UDceaq2NW%ZKtKB>4k-FrCO_Qye*i^L
zpZTY&R>^ptJ$1s6lSBA#v*ttwb|@aqi46a(LVy4{k%1E#epC`pDvd2F=cLlup>j?t
z?MJivNvSxgG`7C?ucf1$^+n6;5+{|mgfIC8Cgh~j*!gM+PActhGHF>u<A9={;@1z}
zo3q;V7tUv?>2W~Ovi9}2c5y(_4`%g~QgPN7{Xk6q3;;Nw=x3QMz4Iq1n)5HZl{1p}
z_Ri{@8J765fqk-RYL$@ztM62NI_-q0-I!U?hhuJXUGdU&ZeV5k-KoPX-3(Al2DT@p
zkX8+>czePlU^hSrOmV4GUEZan0&DN{IUQJDT$~a3$-DmGTR1AT)NlNxOB@yAsL&5K
z1AIf869;~j$&x6A{=WyZ$gNY8l-9=sx305Wf23jKhmMbrpH}v2dnrL&T>%4Lc(4T=
zv~#bsDBE`fG%y;@-1=ZhJ$xHr^M1VC^#$DQkm*97wSgUk2_Yol(J2Xu0LJRd_`i|;
zf4vQq-~DI#D*WKm<A01TIaO?#7r*5PNMJ&Ni94DP1o9NupS{P<5&>8CEdkguuPx}m
zN8{UD5a=e%*PXt2OXg4R?XMy|(}B0#Nzb1PNMs6tO9_{z&i&{3{#A^;A+Q~FUw$Pw
z_`0k_fRI3+(0C*J$|~0S`T2Egx?m(ikmJ0Ws;faBAeprvjgL8YI)6FMw%SxVS7bB{
zjF{XxILjrrXOymiC)6`uq}Zk`BgTJAEZq%C1Nq$c47Cuh+B0g1Rt|0?`s5`Mm1o#*
z<!cdqv#EbWcbYFE4pZ6$g7G9n?K2E;H)9u{8@<f<=t?~js1vA&9e&-uc{RwNHF-y$
zAV43KTYQMXzpY$aNRH6d*3SYJjx?v;t3lEr*rrUV2T3}ko1~3UBjAE3?k;`&7s2ek
z(KiE6YRe`iD+_Rj!W%a(ZXZF<i*1hm#dX;HdIZsW1zS&jxomkD8@eaGsuH(IjE0v!
z_#<mO<0e)f*4E=z@3#UxYzuxb`9eBGxjZ(1JqWTjTK3Elg5Ot}cn@oPf3+1fAcgzX
z!pNm`Y#G=iuVIs?-`+V>fMTuAnC;n;f|-#FQs1(~0sXA!=qR33CmmtCtD#8}#0X+?
z@s?<Po4ha0qB8|oYK`Gt)hNU@8(?_YXpy{@gmTjnTV;<FpW}fNR?m~<KwNVWd7Ti)
zUNx<BBUCjevkIR*v;wVg0+B#&k{)yvaMbvIge(ZcAH8c(=`x>Wi%QWJWQKp9a{UTC
ziz3f(xtk;d5bZ^R8JCrWtDTBd1zxhH%{s7wLT#l#XR9B8&p@EB2f)Dfdb>3w%)f<w
zX$w(8Wi+7t=)6uAQ!VaFwui#lm2z+|cvDVo&{LGy32Zwtjs=c3w7EK%%rGnNXT+Gh
z@3qD2)Xq)*LOXvPwJ=b@%lB8TQ%H6c-tOFsM}kX3*J|A@^iFTQax45<mE+;d!1sSw
zqH!2GSHT!Zk380n+n#BLwYx?yqWMo`VjOegI&T;k%0X=t+mSvcR8^#~Sp>V@sh+kG
zKZW{)X;d?(S%M+eOu)PHq4{4XTRG-L6E16=bUrFmdyo}(iSISanEhsVtn~|zeR2nk
zv&Bzf-xT_RAln8-@ni*D<!3>~JedZE^L3Lu3XJRgnpPk$Z|)|pUbA6IJIfPT!LPPp
z&u1Dm8+gie!_kI0mLuY*V?_sRN688-lz8Bgz$+Q(Owu#pGa&cL8?YKL;Ma%mCsr0V
zY;Tym`9aX#?DLtK?X2nE;_$q8V(bjXMDLq{zOz(d<cv->*O;w$IsK%~qtZdJQRw6=
zMGP?>rSxjxv!%8uyK*EnUgT@=6iiwTsNigYJ|?^(aS4Kjx3xHAoxiE&?C(sv<-5C>
zlx`jVjMVZS$<BN=0!nvsIe<J!b-qeEU|MV(PQWuugQgD;oo?8!#8QG1l-^Pa)>(pz
z^zm0DI|6J%mC4pUp}n}$PdY=9cn4~a$O$Y4QR@VX;F;KHdfHB#se{s?<hPnOX5-cY
zBa+HuSh+JCrxu@8wu}hgYkm{<rep;V0tyTz-haj=B{aAVf4?q`3K^1ltCx|Lm~<Ku
zljW;L&y4RmzDyyD%*$pi`g*2|;(=$oLh{SfZfJqlqs3mPfBcLmJ}!BTf0&X}k~c8w
zklX^TQ<<@JPtW$ktROx)tUY(zCD(Cy#w?ZL93(-s!XrVU+&P=CobGR)h@6;6?o2;d
zJq&}(;NxxcVj}vd_pnVwaDSE>m0cy&X?Jy`1P+EUr6vSCqctdBjIUbRBhLDU;~xWV
zzzt4w6PNYVuKRk~SCOroL{G1!@5()XYo{eH#~Mrv%XiWPDRWP7!%o}w)B9WYe(hkk
zc)X@0F<Eva7&;VALVd=XHM+A`CXF-=`&H>TpMRXqwmO0Rs{9gDx@N6eaMtee8z^^5
zUh8k>gu?WzR90?vXH|)`Z}>#w_LW3C1iuPz)zi2v+qx2MaK<TfS@e3IoQ*E0ZTo=M
zI%n)oI+7%XG(OvDT*RueoTriJ=Q5}>h_ZN+_vcynZT`F1%ea?!xZG*l^4il}$0rjT
zx}O#cG;@jV{c^~2+q0(x!aF%T<MXxjGIz>3M@Mo#rU&<!C5mFPM@ihOr(f(5MtUUT
zO-W3yvGfY4^r${MvMcptY6mf{P*CZpVji4WC})|_QSi3pDr5#T$cXXPYHecgG*fqt
z%6@M7J^?hC{@VKlHWE>P5G1f6hv#B*-TtAX<YMoVEbC?qC@f<nd4%j06QQO<)^TW@
zMa0Y6`I?uL*jn*wkR;c|HrYaBYFwP!3G5)D0cLX&9l0wt#<T!>)B~>6FhHOb#r$S&
za1m~1Zh)K2VMbkPa*%aruYSl4y<F|PrNcgF46&LdLxj8ny*KFY`*KL$NKqz#AbDhD
zfRIv**L2Z4YiUn4_NPMzHrlaPVtylArnY*fwCmKybzlsEgTcpbCxFQN!ecP`s#Og>
z+tjW;uk{9fcG%SWHCzc^?>_LP<u#M4h~%5W2$E=K`IW@lMIK@q3_8Mp=0vVoineX*
z1ZI-Ed(yMqcFX${FFeiwmAFuiEPJO-Y3<omqe(wZdU^A)*B)=@h82;u+1ppt1F#Bj
zN#974t=9SaEG^)ul80|3<+C&>nMT#v4tz>s_CP|sb4KB<T9(q$*b4?i)OJRcUp-W3
x$YPQWQUhFl(b_O{Ze&v0b4xtZ2nU@Pw{(8QbLQdQW2=DQ+0*AwrJuC9{XaVx%?AJg

literal 0
HcmV?d00001

diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md
index 7d86260f0..9be22a5ad 100644
--- a/docs/user-guide/monitoring.md
+++ b/docs/user-guide/monitoring.md
@@ -1,11 +1,15 @@
 # Prometheus and Grafana installation
+Two different methods to install and configure Prometheus and Grafana are described in this doc. 
+- Prometheus and Grafana installation using Pod Annotations. This installs Prometheus and Grafana in the same namespace as NGINX Ingress
+- Prometheus and Grafana installation using Service Monitors. This installs Prometheus and Grafana in two different namespaces. This is the preferred method, and helm charts supports this by default. 
 
+## PROMETHEUS AND GRAFANA INSTALLATION USING POD ANNOTATIONS
 This tutorial will show you how to install [Prometheus](https://prometheus.io/) and [Grafana](https://grafana.com/) for scraping the metrics of the NGINX Ingress controller.
 
 !!! important
     This example uses `emptyDir` volumes for Prometheus and Grafana. This means once the pod gets terminated you will lose all the data.
 
-## Before You Begin
+### Before You Begin
 
 - The NGINX Ingress controller should already be deployed according to the deployment instructions [here](../deploy/index.md).
 
@@ -67,7 +71,7 @@ This tutorial will show you how to install [Prometheus](https://prometheus.io/)
            ```
 
 
-## Deploy and configure Prometheus Server
+### Deploy and configure Prometheus Server
 
 Note that the kustomize bases used in this tutorial are stored in the [deploy](https://github.com/kubernetes/ingress-nginx/tree/main/deploy) folder of the GitHub repository [kubernetes/ingress-nginx](https://github.com/kubernetes/ingress-nginx).
 
@@ -81,7 +85,7 @@ Note that the kustomize bases used in this tutorial are stored in the [deploy](h
   kubectl apply --kustomize github.com/kubernetes/ingress-nginx/deploy/prometheus/
   ```
 
-### Prometheus Dashboard
+#### Prometheus Dashboard
 
 - Open Prometheus dashboard in a web browser:
 
@@ -112,8 +116,7 @@ Note that the kustomize bases used in this tutorial are stored in the [deploy](h
 
   ![Prometheus Dashboard](../images/prometheus-dashboard.png)
 
-### Grafana
-
+#### Grafana
   - Install grafana using the below command
   ```
   kubectl apply --kustomize github.com/kubernetes/ingress-nginx/deploy/grafana/
@@ -151,13 +154,13 @@ According to the above example, this URL will be http://10.192.0.3:31086
 
   ![Grafana Dashboard](../images/grafana.png)
 
-## Caveats
+### Caveats
 
-### Wildcard ingresses
+#### Wildcard ingresses
 
   - By default request metrics are labeled with the hostname. When you have a wildcard domain ingress, then there will be no metrics for that ingress (to prevent the metrics from exploding in cardinality). To get metrics in this case you need to run the ingress controller with `--metrics-per-host=false` (you will lose labeling by hostname, but still have labeling by ingress).
 
-## Grafana dashboard using ingress resource
+### Grafana dashboard using ingress resource
   - If you want to expose the dashboard for grafana using a ingress resource, then you can : 
     - change the service type of the prometheus-server service and the grafana service to "ClusterIP" like this :
     ```
@@ -168,3 +171,171 @@ According to the above example, this URL will be http://10.192.0.3:31086
     - change it to look like "type: ClusterIP". Save and exit.
     - create a ingress resource with backend as "grafana" and port as "3000"
   - Similarly, you can edit the service "prometheus-server" and add a ingress resource.
+
+## PROMETHEUS AND GRAFANA INSTALLATION USING SERVICE MONITORS
+This document assumes you're using helm and using the kube-prometheus-stack package to install Prometheus and Grafana. 
+
+### Verify NGINX Ingress controller is installed
+
+- The NGINX Ingress controller should already be deployed according to the deployment instructions [here](../deploy/index.md).
+
+- To check if Ingress controller is deployed, 
+  ```
+  kubectl get pods -n ingress-nginx 
+  ```
+- The result should look something like: 
+  ```
+  NAME                                        READY   STATUS    RESTARTS   AGE
+  ingress-nginx-controller-7c489dc7b7-ccrf6   1/1     Running   0          19h
+    ```
+
+### Verify Prometheus is installed
+
+- To check if Prometheus is already deployed, run the following command:
+
+  ```
+  helm ls -A
+  ```
+  ```
+  NAME         	NAMESPACE    	REVISION	UPDATED                             	STATUS  	CHART                       	APP VERSION
+  ingress-nginx	ingress-nginx	10      	2022-01-20 18:08:55.267373 -0800 PST	deployed	ingress-nginx-4.0.16        	1.1.1      
+  prometheus   	prometheus   	1       	2022-01-20 16:07:25.086828 -0800 PST	deployed	kube-prometheus-stack-30.1.0	0.53.1  
+  ```
+- Notice that prometheus is installed in a differenet namespace than ingress-nginx
+
+- If prometheus is not installed, then you can install from [here](https://artifacthub.io/packages/helm/prometheus-community/kube-prometheus-stack)
+
+### Re-configure NGINX Ingress controller
+
+- The Ingress NGINX controller needs to be reconfigured for exporting metrics. This requires 3 additional configurations to the controller. These configurations are :
+  ```
+  controller.metrics.enabled=true
+  controller.metrics.serviceMonitor.enabled=true
+  controller.metrics.serviceMonitor.enabled=true 
+  ```
+- The easiest way of doing this is to helm upgrade 
+  ```
+  helm upgrade ingress-nginx ingress-nginx/ingress-nginx \
+  --namespace ingress-nginx \
+  --set controller.metrics.enabled=true \
+  --set controller.metrics.serviceMonitor.enabled=true \
+  --set controller.metrics.serviceMonitor.additionalLabels.release="prometheus"
+  ```
+- Here `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"` should match the name of the helm release of the `kube-prometheus-stack`
+
+- You can validate that the controller has been successfully reconfigured to export metrics by looking at the values of the installed release, like this:
+  ```
+  helm get values ingress-nginx --namespace ingress-nginx
+  ```
+  ```
+  controller:
+    metrics:
+      enabled: true
+      serviceMonitor:
+        additionalLabels:
+          release: prometheus
+        enabled: true
+  ```
+### Configure Prometheus
+
+- Since Prometheus is running in a different namespace and not in the ingress-nginx namespace, it would not be able to discover ServiceMonitors in other namespaces when installed. Reconfigure your kube-prometheus-stack Helm installation to set `serviceMonitorSelectorNilUsesHelmValues` flag to false. By default, Prometheus only discovers PodMonitors within its own namespace. This should be disabled by setting `podMonitorSelectorNilUsesHelmValues` to false
+- The configurations required are:
+  ```
+  prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false 
+  prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false
+  ```
+- The easiest way of doing this is to use `helm upgrade ...`
+  ```
+  helm upgrade prometheus prometheus-community/kube-prometheus-stack \
+  --namespace prometheus  \
+  --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \
+  --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false
+  ```
+- You can validate that Prometheus has been reconfigured by looking at the values of the installed release, like this:
+  ```
+  helm get values prometheus --namespace prometheus
+  ```
+- You should be able to see the values shown below:
+  ```
+  prometheus:
+    prometheusSpec:
+      podMonitorSelectorNilUsesHelmValues: false
+      serviceMonitorSelectorNilUsesHelmValues: false
+  ```
+
+### Connect and view Prometheus dashboard
+- Port forward to Prometheus service. Find out the name of the prometheus service by using the following command: 
+  ```
+  kubectl get svc -n prometheus
+  ```
+
+  The result of this command would look like: 
+  ```
+  NAME                                      TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
+  alertmanager-operated                     ClusterIP   None             <none>        9093/TCP,9094/TCP,9094/UDP   7h46m
+  prometheus-grafana                        ClusterIP   10.106.28.162    <none>        80/TCP                       7h46m
+  prometheus-kube-prometheus-alertmanager   ClusterIP   10.108.125.245   <none>        9093/TCP                     7h46m
+  prometheus-kube-prometheus-operator       ClusterIP   10.110.220.1     <none>        443/TCP                      7h46m
+  prometheus-kube-prometheus-prometheus     ClusterIP   10.102.72.134    <none>        9090/TCP                     7h46m
+  prometheus-kube-state-metrics             ClusterIP   10.104.231.181   <none>        8080/TCP                     7h46m
+  prometheus-operated                       ClusterIP   None             <none>        9090/TCP                     7h46m
+  prometheus-prometheus-node-exporter       ClusterIP   10.96.247.128    <none>        9100/TCP                     7h46m
+  ```
+  prometheus-kube-prometheus-prometheus is the service we want to port forward to. We can do so using the following command:
+  ```
+  kubectl port-forward svc/prometheus-kube-prometheus-prometheus -n prometheus 9090:9090
+  ```
+  When you run the above command, you should see something like: 
+  ```
+  Forwarding from 127.0.0.1:9090 -> 9090
+  Forwarding from [::1]:9090 -> 9090
+  ```
+- Open your browser and visit the following URL http://localhost:{port-forwarded-port} according to the above example it would be, http://localhost:9090
+  
+  ![Prometheus Dashboard](../images/prometheus-dashboard1.png)
+
+### Connect and view Grafana dashboard 
+- Port forward to Grafana service. Find out the name of the Grafana service by using the following command: 
+  ```
+  kubectl get svc -n prometheus
+  ```
+
+  The result of this command would look like: 
+  ```
+  NAME                                      TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
+  alertmanager-operated                     ClusterIP   None             <none>        9093/TCP,9094/TCP,9094/UDP   7h46m
+  prometheus-grafana                        ClusterIP   10.106.28.162    <none>        80/TCP                       7h46m
+  prometheus-kube-prometheus-alertmanager   ClusterIP   10.108.125.245   <none>        9093/TCP                     7h46m
+  prometheus-kube-prometheus-operator       ClusterIP   10.110.220.1     <none>        443/TCP                      7h46m
+  prometheus-kube-prometheus-prometheus     ClusterIP   10.102.72.134    <none>        9090/TCP                     7h46m
+  prometheus-kube-state-metrics             ClusterIP   10.104.231.181   <none>        8080/TCP                     7h46m
+  prometheus-operated                       ClusterIP   None             <none>        9090/TCP                     7h46m
+  prometheus-prometheus-node-exporter       ClusterIP   10.96.247.128    <none>        9100/TCP                     7h46m
+  ```
+  prometheus-grafana is the service we want to port forward to. We can do so using the following command:
+  ```
+  kubectl port-forward svc/prometheus-grafana  3000:80 -n prometheus
+  ```
+  When you run the above command, you should see something like: 
+  ```
+  Forwarding from 127.0.0.1:3000 -> 3000
+  Forwarding from [::1]:3000 -> 3000
+  ```
+- Open your browser and visit the following URL http://localhost:{port-forwarded-port} according to the above example it would be, http://localhost:3000
+  The default username/ password is admin/prom-operator
+- After the login you can import the Grafana dashboard from [official dashboards](https://github.com/kubernetes/ingress-nginx/tree/main/deploy/grafana/dashboards), by following steps given below :
+
+  - Navigate to lefthand panel of grafana
+  - Hover on the gearwheel icon for Configuration and click "Data Sources"
+  - Click "Add data source"
+  - Select "Prometheus"
+  - Enter the details (note: I used http://10.102.72.134:9090 which is the CLUSTER-IP for Prometheus service)
+  - Left menu (hover over +) -> Dashboard
+  - Click "Import"
+  - Enter the copy pasted json from https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/grafana/dashboards/nginx.json
+  - Click Import JSON
+  - Select the Prometheus data source
+  - Click "Import"
+
+  ![Grafana Dashboard](../images/grafana-dashboard1.png)
+ 
\ No newline at end of file

From c1be3499eb98756af4d2f5a5d165e6ff11cceeb5 Mon Sep 17 00:00:00 2001
From: Ana Claudia Riekstin <17534478+anaclaudiar@users.noreply.github.com>
Date: Mon, 7 Feb 2022 12:53:44 -0500
Subject: [PATCH 323/376] Adding some geoip variables and default values
 (#8159)

* adding geoIp variables that Shopify uses

* adding source remote_addr for geoip2-isp
---
 rootfs/etc/nginx/template/nginx.tmpl | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 07e36925b..2ee76831c 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -245,8 +245,9 @@ http {
 
     {{ if eq $file "GeoIP2-ISP.mmdb" }}
     geoip2 /etc/nginx/geoip/GeoIP2-ISP.mmdb {
-        $geoip2_isp isp;
-        $geoip2_isp_org organization;
+        $geoip2_isp source=$remote_addr isp;
+        $geoip2_isp_org source=$remote_addr organization;
+        $geoip2_asn source=$remote_addr default=0 autonomous_system_number;
     }
     {{ end }}
 
@@ -259,8 +260,11 @@ http {
     {{ if eq $file "GeoIP2-Anonymous-IP.mmdb" }}
     geoip2 /etc/nginx/geoip/GeoIP2-Anonymous-IP.mmdb {
         $geoip2_is_anon source=$remote_addr is_anonymous;
-        $geoip2_is_hosting_provider source=$remote_addr is_hosting_provider;
-        $geoip2_is_public_proxy source=$remote_addr is_public_proxy;
+        $geoip2_is_anonymous source=$remote_addr default=0 is_anonymous;
+        $geoip2_is_anonymous_vpn source=$remote_addr default=0 is_anonymous_vpn;
+        $geoip2_is_hosting_provider source=$remote_addr default=0 is_hosting_provider;
+        $geoip2_is_public_proxy source=$remote_addr default=0 is_public_proxy;
+        $geoip2_is_tor_exit_node source=$remote_addr default=0 is_tor_exit_node;
     }
     {{ end }}
 

From 53a232f829220abdc40e42dc9ab44f9975b7e319 Mon Sep 17 00:00:00 2001
From: Yang <940129520@qq.com>
Date: Mon, 14 Feb 2022 02:25:47 +0800
Subject: [PATCH 324/376] webhook: remove useless code. (#8236)

* webhook: remove useless code

Signed-off-by: SpecialYang <940129520@qq.com>

* Remove duplicated codec
---
 internal/admission/controller/main.go     | 1 -
 internal/ingress/controller/controller.go | 5 -----
 2 files changed, 6 deletions(-)

diff --git a/internal/admission/controller/main.go b/internal/admission/controller/main.go
index 8645756fd..645f298b4 100644
--- a/internal/admission/controller/main.go
+++ b/internal/admission/controller/main.go
@@ -72,7 +72,6 @@ func (ia *IngressAdmission) HandleAdmission(obj runtime.Object) (runtime.Object,
 	codec := json.NewSerializerWithOptions(json.DefaultMetaFactory, scheme, scheme, json.SerializerOptions{
 		Pretty: true,
 	})
-	codec.Decode(review.Request.Object.Raw, nil, nil)
 	_, _, err := codec.Decode(review.Request.Object.Raw, nil, &ingress)
 	if err != nil {
 		klog.ErrorS(err, "failed to decode ingress")
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 9afe00953..607bb5cb9 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -1741,17 +1741,12 @@ func checkOverlap(ing *networking.Ingress, ingresses []*ingress.Ingress, servers
 			}
 
 			// same ingress
-			skipValidation := false
 			for _, existing := range existingIngresses {
 				if existing.ObjectMeta.Namespace == ing.ObjectMeta.Namespace && existing.ObjectMeta.Name == ing.ObjectMeta.Name {
 					return nil
 				}
 			}
 
-			if skipValidation {
-				continue
-			}
-
 			// path overlap. Check if one of the ingresses has a canary annotation
 			isCanaryEnabled, annotationErr := parser.GetBoolAnnotation("canary", ing)
 			for _, existing := range existingIngresses {

From 86964b15a889c37b41f520b028643147213d0086 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Endre=20Kov=C3=A1cs?= <ekovacs@users.noreply.github.com>
Date: Sun, 13 Feb 2022 19:33:47 +0100
Subject: [PATCH 325/376] fix inconsistent-label-cardinality for prometheus
 metrics: nginx_ingress_controller_requests (#8225)

* fix inconsistent-label-cardinality

for prometheus metrics: nginx_ingress_controller_requests

* add host to collectorLabels only if metricsPerHost is true
---
 internal/ingress/metric/collectors/socket.go  | 16 ++++++++--
 .../ingress/metric/collectors/socket_test.go  | 30 ++++++++++++++++++-
 2 files changed, 42 insertions(+), 4 deletions(-)

diff --git a/internal/ingress/metric/collectors/socket.go b/internal/ingress/metric/collectors/socket.go
index 44ca4b48b..0cbeeb4a6 100644
--- a/internal/ingress/metric/collectors/socket.go
+++ b/internal/ingress/metric/collectors/socket.go
@@ -217,6 +217,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost bool, bucke
 	}
 
 	sc.metricMapping = map[string]interface{}{
+		prometheus.BuildFQName(PrometheusNamespace, "", "requests"):                 sc.requests,
 		prometheus.BuildFQName(PrometheusNamespace, "", "request_duration_seconds"): sc.requestTime,
 		prometheus.BuildFQName(PrometheusNamespace, "", "request_size"):             sc.requestLength,
 
@@ -258,9 +259,6 @@ func (sc *SocketCollector) handleMessage(msg []byte) {
 			"service":   stats.Service,
 			"canary":    stats.Canary,
 		}
-		if sc.metricsPerHost {
-			requestLabels["host"] = stats.Host
-		}
 
 		collectorLabels := prometheus.Labels{
 			"namespace": stats.Namespace,
@@ -268,6 +266,12 @@ func (sc *SocketCollector) handleMessage(msg []byte) {
 			"status":    stats.Status,
 			"service":   stats.Service,
 			"canary":    stats.Canary,
+			"method":    stats.Method,
+			"path":      stats.Path,
+		}
+		if sc.metricsPerHost {
+			requestLabels["host"] = stats.Host
+			collectorLabels["host"] = stats.Host
 		}
 
 		latencyLabels := prometheus.Labels{
@@ -415,6 +419,12 @@ func (sc *SocketCollector) RemoveMetrics(ingresses []string, registry prometheus
 					klog.V(2).InfoS("metric not removed", "name", metricName, "ingress", ingKey, "labels", labels)
 				}
 			}
+
+			if c, ok := metric.(*prometheus.CounterVec); ok {
+				if removed := c.Delete(labels); !removed {
+					klog.V(2).InfoS("metric not removed", "name", metricName, "ingress", ingKey, "labels", labels)
+				}
+			}
 		}
 	}
 }
diff --git a/internal/ingress/metric/collectors/socket_test.go b/internal/ingress/metric/collectors/socket_test.go
index 3b124efa0..8542d273c 100644
--- a/internal/ingress/metric/collectors/socket_test.go
+++ b/internal/ingress/metric/collectors/socket_test.go
@@ -153,7 +153,35 @@ func TestCollector(t *testing.T) {
 			wantAfter: `
 			`,
 		},
-
+		{
+			name: "valid metric object should update requests metrics",
+			data: []string{`[{
+				"host":"testshop.com",
+				"status":"200",
+				"bytesSent":150.0,
+				"method":"GET",
+				"path":"/admin",
+				"requestLength":300.0,
+				"requestTime":60.0,
+				"upstreamName":"test-upstream",
+				"upstreamIP":"1.1.1.1:8080",
+				"upstreamResponseTime":200,
+				"upstreamStatus":"220",
+				"namespace":"test-app-production",
+				"ingress":"web-yml",
+				"service":"test-app",
+				"canary":""
+			}]`},
+			metrics: []string{"nginx_ingress_controller_requests"},
+			wantBefore: `
+				# HELP nginx_ingress_controller_requests The total number of client requests.
+				# TYPE nginx_ingress_controller_requests counter
+				nginx_ingress_controller_requests{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="200"} 1
+			`,
+			removeIngresses: []string{"test-app-production/web-yml"},
+			wantAfter: `
+			`,
+		},
 		{
 			name: "valid metric object with canary information should update prometheus metrics",
 			data: []string{`[{

From 5754eb60f46efaf3a0ace6d62a3c05c274956838 Mon Sep 17 00:00:00 2001
From: Aibek <35672535+L1ghtman2k@users.noreply.github.com>
Date: Sun, 13 Feb 2022 13:39:47 -0500
Subject: [PATCH 326/376] Append elements on match, instead of removing for
 cors-annotations (#8185)

* fixes https://github.com/kubernetes/ingress-nginx/issues/8168 by appending elements on match, instead of removing

* refactor the corsOriginRegex comparison, and initialize CorsAllowOrigin
---
 internal/ingress/annotations/cors/main.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/internal/ingress/annotations/cors/main.go b/internal/ingress/annotations/cors/main.go
index d2f232af1..de5b8c279 100644
--- a/internal/ingress/annotations/cors/main.go
+++ b/internal/ingress/annotations/cors/main.go
@@ -121,19 +121,22 @@ func (c cors) Parse(ing *networking.Ingress) (interface{}, error) {
 		config.CorsEnabled = false
 	}
 
+	config.CorsAllowOrigin = []string{}
 	unparsedOrigins, err := parser.GetStringAnnotation("cors-allow-origin", ing)
 	if err == nil {
-		config.CorsAllowOrigin = strings.Split(unparsedOrigins, ",")
-		for i, origin := range config.CorsAllowOrigin {
+		origins := strings.Split(unparsedOrigins, ",")
+		for _, origin := range origins {
 			origin = strings.TrimSpace(origin)
 			if origin == "*" {
 				config.CorsAllowOrigin = []string{"*"}
 				break
 			}
+
 			if !corsOriginRegex.MatchString(origin) {
 				klog.Errorf("Error parsing cors-allow-origin parameters. Supplied incorrect origin: %s. Skipping.", origin)
-				config.CorsAllowOrigin = append(config.CorsAllowOrigin[:i], config.CorsAllowOrigin[i+1:]...)
+				continue
 			}
+			config.CorsAllowOrigin = append(config.CorsAllowOrigin, origin)
 			klog.Infof("Current config.corsAllowOrigin %v", config.CorsAllowOrigin)
 		}
 	} else {

From c9f61211d3442953cadbf4e89357af500239c596 Mon Sep 17 00:00:00 2001
From: Alastair Firth <afirth@users.noreply.github.com>
Date: Sun, 13 Feb 2022 19:47:47 +0100
Subject: [PATCH 327/376] Versioned static manifests (#8162)

* update deploy script to generate static manifests for all supported versions

* generate static manifests for all supported versions
---
 deploy/static/provider/aws/1.19/deploy.yaml   | 676 +++++++++++++++++
 .../provider/aws/1.19/kustomization.yaml      |  11 +
 deploy/static/provider/aws/1.20/deploy.yaml   | 682 +++++++++++++++++
 .../provider/aws/1.20/kustomization.yaml      |  11 +
 deploy/static/provider/aws/1.21/deploy.yaml   | 682 +++++++++++++++++
 .../provider/aws/1.21/kustomization.yaml      |  11 +
 deploy/static/provider/aws/1.22/deploy.yaml   | 682 +++++++++++++++++
 .../provider/aws/1.22/kustomization.yaml      |  11 +
 deploy/static/provider/aws/deploy.yaml        |  60 +-
 .../nlb-with-tls-termination/1.19/deploy.yaml | 688 +++++++++++++++++
 .../1.19/kustomization.yaml                   |  11 +
 .../nlb-with-tls-termination/1.20/deploy.yaml | 694 ++++++++++++++++++
 .../1.20/kustomization.yaml                   |  11 +
 .../nlb-with-tls-termination/1.21/deploy.yaml | 694 ++++++++++++++++++
 .../1.21/kustomization.yaml                   |  11 +
 .../nlb-with-tls-termination/1.22/deploy.yaml | 694 ++++++++++++++++++
 .../1.22/kustomization.yaml                   |  11 +
 .../aws/nlb-with-tls-termination/deploy.yaml  |  60 +-
 .../provider/baremetal/1.19/deploy.yaml       | 671 +++++++++++++++++
 .../baremetal/1.19/kustomization.yaml         |  11 +
 .../provider/baremetal/1.20/deploy.yaml       | 677 +++++++++++++++++
 .../baremetal/1.20/kustomization.yaml         |  11 +
 .../provider/baremetal/1.21/deploy.yaml       | 677 +++++++++++++++++
 .../baremetal/1.21/kustomization.yaml         |  11 +
 .../provider/baremetal/1.22/deploy.yaml       | 677 +++++++++++++++++
 .../baremetal/1.22/kustomization.yaml         |  11 +
 deploy/static/provider/baremetal/deploy.yaml  |  60 +-
 deploy/static/provider/cloud/1.19/deploy.yaml | 673 +++++++++++++++++
 .../provider/cloud/1.19/kustomization.yaml    |  11 +
 deploy/static/provider/cloud/1.20/deploy.yaml | 679 +++++++++++++++++
 .../provider/cloud/1.20/kustomization.yaml    |  11 +
 deploy/static/provider/cloud/1.21/deploy.yaml | 679 +++++++++++++++++
 .../provider/cloud/1.21/kustomization.yaml    |  11 +
 deploy/static/provider/cloud/1.22/deploy.yaml | 679 +++++++++++++++++
 .../provider/cloud/1.22/kustomization.yaml    |  11 +
 deploy/static/provider/cloud/deploy.yaml      |  60 +-
 deploy/static/provider/do/1.19/deploy.yaml    | 676 +++++++++++++++++
 .../provider/do/1.19/kustomization.yaml       |  11 +
 deploy/static/provider/do/1.20/deploy.yaml    | 682 +++++++++++++++++
 .../provider/do/1.20/kustomization.yaml       |  11 +
 deploy/static/provider/do/1.21/deploy.yaml    | 682 +++++++++++++++++
 .../provider/do/1.21/kustomization.yaml       |  11 +
 deploy/static/provider/do/1.22/deploy.yaml    | 682 +++++++++++++++++
 .../provider/do/1.22/kustomization.yaml       |  11 +
 deploy/static/provider/do/deploy.yaml         |  60 +-
 .../static/provider/exoscale/1.19/deploy.yaml | 682 +++++++++++++++++
 .../provider/exoscale/1.19/kustomization.yaml |  11 +
 .../static/provider/exoscale/1.20/deploy.yaml | 688 +++++++++++++++++
 .../provider/exoscale/1.20/kustomization.yaml |  11 +
 .../static/provider/exoscale/1.21/deploy.yaml | 688 +++++++++++++++++
 .../provider/exoscale/1.21/kustomization.yaml |  11 +
 .../static/provider/exoscale/1.22/deploy.yaml | 688 +++++++++++++++++
 .../provider/exoscale/1.22/kustomization.yaml |  11 +
 deploy/static/provider/exoscale/deploy.yaml   |  60 +-
 deploy/static/provider/kind/1.19/deploy.yaml  | 684 +++++++++++++++++
 .../provider/kind/1.19/kustomization.yaml     |  11 +
 deploy/static/provider/kind/1.20/deploy.yaml  | 690 +++++++++++++++++
 .../provider/kind/1.20/kustomization.yaml     |  11 +
 deploy/static/provider/kind/1.21/deploy.yaml  | 690 +++++++++++++++++
 .../provider/kind/1.21/kustomization.yaml     |  11 +
 deploy/static/provider/kind/1.22/deploy.yaml  | 690 +++++++++++++++++
 .../provider/kind/1.22/kustomization.yaml     |  11 +
 deploy/static/provider/kind/deploy.yaml       |  60 +-
 deploy/static/provider/scw/1.19/deploy.yaml   | 675 +++++++++++++++++
 .../provider/scw/1.19/kustomization.yaml      |  11 +
 deploy/static/provider/scw/1.20/deploy.yaml   | 681 +++++++++++++++++
 .../provider/scw/1.20/kustomization.yaml      |  11 +
 deploy/static/provider/scw/1.21/deploy.yaml   | 681 +++++++++++++++++
 .../provider/scw/1.21/kustomization.yaml      |  11 +
 deploy/static/provider/scw/1.22/deploy.yaml   | 681 +++++++++++++++++
 .../provider/scw/1.22/kustomization.yaml      |  11 +
 deploy/static/provider/scw/deploy.yaml        |  60 +-
 hack/generate-deploy-scripts.sh               |   4 +-
 73 files changed, 22517 insertions(+), 163 deletions(-)
 create mode 100644 deploy/static/provider/aws/1.19/deploy.yaml
 create mode 100644 deploy/static/provider/aws/1.19/kustomization.yaml
 create mode 100644 deploy/static/provider/aws/1.20/deploy.yaml
 create mode 100644 deploy/static/provider/aws/1.20/kustomization.yaml
 create mode 100644 deploy/static/provider/aws/1.21/deploy.yaml
 create mode 100644 deploy/static/provider/aws/1.21/kustomization.yaml
 create mode 100644 deploy/static/provider/aws/1.22/deploy.yaml
 create mode 100644 deploy/static/provider/aws/1.22/kustomization.yaml
 create mode 100644 deploy/static/provider/aws/nlb-with-tls-termination/1.19/deploy.yaml
 create mode 100644 deploy/static/provider/aws/nlb-with-tls-termination/1.19/kustomization.yaml
 create mode 100644 deploy/static/provider/aws/nlb-with-tls-termination/1.20/deploy.yaml
 create mode 100644 deploy/static/provider/aws/nlb-with-tls-termination/1.20/kustomization.yaml
 create mode 100644 deploy/static/provider/aws/nlb-with-tls-termination/1.21/deploy.yaml
 create mode 100644 deploy/static/provider/aws/nlb-with-tls-termination/1.21/kustomization.yaml
 create mode 100644 deploy/static/provider/aws/nlb-with-tls-termination/1.22/deploy.yaml
 create mode 100644 deploy/static/provider/aws/nlb-with-tls-termination/1.22/kustomization.yaml
 create mode 100644 deploy/static/provider/baremetal/1.19/deploy.yaml
 create mode 100644 deploy/static/provider/baremetal/1.19/kustomization.yaml
 create mode 100644 deploy/static/provider/baremetal/1.20/deploy.yaml
 create mode 100644 deploy/static/provider/baremetal/1.20/kustomization.yaml
 create mode 100644 deploy/static/provider/baremetal/1.21/deploy.yaml
 create mode 100644 deploy/static/provider/baremetal/1.21/kustomization.yaml
 create mode 100644 deploy/static/provider/baremetal/1.22/deploy.yaml
 create mode 100644 deploy/static/provider/baremetal/1.22/kustomization.yaml
 create mode 100644 deploy/static/provider/cloud/1.19/deploy.yaml
 create mode 100644 deploy/static/provider/cloud/1.19/kustomization.yaml
 create mode 100644 deploy/static/provider/cloud/1.20/deploy.yaml
 create mode 100644 deploy/static/provider/cloud/1.20/kustomization.yaml
 create mode 100644 deploy/static/provider/cloud/1.21/deploy.yaml
 create mode 100644 deploy/static/provider/cloud/1.21/kustomization.yaml
 create mode 100644 deploy/static/provider/cloud/1.22/deploy.yaml
 create mode 100644 deploy/static/provider/cloud/1.22/kustomization.yaml
 create mode 100644 deploy/static/provider/do/1.19/deploy.yaml
 create mode 100644 deploy/static/provider/do/1.19/kustomization.yaml
 create mode 100644 deploy/static/provider/do/1.20/deploy.yaml
 create mode 100644 deploy/static/provider/do/1.20/kustomization.yaml
 create mode 100644 deploy/static/provider/do/1.21/deploy.yaml
 create mode 100644 deploy/static/provider/do/1.21/kustomization.yaml
 create mode 100644 deploy/static/provider/do/1.22/deploy.yaml
 create mode 100644 deploy/static/provider/do/1.22/kustomization.yaml
 create mode 100644 deploy/static/provider/exoscale/1.19/deploy.yaml
 create mode 100644 deploy/static/provider/exoscale/1.19/kustomization.yaml
 create mode 100644 deploy/static/provider/exoscale/1.20/deploy.yaml
 create mode 100644 deploy/static/provider/exoscale/1.20/kustomization.yaml
 create mode 100644 deploy/static/provider/exoscale/1.21/deploy.yaml
 create mode 100644 deploy/static/provider/exoscale/1.21/kustomization.yaml
 create mode 100644 deploy/static/provider/exoscale/1.22/deploy.yaml
 create mode 100644 deploy/static/provider/exoscale/1.22/kustomization.yaml
 create mode 100644 deploy/static/provider/kind/1.19/deploy.yaml
 create mode 100644 deploy/static/provider/kind/1.19/kustomization.yaml
 create mode 100644 deploy/static/provider/kind/1.20/deploy.yaml
 create mode 100644 deploy/static/provider/kind/1.20/kustomization.yaml
 create mode 100644 deploy/static/provider/kind/1.21/deploy.yaml
 create mode 100644 deploy/static/provider/kind/1.21/kustomization.yaml
 create mode 100644 deploy/static/provider/kind/1.22/deploy.yaml
 create mode 100644 deploy/static/provider/kind/1.22/kustomization.yaml
 create mode 100644 deploy/static/provider/scw/1.19/deploy.yaml
 create mode 100644 deploy/static/provider/scw/1.19/kustomization.yaml
 create mode 100644 deploy/static/provider/scw/1.20/deploy.yaml
 create mode 100644 deploy/static/provider/scw/1.20/kustomization.yaml
 create mode 100644 deploy/static/provider/scw/1.21/deploy.yaml
 create mode 100644 deploy/static/provider/scw/1.21/kustomization.yaml
 create mode 100644 deploy/static/provider/scw/1.22/deploy.yaml
 create mode 100644 deploy/static/provider/scw/1.22/kustomization.yaml

