From 8732e2bfd0d3236a7306e22805de8654caec597e Mon Sep 17 00:00:00 2001
From: Yoan Blanc <yoan.blanc@adfinis.com>
Date: Fri, 7 Aug 2020 16:07:34 +0200
Subject: [PATCH 1/8] feat(sentry): enable sentry ingest consumer

Signed-off-by: Yoan Blanc <yoan.blanc@adfinis.com>
---
 sentry/Chart.yaml                             |   2 +-
 .../deployment-sentry-ingest-consumer.yaml    | 114 ++++++++++++++++++
 sentry/values.yaml                            |  18 +++
 3 files changed, 133 insertions(+), 1 deletion(-)
 create mode 100644 sentry/templates/deployment-sentry-ingest-consumer.yaml

diff --git a/sentry/Chart.yaml b/sentry/Chart.yaml
index c5c038acc..09005dd5f 100644
--- a/sentry/Chart.yaml
+++ b/sentry/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: sentry
 description: A Helm chart for Kubernetes
 type: application
-version: 4.8.0
+version: 4.8.1
 appVersion: 20.7.0
 dependencies:
   - name: redis
diff --git a/sentry/templates/deployment-sentry-ingest-consumer.yaml b/sentry/templates/deployment-sentry-ingest-consumer.yaml
new file mode 100644
index 000000000..b9e7cb5c7
--- /dev/null
+++ b/sentry/templates/deployment-sentry-ingest-consumer.yaml
@@ -0,0 +1,114 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "sentry.fullname" . }}-ingest-consumer
+  labels:
+    app: {{ template "sentry.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+spec:
+  selector:
+    matchLabels:
+      app: {{ template "sentry.fullname" . }}
+      release: "{{ .Release.Name }}"
+      role: ingest-consumer
+{{- if not .Values.sentry.ingestConsumer.autoscaling.enabled }}
+  replicas: {{ .Values.sentry.ingestConsumer.replicas }}
+{{- end }}
+  template:
+    metadata:
+      annotations:
+        checksum/configYml: {{ .Values.config.configYml | sha256sum }}
+        checksum/sentryConfPy: {{ .Values.config.sentryConfPy | sha256sum }}
+        checksum/config.yaml: {{ include (print $.Template.BasePath "/configmap-sentry.yaml") . | sha256sum }}
+        {{- if .Values.sentry.ingestConsumer.annotations }}
+{{ toYaml .Values.sentry.ingestConsumer.annotations | indent 8 }}
+        {{- end }}
+      labels:
+        app: {{ template "sentry.fullname" . }}
+        release: "{{ .Release.Name }}"
+        role: ingest-consumer
+        {{- if .Values.sentry.ingestConsumer.podLabels }}
+{{ toYaml .Values.sentry.ingestConsumer.podLabels | indent 8 }}
+        {{- end }}
+    spec:
+      affinity:
+      {{- if .Values.sentry.ingestConsumer.affinity }}
+{{ toYaml .Values.sentry.ingestConsumer.affinity | indent 8 }}
+      {{- end }}
+      {{- if .Values.sentry.ingestConsumer.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.sentry.ingestConsumer.nodeSelector | indent 8 }}
+      {{- end }}
+      {{- if .Values.sentry.ingestConsumer.tolerations }}
+      tolerations:
+{{ toYaml .Values.sentry.ingestConsumer.tolerations | indent 8 }}
+      {{- end }}
+      {{- if .Values.images.sentry.imagePullSecrets }}
+      imagePullSecrets:
+{{ toYaml .Values.images.sentry.imagePullSecrets | indent 8 }}
+      {{- end }}
+      containers:
+      - name: {{ .Chart.Name }}-ingest-consumer
+        image: "{{ .Values.images.sentry.repository }}:{{ .Values.images.sentry.tag }}"
+        imagePullPolicy: {{ .Values.images.sentry.pullPolicy }}
+        command: ["sentry"]
+        args:
+          - "run"
+          - "ingest-consumer"
+          - "--all-consumer-types"
+          {{- if .Values.sentry.ingestConsumer.concurrency }}
+          - "-c"
+          - "{{ .Values.sentry.ingestConsumer.concurrency }}"
+          {{- end }}
+        env:
+        - name: SNUBA
+          value: http://{{ template "sentry.fullname" . }}-snuba:{{ template "snuba.port" }}
+        - name: C_FORCE_ROOT
+          value: "true"
+        {{- if .Values.postgresql.enabled }}
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "sentry.postgresql.fullname" . }}
+              key: postgresql-password
+        {{- end }}
+        {{ if eq .Values.filestore.backend "gcs" }}
+        - name: GOOGLE_APPLICATION_CREDENTIALS
+          value: /var/run/secrets/google/{{ .Values.filestore.gcs.credentialsFile }}
+        {{ end }}
+{{- if .Values.sentry.ingestConsumer.env }}
+{{ toYaml .Values.sentry.ingestConsumer.env | indent 8 }}
+{{- end }}
+        volumeMounts:
+        - mountPath: /etc/sentry
+          name: config
+          readOnly: true
+        - mountPath: {{ .Values.filestore.filesystem.path }}
+          name: sentry-data
+        {{- if eq .Values.filestore.backend "gcs" }}
+        - name: sentry-google-cloud-key
+          mountPath: /var/run/secrets/google
+        {{ end }}
+        resources:
+{{ toYaml .Values.sentry.ingestConsumer.resources | indent 12 }}
+      volumes:
+      - name: config
+        configMap:
+          name: {{ template "sentry.fullname" . }}-sentry
+      - name: sentry-data
+      {{- if and (eq .Values.filestore.backend "filesystem") .Values.filestore.filesystem.persistence.enabled (.Values.filestore.filesystem.persistence.persistentWorkers) }}
+        persistentVolumeClaim:
+          claimName: {{ template "sentry.fullname" . }}-data
+      {{- else }}
+        emptyDir: {}
+      {{ end }}
+      {{- if eq .Values.filestore.backend "gcs" }}
+      - name: sentry-google-cloud-key
+        secret:
+          secretName: {{ .Values.filestore.gcs.secretName }}
+      {{ end }}
+      {{- if .Values.sentry.ingestConsumer.priorityClassName }}
+      priorityClassName: "{{ .Values.sentry.ingestConsumer.priorityClassName }}"
+      {{- end }}
diff --git a/sentry/values.yaml b/sentry/values.yaml
index 772fbca4d..e7e2e64ea 100644
--- a/sentry/values.yaml
+++ b/sentry/values.yaml
@@ -52,6 +52,24 @@ sentry:
       maxReplicas: 5
       targetCPUUtilizationPercentage: 50
 
+  ingestConsumer:
+    replicas: 1
+    # concurrency: 4
+    env: []
+    resources: {}
+    affinity: {}
+    nodeSelector: {}
+    # tolerations: []
+    # podLabels: []
+
+    # it's better to use prometheus adapter and scale based on
+    # the size of the rabbitmq queue
+    autoscaling:
+      enabled: false
+      minReplicas: 1
+      maxReplicas: 3
+      targetCPUUtilizationPercentage: 50
+
   cron:
     env: []
     resources: {}

From 999a68599d14e0c1954d436454cb048c9d354c27 Mon Sep 17 00:00:00 2001
From: Yoan Blanc <yoan.blanc@adfinis.com>
Date: Mon, 10 Aug 2020 11:10:15 +0200
Subject: [PATCH 2/8] feat(sentry): add nginx

Signed-off-by: Yoan Blanc <yoan.blanc@adfinis.com>
---
 sentry/Chart.lock                     |   7 +++++--
 sentry/Chart.yaml                     |   4 ++++
 sentry/charts/nginx-6.0.5.tgz         | Bin 0 -> 15107 bytes
 sentry/templates/_helper.tpl          |   4 +++-
 sentry/templates/configmap-nginx.yaml |  17 +++++++++++++++++
 sentry/values.yaml                    |   8 ++++++++
 6 files changed, 37 insertions(+), 3 deletions(-)
 create mode 100644 sentry/charts/nginx-6.0.5.tgz
 create mode 100644 sentry/templates/configmap-nginx.yaml

