From 4389a379c3a10cfa2218296e04993e7bbc10a4f2 Mon Sep 17 00:00:00 2001
From: Kristian Zhelyazkov <kzhelyazkov@Kristians-MacBook-Pro.local>
Date: Thu, 10 Aug 2023 13:58:49 +0300
Subject: [PATCH] Add MetalLB chart

---
 assets/metallb/metallb-0.13.10.tgz            |  Bin 0 -> 24511 bytes
 charts/metallb/.helmignore                    |   23 +
 charts/metallb/Chart.lock                     |    6 +
 charts/metallb/Chart.yaml                     |   17 +
 charts/metallb/README.md                      |  158 +++
 charts/metallb/charts/crds/.helmignore        |   23 +
 charts/metallb/charts/crds/Chart.yaml         |   10 +
 charts/metallb/charts/crds/README.md          |   14 +
 .../metallb/charts/crds/templates/crds.yaml   | 1233 +++++++++++++++++
 charts/metallb/policy/controller.rego         |   16 +
 charts/metallb/policy/rbac.rego               |   27 +
 charts/metallb/policy/speaker.rego            |   30 +
 charts/metallb/templates/NOTES.txt            |    4 +
 charts/metallb/templates/_helpers.tpl         |  113 ++
 charts/metallb/templates/controller.yaml      |  181 +++
 .../templates/deprecated_configInline.yaml    |    3 +
 .../metallb/templates/exclude-l2-config.yaml  |   22 +
 charts/metallb/templates/podmonitor.yaml      |  106 ++
 charts/metallb/templates/prometheusrules.yaml |   84 ++
 charts/metallb/templates/rbac.yaml            |  206 +++
 .../metallb/templates/service-accounts.yaml   |   28 +
 charts/metallb/templates/servicemonitor.yaml  |  188 +++
 charts/metallb/templates/speaker.yaml         |  505 +++++++
 charts/metallb/templates/webhooks.yaml        |  168 +++
 charts/metallb/values.schema.json             |  427 ++++++
 charts/metallb/values.yaml                    |  345 +++++
 index.html                                    |   22 +
 index.yaml                                    |   22 +
 28 files changed, 3981 insertions(+)
 create mode 100644 assets/metallb/metallb-0.13.10.tgz
 create mode 100644 charts/metallb/.helmignore
 create mode 100644 charts/metallb/Chart.lock
 create mode 100644 charts/metallb/Chart.yaml
 create mode 100644 charts/metallb/README.md
 create mode 100644 charts/metallb/charts/crds/.helmignore
 create mode 100644 charts/metallb/charts/crds/Chart.yaml
 create mode 100644 charts/metallb/charts/crds/README.md
 create mode 100644 charts/metallb/charts/crds/templates/crds.yaml
 create mode 100644 charts/metallb/policy/controller.rego
 create mode 100644 charts/metallb/policy/rbac.rego
 create mode 100644 charts/metallb/policy/speaker.rego
 create mode 100644 charts/metallb/templates/NOTES.txt
 create mode 100644 charts/metallb/templates/_helpers.tpl
 create mode 100644 charts/metallb/templates/controller.yaml
 create mode 100644 charts/metallb/templates/deprecated_configInline.yaml
 create mode 100644 charts/metallb/templates/exclude-l2-config.yaml
 create mode 100644 charts/metallb/templates/podmonitor.yaml
 create mode 100644 charts/metallb/templates/prometheusrules.yaml
 create mode 100644 charts/metallb/templates/rbac.yaml
 create mode 100644 charts/metallb/templates/service-accounts.yaml
 create mode 100644 charts/metallb/templates/servicemonitor.yaml
 create mode 100644 charts/metallb/templates/speaker.yaml
 create mode 100644 charts/metallb/templates/webhooks.yaml
 create mode 100644 charts/metallb/values.schema.json
 create mode 100644 charts/metallb/values.yaml

diff --git a/assets/metallb/metallb-0.13.10.tgz b/assets/metallb/metallb-0.13.10.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..8a5f7e5b4a394671ec92c7719b06aacee31b1c8b
GIT binary patch
literal 24511
zcmV)IK)k;niwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0POwgdK)>DAPV>2msf$NtEZM0DUw=T=Ct4WB$1Tmk|>FrEP1L`
zU?xbWiA-bxASHVFp1F{7Zf>sRJOFavDao>{Ugi&5%me~~Kp+qi2n0;TA;#nFqZy>U
zx`HPDw<mvUwOVa|cUS&jtJR|a*Y;n&{I~k<?#ufA?%vMJ+P~H6js2bde*?9rM<xC&
z7>D%VYL9L!+PS~T18rl3C^LxF1j|MV+P43*R;}+;>$Q@OY-H)k(hS6!r3%o9r5jw9
z(WuU<$bw^x^b!CTG?98)0)Qf$FoP4iYJzgP1i;dT>;q;RHEady09c6M5jqE$K)o`C
z7+M;lz%Xr$Ok{B=%7F=?;J3vXQ44Xzz=9dp6fh1g9a4b;B?~TI*_3di5zI<6B9NMK
zZnNh0w!`q%g=GkQP?b+gh9(fmD6wsraEjPACR5^muiVWHj;gjbEzK8W<dN;if4&Cw
zYW-EUR;m41QWSBjlo(l1O%c&;ZEEn@VqDdT=>m5DFY%R)ngH51HZ<A!QjCI+9{=$C
z$3&Yy30sApy!pRVtHtJjZD%w8pW}(n?R96cF-43w0h__b-hLBK#trmJ-y6TIy+SW_
zr0@T#HR_XBdTnP1)?j@X)*CyGF>1W5jcc#=_t74jG+s6udoTCkM0@$NG({GokR!bb
z%8goMr&8Oi?9>PKz2<JMxwl_!{MxA3YW0^p|5<A^Yqj#@C&0h><Ievj#0$i}jslQ9
z{~J5|_2~M)Q+v6Y|IhNg04+3u3(SGy0J*-pD`4pb7|aX?3<e;$J~%tAOb9h0=ST+=
z10zwOg)|H)0!v5@p$0I(2^b?_L&lH}42u)6A`1#QGHnbwV%1VfE~gg@jQdEVh_fbm
z|GQi&&zFc&Lq}5HOcof&UcLZl0=v^gz!tVmC}-f5K>g5B7mhGwYzy4Y3~dG=#^jCx
zbAh>GV<Z&|kfK;fyfsom_XgutP<jDQEI_D^sQADT2YjX=cmOofmXFSiEU+%Rjt$0<
zC6tf}p<A+ErGm#5S^o8Z9i1NZ`?uYLv-UqlGd85qL>y6IE*O`jqhx95NSBl(d?q0<
z8^JlE09v~Itr3e;f-$1i5{?o;Qc8@T=#n)trVEN(M7P9nsJ57mG-I*?=iN3S6A5-g
z1kD8Q{En1f03x+BF=liOwPp!`7eJ#3a^%!D5CeBJ#Ak|7hQ$Q$NHiA=f!^W45ugh!
zh8;LHn}E{=DwS+XOi^*c6kMiJXd?hEi@0Nw*ap;faN*Sz+)52iLVycSDw?2*CY8k?