diff --git a/deploy/static/provider/aws/1.19/deploy.yaml b/deploy/static/provider/aws/1.19/deploy.yaml
new file mode 100644
index 000000000..c73b0e7e1
--- /dev/null
+++ b/deploy/static/provider/aws/1.19/deploy.yaml
@@ -0,0 +1,676 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/aws/1.19/kustomization.yaml b/deploy/static/provider/aws/1.19/kustomization.yaml
new file mode 100644
index 000000000..d18ef3896
--- /dev/null
+++ b/deploy/static/provider/aws/1.19/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/aws/1.20/deploy.yaml b/deploy/static/provider/aws/1.20/deploy.yaml
new file mode 100644
index 000000000..c8117bf51
--- /dev/null
+++ b/deploy/static/provider/aws/1.20/deploy.yaml
@@ -0,0 +1,682 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/aws/1.20/kustomization.yaml b/deploy/static/provider/aws/1.20/kustomization.yaml
new file mode 100644
index 000000000..d18ef3896
--- /dev/null
+++ b/deploy/static/provider/aws/1.20/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/aws/1.21/deploy.yaml b/deploy/static/provider/aws/1.21/deploy.yaml
new file mode 100644
index 000000000..c8117bf51
--- /dev/null
+++ b/deploy/static/provider/aws/1.21/deploy.yaml
@@ -0,0 +1,682 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/aws/1.21/kustomization.yaml b/deploy/static/provider/aws/1.21/kustomization.yaml
new file mode 100644
index 000000000..d18ef3896
--- /dev/null
+++ b/deploy/static/provider/aws/1.21/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/aws/1.22/deploy.yaml b/deploy/static/provider/aws/1.22/deploy.yaml
new file mode 100644
index 000000000..c8117bf51
--- /dev/null
+++ b/deploy/static/provider/aws/1.22/deploy.yaml
@@ -0,0 +1,682 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/aws/1.22/kustomization.yaml b/deploy/static/provider/aws/1.22/kustomization.yaml
new file mode 100644
index 000000000..d18ef3896
--- /dev/null
+++ b/deploy/static/provider/aws/1.22/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml
index b74690c33..3ade4013b 100644
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@@ -16,8 +16,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -32,8 +33,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -45,8 +47,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -131,8 +134,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -151,8 +155,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -222,8 +227,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -242,8 +248,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -266,8 +273,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -286,8 +294,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,8 +318,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -331,8 +341,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -348,8 +359,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -382,8 +394,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -406,8 +419,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -521,8 +535,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -533,8 +548,9 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
         app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.15
+        helm.sh/chart: ingress-nginx-4.0.16
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -572,8 +588,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -584,8 +601,9 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
         app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.15
+        helm.sh/chart: ingress-nginx-4.0.16
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -622,8 +640,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -636,8 +655,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.19/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.19/deploy.yaml
new file mode 100644
index 000000000..eee0f093a
--- /dev/null
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.19/deploy.yaml
@@ -0,0 +1,688 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+  http-snippet: |
+    server {
+      listen 2443;
+      return 308 https://$host$request_uri;
+    }
+  proxy-real-ip-cidr: XXX.XXX.XXX/XX
+  use-forwarded-headers: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
+    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX
+    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: tohttps
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: http
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 80
+          name: https
+          protocol: TCP
+        - containerPort: 2443
+          name: tohttps
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.19/kustomization.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.19/kustomization.yaml
new file mode 100644
index 000000000..ca2086ea9
--- /dev/null
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.19/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws/nlb-with-tls-termination?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.20/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.20/deploy.yaml
new file mode 100644
index 000000000..cc52b3114
--- /dev/null
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.20/deploy.yaml
@@ -0,0 +1,694 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+  http-snippet: |
+    server {
+      listen 2443;
+      return 308 https://$host$request_uri;
+    }
+  proxy-real-ip-cidr: XXX.XXX.XXX/XX
+  use-forwarded-headers: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
+    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX
+    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: tohttps
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: http
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 80
+          name: https
+          protocol: TCP
+        - containerPort: 2443
+          name: tohttps
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.20/kustomization.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.20/kustomization.yaml
new file mode 100644
index 000000000..ca2086ea9
--- /dev/null
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.20/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws/nlb-with-tls-termination?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.21/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.21/deploy.yaml
new file mode 100644
index 000000000..cc52b3114
--- /dev/null
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.21/deploy.yaml
@@ -0,0 +1,694 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+  http-snippet: |
+    server {
+      listen 2443;
+      return 308 https://$host$request_uri;
+    }
+  proxy-real-ip-cidr: XXX.XXX.XXX/XX
+  use-forwarded-headers: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
+    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX
+    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: tohttps
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: http
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 80
+          name: https
+          protocol: TCP
+        - containerPort: 2443
+          name: tohttps
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.21/kustomization.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.21/kustomization.yaml
new file mode 100644
index 000000000..ca2086ea9
--- /dev/null
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.21/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws/nlb-with-tls-termination?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.22/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.22/deploy.yaml
new file mode 100644
index 000000000..cc52b3114
--- /dev/null
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.22/deploy.yaml
@@ -0,0 +1,694 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+  http-snippet: |
+    server {
+      listen 2443;
+      return 308 https://$host$request_uri;
+    }
+  proxy-real-ip-cidr: XXX.XXX.XXX/XX
+  use-forwarded-headers: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
+    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX
+    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: tohttps
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: http
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 80
+          name: https
+          protocol: TCP
+        - containerPort: 2443
+          name: tohttps
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.22/kustomization.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.22/kustomization.yaml
new file mode 100644
index 000000000..ca2086ea9
--- /dev/null
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.22/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws/nlb-with-tls-termination?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
index 242624ef3..21aae7795 100644
--- a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
@@ -16,8 +16,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -32,8 +33,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -45,8 +47,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -131,8 +134,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -151,8 +155,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -222,8 +227,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -242,8 +248,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -266,8 +273,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -286,8 +294,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,8 +318,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,8 +348,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -357,8 +368,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -391,8 +403,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -415,8 +428,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -533,8 +547,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -545,8 +560,9 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
         app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.15
+        helm.sh/chart: ingress-nginx-4.0.16
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -584,8 +600,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -596,8 +613,9 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
         app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.15
+        helm.sh/chart: ingress-nginx-4.0.16
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -634,8 +652,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -648,8 +667,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/baremetal/1.19/deploy.yaml b/deploy/static/provider/baremetal/1.19/deploy.yaml
new file mode 100644
index 000000000..ec21480bb
--- /dev/null
+++ b/deploy/static/provider/baremetal/1.19/deploy.yaml
@@ -0,0 +1,671 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations: null
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: NodePort
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/baremetal/1.19/kustomization.yaml b/deploy/static/provider/baremetal/1.19/kustomization.yaml
new file mode 100644
index 000000000..d13af0f82
--- /dev/null
+++ b/deploy/static/provider/baremetal/1.19/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/baremetal?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/baremetal/1.20/deploy.yaml b/deploy/static/provider/baremetal/1.20/deploy.yaml
new file mode 100644
index 000000000..f4c419ed9
--- /dev/null
+++ b/deploy/static/provider/baremetal/1.20/deploy.yaml
@@ -0,0 +1,677 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations: null
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: NodePort
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/baremetal/1.20/kustomization.yaml b/deploy/static/provider/baremetal/1.20/kustomization.yaml
new file mode 100644
index 000000000..d13af0f82
--- /dev/null
+++ b/deploy/static/provider/baremetal/1.20/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/baremetal?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/baremetal/1.21/deploy.yaml b/deploy/static/provider/baremetal/1.21/deploy.yaml
new file mode 100644
index 000000000..f4c419ed9
--- /dev/null
+++ b/deploy/static/provider/baremetal/1.21/deploy.yaml
@@ -0,0 +1,677 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations: null
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: NodePort
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/baremetal/1.21/kustomization.yaml b/deploy/static/provider/baremetal/1.21/kustomization.yaml
new file mode 100644
index 000000000..d13af0f82
--- /dev/null
+++ b/deploy/static/provider/baremetal/1.21/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/baremetal?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/baremetal/1.22/deploy.yaml b/deploy/static/provider/baremetal/1.22/deploy.yaml
new file mode 100644
index 000000000..f4c419ed9
--- /dev/null
+++ b/deploy/static/provider/baremetal/1.22/deploy.yaml
@@ -0,0 +1,677 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations: null
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: NodePort
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/baremetal/1.22/kustomization.yaml b/deploy/static/provider/baremetal/1.22/kustomization.yaml
new file mode 100644
index 000000000..d13af0f82
--- /dev/null
+++ b/deploy/static/provider/baremetal/1.22/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/baremetal?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml
index af3463951..8aea1fd40 100644
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@@ -16,8 +16,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -32,8 +33,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -45,8 +47,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -131,8 +134,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -151,8 +155,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -222,8 +227,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -242,8 +248,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -266,8 +273,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -286,8 +294,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,8 +318,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -331,8 +341,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -345,8 +356,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -378,8 +390,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -402,8 +415,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -516,8 +530,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -528,8 +543,9 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
         app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.15
+        helm.sh/chart: ingress-nginx-4.0.16
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -567,8 +583,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -579,8 +596,9 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
         app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.15
+        helm.sh/chart: ingress-nginx-4.0.16
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -617,8 +635,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -631,8 +650,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/cloud/1.19/deploy.yaml b/deploy/static/provider/cloud/1.19/deploy.yaml
new file mode 100644
index 000000000..8930e5c6d
--- /dev/null
+++ b/deploy/static/provider/cloud/1.19/deploy.yaml
@@ -0,0 +1,673 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations: null
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/cloud/1.19/kustomization.yaml b/deploy/static/provider/cloud/1.19/kustomization.yaml
new file mode 100644
index 000000000..a92167fad
--- /dev/null
+++ b/deploy/static/provider/cloud/1.19/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/cloud?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/cloud/1.20/deploy.yaml b/deploy/static/provider/cloud/1.20/deploy.yaml
new file mode 100644
index 000000000..ef71edab1
--- /dev/null
+++ b/deploy/static/provider/cloud/1.20/deploy.yaml
@@ -0,0 +1,679 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations: null
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/cloud/1.20/kustomization.yaml b/deploy/static/provider/cloud/1.20/kustomization.yaml
new file mode 100644
index 000000000..a92167fad
--- /dev/null
+++ b/deploy/static/provider/cloud/1.20/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/cloud?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/cloud/1.21/deploy.yaml b/deploy/static/provider/cloud/1.21/deploy.yaml
new file mode 100644
index 000000000..ef71edab1
--- /dev/null
+++ b/deploy/static/provider/cloud/1.21/deploy.yaml
@@ -0,0 +1,679 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations: null
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/cloud/1.21/kustomization.yaml b/deploy/static/provider/cloud/1.21/kustomization.yaml
new file mode 100644
index 000000000..a92167fad
--- /dev/null
+++ b/deploy/static/provider/cloud/1.21/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/cloud?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/cloud/1.22/deploy.yaml b/deploy/static/provider/cloud/1.22/deploy.yaml
new file mode 100644
index 000000000..ef71edab1
--- /dev/null
+++ b/deploy/static/provider/cloud/1.22/deploy.yaml
@@ -0,0 +1,679 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations: null
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/cloud/1.22/kustomization.yaml b/deploy/static/provider/cloud/1.22/kustomization.yaml
new file mode 100644
index 000000000..a92167fad
--- /dev/null
+++ b/deploy/static/provider/cloud/1.22/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/cloud?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml
index 87f64383a..aafd9fde7 100644
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@@ -16,8 +16,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -32,8 +33,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -45,8 +47,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -131,8 +134,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -151,8 +155,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -222,8 +227,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -242,8 +248,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -266,8 +273,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -286,8 +294,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,8 +318,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -331,8 +341,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -345,8 +356,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -379,8 +391,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -403,8 +416,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -518,8 +532,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -530,8 +545,9 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
         app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.15
+        helm.sh/chart: ingress-nginx-4.0.16
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -569,8 +585,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -581,8 +598,9 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
         app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.15
+        helm.sh/chart: ingress-nginx-4.0.16
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -619,8 +637,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -633,8 +652,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/do/1.19/deploy.yaml b/deploy/static/provider/do/1.19/deploy.yaml
new file mode 100644
index 000000000..6f63e5806
--- /dev/null
+++ b/deploy/static/provider/do/1.19/deploy.yaml
@@ -0,0 +1,676 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+  use-proxy-protocol: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
+  timeoutSeconds: 29
diff --git a/deploy/static/provider/do/1.19/kustomization.yaml b/deploy/static/provider/do/1.19/kustomization.yaml
new file mode 100644
index 000000000..c7bb8d250
--- /dev/null
+++ b/deploy/static/provider/do/1.19/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/do?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/do/1.20/deploy.yaml b/deploy/static/provider/do/1.20/deploy.yaml
new file mode 100644
index 000000000..6e5ef30ee
--- /dev/null
+++ b/deploy/static/provider/do/1.20/deploy.yaml
@@ -0,0 +1,682 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+  use-proxy-protocol: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
+  timeoutSeconds: 29
diff --git a/deploy/static/provider/do/1.20/kustomization.yaml b/deploy/static/provider/do/1.20/kustomization.yaml
new file mode 100644
index 000000000..c7bb8d250
--- /dev/null
+++ b/deploy/static/provider/do/1.20/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/do?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/do/1.21/deploy.yaml b/deploy/static/provider/do/1.21/deploy.yaml
new file mode 100644
index 000000000..6e5ef30ee
--- /dev/null
+++ b/deploy/static/provider/do/1.21/deploy.yaml
@@ -0,0 +1,682 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+  use-proxy-protocol: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
+  timeoutSeconds: 29
diff --git a/deploy/static/provider/do/1.21/kustomization.yaml b/deploy/static/provider/do/1.21/kustomization.yaml
new file mode 100644
index 000000000..c7bb8d250
--- /dev/null
+++ b/deploy/static/provider/do/1.21/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/do?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/do/1.22/deploy.yaml b/deploy/static/provider/do/1.22/deploy.yaml
new file mode 100644
index 000000000..6e5ef30ee
--- /dev/null
+++ b/deploy/static/provider/do/1.22/deploy.yaml
@@ -0,0 +1,682 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+  use-proxy-protocol: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
+  timeoutSeconds: 29
diff --git a/deploy/static/provider/do/1.22/kustomization.yaml b/deploy/static/provider/do/1.22/kustomization.yaml
new file mode 100644
index 000000000..c7bb8d250
--- /dev/null
+++ b/deploy/static/provider/do/1.22/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/do?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml
index 6409fffde..996fb7ea3 100644
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@@ -16,8 +16,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -32,8 +33,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -45,8 +47,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -131,8 +134,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -151,8 +155,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -222,8 +227,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -242,8 +248,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -266,8 +273,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -286,8 +294,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,8 +318,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -332,8 +342,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -347,8 +358,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -381,8 +393,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -405,8 +418,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -520,8 +534,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -532,8 +547,9 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
         app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.15
+        helm.sh/chart: ingress-nginx-4.0.16
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -571,8 +587,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -583,8 +600,9 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
         app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.15
+        helm.sh/chart: ingress-nginx-4.0.16
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -621,8 +639,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -635,8 +654,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/exoscale/1.19/deploy.yaml b/deploy/static/provider/exoscale/1.19/deploy.yaml
new file mode 100644
index 000000000..ea82a935c
--- /dev/null
+++ b/deploy/static/provider/exoscale/1.19/deploy.yaml
@@ -0,0 +1,682 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/exoscale-loadbalancer-description: NGINX Ingress Controller
+      load balancer
+    service.beta.kubernetes.io/exoscale-loadbalancer-name: nginx-ingress-controller
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-interval: 10s
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-mode: http
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-retries: "1"
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: 3s
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-uri: /
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/exoscale/1.19/kustomization.yaml b/deploy/static/provider/exoscale/1.19/kustomization.yaml
new file mode 100644
index 000000000..8466627e2
--- /dev/null
+++ b/deploy/static/provider/exoscale/1.19/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/exoscale?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/exoscale/1.20/deploy.yaml b/deploy/static/provider/exoscale/1.20/deploy.yaml
new file mode 100644
index 000000000..f933c41b5
--- /dev/null
+++ b/deploy/static/provider/exoscale/1.20/deploy.yaml
@@ -0,0 +1,688 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/exoscale-loadbalancer-description: NGINX Ingress Controller
+      load balancer
+    service.beta.kubernetes.io/exoscale-loadbalancer-name: nginx-ingress-controller
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-interval: 10s
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-mode: http
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-retries: "1"
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: 3s
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-uri: /
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/exoscale/1.20/kustomization.yaml b/deploy/static/provider/exoscale/1.20/kustomization.yaml
new file mode 100644
index 000000000..8466627e2
--- /dev/null
+++ b/deploy/static/provider/exoscale/1.20/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/exoscale?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/exoscale/1.21/deploy.yaml b/deploy/static/provider/exoscale/1.21/deploy.yaml
new file mode 100644
index 000000000..f933c41b5
--- /dev/null
+++ b/deploy/static/provider/exoscale/1.21/deploy.yaml
@@ -0,0 +1,688 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/exoscale-loadbalancer-description: NGINX Ingress Controller
+      load balancer
+    service.beta.kubernetes.io/exoscale-loadbalancer-name: nginx-ingress-controller
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-interval: 10s
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-mode: http
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-retries: "1"
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: 3s
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-uri: /
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/exoscale/1.21/kustomization.yaml b/deploy/static/provider/exoscale/1.21/kustomization.yaml
new file mode 100644
index 000000000..8466627e2
--- /dev/null
+++ b/deploy/static/provider/exoscale/1.21/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/exoscale?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/exoscale/1.22/deploy.yaml b/deploy/static/provider/exoscale/1.22/deploy.yaml
new file mode 100644
index 000000000..f933c41b5
--- /dev/null
+++ b/deploy/static/provider/exoscale/1.22/deploy.yaml
@@ -0,0 +1,688 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/exoscale-loadbalancer-description: NGINX Ingress Controller
+      load balancer
+    service.beta.kubernetes.io/exoscale-loadbalancer-name: nginx-ingress-controller
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-interval: 10s
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-mode: http
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-retries: "1"
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: 3s
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-uri: /
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/exoscale/1.22/kustomization.yaml b/deploy/static/provider/exoscale/1.22/kustomization.yaml
new file mode 100644
index 000000000..8466627e2
--- /dev/null
+++ b/deploy/static/provider/exoscale/1.22/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/exoscale?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml
index ef0769852..e03f2a9d2 100644
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@@ -16,8 +16,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -32,8 +33,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -45,8 +47,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -131,8 +134,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -151,8 +155,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -222,8 +227,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -242,8 +248,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -266,8 +273,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -286,8 +294,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,8 +318,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -331,8 +341,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -354,8 +365,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -388,8 +400,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -412,8 +425,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -527,8 +541,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -539,8 +554,9 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
         app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.15
+        helm.sh/chart: ingress-nginx-4.0.16
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -578,8 +594,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -590,8 +607,9 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
         app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.15
+        helm.sh/chart: ingress-nginx-4.0.16
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -628,8 +646,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -642,8 +661,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/kind/1.19/deploy.yaml b/deploy/static/provider/kind/1.19/deploy.yaml
new file mode 100644
index 000000000..cfe8c44fe
--- /dev/null
+++ b/deploy/static/provider/kind/1.19/deploy.yaml
@@ -0,0 +1,684 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations: null
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: NodePort
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        - --watch-ingress-without-class=true
+        - --publish-status-address=localhost
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          hostPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          hostPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        ingress-ready: "true"
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 0
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Equal
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/kind/1.19/kustomization.yaml b/deploy/static/provider/kind/1.19/kustomization.yaml
new file mode 100644
index 000000000..94b7c887d
--- /dev/null
+++ b/deploy/static/provider/kind/1.19/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/kind?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/kind/1.20/deploy.yaml b/deploy/static/provider/kind/1.20/deploy.yaml
new file mode 100644
index 000000000..e2a18a480
--- /dev/null
+++ b/deploy/static/provider/kind/1.20/deploy.yaml
@@ -0,0 +1,690 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations: null
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: NodePort
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        - --watch-ingress-without-class=true
+        - --publish-status-address=localhost
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          hostPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          hostPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        ingress-ready: "true"
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 0
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Equal
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/kind/1.20/kustomization.yaml b/deploy/static/provider/kind/1.20/kustomization.yaml
new file mode 100644
index 000000000..94b7c887d
--- /dev/null
+++ b/deploy/static/provider/kind/1.20/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/kind?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/kind/1.21/deploy.yaml b/deploy/static/provider/kind/1.21/deploy.yaml
new file mode 100644
index 000000000..e2a18a480
--- /dev/null
+++ b/deploy/static/provider/kind/1.21/deploy.yaml
@@ -0,0 +1,690 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations: null
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: NodePort
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        - --watch-ingress-without-class=true
+        - --publish-status-address=localhost
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          hostPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          hostPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        ingress-ready: "true"
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 0
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Equal
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/kind/1.21/kustomization.yaml b/deploy/static/provider/kind/1.21/kustomization.yaml
new file mode 100644
index 000000000..94b7c887d
--- /dev/null
+++ b/deploy/static/provider/kind/1.21/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/kind?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/kind/1.22/deploy.yaml b/deploy/static/provider/kind/1.22/deploy.yaml
new file mode 100644
index 000000000..e2a18a480
--- /dev/null
+++ b/deploy/static/provider/kind/1.22/deploy.yaml
@@ -0,0 +1,690 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations: null
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: NodePort
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        - --watch-ingress-without-class=true
+        - --publish-status-address=localhost
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          hostPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          hostPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        ingress-ready: "true"
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 0
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Equal
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/kind/1.22/kustomization.yaml b/deploy/static/provider/kind/1.22/kustomization.yaml
new file mode 100644
index 000000000..94b7c887d
--- /dev/null
+++ b/deploy/static/provider/kind/1.22/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/kind?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index 4cd1c32d4..9d2711dae 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -16,8 +16,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -32,8 +33,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -45,8 +47,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -131,8 +134,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -151,8 +155,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -222,8 +227,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -242,8 +248,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -266,8 +273,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -286,8 +294,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,8 +318,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -331,8 +341,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -345,8 +356,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -378,8 +390,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -402,8 +415,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -529,8 +543,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -541,8 +556,9 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
         app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.15
+        helm.sh/chart: ingress-nginx-4.0.16
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -580,8 +596,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -592,8 +609,9 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
         app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.15
+        helm.sh/chart: ingress-nginx-4.0.16
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -630,8 +648,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -644,8 +663,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/scw/1.19/deploy.yaml b/deploy/static/provider/scw/1.19/deploy.yaml
new file mode 100644
index 000000000..8b52a7298
--- /dev/null
+++ b/deploy/static/provider/scw/1.19/deploy.yaml
@@ -0,0 +1,675 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+  use-proxy-protocol: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: "true"
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/scw/1.19/kustomization.yaml b/deploy/static/provider/scw/1.19/kustomization.yaml
new file mode 100644
index 000000000..da792b8f5
--- /dev/null
+++ b/deploy/static/provider/scw/1.19/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/scw?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/scw/1.20/deploy.yaml b/deploy/static/provider/scw/1.20/deploy.yaml
new file mode 100644
index 000000000..bcffca757
--- /dev/null
+++ b/deploy/static/provider/scw/1.20/deploy.yaml
@@ -0,0 +1,681 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+  use-proxy-protocol: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: "true"
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/scw/1.20/kustomization.yaml b/deploy/static/provider/scw/1.20/kustomization.yaml
new file mode 100644
index 000000000..da792b8f5
--- /dev/null
+++ b/deploy/static/provider/scw/1.20/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/scw?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/scw/1.21/deploy.yaml b/deploy/static/provider/scw/1.21/deploy.yaml
new file mode 100644
index 000000000..bcffca757
--- /dev/null
+++ b/deploy/static/provider/scw/1.21/deploy.yaml
@@ -0,0 +1,681 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+  use-proxy-protocol: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: "true"
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/scw/1.21/kustomization.yaml b/deploy/static/provider/scw/1.21/kustomization.yaml
new file mode 100644
index 000000000..da792b8f5
--- /dev/null
+++ b/deploy/static/provider/scw/1.21/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/scw?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/scw/1.22/deploy.yaml b/deploy/static/provider/scw/1.22/deploy.yaml
new file mode 100644
index 000000000..bcffca757
--- /dev/null
+++ b/deploy/static/provider/scw/1.22/deploy.yaml
@@ -0,0 +1,681 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+  use-proxy-protocol: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: "true"
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.1
+        helm.sh/chart: ingress-nginx-4.0.16
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.1
+    helm.sh/chart: ingress-nginx-4.0.16
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/scw/1.22/kustomization.yaml b/deploy/static/provider/scw/1.22/kustomization.yaml
new file mode 100644
index 000000000..da792b8f5
--- /dev/null
+++ b/deploy/static/provider/scw/1.22/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/scw?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml
index 4f918c422..8fff56b99 100644
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@@ -16,8 +16,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -32,8 +33,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -45,8 +47,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -131,8 +134,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -151,8 +155,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -222,8 +227,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -242,8 +248,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -266,8 +273,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -286,8 +294,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,8 +318,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -332,8 +342,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -347,8 +358,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -381,8 +393,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -405,8 +418,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -520,8 +534,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -532,8 +547,9 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
         app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.15
+        helm.sh/chart: ingress-nginx-4.0.16
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -571,8 +587,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -583,8 +600,9 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
         app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.15
+        helm.sh/chart: ingress-nginx-4.0.16
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -621,8 +639,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -635,8 +654,9 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.15
+    helm.sh/chart: ingress-nginx-4.0.16
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/hack/generate-deploy-scripts.sh b/hack/generate-deploy-scripts.sh
index 2ec0adc1b..4ec213792 100755
--- a/hack/generate-deploy-scripts.sh
+++ b/hack/generate-deploy-scripts.sh
@@ -26,8 +26,7 @@ set -o pipefail
 # with enough docs updates, this could be removed
 # see     # DEFAULT VERSION HANDLING
 K8S_DEFAULT_VERSION=1.20
-# K8S_TARGET_VERSIONS=("1.19" "1.20" "1.21" "1.22") TODO @afirth revert for #8000
-K8S_TARGET_VERSIONS=("1.20")
+K8S_TARGET_VERSIONS=("1.19" "1.20" "1.21" "1.22")
 
 DIR=$(cd $(dirname "${BASH_SOURCE}")/.. && pwd -P)
 
@@ -66,7 +65,6 @@ do
     then
       cp ${OUTPUT_DIR}/*.yaml ${OUTPUT_DIR}/../
       sed -i "1s/^/#GENERATED FOR K8S ${K8S_VERSION}\n/" ${OUTPUT_DIR}/../deploy.yaml
-      rm -rf ${OUTPUT_DIR} # TODO @afirth remove for #8000 - this avoids the duplicate files for easier review of the build script changes
     fi
   done
 done

From d5772069e86a5b3e1700401c168df436f080030f Mon Sep 17 00:00:00 2001
From: Noah Ispas <13436814+iamNoah1@users.noreply.github.com>
Date: Sun, 20 Feb 2022 00:12:12 +0100
Subject: [PATCH 328/376] remove 0.46.0 from supported versions table (#8258)

---
 README.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/README.md b/README.md
index 3fec178e5..f132be8a8 100644
--- a/README.md
+++ b/README.md
@@ -45,7 +45,6 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 | v0.49.0               | 1.21, 1.20, 1.19             | 3.13.5         |  1.20.1       |
 | v0.48.1               | 1.21, 1.20, 1.19             | 3.13.5         |  1.20.1       |
 | v0.47.0               | 1.21, 1.20, 1.19             | 3.13.5         |  1.20.1       |
-| v0.46.0               | 1.21, 1.20, 1.19             | 3.13.2         |  1.19.6       |
 
 † _This build is [patched against CVE-2021-23017](https://github.com/openresty/openresty/commit/4b5ec7edd78616f544abc194308e0cf4b788725b#diff-42ef841dc27fe0b5aa2d06bd31308bb63a59cdcddcbcddd917248349d22020a3)._
 

From 527361c8eb2da54862d0c80f5490d47c00f5e354 Mon Sep 17 00:00:00 2001
From: Romain Dauby <r0mdau@users.noreply.github.com>
Date: Sun, 20 Feb 2022 16:14:11 -0500
Subject: [PATCH 329/376] Minor fix for missing pathType property (#8244)

---
 charts/ingress-nginx/templates/NOTES.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/charts/ingress-nginx/templates/NOTES.txt b/charts/ingress-nginx/templates/NOTES.txt
index c10ab03ed..8985c56c0 100644
--- a/charts/ingress-nginx/templates/NOTES.txt
+++ b/charts/ingress-nginx/templates/NOTES.txt
@@ -47,7 +47,8 @@ An example Ingress that makes use of the controller:
       - host: www.example.com
         http:
           paths:
-            - backend:
+            - pathType: Prefix
+              backend:
                 service:
                   name: exampleService
                   port:

From f85dd79221a72e20a80acab0272474a0d8f0d1fe Mon Sep 17 00:00:00 2001
From: Goran <purpleritza@gmail.com>
Date: Mon, 21 Feb 2022 20:52:01 +0100
Subject: [PATCH 330/376] Updated confusing error (#8262)