diff --git a/sentry/Chart.lock b/sentry/Chart.lock
index cd19623d3..21da05b1c 100644
--- a/sentry/Chart.lock
+++ b/sentry/Chart.lock
@@ -14,5 +14,8 @@ dependencies:
 - name: postgresql
   repository: https://kubernetes-charts.storage.googleapis.com/
   version: 8.2.1
-digest: sha256:b0c03af78854426fbb32803b55427b4c6aadb98a753f1163f8ed906ade6e69d9
-generated: "2020-07-23T08:54:02.125539557+02:00"
+- name: nginx
+  repository: https://charts.bitnami.com/bitnami
+  version: 6.0.5
+digest: sha256:95a04a0fd6722f2f1b2d1750355060369a7d8e1cee6fd0e26974a4c402aff998
+generated: "2020-08-10T10:58:35.648936347+02:00"
diff --git a/sentry/Chart.yaml b/sentry/Chart.yaml
index 09005dd5f..ce5ef4d35 100644
--- a/sentry/Chart.yaml
+++ b/sentry/Chart.yaml
@@ -26,3 +26,7 @@ dependencies:
     repository: https://kubernetes-charts.storage.googleapis.com/
     version: 8.2.1
     condition: postgresql.enabled
+  - name: nginx
+    repository: https://charts.bitnami.com/bitnami
+    version: 6.0.5
+    condition: nginx.enabled
diff --git a/sentry/charts/nginx-6.0.5.tgz b/sentry/charts/nginx-6.0.5.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..31729473bcd221daa04714fc202af85e82045c71
GIT binary patch
literal 15107
zcmV+eJN(2SiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0PMYeSKK(VFn<5`r>LjNeFC%C-9VDb_HOq42w^guNeBl>=FTrO
zC#Y?8w-&eMv1AAvxS#zwDoM8Nw)+K|%w!ku*$i##rAn$Ql}e?mWW<us-Mul%WN<|$
z@qgXJ)9dwm-#>kd|Lyg9_5b#sJ$?FLTRY!x?QEHHTiZL^-~Si%?gN<mlM6|*|LWbj
zuR3zy$U~BZOClLhMBf7liKHW*UG?E08D>PtEDvR#QIDkT1I+~ENgpn@Jd&ox&#hqV
zufdiVQ4wY=mG}+`3WhubIi`R_27+c6H1nwXMf)(~GL5}4pU^&xrA+(X?&alWfMo-o
zjXV~rmeeQF?{)`FCS<~bkWacq2r5NaND`ilt|nnN8R@@#eC=;<_daj$JPFcd<ek&2
zOP)od@A(=Q&&PH>A1>)Y{d;-o`H;~Inh6SN#y?+q6T%WnSVA+bM<;~EeF(XI`Tsc(
zc>oDfh`iMAJpD`eC3v2N6dSR~jF=qf1H{F&V*l$$JUpkFud80zF@6^Gf~Vd+%)cJI
z3lis4+?N2D&Hp=3w|1uZ|LL=55B&c%p0zc29rFQ+;S~}dun8GaNJ&N}RMJd%Yin>6
zQzGalBwSLEV<JJ0nSe_c$G|UWma&K;qt`2M0!zX;k61E-h^91&Xc96iHWeQY*(lFw
z1d>B8bp4SA1<6r$yq9MgO(c*D!eTOrixMrs_Vt@%I$}a*S3r_Tzd6d|_=JWTl?owm
z&9u|^)&Qz?`Y^e&e;<+wElW6U=z0LYQ}`!(rN3e=1-%glaQOP*@P7=fhNIQzj1Eij
zro@3}eUu7WAr~}*N-`2%1v$2&Bz0E6YpOAhZ&NOqL<wGL!2^(FWQDaK(E%fgzt!`z
z?HvzbZ4FLR8nWRPkP_P?9<%UDe||-WB#)&~)Ae{az9d)TF|eUQOOg>V0gq!MsgRF1
zfyRP@pc0E83=g?H%BY};e5{)*kneZ9=lOtU36)d?jCUg*if%4w=8tj~(Jpo%x@&1h
z{WOnbmW+J;4qNg7(gM^zxLxU<-r<r&;`j=LMKJ-AW#kI@aB6A;GaC9AOmZP%Kw(0X
z9NP#pN+gYdC3<Ni6Dm>?(x8TyXhuvDaW1+A_4_H0{9;Y%DoiwTewwihBB^iZxofdq
zLwpNDR4?Wc;)%=@2THD3MKZ*r;9I@m4)ZuxxPYXSRLvr+BYWFb5RuI&3IarWL-UdP
z^POp`U+YY@Ilm*_j(uHiOJSfUiGF56s#f=K;NFrHE}0x7P+F}3p|qF~1d|jOX*K`Y
zvi@+wB-NECByDc{=)>NEt-|5E)BQf2P7A@N&T3E`eb~ePUn}OA>dABh!;DXWz=%nQ
zr<d&-<zKbuwKXq{c|uQ$w?AZj@|sCSNi<P1HtNHW#DZ#qwnFSRlQj`GP4BHjY{aAy
zVTOncG1ex?nnl@&N&JSQY&+O~9`syM_6$GHk!35FW~-EEW_V`GwA)Ix+sn24muv;z
zQ_^jod_&ld3tCY#gaqEiP^AcUh|7?9Mv`z0ED=_hsj*&Bb$}&JwSz>`?1IF&)lpSL
zl9hV|#6`2R7N7Ojn5o`}XFX3VJVNq`l?j8Ghvy2T0R<98T36EAgdJzxx}lEt<B|Wv
z(OaOO$s~<wrHQ^OpkKVi-*D}#S71wh(Z2v<CL~Ru7vTT;&wI~%f3x2*&Lwn7nig+j
z9%BE{En84XMf9`&HyF!FZ2nBgWyPDR7XBB0RV5y|4GoEq;fQ@oi4c&E(_uRCHNgG9
z_If2?Wl6Vdw?8m?D77U6HGXw)Zj7jQ21-v#b<qiLJxA@byX;cKU>Bv6@<Soj&C-}p
z1~gN=p3yXBAwgLd(KP02o$$=tJ)S4B4_jF06@Hy4cGxRu^oVD;QWjLJUi3jtJytpx
z!WGZqlIL**F*~QK9|Ra=EUdf;<6KC!j8R$A|7k2t>i`;UCLp7~=S=DSie>0$nGqL#
zq4yWMeUvr<j>y_nt9^L><jD?#c*G-c3>j0(b%V4Dc@ol8imsZ23q~)ympnUHvRKWr
z&j<gcp%h)GRaC!I9_>076Zmq20PGHjEMf8raY_|5La<RXG3vtcqQF!rrmGu4L7MQ0
zcGrmM#wSVSlSDG#zEQB*zYC}ic|;*50~(74zyjD;`z#dtL;xuivS1OAodr$7<_j9r
z5TRC}s8=WWhGzvhr#z+_v(<ysGJ=X=B#xFWI!6G@pXDSLOlu50k0GPlc7rrag%qez
z#caZ4mB{9fQOGB0j%%K=26Z)$7PcX^viwXT7kV|$XvilMnnY^PjSOcN`A91+1!x*1
z$swjhain509KMhzB4j+rT@r+2&O%xk<P>Cq=139?uB2n8G<yNzm?WY8Zzcs~c>+8E
znq07q<2(s11Y;&;OwC$qK-mP5hhx?KTb3|2Ac2)05r<2XR4{R><%z~tE5t({$NZ8d
zBWyipi7G;(e=3bdj_E{okkF6{L9(k&#6P1GexaA`Fwf#EwMgUG43$iJT#oZ&rOxOH
z#Cg}+MVRJ&*y{Br=J$k7Q0?5>e*Tu>u3At3!d05dDP|Wmp+XptNyPA1n(+Z$PG~7v
z6>}1aZp!sPe$0k6yb5F5T`T(Zi>5u>_mO&|$W4aniPE>FR<cr*sAv>bizQRL#8)&X
zO4Z^?B>J$^Q?=NH@>~`#pL%NXWpSR-({V<{n8#5co_Pg!x9{(1Lw7rBw@)+1Bd1t7
z*lM*@WS(X`rI}<Jb)nz(?Z#f0kyk0TYMA=F4{tb$UXobRf9C1JKc1c*=>^i78qC`0
zd_Soaz}eHw6Ru8`?FcH?JfiCRy4cWmF7=1yOBV#Bl0#D(gafu%(AH3pi>WO9gi5o_
z*>~MF)grDhse^`v(x~7l<Dk<iehB<!M^sJ&@4~CN9yQ&B#K4pIYNhbomVLz#{=iOP
zp|8gdSO-Ua1N2eGFO=p*k}IXQF}<5|wFtNzvv3R(a-~!|tF;)Z8InZ3%?0Xvx=Hb8
z9tTp_TCnGR-0(vfGbMb@Vs~%^soHF27g}+(FwR)%^xltzN+|mzMa@&y^^IEC)w@fd
zer|#h_ri!rGV<k^`WhZz!{f8mB4MkaW=huy?f!UAcjBQWc=Kxa2zGNhhF646c%o+7
z5e7;N*6&fzL^T}GdvrxB=~cM_m6wzzMz$z!BrsB9R2S8%Im*_Eq`Fb0u9_94YDUqG
zO#z8J<7F%=`lw6w?2}xM{RrDxiIJtb>C*1f3$}aPz24T=v#Ryw`Oa+1g+>oiH(00B
zlJ)uX=WaoFjP@$qDa+q$a5|=fLd1qciiZWI^jF#vOQ_K*vWea;8C5Q&nR-Vf-3l2I
zmS_#bon>=qS@!mF|L5J~eK`Gb_Y_Wl+&|fe54&&P@1MZW2XEfM%Y8U_efaKp{}mkk
z0K2gF{^a!CTSGAW#~=2O;pLlmdq3&6cHbQD@4os4PLB5X4t_Y;KT$2d4a(k>vJ#P0
zV~)gC4$b@H1GpU148_XtInAydbD}NzRw+$dp~9~zk&1=D{|7ewQT*2L{(a1antA$<
z{@>Ls`~xfJ8M89J>{C#Zg<}{HLE+UQeo}wGI-D*#U`bSzVM)|l=7<P!$+M^^X<xK<
zKV-2qDC$3_ODe)uDpouxmaJp-Yr15}`8m_}uA=B3zB|M-++vy2oLeD6_<_aLs(5Jh
z9xFo3)K2Jv3Rp)Oqlr*AGUk_6K?5YCB`I!bZJx%lF#S1)V-DvSk`-EX1@Mvz7AZBE
z+3tk4IPqLk;fOl3j44Ja#z{BE65v@xGi%B~SxzH|7?m!Ml^hHadcBlJo2ttz-H#;a
z>H`gFM3a!Br9(HOz~Tx%y$@j8<XBR9P~mKADH%|pZQH|=Ta@CWgx5*U)CI1ktHI3m
z<qHHK^bvT)3IaDbe>2nqzwjJa{nRQB8UYf6$OlJ6j=|_~8RyzcTiCW<pnc33qHxGR