zC{BP)bXEm@gk<3a4a~<V_~#gt@is*mL53=gYJFQL+QMU;ZFCO>Ck3li=AMRHU71)m
zCngpI8le<1TWHYMG}sGwoFvRDIKUiH3vy$L@JbGu1Y*J!xPulKy%FRULlyvXZj05E
zP+9h;gbr$iA`-%sI8}aDGoMfdY;uR_WTDVDi6t}ufo%lElZoV{1T<Wjg7*!kcm`T>
zYM==Rkb?=t3<-`<V}9U|Q&W8_$y#E5t0~~KyJRhQHryE)JM#@V#(`o7(W>*;1);nN
zUhckZD4@nfOy@12%oYX&V~aU=zY-wAb1T#sCji~sgemqB1)Uba(tv<t$>J{nL)wC(
zvtZ+|>Wx~-t0iQbJKvZTfR4;G$-?4NXojY|O>|Y)Z9mkuY7VdDfLMeBn<9oRz6Bs)
z2u}brrWR5VG(@>E5!M89np`lX%W+U`Iam))`${q^L9#C50s1`$?tXLW==&TGbb>7Q
zBL_3MRM^;vng$b!trYc+6v9~cm)TH53@`%j5SSWE1Pq>B!&x<dWPn(LMFd~@lfo5x
zE-e|NOG85dYMLOP><k#M0*K0@6#cm{DAI-evp^YCM@muii&ewzfY+~OOQ0-yH?f9I
z^fNWBUEBS&tU_p@`Kp6qVo6~PINuLc2jZL}DJSrzC`f*T0Ug<xtekQEj(h0!BHTHt
zy##nriXHJmO8qg^lrRx&2@MNTpBL^|Vx@~1RuoMQ#_6g`Y-F(oLsdej+Xh>1iyzxa
zpCZpS;P@d#LlptDBAY5ppd3z{puDVA>$}y4dSx##z987pR!wj+=@NdS=9lVA!omSA
zJi-b7^U0|2e&GmBSND=VPhNk3Q&bNKbOAsq6cCG5Tso1&-x!V&R=TGhLI8NhAU>6a
zn&8uyIIO@rp9mzlzWDXulCf%9R&u5>hjfa#Eb)PiWur|{hPGV|Eb0c?7R*t0A@x;V
z!{Uf8A@<~%TxcSzqwXl&EL=xS3|FE7?`_j<;U7w70*VyIYB82-4YX~%l7dJnB4CUr
zVjVXuVVsM#TEb8OdaAx*O_kQIpjQCYlpAi2knOw_d^$z<P4J`W`Rz|SL?*Eq;-A$7
z7AnwZo9LgtdGgsJI{M5w<Y=<M4Dp|<|M{Z_O?kiEVSImkE9%|e{_b`0;eDeiy^1v{
zCep1xkheC`Zw1m4m*0I<kx<J8--G`drN)2%RQ=`WAH27UUv9Bt6ah<s3RJQ&)TEu!
z1V7Zh_b$Di@98tL9}-fmDwKLx@IVHj1)#4hx@)aJ0k(WQNv*c-;#>7a_|wjDN0m^}
z5~qB4#s^iMFhUN5L=lh$JSq<ITZqVq7;ugw8hQ@gEuji&kRcCLnD{`L%ntFYP8p8b
zk!-@HoR9*lT7PcXBSekK%2y+Tde2(44rpgzkKDP9Je=aGpr3{4n^j}8YWxLO4Turt
zCbZxbIX|R6=auX&Fp9|g<SGx=<3de6Mwd$hl&sG=9<Dxz7^zvU79{_-JIlR3$%(Dr
zDdc@Qz|ay=gRh$44pPgorjce8#4h2d1nSb50S*s(@1C-`16`+xu?s?Q`+f!&j5}?@
zgbxpESPptA3UtWe6lDSAGm6-ZU_Ah|B5Y($vhT}1?`^#C<en!$`SnSlyebYQKn!mT
z4v#PTNZS1^a%ahJ<Eb5Z^=P`IdrskjoP1Iwm0kqbJIADqu8fYCR1*?UEE}#%TEl`F
zXb48N6jmFen7#m&3OMqc#AFIES|VHpXO4fGSO}0w6Z`=&{$mULp`-C)D*iC62@(H`
z0TBNqN(uc#7~OwZ#6o|RfB<(Ypf!OgtQ<SUG@+$8!M2Z?{BVcHGeYKPL`O~F2N_5k
z_-X8DcPrm-IBH7oRO_`ITN;2DFTnp#y77Z_Uf4S1sLv_nXu7KMmF)}+9tVfiUlajz
z$^ucgs^C&I@goz$s)SB7CP=0so3rgZLg$!3odu}KwteW^FI?~nFse#n_~M1vtn(A7
zu!A1KVqqN0UN~Q9@SR&602AK#7j%l6pt1KK!M8&TE}?<N!1>>V*%4?lt-XkM$<>%*
z`vK53kerf%eHgXd;0Wg6&VzzAh<G$3aFmBVsFO)|le76@Fb9eNxCNksWH8|EU^}5H
za#O|G$ny5UWL>q@UM?rDXh7+%249J}i0&N<(1mrty2R=c!b6?0$e8FWzs!&!+64Q1
zdpo=G<%AtmvatPE6uH4DuKN7~V8b*x^Nk73UNk|yRx`afCNkw@tJi90MhQs8rH?Su
zq|ze+ae@(bdm@!8n;Jy+1VhHUey{1m;)aQ$ui<23SW+%Zcs9`wV#L8g%LE%sWQoO!
zlCdKg;_`O_4ZNUe;I36ou;ZxA1~(vXAq-c2q!CMJqI+t}BWe&m`j#y;4KWsgr1Ue<
z7qZ}faY<#U8{Z{vr5B#*y5_3lR4cszo@!q$1&sdqisDOnx306!^c@Vo_9El(Bszm)
zJ@ha$kvT>b8;qxojEN5oOLumVUhVEXFV*hCZ)kM^`K$@b+lXu1CcaghBDZrSU9#w2
z!wVgq2%~HQW!zU%D_>zfbIAP2#ms?{xRSXe=dnO|^(wY_ameOuTbUdc1!-F~=KQKK
z#JAm5BaDW#BD?_Zi-BrZzB^L8jZAG&g_ah<DCbrSVZ`0yn^h=%6?!29M1%;FTXJ&G
zPXbBs#&F`b3t(V!0c2@(Wh<c~K`6k7E8nXjU#msn(<e}NBT!tN%iznGiVx9ci5J0&
z-^ZdBS-k{<N>I#+NpTiECwN5eU%TGi@k(t+66wuJSsgda;a9?qaY*^XUKg{(=J!;@
z2VHw@?eu#7zTuV^H{!0;bYaQ3B8Z7KWrmJK1;H#6O4D!-EH95=U?$XARNQ6d*XpkO
zB4bU7$71X_>s@fZIukY;p8<mr8lux0q&|_{m<>Nj!}V(U;Ra$L5<)f7gEi_U$*jVj
za-HijR43F8H%Kg?QRNPa4#*N>Lzhg@QOx9$O#FQQaMnotC(~xggw+p>SWnkRPW<P7
zt=@>lf9~$=)Hm^;&+&XJ0Z{%y4STr>%C5F1IH2NigOCb3g%e(>z1&vsUX+D!DszKl
zB&w+h4Cm#_mhZ^;1Jby9rz5#4iY2Su1fS%DDf^yX>G1MCB*Sp4*obliu|R16%FZkc
zy$paE6M_-6%HFpxTYg=&c&1g2U?9Kwe(Z}7K7K96sbNja;EUg4DbjM;4SXp#!F#_4
zKy4>D#YBh4=vz@Hy4<A!F)WUzh$aI`ShXJnC$z*q2trgFco2}V>QEd+=J02bJcp90
z1j_1ndUu=;VII_oX%h=s-)@FF_Iz4pXSRjrD6$r&npqIz@|F-m<Hc0`VOSF){=b9N
z68}pFg80KC7INob6a}gOtRo{*=->>!tA)kB#d{U{{ADW)iNk3U2xzU&Cn3gipClQz