---
 docs/user-guide/monitoring.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md
index 9be22a5ad..a89e11087 100644
--- a/docs/user-guide/monitoring.md
+++ b/docs/user-guide/monitoring.md
@@ -211,7 +211,7 @@ This document assumes you're using helm and using the kube-prometheus-stack pack
   ```
   controller.metrics.enabled=true
   controller.metrics.serviceMonitor.enabled=true
-  controller.metrics.serviceMonitor.enabled=true 
+  controller.metrics.serviceMonitor.additionalLabels.release="prometheus" 
   ```
 - The easiest way of doing this is to helm upgrade 
   ```
@@ -338,4 +338,4 @@ This document assumes you're using helm and using the kube-prometheus-stack pack
   - Click "Import"
 
   ![Grafana Dashboard](../images/grafana-dashboard1.png)
- 
\ No newline at end of file
+ 

From 1e66a54974856cd31fea0e203a7b97b955ebe792 Mon Sep 17 00:00:00 2001
From: Thibault Jamet <tjamet@users.noreply.github.com>
Date: Thu, 24 Feb 2022 16:08:32 +0100
Subject: [PATCH 331/376] Add a certificate info metric (#8253)

When the ingress controller loads certificates  (new ones or following a
secret update), it performs a series of check to ensure its validity.

In our systems, we detected a case where, when the secret object is
compromised, for example when the certificate does not match the secret
key, different pods of the ingress controller are serving a different
version of the certificate.

This behaviour is due to the cache mechanism of the ingress controller,
keeping the last known certificate in case of corruption. When this
happens, old ingress-controller pods will keep serving the old one,
while new pods, by failing to load the corrupted certificates, would
use the default certificate, causing invalid certificates for its
clients.

This generates a random error on the client side, depending on the
actual pod instance it reaches.

In order to allow detecting occurences of those situations, add a metric
to expose, for all ingress controlller pods, detailed informations of
the currently loaded certificate.

This will, for example, allow setting an alert when there is a
certificate discrepency across all ingress controller pods using a query
similar to `sum(nginx_ingress_controller_ssl_certificate_info{host="name.tld"})by(serial_number)`

This also allows to catch other exceptions loading certificates (failing
to load the certificate from the k8s API, ...

Co-authored-by: Daniel Ricart <danielricart@users.noreply.github.com>

Co-authored-by: Daniel Ricart <danielricart@users.noreply.github.com>
---
 internal/ingress/controller/controller.go     |  35 +++-
 internal/ingress/controller/nginx.go          |   1 +
 .../ingress/metric/collectors/controller.go   |  93 +++++++++-
 .../metric/collectors/controller_test.go      | 166 +++++++++++++++++-
 internal/ingress/metric/dummy.go              |   5 +-
 internal/ingress/metric/main.go               |  14 +-
 internal/ingress/sslcert.go                   |  11 ++
 7 files changed, 311 insertions(+), 14 deletions(-)

diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 607bb5cb9..651e983a8 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -146,6 +146,7 @@ func (n *NGINXController) syncIngress(interface{}) error {
 	hosts, servers, pcfg := n.getConfiguration(ings)
 
 	n.metricCollector.SetSSLExpireTime(servers)
+	n.metricCollector.SetSSLInfo(servers)
 
 	if n.runningConfig.Equal(pcfg) {
 		klog.V(3).Infof("No configuration change detected, skipping backend reload")
@@ -211,7 +212,8 @@ func (n *NGINXController) syncIngress(interface{}) error {
 
 	ri := getRemovedIngresses(n.runningConfig, pcfg)
 	re := getRemovedHosts(n.runningConfig, pcfg)
-	n.metricCollector.RemoveMetrics(ri, re)
+	rc := getRemovedCertificateSerialNumbers(n.runningConfig, pcfg)
+	n.metricCollector.RemoveMetrics(ri, re, rc)
 
 	n.runningConfig = pcfg
 
@@ -1625,6 +1627,37 @@ func getRemovedHosts(rucfg, newcfg *ingress.Configuration) []string {
 	return old.Difference(new).List()
 }
 
+func getRemovedCertificateSerialNumbers(rucfg, newcfg *ingress.Configuration) []string {
+	oldCertificates := sets.NewString()
+	newCertificates := sets.NewString()
+
+	for _, server := range rucfg.Servers {
+		if server.SSLCert == nil {
+			continue
+		}
+		identifier := server.SSLCert.Identifier()
+		if identifier != "" {
+			if !oldCertificates.Has(identifier) {
+				oldCertificates.Insert(identifier)
+			}
+		}
+	}
+
+	for _, server := range newcfg.Servers {
+		if server.SSLCert == nil {
+			continue
+		}
+		identifier := server.SSLCert.Identifier()
+		if identifier != "" {
+			if !newCertificates.Has(identifier) {
+				newCertificates.Insert(identifier)
+			}
+		}
+	}
+
+	return oldCertificates.Difference(newCertificates).List()
+}
+
 func getRemovedIngresses(rucfg, newcfg *ingress.Configuration) []string {
 	oldIngresses := sets.NewString()
 	newIngresses := sets.NewString()
diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go
index ed5590c3e..e4037dfb0 100644
--- a/internal/ingress/controller/nginx.go
+++ b/internal/ingress/controller/nginx.go
@@ -275,6 +275,7 @@ func (n *NGINXController) Start() {
 			// manually update SSL expiration metrics
 			// (to not wait for a reload)
 			n.metricCollector.SetSSLExpireTime(n.runningConfig.Servers)
+			n.metricCollector.SetSSLInfo(n.runningConfig.Servers)
 		},
 		OnStoppedLeading: func() {
 			n.metricCollector.OnStoppedLeading(electionID)
diff --git a/internal/ingress/metric/collectors/controller.go b/internal/ingress/metric/collectors/controller.go
index 135e74b9b..e4e2655c8 100644
--- a/internal/ingress/metric/collectors/controller.go
+++ b/internal/ingress/metric/collectors/controller.go
@@ -30,7 +30,8 @@ import (
 var (
 	operation        = []string{"controller_namespace", "controller_class", "controller_pod"}
 	ingressOperation = []string{"controller_namespace", "controller_class", "controller_pod", "namespace", "ingress"}
-	sslLabelHost     = []string{"namespace", "class", "host"}
+	sslLabelHost     = []string{"namespace", "class", "host", "secret_name"}
+	sslInfoLabels    = []string{"namespace", "class", "host", "secret_name", "identifier", "issuer_organization", "issuer_common_name", "serial_number", "public_key_algorithm"}
 )
 
 // Controller defines base metrics about the ingress controller
@@ -46,6 +47,7 @@ type Controller struct {
 	checkIngressOperation       *prometheus.CounterVec
 	checkIngressOperationErrors *prometheus.CounterVec
 	sslExpireTime               *prometheus.GaugeVec
+	sslInfo                     *prometheus.GaugeVec
 
 	constLabels prometheus.Labels
 	labels      prometheus.Labels
@@ -152,6 +154,14 @@ func NewController(pod, namespace, class string) *Controller {
 			},
 			sslLabelHost,
 		),
+		sslInfo: prometheus.NewGaugeVec(
+			prometheus.GaugeOpts{
+				Namespace: PrometheusNamespace,
+				Name:      "ssl_certificate_info",
+				Help:      `Hold all labels associated to a certificate`,
+			},
+			sslInfoLabels,
+		),
 		leaderElection: prometheus.NewGaugeVec(
 			prometheus.GaugeOpts{
 				Namespace:   PrometheusNamespace,
@@ -229,6 +239,7 @@ func (cm Controller) Describe(ch chan<- *prometheus.Desc) {
 	cm.checkIngressOperation.Describe(ch)
 	cm.checkIngressOperationErrors.Describe(ch)
 	cm.sslExpireTime.Describe(ch)
+	cm.sslInfo.Describe(ch)
 	cm.leaderElection.Describe(ch)
 	cm.buildInfo.Describe(ch)
 }
@@ -243,6 +254,7 @@ func (cm Controller) Collect(ch chan<- prometheus.Metric) {
 	cm.checkIngressOperation.Collect(ch)
 	cm.checkIngressOperationErrors.Collect(ch)
 	cm.sslExpireTime.Collect(ch)
+	cm.sslInfo.Collect(ch)
 	cm.leaderElection.Collect(ch)
 	cm.buildInfo.Collect(ch)
 }
@@ -256,20 +268,89 @@ func (cm *Controller) SetSSLExpireTime(servers []*ingress.Server) {
 				labels[k] = v
 			}
 			labels["host"] = s.Hostname
+			labels["secret_name"] = s.SSLCert.Name
 
 			cm.sslExpireTime.With(labels).Set(float64(s.SSLCert.ExpireTime.Unix()))
 		}
 	}
 }
 
-// RemoveMetrics removes metrics for hostnames not available anymore
-func (cm *Controller) RemoveMetrics(hosts []string, registry prometheus.Gatherer) {
-	cm.removeSSLExpireMetrics(true, hosts, registry)
+// SetSSLInfo creates a metric with all certificates informations
+func (cm *Controller) SetSSLInfo(servers []*ingress.Server) {
+	for _, s := range servers {
+		if s.SSLCert != nil && s.SSLCert.Certificate != nil && s.SSLCert.Certificate.SerialNumber != nil {
+			labels := make(prometheus.Labels, len(cm.labels)+1)
+			for k, v := range cm.labels {
+				labels[k] = v
+			}
+			labels["identifier"] = s.SSLCert.Identifier()
+			labels["host"] = s.Hostname
+			labels["secret_name"] = s.SSLCert.Name
+			labels["namespace"] = s.SSLCert.Namespace
+			labels["issuer_common_name"] = s.SSLCert.Certificate.Issuer.CommonName
+			labels["issuer_organization"] = ""
+			if len(s.SSLCert.Certificate.Issuer.Organization) > 0 {
+				labels["issuer_organization"] = s.SSLCert.Certificate.Issuer.Organization[0]
+			}
+			labels["serial_number"] = s.SSLCert.Certificate.SerialNumber.String()
+			labels["public_key_algorithm"] = s.SSLCert.Certificate.PublicKeyAlgorithm.String()
+
+			cm.sslInfo.With(labels).Set(1)
+		}
+	}
 }
 
-// RemoveAllSSLExpireMetrics removes metrics for expiration of SSL Certificates
-func (cm *Controller) RemoveAllSSLExpireMetrics(registry prometheus.Gatherer) {
+// RemoveMetrics removes metrics for hostnames not available anymore
+func (cm *Controller) RemoveMetrics(hosts, certificates []string, registry prometheus.Gatherer) {
+	cm.removeSSLExpireMetrics(true, hosts, registry)
+	cm.removeCertificatesMetrics(true, certificates, registry)
+}
+
+// RemoveAllSSLMetrics removes metrics for expiration of SSL Certificates
+func (cm *Controller) RemoveAllSSLMetrics(registry prometheus.Gatherer) {
 	cm.removeSSLExpireMetrics(false, []string{}, registry)
+	cm.removeCertificatesMetrics(false, []string{}, registry)
+}
+
+func (cm *Controller) removeCertificatesMetrics(onlyDefinedHosts bool, certificates []string, registry prometheus.Gatherer) {
+	mfs, err := registry.Gather()
+	if err != nil {
+		klog.Errorf("Error gathering metrics: %v", err)
+		return
+	}
+
+	toRemove := sets.NewString(certificates...)
+
+	for _, mf := range mfs {
+		metricName := mf.GetName()
+		if fmt.Sprintf("%v_ssl_certificate_info", PrometheusNamespace) != metricName {
+			continue
+		}
+
+		for _, m := range mf.GetMetric() {
+			labels := make(map[string]string, len(m.GetLabel()))
+			for _, labelPair := range m.GetLabel() {
+				labels[*labelPair.Name] = *labelPair.Value
+			}
+
+			// remove labels that are constant
+			deleteConstants(labels)
+
+			identifier, ok := labels["identifier"]
+			if !ok {
+				continue
+			}
+			if onlyDefinedHosts && !toRemove.Has(identifier) {
+				continue
+			}
+
+			klog.V(2).Infof("Removing prometheus metric from gauge %v for identifier %v", metricName, identifier)
+			removed := cm.sslInfo.Delete(labels)
+			if !removed {
+				klog.V(2).Infof("metric %v for identifier %v with labels not removed: %v", metricName, identifier, labels)
+			}
+		}
+	}
 }
 
 func (cm *Controller) removeSSLExpireMetrics(onlyDefinedHosts bool, hosts []string, registry prometheus.Gatherer) {
diff --git a/internal/ingress/metric/collectors/controller_test.go b/internal/ingress/metric/collectors/controller_test.go
index e10dafdfe..bc9f21c60 100644
--- a/internal/ingress/metric/collectors/controller_test.go
+++ b/internal/ingress/metric/collectors/controller_test.go
@@ -17,6 +17,9 @@ limitations under the License.
 package collectors
 
 import (
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"math/big"
 	"testing"
 	"time"
 
@@ -96,10 +99,111 @@ func TestControllerCounters(t *testing.T) {
 			want: `
 				# HELP nginx_ingress_controller_ssl_expire_time_seconds Number of seconds since 1970 to the SSL Certificate expire.\n			An example to check if this certificate will expire in 10 days is: "nginx_ingress_controller_ssl_expire_time_seconds < (time() + (10 * 24 * 3600))"
 				# TYPE nginx_ingress_controller_ssl_expire_time_seconds gauge
-				nginx_ingress_controller_ssl_expire_time_seconds{class="nginx",host="demo",namespace="default"} 1.351807721e+09
+				nginx_ingress_controller_ssl_expire_time_seconds{class="nginx",host="demo",namespace="default",secret_name=""} 1.351807721e+09
 			`,
 			metrics: []string{"nginx_ingress_controller_ssl_expire_time_seconds"},
 		},
+		{
+			name: "should set SSL certificates infos metrics",
+			test: func(cm *Controller) {
+
+				servers := []*ingress.Server{
+					{
+						Hostname: "demo",
+						SSLCert: &ingress.SSLCert{
+							Name:      "secret-name",
+							Namespace: "ingress-namespace",
+							Certificate: &x509.Certificate{
+								PublicKeyAlgorithm: x509.ECDSA,
+								Issuer: pkix.Name{
+									CommonName:   "certificate issuer",
+									SerialNumber: "abcd1234",
+									Organization: []string{"issuer org"},
+								},
+								SerialNumber: big.NewInt(100),
+							},
+						},
+					},
+					{
+						Hostname: "invalid",
+						SSLCert: &ingress.SSLCert{
+							ExpireTime: time.Unix(0, 0),
+						},
+					},
+				}
+				cm.SetSSLInfo(servers)
+			},
+			want: `
+				# HELP nginx_ingress_controller_ssl_certificate_info Hold all labels associated to a certificate
+				# TYPE nginx_ingress_controller_ssl_certificate_info gauge
+				nginx_ingress_controller_ssl_certificate_info{class="nginx",host="demo",identifier="abcd1234-100",issuer_common_name="certificate issuer",issuer_organization="issuer org",namespace="ingress-namespace",public_key_algorithm="ECDSA",secret_name="secret-name",serial_number="100"} 1
+			`,
+			metrics: []string{"nginx_ingress_controller_ssl_certificate_info"},
+		},
+		{
+			name: "should ignore certificates without serial number",
+			test: func(cm *Controller) {
+
+				servers := []*ingress.Server{
+					{
+						Hostname: "demo",
+						SSLCert: &ingress.SSLCert{
+							Name:      "secret-name",
+							Namespace: "ingress-namespace",
+							Certificate: &x509.Certificate{
+								PublicKeyAlgorithm: x509.ECDSA,
+								Issuer: pkix.Name{
+									CommonName:   "certificate issuer",
+									SerialNumber: "abcd1234",
+								},
+							},
+						},
+					},
+				}
+				cm.SetSSLInfo(servers)
+			},
+			want:    ``,
+			metrics: []string{"nginx_ingress_controller_ssl_certificate_info"},
+		},
+		{
+			name: "should ignore certificates with nil x509 pointer",
+			test: func(cm *Controller) {
+
+				servers := []*ingress.Server{
+					{
+						Hostname: "demo",
+						SSLCert: &ingress.SSLCert{
+							Name:      "secret-name",
+							Namespace: "ingress-namespace",
+							Certificate: &x509.Certificate{
+								PublicKeyAlgorithm: x509.ECDSA,
+								Issuer: pkix.Name{
+									CommonName:   "certificate issuer",
+									SerialNumber: "abcd1234",
+								},
+							},
+						},
+					},
+				}
+				cm.SetSSLInfo(servers)
+			},
+			want:    ``,
+			metrics: []string{"nginx_ingress_controller_ssl_certificate_info"},
+		},
+		{
+			name: "should ignore servers without certificates",
+			test: func(cm *Controller) {
+
+				servers := []*ingress.Server{
+					{
+						Hostname: "demo",
+					},
+				}
+				cm.SetSSLInfo(servers)
+			},
+			want:    ``,
+			metrics: []string{"nginx_ingress_controller_ssl_certificate_info"},
+		},
 	}
 
 	for _, c := range cases {
@@ -137,6 +241,13 @@ func TestRemoveMetrics(t *testing.T) {
 			Hostname: "demo",
 			SSLCert: &ingress.SSLCert{
 				ExpireTime: t1,
+				Certificate: &x509.Certificate{
+					Issuer: pkix.Name{
+						CommonName:   "certificate issuer",
+						SerialNumber: "abcd1234",
+					},
+					SerialNumber: big.NewInt(100),
+				},
 			},
 		},
 		{
@@ -147,12 +258,63 @@ func TestRemoveMetrics(t *testing.T) {
 		},
 	}
 	cm.SetSSLExpireTime(servers)
+	cm.SetSSLInfo(servers)
 
-	cm.RemoveMetrics([]string{"demo"}, reg)
+	cm.RemoveMetrics([]string{"demo"}, []string{"abcd1234-100"}, reg)
 
 	if err := GatherAndCompare(cm, "", []string{"nginx_ingress_controller_ssl_expire_time_seconds"}, reg); err != nil {
 		t.Errorf("unexpected collecting result:\n%s", err)
 	}
+	if err := GatherAndCompare(cm, "", []string{"nginx_ingress_controller_ssl_certificate_info"}, reg); err != nil {
+		t.Errorf("unexpected collecting result:\n%s", err)
+	}
+
+	reg.Unregister(cm)
+}
+
+func TestRemoveAllSSLMetrics(t *testing.T) {
+	cm := NewController("pod", "default", "nginx")
+	reg := prometheus.NewPedanticRegistry()
+	if err := reg.Register(cm); err != nil {
+		t.Errorf("registering collector failed: %s", err)
+	}
+
+	t1, _ := time.Parse(
+		time.RFC3339,
+		"2012-11-01T22:08:41+00:00")
+
+	servers := []*ingress.Server{
+		{
+			Hostname: "demo",
+			SSLCert: &ingress.SSLCert{
+				ExpireTime: t1,
+				Certificate: &x509.Certificate{
+					Issuer: pkix.Name{
+						CommonName:   "certificate issuer",
+						SerialNumber: "abcd1234",
+					},
+					SerialNumber: big.NewInt(100),
+				},
+			},
+		},
+		{
+			Hostname: "invalid",
+			SSLCert: &ingress.SSLCert{
+				ExpireTime: time.Unix(0, 0),
+			},
+		},
+	}
+	cm.SetSSLExpireTime(servers)
+	cm.SetSSLInfo(servers)
+
+	cm.RemoveAllSSLMetrics(reg)
+
+	if err := GatherAndCompare(cm, "", []string{"nginx_ingress_controller_ssl_expire_time_seconds"}, reg); err != nil {
+		t.Errorf("unexpected collecting result:\n%s", err)
+	}
+	if err := GatherAndCompare(cm, "", []string{"nginx_ingress_controller_ssl_certificate_info"}, reg); err != nil {
+		t.Errorf("unexpected collecting result:\n%s", err)
+	}
 
 	reg.Unregister(cm)
 }
diff --git a/internal/ingress/metric/dummy.go b/internal/ingress/metric/dummy.go
index 922a21604..8360dc87d 100644
--- a/internal/ingress/metric/dummy.go
+++ b/internal/ingress/metric/dummy.go
@@ -48,7 +48,7 @@ func (dc DummyCollector) IncCheckCount(string, string) {}
 func (dc DummyCollector) IncCheckErrorCount(string, string) {}
 
 // RemoveMetrics ...
-func (dc DummyCollector) RemoveMetrics(ingresses, endpoints []string) {}
+func (dc DummyCollector) RemoveMetrics(ingresses, endpoints, certificates []string) {}
 
 // Start ...
 func (dc DummyCollector) Start(admissionStatus string) {}
@@ -56,6 +56,9 @@ func (dc DummyCollector) Start(admissionStatus string) {}
 // Stop ...
 func (dc DummyCollector) Stop(admissionStatus string) {}
 
+// SetSSLInfo ...
+func (dc DummyCollector) SetSSLInfo([]*ingress.Server) {}
+
 // SetSSLExpireTime ...
 func (dc DummyCollector) SetSSLExpireTime([]*ingress.Server) {}
 
diff --git a/internal/ingress/metric/main.go b/internal/ingress/metric/main.go
index 644a9b690..97a8ca7d4 100644
--- a/internal/ingress/metric/main.go
+++ b/internal/ingress/metric/main.go
@@ -44,9 +44,10 @@ type Collector interface {
 	IncCheckCount(string, string)
 	IncCheckErrorCount(string, string)
 
-	RemoveMetrics(ingresses, endpoints []string)
+	RemoveMetrics(ingresses, endpoints, certificates []string)
 
 	SetSSLExpireTime([]*ingress.Server)
+	SetSSLInfo(servers []*ingress.Server)
 
 	// SetHosts sets the hostnames that are being served by the ingress controller
 	SetHosts(sets.String)
@@ -128,9 +129,9 @@ func (c *collector) IncReloadErrorCount() {
 	c.ingressController.IncReloadErrorCount()
 }
 
-func (c *collector) RemoveMetrics(ingresses, hosts []string) {
+func (c *collector) RemoveMetrics(ingresses, hosts, certificates []string) {
 	c.socket.RemoveMetrics(ingresses, c.registry)
-	c.ingressController.RemoveMetrics(hosts, c.registry)
+	c.ingressController.RemoveMetrics(hosts, certificates, c.registry)
 }
 
 func (c *collector) Start(admissionStatus string) {
@@ -175,6 +176,11 @@ func (c *collector) SetSSLExpireTime(servers []*ingress.Server) {
 	c.ingressController.SetSSLExpireTime(servers)
 }
 
+func (c *collector) SetSSLInfo(servers []*ingress.Server) {
+	klog.V(2).Infof("Updating ssl certificate info metrics")
+	c.ingressController.SetSSLInfo(servers)
+}
+
 func (c *collector) SetHosts(hosts sets.String) {
 	c.socket.SetHosts(hosts)
 }
@@ -200,7 +206,7 @@ func (c *collector) OnStartedLeading(electionID string) {
 func (c *collector) OnStoppedLeading(electionID string) {
 	setLeader(false)
 	c.ingressController.OnStoppedLeading(electionID)
-	c.ingressController.RemoveAllSSLExpireMetrics(c.registry)
+	c.ingressController.RemoveAllSSLMetrics(c.registry)
 }
 
 var (
diff --git a/internal/ingress/sslcert.go b/internal/ingress/sslcert.go
index 9265b07ac..7dee3880d 100644
--- a/internal/ingress/sslcert.go
+++ b/internal/ingress/sslcert.go
@@ -18,6 +18,7 @@ package ingress
 
 import (
 	"crypto/x509"
+	"fmt"
 	"time"
 
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -69,6 +70,16 @@ func (s SSLCert) GetObjectKind() schema.ObjectKind {
 	return schema.EmptyObjectKind
 }
 
+// Identifier returns a the couple issuer / serial number if they both exist, an empty string otherwise
+func (s SSLCert) Identifier() string {
+	if s.Certificate != nil {
+		if s.Certificate.SerialNumber != nil {
+			return fmt.Sprintf("%s-%s", s.Certificate.Issuer.SerialNumber, s.Certificate.SerialNumber.String())
+		}
+	}
+	return ""
+}
+
 // HashInclude defines if a field should be used or not to calculate the hash
 func (s SSLCert) HashInclude(field string, v interface{}) (bool, error) {
 	switch field {

From fd87363b5e8d3ac78cc058544ed2d4e66980e53c Mon Sep 17 00:00:00 2001
From: Indhu Kumar <kamalakumar.indhu@gmail.com>
Date: Sat, 26 Feb 2022 14:53:17 -0800
Subject: [PATCH 332/376] Issue#8241 (#8273)

* replace daemon set for deployment manifest

* nit
---
 docs/user-guide/monitoring.md | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md
index a89e11087..99039d635 100644
--- a/docs/user-guide/monitoring.md
+++ b/docs/user-guide/monitoring.md
@@ -61,13 +61,21 @@ This tutorial will show you how to install [Prometheus](https://prometheus.io/)
 
        ```
        
-      - DaemonSet manifest:
-           ```
-           ..
+      - Deployment manifest:
+         ```
+         apiVersion: v1
+         metadata:
+         kind: Deployment
+          annotations:
+            prometheus.io/scrape: "true"
+            prometheus.io/port: "10254"
+         ..
+         spec:
            ports:
              - name: prometheus
                containerPort: 10254
-             ..
+               ..
+
            ```
 
 

From bab0fbab0c1a7c3641bd379f27857113d574d904 Mon Sep 17 00:00:00 2001
From: Jintao Zhang <zhangjintao9020@gmail.com>
Date: Sun, 27 Feb 2022 22:45:18 +0800
Subject: [PATCH 333/376] Start Release process for v1.1.2 (#8275)

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
---
 TAG | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/TAG b/TAG
index 56130fb3a..0f1acbd56 100644
--- a/TAG
+++ b/TAG
@@ -1 +1 @@
-v1.1.1
+v1.1.2

From 4ecb3520c880cf1458753c436928ad167598bb36 Mon Sep 17 00:00:00 2001
From: dylan-bitovi <67594226+dylan-bitovi@users.noreply.github.com>
Date: Mon, 28 Feb 2022 10:10:57 -0500
Subject: [PATCH 334/376] Add fsGroup value to admission-webhooks/job-patch
 charts (#8267)

* added fsGroup to admission createSecret and patchWebhook job

* added fsGroup to admission createSecret and patchWebhook job

* modified helm/README.md to add value for fsGroup

* fixed patch job values ordering

* remove manually edited README for replacement with helm-docs generated version

* re-adding charts/README.md generated by helm-docs
---
 charts/ingress-nginx/README.md                                   | 1 +
 .../templates/admission-webhooks/job-patch/job-createSecret.yaml | 1 +
 .../templates/admission-webhooks/job-patch/job-patchWebhook.yaml | 1 +
 charts/ingress-nginx/values.yaml                                 | 1 +
 4 files changed, 4 insertions(+)

diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index e5e93a146..8336e0912 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -250,6 +250,7 @@ Kubernetes: `>=1.19.0-0`
 | controller.admissionWebhooks.namespaceSelector | object | `{}` |  |
 | controller.admissionWebhooks.objectSelector | object | `{}` |  |
 | controller.admissionWebhooks.patch.enabled | bool | `true` |  |
+| controller.admissionWebhooks.patch.fsGroup | int | `2000` |  |
 | controller.admissionWebhooks.patch.image.digest | string | `"sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660"` |  |
 | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` |  |
 | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` |  |
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
index e57bfde49..f20e247f9 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -72,4 +72,5 @@ spec:
       securityContext:
         runAsNonRoot: true
         runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
+        fsGroup: {{ .Values.controller.admissionWebhooks.patch.fsGroup }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
index 4f8ba14db..8583685fa 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -74,4 +74,5 @@ spec:
       securityContext:
         runAsNonRoot: true
         runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
+        fsGroup: {{ .Values.controller.admissionWebhooks.patch.fsGroup }}
 {{- end }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index eb6db4a05..bae135c3e 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -641,6 +641,7 @@ controller:
       # -- Labels to be added to patch job resources
       labels: {}
       runAsUser: 2000
+      fsGroup: 2000
 
   metrics:
     port: 10254

From f3698d04453f1dfc5849b0cbe7b6735b1781f7d8 Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Mon, 28 Feb 2022 23:27:47 -0500
Subject: [PATCH 335/376] Add OpenSSF Best practices badge (#8277)

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index f132be8a8..718c115ff 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,6 @@
 # Ingress NGINX Controller
 
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5691/badge)](https://bestpractices.coreinfrastructure.org/projects/5691)
 [![Go Report Card](https://goreportcard.com/badge/github.com/kubernetes/ingress-nginx)](https://goreportcard.com/report/github.com/kubernetes/ingress-nginx)
 [![GitHub license](https://img.shields.io/github/license/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/blob/main/LICENSE)
 [![GitHub stars](https://img.shields.io/github/stars/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/stargazers)

From 1e2ce80846c91f3c034ea62915bfe6d756c9cea3 Mon Sep 17 00:00:00 2001
From: Maksim Nabokikh <maksim.nabokikh@flant.com>
Date: Tue, 1 Mar 2022 14:13:51 +0400
Subject: [PATCH 336/376] fix: deny locations with invalid auth-url annotation
 (#8256)

* fix: deny locations with invalid auth-url annotation

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>

* Delete duplicate test

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
---
 .../ingress/annotations/annotations_test.go   | 45 -------------------
 .../ingress/annotations/auth/main_test.go     |  3 +-
 internal/ingress/annotations/authreq/main.go  |  2 +-
 test/e2e/annotations/auth.go                  | 33 ++++++++++++++
 4 files changed, 35 insertions(+), 48 deletions(-)

diff --git a/internal/ingress/annotations/annotations_test.go b/internal/ingress/annotations/annotations_test.go
index 8eec999cc..a253355a2 100644
--- a/internal/ingress/annotations/annotations_test.go
+++ b/internal/ingress/annotations/annotations_test.go
@@ -294,48 +294,3 @@ func TestCustomHTTPErrors(t *testing.T) {
 		}
 	}
 }
-
-/*
-func TestMergeLocationAnnotations(t *testing.T) {
-	// initial parameters
-	keys := []string{"BasicDigestAuth", "CorsConfig", "ExternalAuth", "RateLimit", "Redirect", "Rewrite", "Whitelist", "Proxy", "UsePortInRedirects"}
-
-	loc := ingress.Location{}
-	annotations := &Ingress{
-		BasicDigestAuth:    &auth.Config{},
-		CorsConfig:         &cors.Config{},
-		ExternalAuth:       &authreq.Config{},
-		RateLimit:          &ratelimit.Config{},
-		Redirect:           &redirect.Config{},
-		Rewrite:            &rewrite.Config{},
-		Whitelist:          &ipwhitelist.SourceRange{},
-		Proxy:              &proxy.Config{},
-		UsePortInRedirects: true,
-	}
-
-	// create test table
-	type fooMergeLocationAnnotationsStruct struct {
-		fName string
-		er    interface{}
-	}
-	fooTests := []fooMergeLocationAnnotationsStruct{}
-	for name, value := range keys {
-		fva := fooMergeLocationAnnotationsStruct{name, value}
-		fooTests = append(fooTests, fva)
-	}
-
-	// execute test
-	MergeWithLocation(&loc, annotations)
-
-	// check result
-	for _, foo := range fooTests {
-		fv := reflect.ValueOf(loc).FieldByName(foo.fName).Interface()
-		if !reflect.DeepEqual(fv, foo.er) {
-			t.Errorf("Returned %v but expected %v for the field %s", fv, foo.er, foo.fName)
-		}
-	}
-	if _, ok := annotations[DeniedKeyName]; ok {
-		t.Errorf("%s should be removed after mergeLocationAnnotations", DeniedKeyName)
-	}
-}
-*/
diff --git a/internal/ingress/annotations/auth/main_test.go b/internal/ingress/annotations/auth/main_test.go
index c552851ae..d4ec53459 100644
--- a/internal/ingress/annotations/auth/main_test.go
+++ b/internal/ingress/annotations/auth/main_test.go
@@ -17,13 +17,12 @@ limitations under the License.
 package auth
 
 import (
+	"errors"
 	"fmt"
 	"os"
 	"testing"
 	"time"
 
-	"errors"
-
 	api "k8s.io/api/core/v1"
 	networking "k8s.io/api/networking/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
diff --git a/internal/ingress/annotations/authreq/main.go b/internal/ingress/annotations/authreq/main.go
index 6cfcc383d..36af0e208 100644
--- a/internal/ingress/annotations/authreq/main.go
+++ b/internal/ingress/annotations/authreq/main.go
@@ -164,7 +164,7 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) {
 
 	authURL, err := parser.StringToURL(urlString)
 	if err != nil {
-		return nil, ing_errors.InvalidContent{Name: err.Error()}
+		return nil, ing_errors.LocationDenied{Reason: fmt.Errorf("could not parse auth-url annotation: %v", err)}
 	}
 
 	authMethod, _ := parser.GetStringAnnotation("auth-method", ing)
diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go
index f2c1a59d6..7ca2fff45 100644
--- a/test/e2e/annotations/auth.go
+++ b/test/e2e/annotations/auth.go
@@ -692,6 +692,39 @@ http {
 				Header("Location").Equal(fmt.Sprintf("http://%s/auth/start?rd=http://%s%s", thisHost, thisHost, url.QueryEscape("/?a=b&c=d")))
 		})
 	})
+
+	ginkgo.Context("with invalid auth-url should deny whole location", func() {
+		host := "auth"
+		var annotations map[string]string
+		var ing *networking.Ingress
+
+		ginkgo.BeforeEach(func() {
+			annotations = map[string]string{
+				"nginx.ingress.kubernetes.io/auth-url": "https://invalid..auth.url",
+			}
+
+			ing = framework.NewSingleIngress(host, "/denied-auth", host, f.Namespace, framework.EchoService, 80, annotations)
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxServer(host, func(server string) bool {
+				return strings.Contains(server, "server_name auth")
+			})
+		})
+
+		ginkgo.It("should return 503 (location was denied)", func() {
+			f.HTTPTestClient().
+				GET("/denied-auth").
+				WithHeader("Host", host).
+				Expect().
+				Status(http.StatusServiceUnavailable)
+		})
+
+		ginkgo.It("should add error to the config", func() {
+			f.WaitForNginxServer(host, func(server string) bool {
+				return strings.Contains(server, "could not parse auth-url annotation: invalid url host")
+			})
+		})
+	})
 })
 
 // TODO: test Digest Auth

From 49761416e1c01792adac354916ac3f6ec747f25e Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Tue, 1 Mar 2022 12:35:55 -0500
Subject: [PATCH 337/376] force prow job by changing something in images/ot dir
 (#8281)

Images dir was merged in before the test-infra prow job, so the image was never built.

https://github.com/kubernetes/ingress-nginx/pull/8013 Jan 16

https://github.com/kubernetes/test-infra/pull/25344/files Prow job 4 days ago.
---
 images/opentelemetry/cloudbuild.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/images/opentelemetry/cloudbuild.yaml b/images/opentelemetry/cloudbuild.yaml
index d507b8f1a..5a4e1b3c0 100644
--- a/images/opentelemetry/cloudbuild.yaml
+++ b/images/opentelemetry/cloudbuild.yaml
@@ -21,4 +21,4 @@ steps:
       && make push
 substitutions:
   _GIT_TAG: "12345"
-  _PULL_BASE_REF: "master"
+  _PULL_BASE_REF: "main"

From 7b96999eb9f7f83a5b8d0a36dc737cd090dff886 Mon Sep 17 00:00:00 2001
From: Damien Mathieu <42@dmathieu.com>
Date: Wed, 2 Mar 2022 17:39:14 +0100
Subject: [PATCH 338/376] Fix OpenTelemetry sidecar image build (#8286)

* fix wrong checksum for nginx image

* fix wrong platform. Arm64 has grpc, when arm doesn't
---
 images/opentelemetry/Makefile        | 2 +-
 images/opentelemetry/rootfs/build.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/images/opentelemetry/Makefile b/images/opentelemetry/Makefile
index bc5876525..10a8dd9ed 100644
--- a/images/opentelemetry/Makefile
+++ b/images/opentelemetry/Makefile
@@ -30,7 +30,7 @@ IMAGE = $(REGISTRY)/opentelemetry
 export DOCKER_CLI_EXPERIMENTAL=enabled
 
 # build with buildx
-PLATFORMS?=linux/amd64,linux/arm
+PLATFORMS?=linux/amd64,linux/arm64
 OUTPUT=
 PROGRESS=plain
 build: ensure-buildx
diff --git a/images/opentelemetry/rootfs/build.sh b/images/opentelemetry/rootfs/build.sh
index 60ace8bae..a79fdf950 100755
--- a/images/opentelemetry/rootfs/build.sh
+++ b/images/opentelemetry/rootfs/build.sh
@@ -60,7 +60,7 @@ get_src()
 }
 
 
-get_src e462e11533d5c30baa05df7652160ff5979591d291736cfa5edb9fd2edb48c49 \
+get_src 2e35dff06a9826e8aca940e9e8be46b7e4b12c19a48d55bfc2dc28fc9cc7d841 \
         "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz"
 
 get_src 45c52498788e47131b20a4786dbb08f4390b8cb419bd3d61c88b503cafff3324 \

From 6064a1cd72d8e7b7a8055d9b3b6588a4f021fe8e Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Wed, 2 Mar 2022 14:07:13 -0500
Subject: [PATCH 339/376] update tag for image (#8290)

---
 images/opentelemetry/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/images/opentelemetry/Makefile b/images/opentelemetry/Makefile
index 10a8dd9ed..20fb7ec63 100644
--- a/images/opentelemetry/Makefile
+++ b/images/opentelemetry/Makefile
@@ -21,7 +21,7 @@ DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))))
 INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh
 
 # 0.0.0 shouldn't clobber any released builds
-TAG ?= 0.0
+TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD)
 REGISTRY ?= gcr.io/k8s-staging-ingress-nginx
 
 IMAGE = $(REGISTRY)/opentelemetry

From c5c35881c031fae2bfd26075f61e6ad895ee37d3 Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Wed, 2 Mar 2022 14:49:01 -0500
Subject: [PATCH 340/376] remove git tag env from cloud build

the latest git tag is from helm, so force the make file use of TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD)
---
 images/opentelemetry/cloudbuild.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/images/opentelemetry/cloudbuild.yaml b/images/opentelemetry/cloudbuild.yaml
index 5a4e1b3c0..947eacbbb 100644
--- a/images/opentelemetry/cloudbuild.yaml
+++ b/images/opentelemetry/cloudbuild.yaml
@@ -8,7 +8,6 @@ steps:
     entrypoint: bash
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled
-      - TAG=$_GIT_TAG
       - BASE_REF=$_PULL_BASE_REF
       - REGISTRY=gcr.io/k8s-staging-ingress-nginx
       # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx

From fb72fcd81772fb3eca923897aec2d92fa5bdff41 Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Sat, 5 Mar 2022 01:18:52 +0530
Subject: [PATCH 341/376] release-v1.1.2-continued (#8294)

* v1.1.2 release

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>

* release-v1.1.2-continued

Co-authored-by: Jintao Zhang <zhangjintao9020@gmail.com>
---
 Changelog.md                                  |  42 ++
 README.md                                     |   1 +
 RELEASE.md                                    |  10 +-
 charts/ingress-nginx/CHANGELOG.md             |  35 +
 charts/ingress-nginx/Chart.yaml               |  44 +-
 charts/ingress-nginx/README.md                |   6 +-
 charts/ingress-nginx/values.yaml              |   4 +-
 deploy/static/provider/aws/1.19/deploy.yaml   |  85 +--
 deploy/static/provider/aws/1.20/deploy.yaml   |  85 +--
 deploy/static/provider/aws/1.21/deploy.yaml   |  85 +--
 deploy/static/provider/aws/1.22/deploy.yaml   |  85 +--
 deploy/static/provider/aws/1.23/deploy.yaml   | 685 +++++++++++++++++
 .../provider/aws/1.23/kustomization.yaml      |  11 +
 deploy/static/provider/aws/deploy.yaml        |  85 +--
 .../nlb-with-tls-termination/1.19/deploy.yaml |  85 +--
 .../nlb-with-tls-termination/1.20/deploy.yaml |  85 +--
 .../nlb-with-tls-termination/1.21/deploy.yaml |  85 +--
 .../nlb-with-tls-termination/1.22/deploy.yaml |  85 +--
 .../nlb-with-tls-termination/1.23/deploy.yaml | 697 ++++++++++++++++++
 .../1.23/kustomization.yaml                   |  11 +
 .../aws/nlb-with-tls-termination/deploy.yaml  |  85 +--
 .../provider/baremetal/1.19/deploy.yaml       |  86 +--
 .../provider/baremetal/1.20/deploy.yaml       |  86 +--
 .../provider/baremetal/1.21/deploy.yaml       |  86 +--
 .../provider/baremetal/1.22/deploy.yaml       |  86 +--
 .../provider/baremetal/1.23/deploy.yaml       | 679 +++++++++++++++++
 .../baremetal/1.23/kustomization.yaml         |  11 +
 deploy/static/provider/baremetal/deploy.yaml  |  86 +--
 deploy/static/provider/cloud/1.19/deploy.yaml |  86 +--
 deploy/static/provider/cloud/1.20/deploy.yaml |  86 +--
 deploy/static/provider/cloud/1.21/deploy.yaml |  86 +--
 deploy/static/provider/cloud/1.22/deploy.yaml |  86 +--
 deploy/static/provider/cloud/1.23/deploy.yaml | 681 +++++++++++++++++
 .../provider/cloud/1.23/kustomization.yaml    |  11 +
 deploy/static/provider/cloud/deploy.yaml      |  86 +--
 deploy/static/provider/do/1.19/deploy.yaml    |  85 +--
 deploy/static/provider/do/1.20/deploy.yaml    |  85 +--
 deploy/static/provider/do/1.21/deploy.yaml    |  85 +--
 deploy/static/provider/do/1.22/deploy.yaml    |  85 +--
 deploy/static/provider/do/1.23/deploy.yaml    | 685 +++++++++++++++++
 .../provider/do/1.23/kustomization.yaml       |  11 +
 deploy/static/provider/do/deploy.yaml         |  85 +--
 .../static/provider/exoscale/1.19/deploy.yaml |  85 +--
 .../static/provider/exoscale/1.20/deploy.yaml |  85 +--
 .../static/provider/exoscale/1.21/deploy.yaml |  85 +--
 .../static/provider/exoscale/1.22/deploy.yaml |  85 +--
 .../static/provider/exoscale/1.23/deploy.yaml | 691 +++++++++++++++++
 .../provider/exoscale/1.23/kustomization.yaml |  11 +
 deploy/static/provider/exoscale/deploy.yaml   |  85 +--
 deploy/static/provider/kind/1.19/deploy.yaml  |  86 +--
 deploy/static/provider/kind/1.20/deploy.yaml  |  86 +--
 deploy/static/provider/kind/1.21/deploy.yaml  |  86 +--
 deploy/static/provider/kind/1.22/deploy.yaml  |  86 +--
 deploy/static/provider/kind/1.23/deploy.yaml  | 692 +++++++++++++++++
 .../provider/kind/1.23/kustomization.yaml     |  11 +
 deploy/static/provider/kind/deploy.yaml       |  86 +--
 deploy/static/provider/scw/1.19/deploy.yaml   |  85 +--
 deploy/static/provider/scw/1.20/deploy.yaml   |  85 +--
 deploy/static/provider/scw/1.21/deploy.yaml   |  85 +--
 deploy/static/provider/scw/1.22/deploy.yaml   |  85 +--
 deploy/static/provider/scw/1.23/deploy.yaml   | 684 +++++++++++++++++
 .../provider/scw/1.23/kustomization.yaml      |  11 +
 deploy/static/provider/scw/deploy.yaml        |  85 +--
 hack/generate-deploy-scripts.sh               |   2 +-
 64 files changed, 7436 insertions(+), 1705 deletions(-)
 create mode 100644 deploy/static/provider/aws/1.23/deploy.yaml
 create mode 100644 deploy/static/provider/aws/1.23/kustomization.yaml
 create mode 100644 deploy/static/provider/aws/nlb-with-tls-termination/1.23/deploy.yaml
 create mode 100644 deploy/static/provider/aws/nlb-with-tls-termination/1.23/kustomization.yaml
 create mode 100644 deploy/static/provider/baremetal/1.23/deploy.yaml
 create mode 100644 deploy/static/provider/baremetal/1.23/kustomization.yaml
 create mode 100644 deploy/static/provider/cloud/1.23/deploy.yaml
 create mode 100644 deploy/static/provider/cloud/1.23/kustomization.yaml
 create mode 100644 deploy/static/provider/do/1.23/deploy.yaml
 create mode 100644 deploy/static/provider/do/1.23/kustomization.yaml
 create mode 100644 deploy/static/provider/exoscale/1.23/deploy.yaml
 create mode 100644 deploy/static/provider/exoscale/1.23/kustomization.yaml
 create mode 100644 deploy/static/provider/kind/1.23/deploy.yaml
 create mode 100644 deploy/static/provider/kind/1.23/kustomization.yaml
 create mode 100644 deploy/static/provider/scw/1.23/deploy.yaml
 create mode 100644 deploy/static/provider/scw/1.23/kustomization.yaml

diff --git a/Changelog.md b/Changelog.md
index ccc60e746..8aed9ff0f 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,47 @@
 # Changelog
 