zndyfvN?4r5zj@jeHC4AP;<RE{djlT|UR6XJ%gjo>wf#L}xaDG4u2w->!BKO?ou0BC
z_~qSuIQjA2`!}y(@5kN4*GgpW!w>J?ym|NY!QpE-eW!{XYl_-?clg7>>-WdIrw8v2
z0oGOqj|0&A<2T4%h_q6;L!Kmxj`d+x!C{U7Ek{*Q`Dsjv;*bCF->9WgHP=yN+3$80
zBA-;{Pg=%*IymZ2y*qk$eA;n`8eTeLbXHd{QN%(g3SSuO?q(Fe;Mu6woFj2(Hiyy}
zI$`pHL=%>5F4Au5O6hs6D+vxAY~0rCSn@82d~FTh3#EXUCve)V4{8&sev+h7=nj?8
zRU%C{Qk*!5s$>n!31++K*r>|3QjQI{98XCSZTl(Yl&fYaDab|%&m4Jakvgn3qjBuF
zC^?VC94o<c8-^wA1Xks!+X|+3?^azyCDG9j+YJZJrh{hV0a{$@_Jg~@@U#&Gqp&s^
z6b_P6hQm%WG9kth#$)<z-`V(bkXep8nAZEjltB|-7Qu)nw5qZ;?ho`Pnu(%8cReOi
zq-|R~%cw|sV%VeHtD-!kne-<lA)``ZRqx*FSJnQ09#d_&x8O2i0ow!uN+pDpv!oP{
z&Qfg73d=pV)gb%!_$g2eSnL%FI<B}%>rf>%X{SVvh0!)br5~UsfLmlUfO$*>upvx%
zh76x5#X+~A8|E2qqb<B>m?YS+LMNfrXeIjK!Jdy=O-x8Tkv=p5kDmaW>qFPG2Ywnj
zckm+x77=hxuli`xft0Y!!1x2tfS`LrF$O6Yg1MyPG`0z;_OTGOX+P*V4wii1HSK7p
z!R{dDgYJajzI)16k9)h?F+<sVFo~)%5l?u8J^EIJx#>V_5eTX>NYF6Ps6Qa#IYpN0
zsEQp;J|vfXLL>{(&ON|m^`bk6TxWG#?M}wRCn4(U^ZTjWLC|_zZO<YV#zY9~#930Z
z8j`TOAQ{ciR9t~k$F$U4lW`%HWo(Rbeo4Ff@uvt^E4=oMyhhl*YSi<_l*Dp;uz*C<
zCBHSnR)hKu@@=+s`%(AvAQ=AB1%sVM$DC{_r@qb^H!~)hdCS;^-zp-F**T51X~(t(
zWWX<IxiL<7J{oVrAeZ(uo?g&I>UGmBxEZ~l^>DUCtYY_V2u54L4u(F#d|Vhhl)$*+
zc?SG4LAqo^77|HI4%G%5E%FKp=M+>T!StcKIH%fG*(n5Kj1Ct<lFVo}zItBnzdksG
zz5V0UgC7p|c2D>5EpTI9ampN@?84FU!H3<`efVkr7yRPzFcOmKBxVVPJhcjxjD^{W
zDLxzKnH<v$^0Yo4xlm)_O6QWe^2CxG5x|V~Ny}AZro;{up<MACUGF3+ZCn<NZ~DXc
zcuZZ$N6BqlYS?t=)5FYjiQZg%Xn8H3=!0!@22==CINslV^>#m)Xs;Ax9F`1uHYpak
zW~T5B9Ri?`w}-<e6xvzmDB}|<$21qP|5<HYXa-$)OJ&AF+*nNXpAAl!O~(gK&E4_@
zftva&JUOsUx+exTN6jZ&4^EEDI5`$)mUi0h7=zl^KX#Wuv{InY&ywPH2}h{n$fn{9
z<r%Y(fe{z{Fe7QP{x%fQTlmgjx3+dVGqAL$sLr(%1A}w8?^x-ZM=FyQ4_oY7^=#|z
z*7QzAA~T?I8zc2`SYRYt#=<ex8mSPN4z0bmdLq#T;Y`ORSk7O$!F9=?U2$K!R|ls1
zbz!=1C#HLHW2!kaP5UJ^J2OqWGc8teiaFn<YWv4C>rwNTCu%vUdA(NI)RfWmGIiTP
z6SbAeN=R!L45w3u^O+RmYUODm$@?(TeW)U~&B9BYNbA+1Im;?QY8QYE8a1y3&h9GY
z8Reo|vaZj~KvecuuXva%VlX?Ylm(M$jV2N9IjgXjPT*TTQNVnvZIx#3HPom$A)I<U
z8`0?NgR22B;8kI+QGzfYpyhfr6I823Xuj>rj8Y4p{nUWQn)9wsdM?z~8?_+svR)r1
zSAO|Zd-Ud#i;%=h!>wF~^ho)o`OXYXSaNK9viq>5Uy;wws~*0SBpXq=cl5pwPu(|f
z4c|T0{@1&x?wGBF_LsikajrI%>#YYHYik}B{h&+s;p1;@jZJv2MB;j)v|S~-(Wwa~
zq}#-1`zcDbv$xnD_V`C%Zhd&>KIVF<nM=_<e0REk63EYTg?-G4|FE;YwOzaa{iL_O
z^>F|DYdrQAqShtfAHV5)-j^@F+K^i<)SA7Fq=OqgzWs&g&gx0bu3Wo~X!}S)FYVRm
zL`V|HdV?az8P7*!JOOR#sW5ci+<4ZKV{}zVJ8mwmnpA3M@gpP2h{7YZ`1W5k))uy-
zvV5SAry2pkwgS_o0?4gi>D&Ck5yd-%Y-rtu1aw?S(M|!FRrb+i^yUWZKEl1hi+T~<
z4_t%f=FY928GXy>K%(m^I^qx*(o3~0p*K*Yv+==^b^Nhc?SsOM_A`-I`H)2BT7B-r
zW2GF2GKLYAATC1i{Xz``H7v*ax^PgcbT>EPU#f4#E#pr0R&WOg^D(+n;${ZD<_`Au
zKOG#sc(i`29_MxkzF!vj@<r{yG!d-p`(%MeJ8(UTE&V`m1BoC&O3?G&xw+|VC=9|e
zhfc{^mV_RaI2i^=sGefzJnwbj=En8cscrs>Ub>w&x-$N-2S*)frK%a=m0m;7d(V4a
zwOO^}u3+$oJi8=WwAkQ_i?BO?0#rvcaBf4?ddIgjPf16I?_TYr4^EAY79&~?{}en?
zGT}w%OQ3dt2%GrW`z^4(@;4p3%@OlyZlea-6nU#w#jT)Yl1>mXL$)M}6s1ypXMW5f
zPy<r`Q88)-wK)>a-l;SQUXYkYL{dE!8qKD1;h2W!#~g1ypOTR+`A4sW|Cvu+|NAti
zaY{20$aH0)fM)A|+fTQj_3HZH_YeBt*Ll8t>3#<nY|__fJuIe5biSCVVF|~y58ri>
zi@V=>`=3)Z)fvONK31XH%ocd2oNs;Z4YO;B=a=8m_!sDaa~Oidif%Xhhf->?JPG01
z4*tm|C;4#5K10VZ8&jgl*RrVlowsMsgNi<M^pW3l5^FDGlBNiE;QdT>>sVf@J`@fD
z1~eqOpdk2!!cT=!RAW12G>-H^Dw^H&MQ=1$t`GG2?5o2QRaR+YYK7Qn9h7n@u(&u%
za6J-AQKq%PLW89iPy6E$V$^@J_<T5U7R#@0rLrWIuvXqK4PctFL=K_z-@^ZIwLVl@
z)BP?(A#HzGC<p0S&$S|R6XgVm&;}7R$GQ|6v|6VZ%XC_iamQN!Z9?h6HQwb{t9s`z
z9q4@O+=dVMWWp0`a%+K5f7MNpG_AR5=yT35U+N2Ysl9k(8czZ-*0#E)vStjh@N^Hj
zAxuKuOLcY|%j*-~$RAu)YuL-2jU(|!-+VVWD0pImBWUf-+5>}$+T56;7%t}`td?jS
zL#N^$26EZ4nMU)N$~@EOnc5|}5^oIewX|S>B}zJalsRF~DqCe$F0fzS^7aV0tws@*
zrKlsxXu6<!>1<<tyW;#v;|XjBTU#LV6!mRHvkV%5?l$@wEm|Mof@BPB5gJoG=_StH
zFcI>UZhC`Uf@%D(IP2TNRu3XhMe<nM&Vb2H5F9SG>kQuBoTM=|XFN;*8~P}=Vm@MF
z;O)kOZ>r)UQOzi-BOq8ZigDj!mzS9Q>&hBa(N{`)J&*)Ao_Cki<*W)O?ww<3nEDu0
zW8W2~3thaFLf!useH28qYS$+hC(d{699CY>?xado^ILVLwA;g-TAwZdrx~b>b=Ay1
z%@MQ~=BHWJmtwOy4bA1gne`u-@_{M;OiWoaB&-)E%*K1v8?9<jdG&2kUaePIia#4F
z&*jOfIuCsKz=wZ!KD6!>v)RwOGcC${mGVn5UcKgAuB%pfV7UjD`!lheiFSQ}oL3Bq
z@zKVkfSFr7$3?dDhZ3{)?p^^kV?*~u&ogM*8Aw%fIx4txemuWA6fWiV4B0tgaSyzB
zR@*N--oq^ttf|CIZ9iQewZ@8bk*c<_3`|Ql-98`-jeVW*ALikYpNFcUb4<f?H7yc@
z;E;?$rVkZCl2H+u)Pz=UHPzP7A{|S&l3nZNX|r`g?6jJ>Heg*zn)R91t!v2Wh<^To
zB@uM|?AKqTzdX7YW3v79S--Qfp%DLh_xSMO@O2-KON1bzl7^B-u<rW6)D@hn??4H_
z&CNz}KdDUPpzquWnek-gI&EutOfEQ!%q^e#&=R#aMLCB2bbYG>?=LJF^1{C};-LuK
z+%085#O|11`jU6^B%+y+B#C^}i?4d|osxB`SY&b*G>+8gY#E!#N~dyBV@`F3=Ysp6
zH}P%Ce|@HB>ijF6+SctzbuOm?`uCc=W;GY@gey(c&9zW^7NUD{d1b2>Rkcm7=fYu%
zicohJ@fO~(evXAtQA1*d>2F6L_KMw*ud!N6)z?1VMZ7Pr5ih*%?7%EH3?+ElH@oq`
zdCoB0+<0`7%BxpQhjMl`qFF<9bK`|JaC*N;kmWjgHCLM5z8U6}W&&e)NsZWEOxOey
zn5jPw+q*LL7otqOhJ&%*^>9}rzK0g()?;AN5WD@b?bLr(!1tC-X9w108ZXwuqm4zj
zu_n5{j~I4fy>@Krc(83ON8Ihh=-dN-^J@2~VKC!}q(MCxlU5-cN76B%&W^#f*sw0%
z+=655#4B3C5Tg_>x9MtmDAvX@MBaOW_j#vJqGcK*o*h_^SSX=$p?_KIQzFNK<bfPh
z{R%pmP~)@gD12{j+K9hw*st1%<W))!1at(hvmFRD<Tb+$&Vc?Bm=2+C>}ja7ZtAFo
z{1-BbH=1j=G5#K(q%5XD;utPTmaqhuO*DQOJHvzuHJ19mUZ@HV32S!+sry70_D9o>
zfc^^|IHK_jNmB)3`L0ec)%IINd4-tn)V_NmsJ+!oCdWLN&dbg;=BnU7IZL4PYtnIw
z`h|Dtuq<mUL%~SDCMN9ahut>^uP|<4|JMX<aJJGlPR)ESf)55s%|rtD&`2sD_Ar%9
zIifn5%WEcU0WTJs{?_TK?Ku}*nAdrxHQG7lr!?R><#mFa4L!MtM<1GtB1d7s9fS#^
zLBt$G_*9e@lg#RMC8LfBv!|Aa>Ibl1hU&Ejrnt#(WAy3E2_}Gp4ateOY6n*!sFXGu
z>)G5vIm7<i%IW^koI8NQ?WyS?!9Yi$tlZ<X@QMYgsLF(OdqvPtsy6Ram-Q-BJz+x0
zIv-2<8bn`T62w8ri$6u|*6M}CK`znOs&!YqJX+j0nFM9P4U@%dOkoNZll-x5jQ?nV