zl~u}GU>uZV>iInrD_;{_6S>$M5J4nXAPM;_C<(0MmGN2T0N=qC6Fd=AWX10;S|VDG
z^dAH!xcfvXR7(0gB%DHa|5I_A@)KlnS#08ggaMT%_#;_0;9JN7<@9h(>Uqj{4&f3j
z2krfb)DJiZ(yBvB;VL|A21jPXh^5mZx#uxIL^2AoAqr71;%ayR2-ofL5c-8(8V`XG
za(P4n{6LWqH{}=G0WEY}DOM@W6!cO&3|ztGUM(x>Vj#R8mmGjeQ@$KMQx#mS0|%`I
z>P`ticv%Q+!<s5zfv-EHux|qErVFTa@suo8GGt2H)DNoB%31h(kTa8&brsAK1njCi
z!6RoGM0AS)Z3d}wipB{S?1T${vcR~zW*ef;3jDc%*q9hd2hg_HXi@o|POMYI%4*FE
z8wk3p;w=OxqT5331X^5GOvH?ip_YM>JUvznom>SpaVd;8*jAxXqTR5xPS;ZtdB`_y
zGkO<1!xlYd_3(biPE>_0Q?~=5ITY~Dg-g43Ohi?Q_{<8_2_NAofKpr^%G6xTUNm8T
zQSUHD4l_hfS)?#x)*xjK6o^{_xw^Tl?`Jt0QWXU+Bs{0vImbetrsDx~Fq;uTScZF8
zgep3%$LhJExW$O;M$bOjqDtcYgklddsbXQcSvquF+XU$vC&<&jqqa>HHTqp3mCOI(
zSn&tUfyhCOZ!r%x{2c1vzcfFG<DwtH&k6C~e<j%-i0W1qQVp}vCPNHPBxL(hu#!Tt
zp9-K1!!F=CiE(7cP(_C;_A$><1d?5FWj`c54{Y)@0@+ikNWY8q-Yum9#50N{IQNrV
zltoR$GEC`BtYwvg_fDyLt(H<Ofx1rZ#C@w2lrw1rGR)*0RWpQX;`<c*BWAlx{{+Ws
z65!~YSR>h+Ybn*r;aL7hP24~n|97&8gv58EHwpx$L58%=5uin6VxE}G9+<$#-{XdO
z$_8t|{@IGHo{=3dH-1uZfC~*`9MPCkxx?Qu3zGd)s>8(zrhJ;!HyrEwXxG0VboW<T
zd;FN)Jg~7{+HA0)sNX!;Nn0WyNpxjWKNdp#T@J!pT?&WsevSS(^`B;Va#j`zFK1cF
z*<Q)TE2jB+F|Ut>G@*$CA|j?voSa^v;6z|pUd)|;$|ycq-<&xUrn0x0pDVz(ee_fa
zWTGv+p8wRV^#DJrSJ#g=OtF@}j)vr%<S2tjGM*b-`8B40XfL<`W%6c-GeF-Ts)e+>
zm_m@CGDX6DsGhZJanx%))s{?3Oi=Qk%u%nE;-AQj9ZHF}&1usq3v5}~&9--E@R=9D
zYfaq)swrq?M<tz1Ekcn{MMYalqvGr+d7Hk0L#m!$8q-SG(n-@bQvU#OC|K+Po4hP-
zq0gQ?*;6NdiO*T!^E`jqOM7^hrOLvrE$k44zyas=prr81?;fwj?7JZMM2wu0sQ6`*
zN%>#$apV8J?7Z9E^Fg~`<@fx_+Q`fQ-iYOY-rZ?z?tgfe#})Vn0~WdS4j8$KJXHdT
zYN^yEcQV_n2CYC!VS~%_GzMqjsK=_{LgvT?6iw7|KquFy%y~d26GJl~20GDLiCADp
z?t*D-1%QnZdhRDa|8Hjq+laC%x1T5#e9rveZ#4EI^M9|=*xk(k=XgGS+WrMB4YMha
z7EcU}gxc}i6lBq6s0n`A{_>?HN|oC8wwruBcwkwEzg0_4xeAa<C-RT*s))Rb|5YCN
zt*Q%0x&n}!zcm<m2R;K%7nTP0cjTXj*<Va1#yu!k%D{nzEM5Gmusc#GqM_G9TF6|r
zbcGabS)Pj)L?0L!BMk~^#E6N4cg(2s&IZD|N+Bmt6sz>?d}c84lXGyl)$NP2@<JLL
zX+Kv>Cllc04Oc+?)1Y3=ppc=VQ^1e`D3N!tO(m><HrgewG4W^_&7JSkEcJU4dSm9n
z`9b2|d|iA%eH=Y1C?M6IB9W@=;u(6mCUQ14EIt9{|6rB>VC4ub)o5|{O8zs%bb-+n
zGsL+iMT}(dT(>GEckMDpRhIIHG}@IQmDS(Q#Y5n;n-mU||FaCrx8?Px5HU?+Ifu#9
zF?9AFC5khI%_^I1ORVM5eZ!I->sW`Xs>%3w=0x6~I$)~-PI0<;;N40kzQvO&de_o?
z`jk-RGx&2sIEr*R4n>7R=#}wG0dl#<iTg<;nR{#?muS&mRuWOL+yn?QDyfNHO~zba
zx?pK2jCXK4C2?&`kjL_BddbO^nwG(|e%h;W+-5gTKBd;EI;kxp>%~uji4ZVl!A~(t
z`C_s9^Unp^vw~y_2obmCvhzoIU0B&NBbHA;oJY1W>D?qP1?iq#ya3T%Z$V*-r?j*_
zxr+c=lh%lH!<sVC_bxG5u&kvvu;U_$3IGsO&7)ILOb0ehA3!U&oub0KqWT&_S!Q=u
z=?`?9P@bwJgi_&0_9A3?7n(d3UiQZ<_^lkmr6^t#N;6S&DKeon4YvuUS?Kwn%jrCl
zNw<g5Oo-qjWrK4dy`Gs+BSPw8lzt$U16XAj&gf3CVoHC)e|~GD=wIlG+y8;p?TK!K
z%eMdPd;9ylQTzYper;p_KgW}<mN}bqO5^k|iG{Y!wwLwN+_3Z}Xn8yTCBaEL<gn@8
z1N-Tdmuf6=0R&&ZR6;3VgBfxqV$szTdp5#nU>TN<EDm;ovmnRyVsFo@2}12C=oDI0
z1b&#K)fV_c=D!j4Yyu^mtk(XzFY16VUt|xRngJujh3^P6W+QoTT80AbX3mq9z2vB}
z1}E3h#F@2XqzE()fNOXts+y2%v(r!_;zUBnjWWNLeYcbAklbYi2aN!)csNV|p@~ap
z^gvq@HNt0z0~iK!rFpw%8B2PstuOv&TcDglwpGz4D08|9ocs+JvSmi8a*?&Y974|<
zKmV27eO{yMZatTU0z>#~6n3b&*o$c9>a|%W)ZRMt^pSJ5@O(|^wmWb0$RCaF@<GNk
z_z6CUH=Q^Dq2{7zyZxfEn>0(shd$PB+=fgM;yLzy)d$HDH4RI$<}rmDx(FxAt7ZBH
zLJ5$AXht$43mntsWCYA-5Trzm23~-hM@sKf<Tz`p+<G7|y#o!)k5&JKr{KV>k{nLK
z=cqq5?D|R(U@=gB0+wJck5}B3b6MCVgGdog$+$QH62Zc5Cg6aGs-&QiP&=V@NT;D&
z2PzdIa$grRrh;J8X1AMqC|F*!g2}WZGZxFHa*z}iG(>sDnJg8-P_Mmv<W&@i`!S8M
zu_N{|l-wI;1D(&TwANq-VpXCIyB#ozj$S7ZW=ib@43M>qE!2VyqQ<1Fo<`sM?w6nj
z>!YjY@>zRuaC&-pdv<!;Zy)vA19=~BfGg!Hk?e{MI)kcNz+3H$)AQ@Ic6X2ncs<>?
z=#T}C?E(ZiJifRcTwf$~eL^#vl~;;2V{rXM1_6kkOjQXs*P5J_Xzf?KyE_5cs@dQi
z3Xn^xW1MINH^JcO!h63YcwwS5v0{b#An!3%IlZ^JX>ZSeWtA}KZ8=M=shrO&hKG0?