+### 1.1.2
+
+**Image:** 
+- k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+
+This release bumps grpc version to 1.44.0 & runc to version 1.1.0. The release also re-introduces the ingress.class annotation, which was previously declared as deprecated. Besides that, several bug fixes and improvements are listed below.
+
+Changes:
+
+[8291](https://github.com/kubernetes/ingress-nginx/pull/8291) remove git tag env from cloud build
+[8286](https://github.com/kubernetes/ingress-nginx/pull/8286) Fix OpenTelemetry sidecar image build
+[8277](https://github.com/kubernetes/ingress-nginx/pull/8277) Add OpenSSF Best practices badge
+[8273](https://github.com/kubernetes/ingress-nginx/pull/8273) Issue#8241
+[8267](https://github.com/kubernetes/ingress-nginx/pull/8267) Add fsGroup value to admission-webhooks/job-patch charts
+[8262](https://github.com/kubernetes/ingress-nginx/pull/8262) Updated confusing error
+[8256](https://github.com/kubernetes/ingress-nginx/pull/8256) fix: deny locations with invalid auth-url annotation
+[8253](https://github.com/kubernetes/ingress-nginx/pull/8253) Add a certificate info metric
+[8236](https://github.com/kubernetes/ingress-nginx/pull/8236) webhook: remove useless code.
+[8227](https://github.com/kubernetes/ingress-nginx/pull/8227) Update libraries in webhook image
+[8225](https://github.com/kubernetes/ingress-nginx/pull/8225) fix inconsistent-label-cardinality for prometheus metrics: nginx_ingress_controller_requests
+[8221](https://github.com/kubernetes/ingress-nginx/pull/8221) Do not validate ingresses with unknown ingress class in admission webhook endpoint
+[8210](https://github.com/kubernetes/ingress-nginx/pull/8210) Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.1
+[8209](https://github.com/kubernetes/ingress-nginx/pull/8209) Bump google.golang.org/grpc from 1.43.0 to 1.44.0
+[8204](https://github.com/kubernetes/ingress-nginx/pull/8204) Add Artifact Hub lint
+[8203](https://github.com/kubernetes/ingress-nginx/pull/8203) Fix Indentation of example and link to cert-manager tutorial
+[8201](https://github.com/kubernetes/ingress-nginx/pull/8201) feat(metrics): add path and method labels to requests countera
+[8199](https://github.com/kubernetes/ingress-nginx/pull/8199) use functional options to reduce number of methods creating an EchoDeployment
+[8196](https://github.com/kubernetes/ingress-nginx/pull/8196) docs: fix inconsistent controller annotation
+[8191](https://github.com/kubernetes/ingress-nginx/pull/8191) Using Go install for misspell
+[8186](https://github.com/kubernetes/ingress-nginx/pull/8186) prometheus+grafana using servicemonitor
+[8185](https://github.com/kubernetes/ingress-nginx/pull/8185) Append elements on match, instead of removing for cors-annotations
+[8179](https://github.com/kubernetes/ingress-nginx/pull/8179) Bump github.com/opencontainers/runc from 1.0.3 to 1.1.0
+[8173](https://github.com/kubernetes/ingress-nginx/pull/8173) Adding annotations to the controller service account
+[8163](https://github.com/kubernetes/ingress-nginx/pull/8163) Update the $req_id placeholder description
+[8162](https://github.com/kubernetes/ingress-nginx/pull/8162) Versioned static manifests
+[8159](https://github.com/kubernetes/ingress-nginx/pull/8159) Adding some geoip variables and default values
+[8155](https://github.com/kubernetes/ingress-nginx/pull/8155) #7271 feat: avoid-pdb-creation-when-default-backend-disabled-and-replicas-gt-1
+[8151](https://github.com/kubernetes/ingress-nginx/pull/8151) Automatically generate helm docs
+[8143](https://github.com/kubernetes/ingress-nginx/pull/8143) Allow to configure delay before controller exits
+[8136](https://github.com/kubernetes/ingress-nginx/pull/8136) add ingressClass option to helm chart - back compatibility with ingress.class annotations
+
+
 ### 1.1.1
 
 **Image:** 
diff --git a/README.md b/README.md
index 718c115ff..96268a8f9 100644
--- a/README.md
+++ b/README.md
@@ -31,6 +31,7 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 
 | Ingress-NGINX version | k8s supported version        | Alpine Version | Nginx Version |
 |-----------------------|------------------------------|----------------|---------------|
+| v1.1.2                | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
 | v1.1.1                | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
 | v1.1.0                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
 | v1.0.5                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
diff --git a/RELEASE.md b/RELEASE.md
index 74fd3f1e4..f954199a2 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -205,10 +205,10 @@ Promoting the images basically means that images, that were pushed to staging co
             done <$file
 
             ```
-          - If you saved the bash script content above, in a file called `prlist_to_changelog.sh`, then you could execute a command like this to get your prlist in a text file called changelog_content.txt;`
+          - If you saved the bash script content above, in a file like `$HOME/bin/prlist_to_changelog.sh`, then you could execute a command like this to get your prlist in a text file called changelog_content.txt;`
 
           ```
-          prlist_to_changelog.sh prlist.txt > changelog_content.txt`
+          prlist_to_changelog.sh prlist.txt > /tmp/changelog_content.txt`
           ```
 
 ### d. Edit the values.yaml and run helm-docs
@@ -233,13 +233,9 @@ Promoting the images basically means that images, that were pushed to staging co
   - This script depends on kustomize and helm. The versions are pinned in `hack/.tool-versions` and you can use [asdf](https://github.com/asdf-vm/asdf#asdf) to install them
 
   - Execute the script to update static manifests using that script [hack/generate-deploy-scripts.sh](https://github.com/kubernetes/ingress-nginx/blob/main/hack/generate-deploy-scripts.sh)
-
   - Open some of the manifests and check if the script worked properly
 
-  - Use grep -ir to search for any misses by the script or undesired changes
-
-  - The script should properly set the image and the digest fields to the desired tag and semver
-
+  - Use `grep -ir image: | less` on the deploy directory, to view for any misses by the script on image digest value or other undesired changes. The script should properly set the image and the digest fields to the desired tag and semver
 
 
 ### f. Edit the changelog
diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md
index 616948228..f3f44c336 100644
--- a/charts/ingress-nginx/CHANGELOG.md
+++ b/charts/ingress-nginx/CHANGELOG.md
@@ -2,6 +2,41 @@
 
 This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
 
+### 4.0.18
+"[8291](https://github.com/kubernetes/ingress-nginx/pull/8291) remove git tag env from cloud build"
+"[8286](https://github.com/kubernetes/ingress-nginx/pull/8286) Fix OpenTelemetry sidecar image build"
+"[8277](https://github.com/kubernetes/ingress-nginx/pull/8277) Add OpenSSF Best practices badge"
+"[8273](https://github.com/kubernetes/ingress-nginx/pull/8273) Issue#8241"
+"[8267](https://github.com/kubernetes/ingress-nginx/pull/8267) Add fsGroup value to admission-webhooks/job-patch charts"
+"[8262](https://github.com/kubernetes/ingress-nginx/pull/8262) Updated confusing error"
+"[8256](https://github.com/kubernetes/ingress-nginx/pull/8256) fix: deny locations with invalid auth-url annotation"
+"[8253](https://github.com/kubernetes/ingress-nginx/pull/8253) Add a certificate info metric"
+"[8236](https://github.com/kubernetes/ingress-nginx/pull/8236) webhook: remove useless code."
+"[8227](https://github.com/kubernetes/ingress-nginx/pull/8227) Update libraries in webhook image"
+"[8225](https://github.com/kubernetes/ingress-nginx/pull/8225) fix inconsistent-label-cardinality for prometheus metrics: nginx_ingress_controller_requests"
+"[8221](https://github.com/kubernetes/ingress-nginx/pull/8221) Do not validate ingresses with unknown ingress class in admission webhook endpoint"
+"[8210](https://github.com/kubernetes/ingress-nginx/pull/8210) Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.1"
+"[8209](https://github.com/kubernetes/ingress-nginx/pull/8209) Bump google.golang.org/grpc from 1.43.0 to 1.44.0"
+"[8204](https://github.com/kubernetes/ingress-nginx/pull/8204) Add Artifact Hub lint"
+"[8203](https://github.com/kubernetes/ingress-nginx/pull/8203) Fix Indentation of example and link to cert-manager tutorial"
+"[8201](https://github.com/kubernetes/ingress-nginx/pull/8201) feat(metrics): add path and method labels to requests countera"
+"[8199](https://github.com/kubernetes/ingress-nginx/pull/8199) use functional options to reduce number of methods creating an EchoDeployment"
+"[8196](https://github.com/kubernetes/ingress-nginx/pull/8196) docs: fix inconsistent controller annotation"
+"[8191](https://github.com/kubernetes/ingress-nginx/pull/8191) Using Go install for misspell"
+"[8186](https://github.com/kubernetes/ingress-nginx/pull/8186) prometheus+grafana using servicemonitor"
+"[8185](https://github.com/kubernetes/ingress-nginx/pull/8185) Append elements on match, instead of removing for cors-annotations"
+"[8179](https://github.com/kubernetes/ingress-nginx/pull/8179) Bump github.com/opencontainers/runc from 1.0.3 to 1.1.0"
+"[8173](https://github.com/kubernetes/ingress-nginx/pull/8173) Adding annotations to the controller service account"
+"[8163](https://github.com/kubernetes/ingress-nginx/pull/8163) Update the $req_id placeholder description"
+"[8162](https://github.com/kubernetes/ingress-nginx/pull/8162) Versioned static manifests"
+"[8159](https://github.com/kubernetes/ingress-nginx/pull/8159) Adding some geoip variables and default values"
+"[8155](https://github.com/kubernetes/ingress-nginx/pull/8155) #7271 feat: avoid-pdb-creation-when-default-backend-disabled-and-replicas-gt-1"
+"[8151](https://github.com/kubernetes/ingress-nginx/pull/8151) Automatically generate helm docs"
+"[8143](https://github.com/kubernetes/ingress-nginx/pull/8143) Allow to configure delay before controller exits"
+"[8136](https://github.com/kubernetes/ingress-nginx/pull/8136) add ingressClass option to helm chart - back compatibility with ingress.class annotations"
+"[8126](https://github.com/kubernetes/ingress-nginx/pull/8126) Example for JWT"
+
+
 ### 4.0.15
 
 - [8120] https://github.com/kubernetes/ingress-nginx/pull/8120    Update go in runner and release v1.1.1
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 6a8510284..69db0be31 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.0.17
-appVersion: 1.1.1
+version: 4.0.18
+appVersion: 1.1.2
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
@@ -24,38 +24,8 @@ annotations:
   # List of changes for the release in artifacthub.io
   # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog
   artifacthub.io/changes: |
-    - "#8120    Update go in runner and release v1.1.1"
-    - "#8119    Update to go v1.17.6"
-    - "#8118    Remove deprecated libraries, update other libs"
-    - "#8117    Fix codegen errors"
-    - "#8115    chart/ghaction: set the correct permission to have access to push a release"
-    - "#8098    generating SHA for CA only certs in backend_ssl.go + comparision of P…"
-    - "#8088    Fix Edit this page link to use main branch"
-    - "#8072    Expose GeoIP2 Continent code as variable"
-    - "#8061    docs(charts): using helm-docs for chart"
-    - "#8058    Bump github.com/spf13/cobra from 1.2.1 to 1.3.0"
-    - "#8054    Bump google.golang.org/grpc from 1.41.0 to 1.43.0"
-    - "#8051    align bug report with feature request regarding kind documentation"
-    - "#8046    Report expired certificates (#8045)"
-    - "#8044    remove G109 check till gosec resolves issues"
-    - "#8042    docs_multiple_instances_one_cluster_ticket_7543"
-    - "#8041    docs: fix typo'd executible name"
-    - "#8035    Comment busy owners"
-    - "#8029    Add stream-snippet as a ConfigMap and Annotation option"
-    - "#8023    fix nginx compilation flags"
-    - "#8021    Disable default modsecurity_rules_file if modsecurity-snippet is specified"
-    - "#8019    Revise main documentation page"
-    - "#8018    Preserve order of plugin invocation"
-    - "#8015    Add newline indenting to admission webhook annotations"
-    - "#8014    Add link to example error page manifest in docs"
-    - "#8009    Fix spelling in documentation and top-level files"
-    - "#8008    Add relabelings in controller-servicemonitor.yaml"
-    - "#8003    Minor improvements (formatting, consistency) in install guide"
-    - "#8001    fix: go-grpc Dockerfile"
-    - "#7999    images: use k8s-staging-test-infra/gcb-docker-gcloud"
-    - "#7996    doc: improvement"
-    - "#7983    Fix a couple of misspellings in the annotations documentation."
-    - "#7979    allow set annotations for admission Jobs"
-    - "#7977    Add ssl_reject_handshake to defaul server"
-    - "#7975    add legacy version update v0.50.0 to main changelog"
-    - "#7972    updated service upstream definition"
+    - "#8253 Add a certificate info metric"
+    - "#8225 fix inconsistent-label-cardinality for prometheus metrics: nginx_ingress_controller_requests"
+    - "#8162 Versioned static manifests"
+    - "#8159 Adding some geoip variables and default values"
+    - "#8221 Do not validate ingresses with unknown ingress class in admission webhook endpoint"
diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index 8336e0912..ad641f726 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -2,7 +2,7 @@
 
 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 
-![Version: 4.0.17](https://img.shields.io/badge/Version-4.0.17-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.1](https://img.shields.io/badge/AppVersion-1.1.1-informational?style=flat-square)
+![Version: 4.0.18](https://img.shields.io/badge/Version-4.0.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.2](https://img.shields.io/badge/AppVersion-1.1.2-informational?style=flat-square)
 
 To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
 
@@ -306,12 +306,12 @@ Kubernetes: `>=1.19.0-0`
 | controller.hostPort.ports.https | int | `443` | 'hostPort' https port |
 | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
 | controller.image.allowPrivilegeEscalation | bool | `true` |  |
-| controller.image.digest | string | `"sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de"` |  |
+| controller.image.digest | string | `"sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c"` |  |
 | controller.image.image | string | `"ingress-nginx/controller"` |  |
 | controller.image.pullPolicy | string | `"IfNotPresent"` |  |
 | controller.image.registry | string | `"k8s.gcr.io"` |  |
 | controller.image.runAsUser | int | `101` |  |
-| controller.image.tag | string | `"v1.1.1"` |  |
+| controller.image.tag | string | `"v1.1.2"` |  |
 | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
 | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
 | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index bae135c3e..c887dc051 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -21,8 +21,8 @@ controller:
     ## for backwards compatibility consider setting the full image url via the repository value below
     ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     ## repository:
-    tag: "v1.1.1"
-    digest: sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+    tag: "v1.1.2"
+    digest: sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
     pullPolicy: IfNotPresent
     # www-data -> uid 101
     runAsUser: 101
diff --git a/deploy/static/provider/aws/1.19/deploy.yaml b/deploy/static/provider/aws/1.19/deploy.yaml
index c73b0e7e1..710cfcafd 100644
--- a/deploy/static/provider/aws/1.19/deploy.yaml
+++ b/deploy/static/provider/aws/1.19/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -341,8 +341,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -359,8 +359,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -389,8 +389,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -413,8 +413,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -438,6 +438,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -453,7 +454,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -529,8 +530,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -542,8 +543,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -566,6 +567,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -582,8 +584,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -595,8 +597,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -621,6 +623,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -634,8 +637,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -649,8 +652,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/1.20/deploy.yaml b/deploy/static/provider/aws/1.20/deploy.yaml
index c8117bf51..440861a53 100644
--- a/deploy/static/provider/aws/1.20/deploy.yaml
+++ b/deploy/static/provider/aws/1.20/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -341,8 +341,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -359,8 +359,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -394,8 +394,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -419,8 +419,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -444,6 +444,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -459,7 +460,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -535,8 +536,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -548,8 +549,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -572,6 +573,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -588,8 +590,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -601,8 +603,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -627,6 +629,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -640,8 +643,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -655,8 +658,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/1.21/deploy.yaml b/deploy/static/provider/aws/1.21/deploy.yaml
index c8117bf51..440861a53 100644
--- a/deploy/static/provider/aws/1.21/deploy.yaml
+++ b/deploy/static/provider/aws/1.21/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -341,8 +341,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -359,8 +359,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -394,8 +394,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -419,8 +419,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -444,6 +444,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -459,7 +460,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -535,8 +536,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -548,8 +549,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -572,6 +573,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -588,8 +590,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -601,8 +603,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -627,6 +629,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -640,8 +643,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -655,8 +658,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/1.22/deploy.yaml b/deploy/static/provider/aws/1.22/deploy.yaml
index c8117bf51..440861a53 100644
--- a/deploy/static/provider/aws/1.22/deploy.yaml
+++ b/deploy/static/provider/aws/1.22/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -341,8 +341,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -359,8 +359,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -394,8 +394,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -419,8 +419,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -444,6 +444,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -459,7 +460,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -535,8 +536,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -548,8 +549,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -572,6 +573,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -588,8 +590,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -601,8 +603,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -627,6 +629,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -640,8 +643,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -655,8 +658,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/1.23/deploy.yaml b/deploy/static/provider/aws/1.23/deploy.yaml
new file mode 100644
index 000000000..440861a53
--- /dev/null
+++ b/deploy/static/provider/aws/1.23/deploy.yaml
@@ -0,0 +1,685 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/aws/1.23/kustomization.yaml b/deploy/static/provider/aws/1.23/kustomization.yaml
new file mode 100644
index 000000000..d18ef3896
--- /dev/null
+++ b/deploy/static/provider/aws/1.23/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml
index 3ade4013b..374823462 100644
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@@ -17,8 +17,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -34,8 +34,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -48,8 +48,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -135,8 +135,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -156,8 +156,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -228,8 +228,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -249,8 +249,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -274,8 +274,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -295,8 +295,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -319,8 +319,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -342,8 +342,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -360,8 +360,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -395,8 +395,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -420,8 +420,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -445,6 +445,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -460,7 +461,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -536,8 +537,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -549,8 +550,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -573,6 +574,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -589,8 +591,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -602,8 +604,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -628,6 +630,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -641,8 +644,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -656,8 +659,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.19/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.19/deploy.yaml
index eee0f093a..426c72b06 100644
--- a/deploy/static/provider/aws/nlb-with-tls-termination/1.19/deploy.yaml
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.19/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -348,8 +348,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -368,8 +368,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -398,8 +398,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -422,8 +422,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -447,6 +447,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -462,7 +463,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -541,8 +542,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -554,8 +555,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -578,6 +579,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -594,8 +596,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -607,8 +609,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -633,6 +635,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -646,8 +649,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -661,8 +664,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.20/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.20/deploy.yaml
index cc52b3114..21ea91d49 100644
--- a/deploy/static/provider/aws/nlb-with-tls-termination/1.20/deploy.yaml
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.20/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -348,8 +348,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -368,8 +368,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -403,8 +403,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -428,8 +428,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -453,6 +453,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -468,7 +469,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -547,8 +548,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -560,8 +561,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -584,6 +585,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -600,8 +602,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -613,8 +615,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -639,6 +641,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -652,8 +655,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -667,8 +670,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.21/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.21/deploy.yaml
index cc52b3114..21ea91d49 100644
--- a/deploy/static/provider/aws/nlb-with-tls-termination/1.21/deploy.yaml
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.21/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -348,8 +348,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -368,8 +368,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -403,8 +403,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -428,8 +428,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -453,6 +453,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -468,7 +469,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -547,8 +548,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -560,8 +561,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -584,6 +585,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -600,8 +602,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -613,8 +615,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -639,6 +641,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -652,8 +655,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -667,8 +670,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.22/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.22/deploy.yaml
index cc52b3114..21ea91d49 100644
--- a/deploy/static/provider/aws/nlb-with-tls-termination/1.22/deploy.yaml
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.22/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -348,8 +348,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -368,8 +368,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -403,8 +403,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -428,8 +428,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -453,6 +453,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -468,7 +469,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -547,8 +548,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -560,8 +561,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -584,6 +585,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -600,8 +602,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -613,8 +615,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -639,6 +641,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -652,8 +655,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -667,8 +670,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.23/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.23/deploy.yaml
new file mode 100644
index 000000000..21ea91d49
--- /dev/null
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.23/deploy.yaml
@@ -0,0 +1,697 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+  http-snippet: |
+    server {
+      listen 2443;
+      return 308 https://$host$request_uri;
+    }
+  proxy-real-ip-cidr: XXX.XXX.XXX/XX
+  use-forwarded-headers: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
+    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX
+    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: tohttps
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: http
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 80
+          name: https
+          protocol: TCP
+        - containerPort: 2443
+          name: tohttps
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.23/kustomization.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.23/kustomization.yaml
new file mode 100644
index 000000000..ca2086ea9
--- /dev/null
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.23/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws/nlb-with-tls-termination?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
index 21aae7795..97c4697d5 100644
--- a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
@@ -17,8 +17,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -34,8 +34,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -48,8 +48,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -135,8 +135,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -156,8 +156,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -228,8 +228,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -249,8 +249,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -274,8 +274,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -295,8 +295,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -319,8 +319,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -349,8 +349,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -369,8 +369,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -404,8 +404,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -429,8 +429,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -454,6 +454,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -469,7 +470,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -548,8 +549,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -561,8 +562,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -585,6 +586,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -601,8 +603,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -614,8 +616,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -640,6 +642,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -653,8 +656,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -668,8 +671,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/baremetal/1.19/deploy.yaml b/deploy/static/provider/baremetal/1.19/deploy.yaml
index ec21480bb..c03765456 100644
--- a/deploy/static/provider/baremetal/1.19/deploy.yaml
+++ b/deploy/static/provider/baremetal/1.19/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -341,23 +341,22 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  annotations: null
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -385,8 +384,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -409,8 +408,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -433,6 +432,7 @@ spec:
         - /nginx-ingress-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -448,7 +448,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -524,8 +524,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -537,8 +537,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -561,6 +561,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -577,8 +578,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -590,8 +591,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -616,6 +617,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -629,8 +631,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -644,8 +646,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/baremetal/1.20/deploy.yaml b/deploy/static/provider/baremetal/1.20/deploy.yaml
index f4c419ed9..943d0ff49 100644
--- a/deploy/static/provider/baremetal/1.20/deploy.yaml
+++ b/deploy/static/provider/baremetal/1.20/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -341,23 +341,22 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  annotations: null
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -390,8 +389,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -415,8 +414,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -439,6 +438,7 @@ spec:
         - /nginx-ingress-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -454,7 +454,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -530,8 +530,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -543,8 +543,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -567,6 +567,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -583,8 +584,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -596,8 +597,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -622,6 +623,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -635,8 +637,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -650,8 +652,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/baremetal/1.21/deploy.yaml b/deploy/static/provider/baremetal/1.21/deploy.yaml
index f4c419ed9..943d0ff49 100644
--- a/deploy/static/provider/baremetal/1.21/deploy.yaml
+++ b/deploy/static/provider/baremetal/1.21/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -341,23 +341,22 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  annotations: null
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -390,8 +389,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -415,8 +414,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -439,6 +438,7 @@ spec:
         - /nginx-ingress-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -454,7 +454,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -530,8 +530,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -543,8 +543,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -567,6 +567,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -583,8 +584,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -596,8 +597,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -622,6 +623,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -635,8 +637,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -650,8 +652,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/baremetal/1.22/deploy.yaml b/deploy/static/provider/baremetal/1.22/deploy.yaml
index f4c419ed9..943d0ff49 100644
--- a/deploy/static/provider/baremetal/1.22/deploy.yaml
+++ b/deploy/static/provider/baremetal/1.22/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -341,23 +341,22 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  annotations: null
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -390,8 +389,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -415,8 +414,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -439,6 +438,7 @@ spec:
         - /nginx-ingress-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -454,7 +454,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -530,8 +530,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -543,8 +543,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -567,6 +567,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -583,8 +584,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -596,8 +597,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -622,6 +623,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -635,8 +637,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -650,8 +652,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/baremetal/1.23/deploy.yaml b/deploy/static/provider/baremetal/1.23/deploy.yaml
new file mode 100644
index 000000000..943d0ff49
--- /dev/null
+++ b/deploy/static/provider/baremetal/1.23/deploy.yaml
@@ -0,0 +1,679 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: NodePort
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/baremetal/1.23/kustomization.yaml b/deploy/static/provider/baremetal/1.23/kustomization.yaml
new file mode 100644
index 000000000..d13af0f82
--- /dev/null
+++ b/deploy/static/provider/baremetal/1.23/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/baremetal?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml
index 8aea1fd40..cdba346c1 100644
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@@ -17,8 +17,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -34,8 +34,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -48,8 +48,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -135,8 +135,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -156,8 +156,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -228,8 +228,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -249,8 +249,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -274,8 +274,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -295,8 +295,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -319,8 +319,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -342,23 +342,22 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  annotations: null
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -391,8 +390,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -416,8 +415,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -440,6 +439,7 @@ spec:
         - /nginx-ingress-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -455,7 +455,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -531,8 +531,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -544,8 +544,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -568,6 +568,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -584,8 +585,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -597,8 +598,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -623,6 +624,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -636,8 +638,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -651,8 +653,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/cloud/1.19/deploy.yaml b/deploy/static/provider/cloud/1.19/deploy.yaml
index 8930e5c6d..af5e89f04 100644
--- a/deploy/static/provider/cloud/1.19/deploy.yaml
+++ b/deploy/static/provider/cloud/1.19/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -341,23 +341,22 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  annotations: null
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -386,8 +385,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -410,8 +409,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -435,6 +434,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -450,7 +450,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -526,8 +526,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -539,8 +539,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -563,6 +563,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -579,8 +580,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -592,8 +593,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -618,6 +619,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -631,8 +633,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -646,8 +648,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/cloud/1.20/deploy.yaml b/deploy/static/provider/cloud/1.20/deploy.yaml
index ef71edab1..ae18d5938 100644
--- a/deploy/static/provider/cloud/1.20/deploy.yaml
+++ b/deploy/static/provider/cloud/1.20/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -341,23 +341,22 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  annotations: null
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -391,8 +390,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -416,8 +415,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -441,6 +440,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -456,7 +456,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -532,8 +532,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -545,8 +545,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -569,6 +569,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -585,8 +586,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -598,8 +599,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -624,6 +625,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -637,8 +639,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -652,8 +654,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/cloud/1.21/deploy.yaml b/deploy/static/provider/cloud/1.21/deploy.yaml
index ef71edab1..ae18d5938 100644
--- a/deploy/static/provider/cloud/1.21/deploy.yaml
+++ b/deploy/static/provider/cloud/1.21/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -341,23 +341,22 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  annotations: null
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -391,8 +390,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -416,8 +415,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -441,6 +440,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -456,7 +456,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -532,8 +532,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -545,8 +545,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -569,6 +569,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -585,8 +586,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -598,8 +599,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -624,6 +625,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -637,8 +639,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -652,8 +654,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/cloud/1.22/deploy.yaml b/deploy/static/provider/cloud/1.22/deploy.yaml
index ef71edab1..ae18d5938 100644
--- a/deploy/static/provider/cloud/1.22/deploy.yaml
+++ b/deploy/static/provider/cloud/1.22/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -341,23 +341,22 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  annotations: null
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -391,8 +390,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -416,8 +415,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -441,6 +440,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -456,7 +456,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -532,8 +532,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -545,8 +545,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -569,6 +569,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -585,8 +586,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -598,8 +599,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -624,6 +625,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -637,8 +639,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -652,8 +654,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/cloud/1.23/deploy.yaml b/deploy/static/provider/cloud/1.23/deploy.yaml
new file mode 100644
index 000000000..ae18d5938
--- /dev/null
+++ b/deploy/static/provider/cloud/1.23/deploy.yaml
@@ -0,0 +1,681 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/cloud/1.23/kustomization.yaml b/deploy/static/provider/cloud/1.23/kustomization.yaml
new file mode 100644
index 000000000..a92167fad
--- /dev/null
+++ b/deploy/static/provider/cloud/1.23/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/cloud?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml
index aafd9fde7..206883b6e 100644
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@@ -17,8 +17,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -34,8 +34,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -48,8 +48,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -135,8 +135,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -156,8 +156,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -228,8 +228,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -249,8 +249,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -274,8 +274,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -295,8 +295,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -319,8 +319,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -342,23 +342,22 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  annotations: null
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -392,8 +391,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -417,8 +416,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -442,6 +441,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -457,7 +457,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -533,8 +533,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -546,8 +546,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -570,6 +570,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -586,8 +587,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -599,8 +600,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -625,6 +626,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -638,8 +640,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -653,8 +655,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/do/1.19/deploy.yaml b/deploy/static/provider/do/1.19/deploy.yaml
index 6f63e5806..69504e702 100644
--- a/deploy/static/provider/do/1.19/deploy.yaml
+++ b/deploy/static/provider/do/1.19/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -342,8 +342,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -358,8 +358,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -388,8 +388,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -412,8 +412,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -437,6 +437,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -452,7 +453,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -528,8 +529,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -541,8 +542,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -565,6 +566,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -581,8 +583,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -594,8 +596,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -620,6 +622,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -633,8 +636,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -648,8 +651,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/do/1.20/deploy.yaml b/deploy/static/provider/do/1.20/deploy.yaml
index 6e5ef30ee..98bfe291a 100644
--- a/deploy/static/provider/do/1.20/deploy.yaml
+++ b/deploy/static/provider/do/1.20/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -342,8 +342,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -358,8 +358,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -393,8 +393,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -418,8 +418,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -443,6 +443,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -458,7 +459,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -534,8 +535,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -547,8 +548,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -571,6 +572,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -587,8 +589,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -600,8 +602,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -626,6 +628,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -639,8 +642,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -654,8 +657,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/do/1.21/deploy.yaml b/deploy/static/provider/do/1.21/deploy.yaml
index 6e5ef30ee..98bfe291a 100644
--- a/deploy/static/provider/do/1.21/deploy.yaml
+++ b/deploy/static/provider/do/1.21/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -342,8 +342,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -358,8 +358,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -393,8 +393,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -418,8 +418,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -443,6 +443,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -458,7 +459,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -534,8 +535,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -547,8 +548,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -571,6 +572,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -587,8 +589,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -600,8 +602,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -626,6 +628,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -639,8 +642,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -654,8 +657,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/do/1.22/deploy.yaml b/deploy/static/provider/do/1.22/deploy.yaml
index 6e5ef30ee..98bfe291a 100644
--- a/deploy/static/provider/do/1.22/deploy.yaml
+++ b/deploy/static/provider/do/1.22/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -342,8 +342,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -358,8 +358,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -393,8 +393,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -418,8 +418,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -443,6 +443,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -458,7 +459,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -534,8 +535,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -547,8 +548,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -571,6 +572,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -587,8 +589,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -600,8 +602,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -626,6 +628,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -639,8 +642,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -654,8 +657,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/do/1.23/deploy.yaml b/deploy/static/provider/do/1.23/deploy.yaml
new file mode 100644
index 000000000..98bfe291a
--- /dev/null
+++ b/deploy/static/provider/do/1.23/deploy.yaml
@@ -0,0 +1,685 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+  use-proxy-protocol: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
+  timeoutSeconds: 29
diff --git a/deploy/static/provider/do/1.23/kustomization.yaml b/deploy/static/provider/do/1.23/kustomization.yaml
new file mode 100644
index 000000000..c7bb8d250
--- /dev/null
+++ b/deploy/static/provider/do/1.23/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/do?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml
index 996fb7ea3..324ae79e6 100644
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@@ -17,8 +17,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -34,8 +34,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -48,8 +48,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -135,8 +135,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -156,8 +156,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -228,8 +228,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -249,8 +249,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -274,8 +274,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -295,8 +295,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -319,8 +319,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -343,8 +343,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -359,8 +359,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -394,8 +394,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -419,8 +419,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -444,6 +444,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -459,7 +460,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -535,8 +536,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -548,8 +549,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -572,6 +573,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -588,8 +590,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -601,8 +603,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -627,6 +629,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -640,8 +643,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -655,8 +658,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/exoscale/1.19/deploy.yaml b/deploy/static/provider/exoscale/1.19/deploy.yaml
index ea82a935c..3c22a0118 100644
--- a/deploy/static/provider/exoscale/1.19/deploy.yaml
+++ b/deploy/static/provider/exoscale/1.19/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -341,8 +341,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -365,8 +365,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -395,8 +395,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -419,8 +419,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -444,6 +444,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -459,7 +460,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -535,8 +536,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -548,8 +549,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -572,6 +573,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -588,8 +590,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -601,8 +603,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -627,6 +629,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -640,8 +643,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -655,8 +658,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/exoscale/1.20/deploy.yaml b/deploy/static/provider/exoscale/1.20/deploy.yaml
index f933c41b5..136b466c9 100644
--- a/deploy/static/provider/exoscale/1.20/deploy.yaml
+++ b/deploy/static/provider/exoscale/1.20/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -341,8 +341,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -365,8 +365,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -400,8 +400,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -425,8 +425,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -450,6 +450,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -465,7 +466,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -541,8 +542,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -554,8 +555,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -578,6 +579,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -594,8 +596,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -607,8 +609,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -633,6 +635,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -646,8 +649,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -661,8 +664,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/exoscale/1.21/deploy.yaml b/deploy/static/provider/exoscale/1.21/deploy.yaml
index f933c41b5..136b466c9 100644
--- a/deploy/static/provider/exoscale/1.21/deploy.yaml
+++ b/deploy/static/provider/exoscale/1.21/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -341,8 +341,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -365,8 +365,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -400,8 +400,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -425,8 +425,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -450,6 +450,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -465,7 +466,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -541,8 +542,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -554,8 +555,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -578,6 +579,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -594,8 +596,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -607,8 +609,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -633,6 +635,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -646,8 +649,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -661,8 +664,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/exoscale/1.22/deploy.yaml b/deploy/static/provider/exoscale/1.22/deploy.yaml
index f933c41b5..136b466c9 100644
--- a/deploy/static/provider/exoscale/1.22/deploy.yaml
+++ b/deploy/static/provider/exoscale/1.22/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -341,8 +341,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -365,8 +365,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -400,8 +400,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -425,8 +425,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -450,6 +450,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -465,7 +466,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -541,8 +542,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -554,8 +555,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -578,6 +579,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -594,8 +596,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -607,8 +609,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -633,6 +635,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -646,8 +649,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -661,8 +664,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/exoscale/1.23/deploy.yaml b/deploy/static/provider/exoscale/1.23/deploy.yaml
new file mode 100644
index 000000000..136b466c9
--- /dev/null
+++ b/deploy/static/provider/exoscale/1.23/deploy.yaml
@@ -0,0 +1,691 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/exoscale-loadbalancer-description: NGINX Ingress Controller
+      load balancer
+    service.beta.kubernetes.io/exoscale-loadbalancer-name: nginx-ingress-controller
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-interval: 10s
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-mode: http
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-retries: "1"
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: 3s
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-uri: /
+    service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/exoscale/1.23/kustomization.yaml b/deploy/static/provider/exoscale/1.23/kustomization.yaml
new file mode 100644
index 000000000..8466627e2
--- /dev/null
+++ b/deploy/static/provider/exoscale/1.23/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/exoscale?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml
index e03f2a9d2..d65ba8628 100644
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@@ -17,8 +17,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -34,8 +34,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -48,8 +48,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -135,8 +135,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -156,8 +156,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -228,8 +228,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -249,8 +249,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -274,8 +274,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -295,8 +295,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -319,8 +319,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -342,8 +342,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -366,8 +366,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -401,8 +401,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -426,8 +426,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -451,6 +451,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -466,7 +467,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -542,8 +543,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -555,8 +556,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -579,6 +580,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -595,8 +597,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -608,8 +610,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -634,6 +636,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -647,8 +650,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -662,8 +665,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/kind/1.19/deploy.yaml b/deploy/static/provider/kind/1.19/deploy.yaml
index cfe8c44fe..171725751 100644
--- a/deploy/static/provider/kind/1.19/deploy.yaml
+++ b/deploy/static/provider/kind/1.19/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -341,23 +341,22 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  annotations: null
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -385,8 +384,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -409,8 +408,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -437,6 +436,7 @@ spec:
         - /nginx-ingress-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -454,7 +454,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -537,8 +537,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -550,8 +550,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -574,6 +574,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -590,8 +591,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -603,8 +604,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -629,6 +630,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -642,8 +644,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -657,8 +659,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/kind/1.20/deploy.yaml b/deploy/static/provider/kind/1.20/deploy.yaml
index e2a18a480..030092a55 100644
--- a/deploy/static/provider/kind/1.20/deploy.yaml
+++ b/deploy/static/provider/kind/1.20/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -341,23 +341,22 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  annotations: null
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -390,8 +389,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -415,8 +414,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -443,6 +442,7 @@ spec:
         - /nginx-ingress-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -460,7 +460,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -543,8 +543,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -556,8 +556,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -580,6 +580,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -596,8 +597,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -609,8 +610,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -635,6 +636,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -648,8 +650,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -663,8 +665,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/kind/1.21/deploy.yaml b/deploy/static/provider/kind/1.21/deploy.yaml
index e2a18a480..030092a55 100644
--- a/deploy/static/provider/kind/1.21/deploy.yaml
+++ b/deploy/static/provider/kind/1.21/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -341,23 +341,22 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  annotations: null
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -390,8 +389,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -415,8 +414,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -443,6 +442,7 @@ spec:
         - /nginx-ingress-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -460,7 +460,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -543,8 +543,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -556,8 +556,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -580,6 +580,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -596,8 +597,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -609,8 +610,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -635,6 +636,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -648,8 +650,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -663,8 +665,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/kind/1.22/deploy.yaml b/deploy/static/provider/kind/1.22/deploy.yaml
index e2a18a480..030092a55 100644
--- a/deploy/static/provider/kind/1.22/deploy.yaml
+++ b/deploy/static/provider/kind/1.22/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -341,23 +341,22 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  annotations: null
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -390,8 +389,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -415,8 +414,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -443,6 +442,7 @@ spec:
         - /nginx-ingress-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -460,7 +460,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -543,8 +543,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -556,8 +556,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -580,6 +580,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -596,8 +597,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -609,8 +610,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -635,6 +636,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -648,8 +650,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -663,8 +665,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/kind/1.23/deploy.yaml b/deploy/static/provider/kind/1.23/deploy.yaml
new file mode 100644
index 000000000..030092a55
--- /dev/null
+++ b/deploy/static/provider/kind/1.23/deploy.yaml
@@ -0,0 +1,692 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: NodePort
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        - --watch-ingress-without-class=true
+        - --publish-status-address=localhost
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          hostPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          hostPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        ingress-ready: "true"
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 0
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Equal
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/kind/1.23/kustomization.yaml b/deploy/static/provider/kind/1.23/kustomization.yaml
new file mode 100644
index 000000000..94b7c887d
--- /dev/null
+++ b/deploy/static/provider/kind/1.23/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/kind?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index 9d2711dae..1725f1347 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -17,8 +17,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -34,8 +34,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -48,8 +48,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -135,8 +135,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -156,8 +156,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -228,8 +228,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -249,8 +249,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -274,8 +274,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -295,8 +295,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -319,8 +319,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -342,23 +342,22 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  annotations: null
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -391,8 +390,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -416,8 +415,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -444,6 +443,7 @@ spec:
         - /nginx-ingress-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -461,7 +461,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -544,8 +544,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -557,8 +557,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -581,6 +581,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -597,8 +598,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -610,8 +611,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -636,6 +637,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -649,8 +651,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -664,8 +666,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/scw/1.19/deploy.yaml b/deploy/static/provider/scw/1.19/deploy.yaml
index 8b52a7298..8e29c5564 100644
--- a/deploy/static/provider/scw/1.19/deploy.yaml
+++ b/deploy/static/provider/scw/1.19/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -342,8 +342,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -358,8 +358,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -388,8 +388,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -412,8 +412,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -437,6 +437,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -452,7 +453,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -528,8 +529,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -541,8 +542,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -565,6 +566,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -581,8 +583,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -594,8 +596,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -620,6 +622,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -633,8 +636,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -648,8 +651,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/scw/1.20/deploy.yaml b/deploy/static/provider/scw/1.20/deploy.yaml
index bcffca757..82cee679d 100644
--- a/deploy/static/provider/scw/1.20/deploy.yaml
+++ b/deploy/static/provider/scw/1.20/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -342,8 +342,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -358,8 +358,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -393,8 +393,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -418,8 +418,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -443,6 +443,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -458,7 +459,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -534,8 +535,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -547,8 +548,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -571,6 +572,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -587,8 +589,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -600,8 +602,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -626,6 +628,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -639,8 +642,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -654,8 +657,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/scw/1.21/deploy.yaml b/deploy/static/provider/scw/1.21/deploy.yaml
index bcffca757..82cee679d 100644
--- a/deploy/static/provider/scw/1.21/deploy.yaml
+++ b/deploy/static/provider/scw/1.21/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -342,8 +342,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -358,8 +358,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -393,8 +393,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -418,8 +418,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -443,6 +443,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -458,7 +459,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -534,8 +535,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -547,8 +548,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -571,6 +572,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -587,8 +589,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -600,8 +602,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -626,6 +628,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -639,8 +642,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -654,8 +657,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/scw/1.22/deploy.yaml b/deploy/static/provider/scw/1.22/deploy.yaml
index bcffca757..82cee679d 100644
--- a/deploy/static/provider/scw/1.22/deploy.yaml
+++ b/deploy/static/provider/scw/1.22/deploy.yaml
@@ -16,8 +16,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -33,8 +33,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -47,8 +47,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -134,8 +134,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -155,8 +155,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -227,8 +227,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -248,8 +248,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -273,8 +273,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -294,8 +294,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -318,8 +318,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -342,8 +342,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -358,8 +358,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -393,8 +393,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -418,8 +418,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -443,6 +443,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -458,7 +459,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -534,8 +535,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -547,8 +548,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -571,6 +572,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -587,8 +589,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -600,8 +602,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -626,6 +628,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -639,8 +642,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -654,8 +657,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/scw/1.23/deploy.yaml b/deploy/static/provider/scw/1.23/deploy.yaml
new file mode 100644
index 000000000..82cee679d
--- /dev/null
+++ b/deploy/static/provider/scw/1.23/deploy.yaml
@@ -0,0 +1,684 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  name: ingress-nginx
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - ingress-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - secrets
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+  name: ingress-nginx-admission
+  namespace: ingress-nginx
+---
+apiVersion: v1
+data:
+  allow-snippet-annotations: "true"
+  use-proxy-protocol: "true"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: "true"
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  externalTrafficPolicy: Local
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - appProtocol: https
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  ports:
+  - appProtocol: https
+    name: https-webhook
+    port: 443
+    targetPort: webhook
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/name: ingress-nginx
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  minReadySeconds: 0
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+      - args:
+        - /nginx-ingress-controller
+        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --election-id=ingress-controller-leader
+        - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
+        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: LD_PRELOAD
+          value: /usr/local/lib/libmimalloc.so
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /wait-shutdown
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: controller
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        - containerPort: 8443
+          name: webhook
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 90Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          runAsUser: 101
+        volumeMounts:
+        - mountPath: /usr/local/certificates/
+          name: webhook-cert
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission-create
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
+      name: ingress-nginx-admission-create
+    spec:
+      containers:
+      - args:
+        - create
+        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+        - --namespace=$(POD_NAMESPACE)
+        - --secret-name=ingress-nginx-admission
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: create
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission-patch
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-webhook
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/part-of: ingress-nginx
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
+      name: ingress-nginx-admission-patch
+    spec:
+      containers:
+      - args:
+        - patch
+        - --webhook-name=ingress-nginx-admission
+        - --namespace=$(POD_NAMESPACE)
+        - --patch-mutating=false
+        - --secret-name=ingress-nginx-admission
+        - --patch-failure-policy=Fail
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
+        imagePullPolicy: IfNotPresent
+        name: patch
+        securityContext:
+          allowPrivilegeEscalation: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      restartPolicy: OnFailure
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+      serviceAccountName: ingress-nginx-admission
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app.kubernetes.io/component: admission-webhook
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
+  name: ingress-nginx-admission
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: ingress-nginx-controller-admission
+      namespace: ingress-nginx
+      path: /networking/v1/ingresses
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validate.nginx.ingress.kubernetes.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  sideEffects: None
diff --git a/deploy/static/provider/scw/1.23/kustomization.yaml b/deploy/static/provider/scw/1.23/kustomization.yaml
new file mode 100644
index 000000000..da792b8f5
--- /dev/null
+++ b/deploy/static/provider/scw/1.23/kustomization.yaml
@@ -0,0 +1,11 @@
+# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases.
+# https://kubectl.docs.kubernetes.io/references/kustomize/bases/
+#
+# ```
+# namespace: ingress-nginx
+# bases:
+#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/scw?ref=master
+# ```
+
+resources:
+  - deploy.yaml
diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml
index 8fff56b99..138a9fcf1 100644
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@@ -17,8 +17,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -34,8 +34,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -48,8 +48,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -135,8 +135,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -156,8 +156,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -228,8 +228,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -249,8 +249,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -274,8 +274,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -295,8 +295,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -319,8 +319,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -343,8 +343,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -359,8 +359,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -394,8 +394,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -419,8 +419,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -444,6 +444,7 @@ spec:
         - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
         - --election-id=ingress-controller-leader
         - --controller-class=k8s.io/ingress-nginx
+        - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
@@ -459,7 +460,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -535,8 +536,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -548,8 +549,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -572,6 +573,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -588,8 +590,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -601,8 +603,8 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.1
-        helm.sh/chart: ingress-nginx-4.0.16
+        app.kubernetes.io/version: 1.1.2
+        helm.sh/chart: ingress-nginx-4.0.18
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -627,6 +629,7 @@ spec:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
+        fsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
@@ -640,8 +643,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -655,8 +658,8 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.1
-    helm.sh/chart: ingress-nginx-4.0.16
+    app.kubernetes.io/version: 1.1.2
+    helm.sh/chart: ingress-nginx-4.0.18
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/hack/generate-deploy-scripts.sh b/hack/generate-deploy-scripts.sh
index 4ec213792..a697b13e2 100755
--- a/hack/generate-deploy-scripts.sh
+++ b/hack/generate-deploy-scripts.sh
@@ -26,7 +26,7 @@ set -o pipefail
 # with enough docs updates, this could be removed
 # see     # DEFAULT VERSION HANDLING
 K8S_DEFAULT_VERSION=1.20
-K8S_TARGET_VERSIONS=("1.19" "1.20" "1.21" "1.22")
+K8S_TARGET_VERSIONS=("1.19" "1.20" "1.21" "1.22" "1.23")
 