z*?+gE?*APXDS}p)4R((IcW?Xq?`!_wPoF$_$p89P9yhNuNmJ3i*z(R<67`*AQQm|~
z5)nx%+ql{HTRbo>sC}*YRn-dXe;U9wBrJ(&BH@Xur36bK;{~|awH;T>#^x%nm~NZT
zG$dJZ_1f7Jx(Tv$F^iGu)Il19Ei8x5^HM*ZwmeiLr@*?q>RT&N-3(#hSL<$6D?5A6
zy3B9i9cpuyhP5G($<*;~4f>iM-oC?t<}F6GwaWgYaX4%DEGr=1ejx9PMoX)!L+5r=
z>o$sq9U`A}-EDp~XhOwXc^#E)codx4jpR!rD8@SPG_^4yDJ~kF4deuEEfx7>Ca$#?
zS^zXm!1PJB>Z8i%4YX>LqB#^^rb(MQ&5g5MG&g@<8!>etb91DXg=(48mWQy??A@Vs
z5~Y=8s@c<)htX~H?jX*$U+QXV;)=9~l_-IFO&c-kV_SYDQKx-$OtgwO|7<_tz@>Yr
zXQHjFMRSi|bse~d-*YZ$wc(IYCM1da&MSpfcfgYFfQWJJy-&m1o9oJNz|5yQhw6L~
zD~B22`)0p3zoIF4bAu^G9SAPmC?YjT^+f5drP^860LN{|k&aJUHX6>EbA^I0u1vP1
z|GeqG9AiNJET?~ih}S-1j}Z<h{NMkJq=89odB#R8S!SLa8Wu67=^_JT<2OyU67huI
zC+$od8>gwMVfnVb+0^^?DT%7CJugp0i&0BjCUL6+XOiz#X1baKc1B*5N=3ya!|9?X
zQER=l+rL;IfR<K^xCoy6u6i=y<~696tfoBB_GGjmw^S|{s;%wmKIZ{a&2CUFTFZRU
z1WK*?U170t_-bI-SaZz~*h))wKA%B#4AF{qiJ@3#uq#hxHL58F=rkJYCu~F1Xr;a(
zbCv6b4%Av`dK&sW!rcw=KIatpQzJV~?askfT@{);<f`&rA)jhvHr(~2huRT-u+awo
zk|KSXF`TweHkDs;r#Rhciw<1ps98J3#b(_OSv_Zpe%e>3>5DT<EL2lBTJErBH3JSa
zSB~j~R|^c@-PVe>cG~84sd>HQ>e1fP63_wA<f3_s@UR0DUmd+WKK*p~{_V^C<Jx2)
zN6efgLl`YAU-p6jygxozrUNJ0T%NIJ8f@+B<?hM;Cnw9+a{cLSiOY6*aQNyDUFvjS
zx9IX{_vGZ~cgL@qI##NAe@dm--W)&Ct7AHx{<^U7*l%ZZFp<_>NuY}>JpHLOWixR6
z;o!~ba+K+es!lw)_^AGPdV2Kfcz^fJ+go;6q_AAF&%Jl=emdCybh!I={|-Hu88Mr>
zpD(`Zw%CR>$rM>=J*wR#TVgSq_C{Z1uMHm`cXN^99@_@le!K~fedFncA#wdYW9nsd
z7&RS?>+x@kt#i|Z0n=+-5xZPJ4Qbo#qd<CHCQd5=(7I7`XF42t)3?S9Yg<n%Wty|S
z>8B~V+gF5iHlSPWTO~_7x7spIS6*uCH1*0Hxlfz47T7>l{4&dDQR&>ey}`(H^{Ml<
zyml)I4UyW@52xh2p6WTpSFnR?a+FwZ6SCTE<U(7>c{5i7zug5jXxaI+AX6*6=tM6%
z!_(y!VS(Fi9cOME8}@V4KGg0p?^bW_=~nZ8Qq&6FeiM1?Gn847F1C-HZ#fVq-Kjgb
zZUQEkW@mc(292=)(e4x9{8RV;(HXmZ8y$HiK0tHge{XMX*W-Ub+xouu;Q#YAo*LU%
zl0v$i@A?VR&ypqrQvqFU4X7m6WysWP_7`gRbXPis?)a8oLk(^#Gx2h>2^y&~J9D7d
zATqy{vBl5n)h0aBuIElriE5{0+SlaE7px06H#kC%tn+$hC*pK#y`wNQ?gDt$<EZNd
zd6oUp><U^RFQqr?VXiRui*$glfHw&q>k5L2j;sZLXQrO{2-6%jR@Zx<;_#|<R@yNX
zP2+JZw7+~QLTGln9UU~jt}FdvgE5mdWNb!3#?AYc>EcsN*Kn8OVM+eRo~iXeC98A%
zHP4*&f9uKjTT}Tzb{^tCf0d{1E>|WuYFquCBHfE^clrO3XY5}*kt9CikxigPvp>Rp
zSap1g*^~-Pbd#quuKaaxXIR`6;z2dple4h8Bk7bemE3etZI#M0rc#+BblT0)saWKd
zDwjEVmC`;O8`G0nN~|TST$wc1VVW0jbX&U@G$SMWUb2||tMn6HsPl&Pc_!RC`_(N$
z*D34n3cUfL0fT?PWv(v&SGw^t&%FI#Z)ayZ{{O@MkFWB4nVakBo_Butw&i1AceBU7
z<~FY_QC7nSuRW*Mx4*S(%;EJPwW(u^Zs*v;M(*Khc<SrF>sBF5TJ^i?0&~{?-uF-H
z>;Ly#TMzrcuktipG;2Qkan*q0j;KDIxy=Tz=Hhc36+rI{-lgRCoO-tV*=|7#x=S6I
z;&2UvXHRGnI__xp$kDxlw{VOYa}cS@e=-3Gc{1$7weP7BYYsb8KM})`DByBO<Q8(g
z&i^y6_1&7r=JNmcvpWAj+unZQ|F7{hvh|+zGPo6I*IXBF!`imXHZKt57(fRf-5_)p
z_et-5hi!EJcB>Y&KYrQ9if`&pc|};^(A0P<_b)#GP5jS7YLe)GmGj@N>Gl8F&d$yQ
z|9_3=7Wd{wCCh)Cj$kN=C8HqZ8RY`wNIIH>+sG|V#4Y}LH2@PQSE^|qe>VDs&aPY8
zirvm^v4}091sGAgEq+_O!pz_r%f{BANu=Za^v&+O$s4oLeRHwdo4)&L-z+kJ)3xV0
zKDCWKy7-=IXVJ29<@F)}wX{=#svx?P>50N<|JLl_x8?-Cz5aI*e(m$WohRQ<*?)V_
z9{hj4%G0u~Lz?}H2X}4$r!1rui|SI5avB=gSj=|Z)U|tnwWPCVQ*$jon@?t+o81xp
zyC5;E*`<(aSdsKrz99j;&ExLU$2$GJxm@Rslc2w|F{5CSINs0${VZvgkoYts!yyYB
z?v2>`jU}sVZj-$hL-Q>RH-;(4pvzMgVyEcAk&WC`ecK3lwMYY`&TW*22mxvRR%Ja!
zzb>W^P-_P4>L|>dL1$tX9j@8qWs~y@yvF24y0Tvyv8q;U)gGEc8MKZR7CM?aT;fkQ
zUgDMmCR#^qv3p_7*Py0Gwl0#|Y0+({0+E;%YpGTDee!Q}K2q2JWGq%@_qWeH``^>8
zy8id{>GsnH{qJi$^Uwd=k6lHX$7jW-19v(Rm^$4r%!x7<L1<-2NHfWXEL1=g_H=uO
z8sJqXRZMNL-Os-7-^R}VXMHsP2V)vf*eKx{y@x*L^Z(Nt|8GCt{{Dggzs9o$M?@->
z78B)b5`fDwO<<6-IAX~NQWBn%5fy>A2B%{t%6x%hOyd|vF&}8-1WQJnkkOb(c0tkT
z<Gd$H<gGzMM>=BqdYaK8`%EJY7Z3kuBY<~Fd<8tgnhGRHX$CP%Xy65}PClJTo>6ZN
z_Rs<kANEclVwv!Q5tCi~SA*{bgMVdR{MWu1kGkp~`%_#b-Ljzp3D5HshAgJS`z{cd
zsrOwlAm`q9ft;k?cmM0H!3UBto(nj5wJ*FN&G<iQD7}D1lyr5ujQ{gnlmMFlkN0<9
zz1<Hc(Y^FBoBy9Z?LDjW|JJi-5B&dCo;4jW!t*}je}7xIDWLRH%d^pjVpX2-JPBz8
z9jZQ1|8r*pn9xZzX#(0E7czQ5GaZrt^Oa5XGUOTjczSxYiT|E#!pU3p<LKSdj!vU-
z@OJk|Rgpa8vDgG6;8F<|B7or576xYbqMLw_gkzI}gTN&n*q+u+R6_l8Bk;VnH8_3q
zw^zrWcXoD$(GeekTI(>~0FWpGbKqB`z6!@g?PA>ISLSb9l_f%wIEKlUpJ~%8R89?5
zSJ?AGB8zNWp7+vpq&v`~qM9Qag^*-aX+T$?hnHqF+5{3RIT~NVgfJcWA<{T!nCk$3
z&slg*g~XSX2&VqNBv(q3>p1RCv_jws5csLkjUbG3A!(*_#$fhDN+PT~CP@@iH&xgr
z&(76Eh`{r32|y%Zz_}DMBdMAwO+fHYk;4g+LrF{{Cdc`}9ZdUQKf>I$I*`T&l;P(!
zydO(|b!+`@x1!%|6nN;2XKGwNs&OqlSCbZq@rGT<V4}T2gQ+<QNdf~3xv;Aec2Ck&
zl&zhcH;BvzPNM^~nhD*!&7g~Oyr<h|iG@}KdMU-PdN9XCz<|;OBo&fI3V+E{)x<{&
zrZam-<>VaaiDVO61yN0&QhzsK{pC+b#~XpU;Q;EFn&c6cc$H&9RA;AePQX!!#U{jj
zG{Q_C3ZvpI5AnU?c?KlKy9sFj(~NeM(Tx6{Gr=Skp69#ZZUtN0fAM^q7kF#?FJS3^
zC+PVDD#^}Y4AUTY*}24#^So1DupQ=;!V$wMQa>#lqPyo=$(LvSug~|VV=AZ(93w0r
zPVoj#@0d0*q)G8+eNZd$xdYGp2YmP4DNDcmt`BdRV*WU`10W0&oFTk16H*JJ_X%qo
z)!csSMl_~U3l?_>9qOJQO;e{VUW|bq0m$ftUr+&d>Rg2RB;^TBqyQoW4;hkTF{^r#
zRU5h+;m)-oxgslz?sUlGm|yCQhl7|390Ogi7{-ATZACrBUu8l)cY@09<(RUpm=B%S
zCGfoKvU`~OT*E6W!i-@C>iNZ&eN^)ryxUdxuKgvRr3x?q+_Cv<?;6gUlE|O64Bcy;
z``ct$$0}eGx!-MCu=%ru#m!wWQoW9h69T`X(K<2(8Ya&k9xbC{l>o^yvLt@jaQ5-H
zGgvQ@xhqMk2MnV^TZ>SkfY1n19*GSH8Jh%k)|}YhG*_;8MjT|c@)0n8i}|S_QznyY
z?@c44llbFGwaVuj&MJ%1k_b7-NHUsRxr&S=qdP#}*!<a-)7{q?wC-m4sd11g1H8?j
z8HbKjeXO^V=NirqhKF1pWmM2aE{jeLnReE<y`5lgt}8H#^=c)+Dg=On;N1nyG8WO<
zqj3!;8?)qU$(D?$EfP0%p=voUP0C9kb7#?Pd!LVxi;UjutqhS>A=8kNx23^rz*vxc
z2-c^ybQ&%-II}G`sQ}SOAX!L5SuHY0ANFQ8)qu>=hrJb`u{vaC=Qug5^!A#{8DN`S
zjH7DG#buBgl32`P+*={jpcq_Z4#<02|5u{{ESR?ctcuLa*Z+zJFk(wDGYcS7Q4CyU
zR=)nPMgv$d%Svr#R=)ltGQ065xoTgvSAa~R7<>a7zydj0i{6e)Atkv<OVlLNZa1{|
zCz@^I*h+6Nbut{52$Qe&)^hmkB4gdC&)nV)tZ(&@XP^)YNmd%1H8tSWXtT|7I9|iq
zv)-+7F&aR5Rc200*Ra=`p?(F=DrRQZ-J!EuZ|&+#dm{d?ij13kbKVx<FrN%)rqHoz