zcu5h|&n>(P-2;*}%R-54lEyC~xvzR=oZH8Uhi@~nRag8gaRZ+uF%yR?G0$%Dybj}=
zP%*5IM$+UKff=e2h8E4@TLfIVP8eQ1TW}GG(OO}c@r=PmU`A^_SZaq;86`1PQcC7;
z$x#uEpN6F(Kp)Lh5qM9*R1uI*!&MQW4`8cQtH+I85A%|HC?Vejt=Do|PrUy`J@Q`v
z3u-J4jHal~G>D<P7cH382?PXij}YE5Fk&mlkr@%k0BF#LV*?x9K#}{PbV}^-n+iBM
zJq`OUiu(Iq0BWs>q?gGsD&kim->=dQi^S5xxF~1}B-T$h2g2I7rx|m?xQ-}|d{H#1
zsO#D*&Y92GDX3=<(1o|K8K(%EuZ5&)Zg1BcFRQg`ty)h38P+hiBhWZz70s|`h*sFb
z;E25*oc3?qN3A#Q+g|_R_UdHt=Juf7zpXcZy*)lUyY0U@XzcB8`K8)Nt(<Z(I7f#^
zh2SKX%YatE)s=p0dYsaNHa0bukfX{Rttt}(qu1)v6IFMcV^*D`RT52w;geiJ3n)wZ
zDrSN%_#oDCb+zE;VYUdP=+6aWJR%yLizLj@OZP5`hPp~ZJpm`k8DdOKJum4y#$%|>
z2jrAY*}2uGl+Y&|yks>upscI9F<lmf6yd<Ah00_ow-Ikv_;=`f4X;``>=Gob+yvOL
z7Wajgqae&D@_?o_<z~7J_?X=*KOW<I%W5)^U^L)a3tUN(*YN%W8;&Ix^{XY^e^Su9
zskk!kUJIH|%Ek`ztm79`mjUiJg6T4Xm&b&ywMqc!<0ez~l!>DoxzOf;t$zLO@%a9)
zj%<oF$dP{Q=8eRLg&wgPoO}LbKXU&=qqeiVx7q)Fjwfz9dL!;~ov<1}xz8b$haM-C
zm_XeoRs*5(@(c;U#F`@N-X4#1?^Fmw$h!>8^>{5TV~Hq3RX*8%Ar`_rNcD<FOdE1T
zYUHbEtm?O>*x&1k&wnT7L<Ki0YIGkR29h`b_g>Z_@gMsyUp6-L|2du%?{O^eNLo0E
z7YU+r1D!!TArQpf>2RRpM#=r|y^&1T1fS)?2Q7;%EDh;?`vcNeMb#o(0XoqHqQ5vl
zwXy%VzA(*|_iJg;z&Cs!EV)E{=6@p2AOEdEY<RE#n=dTv{hDBCS;+q_jd;UeG9MEw
zP*>=sm}n5|mMGziv2Q)@?h~K?Hqjj)-t)wN)%IV;?tj{Qxxcyp=~<q1t=P|(l{WW%
zS8r7#6cM35n0{=SpELNc7aNvK5<gwusTXk)4?`$e*9%G5O^6>WicmBJC=~fr7_|VD
zC{_tEZEil=G#e)X*)1A25Wkb?G%tC0KaP*E;h4MXM9<gAN~%TCS7pexE!`%D<8!Gb
z?~5etqZAruH>a=LOZRty5r|fe7?-(C$5QsXfMOq-rG(JMqCg|FcU>%L96$OX%xEE;
zDwWE!%0&MH?XM^h{YEy@@Lxk3`Xjy(g&R@$a8a0!SNH;us46MGR^fur2sJ*+8CRYE
zs?PShqO(UZdZ5ts(J0XcMh-JV+c>6VVFx_X&Nb+<O(4O!x?;^GqT|5(DdOJW&ducN
z$DNokvE`v)KMxH{7t`bM-6a_H&_vXCyPJVT34j2tAJ`;Y$b4Q7krlk~rS_6W9&9&N
z6(}ce<%Mp;Hy4b9F>;Q&>ELdLtb(@7>(_Fds+_!G7;43tE1o3GN7F0%wJ@}T0`@6)
z1rqFkuT?o$p1=u^Yya=pBliEx+U~~wf0id>Aqi#3ey9&11mt1z?9sYz;Xbaf#^%(2
zxGEa~{0Mb69Z~_6cIqvVmEr?dm4ZX9r0#ONMrQ-5=A!|N6?IQZ6F6zh`hHPY%S}4(
zWvZYHf&3poe)<G{Q0yYKaPZ{|sJP%j;G3W5_{$eStl%e`=z*QyFJHh+=IoJpJ3C_X
zR>gmUIxr1u!O@R@cxpJhx2fk5zn%ZeZZ&Kmi#waGw-U<jm=OHw0~x<AXD0(Ge-X<@
z-GMzJv<d2F+Qxn{l1EQaB^~}+E4CrwXCXd_+$)gB3rFGN-<lsR!hy_jtUsI=RQ)xX
zq4rp2h|>MLVTh!gB=Wf8Afe8;W)0*b0-PQJn-CnXMucrzlye})M1!2rTL&Oww}y4Q
zVCa?;4l(%WYe1}@1k|51E6LK2<)6f1`kGAiU@nq(jYK)fKW_Q}SpL071sGCR`Sb}?
zo!f7~moFFUuW!wvd3<R@#=#$7zJ!tg^y!cP01JU!9^?L0oOQR?;9T%C_yyE!HSkXm
z#w^Cf&mq$uBI3dq-Q)?k!{duU>2J+6hsPIyDRe?*k%FL;JFBQb8&B<92h{Dte#W&g
zLjUJrlY*E9E|dz^PG~)9Yh=0!;`YDv4n5J%zj|`=zwGWd_M`cqcVE8T*#FP*L?n|O
zd?y)PWqlv*k;)hSa93^fiT3;*yEEwI1@Ft{-%CN~E_m-=3d_n{fg7ZmET<g3;C*?D
zxcDqHx^027bnKRY&xdUhJqk*~C{Wc!YnyS%7ZD)p0;M8g&=OfZQro!(eG8QB<c>hy
zG^7NiXllqLGyX`&oA7VLa3ZfmSA$5pnhTy$AP7<IFM;>v=+XG_eIqIT(Gf=KugHk0
zj&8YEPh||^H|TqqH!@JO4Rp_uC9q?uC}|7EiRr!y-2ahGXGeb$>XkemB`1|Z%3I~}
zM7JrK7#KxAOl_zy5#<I$reLqoXE{|x8L{d|Y8rNWbGVTKRNl0)u;l5y;D@is2Twrk
z)PY^|&|nm`1)m{{8(KDRaxzC2MN0$SB@2LfpA#f|f@D&=J5ZiZ&4!;5CGjjv$y0<%
zJY*d~?w+??ROBM?=+#9xm`0X}u2KiaYZV($wt^K~KQ{dQxb5q#9I<k5mFVisY=D)&
z5*yn@f3U_P(@#AO->GHNg!Y5rMOKIq<lqYQ)UX3f=97bV7SyMP8(nt40^VP@fv`^T
z)X)QZM={XPDHf6}rH6@ylrtd7nUo$T3H(*#p)w%|Hmb+wXKC`o><UOXXxl7~fPcwp
ziZZ=kNPC>2!Yj-p$@~OL@VAnqUw2ODi_)(p;l7e&{t6Q9>#cr|5tRXp;8F2$Pvv9s
z1Km=?+%j+~mO?WegO(g``@k5#pn>&3>V3;Wd<yICaU+;@^Tzi(d@kL-Mr7)9STau&
z(7Fbu>o7@N3(4b=Z!ru{p*cR!Fa$7t)G!ngwx0r5Ykccnndf`r`+shZTIT|yCkOz}