 DIR=$(cd $(dirname "${BASH_SOURCE}")/.. && pwd -P)
 

From 3bd32316babefb3f04827154dcdda593803516b8 Mon Sep 17 00:00:00 2001
From: Niclas Mietz <solidnerd@users.noreply.github.com>
Date: Mon, 7 Mar 2022 17:32:55 +0100
Subject: [PATCH 342/376] docs: fix changelog formatting (#8302)

---
 Changelog.md | 64 ++++++++++++++++++++++++++--------------------------
 1 file changed, 32 insertions(+), 32 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index 8aed9ff0f..40a4aaaf9 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -7,39 +7,39 @@
 
 This release bumps grpc version to 1.44.0 & runc to version 1.1.0. The release also re-introduces the ingress.class annotation, which was previously declared as deprecated. Besides that, several bug fixes and improvements are listed below.
 
-Changes:
+_Changes:_
 
-[8291](https://github.com/kubernetes/ingress-nginx/pull/8291) remove git tag env from cloud build
-[8286](https://github.com/kubernetes/ingress-nginx/pull/8286) Fix OpenTelemetry sidecar image build
-[8277](https://github.com/kubernetes/ingress-nginx/pull/8277) Add OpenSSF Best practices badge
-[8273](https://github.com/kubernetes/ingress-nginx/pull/8273) Issue#8241
-[8267](https://github.com/kubernetes/ingress-nginx/pull/8267) Add fsGroup value to admission-webhooks/job-patch charts
-[8262](https://github.com/kubernetes/ingress-nginx/pull/8262) Updated confusing error
-[8256](https://github.com/kubernetes/ingress-nginx/pull/8256) fix: deny locations with invalid auth-url annotation
-[8253](https://github.com/kubernetes/ingress-nginx/pull/8253) Add a certificate info metric
-[8236](https://github.com/kubernetes/ingress-nginx/pull/8236) webhook: remove useless code.
-[8227](https://github.com/kubernetes/ingress-nginx/pull/8227) Update libraries in webhook image
-[8225](https://github.com/kubernetes/ingress-nginx/pull/8225) fix inconsistent-label-cardinality for prometheus metrics: nginx_ingress_controller_requests
-[8221](https://github.com/kubernetes/ingress-nginx/pull/8221) Do not validate ingresses with unknown ingress class in admission webhook endpoint
-[8210](https://github.com/kubernetes/ingress-nginx/pull/8210) Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.1
-[8209](https://github.com/kubernetes/ingress-nginx/pull/8209) Bump google.golang.org/grpc from 1.43.0 to 1.44.0
-[8204](https://github.com/kubernetes/ingress-nginx/pull/8204) Add Artifact Hub lint
-[8203](https://github.com/kubernetes/ingress-nginx/pull/8203) Fix Indentation of example and link to cert-manager tutorial
-[8201](https://github.com/kubernetes/ingress-nginx/pull/8201) feat(metrics): add path and method labels to requests countera
-[8199](https://github.com/kubernetes/ingress-nginx/pull/8199) use functional options to reduce number of methods creating an EchoDeployment
-[8196](https://github.com/kubernetes/ingress-nginx/pull/8196) docs: fix inconsistent controller annotation
-[8191](https://github.com/kubernetes/ingress-nginx/pull/8191) Using Go install for misspell
-[8186](https://github.com/kubernetes/ingress-nginx/pull/8186) prometheus+grafana using servicemonitor
-[8185](https://github.com/kubernetes/ingress-nginx/pull/8185) Append elements on match, instead of removing for cors-annotations
-[8179](https://github.com/kubernetes/ingress-nginx/pull/8179) Bump github.com/opencontainers/runc from 1.0.3 to 1.1.0
-[8173](https://github.com/kubernetes/ingress-nginx/pull/8173) Adding annotations to the controller service account
-[8163](https://github.com/kubernetes/ingress-nginx/pull/8163) Update the $req_id placeholder description
-[8162](https://github.com/kubernetes/ingress-nginx/pull/8162) Versioned static manifests
-[8159](https://github.com/kubernetes/ingress-nginx/pull/8159) Adding some geoip variables and default values
-[8155](https://github.com/kubernetes/ingress-nginx/pull/8155) #7271 feat: avoid-pdb-creation-when-default-backend-disabled-and-replicas-gt-1
-[8151](https://github.com/kubernetes/ingress-nginx/pull/8151) Automatically generate helm docs
-[8143](https://github.com/kubernetes/ingress-nginx/pull/8143) Allow to configure delay before controller exits
-[8136](https://github.com/kubernetes/ingress-nginx/pull/8136) add ingressClass option to helm chart - back compatibility with ingress.class annotations
+- [8291](https://github.com/kubernetes/ingress-nginx/pull/8291) remove git tag env from cloud build
+- [8286](https://github.com/kubernetes/ingress-nginx/pull/8286) Fix OpenTelemetry sidecar image build
+- [8277](https://github.com/kubernetes/ingress-nginx/pull/8277) Add OpenSSF Best practices badge
+- [8273](https://github.com/kubernetes/ingress-nginx/pull/8273) Issue#8241
+- [8267](https://github.com/kubernetes/ingress-nginx/pull/8267) Add fsGroup value to admission-webhooks/job-patch charts
+- [8262](https://github.com/kubernetes/ingress-nginx/pull/8262) Updated confusing error
+- [8256](https://github.com/kubernetes/ingress-nginx/pull/8256) fix: deny locations with invalid auth-url annotation
+- [8253](https://github.com/kubernetes/ingress-nginx/pull/8253) Add a certificate info metric
+- [8236](https://github.com/kubernetes/ingress-nginx/pull/8236) webhook: remove useless code.
+- [8227](https://github.com/kubernetes/ingress-nginx/pull/8227) Update libraries in webhook image
+- [8225](https://github.com/kubernetes/ingress-nginx/pull/8225) fix inconsistent-label-cardinality for prometheus metrics: nginx_ingress_controller_requests
+- [8221](https://github.com/kubernetes/ingress-nginx/pull/8221) Do not validate ingresses with unknown ingress class in admission webhook endpoint
+- [8210](https://github.com/kubernetes/ingress-nginx/pull/8210) Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.1
+- [8209](https://github.com/kubernetes/ingress-nginx/pull/8209) Bump google.golang.org/grpc from 1.43.0 to 1.44.0
+- [8204](https://github.com/kubernetes/ingress-nginx/pull/8204) Add Artifact Hub lint
+- [8203](https://github.com/kubernetes/ingress-nginx/pull/8203) Fix Indentation of example and link to cert-manager tutorial
+- [8201](https://github.com/kubernetes/ingress-nginx/pull/8201) feat(metrics): add path and method labels to requests countera
+- [8199](https://github.com/kubernetes/ingress-nginx/pull/8199) use functional options to reduce number of methods creating an EchoDeployment
+- [8196](https://github.com/kubernetes/ingress-nginx/pull/8196) docs: fix inconsistent controller annotation
+- [8191](https://github.com/kubernetes/ingress-nginx/pull/8191) Using Go install for misspell
+- [8186](https://github.com/kubernetes/ingress-nginx/pull/8186) prometheus+grafana using servicemonitor
+- [8185](https://github.com/kubernetes/ingress-nginx/pull/8185) Append elements on match, instead of removing for cors-annotations
+- [8179](https://github.com/kubernetes/ingress-nginx/pull/8179) Bump github.com/opencontainers/runc from 1.0.3 to 1.1.0
+- [8173](https://github.com/kubernetes/ingress-nginx/pull/8173) Adding annotations to the controller service account
+- [8163](https://github.com/kubernetes/ingress-nginx/pull/8163) Update the $req_id placeholder description
+- [8162](https://github.com/kubernetes/ingress-nginx/pull/8162) Versioned static manifests
+- [8159](https://github.com/kubernetes/ingress-nginx/pull/8159) Adding some geoip variables and default values
+- [8155](https://github.com/kubernetes/ingress-nginx/pull/8155) #7271 feat: avoid-pdb-creation-when-default-backend-disabled-and-replicas-gt-1
+- [8151](https://github.com/kubernetes/ingress-nginx/pull/8151) Automatically generate helm docs
+- [8143](https://github.com/kubernetes/ingress-nginx/pull/8143) Allow to configure delay before controller exits
+- [8136](https://github.com/kubernetes/ingress-nginx/pull/8136) add ingressClass option to helm chart - back compatibility with ingress.class annotations
 
 
 ### 1.1.1

From a43346d975a6350f48e5420782e5051b7805e106 Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Mon, 7 Mar 2022 12:38:53 -0500
Subject: [PATCH 343/376] leaving it the git tag (#8311)

fixing the git tag for the image version, it is what it is .
---
 images/opentelemetry/cloudbuild.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/images/opentelemetry/cloudbuild.yaml b/images/opentelemetry/cloudbuild.yaml
index 947eacbbb..5a4e1b3c0 100644
--- a/images/opentelemetry/cloudbuild.yaml
+++ b/images/opentelemetry/cloudbuild.yaml
@@ -8,6 +8,7 @@ steps:
     entrypoint: bash
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled
+      - TAG=$_GIT_TAG
       - BASE_REF=$_PULL_BASE_REF
       - REGISTRY=gcr.io/k8s-staging-ingress-nginx
       # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx

From 5a9fe30a5dbdecb675da740b632bed2f9e1449e7 Mon Sep 17 00:00:00 2001
From: hongkunyoo <hongkunyoo@gmail.com>
Date: Wed, 9 Mar 2022 23:54:13 +0900
Subject: [PATCH 344/376] Missing annotations (#8288)

Not quite sure but It seems that `nginx.ingress.kubernetes.io/canary-by-header` is missing.
---
 docs/user-guide/nginx-configuration/annotations.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
index 57542f25f..a0086abec 100755
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@@ -134,7 +134,7 @@ In some cases, you may want to "canary" a new set of changes by sending a small
 
 * `nginx.ingress.kubernetes.io/canary-by-header`: The header to use for notifying the Ingress to route the request to the service specified in the Canary Ingress. When the request header is set to `always`, it will be routed to the canary. When the header is set to `never`, it will never be routed to the canary. For any other value, the header will be ignored and the request compared against the other canary rules by precedence.
 
-* `nginx.ingress.kubernetes.io/canary-by-header-value`: The header value to match for notifying the Ingress to route the request to the service specified in the Canary Ingress. When the request header is set to this value, it will be routed to the canary. For any other header value, the header will be ignored and the request compared against the other canary rules by precedence. This annotation has to be used together with . The annotation is an extension of the `nginx.ingress.kubernetes.io/canary-by-header` to allow customizing the header value instead of using hardcoded values. It doesn't have any effect if the `nginx.ingress.kubernetes.io/canary-by-header` annotation is not defined.
+* `nginx.ingress.kubernetes.io/canary-by-header-value`: The header value to match for notifying the Ingress to route the request to the service specified in the Canary Ingress. When the request header is set to this value, it will be routed to the canary. For any other header value, the header will be ignored and the request compared against the other canary rules by precedence. This annotation has to be used together with `nginx.ingress.kubernetes.io/canary-by-header`. The annotation is an extension of the `nginx.ingress.kubernetes.io/canary-by-header` to allow customizing the header value instead of using hardcoded values. It doesn't have any effect if the `nginx.ingress.kubernetes.io/canary-by-header` annotation is not defined.
 
 * `nginx.ingress.kubernetes.io/canary-by-header-pattern`: This works the same way as `canary-by-header-value` except it does PCRE Regex matching. Note that when `canary-by-header-value` is set this annotation will be ignored. When the given Regex causes error during request processing, the request will be considered as not matching.
 

From e1eff7816005b3fad21a091e306132d11e0ca61e Mon Sep 17 00:00:00 2001
From: Daniel Lim <lahuman@daum.net>
Date: Wed, 9 Mar 2022 23:56:13 +0900
Subject: [PATCH 345/376] Names cannot contain _ (underscore)! So I changed it
 to -. (#8300)

* The name can't use _(underscore)! So fix it!

The name can't use _(underscore)! So fix it!

* Fix configMap name can't use _(underscore)

Fix configMap name can't use _(underscore)
---
 .../custom-default-backend-error_pages.configMap.yaml       | 2 +-
 .../custom-errors/custom-default-backend.helm.values.yaml   | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/examples/customization/custom-errors/custom-default-backend-error_pages.configMap.yaml b/docs/examples/customization/custom-errors/custom-default-backend-error_pages.configMap.yaml
index 86b1c44e8..303734c90 100644
--- a/docs/examples/customization/custom-errors/custom-default-backend-error_pages.configMap.yaml
+++ b/docs/examples/customization/custom-errors/custom-default-backend-error_pages.configMap.yaml
@@ -3,7 +3,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: custom_error_pages
+  name: custom-error-pages
 data:
   404: |
     <!DOCTYPE html>
diff --git a/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml b/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml
index ce42bb9b5..fc00707ce 100644
--- a/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml
+++ b/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml
@@ -7,14 +7,14 @@ defaultBackend:
     image: ingress-nginx/nginx-errors
     tag: "0.48.1"
   extraVolumes:
-  - name: custom_error_pages
+  - name: custom-error-pages
     configMap:
-      name: custom_error_pages
+      name: custom-error-pages
       items:
       - key: "404"
         path: "404.html"
       - key: "503"
         path: "503.html"
   extraVolumeMounts:
-  - name: custom_error_pages
+  - name: custom-error-pages
     mountPath: /www

From 974d038c2a83dbba1802fddd7105127faf2589ca Mon Sep 17 00:00:00 2001
From: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Date: Mon, 14 Mar 2022 10:29:58 -0500
Subject: [PATCH 346/376] Pinned GitHub workflows by SHA (#8334)

- Pinned actions by SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
- Included permissions for some of the actions. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

Dependabot can upgrade pinned version of actions.
---
 .github/workflows/ci.yaml   | 58 ++++++++++++++++++++++---------------
 .github/workflows/docs.yaml | 13 +++++----
 .github/workflows/helm.yaml | 11 ++++---
 3 files changed, 50 insertions(+), 32 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 25b8d5e14..cec6488ff 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -9,9 +9,15 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
 
   changes:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
     runs-on: ubuntu-latest
     outputs:
       go: ${{ steps.filter.outputs.go }}
@@ -20,9 +26,9 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 
-      - uses: dorny/paths-filter@v2
+      - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2
         id: filter
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -43,10 +49,10 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 
       - name: Run Gosec Security Scanner
-        uses: securego/gosec@master
+        uses: securego/gosec@b99b5f7838e43a4104354ad92a6a1774302ee1f9 # master
         with:
           # G601 for zz_generated.deepcopy.go
           # G306 TODO: Expect WriteFile permissions to be 0600 or less
@@ -61,17 +67,17 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 
       - name: Set up Go 1.17
         id: go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
         with:
           go-version: '1.17.6'
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: crazy-max/ghaction-docker-buildx@v1
+        uses: crazy-max/ghaction-docker-buildx@e01797ad2ea9a981005ad58c99afa8d842e3d3eb # v1
         with:
           buildx-version: latest
           qemu-version: latest
@@ -104,7 +110,7 @@ jobs:
             | pigz > docker.tar.gz
 
       - name: cache
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2
         with:
           name: docker.tar.gz
           path: docker.tar.gz
@@ -121,15 +127,15 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
         with:
           go-version: '1.17.6'
 
       - name: cache
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@f023be2c48cc18debc3bacd34cb396e0295e2869 # v2
         with:
           name: docker.tar.gz
 
@@ -162,12 +168,12 @@ jobs:
 
       - name: Create Kubernetes cluster
         id: kind
-        uses: engineerd/setup-kind@v0.5.0
+        uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
         with:
           version: v0.11.1
           image: kindest/node:v1.21.1
 
-      - uses: geekyeggo/delete-artifact@v1
+      - uses: geekyeggo/delete-artifact@a6ab43859c960a8b74cbc6291f362c7fb51829ba # v1
         with:
           name: docker.tar.gz
           failOnError: false
@@ -202,22 +208,22 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 
       - name: cache
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@f023be2c48cc18debc3bacd34cb396e0295e2869 # v2
         with:
           name: docker.tar.gz
 
       - name: Create Kubernetes ${{ matrix.k8s }} cluster
         id: kind
-        uses: engineerd/setup-kind@v0.5.0
+        uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
         with:
           version: v0.11.1
           config: test/e2e/kind.yaml
           image: kindest/node:${{ matrix.k8s }}
 
-      - uses: geekyeggo/delete-artifact@v1
+      - uses: geekyeggo/delete-artifact@a6ab43859c960a8b74cbc6291f362c7fb51829ba # v1
         with:
           name: docker.tar.gz
           failOnError: false
@@ -245,14 +251,17 @@ jobs:
           make kind-e2e-test
 
   test-image-build:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
     runs-on: ubuntu-latest
     env:
       PLATFORMS: linux/amd64
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 
-      - uses: dorny/paths-filter@v2
+      - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2
         id: filter-images
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -302,14 +311,17 @@ jobs:
           cd images/kube-webhook-certgen && make build
 
   test-image:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
     runs-on: ubuntu-latest
     env:
       PLATFORMS: linux/amd64
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 
-      - uses: dorny/paths-filter@v2
+      - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2
         id: filter-images
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -320,7 +332,7 @@ jobs:
       - name: Create Kubernetes cluster
         id: kind
         if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
-        uses: engineerd/setup-kind@v0.5.0
+        uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
         with:
           version: v0.11.1
           image: kindest/node:v1.21.1
@@ -328,7 +340,7 @@ jobs:
       - name: Set up Go 1.17
         id: go
         if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
         with:
           go-version: '1.17.6'
 
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index 420808443..df398b3f1 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -8,6 +8,9 @@ on:
 jobs:
 
   changes:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
     runs-on: ubuntu-latest
     if: |
       (github.repository == 'kubernetes/ingress-nginx')
@@ -18,15 +21,15 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 
-      - uses: dorny/paths-filter@v2
+      - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2
         id: filter
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           filters: |
             docs:
-              - 'docs/**/*'
+             - 'docs/**/*'
 
   docs:
     name: Update
@@ -43,9 +46,9 @@ jobs:
     steps:
 
       - name: Checkout master
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 
       - name: Deploy
         uses: ./.github/actions/mkdocs
         env:
-          PERSONAL_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          PERSONAL_TOKEN: "${{ secrets.GITHUB_TOKEN }}" 
diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml
index b0adb644e..dd8e6d752 100644
--- a/.github/workflows/helm.yaml
+++ b/.github/workflows/helm.yaml
@@ -9,6 +9,9 @@ on:
 jobs:
 
   changes:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
     runs-on: ubuntu-latest
     if: |
       (github.repository == 'kubernetes/ingress-nginx')
@@ -19,9 +22,9 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 
-      - uses: dorny/paths-filter@v2
+      - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2
         id: filter
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -46,7 +49,7 @@ jobs:
     steps:
 
       - name: Checkout master
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
         with:
           # Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896
           fetch-depth: 0
@@ -58,7 +61,7 @@ jobs:
           git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
       
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.2.1
+        uses: helm/chart-releaser-action@c25b74a986eb925b398320414b576227f375f946 # v1.2.1
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"

From 1fb0aea2c51fdd9e7f224c54326aa0620bdfb8fa Mon Sep 17 00:00:00 2001
From: Rodrigo Riccitelli Vieira <mcbacker@gmail.com>
Date: Mon, 14 Mar 2022 12:47:58 -0300
Subject: [PATCH 347/376] Update monitoring.md (#8324)

Added missing repo on "helm upgrade" command
---
 docs/user-guide/monitoring.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md
index 99039d635..b8df59980 100644
--- a/docs/user-guide/monitoring.md
+++ b/docs/user-guide/monitoring.md
@@ -20,7 +20,8 @@ This tutorial will show you how to install [Prometheus](https://prometheus.io/)
 
   - The easiest way to configure the controller for metrics is via helm upgrade. Assuming you have installed the ingress-nginx controller as a helm release named ingress-controller, then you can simply type the command show below :
   ```
-  helm upgrade ingress-controller ingress-nginx/ingress-nginx \
+  helm upgrade ingress-nginx ingress-nginx \
+  --repo https://kubernetes.github.io/ingress-nginx \
   --namespace ingress-nginx \
   --set controller.metrics.enabled=true \
   --set-string controller.podAnnotations."prometheus\.io/scrape"="true" \

From 9180ef1ee4728dc772f35f9d5afe54c414f3585c Mon Sep 17 00:00:00 2001
From: thomasbruggink <thomasbruggink@users.noreply.github.com>
Date: Tue, 15 Mar 2022 00:51:57 +0900
Subject: [PATCH 348/376] Add the shareProcessNamespace as a configurable
 setting. (#8287)

---
 charts/ingress-nginx/README.md                            | 1 +
 charts/ingress-nginx/templates/controller-daemonset.yaml  | 3 +++
 charts/ingress-nginx/templates/controller-deployment.yaml | 3 +++
 charts/ingress-nginx/values.yaml                          | 4 ++++
 4 files changed, 11 insertions(+)

diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index ad641f726..c0ef8109d 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -409,6 +409,7 @@ Kubernetes: `>=1.19.0-0`
 | controller.service.targetPorts.http | string | `"http"` |  |
 | controller.service.targetPorts.https | string | `"https"` |  |
 | controller.service.type | string | `"LoadBalancer"` |  |
+| controller.shareProcessNamespace | bool | `false` |  This can be used for example to signal log rotation using `kill -USR1` from a sidecar. |
 | controller.sysctls | object | `{}` | See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls |
 | controller.tcp.annotations | object | `{}` | Annotations to be added to the tcp config configmap |
 | controller.tcp.configMapNamespace | string | `""` | Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) |
diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml
index 72811fbe4..09852d041 100644
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -67,6 +67,9 @@ spec:
         - name: {{ $sysctl | quote }}
           value: {{ $value | quote }}
     {{- end }}
+    {{- end }}
+    {{- if .Values.controller.shareProcessNamespace }}
+      shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }}
     {{- end }}
       containers:
         - name: {{ .Values.controller.containerName }}
diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
index a1943cd91..effd5b06c 100644
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -71,6 +71,9 @@ spec:
         - name: {{ $sysctl | quote }}
           value: {{ $value | quote }}
     {{- end }}
+    {{- end }}
+    {{- if .Values.controller.shareProcessNamespace }}
+      shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }}
     {{- end }}
       containers:
         - name: {{ .Values.controller.containerName }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index c887dc051..a8b002516 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -529,6 +529,10 @@ controller:
       ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
       # externalTrafficPolicy: ""
 
+  # shareProcessNamespace enables process namespace sharing within the pod.
+  # This can be used for example to signal log rotation using `kill -USR1` from a sidecar.
+  shareProcessNamespace: false
+
   # -- Additional containers to be added to the controller pod.
   # See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example.
   extraContainers: []

From 01b92b8b3aca887b257851dbbc89e4c57815a4ab Mon Sep 17 00:00:00 2001
From: sskserk <78915702+sskserk@users.noreply.github.com>
Date: Mon, 14 Mar 2022 16:55:57 +0100
Subject: [PATCH 349/376] Nginx v1.19.10 (#8307)

---
 images/nginx/rootfs/build.sh         | 4 ++--
 images/opentelemetry/rootfs/build.sh | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
index bee2561d0..2ee308d68 100755
--- a/images/nginx/rootfs/build.sh
+++ b/images/nginx/rootfs/build.sh
@@ -18,7 +18,7 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-export NGINX_VERSION=1.19.9
+export NGINX_VERSION=1.19.10
 
 # Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.1...master
 export NDK_VERSION=0.3.1
@@ -197,7 +197,7 @@ mkdir --verbose -p "$BUILD_PATH"
 cd "$BUILD_PATH"
 
 # download, verify and extract the source files
-get_src 2e35dff06a9826e8aca940e9e8be46b7e4b12c19a48d55bfc2dc28fc9cc7d841 \
+get_src e8d0290ff561986ad7cd6c33307e12e11b137186c4403a6a5ccdb4914c082d88 \
         "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz"
 
 get_src 0e971105e210d272a497567fa2e2c256f4e39b845a5ba80d373e26ba1abfbd85 \
diff --git a/images/opentelemetry/rootfs/build.sh b/images/opentelemetry/rootfs/build.sh
index a79fdf950..aab2abbd0 100755
--- a/images/opentelemetry/rootfs/build.sh
+++ b/images/opentelemetry/rootfs/build.sh
@@ -18,7 +18,7 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-export NGINX_VERSION=1.19.9
+export NGINX_VERSION=1.19.10
 
 # Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.0.0...main
 export OPENTELEMETRY_CPP_VERSION=1.0.0
@@ -60,7 +60,7 @@ get_src()
 }
 
 
-get_src 2e35dff06a9826e8aca940e9e8be46b7e4b12c19a48d55bfc2dc28fc9cc7d841 \
+get_src e8d0290ff561986ad7cd6c33307e12e11b137186c4403a6a5ccdb4914c082d88 \
         "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz"
 
 get_src 45c52498788e47131b20a4786dbb08f4390b8cb419bd3d61c88b503cafff3324 \

From ba7f295538f6d0e0c1b5cde70c827b4e9796178f Mon Sep 17 00:00:00 2001
From: Ana Claudia Riekstin <17534478+anaclaudiar@users.noreply.github.com>
Date: Wed, 16 Mar 2022 09:25:49 -0400
Subject: [PATCH 350/376] Fix 50% split between canary and mainline tests
 (#8315)

* fix 50% canary test

* fix past tense

* after code review

* revert go.sum and go.mod

* run gofmt
---
 test/e2e/annotations/canary.go | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/test/e2e/annotations/canary.go b/test/e2e/annotations/canary.go
index 4f1bdcad6..99d164f98 100644
--- a/test/e2e/annotations/canary.go
+++ b/test/e2e/annotations/canary.go
@@ -18,7 +18,6 @@ package annotations
 
 import (
 	"fmt"
-	"math"
 	"net/http"
 	"reflect"
 	"regexp"
@@ -806,7 +805,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() {
 				Contains(canaryService)
 		})
 
-		ginkgo.It("should route requests evenly split between mainline and canary if canary weight is 50", func() {
+		ginkgo.It("should route requests split between mainline and canary if canary weight is 50", func() {
 			host := "foo"
 			annotations := map[string]string{}
 
@@ -829,7 +828,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() {
 				f.Namespace, canaryService, 80, canaryAnnotations)
 			f.EnsureIngress(canaryIng)
 
-			TestEvenMainlineCanaryDistribution(f, host)
+			TestMainlineCanaryDistribution(f, host)
 		})
 	})
 
@@ -1079,18 +1078,24 @@ var _ = framework.DescribeAnnotation("canary-*", func() {
 				}
 			}
 
-			TestEvenMainlineCanaryDistribution(f, host)
+			TestMainlineCanaryDistribution(f, host)
 		})
 	})
 
 })
 
 // This method assumes canary weight being configured at 50%.
-func TestEvenMainlineCanaryDistribution(f *framework.Framework, host string) {
+func TestMainlineCanaryDistribution(f *framework.Framework, host string) {
 	re := regexp.MustCompile(fmt.Sprintf(`%s.*`, framework.EchoService))
 	replicaRequestCount := map[string]int{}
 
-	for i := 0; i < 200; i++ {
+	// The implementation of choice by weight doesn't guarantee exact
+	// number of requests, so verify if mainline and canary have at
+	// least some requests
+	requestsToGet := 200
+	requestsNumberToTest := (40 * requestsToGet) / 100
+
+	for i := 0; i < requestsToGet; i++ {
 		body := f.HTTPTestClient().
 			GET("/").
 			WithHeader("Host", host).
@@ -1111,8 +1116,6 @@ func TestEvenMainlineCanaryDistribution(f *framework.Framework, host string) {
 
 	assert.Equal(ginkgo.GinkgoT(), 2, len(keys))
 
-	// The implmentation of choice by weight doesn't guarantee exact
-	// number of requests, so verify if request imbalance is within an
-	// acceptable range.
-	assert.LessOrEqual(ginkgo.GinkgoT(), math.Abs(float64(replicaRequestCount[keys[0].String()]-replicaRequestCount[keys[1].String()]))/math.Max(float64(replicaRequestCount[keys[0].String()]), float64(replicaRequestCount[keys[1].String()])), 0.2)
+	assert.GreaterOrEqual(ginkgo.GinkgoT(), int(replicaRequestCount[keys[0].String()]), requestsNumberToTest)
+	assert.GreaterOrEqual(ginkgo.GinkgoT(), int(replicaRequestCount[keys[1].String()]), requestsNumberToTest)
 }

From 1953efa9d8cc3fdc7f2fff2f1148355047ace244 Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Wed, 16 Mar 2022 11:52:38 -0400
Subject: [PATCH 351/376] Bumping alpine base to 3.15

---
 images/nginx/rootfs/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile
index a9e180315..9cc5539ae 100644
--- a/images/nginx/rootfs/Dockerfile
+++ b/images/nginx/rootfs/Dockerfile
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 
-FROM alpine:3.14.2 as builder
+FROM alpine:3.15.0 as builder
 
 COPY . /
 
@@ -23,7 +23,7 @@ RUN apk update \
   && /build.sh
 
 # Use a multi-stage build
-FROM alpine:3.14.2
+FROM alpine:3.15.0
 
 ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin
 

From 2fefd714bdb76779365636b9ae91e63eac2198f1 Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Wed, 16 Mar 2022 12:57:48 -0400
Subject: [PATCH 352/376] update tag and force a new build

Signed-off-by: James Strong <strong.james.e@gmail.com>
---
 TAG                            | 2 +-
 images/nginx/rootfs/Dockerfile | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/TAG b/TAG
index 0f1acbd56..99a4aef0c 100644
--- a/TAG
+++ b/TAG
@@ -1 +1 @@
-v1.1.2
+v1.1.3
diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile
index 9cc5539ae..d39863aec 100644
--- a/images/nginx/rootfs/Dockerfile
+++ b/images/nginx/rootfs/Dockerfile
@@ -11,8 +11,6 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
-
 FROM alpine:3.15.0 as builder
 
 COPY . /
@@ -74,4 +72,5 @@ RUN apk update \
 EXPOSE 80 443
 
 ENTRYPOINT ["/usr/local/entrypoint.sh"]
+
 CMD ["nginx", "-g", "daemon off;"]

From 952a6dc22ca4a01d62162245e539daf4e827c014 Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Wed, 16 Mar 2022 14:52:06 -0400
Subject: [PATCH 353/376] control tag with short sha

Signed-off-by: James Strong <strong.james.e@gmail.com>
---
 images/nginx/cloudbuild.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/images/nginx/cloudbuild.yaml b/images/nginx/cloudbuild.yaml
index d507b8f1a..1e524af21 100644
--- a/images/nginx/cloudbuild.yaml
+++ b/images/nginx/cloudbuild.yaml
@@ -8,7 +8,7 @@ steps:
     entrypoint: bash
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled
-      - TAG=$_GIT_TAG
+      - TAG=$SHORT_SHA
       - BASE_REF=$_PULL_BASE_REF
       - REGISTRY=gcr.io/k8s-staging-ingress-nginx
       # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx

From 0e2447ed0e41dd441dfb2b2a44559c35b40c1de4 Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Wed, 16 Mar 2022 15:07:38 -0400
Subject: [PATCH 354/376] add the date per request

Signed-off-by: James Strong <strong.james.e@gmail.com>
---
 images/nginx/cloudbuild.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/images/nginx/cloudbuild.yaml b/images/nginx/cloudbuild.yaml
index 1e524af21..6c1f844ec 100644
--- a/images/nginx/cloudbuild.yaml
+++ b/images/nginx/cloudbuild.yaml
@@ -8,7 +8,7 @@ steps:
     entrypoint: bash
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled
-      - TAG=$SHORT_SHA
+      - TAG=v$(date "+%Y%m%d")-$SHORT_SHA
       - BASE_REF=$_PULL_BASE_REF
       - REGISTRY=gcr.io/k8s-staging-ingress-nginx
       # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx

From 5c47803d0f0d37cd83dc942a7e1c3ccd8565681a Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Wed, 16 Mar 2022 15:13:24 -0400
Subject: [PATCH 355/376] fix the cloud build

Signed-off-by: James Strong <strong.james.e@gmail.com>
---
 images/nginx/cloudbuild.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/images/nginx/cloudbuild.yaml b/images/nginx/cloudbuild.yaml
index 6c1f844ec..b5b906a8d 100644
--- a/images/nginx/cloudbuild.yaml
+++ b/images/nginx/cloudbuild.yaml
@@ -8,7 +8,7 @@ steps:
     entrypoint: bash
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled
-      - TAG=v$(date "+%Y%m%d")-$SHORT_SHA
+      - COMMIT=$SHORT_SHA
       - BASE_REF=$_PULL_BASE_REF
       - REGISTRY=gcr.io/k8s-staging-ingress-nginx
       # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx
@@ -18,7 +18,7 @@ steps:
     - -c
     - |
       gcloud auth configure-docker \
-      && make push
+      && TAG=v$(date "+%Y%m%d")-${COMMIT} make push
 substitutions:
   _GIT_TAG: "12345"
   _PULL_BASE_REF: "master"

From 569b3c2a70cd3f08792e699446b3edae77049f16 Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Wed, 16 Mar 2022 15:32:45 -0400
Subject: [PATCH 356/376] update cloud build image

Signed-off-by: James Strong <strong.james.e@gmail.com>
---
 images/nginx/cloudbuild.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/images/nginx/cloudbuild.yaml b/images/nginx/cloudbuild.yaml
index b5b906a8d..d6347e437 100644
--- a/images/nginx/cloudbuild.yaml
+++ b/images/nginx/cloudbuild.yaml
@@ -4,7 +4,7 @@ options:
   # job builds a multi-arch docker image for amd64,arm,arm64 and s390x.
   machineType: N1_HIGHCPU_32
 steps:
-  - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90
+  - name: gcr.io/k8s-staging-test-infra/image-builder:v20220309-4b32800b2d
     entrypoint: bash
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled

From 40bb6c3d2ea0d3b99a4c1644d2194816fd1a5d7d Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Thu, 17 Mar 2022 15:02:41 -0400
Subject: [PATCH 357/376] update cloud build (#8349)

---
 images/nginx/cloudbuild.yaml   | 9 +++------
 images/nginx/rootfs/Dockerfile | 3 ++-
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/images/nginx/cloudbuild.yaml b/images/nginx/cloudbuild.yaml
index d6347e437..3a646fc88 100644
--- a/images/nginx/cloudbuild.yaml
+++ b/images/nginx/cloudbuild.yaml
@@ -4,21 +4,18 @@ options:
   # job builds a multi-arch docker image for amd64,arm,arm64 and s390x.
   machineType: N1_HIGHCPU_32
 steps:
-  - name: gcr.io/k8s-staging-test-infra/image-builder:v20220309-4b32800b2d
+  - name: 'gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90'
     entrypoint: bash
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled
-      - COMMIT=$SHORT_SHA
       - BASE_REF=$_PULL_BASE_REF
       - REGISTRY=gcr.io/k8s-staging-ingress-nginx
-      # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx
-      # set the home to /root explicitly to if using docker buildx
-      - HOME=/root
+       - HOME=/root
     args:
     - -c
     - |
       gcloud auth configure-docker \
-      && TAG=v$(date "+%Y%m%d")-${COMMIT} make push
+      && TAG=v$(date "+%Y%m%d")-$(git rev-parse --short HEAD) make push
 substitutions:
   _GIT_TAG: "12345"
   _PULL_BASE_REF: "master"
diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile
index d39863aec..a3c4831bb 100644
--- a/images/nginx/rootfs/Dockerfile
+++ b/images/nginx/rootfs/Dockerfile
@@ -41,7 +41,8 @@ RUN apk update \
     pcre \
     zlib \
     geoip \
-    curl ca-certificates \
+    curl \
+    ca-certificates \
     patch \
     yajl \
     lmdb \

From 3f19fd646fb2da4a44578861a26486f947894db2 Mon Sep 17 00:00:00 2001
From: Ana Claudia Riekstin <17534478+anaclaudiar@users.noreply.github.com>
Date: Thu, 17 Mar 2022 21:19:40 -0400
Subject: [PATCH 358/376] bump Alpine image in Dockerfile (#8350)

---
 images/opentelemetry/rootfs/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/images/opentelemetry/rootfs/Dockerfile b/images/opentelemetry/rootfs/Dockerfile
index bef5b5562..cea4270d6 100644
--- a/images/opentelemetry/rootfs/Dockerfile
+++ b/images/opentelemetry/rootfs/Dockerfile
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 
-FROM alpine:3.14.2 as builder
+FROM alpine:3.15.0 as builder
 
 COPY . /
 

From e51c15160e9b4d641fc9e289601676e1adc70e19 Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Fri, 18 Mar 2022 13:04:41 -0400
Subject: [PATCH 359/376] fix indent on env (#8352)

* fix indent on env

* revert tag to      - TAG=$_GIT_TAG
---
 images/nginx/cloudbuild.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/images/nginx/cloudbuild.yaml b/images/nginx/cloudbuild.yaml
index 3a646fc88..0b81aa8d6 100644
--- a/images/nginx/cloudbuild.yaml
+++ b/images/nginx/cloudbuild.yaml
@@ -9,13 +9,14 @@ steps:
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled
       - BASE_REF=$_PULL_BASE_REF
+      - TAG=$_GIT_TAG
       - REGISTRY=gcr.io/k8s-staging-ingress-nginx
-       - HOME=/root
+      - HOME=/root
     args:
     - -c
     - |
       gcloud auth configure-docker \
-      && TAG=v$(date "+%Y%m%d")-$(git rev-parse --short HEAD) make push
+      && make push
 substitutions:
   _GIT_TAG: "12345"
   _PULL_BASE_REF: "master"

From d27d7c20b415c2e313e61aa3d032f82ca14c504e Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Mon, 21 Mar 2022 22:46:47 +0000
Subject: [PATCH 360/376] Updated semver in install docs URLs (#8368)

---
 docs/deploy/index.md | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index 9f613308b..966703afb 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -28,6 +28,8 @@ On most Kubernetes clusters, the ingress controller will work without requiring
   - ... [Bare-metal](#bare-metal-clusters)
 - [Miscellaneous](#miscellaneous)
 
+## TODO : We have subdirectories for kubernetes versions now because of a PR https://github.com/kubernetes/ingress-nginx/pull/8162 . You can see this here https://github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/cloud . We need to add documentation here that is clear and unambiguous in guiding users to pick the deployment manifest under a subdirectory, based on the K8S version being used. But until the explicit clear docs land here, users are recommended to feel free to use those subdirectories and get the manifest(s) related to their K8S version.
+
 ## Quick start
 
 **If you have Helm,** you can deploy the ingress controller with the following command:
@@ -49,7 +51,7 @@ It will install the controller in the `ingress-nginx` namespace, creating that n
 **If you don't have Helm** or if you prefer to use a YAML manifest, you can run the following command instead:
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/cloud/deploy.yaml
 ```
 