zJe~86yFS-&wsm_dGd$x)<({KxmSKjVNJR(e6S#us8qS{gp5K~ls>ql$OSASfjmVtF
zVkHQzg3PM9IA@!hj(Fs{h2OT{w&u^i+(L~hsw-q{>dE=dT!Y$$@gaI_c2k9zuFL2u
z@G{7(pN>tAb6^6f`U~y%cxr36up2GNxLGRa3IHBa;|_*P4I(528zqya_F?yijFZlC
z?mBboq`tflWKcJ|3o=D~`UQ-DHYyin^!J<!DY`M6u$9QN)$mLuCBovO`HiUtIxo%&
zo@+Rv6wb`q(G{62C)v!*xM>q+OEU+VV_R)y*sKB>*F$}t0C0{B&CMjdFmhKkZ1ZQX
zfBdb?v#$U7T#Kf`03BJ<6|MYb^JlkT|7*w;*A-^jnjK_LR*lUyoIQE6b4Md!<Mo85
zHY;R?mp)XTmEm*^XPwT9W~O%6qVX88hKyJ#HmgLY@j_K?+q{ovP6%VB1e#fM4vrwr
zsA`7X=}i3^&i1tD#jP-^AXB|$)l6otw6PJt6fz`=G9{(&^sI7b$XwOA6ae?4Ij=+m
zm<ndp)?h(qZ(i*l!EP?cpeq`0#ydW%Fq}_iQfxg%zcyIBFR?gSp%r}<hVuqwT29fg
zr>A6<r|9*ga~(H|<Z^5RNzGZ(8<A-}MQ=rBHCFUh7|v%T>|AtaR%1n9#nE{!vE+<4
z8jx9~Mx%7I=g*(t$vV@T#Ij8QXlo(7KR(#hwLgmA`rW_VV4(l#|6QT@kL6E`R<O>@
z%8*&NXd*Hh=Mr8Wg5)ruBjYA1D9OSx?xoewTrA>^_tlWW+?#b|UL67-YDg6-EQ!>A
z5yiVd_lt~;jCWS_R>aDy%)pB9x<6!e{?0}+vlOK>eB$8-zWEDcq}BzRNaOna=Rl^&
z4SF_(3~n<O%#dO7&{aM6i%gkr^vv|8?|tBFz3ih9(60I{aU}Pj0GWEg#;HZK;rIn_
zVOSq!Dl|eNpG@+^kXiuN$4ImcogJ&YTW1yyXnEFf*rdPc^Cr@WD_8S|oHdQ+)Xd!Z
z6re2|_jIcb8o(+|fh(SwIrhK?WL9YkTm>?<+vYQMGqX7}Rq&iS<8h2W&c-5e7i8|f
zIctbF-@0wyjjD%DiWO8n-&{?)11hUU#)ik3<#1|Z{}-V&G&*=-V~==%-}c^vInuc8
zQ$c1CgN8-sz6=^GLk45sf9(B+AqpGYyoMib%zw%Cr7h#=tZ)3>&1{CES%+ibAz5BT
zHzSi0Ic`Dbh{!Q6Dn{|ovlxWT@=)g4ovi@ZaMr!6AAl2LU!h`gYBbNDzBvJ%wcs9}
zRnCk-rcBw|u+AuC%%Z>UULtHbV!SIdzKoaiqN_<W^i7+=H5FtISMH>_3U#Id8E4R|
zuD}j5drr8M)jaov%sFjzai}2k6J4bnFsulf#^k9j(#)tcy2`4xnpJ23tr=4r1i+tO
zov9)-OR2erAN7>nk5;n^4WKoxY{SgdkXfx(vwCD^DK+1KI@5wogHrPis54UuU|W@%
zZ$O=CM5a-x`3BUPx-@H7YQ6z=rWKhfrREz@XIhb&Qfj^db*2`ZbEb9XL}IW6yawQh
zB!e{L6Dr3v7eGI!JX<J8LTmGP*8nUs^KYM9^XyRr1}nIUwu+<kIx_9I&*vj^r!(}a
zqjTH%Vwg1`Gwb&Gd}Qu)hQ5lU^C~j4ZlBLb=1ynmt2jEJMyBod`8ROq%px=YP5|y_
znEFiOsclXBq@_GsUqnYxWL8SYfbp)*31QQZZbJ2|j(Xhr>(<sz=jN=6%zS6<S!9;o
z-F<r%E?Tqm%2W*+dl^-#7!VhscPY(?+K*L}%D_5_1xMsqMn%Jdrq2-1)UcmztahDg
z%Oi8<AX6snU<q7~SvYpFVgj-}Nmz0_k+w<=pe3nFMQbi@0}^R)F||RAc^*e<q&1;O
z!L5;5Z<_T=V5UX}oP|s!AxoiXn*1zesQ5&qgU%*c7;jZ15shv+wD*Y2^p%?H3Qei4
zauU+Qs$uWd-1=DsnYkI*XDge9-OQ=th-D`b-))h(vjAwx``>74ddm_v$tRFBUU5{d
zP>fD{TVz%`GZXT8HZtV%Tx1ka{V9;qxdHZ$-nW=%Pw_kK9leKKvY7o#TbELrg*1^$
z@wmftKghhLla?)jK}Hu?H9o7k+blEkfyen|-nFx9*hTG8>L89-5iWF1SYQ0ATRSp$
zwrD!YyybZ^GgearG83!=>j}>$81ATyM(PgJ=KOnocSgpuN<AgvxQv<TL|Q%beL*Fh
z)2kP_V13*y{`~C>NH)q*7)x$KQW{h3SpYxq4CrSvNn^S>6;`q#(&n!ofbOh_f~R*@
zFLY=PEC4M5Ie`rLMH!M(P!kjKtkxE4gf>=3;CZ_--c8X_csGH-FS~EwV4!gAuO)DN
zn2AiOU1178NGHami7T6C{DLX9;d0E-m8BAs6XQ)TKQR6f93Pyf0dN9_{=#zvCKt34
zWAvlb#Bb})j|~j7x#xx;#gLd4n|nkhVX;s}*WlwZ*EoGRfrH5;$3UEFWA4Pzjd)m%
zv|5HK?vDATFL^glBAO{>CGs=fps(8Sost`#cOaE6CS=BwQG5j%Ra2~0Gvj2&Dj+CD
zo4A3EX>!3bj(2ZOL|&Q*bil&{21lVN_MYJwlVO<HxhzB`Wjczez|#pbQc&e-RK_zU
z5V7HqW~wE<oi2k9U$QcSD-cNNrHMU?EvTVnQn-<v+0Ycb&?z@;4ATi=Nm*_a1REu2
zBTX#SViR}<Va5<{xX9y#W@Nx(eK#Ck_yRqTdm2rxSecG6V(f%RN+y&+Q!NzM7gLr2
zqOT0S2_r}dQW}d&bBz<GIUfYZGNwo(tEJ*q)7RZ_WshSpDtN8RKTeq!{}cQY{QqZW
zl1Z9oTnRPxx7s9{XvRn<9Jm}?D~y1cozr5^EX?TW`?U%bq!SZX<B|^CxX4=e=s_~k
zWaF4$B5gS_EJ#argDX#{o!~OOty1WDB>JA`!(PmBm)IEDs}Cns&W|6a<Q{H=!3fBD
z&=&PthqQ60V1YnBs^Z)rIi;)&V7G`RgN%XGgH|5ZBPJ;-s2SNgDH4Jr+=HvB-o#WG
zo51tcw&;Rkf(uf{uG7PXxYdK<y(Q_Hxm7Q@UZ&leHf*z=?y;Q2YPuqtslMI|9ZI_r
zk)^ROj8#|fC4nQwV?xqI>h*swCT!wFsM7(F1e4T8MG8F6O8bJ&3}3Vmnj)O2pzDS(
z+a>vx^QB`#hddEHrrvBad!Z<-txQQXFB+o8PokuYcRmuD`D$=|g{v>*RZOE`#AI8u
zn!;X8h>$e1k@?pulW(}sbx}4^?#E?x_9Ewr9xGF)p{lbT)k}~w5q8<FMkXp|+vo?)
zAWgRmryL@V;&u~4G>ic$v=A0kp{EWdRHZ3r1$X9IW5!IFZ?*b+4xA?Cx@qSNYFjaq
zB=iFOU;laUc~2)*kGY|&t|<wSQJH56Z1;N58PhoC|HmX?zwy-nji&N5$&@VXL#ee{
zqGe|J<&%_1rX;miiWO}kN0nxd!t%tDkOGrHhC>=!rLU{FB^PH!>f*rj4icq;qtSP>
zShY~}D4BwctFI|Hg}JOmXvdK^%M23`De*nHQq9OhY|f75<Sb@~TpCpq7gZF9MbuDK
zGBbLCiD|SeidmiZ?U=lIwR?of2|l49LYk0_aiLM1kSl8(#Y;Q5Pj{}jpjnb<k-p9|
zQpyDhLn?%!RY^mo-xN0J0A5~|)1kWFGz5!qPslm;qZTugpkF%A>_*f$sOyG5EA4_S
z<t<X646T^5W@;b`7$I@7yP%1C)lJW30X225^ww_f6uOBO!cA9&(~PGylY0Hr@=p~O
zO61a1Nx!WC-dnbwc?YCu%Heda8<w<(YgqkONI81uE=3-WwHEvN3f4v43x6Yk+P=kN
zYJ1fRT7_uya)B~*ZjPo+{QDC6CGLg<p0^#q9#`yZG7FF)&oDIx;|Yzb$SN+;dSanh
zxpx>to+LDMHyleLAJH&2iBl$y3e$*}bEQV-8F-(LGNP6X&0kN0XF<=~jnqEFEDY}T
zH$~wJ^1znv1wGGuNy76>l0~8rVM^`3vT|*dlZ+&i(g^Y-R$PWWS}NPdQj1!)Ngjc6
z`>}AgDI)MJHD2=UoMb##iW^0`<&YyDRI7?cZx^Kykz4~CKsA|y6~ROZG_)9rR7<>}
z5K)9sRS6zpKE6=KHd%zTr^4dk`ymk_iRcS7zS_O6g;f`7%&@bjmcXrVX?VBpZ+KH8
z!*SE-%Bz&V_^03r`00zsAHQ^X+UY|_C+6sELMJ71tlo4L`*rQnK-bBBs<WeXZhm`=
zL;pu7t$KJ?_UO%Z$hx8Q9YMO%KIY|r?CsR^zwSJJy8V#<?Q1;d0I^KMZerma96fOP
zf5KDnzh-`4X{5fnj^LYpluwe#*Qy$7YRgK9dHnzV_qF_w+uJ)2`Cq@zvj(SBNY`qB
zn(T-s7^YHf3e=uc+aK|SLG1{_F*UmrZ_Q{bNklQb1#T^}jE2&iV?JoJ9$=V{E=g1T
zHEl{@Nkl*Ee*?6$=|9u4u5eSS^}q0|`trzD9ugtL5&M)9As`*6!*pUuyZ_f-&zLWY
zQf^naeJIjVn^J+=N)=t-c%ES&B~#5tvJYtb!qn1z`1qUW8P;klv$lrO+b&3qhYrbO
zi3b~_gb7-Aal)fNZBqZ~xd1-EytDvoQ1uMy<GXra1^=6sUxZ^iA%W5rS4m@Y_<!f=
zPOrB9Kk02hd*J`C@hG<FJkk@d_5dcwrXm5~kOR*~UH#`;XHykdih?SusZGB#`)Ec*
zr*C+zWB8zW(OebZ4|z7}XsRsUNhV_~Y;P}_ZGTy-p;LTssJ!yh>3qO>Oi5C-(*{8m
ziub~?%-R4-)i$Cs#h<ESe3g`Zv={semrI>>wQ?L}jcdgrf_umsbc&8{%04><94)8{
zOgXe9rav|!H)c^plUhdr9h4oNKH%nkv--{MEDicyJ26hF8?XMC{;$EZ<A#cFq9m3`
zI-=Qvq%<8&zN}cAy;*VRI~5R}Wv&Ur+8oRVaBtf3-wI(vS>w`5B69?84j)}xUln$<
z4&9kY8?5j5%C6;r>4T4k{_UCVOdj2{=O)F?l`?~c<k*I2YQ2@E8rihE7`Gu>8}M0U
zHe=l8j@`WRYjLNZZli4|YdVVLATtu47ZancuMIs;chMrNV1__~IYJ3s!DK*c5=>AL
lPW4}{VhdHkn}^Nw!}IVwJb(J<{{;X5|Nk}t5Xb;n0RXJVeq{gv