ziT|y~_y0EWzt8ogr;bd$Au1}eJi!#1kOkNEVv5jn9skYBh7_Slc2I8q27PiEe~K~w
zT%%Dysd<)zhp}-;A;i}igl|17pYKVP|4*0$A}9W1ukkV}|Mx}ljr@OxCu{RY^1<VB
zK=eaE9(U%s;<WWWoPCZE#}!U%A0R0T=fMX_(i(X9fsz6c3mhy#!Gpp6(cmaMBwuA1
z$htoxmV5F!l!vk~MN*IQCLZREhy6XEfy_X`O6X0YE+m}ujhys-0NTlCe)BR|7Q#1r
z`a1vUb}oQVp?eY6&&fPSkRm!Db7XZ4jGCaly@Yg|F05_G(Y_s)7!F2`k+dzhr`;Qz
zm^MQ~wv_|-Qm!>SIcDlKi;tl9>S43fhZws4M!^oNpE-(X!o3njCU5Az&&>H79=_a5
zC%+%w+b~m{nUem@Pm~d9H#u2G!9*1~sVZ_)Zai2`@$U1<v(Q3XQOtbFxpeNaEB{wq
z>ceW<<LUSmFkJN`JnU<yRasY+)ReRS<e~|>#6qP|Zu7L0wYj=aF_kHN9UG)m#4pyV
zxXwC|-;uO+pzsRvpzeh0ehS}@DFc2F+#KHS0P&TWXGiY9t()lSNemy~_w*gxKEc%J
zk2HU>Ks}WO6l~+kjGz>t&u9m2?45r}dnZ$me!$%{--qfNy!znDwAVzS#TD4UtJWG{
zW4<%RHC<qTT?zeA^)-W_PXy*!mDtek*k4(XT~F2f`zNv!Kip$0-V0A1k#9D+?*0O~
z?o#$?zO#IH55V%P<-FTG{*$o(>lpY?mjWPr|95w9_vOoI{{P0#X8-qDo?_me7ogMY
z0d#K*VFx$?Gq^;6&k#dEhI|8ZCuaY61tyd>CzJwW0YO>5u&bpP;0;_F)>PCmfnfpY
zUl*b-^JHKl;hID@CMz&TGq^MeWlfne1l>c^#t2A^1RRr41ayc@p~D4RTKj5}A_9Lx
zX~k*bdHgRficSyRYf)Z+!OUQi;D95HnV_d2IIy8Mhf@UZW`;KN2*ZgYOjXr(VDuF&
z!$;92nbml@wKZr7!9F1iO9zJK)ZSh&y3J;gqHUdM+Y?H+ozY?2;dTxNgLZdta^7u*
zUSEj?0&3h?%7gI$It{uQfQdmFm-p~)0qCXEGcei$Xo)Prtp*1MbKoJ<=Bq84fQA!+
zuuTyYB>x3k`Y+;z$C?8Af*~sJlb4wdL3u)Hc?%%-*4P)akb}{kfw9cvHb#n&3XHrE
zQD~4=UG%>S1~UX~M4i+D46qqlVBLW?Mqu%p-fc}^(=GD48l=L42?CUte8pyEz!usp
z++koa05K!LLP$q?6`XJfcCcFxM87{vzADQuGQ<T<7E{qac@6lCET*$6IGQ1CuDW4E
zQ}tpCa6-ZZD7qyzJHcTB-bXa1(BltC5rFs(u9!=lVD<6T)?cq2&5|&CqQAC?_haAt
zMGZUnw>9;C8O&hb58E)kzp?IDv1Zi&fsAS3*H}zL@0Va%|C>Fgez}S6V>*FjYG~fK
zC3Px=2y-$4Tuek_i@764Nm6=-qO1X!Mh%+-xZuQu+|VG#E14CL1-Q)_@udMBUI3MG
zSt(NDv%1Mp(K}4&#DNs^V?`Fy#boJn{26kY?B4_ZkZ*34koWp8hxk@?jJ+-cP&okJ
zwYs3fz$<5cD|@3HEFCFs1E-v1fHbh>09ypgR1QG1>3kGilG;u=z&t7SB`;;SFE}ix
z3Bh<dMI=9FH>9{UjA*2YV%^Llik~x!2qw=#mvO<Bfl>*$O!Pb`&ZNnLA}3NhT^xQ6
ztx3Q+P8OVc6H0HL*RRW*LU)g#obXvJq8hR|qUBOVt{F^BS~0mycyE{s6Ics#j3^)z
z&}scBK0&U;{}=(dga#I~#GQ6S+gCZ1Bruq~4cA>{9G{7!8VS+4z=mmXr@kQ;SB!;3
zA6gnQO|e|bQVanoATc7RC0GirOs<S8vY<|NhD5v0G#64q>1Ap$#gI->pgZ!cqrZGJ
zxB`dA7fw&k4&L2%TK(7cT4T2qkov;77nK8wgj@*Zf)tWvQ)D3uxxc;&;pd1wrxAAv
z@kieqZ_zOwjTh6YK;B+Zn=r(-WXFX1!EB@nbr6E`9ffuo2x37c)g=9aVKI)NyVjD4
zdhMv1?mDg;6lol<wg9S5tFA~~LOi90r3?L0$|pxp@x+yA@^x7%JY&P!cFULD#;Av<
zl&}!vTZN_Q7R1;kU$|Kt(FvePBQ(&UTQ|^Lpd6@F1hp$u3hf!FlmlyrMW_kgmOSzp
zGJ_+MbdvlD)$)WaxpYX$FVnm>!RP-}f<T$)a@Cm10j<bVPUfW&5Nc+)%D)G+(JA5#
zkR_tj(4A$=SL4(wrc_%%k)_Mk%$e*}2Uec|Xs!5644o?mkPc>uN;QaBcqJ8eLLptL
zN@B5FDrFzMtnO9o-dpFcU<LvrLVlbPCf$#qM;6@K=#*ENF1ga9FmY5bxu^>5R`grE
zHLQuCwF4~s+6(U%#pIY-Xxq&9fwkn=^-<vv{qNyMAeA8XhdEkpfghBVYQB#3Kb$`C
z(<fO0eEA|f=2VN^7oD(0nnGN4e!b5Hw@#hgxWn(7Njrck)w2!;d><F{xQyW75a1Qy
zZ$=WD=zNo#F9(5rk0>>4q8~(e!$Ddy(TuH|SVJD9+zp`+Y+-d3h&YLZReK5L<Q+OQ
zwB;FYG_;$V`YQ2AN*eLNW3HbMy-3PCx)!^I+ABQMA2Ztv&-jE6yE8w5+1$qH!V+ss
z!o~E_FQM(){OXB=5gK;Ggi~~}z*ybZ9_VrO%OeuSdP{QP1lGfkY>9^>Y8sa0(PIiV
zbb+Wr^ghyvrL(4&I#(=_UBvGQorePIBe(Xil{3brf`5s=TPiS9;&<rBZqd(4@)DYO
zz|{iIh>n_Iw^7R);B~J+j`t{f!?BNt=DHu7>F71~_Cp`Dp%(2zio|r0mVQm5%@JpT
z#-&58WzZ)0lv2fWh353|p&r(FlcIs5C{iS^O`t`~2k)IrEuOLDDOx+xG=tN=n)@kC
zBFa=WL_-uW!1)hpIL0NyHal{YdIyBl3vfhi12NBlGawH7A(@hY;wv?#GahnwN)rP~
ze+1GUDN&7eU9;sFOK5?9N`aXupatv7uT_d{!VFHRTt_mCaySK_-H8RNM>9xy^}x0r
z%{we0WE7OaSArtwK0<!FunyReA=(7>S}p#`*<G&J>Y-^M&95eSUzR2ulX;dZn)p|<
zL4}@9z&1B+X;=K>n;0@*j{7JIp2?&4VVtt(pm<DC>q1?p=(LjxAu^?+)g9cDdBmM!