 !!! info
@@ -184,17 +186,17 @@ In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controll
 ##### Network Load Balancer (NLB)
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/aws/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/aws/deploy.yaml
 ```
 
 ##### TLS termination in AWS Load Balancer (NLB)
 
 By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB.
 
-1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template
+1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template
 
   ```console
-  wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
+  wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
   ```
 
 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster:
@@ -236,7 +238,7 @@ Then, the ingress controller can be installed like this:
 
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/cloud/deploy.yaml
 ```
 
 !!! warning
@@ -250,7 +252,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 #### Azure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/cloud/deploy.yaml
 ```
 
 More information with regards to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller).
@@ -258,13 +260,13 @@ More information with regards to Azure annotations for ingress controller can be
 #### Digital Ocean
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/do/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/do/deploy.yaml
 ```
 
 #### Scaleway
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/scw/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/scw/deploy.yaml
 ```
 
 #### Exoscale
@@ -278,7 +280,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale
 #### Oracle Cloud Infrastructure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/cloud/deploy.yaml
 ```
 
 A [complete list of available annotations for Oracle Cloud Infrastructure](https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md) can be found in the [OCI Cloud Controller Manager](https://github.com/oracle/oci-cloud-controller-manager) documentation.
@@ -290,7 +292,7 @@ This section is applicable to Kubernetes clusters deployed on bare metal servers
 For quick testing, you can use a [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport). This should work on almost every cluster, but it will typically use a port in the range 30000-32767.
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/baremetal/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/baremetal/deploy.yaml
 ```
 
 For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), see [bare-metal considerations](./baremetal.md).

From 5c07c862e1f69e39da1e6b4121bba631f55e5651 Mon Sep 17 00:00:00 2001
From: Nishant Jain <nishantkumarajain@gmail.com>
Date: Tue, 22 Mar 2022 16:53:44 +0530
Subject: [PATCH 361/376] Removed s390x, linux/arm platform as docker build was
 crashing (#8121)

Co-authored-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>
---
 .github/workflows/ci.yaml                     |   8 +-
 .../external-auth-headers/Makefile            |  23 --
 .../{deploy => }/auth-service.yaml            |   2 +-
 .../external-auth-headers/authsvc/Dockerfile  |   5 -
 .../{deploy => }/echo-service.yaml            |   2 +-
 .../external-auth-headers/echosvc/Dockerfile  |   5 -
 .../external-auth-headers/echosvc/echosvc.go  |  32 ---
 images/echo/Makefile                          |   2 +-
 images/ext-auth-example-authsvc/Makefile      |  55 +++++
 .../ext-auth-example-authsvc/cloudbuild.yaml  |  24 ++
 .../rootfs/Dockerfile                         |  10 +
 .../rootfs}/authsvc.go                        |   0
 images/ext-auth-example-authsvc/rootfs/go.mod |   8 +
 images/ext-auth-example-authsvc/rootfs/go.sum | 215 ++++++++++++++++++
 14 files changed, 322 insertions(+), 69 deletions(-)
 delete mode 100644 docs/examples/customization/external-auth-headers/Makefile
 rename docs/examples/customization/external-auth-headers/{deploy => }/auth-service.yaml (90%)
 delete mode 100644 docs/examples/customization/external-auth-headers/authsvc/Dockerfile
 rename docs/examples/customization/external-auth-headers/{deploy => }/echo-service.yaml (96%)
 delete mode 100644 docs/examples/customization/external-auth-headers/echosvc/Dockerfile
 delete mode 100644 docs/examples/customization/external-auth-headers/echosvc/echosvc.go
 create mode 100644 images/ext-auth-example-authsvc/Makefile
 create mode 100644 images/ext-auth-example-authsvc/cloudbuild.yaml
 create mode 100644 images/ext-auth-example-authsvc/rootfs/Dockerfile
 rename {docs/examples/customization/external-auth-headers/authsvc => images/ext-auth-example-authsvc/rootfs}/authsvc.go (100%)
 create mode 100644 images/ext-auth-example-authsvc/rootfs/go.mod
 create mode 100644 images/ext-auth-example-authsvc/rootfs/go.sum

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index cec6488ff..63d41b588 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -256,7 +256,7 @@ jobs:
       pull-requests: read  # for dorny/paths-filter to read pull requests
     runs-on: ubuntu-latest
     env:
-      PLATFORMS: linux/amd64
+      PLATFORMS: linux/amd64,linux/arm64
     steps:
       - name: Checkout
         uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
@@ -280,6 +280,8 @@ jobs:
               - 'images/httpbin/**'
             kube-webhook-certgen:
               - 'images/kube-webhook-certgen/**'
+            ext-auth-example-authsvc:
+              - 'images/ext-auth-example-authsvc/**'
 
       - name: custom-error-pages image build
         if: ${{ steps.filter-images.outputs.custom-error-pages == 'true' }}
@@ -309,6 +311,10 @@ jobs:
         if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
         run: |
           cd images/kube-webhook-certgen && make build
+      - name: ext-auth-example-authsvc
+        if: ${{ steps.filter-images.outputs.ext-auth-example-authsvc == 'true' }}
+        run: |
+          cd images/ext-auth-example-authsvc && make build
 
   test-image:
     permissions:
diff --git a/docs/examples/customization/external-auth-headers/Makefile b/docs/examples/customization/external-auth-headers/Makefile
deleted file mode 100644
index 1ee7e06ac..000000000
--- a/docs/examples/customization/external-auth-headers/Makefile
+++ /dev/null
@@ -1,23 +0,0 @@
-all: push
-
-TAG=0.1
-PREFIX?=electroma/ingress-demo-
-ARCH?=amd64
-GOLANG_VERSION=1.9
-TEMP_DIR:=$(shell mktemp -d)
-
-build: clean
-	CGO_ENABLED=0 GOOS=linux GOARCH=$(ARCH) go build -o authsvc/authsvc authsvc/authsvc.go
-	CGO_ENABLED=0 GOOS=linux GOARCH=$(ARCH) go build -o echosvc/echosvc echosvc/echosvc.go
-
-container: build
-	docker build --pull -t $(PREFIX)authsvc-$(ARCH):$(TAG) authsvc
-	docker build --pull -t $(PREFIX)echosvc-$(ARCH):$(TAG) echosvc
-
-push: container
-	docker push $(PREFIX)authsvc-$(ARCH):$(TAG)
-	docker push $(PREFIX)echosvc-$(ARCH):$(TAG)
-
-clean:
-	rm -f authsvc/authsvc echosvc/echosvc
-
diff --git a/docs/examples/customization/external-auth-headers/deploy/auth-service.yaml b/docs/examples/customization/external-auth-headers/auth-service.yaml
similarity index 90%
rename from docs/examples/customization/external-auth-headers/deploy/auth-service.yaml
rename to docs/examples/customization/external-auth-headers/auth-service.yaml
index 3a5dff12c..faa345921 100644
--- a/docs/examples/customization/external-auth-headers/deploy/auth-service.yaml
+++ b/docs/examples/customization/external-auth-headers/auth-service.yaml
@@ -18,7 +18,7 @@ spec:
       terminationGracePeriodSeconds: 60
       containers:
       - name: auth-service
-        image: electroma/ingress-demo-authsvc-amd64:0.1
+        image: gcr.io/k8s-staging-ingress-nginx/ext-auth-example-authsvc:v1.0.0
         ports:
         - containerPort: 8080
         resources:
diff --git a/docs/examples/customization/external-auth-headers/authsvc/Dockerfile b/docs/examples/customization/external-auth-headers/authsvc/Dockerfile
deleted file mode 100644
index 90e6ec2cb..000000000
--- a/docs/examples/customization/external-auth-headers/authsvc/Dockerfile
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM alpine:3.10
-MAINTAINER Roman Safronov <electroma@gmail.com>
-COPY authsvc /
-EXPOSE 8080
-ENTRYPOINT ["/authsvc"]
diff --git a/docs/examples/customization/external-auth-headers/deploy/echo-service.yaml b/docs/examples/customization/external-auth-headers/echo-service.yaml
similarity index 96%
rename from docs/examples/customization/external-auth-headers/deploy/echo-service.yaml
rename to docs/examples/customization/external-auth-headers/echo-service.yaml
index 9881ac8d0..636aaded1 100644
--- a/docs/examples/customization/external-auth-headers/deploy/echo-service.yaml
+++ b/docs/examples/customization/external-auth-headers/echo-service.yaml
@@ -18,7 +18,7 @@ spec:
       terminationGracePeriodSeconds: 60
       containers:
       - name: echo-service
-        image: electroma/ingress-demo-echosvc-amd64:0.1
+        image: gcr.io/k8s-staging-ingress-nginx/e2e-test-echo:v1.0.0
         ports:
         - containerPort: 8080
         resources:
diff --git a/docs/examples/customization/external-auth-headers/echosvc/Dockerfile b/docs/examples/customization/external-auth-headers/echosvc/Dockerfile
deleted file mode 100644
index 04e4ead42..000000000
--- a/docs/examples/customization/external-auth-headers/echosvc/Dockerfile
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM alpine:3.10
-MAINTAINER Roman Safronov <electroma@gmail.com>
-COPY echosvc /
-EXPOSE 8080
-ENTRYPOINT ["/echosvc"]
diff --git a/docs/examples/customization/external-auth-headers/echosvc/echosvc.go b/docs/examples/customization/external-auth-headers/echosvc/echosvc.go
deleted file mode 100644
index ba9702aa0..000000000
--- a/docs/examples/customization/external-auth-headers/echosvc/echosvc.go
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"fmt"
-	"net/http"
-)
-
-func handler(w http.ResponseWriter, r *http.Request) {
-	fmt.Fprintf(w, "UserID: %s, UserRole: %s", r.Header.Get("UserID"), r.Header.Get("UserRole"))
-}
-
-// Sample  "echo" service displaying UserID and UserRole HTTP request headers
-func main() {
-	http.HandleFunc("/", handler)
-	http.ListenAndServe(":8080", nil)
-}
diff --git a/images/echo/Makefile b/images/echo/Makefile
index 7a93aec25..38a341146 100644
--- a/images/echo/Makefile
+++ b/images/echo/Makefile
@@ -18,7 +18,7 @@ SHELL=/bin/bash -o pipefail -o errexit
 DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))))
 INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh
 
-TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD)
+TAG ?=v1.0.0
 REGISTRY ?= local
 
 IMAGE = $(REGISTRY)/e2e-test-echo
diff --git a/images/ext-auth-example-authsvc/Makefile b/images/ext-auth-example-authsvc/Makefile
new file mode 100644
index 000000000..85d2f8e6b
--- /dev/null
+++ b/images/ext-auth-example-authsvc/Makefile
@@ -0,0 +1,55 @@
+# Copyright 2022 The Kubernetes Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# set default shell
+SHELL=/bin/bash -o pipefail -o errexit
+
+DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))))
+INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh
+
+TAG ?=v1.0.0
+REGISTRY ?= local
+
+IMAGE = $(REGISTRY)/ext-auth-example-authsvc
+
+# required to enable buildx
+export DOCKER_CLI_EXPERIMENTAL=enabled
+
+# build with buildx
+PLATFORMS?=linux/amd64,linux/arm,linux/arm64,linux/s390x
+OUTPUT=
+PROGRESS=plain
+
+build: ensure-buildx
+	docker buildx build \
+		--platform=${PLATFORMS} $(OUTPUT) \
+		--progress=$(PROGRESS) \
+		--pull \
+		-t $(IMAGE):$(TAG) rootfs
+
+# push the cross built image
+push: OUTPUT=--push
+push: build
+
+# enable buildx
+ensure-buildx:
+# this is required for cloudbuild
+ifeq ("$(wildcard $(INIT_BUILDX))","")
+	@curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/hack/init-buildx.sh | bash
+else
+	@exec $(INIT_BUILDX)
+endif
+	@echo "done"
+
+.PHONY: build push ensure-buildx
diff --git a/images/ext-auth-example-authsvc/cloudbuild.yaml b/images/ext-auth-example-authsvc/cloudbuild.yaml
new file mode 100644
index 000000000..b92b9c877
--- /dev/null
+++ b/images/ext-auth-example-authsvc/cloudbuild.yaml
@@ -0,0 +1,24 @@
+timeout: 1200s
+options:
+  substitution_option: ALLOW_LOOSE
+  # job builds a multi-arch docker image for amd64,arm,arm64 and s390x.
+  machineType: N1_HIGHCPU_8
+steps:
+  - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90
+    entrypoint: bash
+    env:
+      - DOCKER_CLI_EXPERIMENTAL=enabled
+      - TAG=$_GIT_TAG
+      - BASE_REF=$_PULL_BASE_REF
+      - REGISTRY=gcr.io/k8s-staging-ingress-nginx
+      # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx
+      # set the home to /root explicitly to if using docker buildx
+      - HOME=/root
+    args:
+    - -c
+    - |
+      gcloud auth configure-docker \
+      && make push
+substitutions:
+  _GIT_TAG: "12345"
+  _PULL_BASE_REF: "master"
diff --git a/images/ext-auth-example-authsvc/rootfs/Dockerfile b/images/ext-auth-example-authsvc/rootfs/Dockerfile
new file mode 100644
index 000000000..ee2737286
--- /dev/null
+++ b/images/ext-auth-example-authsvc/rootfs/Dockerfile
@@ -0,0 +1,10 @@
+FROM golang:1.17.6-alpine3.15 as builder
+RUN mkdir /authsvc
+WORKDIR /authsvc
+COPY . ./
+RUN CGO_ENABLED=0 GOOS=linux go build -o authsvc authsvc.go
+
+FROM gcr.io/distroless/base-debian11
+COPY --from=builder /authsvc/authsvc /
+EXPOSE 8080
+ENTRYPOINT ["/authsvc"]
\ No newline at end of file
diff --git a/docs/examples/customization/external-auth-headers/authsvc/authsvc.go b/images/ext-auth-example-authsvc/rootfs/authsvc.go
similarity index 100%
rename from docs/examples/customization/external-auth-headers/authsvc/authsvc.go
rename to images/ext-auth-example-authsvc/rootfs/authsvc.go
diff --git a/images/ext-auth-example-authsvc/rootfs/go.mod b/images/ext-auth-example-authsvc/rootfs/go.mod
new file mode 100644
index 000000000..72f2a1049
--- /dev/null
+++ b/images/ext-auth-example-authsvc/rootfs/go.mod
@@ -0,0 +1,8 @@
+module example.com/authsvc
+
+go 1.17
+
+require (
+	github.com/google/uuid v1.1.2 // indirect
+	k8s.io/apimachinery v0.23.1 // indirect
+)
diff --git a/images/ext-auth-example-authsvc/rootfs/go.sum b/images/ext-auth-example-authsvc/rootfs/go.sum
new file mode 100644
index 000000000..6e3fab295
--- /dev/null
+++ b/images/ext-auth-example-authsvc/rootfs/go.sum
@@ -0,0 +1,215 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
+github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
+github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
+github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
+github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
+github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
+github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y=
+github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
+github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA=
+github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
+github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
+github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
+github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
+github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
+github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
+github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
+google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+k8s.io/apimachinery v0.23.1 h1:sfBjlDFwj2onG0Ijx5C+SrAoeUscPrmghm7wHP+uXlo=
+k8s.io/apimachinery v0.23.1/go.mod h1:SADt2Kl8/sttJ62RRsi9MIV4o8f5S3coArm0Iu3fBno=
+k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
+k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
+k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
+k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
+k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk=
+k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs=
+sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
+sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=
+sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=

From f192ed0ed75dd3315bab782743078ba858bf828b Mon Sep 17 00:00:00 2001
From: Tim Borkhodoev <38668303+SomalianIvan@users.noreply.github.com>
Date: Tue, 22 Mar 2022 21:53:58 -0400
Subject: [PATCH 362/376] bump luarocks to 3.8.0 (#8379)

---
 images/echo/Makefile        | 4 ++--
 images/test-runner/Makefile | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/images/echo/Makefile b/images/echo/Makefile
index 38a341146..9131d608d 100644
--- a/images/echo/Makefile
+++ b/images/echo/Makefile
@@ -37,8 +37,8 @@ build: ensure-buildx
 		--progress=$(PROGRESS) \
 		--pull \
 		--build-arg BASE_IMAGE=k8s.gcr.io/ingress-nginx/nginx:v20210926-g5662db450@sha256:1ef404b5e8741fe49605a1f40c3fdd8ef657aecdb9526ea979d1672eeabd0cd9 \
-		--build-arg LUAROCKS_VERSION=3.3.1 \
-		--build-arg LUAROCKS_SHA=837481e408f7c06b59befe7ec194537c657687d624894bca7f79034302141a34 \
+		--build-arg LUAROCKS_VERSION=3.8.0 \
+		--build-arg LUAROCKS_SHA=ab6612ca9ab87c6984871d2712d05525775e8b50172701a0a1cabddf76de2be7 \
 		-t $(IMAGE):$(TAG) rootfs
 
 # push the cross built image
diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile
index 4caebebd3..bf7df8625 100644
--- a/images/test-runner/Makefile
+++ b/images/test-runner/Makefile
@@ -44,8 +44,8 @@ build: ensure-buildx
 		--build-arg K8S_RELEASE=v1.21.3 \
 		--build-arg RESTY_CLI_VERSION=0.27 \
 		--build-arg RESTY_CLI_SHA=e5f4f3128af49ba5c4d039d0554e5ae91bbe05866f60eccfa96d3653274bff90 \
-		--build-arg LUAROCKS_VERSION=3.3.1 \
-		--build-arg LUAROCKS_SHA=837481e408f7c06b59befe7ec194537c657687d624894bca7f79034302141a34 \
+		--build-arg LUAROCKS_VERSION=3.8.0 \
+		--build-arg LUAROCKS_SHA=ab6612ca9ab87c6984871d2712d05525775e8b50172701a0a1cabddf76de2be7 \
 		--build-arg CHART_TESTING_VERSION=3.0.0 \
 		--build-arg YAML_LINT_VERSION=1.13.0 \
 		--build-arg YAMALE_VERSION=1.8.0 \

From b6c7061e07423938410a175a5c295497ffe5f4ba Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 23 Mar 2022 12:45:20 -0700
Subject: [PATCH 363/376] Bump github.com/stretchr/testify from 1.7.0 to 1.7.1
 (#8360)

Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.7.0 to 1.7.1.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.7.0...v1.7.1)

---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/go.mod b/go.mod
index 98d374bf0..0def711f4 100644
--- a/go.mod
+++ b/go.mod
@@ -23,7 +23,7 @@ require (
 	github.com/prometheus/common v0.32.1
 	github.com/spf13/cobra v1.3.0
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.7.0
+	github.com/stretchr/testify v1.7.1
 	github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a
 	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
 	golang.org/x/net v0.0.0-20211209124913-491a49abca63
diff --git a/go.sum b/go.sum
index 573fc3f84..f82322a19 100644
--- a/go.sum
+++ b/go.sum
@@ -636,8 +636,9 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=

From 5298448865bd6bc742ca3eacd52e8bdb9a3eda81 Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Fri, 25 Mar 2022 13:21:58 -0400
Subject: [PATCH 364/376] downgrade to 3.14.4 and fix tag (#8386)

Signed-off-by: James Strong <strong.james.e@gmail.com>
---
 TAG                            | 2 +-
 images/nginx/rootfs/Dockerfile | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/TAG b/TAG
index 99a4aef0c..0f1acbd56 100644
--- a/TAG
+++ b/TAG
@@ -1 +1 @@
-v1.1.3
+v1.1.2
diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile
index a3c4831bb..0cb0119a4 100644
--- a/images/nginx/rootfs/Dockerfile
+++ b/images/nginx/rootfs/Dockerfile
@@ -11,7 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM alpine:3.15.0 as builder
+FROM alpine:3.14.4 as builder
 
 COPY . /
 
@@ -21,7 +21,7 @@ RUN apk update \
   && /build.sh
 
 # Use a multi-stage build
-FROM alpine:3.15.0
+FROM alpine:3.14.4
 
 ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin
 

From 08fcd942c7fa141d806cf689a57e0e2b65f235a7 Mon Sep 17 00:00:00 2001
From: Tomoyuki KOYAMA <tomoyk@users.noreply.github.com>
Date: Mon, 28 Mar 2022 18:29:23 +0900
Subject: [PATCH 365/376] fix code highlight (#8392)

---
 docs/user-guide/monitoring.md | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md
index b8df59980..56eac8048 100644
--- a/docs/user-guide/monitoring.md
+++ b/docs/user-guide/monitoring.md
@@ -40,7 +40,7 @@ This tutorial will show you how to install [Prometheus](https://prometheus.io/)
       service:
         annotations:
           prometheus.io/port: "10254"
-          prometheus.io/scrape: "true" 
+          prometheus.io/scrape: "true"
   ..
   ```
    - If you are **not using helm**, you will have to edit your manifests like this:
@@ -61,7 +61,6 @@ This tutorial will show you how to install [Prometheus](https://prometheus.io/)
              ..
 
        ```
-       
       - Deployment manifest:
          ```
          apiVersion: v1
@@ -76,8 +75,7 @@ This tutorial will show you how to install [Prometheus](https://prometheus.io/)
              - name: prometheus
                containerPort: 10254
                ..
-
-           ```
+         ```
 
 
 ### Deploy and configure Prometheus Server

From 9960efe1e9a9c6e944967b52e1a8a7b7b659874d Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Mon, 28 Mar 2022 10:49:23 -0400
Subject: [PATCH 366/376] remove (#8394)

Signed-off-by: James Strong <strong.james.e@gmail.com>
---
 images/nginx/cloudbuild.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/images/nginx/cloudbuild.yaml b/images/nginx/cloudbuild.yaml
index 0b81aa8d6..3e3d13579 100644
--- a/images/nginx/cloudbuild.yaml
+++ b/images/nginx/cloudbuild.yaml
@@ -9,7 +9,7 @@ steps:
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled
       - BASE_REF=$_PULL_BASE_REF
-      - TAG=$_GIT_TAG
+      - TAG=$_PULL_BASE_SHA
       - REGISTRY=gcr.io/k8s-staging-ingress-nginx
       - HOME=/root
     args:
@@ -20,3 +20,4 @@ steps:
 substitutions:
   _GIT_TAG: "12345"
   _PULL_BASE_REF: "master"
+  _PULL_BASE_SHA: '12345'

From 244d1dbcb0741b226d86c782c05ad4189af617d3 Mon Sep 17 00:00:00 2001
From: Damien Mathieu <42@dmathieu.com>
Date: Tue, 29 Mar 2022 10:28:48 +0200
Subject: [PATCH 367/376] ensure module directory exists before moving the
 library there

---
 images/opentelemetry/rootfs/init_module.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/images/opentelemetry/rootfs/init_module.sh b/images/opentelemetry/rootfs/init_module.sh
index f1e4b27d7..bac5e64aa 100755
--- a/images/opentelemetry/rootfs/init_module.sh
+++ b/images/opentelemetry/rootfs/init_module.sh
@@ -18,4 +18,5 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
+mkdir -p /modules_mount/etc/nginx/modules
 cp -R /etc/nginx/modules /modules_mount/etc/nginx/modules

From 79aa43540c67037ceae494a2f655adb00671ead3 Mon Sep 17 00:00:00 2001
From: Damien Mathieu <42@dmathieu.com>
Date: Tue, 29 Mar 2022 12:07:43 +0200
Subject: [PATCH 368/376] fix build and upgrade otel to latest version

---
 images/opentelemetry/rootfs/Dockerfile |  2 +-
 images/opentelemetry/rootfs/build.sh   | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/images/opentelemetry/rootfs/Dockerfile b/images/opentelemetry/rootfs/Dockerfile
index cea4270d6..84f5a3e7c 100644
--- a/images/opentelemetry/rootfs/Dockerfile
+++ b/images/opentelemetry/rootfs/Dockerfile
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 
-FROM alpine:3.15.0 as builder
+FROM alpine:3.14.4 as builder
 
 COPY . /
 
diff --git a/images/opentelemetry/rootfs/build.sh b/images/opentelemetry/rootfs/build.sh
index aab2abbd0..67d1e67b2 100755
--- a/images/opentelemetry/rootfs/build.sh
+++ b/images/opentelemetry/rootfs/build.sh
@@ -20,11 +20,11 @@ set -o pipefail
 
 export NGINX_VERSION=1.19.10
 
-# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.0.0...main
-export OPENTELEMETRY_CPP_VERSION=1.0.0
+# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.2.0...main
+export OPENTELEMETRY_CPP_VERSION=1.2.0
 
-# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp-contrib/compare/f4850...main
-export OPENTELEMETRY_CONTRIB_COMMIT=f48500884b1b32efc456790bbcdc2e6cf7a8e630
+# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp-contrib/compare/2656a4...main
+export OPENTELEMETRY_CONTRIB_COMMIT=2656a4072e257b6794da86ddd1b773b49f5517b3
 
 export BUILD_PATH=/tmp/build
 
@@ -63,7 +63,7 @@ get_src()
 get_src e8d0290ff561986ad7cd6c33307e12e11b137186c4403a6a5ccdb4914c082d88 \
         "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz"
 
-get_src 45c52498788e47131b20a4786dbb08f4390b8cb419bd3d61c88b503cafff3324 \
+get_src 360cdcbd1a235ec62119cc53956b2d31b6ff5f41d44415be53acc544709d58b8 \
         "https://github.com/open-telemetry/opentelemetry-cpp-contrib/archive/$OPENTELEMETRY_CONTRIB_COMMIT.tar.gz"
 
 # improve compilation times

From 5402d35663917ccbbf77ff48a22b8c6f77097f48 Mon Sep 17 00:00:00 2001
From: Aditya Kamath <theunrealgeek@gmail.com>
Date: Thu, 31 Mar 2022 03:37:01 -0700
Subject: [PATCH 369/376] Add execute permissions to nginx image entrypoint.sh
 (#8403)

---
 images/nginx/rootfs/entrypoint.sh | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 images/nginx/rootfs/entrypoint.sh

diff --git a/images/nginx/rootfs/entrypoint.sh b/images/nginx/rootfs/entrypoint.sh
old mode 100644
new mode 100755

From 87979099fd53ea1557da4b72cbc07a0e5fd1373b Mon Sep 17 00:00:00 2001
From: Long Wu Yuan <longwuyuan@gmail.com>
Date: Thu, 31 Mar 2022 16:55:00 +0530
Subject: [PATCH 370/376] set execute bit on entrypoint.sh (#8404)

---
 images/nginx/rootfs/Dockerfile | 55 +++++++++++++++++-----------------
 1 file changed, 28 insertions(+), 27 deletions(-)

diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile
index 0cb0119a4..ccf70f143 100644
--- a/images/nginx/rootfs/Dockerfile
+++ b/images/nginx/rootfs/Dockerfile
@@ -33,41 +33,42 @@ COPY --from=builder /opt /opt
 COPY --from=builder /etc/nginx /etc/nginx
 COPY --from=builder entrypoint.sh /usr/local/entrypoint.sh
 
-RUN apk update \
+RUN chmod +x /usr/local/entrypoint.sh \
+  && apk update \
   && apk upgrade \
   && apk add -U --no-cache \
-    bash \
-    openssl \
-    pcre \
-    zlib \
-    geoip \
-    curl \
-    ca-certificates \
-    patch \
-    yajl \
-    lmdb \
-    libxml2 \
-    libmaxminddb \
-    yaml-cpp \
-    dumb-init \
-    nano \
-    tzdata \
+  bash \
+  openssl \
+  pcre \
+  zlib \
+  geoip \
+  curl \
+  ca-certificates \
+  patch \
+  yajl \
+  lmdb \
+  libxml2 \
+  libmaxminddb \
+  yaml-cpp \
+  dumb-init \
+  nano \
+  tzdata \
   && ln -s /usr/local/nginx/sbin/nginx /sbin/nginx \
   && adduser -S -D -H -u 101 -h /usr/local/nginx \
-    -s /sbin/nologin -G www-data -g www-data www-data \
+  -s /sbin/nologin -G www-data -g www-data www-data \
   && bash -eu -c ' \
   writeDirs=( \
-    /var/log/nginx \
-    /var/lib/nginx/body \
-    /var/lib/nginx/fastcgi \
-    /var/lib/nginx/proxy \
-    /var/lib/nginx/scgi \
-    /var/lib/nginx/uwsgi \
-    /var/log/audit \
+  /var/log/nginx \
+  /var/lib/nginx/body \
+  /var/lib/nginx/fastcgi \
+  /var/lib/nginx/proxy \
+  /var/lib/nginx/scgi \
+  /var/lib/nginx/uwsgi \
+  /var/log/audit \
   ); \
   for dir in "${writeDirs[@]}"; do \
-    mkdir -p ${dir}; \
-    chown -R www-data.www-data ${dir}; \
+  mkdir -p ${dir}; \
+  chown -R www-data.www-data ${dir}; \
   done'
 
 EXPOSE 80 443

From f1cb2b73cae4f68f5fcf7df74654adef045910ff Mon Sep 17 00:00:00 2001
From: Aditya Kamath <theunrealgeek@gmail.com>
Date: Thu, 31 Mar 2022 13:43:04 -0700
Subject: [PATCH 371/376] update nginx base image to new alpine 3.14.4 build -
 try 2 (#8409)

* update nginx base image to new alpine 3.14.4 build

Signed-off-by: James Strong <strong.james.e@gmail.com>

* update test image

Signed-off-by: James Strong <strong.james.e@gmail.com>

* Update nginx base image

Signed-off-by: Aditya Kamath <theunrealgeek@gmail.com>

Co-authored-by: James Strong <strong.james.e@gmail.com>
---
 Makefile                         | 2 +-
 images/echo/Makefile             | 2 +-
 images/nginx/README.md           | 2 +-
 images/nginx/rc.yaml             | 2 +-
 images/test-runner/Makefile      | 2 +-
 test/e2e-image/Dockerfile        | 2 +-
 test/e2e/framework/deployment.go | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/Makefile b/Makefile
index b1c90e0f1..d7ae2adfb 100644
--- a/Makefile
+++ b/Makefile
@@ -51,7 +51,7 @@ endif
 
 REGISTRY ?= gcr.io/k8s-staging-ingress-nginx
 
-BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210926-g5662db450@sha256:1ef404b5e8741fe49605a1f40c3fdd8ef657aecdb9526ea979d1672eeabd0cd9
+BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:5402d35663917ccbbf77ff48a22b8c6f77097f48@sha256:ec8a104df307f5c6d68157b7ac8e5e1e2c2f0ea07ddf25bb1c6c43c67e351180
 