literal 0
HcmV?d00001

diff --git a/sentry/templates/_helper.tpl b/sentry/templates/_helper.tpl
index 2c03e32d0..d68c543af 100644
--- a/sentry/templates/_helper.tpl
+++ b/sentry/templates/_helper.tpl
@@ -1,3 +1,5 @@
+{{/* vim: set filetype=mustache: */}}
+
 {{- define "sentry.prefix" -}}
     {{- if .Values.prefix -}}
         {{.Values.prefix}}-
@@ -5,10 +7,10 @@
     {{- end -}}
 {{- end -}}
 
+{{- define "nginx.port" -}}{{ default "8080" .Values.nginx.containerPort }}{{- end -}}
 {{- define "sentry.port" -}}9000{{- end -}}
 {{- define "snuba.port" -}}1218{{- end -}}
 
-{{/* vim: set filetype=mustache: */}}
 {{/*
 Expand the name of the chart.
 */}}
diff --git a/sentry/templates/configmap-nginx.yaml b/sentry/templates/configmap-nginx.yaml
new file mode 100644
index 000000000..bee7fda4c
--- /dev/null
+++ b/sentry/templates/configmap-nginx.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "sentry.fullname" . }}-nginx
+data:
+  server-block.conf: |
+    upstream sentry {
+      server {{ template "sentry.fullname" . }}-web:{{ template "sentry.port" }};
+    }
+
+    server {
+      listen {{ template "nginx.port" }};
+
+      location / {
+        proxy_pass http://sentry;
+      }
+    }
diff --git a/sentry/values.yaml b/sentry/values.yaml
index e7e2e64ea..04f2df2d2 100644
--- a/sentry/values.yaml
+++ b/sentry/values.yaml
@@ -220,6 +220,14 @@ slack: {}
 #   # ref : https://github.com/getsentry/sentry/pull/19446
 #   legacyApp:
 
+nginx:
+  enabled: true
+  containerPort: 8080
+  existingServerBlockConfigmap: sentry-nginx
+  resources: {}
+  service:
+    type: ClusterIP
+
 ingress:
   enabled: false
   # annotations:

From 50b6c47cf91054395137c4df93c9dba4a419d816 Mon Sep 17 00:00:00 2001
From: Yoan Blanc <yoan.blanc@adfinis.com>
Date: Mon, 10 Aug 2020 12:32:27 +0200
Subject: [PATCH 3/8] feat(sentry): add relay

Signed-off-by: Yoan Blanc <yoan.blanc@adfinis.com>
---
 sentry/templates/_helper.tpl           |   1 +
 sentry/templates/configmap-nginx.yaml  |  12 +++
 sentry/templates/configmap-relay.yaml  |  29 ++++++
 sentry/templates/configmap-sentry.yaml |   9 +-
 sentry/templates/deployment-relay.yaml | 117 +++++++++++++++++++++++++
 sentry/templates/hpa-relay.yaml        |  14 +++
 sentry/templates/service-relay.yaml    |  27 ++++++
 sentry/values.yaml                     |  24 ++++-
 8 files changed, 231 insertions(+), 2 deletions(-)
 create mode 100644 sentry/templates/configmap-relay.yaml
 create mode 100644 sentry/templates/deployment-relay.yaml
 create mode 100644 sentry/templates/hpa-relay.yaml
 create mode 100644 sentry/templates/service-relay.yaml

diff --git a/sentry/templates/_helper.tpl b/sentry/templates/_helper.tpl
index d68c543af..aa75a3384 100644
--- a/sentry/templates/_helper.tpl
+++ b/sentry/templates/_helper.tpl
@@ -8,6 +8,7 @@
 {{- end -}}
 
 {{- define "nginx.port" -}}{{ default "8080" .Values.nginx.containerPort }}{{- end -}}
+{{- define "relay.port" -}}3000{{- end -}}
 {{- define "sentry.port" -}}9000{{- end -}}
 {{- define "snuba.port" -}}1218{{- end -}}
 
diff --git a/sentry/templates/configmap-nginx.yaml b/sentry/templates/configmap-nginx.yaml
index bee7fda4c..1939a39c9 100644
--- a/sentry/templates/configmap-nginx.yaml
+++ b/sentry/templates/configmap-nginx.yaml
@@ -4,6 +4,10 @@ metadata:
   name: {{ template "sentry.fullname" . }}-nginx
 data:
   server-block.conf: |
+    upstream relay {
+      server {{ template "sentry.fullname" . }}-relay:{{ template "relay.port" }};
+    }
+
     upstream sentry {
       server {{ template "sentry.fullname" . }}-web:{{ template "sentry.port" }};
     }
@@ -11,6 +15,14 @@ data:
     server {
       listen {{ template "nginx.port" }};
 
+      location /api/store/ {
+        proxy_pass http://relay;
+      }
+
+      location ~ ^/api/[1-9]\d*/ {
+        proxy_pass http://relay;
+      }
+
       location / {
         proxy_pass http://sentry;
       }
diff --git a/sentry/templates/configmap-relay.yaml b/sentry/templates/configmap-relay.yaml
new file mode 100644
index 000000000..7829fae2f
--- /dev/null
+++ b/sentry/templates/configmap-relay.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "sentry.fullname" . }}-relay
+  labels:
+    app: sentry
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+data:
+  config.yml: |-
+    relay:
+      mode: managed
+      upstream: "http://{{ template "sentry.fullname" . }}-web:{{ template "sentry.port" }}/"
+      host: 0.0.0.0
+      port: {{ template "relay.port" }}
+
+    processing:
+      enabled: true
+
+      kafka_config:
+        - name: "bootstrap.servers"
+          value: {{ template "sentry.fullname" . }}-kafka:9092
+        - name: "message.max.bytes"
+          value: 50000000  # 50MB or bust
+
+      redis: "redis://{{ template "sentry.fullname" . }}-sentry-redis-master:6379"
+
+{{ .Values.config.relay | indent 4 }}
diff --git a/sentry/templates/configmap-sentry.yaml b/sentry/templates/configmap-sentry.yaml
index a79591091..cafe24b02 100644
--- a/sentry/templates/configmap-sentry.yaml
+++ b/sentry/templates/configmap-sentry.yaml
@@ -295,6 +295,7 @@ data:
                 "organizations:performance-view",
                 "organizations:repos",
                 "organizations:require-2fa",
+                "organizations:relay",
                 "organizations:sentry10",
                 "organizations:sso-basic",
                 "organizations:sso-rippling",
@@ -333,7 +334,13 @@ data:
     ########################
 