ziGvTuh~FXCdFhya!YXxZC2~i?tW9T*f{gJ1rpOz@2@q8Au&uJ0N2*)*<+|gU(Djtj
zxQ!JJ4T~dR0J;}iaG+Fx&T(n?9h2GZkk^0b#kv%ZcRG#0;gXWCFDTKF(h{BMh{!R+
zkc`!0^3_Ems#rfi-BYv#1;<`sd_l0Gt%6lNjaGfiKsUL5iW!xFh3mTtlyteI6dch6
z1QMzyv<vApz#bJ)sfbzfx`?HiZvtX6Jw;1|!^?i9g2}Xk#Ru8WdXy1U{SabkX^2Wg
zB?f$4(Zu^;A2KT?w27=`GbSg_+Jl4B)5F{Dd8>WfJveIzXPaoJLx~xlY7+xt-HE=6
zy;qY=Sans4=rUtsYMXD)`-7)xPNvSU3VY_{B9Hru*)1-PXQ#J^C*9WVL95k!N?dKC
z2T)CD_4MGdecF#U*#zadNiXWY&b~8cE5i}++M!H2mk1Z<z1V<-JunGGHu0fh=`lx4
zLL2?|QLjC?{jGg{dvP#$^MIC=Ui=$c30fEN`>bzCb$Y$qqw{X(<oLF8avGa12`l)v
z>rYRF)oY)gAGF%N+l!M{VThhmVjFrYMGucJZU@&F2>^rIUIJkPfxbbwk-NOr<1K<-
zfbM!C_6Zyd6|UKZFv?@j01%rJPBem>U~m+lrh&E>`d4gw*t&QC17l-}EX3FaCF9tY
zXFzU)1PTO2)r@odIBK3I+}R#vloY;jY|9qHaOF9k66g^|HlbF8HepXzF2GRvFeq-A
zh%9(<Sm6p03v(f}$`9N-;R=9@RtW=~Km#u*S_fdX%EOd1ilA;}vQN0gH|C!Rx=+AB
z5r~iDpa`%>vrq)y6Yx+3;scl{QA_rYBZN68az+89`^)RKoTf9JIx^1mf*MN$qbX`L
z4PxmGZ-NPQ!~c9<KDY3yM+om27_k-O$PC$i;?bZD#|D<klq0TPO6;g5dT@FgdINPm
zTBO?^-1ZKxqLVSOr<bIT6j&)A<l0U%s~@yLCoPj8)ct@pzOF(SK`z1)>*{nlj+sJk
zne`AUG#thD8shjlrL$3c)P_R9t5{?nrcaxcDRIy`JL%?374^1%-A^qoZIynzH##|L
z7x2M+ZU1uyfgkIS$%B#S1@K37aMC@w?GF!o?SqSUFGN(=_zLgdr^$@$9j7qUy626<
z&g)Fqb++SrAS3d;$f!=Q_apNL30a)3<dHY<KfoO{WbBw5ita@NaRQ)iBd8qN92)Wz
zg2AhSW@J=wppL<;A30EoI(1-JV814&g<RuBK><as#wtS4jT=-quF8PIP_!@bV;AoT
zokObP@|hDH9z2vGW1ujZG5{H{A(gRw!p_$?R_`mCEc0KkQ}Wg(`mGF%`e!xU{pPr9
zL+>hD=;!Cq*laUVgBz9sDiw8n02^bu@1YA$aP~65{|Ji$&XH+z_By=xvaq;;!Ta~p
zLmZ9J`urLE;MM~b^rs;B@4x>~pp%H>g<*tjP>;Ozn*8CXp8|mX6V$=aKZlohb!^ms
z<WMG{l&=wqf{)jV8V}Rzzm82PDt%1Q=u;$BiW}fbt-5b!H#ysMsRRywe{T8~B1)(O
zSu`m!ULjzq!xf`$syen=z10)kO-u4K2Dd8%J7?eFV*M1lcZT)pP~mF}++g>k9*%Fv
zvq@ay?xzMY4KPS}$4u=xxiKu!y|V%$C*naC@bX=wnIa6NJE6a8=1y{Z<?lvks}W8d
z&{t>fwbCG^<{5G+A+*v89Yd{RQ*yt`m?rTI9QUjAnUYvqOqPPuII(`RKu($^m`pig
zTt|`NuT&IG)ZH>x#kuJ0bqeYk1a#poY{n^q=4+ucG`F{Z_$j!N`g024@Qm7yz~q=!
zG{c?=-F#ti#9j|h`?u|*)|>WiuYYiRbuxH!d(iIR)*HXx9v_|E_TL;d_V%~@QthKw
zPPrJIqr;;@a1zU9KucS**9+nE31d@Z2|23F(MpE1y>`7UQjl`Ys&lkTA}FFfrGiFz
z*7ClV+$_#LAS{ezj;=h1K*}b4>ehGq=68Xu`b42c(Vq*%qJch|y=a1Z%?wLaWD>e+
zf=2Dk@IC~hpwAFvLIOCmzXLHILv21Fr)0{`tv02EJ`MNeEk<d9p^4tS*vjF$t0NBT
z1VLTc$G5)Zt^`-QuO__<syg4PWG_fz@V6GjYcE^rn&9@om~3Bze>TGXUtG9bM31DH
z6i+!E?L}C*39w-;?(<EIAi(&p)`O0?CAI^d?0kMv_syeDQ>E{va)RX%_A|&hO8p!@
z*%x@3b08`LJ+O?<(W)tjsX_@xkvKdPvS0u=noN+!o1jbj+6?In>~jLK1$;uApnY#J
z&WgczG89y73<JLGHJWkXXVE)xd=u%JI;8tKLt3m&n;Jy!M#hi(#Xc#C8$YD@H%&kn
z&;NFZ#xp|ZPjK&}`{dmJ_;PP&Cz}6lx8B&~e|wH6l$StvPIXZ<H5jMKIXg!X8@kNh
zb)`7vD44Y+A&G$-ui!9NC6wjmQE3ZYR&AClKJq=ZG|-*XDJL`MvM!U?8pz^q>S*8}
zu?;6pj-u-)?**|WnQ8f%fxlg|ROCVx7p_4n%la5`Sg!=`xi5JeG6^<|Ms-$o02##U
z1PiJL73u+aercy4RsZt#5&-GhV=Ew3Q07t%5>t^=;$QL?hTzwuUi)Csc76;mTJDdC
z%2x@ZE0!&0=%_7MAm*gz{VR@YqcWb_Hj<0?<44qi^$ergc<g98sQ!IMvR*Olr=Fo9
zh<}AS8bbK*G`8cZ4fQ3W++fH=GEwuBOxF<5zrqMdasE3EvPMjEA#BGd8C?(BUtw5X
zWDWFp8qo1X_tOGC!F=_=eJ?}WYM-`KXR3$o-)Ts3<LTva1m^cLxLNZxf^y0TuX7_y
z-bg;&?sD@pdERUH+N#~%9SJUYJ;y8c^0_Z7$sm<R6O-))DTJu>*FK6$-`cb<^tk??