 GOARCH=$(ARCH)
 
diff --git a/images/echo/Makefile b/images/echo/Makefile
index 9131d608d..01d532731 100644
--- a/images/echo/Makefile
+++ b/images/echo/Makefile
@@ -36,7 +36,7 @@ build: ensure-buildx
 		--platform=${PLATFORMS} $(OUTPUT) \
 		--progress=$(PROGRESS) \
 		--pull \
-		--build-arg BASE_IMAGE=k8s.gcr.io/ingress-nginx/nginx:v20210926-g5662db450@sha256:1ef404b5e8741fe49605a1f40c3fdd8ef657aecdb9526ea979d1672eeabd0cd9 \
+		--build-arg BASE_IMAGE=k8s.gcr.io/ingress-nginx/nginx:5402d35663917ccbbf77ff48a22b8c6f77097f48@sha256:ec8a104df307f5c6d68157b7ac8e5e1e2c2f0ea07ddf25bb1c6c43c67e351180 \
 		--build-arg LUAROCKS_VERSION=3.8.0 \
 		--build-arg LUAROCKS_SHA=ab6612ca9ab87c6984871d2712d05525775e8b50172701a0a1cabddf76de2be7 \
 		-t $(IMAGE):$(TAG) rootfs
diff --git a/images/nginx/README.md b/images/nginx/README.md
index 376948743..8bd1469dd 100644
--- a/images/nginx/README.md
+++ b/images/nginx/README.md
@@ -20,6 +20,6 @@ This image provides a default configuration file with no backend servers.
 _Using docker_
 
 ```console
-docker run -v /some/nginx.conf:/etc/nginx/nginx.conf:ro k8s.gcr.io/ingress-nginx/nginx:v20210926-g5662db450@sha256:1ef404b5e8741fe49605a1f40c3fdd8ef657aecdb9526ea979d1672eeabd0cd9
+docker run -v /some/nginx.conf:/etc/nginx/nginx.conf:ro k8s.gcr.io/ingress-nginx/nginx:5402d35663917ccbbf77ff48a22b8c6f77097f48@sha256:ec8a104df307f5c6d68157b7ac8e5e1e2c2f0ea07ddf25bb1c6c43c67e351180
 ```
 
diff --git a/images/nginx/rc.yaml b/images/nginx/rc.yaml
index 043d7bfe4..cf9c59d15 100644
--- a/images/nginx/rc.yaml
+++ b/images/nginx/rc.yaml
@@ -38,7 +38,7 @@ spec:
     spec:
       containers:
         - name: nginx
-          image: k8s.gcr.io/ingress-nginx/nginx:v20210926-g5662db450@sha256:1ef404b5e8741fe49605a1f40c3fdd8ef657aecdb9526ea979d1672eeabd0cd9
+          image: k8s.gcr.io/ingress-nginx/nginx:5402d35663917ccbbf77ff48a22b8c6f77097f48@sha256:ec8a104df307f5c6d68157b7ac8e5e1e2c2f0ea07ddf25bb1c6c43c67e351180
           ports:
             - containerPort: 80
             - containerPort: 443
diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile
index bf7df8625..038d689b7 100644
--- a/images/test-runner/Makefile
+++ b/images/test-runner/Makefile
@@ -23,7 +23,7 @@ REGISTRY ?= local
 
 IMAGE = $(REGISTRY)/e2e-test-runner
 
-NGINX_BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210926-g5662db450@sha256:1ef404b5e8741fe49605a1f40c3fdd8ef657aecdb9526ea979d1672eeabd0cd9
+NGINX_BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:5402d35663917ccbbf77ff48a22b8c6f77097f48@sha256:ec8a104df307f5c6d68157b7ac8e5e1e2c2f0ea07ddf25bb1c6c43c67e351180
 
 # required to enable buildx
 export DOCKER_CLI_EXPERIMENTAL=enabled
diff --git a/test/e2e-image/Dockerfile b/test/e2e-image/Dockerfile
index e53d02242..4daece323 100644
--- a/test/e2e-image/Dockerfile
+++ b/test/e2e-image/Dockerfile
@@ -1,6 +1,6 @@
 FROM k8s.gcr.io/ingress-nginx/e2e-test-runner:v20220110-gfd820db46@sha256:273f7d9b1b2297cd96b4d51600e45d932186a1cc79d00d179dfb43654112fe8f AS BASE
 
-FROM alpine:3.12
+FROM alpine:3.14.4
 
 RUN apk add -U --no-cache \
     ca-certificates \
diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go
index 3775af8bc..0e886aff5 100644
--- a/test/e2e/framework/deployment.go
+++ b/test/e2e/framework/deployment.go
@@ -38,7 +38,7 @@ const SlowEchoService = "slow-echo"
 const HTTPBinService = "httpbin"
 
 // NginxBaseImage use for testing
-const NginxBaseImage = "k8s.gcr.io/ingress-nginx/nginx:v20210926-g5662db450@sha256:1ef404b5e8741fe49605a1f40c3fdd8ef657aecdb9526ea979d1672eeabd0cd9"
+const NginxBaseImage = "k8s.gcr.io/ingress-nginx/nginx:5402d35663917ccbbf77ff48a22b8c6f77097f48@sha256:ec8a104df307f5c6d68157b7ac8e5e1e2c2f0ea07ddf25bb1c6c43c67e351180"
 
 type deploymentOptions struct {
 	namespace string

From e5b028a75d2f905117fe278c240632e3307b367a Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Thu, 31 Mar 2022 17:08:30 -0400
Subject: [PATCH 372/376] update tag to 1.1.3 to kick off controller-v1.1.3
 build

Signed-off-by: James Strong <strong.james.e@gmail.com>
---
 TAG | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/TAG b/TAG
index 0f1acbd56..99a4aef0c 100644
--- a/TAG
+++ b/TAG
@@ -1 +1 @@
-v1.1.2
+v1.1.3

From 230d8e67921c5747cc29baf230ba09431bcbfc4c Mon Sep 17 00:00:00 2001
From: David Jansen <39294842+dajsn@users.noreply.github.com>
Date: Fri, 1 Apr 2022 03:18:38 +0200
Subject: [PATCH 373/376] doc: fix deployment manifest example (#8407)

---
 docs/user-guide/monitoring.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md
index 56eac8048..048607cd5 100644
--- a/docs/user-guide/monitoring.md
+++ b/docs/user-guide/monitoring.md
@@ -64,8 +64,8 @@ This tutorial will show you how to install [Prometheus](https://prometheus.io/)
       - Deployment manifest:
          ```
          apiVersion: v1
-         metadata:
          kind: Deployment
+         metadata:
           annotations:
             prometheus.io/scrape: "true"
             prometheus.io/port: "10254"

From b9f50e691d36af5ad1194a6855fb1df0c0d8af53 Mon Sep 17 00:00:00 2001
From: LongWuYuan <longwuyuan@gmail.com>
Date: Fri, 1 Apr 2022 17:07:08 +0530
Subject: [PATCH 374/376] base img update for e2e-test-runner & opentelemetry

---
 build/run-in-docker.sh           |  2 +-
 charts/ingress-nginx/values.yaml |  4 ++--
 test/e2e-image/Dockerfile        | 14 +++++++-------
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh
index e89abe9d8..60c566941 100755
--- a/build/run-in-docker.sh
+++ b/build/run-in-docker.sh
@@ -37,7 +37,7 @@ function cleanup {
 }
 trap cleanup EXIT
 
-E2E_IMAGE=${E2E_IMAGE:-k8s.gcr.io/ingress-nginx/e2e-test-runner:v20220110-gfd820db46@sha256:273f7d9b1b2297cd96b4d51600e45d932186a1cc79d00d179dfb43654112fe8f}
+E2E_IMAGE=${E2E_IMAGE:-k8s.gcr.io/ingress-nginx/e2e-test-runner:v20220331-controller-v1.1.2-31-gf1cb2b73c@sha256:baa326f5c726d65be828852943a259c1f0572883590b9081b7e8fa982d64d96e}
 
 DOCKER_OPTS=${DOCKER_OPTS:-}
 DOCKER_IN_DOCKER_ENABLED=${DOCKER_IN_DOCKER_ENABLED:-}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index a8b002516..f355e5eaa 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -575,8 +575,8 @@ controller:
 
   extraModules: []
   ## Modules, which are mounted into the core nginx image
-  # - name: opentelemetry
-  #   image: busybox
+  # - name: opentelemetry:v20220331-controller-v1.1.2-36-g7517b7ecf@sha256:e3f635474b5da24ccd0ea6b078fb190dae68b8b4a44b52bea19ec2561f0102ec
+  #   image: k8s.gcr.io/ingress-nginx/opentelemetry:
   #
   # The image must contain a `/usr/local/bin/init_module.sh` executable, which
   # will be executed as initContainers, to move its config files within the
diff --git a/test/e2e-image/Dockerfile b/test/e2e-image/Dockerfile
index 4daece323..002a002cd 100644
--- a/test/e2e-image/Dockerfile
+++ b/test/e2e-image/Dockerfile
@@ -1,14 +1,14 @@
-FROM k8s.gcr.io/ingress-nginx/e2e-test-runner:v20220110-gfd820db46@sha256:273f7d9b1b2297cd96b4d51600e45d932186a1cc79d00d179dfb43654112fe8f AS BASE
+FROM k8s.gcr.io/ingress-nginx/e2e-test-runner:v20220331-controller-v1.1.2-31-gf1cb2b73c@sha256:baa326f5c726d65be828852943a259c1f0572883590b9081b7e8fa982d64d96e AS BASE
 
 FROM alpine:3.14.4
 
 RUN apk add -U --no-cache \
-    ca-certificates \
-    bash \
-    curl \
-    tzdata \
-    libc6-compat \
-    openssl
+  ca-certificates \
+  bash \
+  curl \
+  tzdata \
+  libc6-compat \
+  openssl
 
 COPY --from=BASE /go/bin/ginkgo /usr/local/bin/
 COPY --from=BASE /usr/local/bin/helm /usr/local/bin/

From ac3b86b2c386c9a27297fdfb91ebf09dbe6056ed Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Fri, 1 Apr 2022 12:14:46 -0400
Subject: [PATCH 375/376] release 1.1.3 details (#8411)

* release 1.1.3 details
fix the readme with right sha and version
remove helm label
fix issue 8329
fix the 1.20 service after the fix for ipv6
udpate readme and change for patches

* update helm doc

Signed-off-by: James Strong <strong.james.e@gmail.com>
---
 .gitignore                                    |   1 +
 Changelog.md                                  |  38 +++++++
 README.md                                     |  32 +++---
 charts/ingress-nginx/Chart.yaml               |  11 +-
 charts/ingress-nginx/README.md                |   6 +-
 .../templates/controller-service.yaml         |   4 +-
 charts/ingress-nginx/values.yaml              |   4 +-
 deploy/static/provider/aws/1.19/deploy.yaml   | 103 ++++-------------
 .../provider/aws/1.19/kustomization.yaml      |   2 +-
 deploy/static/provider/aws/1.20/deploy.yaml   | 106 ++++-------------
 .../provider/aws/1.20/kustomization.yaml      |   2 +-
 deploy/static/provider/aws/1.21/deploy.yaml   | 103 ++++-------------
 .../provider/aws/1.21/kustomization.yaml      |   2 +-
 deploy/static/provider/aws/1.22/deploy.yaml   | 103 ++++-------------
 .../provider/aws/1.22/kustomization.yaml      |   2 +-
 deploy/static/provider/aws/1.23/deploy.yaml   | 103 ++++-------------
 .../provider/aws/1.23/kustomization.yaml      |   2 +-
 deploy/static/provider/aws/deploy.yaml        | 107 ++++--------------
 deploy/static/provider/aws/kustomization.yaml |   2 +-
 .../nlb-with-tls-termination/1.19/deploy.yaml | 103 ++++-------------
 .../1.19/kustomization.yaml                   |   2 +-
 .../nlb-with-tls-termination/1.20/deploy.yaml | 106 ++++-------------
 .../1.20/kustomization.yaml                   |   2 +-
 .../nlb-with-tls-termination/1.21/deploy.yaml | 103 ++++-------------
 .../1.21/kustomization.yaml                   |   2 +-
 .../nlb-with-tls-termination/1.22/deploy.yaml | 103 ++++-------------
 .../1.22/kustomization.yaml                   |   2 +-
 .../nlb-with-tls-termination/1.23/deploy.yaml | 103 ++++-------------
 .../1.23/kustomization.yaml                   |   2 +-
 .../aws/nlb-with-tls-termination/deploy.yaml  | 107 ++++--------------
 .../kustomization.yaml                        |   2 +-
 .../provider/baremetal/1.19/deploy.yaml       | 103 ++++-------------
 .../baremetal/1.19/kustomization.yaml         |   2 +-
 .../provider/baremetal/1.20/deploy.yaml       | 106 ++++-------------
 .../baremetal/1.20/kustomization.yaml         |   2 +-
 .../provider/baremetal/1.21/deploy.yaml       | 103 ++++-------------
 .../baremetal/1.21/kustomization.yaml         |   2 +-
 .../provider/baremetal/1.22/deploy.yaml       | 103 ++++-------------
 .../baremetal/1.22/kustomization.yaml         |   2 +-
 .../provider/baremetal/1.23/deploy.yaml       | 103 ++++-------------
 .../baremetal/1.23/kustomization.yaml         |   2 +-
 deploy/static/provider/baremetal/deploy.yaml  | 107 ++++--------------
 .../provider/baremetal/kustomization.yaml     |   2 +-
 deploy/static/provider/cloud/1.19/deploy.yaml | 103 ++++-------------
 .../provider/cloud/1.19/kustomization.yaml    |   2 +-
 deploy/static/provider/cloud/1.20/deploy.yaml | 106 ++++-------------
 .../provider/cloud/1.20/kustomization.yaml    |   2 +-
 deploy/static/provider/cloud/1.21/deploy.yaml | 103 ++++-------------
 .../provider/cloud/1.21/kustomization.yaml    |   2 +-
 deploy/static/provider/cloud/1.22/deploy.yaml | 103 ++++-------------
 .../provider/cloud/1.22/kustomization.yaml    |   2 +-
 deploy/static/provider/cloud/1.23/deploy.yaml | 103 ++++-------------
 .../provider/cloud/1.23/kustomization.yaml    |   2 +-
 deploy/static/provider/cloud/deploy.yaml      | 107 ++++--------------
 .../static/provider/cloud/kustomization.yaml  |   2 +-
 deploy/static/provider/do/1.19/deploy.yaml    | 103 ++++-------------
 .../provider/do/1.19/kustomization.yaml       |   2 +-
 deploy/static/provider/do/1.20/deploy.yaml    | 106 ++++-------------
 .../provider/do/1.20/kustomization.yaml       |   2 +-
 deploy/static/provider/do/1.21/deploy.yaml    | 103 ++++-------------
 .../provider/do/1.21/kustomization.yaml       |   2 +-
 deploy/static/provider/do/1.22/deploy.yaml    | 103 ++++-------------
 .../provider/do/1.22/kustomization.yaml       |   2 +-
 deploy/static/provider/do/1.23/deploy.yaml    | 103 ++++-------------
 .../provider/do/1.23/kustomization.yaml       |   2 +-
 deploy/static/provider/do/deploy.yaml         | 107 ++++--------------
 deploy/static/provider/do/kustomization.yaml  |   2 +-
 .../static/provider/exoscale/1.19/deploy.yaml | 103 ++++-------------
 .../provider/exoscale/1.19/kustomization.yaml |   2 +-
 .../static/provider/exoscale/1.20/deploy.yaml | 106 ++++-------------
 .../provider/exoscale/1.20/kustomization.yaml |   2 +-
 .../static/provider/exoscale/1.21/deploy.yaml | 103 ++++-------------
 .../provider/exoscale/1.21/kustomization.yaml |   2 +-
 .../static/provider/exoscale/1.22/deploy.yaml | 103 ++++-------------
 .../provider/exoscale/1.22/kustomization.yaml |   2 +-
 .../static/provider/exoscale/1.23/deploy.yaml | 103 ++++-------------
 .../provider/exoscale/1.23/kustomization.yaml |   2 +-
 deploy/static/provider/exoscale/deploy.yaml   | 107 ++++--------------
 .../provider/exoscale/kustomization.yaml      |   2 +-
 deploy/static/provider/kind/1.19/deploy.yaml  | 103 ++++-------------
 .../provider/kind/1.19/kustomization.yaml     |   2 +-
 deploy/static/provider/kind/1.20/deploy.yaml  | 106 ++++-------------
 .../provider/kind/1.20/kustomization.yaml     |   2 +-
 deploy/static/provider/kind/1.21/deploy.yaml  | 103 ++++-------------
 .../provider/kind/1.21/kustomization.yaml     |   2 +-
 deploy/static/provider/kind/1.22/deploy.yaml  | 103 ++++-------------
 .../provider/kind/1.22/kustomization.yaml     |   2 +-
 deploy/static/provider/kind/1.23/deploy.yaml  | 103 ++++-------------
 .../provider/kind/1.23/kustomization.yaml     |   2 +-
 deploy/static/provider/kind/deploy.yaml       | 107 ++++--------------
 .../static/provider/kind/kustomization.yaml   |   2 +-
 deploy/static/provider/scw/1.19/deploy.yaml   | 103 ++++-------------
 .../provider/scw/1.19/kustomization.yaml      |   2 +-
 deploy/static/provider/scw/1.20/deploy.yaml   | 106 ++++-------------
 .../provider/scw/1.20/kustomization.yaml      |   2 +-
 deploy/static/provider/scw/1.21/deploy.yaml   | 103 ++++-------------
 .../provider/scw/1.21/kustomization.yaml      |   2 +-
 deploy/static/provider/scw/1.22/deploy.yaml   | 103 ++++-------------
 .../provider/scw/1.22/kustomization.yaml      |   2 +-
 deploy/static/provider/scw/1.23/deploy.yaml   | 103 ++++-------------
 .../provider/scw/1.23/kustomization.yaml      |   2 +-
 deploy/static/provider/scw/deploy.yaml        | 107 ++++--------------
 deploy/static/provider/scw/kustomization.yaml |   2 +-
 docs/deploy/index.md                          |  18 +--
 hack/generate-deploy-scripts.sh               |   8 +-
 .../static-kustomization-template.yaml        |   2 +-
 stable.txt                                    |   2 +-
 107 files changed, 1139 insertions(+), 4083 deletions(-)

diff --git a/.gitignore b/.gitignore
index 921ba6aec..0943c3b1a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+helm-docs
 # OSX
 ._*
 .DS_Store
diff --git a/Changelog.md b/Changelog.md
index 40a4aaaf9..0f3656b22 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,43 @@
 # Changelog
 
+### 1.1.3
+
+**Image:**
+- k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
+
+This release upgrades Alpine to 3.14.4 and nginx to 1.19.10 
+
+Patches [OpenSSL CVE-2022-0778](https://github.com/kubernetes/ingress-nginx/issues/8339)
+
+Patches [Libxml2 CVE-2022-23308](https://github.com/kubernetes/ingress-nginx/issues/8321)
+
+_Changes:_
+
+[8415](https://github.com/kubernetes/ingress-nginx/pull/8415) base img update for e2e-test-runner & opentelemetry
+[8403](https://github.com/kubernetes/ingress-nginx/pull/8403) Add execute permissions to nginx image entrypoint.sh
+[8392](https://github.com/kubernetes/ingress-nginx/pull/8392) fix document for monitoring
+[8386](https://github.com/kubernetes/ingress-nginx/pull/8386) downgrade to 3.14.4 and fix tag
+[8379](https://github.com/kubernetes/ingress-nginx/pull/8379) bump luarocks to 3.8.0
+[8368](https://github.com/kubernetes/ingress-nginx/pull/8368) Updated semver in install docs URLs
+[8360](https://github.com/kubernetes/ingress-nginx/pull/8360) Bump github.com/stretchr/testify from 1.7.0 to 1.7.1
+[8334](https://github.com/kubernetes/ingress-nginx/pull/8334) Pinned GitHub workflows by SHA
+[8324](https://github.com/kubernetes/ingress-nginx/pull/8324) Added missing "repo" option on "helm upgrade" command
+[8315](https://github.com/kubernetes/ingress-nginx/pull/8315) Fix 50% split between canary and mainline tests
+[8311](https://github.com/kubernetes/ingress-nginx/pull/8311) leaving it the git tag
+[8307](https://github.com/kubernetes/ingress-nginx/pull/8307) Nginx v1.19.10
+[8302](https://github.com/kubernetes/ingress-nginx/pull/8302) docs: fix changelog formatting for 1.1.2
+[8300](https://github.com/kubernetes/ingress-nginx/pull/8300) Names cannot contain _ (underscore)! So I changed it to -.
+[8288](https://github.com/kubernetes/ingress-nginx/pull/8288) [docs] Missing annotations
+[8287](https://github.com/kubernetes/ingress-nginx/pull/8287) Add the shareProcessNamespace as a configurable setting in the helm chart
+[8286](https://github.com/kubernetes/ingress-nginx/pull/8286) Fix OpenTelemetry sidecar image build
+[8281](https://github.com/kubernetes/ingress-nginx/pull/8281) force prow job by changing something in images/ot dir
+[8273](https://github.com/kubernetes/ingress-nginx/pull/8273) Issue#8241
+[8267](https://github.com/kubernetes/ingress-nginx/pull/8267) Add fsGroup value to admission-webhooks/job-patch charts
+[8262](https://github.com/kubernetes/ingress-nginx/pull/8262) Updated confusing error
+[8258](https://github.com/kubernetes/ingress-nginx/pull/8258) remove 0.46.0 from supported versions table
+[8256](https://github.com/kubernetes/ingress-nginx/pull/8256) fix: deny locations with invalid auth-url annotation
+[8253](https://github.com/kubernetes/ingress-nginx/pull/8253) Add a certificate info metric
+
 ### 1.1.2
 
 **Image:** 
diff --git a/README.md b/README.md
index 96268a8f9..c653e4c70 100644
--- a/README.md
+++ b/README.md
@@ -31,22 +31,22 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 
 | Ingress-NGINX version | k8s supported version        | Alpine Version | Nginx Version |
 |-----------------------|------------------------------|----------------|---------------|
-| v1.1.2                | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
-| v1.1.1                | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
-| v1.1.0                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
-| v1.0.5                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
-| v1.0.4                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
-| v1.0.3                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
-| v1.0.2                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
-| v1.0.1                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
-| v1.0.0                | 1.22, 1.21, 1.20, 1.19       | 3.13.5         |  1.20.1       |
-| v0.50.0               | 1.21, 1.20, 1.19             | 3.14.2         |  1.19.9†      |
-| v0.49.3               | 1.21, 1.20, 1.19             | 3.14.2         |  1.19.9†      |
-| v0.49.2               | 1.21, 1.20, 1.19             | 3.14.2         |  1.19.9†      |
-| v0.49.1               | 1.21, 1.20, 1.19             | 3.14.2         |  1.19.9†      |
-| v0.49.0               | 1.21, 1.20, 1.19             | 3.13.5         |  1.20.1       |
-| v0.48.1               | 1.21, 1.20, 1.19             | 3.13.5         |  1.20.1       |
-| v0.47.0               | 1.21, 1.20, 1.19             | 3.13.5         |  1.20.1       |
+| v1.1.3                | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.4         | 1.19.10†      |
+| v1.1.2                | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2         | 1.19.9†       |
+| v1.1.1                | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2         | 1.19.9†       |
+| v1.1.0                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         | 1.19.9†       |
+| v1.0.5                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         | 1.19.9†       |
+| v1.0.4                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         | 1.19.9†       |
+| v1.0.3                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         | 1.19.9†       |
+| v1.0.2                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         | 1.19.9†       |
+| v1.0.1                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         | 1.19.9†       |
+| v1.0.0                | 1.22, 1.21, 1.20, 1.19       | 3.13.5         | 1.20.1        |
+| v0.50.0               | 1.21, 1.20, 1.19             | 3.14.2         | 1.19.9†       |
+| v0.49.3               | 1.21, 1.20, 1.19             | 3.14.2         | 1.19.9†       |
+| v0.49.2               | 1.21, 1.20, 1.19             | 3.14.2         | 1.19.9†       |
+| v0.49.1               | 1.21, 1.20, 1.19             | 3.14.2         | 1.19.9†       |
+| v0.49.0               | 1.21, 1.20, 1.19             | 3.13.5         | 1.20.1        |
+| v0.48.1               | 1.21, 1.20, 1.19             | 3.13.5         | 1.20.1        |
 
 † _This build is [patched against CVE-2021-23017](https://github.com/openresty/openresty/commit/4b5ec7edd78616f544abc194308e0cf4b788725b#diff-42ef841dc27fe0b5aa2d06bd31308bb63a59cdcddcbcddd917248349d22020a3)._
 
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 69db0be31..f8203e33e 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.0.18
-appVersion: 1.1.2
+version: 4.0.19
+appVersion: 1.1.3
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
@@ -24,8 +24,5 @@ annotations:
   # List of changes for the release in artifacthub.io
   # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog
   artifacthub.io/changes: |
-    - "#8253 Add a certificate info metric"
-    - "#8225 fix inconsistent-label-cardinality for prometheus metrics: nginx_ingress_controller_requests"
-    - "#8162 Versioned static manifests"
-    - "#8159 Adding some geoip variables and default values"
-    - "#8221 Do not validate ingresses with unknown ingress class in admission webhook endpoint"
+    - "#8307 Nginx v1.19.10"
+    - "#8386 Alpine 3.14.4"
diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index c0ef8109d..0647db915 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -2,7 +2,7 @@
 
 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 
-![Version: 4.0.18](https://img.shields.io/badge/Version-4.0.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.2](https://img.shields.io/badge/AppVersion-1.1.2-informational?style=flat-square)
+![Version: 4.0.19](https://img.shields.io/badge/Version-4.0.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.3](https://img.shields.io/badge/AppVersion-1.1.3-informational?style=flat-square)
 
 To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
 
@@ -306,12 +306,12 @@ Kubernetes: `>=1.19.0-0`
 | controller.hostPort.ports.https | int | `443` | 'hostPort' https port |
 | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
 | controller.image.allowPrivilegeEscalation | bool | `true` |  |
-| controller.image.digest | string | `"sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c"` |  |
+| controller.image.digest | string | `"sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2"` |  |
 | controller.image.image | string | `"ingress-nginx/controller"` |  |
 | controller.image.pullPolicy | string | `"IfNotPresent"` |  |
 | controller.image.registry | string | `"k8s.gcr.io"` |  |
 | controller.image.runAsUser | int | `101` |  |
-| controller.image.tag | string | `"v1.1.2"` |  |
+| controller.image.tag | string | `"v1.1.3"` |  |
 | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
 | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
 | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |
diff --git a/charts/ingress-nginx/templates/controller-service.yaml b/charts/ingress-nginx/templates/controller-service.yaml
index 05fb2041e..0f47f131c 100644
--- a/charts/ingress-nginx/templates/controller-service.yaml
+++ b/charts/ingress-nginx/templates/controller-service.yaml
@@ -37,12 +37,12 @@ spec:
 {{- if .Values.controller.service.healthCheckNodePort }}
   healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }}
 {{- end }}
-{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version -}}
+{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}}
 {{- if .Values.controller.service.ipFamilyPolicy }}
   ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }}
 {{- end }}
 {{- end }}
-{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version -}}
+{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}}
 {{- if .Values.controller.service.ipFamilies }}
   ipFamilies: {{ toYaml .Values.controller.service.ipFamilies | nindent 4 }}
 {{- end }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index f355e5eaa..cea8cebe8 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -21,8 +21,8 @@ controller:
     ## for backwards compatibility consider setting the full image url via the repository value below
     ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     ## repository:
-    tag: "v1.1.2"
-    digest: sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+    tag: "v1.1.3"
+    digest: sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
     pullPolicy: IfNotPresent
     # www-data -> uid 101
     runAsUser: 101
diff --git a/deploy/static/provider/aws/1.19/deploy.yaml b/deploy/static/provider/aws/1.19/deploy.yaml
index 710cfcafd..30d40e77b 100644
--- a/deploy/static/provider/aws/1.19/deploy.yaml
+++ b/deploy/static/provider/aws/1.19/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -356,11 +319,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -386,11 +347,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -410,11 +369,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -454,7 +411,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -521,17 +478,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -540,11 +492,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -575,17 +525,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -594,11 +539,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -634,11 +577,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -649,11 +590,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/1.19/kustomization.yaml b/deploy/static/provider/aws/1.19/kustomization.yaml
index d18ef3896..18c6bb6a3 100644
--- a/deploy/static/provider/aws/1.19/kustomization.yaml
+++ b/deploy/static/provider/aws/1.19/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/aws
 # ```
 
 resources:
diff --git a/deploy/static/provider/aws/1.20/deploy.yaml b/deploy/static/provider/aws/1.20/deploy.yaml
index 440861a53..0afe26fa2 100644
--- a/deploy/static/provider/aws/1.20/deploy.yaml
+++ b/deploy/static/provider/aws/1.20/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -356,18 +319,13 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
   externalTrafficPolicy: Local
-  ipFamilies:
-  - IPv4
-  ipFamilyPolicy: SingleStack
   ports:
   - appProtocol: http
     name: http
@@ -391,11 +349,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -416,11 +372,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -460,7 +414,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -527,17 +481,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -546,11 +495,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -581,17 +528,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -600,11 +542,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -640,11 +580,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -655,11 +593,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/1.20/kustomization.yaml b/deploy/static/provider/aws/1.20/kustomization.yaml
index d18ef3896..18c6bb6a3 100644
--- a/deploy/static/provider/aws/1.20/kustomization.yaml
+++ b/deploy/static/provider/aws/1.20/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/aws
 # ```
 
 resources:
diff --git a/deploy/static/provider/aws/1.21/deploy.yaml b/deploy/static/provider/aws/1.21/deploy.yaml
index 440861a53..b73d21f8f 100644
--- a/deploy/static/provider/aws/1.21/deploy.yaml
+++ b/deploy/static/provider/aws/1.21/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -356,11 +319,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -391,11 +352,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -416,11 +375,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -460,7 +417,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -527,17 +484,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -546,11 +498,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -581,17 +531,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -600,11 +545,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -640,11 +583,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -655,11 +596,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/1.21/kustomization.yaml b/deploy/static/provider/aws/1.21/kustomization.yaml
index d18ef3896..18c6bb6a3 100644
--- a/deploy/static/provider/aws/1.21/kustomization.yaml
+++ b/deploy/static/provider/aws/1.21/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/aws
 # ```
 
 resources:
diff --git a/deploy/static/provider/aws/1.22/deploy.yaml b/deploy/static/provider/aws/1.22/deploy.yaml
index 440861a53..b73d21f8f 100644
--- a/deploy/static/provider/aws/1.22/deploy.yaml
+++ b/deploy/static/provider/aws/1.22/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -356,11 +319,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -391,11 +352,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -416,11 +375,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -460,7 +417,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -527,17 +484,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -546,11 +498,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -581,17 +531,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -600,11 +545,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -640,11 +583,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -655,11 +596,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/1.22/kustomization.yaml b/deploy/static/provider/aws/1.22/kustomization.yaml
index d18ef3896..18c6bb6a3 100644
--- a/deploy/static/provider/aws/1.22/kustomization.yaml
+++ b/deploy/static/provider/aws/1.22/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/aws
 # ```
 
 resources:
diff --git a/deploy/static/provider/aws/1.23/deploy.yaml b/deploy/static/provider/aws/1.23/deploy.yaml
index 440861a53..b73d21f8f 100644
--- a/deploy/static/provider/aws/1.23/deploy.yaml
+++ b/deploy/static/provider/aws/1.23/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -356,11 +319,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -391,11 +352,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -416,11 +375,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -460,7 +417,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -527,17 +484,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -546,11 +498,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -581,17 +531,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -600,11 +545,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -640,11 +583,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -655,11 +596,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/1.23/kustomization.yaml b/deploy/static/provider/aws/1.23/kustomization.yaml
index d18ef3896..18c6bb6a3 100644
--- a/deploy/static/provider/aws/1.23/kustomization.yaml
+++ b/deploy/static/provider/aws/1.23/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/aws
 # ```
 
 resources:
diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml
index 374823462..0afe26fa2 100644
--- a/deploy/static/provider/aws/deploy.yaml
+++ b/deploy/static/provider/aws/deploy.yaml
@@ -1,4 +1,3 @@
-#GENERATED FOR K8S 1.20
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -14,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -45,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -126,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -153,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -219,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -246,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -265,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -292,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -310,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -339,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -357,18 +319,13 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
   externalTrafficPolicy: Local
-  ipFamilies:
-  - IPv4
-  ipFamilyPolicy: SingleStack
   ports:
   - appProtocol: http
     name: http
@@ -392,11 +349,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -417,11 +372,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -461,7 +414,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -528,17 +481,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -547,11 +495,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -582,17 +528,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -601,11 +542,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -641,11 +580,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -656,11 +593,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/kustomization.yaml b/deploy/static/provider/aws/kustomization.yaml
index d18ef3896..18c6bb6a3 100644
--- a/deploy/static/provider/aws/kustomization.yaml
+++ b/deploy/static/provider/aws/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/aws
 # ```
 
 resources:
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.19/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.19/deploy.yaml
index 426c72b06..e2232bd6e 100644
--- a/deploy/static/provider/aws/nlb-with-tls-termination/1.19/deploy.yaml
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.19/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -345,11 +310,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -365,11 +328,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -395,11 +356,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -419,11 +378,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -463,7 +420,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -533,17 +490,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -552,11 +504,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -587,17 +537,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -606,11 +551,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -646,11 +589,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -661,11 +602,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.19/kustomization.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.19/kustomization.yaml
index ca2086ea9..51c1513c9 100644
--- a/deploy/static/provider/aws/nlb-with-tls-termination/1.19/kustomization.yaml
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.19/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws/nlb-with-tls-termination?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/aws/nlb-with-tls-termination
 # ```
 
 resources:
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.20/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.20/deploy.yaml
index 21ea91d49..07be32ffe 100644
--- a/deploy/static/provider/aws/nlb-with-tls-termination/1.20/deploy.yaml
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.20/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -345,11 +310,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -365,18 +328,13 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
   externalTrafficPolicy: Local
-  ipFamilies:
-  - IPv4
-  ipFamilyPolicy: SingleStack
   ports:
   - appProtocol: http
     name: http
@@ -400,11 +358,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -425,11 +381,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -469,7 +423,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -539,17 +493,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -558,11 +507,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -593,17 +540,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -612,11 +554,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -652,11 +592,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -667,11 +605,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.20/kustomization.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.20/kustomization.yaml
index ca2086ea9..51c1513c9 100644
--- a/deploy/static/provider/aws/nlb-with-tls-termination/1.20/kustomization.yaml
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.20/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws/nlb-with-tls-termination?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/aws/nlb-with-tls-termination
 # ```
 
 resources:
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.21/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.21/deploy.yaml
index 21ea91d49..d86ddc4fd 100644
--- a/deploy/static/provider/aws/nlb-with-tls-termination/1.21/deploy.yaml
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.21/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -345,11 +310,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -365,11 +328,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -400,11 +361,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -425,11 +384,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -469,7 +426,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -539,17 +496,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -558,11 +510,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -593,17 +543,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -612,11 +557,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -652,11 +595,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -667,11 +608,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.21/kustomization.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.21/kustomization.yaml
index ca2086ea9..51c1513c9 100644
--- a/deploy/static/provider/aws/nlb-with-tls-termination/1.21/kustomization.yaml
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.21/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws/nlb-with-tls-termination?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/aws/nlb-with-tls-termination
 # ```
 
 resources:
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.22/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.22/deploy.yaml
index 21ea91d49..d86ddc4fd 100644
--- a/deploy/static/provider/aws/nlb-with-tls-termination/1.22/deploy.yaml
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.22/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -345,11 +310,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -365,11 +328,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -400,11 +361,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -425,11 +384,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -469,7 +426,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -539,17 +496,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -558,11 +510,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -593,17 +543,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -612,11 +557,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -652,11 +595,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -667,11 +608,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.22/kustomization.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.22/kustomization.yaml
index ca2086ea9..51c1513c9 100644
--- a/deploy/static/provider/aws/nlb-with-tls-termination/1.22/kustomization.yaml
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.22/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws/nlb-with-tls-termination?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/aws/nlb-with-tls-termination
 # ```
 
 resources:
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.23/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.23/deploy.yaml
index 21ea91d49..d86ddc4fd 100644
--- a/deploy/static/provider/aws/nlb-with-tls-termination/1.23/deploy.yaml
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.23/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -345,11 +310,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -365,11 +328,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -400,11 +361,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -425,11 +384,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -469,7 +426,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -539,17 +496,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -558,11 +510,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -593,17 +543,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -612,11 +557,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -652,11 +595,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -667,11 +608,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/1.23/kustomization.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/1.23/kustomization.yaml
index ca2086ea9..51c1513c9 100644
--- a/deploy/static/provider/aws/nlb-with-tls-termination/1.23/kustomization.yaml
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/1.23/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws/nlb-with-tls-termination?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/aws/nlb-with-tls-termination
 # ```
 
 resources:
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
index 97c4697d5..07be32ffe 100644
--- a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
@@ -1,4 +1,3 @@
-#GENERATED FOR K8S 1.20
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -14,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -45,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -126,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -153,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -219,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -246,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -265,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -292,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -310,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -346,11 +310,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -366,18 +328,13 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
   externalTrafficPolicy: Local
-  ipFamilies:
-  - IPv4
-  ipFamilyPolicy: SingleStack
   ports:
   - appProtocol: http
     name: http
@@ -401,11 +358,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -426,11 +381,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -470,7 +423,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -540,17 +493,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -559,11 +507,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -594,17 +540,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -613,11 +554,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -653,11 +592,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -668,11 +605,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/kustomization.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/kustomization.yaml
index ca2086ea9..51c1513c9 100644
--- a/deploy/static/provider/aws/nlb-with-tls-termination/kustomization.yaml
+++ b/deploy/static/provider/aws/nlb-with-tls-termination/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/aws/nlb-with-tls-termination?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/aws/nlb-with-tls-termination
 # ```
 
 resources:
diff --git a/deploy/static/provider/baremetal/1.19/deploy.yaml b/deploy/static/provider/baremetal/1.19/deploy.yaml
index c03765456..49c11b1bd 100644
--- a/deploy/static/provider/baremetal/1.19/deploy.yaml
+++ b/deploy/static/provider/baremetal/1.19/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -352,11 +315,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -381,11 +342,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -405,11 +364,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -448,7 +405,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -515,17 +472,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -534,11 +486,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -569,17 +519,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -588,11 +533,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -628,11 +571,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -643,11 +584,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/baremetal/1.19/kustomization.yaml b/deploy/static/provider/baremetal/1.19/kustomization.yaml
index d13af0f82..d585f85c6 100644
--- a/deploy/static/provider/baremetal/1.19/kustomization.yaml
+++ b/deploy/static/provider/baremetal/1.19/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/baremetal?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/baremetal
 # ```
 
 resources:
diff --git a/deploy/static/provider/baremetal/1.20/deploy.yaml b/deploy/static/provider/baremetal/1.20/deploy.yaml
index 943d0ff49..aa9898d99 100644
--- a/deploy/static/provider/baremetal/1.20/deploy.yaml
+++ b/deploy/static/provider/baremetal/1.20/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -352,17 +315,12 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
-  ipFamilies:
-  - IPv4
-  ipFamilyPolicy: SingleStack
   ports:
   - appProtocol: http
     name: http
@@ -386,11 +344,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -411,11 +367,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -454,7 +408,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -521,17 +475,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -540,11 +489,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -575,17 +522,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -594,11 +536,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -634,11 +574,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -649,11 +587,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/baremetal/1.20/kustomization.yaml b/deploy/static/provider/baremetal/1.20/kustomization.yaml
index d13af0f82..d585f85c6 100644
--- a/deploy/static/provider/baremetal/1.20/kustomization.yaml
+++ b/deploy/static/provider/baremetal/1.20/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/baremetal?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/baremetal
 # ```
 