     # BITBUCKET_CONSUMER_KEY = 'YOUR_BITBUCKET_CONSUMER_KEY'
-    # BITBUCKET_CONSUMER_SECRET = 'YOUR_BITBUCKET_CONSUMER_SECRET'
+    # BITBUCKET_CONSUMER_SECRET = 'YOUR_BITBUCKET_CONSUMER_SECRET
+
+    #########
+    # Relay #
+    #########
+    SENTRY_RELAY_WHITELIST_PK = []
+    SENTRY_RELAY_OPEN_REGISTRATION = True
 
 {{- if .Values.metrics.enabled }}
     SENTRY_METRICS_BACKEND = 'sentry.metrics.statsd.StatsdMetricsBackend'
diff --git a/sentry/templates/deployment-relay.yaml b/sentry/templates/deployment-relay.yaml
new file mode 100644
index 000000000..3261cb6fc
--- /dev/null
+++ b/sentry/templates/deployment-relay.yaml
@@ -0,0 +1,117 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "sentry.fullname" . }}-relay
+  labels:
+    app: {{ template "sentry.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+spec:
+  selector:
+    matchLabels:
+      app: {{ template "sentry.fullname" . }}
+      release: "{{ .Release.Name }}"
+      role: relay
+{{- if not .Values.relay.autoscaling.enabled }}
+  replicas: {{ .Values.relay.replicas }}
+{{- end }}
+  template:
+    metadata:
+      annotations:
+        checksum/relay: {{ .Values.config.relay | sha256sum }}
+        checksum/config.yaml: {{ include (print $.Template.BasePath "/configmap-relay.yaml") . | sha256sum }}
+        {{- if .Values.relay.annotations }}
+{{ toYaml .Values.relay.annotations | indent 8 }}
+        {{- end }}
+      labels:
+        app: {{ template "sentry.fullname" . }}
+        release: "{{ .Release.Name }}"
+        role: relay
+        {{- if .Values.relay.podLabels }}
+{{ toYaml .Values.relay.podLabels | indent 8 }}
+        {{- end }}
+    spec:
+      affinity:
+      {{- if .Values.relay.affinity }}
+{{ toYaml .Values.relay.affinity | indent 8 }}
+      {{- end }}
+      {{- if .Values.relay.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.relay.nodeSelector | indent 8 }}
+      {{- end }}
+      {{- if .Values.relay.tolerations }}
+      tolerations:
+{{ toYaml .Values.relay.tolerations | indent 8 }}
+      {{- end }}
+      {{- if .Values.images.relay.imagePullSecrets }}
+      imagePullSecrets:
+{{ toYaml .Values.images.relay.imagePullSecrets | indent 8 }}
+      {{- end }}
+      initContainers:
+        - name: {{ .Chart.Name }}-relay-init
+          image: {{ .Values.images.relay.repository }}:{{ .Values.images.relay.tag }}
+          args:
+            - "credentials"
+            - "generate"
+          env:
+            - name: RELAY_PORT
+              value: '{{ template "relay.port" }}'
+          volumeMounts:
+            - name: credentials
+              mountPath: /work/.relay
+            - name: config
+              mountPath: /work/.relay/config.yml
+              subPath: config.yml
+              readOnly: true
+      containers:
+      - name: {{ .Chart.Name }}-relay
+        image: "{{ .Values.images.relay.repository }}:{{ .Values.images.relay.tag }}"
+        imagePullPolicy: {{ .Values.images.relay.pullPolicy }}
+        ports:
+        - containerPort: {{ template "relay.port" }}
+        env:
+        - name: RELAY_PORT
+          value: '{{ template "relay.port" }}'
+{{- if .Values.relay.env }}
+{{ toYaml .Values.relay.env | indent 8 }}
+{{- end }}
+        volumeMounts:
+          - name: credentials
+            mountPath: /work/.relay
+          - name: config
+            mountPath: /work/.relay/config.yml
+            subPath: config.yml
+            readOnly: true
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /api/relay/healthcheck/ready/
+            port: {{ template "relay.port" }}
+            scheme: HTTP
+          initialDelaySeconds: {{ .Values.relay.probeInitialDelaySeconds }}
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 10
+          httpGet:
+            path: /api/relay/healthcheck/ready/
+            port: {{ template "relay.port" }}
+            scheme: HTTP
+          initialDelaySeconds: {{ .Values.relay.probeInitialDelaySeconds }}
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 2
+        resources:
+{{ toYaml .Values.relay.resources | indent 12 }}
+      volumes:
+      - name: config
+        configMap:
+          name: {{ template "sentry.fullname" . }}-relay
+          defaultMode: 0644
+      - name: credentials
+        emptyDir: {}
+      {{- if .Values.relay.priorityClassName }}
+      priorityClassName: "{{ .Values.relay.priorityClassName }}"
+      {{- end }}
diff --git a/sentry/templates/hpa-relay.yaml b/sentry/templates/hpa-relay.yaml
new file mode 100644
index 000000000..6b3403feb
--- /dev/null
+++ b/sentry/templates/hpa-relay.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.relay.autoscaling.enabled }}
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ template "sentry.fullname" . }}-relay
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ template "sentry.fullname" . }}-relay
+  minReplicas: {{ .Values.relay.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.relay.autoscaling.maxReplicas }}
+  targetCPUUtilizationPercentage: {{ .Values.relay.autoscaling.targetCPUUtilizationPercentage }}
+{{- end }}
diff --git a/sentry/templates/service-relay.yaml b/sentry/templates/service-relay.yaml
new file mode 100644
index 000000000..4ff82d1dd
--- /dev/null
+++ b/sentry/templates/service-relay.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "sentry.fullname" . }}-relay
+  annotations:
+   {{- range $key, $value := .Values.service.annotations }}
+     {{ $key }}: {{ $value | quote }}
+   {{- end }}
+  labels:
+    app: {{ template "sentry.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+{{- if .Values.service.annotations }}
+  annotations:
+{{ toYaml .Values.service.annotations | indent 4 }}
+{{- end }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+  - port: {{ template "relay.port" . }}
+    targetPort: {{ template "relay.port" }}
+    protocol: TCP
+    name: {{ .Values.service.name }}-relay
+  selector:
+    app: {{ template "sentry.fullname" . }}
+    role: relay
diff --git a/sentry/values.yaml b/sentry/values.yaml
index 04f2df2d2..ff3b56e10 100644
--- a/sentry/values.yaml
+++ b/sentry/values.yaml
@@ -16,6 +16,27 @@ images:
     tag: e944bc414bfc97c9836febbfb2f310a3237f91cf
     pullPolicy: IfNotPresent
     # imagePullSecrets: []
+  relay:
+    repository: getsentry/relay
+    tag: 20.7.0
+    pullPolicy: IfNotPresent
+    # imagePullSecrets: []
+
+relay:
+  replicas: 1
+  env: []
+  probeInitialDelaySeconds: 10
+  resources: {}
+  affinity: {}
+  nodeSelector: {}
+  # tolerations: []
+  # podLabels: []
+
+  autoscaling:
+    enabled: false
+    minReplicas: 2
+    maxReplicas: 5
+    targetCPUUtilizationPercentage: 50
 
 sentry:
   web:
@@ -298,7 +319,8 @@ config:
     # No Python Extension Config Given
   snubaSettingsPy: |
     # No Python Extension Config Given
-
+  relay: |
+    # No YAML relay config given
 
 clickhouse:
   enabled: true

From 9be03b1ccfe3757264b3e6c8d372c313d01a1a57 Mon Sep 17 00:00:00 2001
From: Yoan Blanc <yoan.blanc@adfinis.com>
Date: Mon, 10 Aug 2020 13:56:48 +0200
Subject: [PATCH 4/8] feat(sentry): ingress or nginx

Signed-off-by: Yoan Blanc <yoan.blanc@adfinis.com>
---
 sentry/templates/ingress.yaml | 15 +++++++++++++++
 sentry/values.yaml            |  8 ++++++++
 2 files changed, 23 insertions(+)

diff --git a/sentry/templates/ingress.yaml b/sentry/templates/ingress.yaml
index 9cc484341..d6800d06d 100644
--- a/sentry/templates/ingress.yaml
+++ b/sentry/templates/ingress.yaml
@@ -17,10 +17,25 @@ spec:
     - host: {{ .Values.ingress.hostname }}
       http:
         paths:
+    {{- if .Values.nginx.enabled }}
+          - path: {{ default "/" .Values.ingress.path | quote }}
+            backend:
+              serviceName: {{ template "sentry.fullname" . }}-nginx
+              servicePort: {{ .Values.nginx.service.port }}
+    {{- else }}
+          - path: {{ default "/" .Values.ingress.path }}api/store
+            backend:
+              serviceName: {{ template "sentry.fullname" . }}-relay
+              servicePort: {{ template "relay.port" . }}
+          - path: {{ default "/" .Values.ingress.path }}api/[1-9][0-9]*/(.*)
+            backend:
+              serviceName: {{ template "sentry.fullname" . }}-relay
+              servicePort: {{ template "relay.port" . }}
           - path: {{ default "/" .Values.ingress.path | quote }}
             backend:
               serviceName: {{ template "sentry.fullname" . }}-web
               servicePort: {{ .Values.service.externalPort }}
+    {{- end }}
 {{- if .Values.ingress.tls }}
   tls:
 {{ toYaml .Values.ingress.tls | indent 4 }}
diff --git a/sentry/values.yaml b/sentry/values.yaml
index ff3b56e10..3b8efd886 100644
--- a/sentry/values.yaml
+++ b/sentry/values.yaml
@@ -248,13 +248,21 @@ nginx:
   resources: {}
   service:
     type: ClusterIP
+    port: 80
 
 ingress:
   enabled: false
   # annotations:
   #   kubernetes.io/tls-acme:
   #   certmanager.k8s.io/issuer:
+  #
   #   nginx.ingress.kubernetes.io/proxy-body-size:
+  #   nginx.ingress.kubernetes.io/use-regex: "true"
+  #
+  #   nginx.ingress.kubernetes.io/enable-cors: "true"
+  #   nginx.ingress.kubernetes.io/cors-allow-methods: "PUT,GET,POST,OPTIONS"
+  #   nginx.ingress.kubernetes.io/cors-allow-origin: "*"
+  #   nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
   #
   # hostname:
   #

From 76b9f051d4542c8731932d8642857aaf98f96f07 Mon Sep 17 00:00:00 2001
From: Yoan Blanc <yoan.blanc@adfinis.com>
Date: Mon, 10 Aug 2020 14:36:41 +0200
Subject: [PATCH 5/8] fix(sentry): ignore nginx config when disabled