z>I`Aim|BFQCvPLi|5MxB*^Bspc50ja|IhQh02h#RL{%mq#Q-Yz^mt)lUFKy~$>mwK
z<iww|g)L`3U^9d<m|`+kIS~zOx+O1S<Hiz6*&lchExq&tSZJ!U`~GB8G%@axu3WbN
z{&N+aTX+SCC2I<lfQ_h3&si;1Tm9QUClr-lfFoj>!~&zEKF|%yO4X^sx8=VI{Ze)O
zk#5U>-50azw)n^W$(Gi(4`>Xv`NCG2j!M5&*_~bbr8<W5(l1qRioXdprlnv0|D_jT
z1gSw544kyutW>or`G7QDsv0_i+p0JvA4=6F(}<3?{|XYoo&UY|LF=qtHTAF1M)v$~
z)a$jV|F==!+u6+j=XhSY3PP#$@9(|EvR19{RO_|hf07%=&FyW&oL1S)Kv<Vc?ilJ*
zwCxnHIHfD06uJM4@fAj|Cm8Yy`*Q&)`WgKD`+>Y_3)(g|G+8jG2~oZhC|;xuKPIFJ
zmc@GFSE($E_NG)i0G3LWC{y}Z#!lK5V3;<RN}Q5(6GFjnp2p(b`oK7}bVzkT$wHnv
zau4{kQt6jp-VhVnaEhA0`~v>V#oSdm7M8I@l%Xo0{IgVg@dEUvCJBy+j!LCKg{i@3
zi?O_y)}7|g|EgY3UGb#U&61B|6a4Yd*PvdlzpB<MwLeOw&!Fdr>U;)r2kkR(18+W;
zK34+I=g@!RuhM4#J_Dh<gU>E&fzJ{JrPqrVenSGZ7;o?yw45j(@s~;_9&9MyLM4Pi
z=`#pk_vdaXe+ER})&)L;KR$i=0|>0bMcoq`pTU?AEXr}ZKuINI5&EA2<5Y~}XYhw*
z;Pg5)NJ+m=`OgJh$(>(kr2LBIbYLnbDz|0qUZI;ufaDWF`Q*qsJM$SBmTYw=zjD%H
zeXoAKmJc9&uw<>Ov6J(D?flA-WBfT)-F#6Y9uOi&j`opPQl2N28KkP<%(-h#s7Pee
z1b;w`|JVY5$Q1hG4^dzIe+Q{0{zsG&`UfBs{9zGGj9eItP)tWYcSQ0W7pM^1cMo+p
zk+D-!P2}@nUe1DSCM=LLB8QbSQ$(y+cTGOb&L@#q*F7$fKb*0o$@!xhIR{>ysLYu@
zQu}**JG(_{%CwtZV)Y2&1-K!x`j8=7sOexL<;Z=pc|?j-R_A{UAsnh_6{N3|zrM=V
z!Wk&vBN!XjbSU%OCsq!I;(S(@etZUhy#L)VOLdkz1G8LmA%w&y9}hPJ@VRqqL|SKK
z*|rlgji<d!0av8SK>VLityl<Pe&t}as>gLNcV9M=3j4QR<^#5g?p~ysa8G_Bho;od
zXYJ&Qai)+-RB~#0_n4>YEXmaZH)#hblbrG{k6uZ)(<ks#a%H+sHSf>f0;30wQw#zX
zGM*6JzMsJb<4Dh&oNGc;dSaEKC8A1W4$>PV%9F{P3VO(dmiiP(DoEU25!w6N@7d@I
z9muez4?;NHjE$&<tl$*hdnC~M^Wa`j!2Q?9;@-%?{o!m9ZX|~Jt3sHsC(y!`$5Xqn
zt_W|DJL}<W8-epQ<Wf;{UBXWZ)E_hRqkx`@6W3W1A~o+hg$IHVYl~IJAx3I9^WhW;
z0(mesBG<y_BawLesKCOQcz!B`=2W9%ITVYdbmAkr9XYL))dTOSRRH3$R;@RxwZv-i
zJAVprK;#DUe3d71e|XTpv;NAO0c<V#kq(Dr<}j3DsiQjmxnYkGH72V9ypeKSdU3)&
zMB|E7eYDmUfw#Wq6#=l0_7$n>9WHq^uXvCi!zkWah(~fs%HgDx*(Bz7jy)PXgp<;>
z=mmE<;L;P^<x~vjn=4SXuva!S=SHGic0wITz4)t~0VpOrf35CT8_6}&48)zp(z&jh
z%xn-jb=D@`dfsd|n|KPCEI)SSda;~-tmVNjnEENfb67l6agyh+NCK<k^@?~43neek
zs+aAr?mO4KJh`(vBfDtMm?r1c_Gj6v-Tmx3;Vh$}eyh`(_*PxgbUR0@IAa&_t*2Zd
zm{+=}S3M_ta}EI?;7?y8|8f?4ukA@Mng}_A!PoYoXJnPi8NcEM3;Nr={Az3aty5|i
zQxewjSZC(L%WEbx1)a}@adybaH|JH`i`9yp*v-K%*N5&F4Bt0f)L&n!to4)*7M%EZ
za!)8Rfi{Dbd-ugU;Ro+$2%8n1Xbddt)q1TOh>!?`4OoQU5u$(C_KI&)73|Bloq9k2
z6{4IrPuk-uXtvb)wnICEQ}Q%z<ivm0>y6m?-^M2X^LZX8xD%Mruu7#Dz>U;TxPG>z
zBWv~EWYgclrxE~$WiNPjZdf{a{Th^8$i`%4B8!(xNtf4x=4+>lya&oXZ?1kNGzR1y
z&<SuvW4-oi`=H;hbPvwj-kE|x#7qeQlTE>Ez-($*eDYJ-|Cj{x$NykI0-Ycx8<jDu
z0NvY26H-*BKPhj4_wkCq|6KYKqMFe9yij*HR-DOLT5eb>uvS|zPE4T~GXN<P7X8xD
zk-iRn1)8bU462^*<0(IWm+)lT51&v$0)<ppk1B59`;Y%S2J(NqX+(Z3m;NGg@0&+G
z5&18DL{BIA)srXxcN(>5{Qt|nmmB&298XmKk6cN1(Z2vlrFt<eaD*2^8}1Q|Kr?X4
zCR1buDwVyjt|F@J1yRgl!Dd)~tJ3ml*83ePvObmmQTEPfm7CywSut(-_pQ=D%AQr_
ze9_$qAX&&jEL=>URg*;%mJeBSiRf6BSTH2B;(qa^Wsn|m{NqAXP*e1!tk#PnRCezR
zeM%AsF7^BC(bqvfo4DV4KK<36i2V0`6i>JW<jDU<W495J|GRs&{f+#8j_2w0e~3(C
z_0cy|{{yluqWimo<7+DZi8q#lpL~z<&mr>tBb|Ex$kgrq`=#I4ey<{H`F`(rU(ToB
zn_4dY!x616HITLRd+vbExOf#n4pejH=d*c&JoP=BJV9~<J%TO(K0_`&*z*u1fW`Zo
zTHZl<j#lL+C}$@fEN_9bN(3m%`l$fLdp8T9_@eRvmV>KyfS^Gt#ORrgKr_(hW<~$X
zk9XW?1}SIT8r9jhO0E24>Hl)ifA759jr#v;yBquOS)NdeghmM_oSiJ`{u#U`I1>zW
zdI*ksEmoQl6E#7`0mYJ`iAotIwq*nW+s0(-g$q>fW(G%9+nSb~%sW(PB`;w{1>~P_
zEb-_`)6z0>x^*L2Qs%#(3sfHNc(fqMod5Oxy}g+JzyETtwweFW@r3e!+6KDk$dc)8
zVtGH0q{h;7?E4my5n|DdpMgDRl`_Rw2`W=$RRb}p5_mw?ysXwrK;4&U5NlwVh;eAz
zO<*lBPD*jff?0grlr&RH7Irh7wnrYVQRt|y9QdK<@~zO%e~W%OHJD1>ZsP@oxEW1X
z2>>&!=>kI<`XsC$jR@J}r9;w7k`8WXRb6KzxCxvrs`9Oqg2v6o<X4L1a{}+n%R0pN
z4AzBO=A<C<u5OAac>?nGNIo+dFc^SJTLm^UfjZ>A1qh!ZdS@`DtU}vRX>h=ufia*+
z1`miYI>Jbv#wO~%ODUTDCS)>?@<MLy15SVqDMMhq;z-^`dC@)tV@$MpdCR$%)6*Db
zL$<WQ46fh^_|%xrlzoCM4&a0%D!$9TeZOH19xf~$qb4}**Z66_e$*T4ZwJO<t2cT(
z><@3=Ue-Fpp8QthtxLPxAL8RH+-qId+IMHBeyG>*(dCu?b~M~O?p@X2X@j$!vyuIq