 resources:
diff --git a/deploy/static/provider/baremetal/1.21/deploy.yaml b/deploy/static/provider/baremetal/1.21/deploy.yaml
index 943d0ff49..c101d538b 100644
--- a/deploy/static/provider/baremetal/1.21/deploy.yaml
+++ b/deploy/static/provider/baremetal/1.21/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -352,11 +315,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -386,11 +347,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -411,11 +370,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -454,7 +411,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -521,17 +478,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -540,11 +492,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -575,17 +525,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -594,11 +539,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -634,11 +577,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -649,11 +590,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/baremetal/1.21/kustomization.yaml b/deploy/static/provider/baremetal/1.21/kustomization.yaml
index d13af0f82..d585f85c6 100644
--- a/deploy/static/provider/baremetal/1.21/kustomization.yaml
+++ b/deploy/static/provider/baremetal/1.21/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/baremetal?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/baremetal
 # ```
 
 resources:
diff --git a/deploy/static/provider/baremetal/1.22/deploy.yaml b/deploy/static/provider/baremetal/1.22/deploy.yaml
index 943d0ff49..c101d538b 100644
--- a/deploy/static/provider/baremetal/1.22/deploy.yaml
+++ b/deploy/static/provider/baremetal/1.22/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -352,11 +315,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -386,11 +347,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -411,11 +370,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -454,7 +411,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -521,17 +478,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -540,11 +492,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -575,17 +525,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -594,11 +539,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -634,11 +577,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -649,11 +590,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/baremetal/1.22/kustomization.yaml b/deploy/static/provider/baremetal/1.22/kustomization.yaml
index d13af0f82..d585f85c6 100644
--- a/deploy/static/provider/baremetal/1.22/kustomization.yaml
+++ b/deploy/static/provider/baremetal/1.22/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/baremetal?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/baremetal
 # ```
 
 resources:
diff --git a/deploy/static/provider/baremetal/1.23/deploy.yaml b/deploy/static/provider/baremetal/1.23/deploy.yaml
index 943d0ff49..c101d538b 100644
--- a/deploy/static/provider/baremetal/1.23/deploy.yaml
+++ b/deploy/static/provider/baremetal/1.23/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -352,11 +315,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -386,11 +347,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -411,11 +370,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -454,7 +411,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -521,17 +478,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -540,11 +492,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -575,17 +525,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -594,11 +539,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -634,11 +577,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -649,11 +590,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/baremetal/1.23/kustomization.yaml b/deploy/static/provider/baremetal/1.23/kustomization.yaml
index d13af0f82..d585f85c6 100644
--- a/deploy/static/provider/baremetal/1.23/kustomization.yaml
+++ b/deploy/static/provider/baremetal/1.23/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/baremetal?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/baremetal
 # ```
 
 resources:
diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml
index cdba346c1..aa9898d99 100644
--- a/deploy/static/provider/baremetal/deploy.yaml
+++ b/deploy/static/provider/baremetal/deploy.yaml
@@ -1,4 +1,3 @@
-#GENERATED FOR K8S 1.20
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -14,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -45,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -126,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -153,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -219,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -246,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -265,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -292,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -310,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -339,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -353,17 +315,12 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
-  ipFamilies:
-  - IPv4
-  ipFamilyPolicy: SingleStack
   ports:
   - appProtocol: http
     name: http
@@ -387,11 +344,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -412,11 +367,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -455,7 +408,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -522,17 +475,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -541,11 +489,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -576,17 +522,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -595,11 +536,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -635,11 +574,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -650,11 +587,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/baremetal/kustomization.yaml b/deploy/static/provider/baremetal/kustomization.yaml
index d13af0f82..d585f85c6 100644
--- a/deploy/static/provider/baremetal/kustomization.yaml
+++ b/deploy/static/provider/baremetal/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/baremetal?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/baremetal
 # ```
 
 resources:
diff --git a/deploy/static/provider/cloud/1.19/deploy.yaml b/deploy/static/provider/cloud/1.19/deploy.yaml
index af5e89f04..f6000c6a6 100644
--- a/deploy/static/provider/cloud/1.19/deploy.yaml
+++ b/deploy/static/provider/cloud/1.19/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -352,11 +315,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -382,11 +343,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -406,11 +365,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -450,7 +407,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -517,17 +474,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -536,11 +488,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -571,17 +521,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -590,11 +535,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -630,11 +573,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -645,11 +586,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/cloud/1.19/kustomization.yaml b/deploy/static/provider/cloud/1.19/kustomization.yaml
index a92167fad..d477ec405 100644
--- a/deploy/static/provider/cloud/1.19/kustomization.yaml
+++ b/deploy/static/provider/cloud/1.19/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/cloud?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/cloud
 # ```
 
 resources:
diff --git a/deploy/static/provider/cloud/1.20/deploy.yaml b/deploy/static/provider/cloud/1.20/deploy.yaml
index ae18d5938..d87b1331d 100644
--- a/deploy/static/provider/cloud/1.20/deploy.yaml
+++ b/deploy/static/provider/cloud/1.20/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -352,18 +315,13 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
   externalTrafficPolicy: Local
-  ipFamilies:
-  - IPv4
-  ipFamilyPolicy: SingleStack
   ports:
   - appProtocol: http
     name: http
@@ -387,11 +345,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -412,11 +368,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -456,7 +410,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -523,17 +477,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -542,11 +491,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -577,17 +524,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -596,11 +538,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -636,11 +576,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -651,11 +589,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/cloud/1.20/kustomization.yaml b/deploy/static/provider/cloud/1.20/kustomization.yaml
index a92167fad..d477ec405 100644
--- a/deploy/static/provider/cloud/1.20/kustomization.yaml
+++ b/deploy/static/provider/cloud/1.20/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/cloud?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/cloud
 # ```
 
 resources:
diff --git a/deploy/static/provider/cloud/1.21/deploy.yaml b/deploy/static/provider/cloud/1.21/deploy.yaml
index ae18d5938..a1f096f6b 100644
--- a/deploy/static/provider/cloud/1.21/deploy.yaml
+++ b/deploy/static/provider/cloud/1.21/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -352,11 +315,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -387,11 +348,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -412,11 +371,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -456,7 +413,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -523,17 +480,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -542,11 +494,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -577,17 +527,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -596,11 +541,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -636,11 +579,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -651,11 +592,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/cloud/1.21/kustomization.yaml b/deploy/static/provider/cloud/1.21/kustomization.yaml
index a92167fad..d477ec405 100644
--- a/deploy/static/provider/cloud/1.21/kustomization.yaml
+++ b/deploy/static/provider/cloud/1.21/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/cloud?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/cloud
 # ```
 
 resources:
diff --git a/deploy/static/provider/cloud/1.22/deploy.yaml b/deploy/static/provider/cloud/1.22/deploy.yaml
index ae18d5938..a1f096f6b 100644
--- a/deploy/static/provider/cloud/1.22/deploy.yaml
+++ b/deploy/static/provider/cloud/1.22/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -352,11 +315,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -387,11 +348,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -412,11 +371,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -456,7 +413,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -523,17 +480,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -542,11 +494,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -577,17 +527,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -596,11 +541,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -636,11 +579,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -651,11 +592,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/cloud/1.22/kustomization.yaml b/deploy/static/provider/cloud/1.22/kustomization.yaml
index a92167fad..d477ec405 100644
--- a/deploy/static/provider/cloud/1.22/kustomization.yaml
+++ b/deploy/static/provider/cloud/1.22/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/cloud?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/cloud
 # ```
 
 resources:
diff --git a/deploy/static/provider/cloud/1.23/deploy.yaml b/deploy/static/provider/cloud/1.23/deploy.yaml
index ae18d5938..a1f096f6b 100644
--- a/deploy/static/provider/cloud/1.23/deploy.yaml
+++ b/deploy/static/provider/cloud/1.23/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -352,11 +315,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -387,11 +348,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -412,11 +371,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -456,7 +413,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -523,17 +480,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -542,11 +494,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -577,17 +527,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -596,11 +541,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -636,11 +579,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -651,11 +592,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/cloud/1.23/kustomization.yaml b/deploy/static/provider/cloud/1.23/kustomization.yaml
index a92167fad..d477ec405 100644
--- a/deploy/static/provider/cloud/1.23/kustomization.yaml
+++ b/deploy/static/provider/cloud/1.23/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/cloud?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/cloud
 # ```
 
 resources:
diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml
index 206883b6e..d87b1331d 100644
--- a/deploy/static/provider/cloud/deploy.yaml
+++ b/deploy/static/provider/cloud/deploy.yaml
@@ -1,4 +1,3 @@
-#GENERATED FOR K8S 1.20
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -14,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -45,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -126,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -153,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -219,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -246,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -265,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -292,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -310,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -339,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -353,18 +315,13 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
   externalTrafficPolicy: Local
-  ipFamilies:
-  - IPv4
-  ipFamilyPolicy: SingleStack
   ports:
   - appProtocol: http
     name: http
@@ -388,11 +345,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -413,11 +368,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -457,7 +410,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -524,17 +477,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -543,11 +491,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -578,17 +524,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -597,11 +538,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -637,11 +576,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -652,11 +589,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/cloud/kustomization.yaml b/deploy/static/provider/cloud/kustomization.yaml
index a92167fad..d477ec405 100644
--- a/deploy/static/provider/cloud/kustomization.yaml
+++ b/deploy/static/provider/cloud/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/cloud?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/cloud
 # ```
 
 resources:
diff --git a/deploy/static/provider/do/1.19/deploy.yaml b/deploy/static/provider/do/1.19/deploy.yaml
index 69504e702..e746a93db 100644
--- a/deploy/static/provider/do/1.19/deploy.yaml
+++ b/deploy/static/provider/do/1.19/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -339,11 +304,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -355,11 +318,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -385,11 +346,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -409,11 +368,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -453,7 +410,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -520,17 +477,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -539,11 +491,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -574,17 +524,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -593,11 +538,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -633,11 +576,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -648,11 +589,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/do/1.19/kustomization.yaml b/deploy/static/provider/do/1.19/kustomization.yaml
index c7bb8d250..f20d445c7 100644
--- a/deploy/static/provider/do/1.19/kustomization.yaml
+++ b/deploy/static/provider/do/1.19/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/do?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/do
 # ```
 
 resources:
diff --git a/deploy/static/provider/do/1.20/deploy.yaml b/deploy/static/provider/do/1.20/deploy.yaml
index 98bfe291a..815e70374 100644
--- a/deploy/static/provider/do/1.20/deploy.yaml
+++ b/deploy/static/provider/do/1.20/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -339,11 +304,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -355,18 +318,13 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
   externalTrafficPolicy: Local
-  ipFamilies:
-  - IPv4
-  ipFamilyPolicy: SingleStack
   ports:
   - appProtocol: http
     name: http
@@ -390,11 +348,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -415,11 +371,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -459,7 +413,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -526,17 +480,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -545,11 +494,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -580,17 +527,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -599,11 +541,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -639,11 +579,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -654,11 +592,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/do/1.20/kustomization.yaml b/deploy/static/provider/do/1.20/kustomization.yaml
index c7bb8d250..f20d445c7 100644
--- a/deploy/static/provider/do/1.20/kustomization.yaml
+++ b/deploy/static/provider/do/1.20/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/do?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/do
 # ```
 
 resources:
diff --git a/deploy/static/provider/do/1.21/deploy.yaml b/deploy/static/provider/do/1.21/deploy.yaml
index 98bfe291a..df2dce367 100644
--- a/deploy/static/provider/do/1.21/deploy.yaml
+++ b/deploy/static/provider/do/1.21/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -339,11 +304,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -355,11 +318,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -390,11 +351,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -415,11 +374,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -459,7 +416,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -526,17 +483,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -545,11 +497,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -580,17 +530,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -599,11 +544,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -639,11 +582,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -654,11 +595,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/do/1.21/kustomization.yaml b/deploy/static/provider/do/1.21/kustomization.yaml
index c7bb8d250..f20d445c7 100644
--- a/deploy/static/provider/do/1.21/kustomization.yaml
+++ b/deploy/static/provider/do/1.21/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/do?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/do
 # ```
 
 resources:
diff --git a/deploy/static/provider/do/1.22/deploy.yaml b/deploy/static/provider/do/1.22/deploy.yaml
index 98bfe291a..df2dce367 100644
--- a/deploy/static/provider/do/1.22/deploy.yaml
+++ b/deploy/static/provider/do/1.22/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -339,11 +304,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -355,11 +318,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -390,11 +351,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -415,11 +374,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -459,7 +416,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -526,17 +483,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -545,11 +497,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -580,17 +530,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -599,11 +544,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -639,11 +582,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -654,11 +595,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/do/1.22/kustomization.yaml b/deploy/static/provider/do/1.22/kustomization.yaml
index c7bb8d250..f20d445c7 100644
--- a/deploy/static/provider/do/1.22/kustomization.yaml
+++ b/deploy/static/provider/do/1.22/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/do?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/do
 # ```
 
 resources:
diff --git a/deploy/static/provider/do/1.23/deploy.yaml b/deploy/static/provider/do/1.23/deploy.yaml
index 98bfe291a..df2dce367 100644
--- a/deploy/static/provider/do/1.23/deploy.yaml
+++ b/deploy/static/provider/do/1.23/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -339,11 +304,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -355,11 +318,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -390,11 +351,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -415,11 +374,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -459,7 +416,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -526,17 +483,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -545,11 +497,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -580,17 +530,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -599,11 +544,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -639,11 +582,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -654,11 +595,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/do/1.23/kustomization.yaml b/deploy/static/provider/do/1.23/kustomization.yaml
index c7bb8d250..f20d445c7 100644
--- a/deploy/static/provider/do/1.23/kustomization.yaml
+++ b/deploy/static/provider/do/1.23/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/do?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/do
 # ```
 
 resources:
diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml
index 324ae79e6..815e70374 100644
--- a/deploy/static/provider/do/deploy.yaml
+++ b/deploy/static/provider/do/deploy.yaml
@@ -1,4 +1,3 @@
-#GENERATED FOR K8S 1.20
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -14,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -45,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -126,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -153,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -219,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -246,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -265,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -292,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -310,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -340,11 +304,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -356,18 +318,13 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
   externalTrafficPolicy: Local
-  ipFamilies:
-  - IPv4
-  ipFamilyPolicy: SingleStack
   ports:
   - appProtocol: http
     name: http
@@ -391,11 +348,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -416,11 +371,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -460,7 +413,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -527,17 +480,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -546,11 +494,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -581,17 +527,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -600,11 +541,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -640,11 +579,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -655,11 +592,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/do/kustomization.yaml b/deploy/static/provider/do/kustomization.yaml
index c7bb8d250..f20d445c7 100644
--- a/deploy/static/provider/do/kustomization.yaml
+++ b/deploy/static/provider/do/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/do?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/do
 # ```
 
 resources:
diff --git a/deploy/static/provider/exoscale/1.19/deploy.yaml b/deploy/static/provider/exoscale/1.19/deploy.yaml
index 3c22a0118..61e084249 100644
--- a/deploy/static/provider/exoscale/1.19/deploy.yaml
+++ b/deploy/static/provider/exoscale/1.19/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -362,11 +325,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -392,11 +353,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -416,11 +375,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -460,7 +417,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -527,17 +484,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -546,11 +498,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -581,17 +531,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -600,11 +545,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -640,11 +583,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -655,11 +596,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/exoscale/1.19/kustomization.yaml b/deploy/static/provider/exoscale/1.19/kustomization.yaml
index 8466627e2..e79016cf3 100644
--- a/deploy/static/provider/exoscale/1.19/kustomization.yaml
+++ b/deploy/static/provider/exoscale/1.19/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/exoscale?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/exoscale
 # ```
 
 resources:
diff --git a/deploy/static/provider/exoscale/1.20/deploy.yaml b/deploy/static/provider/exoscale/1.20/deploy.yaml
index 136b466c9..e3712ce33 100644
--- a/deploy/static/provider/exoscale/1.20/deploy.yaml
+++ b/deploy/static/provider/exoscale/1.20/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -362,18 +325,13 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
   externalTrafficPolicy: Local
-  ipFamilies:
-  - IPv4
-  ipFamilyPolicy: SingleStack
   ports:
   - appProtocol: http
     name: http
@@ -397,11 +355,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -422,11 +378,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -466,7 +420,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -533,17 +487,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -552,11 +501,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -587,17 +534,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -606,11 +548,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -646,11 +586,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -661,11 +599,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/exoscale/1.20/kustomization.yaml b/deploy/static/provider/exoscale/1.20/kustomization.yaml
index 8466627e2..e79016cf3 100644
--- a/deploy/static/provider/exoscale/1.20/kustomization.yaml
+++ b/deploy/static/provider/exoscale/1.20/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/exoscale?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/exoscale
 # ```
 
 resources:
diff --git a/deploy/static/provider/exoscale/1.21/deploy.yaml b/deploy/static/provider/exoscale/1.21/deploy.yaml
index 136b466c9..7c214d0f0 100644
--- a/deploy/static/provider/exoscale/1.21/deploy.yaml
+++ b/deploy/static/provider/exoscale/1.21/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -362,11 +325,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -397,11 +358,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -422,11 +381,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -466,7 +423,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -533,17 +490,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -552,11 +504,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -587,17 +537,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -606,11 +551,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -646,11 +589,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -661,11 +602,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/exoscale/1.21/kustomization.yaml b/deploy/static/provider/exoscale/1.21/kustomization.yaml
index 8466627e2..e79016cf3 100644
--- a/deploy/static/provider/exoscale/1.21/kustomization.yaml
+++ b/deploy/static/provider/exoscale/1.21/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/exoscale?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/exoscale
 # ```
 
 resources:
diff --git a/deploy/static/provider/exoscale/1.22/deploy.yaml b/deploy/static/provider/exoscale/1.22/deploy.yaml
index 136b466c9..7c214d0f0 100644
--- a/deploy/static/provider/exoscale/1.22/deploy.yaml
+++ b/deploy/static/provider/exoscale/1.22/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -362,11 +325,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -397,11 +358,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -422,11 +381,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -466,7 +423,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -533,17 +490,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -552,11 +504,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -587,17 +537,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -606,11 +551,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -646,11 +589,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -661,11 +602,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/exoscale/1.22/kustomization.yaml b/deploy/static/provider/exoscale/1.22/kustomization.yaml
index 8466627e2..e79016cf3 100644
--- a/deploy/static/provider/exoscale/1.22/kustomization.yaml
+++ b/deploy/static/provider/exoscale/1.22/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/exoscale?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/exoscale
 # ```
 
 resources:
diff --git a/deploy/static/provider/exoscale/1.23/deploy.yaml b/deploy/static/provider/exoscale/1.23/deploy.yaml
index 136b466c9..7c214d0f0 100644
--- a/deploy/static/provider/exoscale/1.23/deploy.yaml
+++ b/deploy/static/provider/exoscale/1.23/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -362,11 +325,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -397,11 +358,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -422,11 +381,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -466,7 +423,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -533,17 +490,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -552,11 +504,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -587,17 +537,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -606,11 +551,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -646,11 +589,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -661,11 +602,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/exoscale/1.23/kustomization.yaml b/deploy/static/provider/exoscale/1.23/kustomization.yaml
index 8466627e2..e79016cf3 100644
--- a/deploy/static/provider/exoscale/1.23/kustomization.yaml
+++ b/deploy/static/provider/exoscale/1.23/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/exoscale?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/exoscale
 # ```
 
 resources:
diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml
index d65ba8628..e3712ce33 100644
--- a/deploy/static/provider/exoscale/deploy.yaml
+++ b/deploy/static/provider/exoscale/deploy.yaml
@@ -1,4 +1,3 @@
-#GENERATED FOR K8S 1.20
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -14,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -45,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -126,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -153,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -219,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -246,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -265,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -292,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -310,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -339,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -363,18 +325,13 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
   externalTrafficPolicy: Local
-  ipFamilies:
-  - IPv4
-  ipFamilyPolicy: SingleStack
   ports:
   - appProtocol: http
     name: http
@@ -398,11 +355,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -423,11 +378,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -467,7 +420,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -534,17 +487,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -553,11 +501,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -588,17 +534,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -607,11 +548,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -647,11 +586,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -662,11 +599,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/exoscale/kustomization.yaml b/deploy/static/provider/exoscale/kustomization.yaml
index 8466627e2..e79016cf3 100644
--- a/deploy/static/provider/exoscale/kustomization.yaml
+++ b/deploy/static/provider/exoscale/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/exoscale?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/exoscale
 # ```
 
 resources:
diff --git a/deploy/static/provider/kind/1.19/deploy.yaml b/deploy/static/provider/kind/1.19/deploy.yaml
index 171725751..8122b831c 100644
--- a/deploy/static/provider/kind/1.19/deploy.yaml
+++ b/deploy/static/provider/kind/1.19/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -352,11 +315,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -381,11 +342,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -405,11 +364,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -454,7 +411,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -528,17 +485,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -547,11 +499,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -582,17 +532,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -601,11 +546,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -641,11 +584,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -656,11 +597,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/kind/1.19/kustomization.yaml b/deploy/static/provider/kind/1.19/kustomization.yaml
index 94b7c887d..bd605a188 100644
--- a/deploy/static/provider/kind/1.19/kustomization.yaml
+++ b/deploy/static/provider/kind/1.19/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/kind?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/kind
 # ```
 
 resources:
diff --git a/deploy/static/provider/kind/1.20/deploy.yaml b/deploy/static/provider/kind/1.20/deploy.yaml
index 030092a55..934c81a01 100644
--- a/deploy/static/provider/kind/1.20/deploy.yaml
+++ b/deploy/static/provider/kind/1.20/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -352,17 +315,12 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
-  ipFamilies:
-  - IPv4
-  ipFamilyPolicy: SingleStack
   ports:
   - appProtocol: http
     name: http
@@ -386,11 +344,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -411,11 +367,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -460,7 +414,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -534,17 +488,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -553,11 +502,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -588,17 +535,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -607,11 +549,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -647,11 +587,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -662,11 +600,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/kind/1.20/kustomization.yaml b/deploy/static/provider/kind/1.20/kustomization.yaml
index 94b7c887d..bd605a188 100644
--- a/deploy/static/provider/kind/1.20/kustomization.yaml
+++ b/deploy/static/provider/kind/1.20/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/kind?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/kind
 # ```
 
 resources:
diff --git a/deploy/static/provider/kind/1.21/deploy.yaml b/deploy/static/provider/kind/1.21/deploy.yaml
index 030092a55..6d3e5ba7a 100644
--- a/deploy/static/provider/kind/1.21/deploy.yaml
+++ b/deploy/static/provider/kind/1.21/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -352,11 +315,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -386,11 +347,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -411,11 +370,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -460,7 +417,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -534,17 +491,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -553,11 +505,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -588,17 +538,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -607,11 +552,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -647,11 +590,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -662,11 +603,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/kind/1.21/kustomization.yaml b/deploy/static/provider/kind/1.21/kustomization.yaml
index 94b7c887d..bd605a188 100644
--- a/deploy/static/provider/kind/1.21/kustomization.yaml
+++ b/deploy/static/provider/kind/1.21/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/kind?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/kind
 # ```
 
 resources:
diff --git a/deploy/static/provider/kind/1.22/deploy.yaml b/deploy/static/provider/kind/1.22/deploy.yaml
index 030092a55..6d3e5ba7a 100644
--- a/deploy/static/provider/kind/1.22/deploy.yaml
+++ b/deploy/static/provider/kind/1.22/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -352,11 +315,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -386,11 +347,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -411,11 +370,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -460,7 +417,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -534,17 +491,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -553,11 +505,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -588,17 +538,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -607,11 +552,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -647,11 +590,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -662,11 +603,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/kind/1.22/kustomization.yaml b/deploy/static/provider/kind/1.22/kustomization.yaml
index 94b7c887d..bd605a188 100644
--- a/deploy/static/provider/kind/1.22/kustomization.yaml
+++ b/deploy/static/provider/kind/1.22/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/kind?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/kind
 # ```
 
 resources:
diff --git a/deploy/static/provider/kind/1.23/deploy.yaml b/deploy/static/provider/kind/1.23/deploy.yaml
index 030092a55..6d3e5ba7a 100644
--- a/deploy/static/provider/kind/1.23/deploy.yaml
+++ b/deploy/static/provider/kind/1.23/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -338,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -352,11 +315,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -386,11 +347,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -411,11 +370,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -460,7 +417,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -534,17 +491,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -553,11 +505,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -588,17 +538,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -607,11 +552,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -647,11 +590,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -662,11 +603,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/kind/1.23/kustomization.yaml b/deploy/static/provider/kind/1.23/kustomization.yaml
index 94b7c887d..bd605a188 100644
--- a/deploy/static/provider/kind/1.23/kustomization.yaml
+++ b/deploy/static/provider/kind/1.23/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/kind?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/kind
 # ```
 
 resources:
diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml
index 1725f1347..934c81a01 100644
--- a/deploy/static/provider/kind/deploy.yaml
+++ b/deploy/static/provider/kind/deploy.yaml
@@ -1,4 +1,3 @@
-#GENERATED FOR K8S 1.20
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -14,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -45,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -126,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -153,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -219,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -246,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -265,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -292,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -310,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -339,11 +303,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -353,17 +315,12 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
-  ipFamilies:
-  - IPv4
-  ipFamilyPolicy: SingleStack
   ports:
   - appProtocol: http
     name: http
@@ -387,11 +344,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -412,11 +367,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -461,7 +414,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -535,17 +488,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -554,11 +502,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -589,17 +535,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -608,11 +549,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -648,11 +587,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -663,11 +600,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/kind/kustomization.yaml b/deploy/static/provider/kind/kustomization.yaml
index 94b7c887d..bd605a188 100644
--- a/deploy/static/provider/kind/kustomization.yaml
+++ b/deploy/static/provider/kind/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/kind?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/kind
 # ```
 
 resources:
diff --git a/deploy/static/provider/scw/1.19/deploy.yaml b/deploy/static/provider/scw/1.19/deploy.yaml
index 8e29c5564..d8dc86368 100644
--- a/deploy/static/provider/scw/1.19/deploy.yaml
+++ b/deploy/static/provider/scw/1.19/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -339,11 +304,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -355,11 +318,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -385,11 +346,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -409,11 +368,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -453,7 +410,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -520,17 +477,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -539,11 +491,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -574,17 +524,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -593,11 +538,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -633,11 +576,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -648,11 +589,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/scw/1.19/kustomization.yaml b/deploy/static/provider/scw/1.19/kustomization.yaml
index da792b8f5..d8535dbde 100644
--- a/deploy/static/provider/scw/1.19/kustomization.yaml
+++ b/deploy/static/provider/scw/1.19/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/scw?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/scw
 # ```
 
 resources:
diff --git a/deploy/static/provider/scw/1.20/deploy.yaml b/deploy/static/provider/scw/1.20/deploy.yaml
index 82cee679d..19bfb55a8 100644
--- a/deploy/static/provider/scw/1.20/deploy.yaml
+++ b/deploy/static/provider/scw/1.20/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -339,11 +304,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -355,18 +318,13 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
   externalTrafficPolicy: Local
-  ipFamilies:
-  - IPv4
-  ipFamilyPolicy: SingleStack
   ports:
   - appProtocol: http
     name: http
@@ -390,11 +348,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -415,11 +371,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -459,7 +413,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -526,17 +480,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -545,11 +494,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -580,17 +527,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -599,11 +541,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -639,11 +579,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -654,11 +592,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/scw/1.20/kustomization.yaml b/deploy/static/provider/scw/1.20/kustomization.yaml
index da792b8f5..d8535dbde 100644
--- a/deploy/static/provider/scw/1.20/kustomization.yaml
+++ b/deploy/static/provider/scw/1.20/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/scw?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/scw
 # ```
 
 resources:
diff --git a/deploy/static/provider/scw/1.21/deploy.yaml b/deploy/static/provider/scw/1.21/deploy.yaml
index 82cee679d..25a56f11a 100644
--- a/deploy/static/provider/scw/1.21/deploy.yaml
+++ b/deploy/static/provider/scw/1.21/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -339,11 +304,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -355,11 +318,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -390,11 +351,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -415,11 +374,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -459,7 +416,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -526,17 +483,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -545,11 +497,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -580,17 +530,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -599,11 +544,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -639,11 +582,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -654,11 +595,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/scw/1.21/kustomization.yaml b/deploy/static/provider/scw/1.21/kustomization.yaml
index da792b8f5..d8535dbde 100644
--- a/deploy/static/provider/scw/1.21/kustomization.yaml
+++ b/deploy/static/provider/scw/1.21/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/scw?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/scw
 # ```
 
 resources:
diff --git a/deploy/static/provider/scw/1.22/deploy.yaml b/deploy/static/provider/scw/1.22/deploy.yaml
index 82cee679d..25a56f11a 100644
--- a/deploy/static/provider/scw/1.22/deploy.yaml
+++ b/deploy/static/provider/scw/1.22/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -339,11 +304,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -355,11 +318,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -390,11 +351,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -415,11 +374,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -459,7 +416,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -526,17 +483,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -545,11 +497,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -580,17 +530,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -599,11 +544,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -639,11 +582,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -654,11 +595,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/scw/1.22/kustomization.yaml b/deploy/static/provider/scw/1.22/kustomization.yaml
index da792b8f5..d8535dbde 100644
--- a/deploy/static/provider/scw/1.22/kustomization.yaml
+++ b/deploy/static/provider/scw/1.22/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/scw?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/scw
 # ```
 
 resources:
diff --git a/deploy/static/provider/scw/1.23/deploy.yaml b/deploy/static/provider/scw/1.23/deploy.yaml
index 82cee679d..25a56f11a 100644
--- a/deploy/static/provider/scw/1.23/deploy.yaml
+++ b/deploy/static/provider/scw/1.23/deploy.yaml
@@ -13,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -44,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -125,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -152,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -218,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -245,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -264,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -309,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -339,11 +304,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -355,11 +318,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -390,11 +351,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -415,11 +374,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -459,7 +416,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -526,17 +483,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -545,11 +497,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -580,17 +530,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -599,11 +544,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -639,11 +582,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -654,11 +595,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/scw/1.23/kustomization.yaml b/deploy/static/provider/scw/1.23/kustomization.yaml
index da792b8f5..d8535dbde 100644
--- a/deploy/static/provider/scw/1.23/kustomization.yaml
+++ b/deploy/static/provider/scw/1.23/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/scw?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/scw
 # ```
 
 resources:
diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml
index 138a9fcf1..19bfb55a8 100644
--- a/deploy/static/provider/scw/deploy.yaml
+++ b/deploy/static/provider/scw/deploy.yaml
@@ -1,4 +1,3 @@
-#GENERATED FOR K8S 1.20
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -14,28 +13,21 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -45,11 +37,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -126,17 +116,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -153,11 +138,9 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -219,17 +202,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -246,11 +224,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -265,17 +241,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -292,11 +263,9 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -310,17 +279,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -340,11 +304,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -356,18 +318,13 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
   externalTrafficPolicy: Local
-  ipFamilies:
-  - IPv4
-  ipFamilyPolicy: SingleStack
   ports:
   - appProtocol: http
     name: http
@@ -391,11 +348,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -416,11 +371,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -460,7 +413,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+        image: k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -527,17 +480,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -546,11 +494,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-create
     spec:
       containers:
@@ -581,17 +527,12 @@ spec:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -600,11 +541,9 @@ spec:
       labels:
         app.kubernetes.io/component: admission-webhook
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.1.2
-        helm.sh/chart: ingress-nginx-4.0.18
+        app.kubernetes.io/version: 1.1.3
       name: ingress-nginx-admission-patch
     spec:
       containers:
@@ -640,11 +579,9 @@ metadata:
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -655,11 +592,9 @@ metadata:
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.1.2
-    helm.sh/chart: ingress-nginx-4.0.18
+    app.kubernetes.io/version: 1.1.3
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
diff --git a/deploy/static/provider/scw/kustomization.yaml b/deploy/static/provider/scw/kustomization.yaml
index da792b8f5..d8535dbde 100644
--- a/deploy/static/provider/scw/kustomization.yaml
+++ b/deploy/static/provider/scw/kustomization.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/provider/scw?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/scw
 # ```
 
 resources:
diff --git a/docs/deploy/index.md b/docs/deploy/index.md
index 966703afb..849040574 100644
--- a/docs/deploy/index.md
+++ b/docs/deploy/index.md
@@ -186,17 +186,17 @@ In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controll
 ##### Network Load Balancer (NLB)
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/aws/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.3/deploy/static/provider/aws/deploy.yaml
 ```
 
 ##### TLS termination in AWS Load Balancer (NLB)
 
 By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB.
 
-1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template
+1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.3/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template
 
   ```console
-  wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
+  wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.3/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
   ```
 
 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster:
@@ -238,7 +238,7 @@ Then, the ingress controller can be installed like this:
 
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.3/deploy/static/provider/cloud/deploy.yaml
 ```
 
 !!! warning
@@ -252,7 +252,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont
 #### Azure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.3/deploy/static/provider/cloud/deploy.yaml
 ```
 
 More information with regards to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller).
@@ -260,13 +260,13 @@ More information with regards to Azure annotations for ingress controller can be
 #### Digital Ocean
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/do/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.3/deploy/static/provider/do/deploy.yaml
 ```
 
 #### Scaleway
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/scw/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.3/deploy/static/provider/scw/deploy.yaml
 ```
 
 #### Exoscale
@@ -280,7 +280,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale
 #### Oracle Cloud Infrastructure
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.3/deploy/static/provider/cloud/deploy.yaml
 ```
 
 A [complete list of available annotations for Oracle Cloud Infrastructure](https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md) can be found in the [OCI Cloud Controller Manager](https://github.com/oracle/oci-cloud-controller-manager) documentation.
@@ -292,7 +292,7 @@ This section is applicable to Kubernetes clusters deployed on bare metal servers
 For quick testing, you can use a [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport). This should work on almost every cluster, but it will typically use a port in the range 30000-32767.
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/baremetal/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.3/deploy/static/provider/baremetal/deploy.yaml
 ```
 
 For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), see [bare-metal considerations](./baremetal.md).
diff --git a/hack/generate-deploy-scripts.sh b/hack/generate-deploy-scripts.sh
index a697b13e2..598e60fc4 100755
--- a/hack/generate-deploy-scripts.sh
+++ b/hack/generate-deploy-scripts.sh
@@ -18,7 +18,7 @@ if [ -n "$DEBUG" ]; then
 	set -x
 fi
 
-set -o errexit
+#set -o errexit
 set -o nounset
 set -o pipefail
 
@@ -42,6 +42,7 @@ for K8S_VERSION in "${K8S_TARGET_VERSIONS[@]}"
 do
   for TARGET in ${TARGETS}
   do
+    echo "Running ${K8S_VERSION} for target ${TARGET}"
     TARGET_DIR="${TEMPLATE_DIR}/${TARGET}"
     MANIFEST="${TEMPLATE_DIR}/common/manifest.yaml" # intermediate manifest
     OUTPUT_DIR="${DIR}/deploy/static/${TARGET}/${K8S_VERSION}"
@@ -54,6 +55,9 @@ do
       --namespace ingress-nginx \
       --kube-version ${K8S_VERSION} \
       > $MANIFEST
+    sed -i '' '/app.kubernetes.io\/managed-by: Helm/d' $MANIFEST
+    sed -i '' '/helm.sh/d' $MANIFEST
+
     kustomize --load-restrictor=LoadRestrictionsNone build . > ${OUTPUT_DIR}/deploy.yaml
     rm $MANIFEST
     cd ~-
@@ -64,7 +68,7 @@ do
     if [[ ${K8S_VERSION} = ${K8S_DEFAULT_VERSION} ]]
     then
       cp ${OUTPUT_DIR}/*.yaml ${OUTPUT_DIR}/../
-      sed -i "1s/^/#GENERATED FOR K8S ${K8S_VERSION}\n/" ${OUTPUT_DIR}/../deploy.yaml
+      sed -i "s/^/#GENERATED FOR K8S ${K8S_VERSION}\n/" ${OUTPUT_DIR}/../deploy.yaml
     fi
   done
 done
diff --git a/hack/manifest-templates/static-kustomization-template.yaml b/hack/manifest-templates/static-kustomization-template.yaml
index fd273c7c4..18118a0ce 100644
--- a/hack/manifest-templates/static-kustomization-template.yaml
+++ b/hack/manifest-templates/static-kustomization-template.yaml
@@ -4,7 +4,7 @@
 # ```
 # namespace: ingress-nginx
 # bases:
-#   - github.com/kubernetes/ingress-nginx/deploy/static/{TARGET}?ref=master
+#   - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/{TARGET}
 # ```
 
 resources:
diff --git a/stable.txt b/stable.txt
index e6c5acf0d..3e5a2f306 100644
--- a/stable.txt
+++ b/stable.txt
@@ -1 +1 @@
-controller-v1.1.0
\ No newline at end of file
+controller-v1.1.3
\ No newline at end of file

From ad47d49216b9460c299b267a69b710659044b863 Mon Sep 17 00:00:00 2001
From: James Strong <strong.james.e@gmail.com>
Date: Fri, 1 Apr 2022 16:14:13 -0400
Subject: [PATCH 376/376] force helm release to artifact hub (#8417)

* force helm release to artifact hub

Signed-off-by: James Strong <strong.james.e@gmail.com>

* update releaser version

Signed-off-by: James Strong <strong.james.e@gmail.com>
---
 .github/workflows/helm.yaml     | 5 +++--
 charts/ingress-nginx/Chart.yaml | 6 +++++-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml
index dd8e6d752..c20716065 100644
--- a/.github/workflows/helm.yaml
+++ b/.github/workflows/helm.yaml
@@ -60,9 +60,10 @@ jobs:
           git config --global user.name "$GITHUB_ACTOR"
           git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
       
-      - name: Run chart-releaser
-        uses: helm/chart-releaser-action@c25b74a986eb925b398320414b576227f375f946 # v1.2.1
+      - name: Helm Chart Releaser
+        uses: helm/chart-releaser-action@v1.4.0
         env:
+          CR_SKIP_EXISTING: "false"
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"
         with:
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index f8203e33e..bf9006e58 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -14,7 +14,9 @@ sources:
   - https://github.com/kubernetes/ingress-nginx
 type: application
 maintainers:
-  - name: ChiefAlexander
+  - name: rikatz
+  - name: strongjz
+  - name: tao12345666333
 engine: gotpl
 kubeVersion: ">=1.19.0-0"
 annotations:
@@ -26,3 +28,5 @@ annotations:
   artifacthub.io/changes: |
     - "#8307 Nginx v1.19.10"
     - "#8386 Alpine 3.14.4"
+    - "#8339 Patch OpenSSL CVE-2022-0778"
+    - "#8321 Vulnerability CVE-2022-23308 for libxml2"