Signed-off-by: Yoan Blanc <yoan.blanc@adfinis.com>
---
 sentry/templates/configmap-nginx.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sentry/templates/configmap-nginx.yaml b/sentry/templates/configmap-nginx.yaml
index 1939a39c9..821a6f9cc 100644
--- a/sentry/templates/configmap-nginx.yaml
+++ b/sentry/templates/configmap-nginx.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.nginx.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -27,3 +28,4 @@ data:
         proxy_pass http://sentry;
       }
     }
+{{- end }}

From d2107bba44e38a618424767b1935f91881d9d612 Mon Sep 17 00:00:00 2001
From: Yoan Blanc <yoan.blanc@adfinis.com>
Date: Mon, 10 Aug 2020 15:09:55 +0200
Subject: [PATCH 6/8] feat(sentry): bump sentry version

Signed-off-by: Yoan Blanc <yoan.blanc@adfinis.com>
---
 sentry/Chart.yaml                      | 4 ++--
 sentry/templates/configmap-sentry.yaml | 2 +-
 sentry/values.yaml                     | 6 +++---
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/sentry/Chart.yaml b/sentry/Chart.yaml
index ce5ef4d35..76f4b4082 100644
--- a/sentry/Chart.yaml
+++ b/sentry/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: sentry
 description: A Helm chart for Kubernetes
 type: application
-version: 4.8.1
-appVersion: 20.7.0
+version: 4.9.99
+appVersion: 20.7.2
 dependencies:
   - name: redis
     repository: https://charts.bitnami.com/bitnami
diff --git a/sentry/templates/configmap-sentry.yaml b/sentry/templates/configmap-sentry.yaml
index cafe24b02..6b441cfa7 100644
--- a/sentry/templates/configmap-sentry.yaml
+++ b/sentry/templates/configmap-sentry.yaml
@@ -334,7 +334,7 @@ data:
     ########################
 
     # BITBUCKET_CONSUMER_KEY = 'YOUR_BITBUCKET_CONSUMER_KEY'
-    # BITBUCKET_CONSUMER_SECRET = 'YOUR_BITBUCKET_CONSUMER_SECRET
+    # BITBUCKET_CONSUMER_SECRET = 'YOUR_BITBUCKET_CONSUMER_SECRET'
 
     #########
     # Relay #
diff --git a/sentry/values.yaml b/sentry/values.yaml
index 3b8efd886..c355a17bb 100644
--- a/sentry/values.yaml
+++ b/sentry/values.yaml
@@ -8,17 +8,17 @@ user:
 images:
   sentry:
     repository: getsentry/sentry
-    tag: cc9f7d1
+    tag: 20.7.2
     pullPolicy: IfNotPresent
     # imagePullSecrets: []
   snuba:
     repository: getsentry/snuba
-    tag: e944bc414bfc97c9836febbfb2f310a3237f91cf
+    tag: 20.7.2
     pullPolicy: IfNotPresent
     # imagePullSecrets: []
   relay:
     repository: getsentry/relay
-    tag: 20.7.0
+    tag: 20.7.2
     pullPolicy: IfNotPresent
     # imagePullSecrets: []
 

From 6dc8e8d307827b0517cb00bfa62b6c1037c58fd4 Mon Sep 17 00:00:00 2001
From: Yoan Blanc <yoan.blanc@adfinis.com>
Date: Tue, 11 Aug 2020 06:33:46 +0200
Subject: [PATCH 7/8] chore(sentry): explain ingress vs nginx

Signed-off-by: Yoan Blanc <yoan.blanc@adfinis.com>
---
 sentry/Chart.yaml | 2 +-
 sentry/README.md  | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/sentry/Chart.yaml b/sentry/Chart.yaml
index 76f4b4082..04986fcfd 100644
--- a/sentry/Chart.yaml
+++ b/sentry/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: sentry
 description: A Helm chart for Kubernetes
 type: application
-version: 4.9.99
+version: 5.0.0
 appVersion: 20.7.2
 dependencies:
   - name: redis
diff --git a/sentry/README.md b/sentry/README.md
index ab40bc32c..5d68c6c87 100644
--- a/sentry/README.md
+++ b/sentry/README.md
@@ -7,6 +7,7 @@ From the previous upgrade, make sure to get the following from your previous ins
 Both should be in the `secrets` of your original 9.0 release. Make a note of both of these values.
 
 #### Upgrade Steps
+
 Due to an issue where transferring from Helm 2 to 3. Statefulsets that use the following: `heritage: {{ .Release.Service }}` in the metadata field will error out with a `Forbidden` error during the upgrade. The only workaround is to delete the existing statefulsets (Don't worry, PVC will be retained):
 
 > kubectl delete --all sts -n <Sentry Namespace>
@@ -33,6 +34,8 @@ Parameter                          | Description
 `user.create` | if `true`, creates a default admin user defined from `email` and `password` | `true`
 `user.email` | Admin user email | `admin@sentry.local`
 `user.password` | Admin user password| `aaaa`
+`ingess.enabled` | Enabling Ingress | `false`
+`nginx.enabled` | Enabling NGINX | `true`
 `metrics.enabled`| if `true`, enable Prometheus metrics | `false`
 `metrics.image.repository`         | Metrics exporter image repository                                                                          | `prom/statsd-exporter`
 `metrics.image.tag`                | Metrics exporter image tag                                                                                 | `v0.10.5`
@@ -57,6 +60,10 @@ Parameter                          | Description
 `metrics.serviceMonitor.scrapeInterval` | interval between Prometheus scraping | `30s`
 `system.secretKey` | secret key for the session cookie ([documentation](https://develop.sentry.dev/config/#general)) | `nil`
 
+## NGINX and/or Ingress
+
+By default, NGINX is enabled to allow sending the incoming requests to [Sentry Relay](https://getsentry.github.io/relay/) or the Django backend depending on the path. When Sentry is meant to be exposed outside of the Kubernetes cluster, it is recommended to disable NGINX and let the Ingress do the same. It's recommended to go with the go to Ingress Controller, [NGINX Ingress](https://kubernetes.github.io/ingress-nginx/) but others should work as well.
+
 ## Sentry secret key
 
 For your security, the [`system.secret-key`](https://develop.sentry.dev/config/#general) is generated for you on the first installation. Another one will be regenerated on each upgrade invalidating all the current sessions unless it's been provided. The value is stored in the `sentry-sentry` configmap.

From 28a1328ed5ffea57a9f6ac9a1956d19f285897fe Mon Sep 17 00:00:00 2001
From: Theo Mathieu <tmathieu.github@fastmail.com>
Date: Tue, 11 Aug 2020 09:34:00 +0200
Subject: [PATCH 8/8] feat: finalize pr

---
 README.md                             | 12 ++++++++++++
 sentry/README.md                      |  2 +-
 sentry/templates/configmap-relay.yaml | 11 +++++++++--
 sentry/values.yaml                    |  1 +
 4 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index e77da7c86..d2a28f41d 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,18 @@ Big thanks to the maintainers of the [deprecated chart](https://github.com/helm/
 
 For now the full list of values is not documented but you can get inspired by the values.yaml specific to each directory.
 
+
+## Upgrading from 4.x.x version of this Chart to 5.0.0
+
+As Relay is now part of this chart your need to make sure you enable either Nginx or the Ingress. Please read the next paragraph for more informations.
+
+If you are using an ingress gateway (like istio), you have to change your inbound path from sentry-web to nginx.
+
+## NGINX and/or Ingress
+
+By default, NGINX is enabled to allow sending the incoming requests to [Sentry Relay](https://getsentry.github.io/relay/) or the Django backend depending on the path. When Sentry is meant to be exposed outside of the Kubernetes cluster, it is recommended to disable NGINX and let the Ingress do the same. It's recommended to go with the go to Ingress Controller, [NGINX Ingress](https://kubernetes.github.io/ingress-nginx/) but others should work as well.
+
+
 ## Upgrading from 3.1.0 version of this Chart to 4.0.0
 
 Following Helm Chart best practices the new version introduces some breaking changes, all configuration for external
diff --git a/sentry/README.md b/sentry/README.md
index 5d68c6c87..f79649d11 100644
--- a/sentry/README.md
+++ b/sentry/README.md
@@ -34,7 +34,7 @@ Parameter                          | Description
 `user.create` | if `true`, creates a default admin user defined from `email` and `password` | `true`
 `user.email` | Admin user email | `admin@sentry.local`
 `user.password` | Admin user password| `aaaa`
-`ingess.enabled` | Enabling Ingress | `false`
+`ingress.enabled` | Enabling Ingress | `false`
 `nginx.enabled` | Enabling NGINX | `true`
 `metrics.enabled`| if `true`, enable Prometheus metrics | `false`
 `metrics.image.repository`         | Metrics exporter image repository                                                                          | `prom/statsd-exporter`
diff --git a/sentry/templates/configmap-relay.yaml b/sentry/templates/configmap-relay.yaml
index 7829fae2f..275a49042 100644
--- a/sentry/templates/configmap-relay.yaml
+++ b/sentry/templates/configmap-relay.yaml
@@ -1,3 +1,6 @@
+{{- $redisHost := include "sentry.redis.host" . -}}
+{{- $redisPort := include "sentry.redis.port" . -}}
+{{- $redisPass := include "sentry.redis.password" . -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -20,10 +23,14 @@ data:
 
       kafka_config:
         - name: "bootstrap.servers"
-          value: {{ template "sentry.fullname" . }}-kafka:9092
+          value: {{ printf "%s:%s" (include "sentry.kafka.host" .) (include "sentry.kafka.port" .) }}
         - name: "message.max.bytes"
           value: 50000000  # 50MB or bust
 
-      redis: "redis://{{ template "sentry.fullname" . }}-sentry-redis-master:6379"
+      {{- if $redisPass }}
+      redis: "redis://:{{ $redisPass }}@{{ $redisHost }}:{{ $redisPort }}"
+      {{- else }}
+      redis: "redis://{{ $redisHost }}:{{ $redisPort }}"
+      {{- end }}
 
 {{ .Values.config.relay | indent 4 }}
diff --git a/sentry/values.yaml b/sentry/values.yaml
index c355a17bb..8bebd189d 100644
--- a/sentry/values.yaml
+++ b/sentry/values.yaml
@@ -246,6 +246,7 @@ nginx:
   containerPort: 8080
   existingServerBlockConfigmap: sentry-nginx
   resources: {}
+  replicaCount: 1
   service:
     type: ClusterIP
     port: 80