zemtjVChlK;oY${R`*2i0yT94d+rtt5t>1VB`&YBZb#3o(I2@g|F72b?u(LC~vO9xz
z{Seml!?V$-b7{`Hmv#O4W@mOhYIla0rhYz}zdgLJ)!V(%TXtpEkI$~&o(!+_-kEuK
zcQfjBu50z9u~WZwX}4~6^x<%>UyVojdSrFym$kR;>klXQdL6&(4n}W#@1}QG^WNdj
z@Mh=i4er8u`{Q8Lqk8StaPSUy(R^>#v$O$xAA{gKG_3!5Ip}pq$NEm|(!LnA>wAND
z_WAX&-s!)awa~otn~UGosCPI%p4|*aZ%2A<v~xA=T@6Q_lU}>C+Z);MuFTndv@^Zy
z4@c+Paqk4~%*3~upu<gV@9J{iSq_H7yP<gx$HVLU>-nsAQ*W=%-}OH9YB%+pQTJ$Y
z)q691r&~8QY!8O*yI!q3(1!Y;e|7S)*XeXF=bheY*g5RBajSJ{xAj_Q=cb{*?bkZX
z{;+#E9Cq(V9sB<5>ZYe1y;@$+b&RZ8yI&(a=cB`&?&{Sp{P^|`VZ4C2`|%9VKaT4+
z*L`!3^~|%~>klK`y0lH$xVgEst{Y=ZXWCVLj;{7DP8;^@s&fc0&E93d|7!zw^z&is
zaITMLP;c|AVXb>K9NMd!kL}g@arfPLr&BvS?hd*;_UX7jvRjw-QXAI!W$kj=dp9~n
zolf`W!>o7H>NK?abUDI!ep9o_XmE4bd-wMArfr|VcXsD|_?8dn-T9z(czkwMKObG~
z?e*rrHilM@Uv+MVtxMa`=l5*T8eOA-*67tb@N#r`dfqwQg(KX8wJsmG^!sjYWDTym
z#`!yZdWH3)YZKpJ?u_PxckR8w@!Qj`ssGmf*xA3H-&p;3qutgesh`&EcfU2>QaCtl
z^stSu=C5wfTf_Tt-DcXnGwgnRyF6>1>~`OD2Ul0G7Tuct=4Ny=zuxJRp*7p<)kk)}
zWA_Ii^*MZZGa9r;13}-j##^)B>RgYnuIo3g%a4Ov_iAv}TMUPzM)zt2&yRooh^|Jb
zaOZ}O=Qo$b<I&r*;j6>(2mN^5!kylz+wC><+4*q?_K)ksUZ0D3%uYYzv%aafu0I@F
zmnOd$)Xr*G)@XNpHEY0j@3&FC{qf3rd(_{t&n|Iyc=N7X>t5m0?g-y$?|N6G(Y!Hu
z(_8hfUUd*24SuU**1ELst}OlCbz^jS^#;E|Z_f5^hCSBX!QGL0N#Rv}?|P>@7}kf&
zkwqG3=KcPeb#v5j)VqUshx2Q!w=S<{3%%B3y}{_uVMAY?edzUCmv#*uci)|^Sfjh6
z@BQ|1wz$M6JHvPSpQAzNWMJu|-iO1FsNK8L+jsP)-hDG__pE+<bkoPP8-%ZygWBH5
zv(>BJ!Q3XJPWPfezwfp#ZGzr)NBW9$c&tNhuFu9p{hjt^bTS&&TSJ2{2Ul-Do(;76
zaIVqI4{xnur}JjC;uiz)_n@~rf7fk{Yd448H;0Fp=CAj9T|aGI+P&)!z1j7SZKBbL
zX>ELXKI)LZ*<m;B>z)3Ne$jt3!a@f0hF#iyH?0jCd^u_zF0V#*P5;<2dbPJ7ddD30
z&CX7L*gG5!J4a$(oDJ(cqfzhhrv26$;G2`-px5b{dT(^~sy4*klcD+Q<Z94f^*T4Z
zy;}E3Z_n&;ecHG&N1e-e`iWl0?GZk?gY&mXH#_?AxYij7xO(U9px=4B?04q(XY<|_
zYU`~_t9JsgUR`(18{8Xqc6x90n_lOpf7TKBOqZAQ&Pd3W-tc6J=AH9PQ>WV1jKZO|
zr++*Y_#O`5b&oHHor}v_$Lb9`{qfvpS696cXM@fgy*9ePvS$0eR;SV1Ic)VBcB|VM
zT@CQ%4jf(A^_`Q|_#Ix2-{=?D#w$3y>a=0){#xKW>T`HL8oe9TN4Wp)?LhxHT<I;{
zyd2ug(dgi=Z|)h_^Rp!yozP(&|2aIKEr;*A#^{Z{I3H+@8>}B*4fMs?PUr0W-RwxO
zU)Nff_6*H;>*w#fAJEXQ>3DXAhWz}r(cOdddJnaFr|`q!$ysMw8(+QMAAcO(bcg)o
z)fK-U4QtEucIQIBx;fL@daYmY9*>TvwBPOs`3uMO%e`ys=1sq`2X(9aMz8Vfn@*>8
zWzA}EK7+##qd$M!8SdO1^UL$W+rvR^uioo);kf@Ry&8>n#|?h?TkX}`@khPi+c~`J
zzv;dca_45Ccdu)m!RTF&kL#WD-aCC?A9cuR{ucJGF6-yV{I}~5LprLBuExjRkI=&J
zx>j#6{@A8BjXgfN>i*fQAF{Kn>3y#;8;w5*d1iO6Yxt^X9iCjhJKMXyBK59mAND`Y
z>u00O<;{oL8N9kT2Y6&b>+tllrq#z5uJwm}2buS?^EX|tAL9$%tPi_w`+EHD@UA~U
zX|yiM?%34d^hS6w`Y@!!!S&r$=WXM>J?r<6?fU5W)lu)wXa?IoI%*v>diA%*=dEE~
zuf6K@8l&Cu{Kh_ecXNF;ygwabd^N6*8fWi%zX`bdNFVm<_FWg_R)6#s>-g}`@yF@j
z&5B<Q@Y_Bdb*_hl*;~D)ug34%ds?kWMg#ok;KM<!|3M#})_codt7CWHw0A}pX1$@d
z*SaKhR39C8=iO7-)(_F(?Fnqp?naij8XR}XdH)q2e$;QyhBx)=VUJ#!vx}SKI)=yf
z!}BBlr~amU1I@Qkw|aYLX1#xfJGJ5P=40#99uDiH;qXJRJs$QN<I(7%H|m+F&+XnD
z{o`+q-u&v_s5`LU9;4CddeqS8XO?|<Iow_8BU~T8=^S4-?4H)?UYxf&A4h|?gW*nZ
zr*%p0M;{MXXvnY6kKeYh&6|$?;qc>lINKS1#Kxu7!Tn>h*KMEG&pu3R*Y9km4-QQ@
z)a`*;KOeTwcD4E2)1Emyytu6W=IDf-!TfT1SsV37ZG0?rhf#Yd^}*B2*RMTQGLjE<
zy?m!dGpGh~qbem|m>SDax>g<86lstnJ#hDr`_drRl{$<Vv~_@M6a?)Uq44{#N<M~e
zVP%hKGh{-y)5J#B!NtjFryqJP+7GybB8>=bU6uDP&<~nS;NarKzg*s?#72}G;R~Pw
z)@a~uq}d+@W=`%YU6`Rrwe64(=}u>qg(7d#w<%(7KCTd8APPatiH@$yJgSH?z-DBD
zb;khXfFg}dE#spHTV_j?*Zo6|7>~e|r|v9>)ee$OeF#jra?PlP6@a%?nQg%tp$Hh(
zgfxTRE!PV7QctT0O=G;^gtBcNEfL;k#<T*dHZwTV_=2KsXd4xYx+N{~s;R&5w(oxo
z;i|l3DhfI9L7K@KBOr`rWk@;!%(53gp~WjfonE^?@KW8%!H7~{MWuTcnLh-AV1_k8
zR1KnxWfm}zrQ5`?lr^d>-3U;&7@G!X-gRPtlPWlpt_d(kKt*EfRd8Z~BWNOgBqsCM
z9sogURuP0PHUvShO0=+|THu50{YV+Fz(noaNDIvx9WjFnzUGi4F&hGft09odQ&v3A
zG>?CX;-LcM$poBSxRn5f))X;7q_bgWXfw~nJcA6t1)s^&F4Y)l0ItabXwXtn%?0L$
zjgbq`umpP=))XTk1kje~?n=2CAjW{rAVmp41yL9@5nzZ5MrKvehT2SlmCcP2Kn9;7
z3LrQ-Y4w0gWx53j1u!aK#Dnf_Y-q06qJk{lfhH-z;$1U1G82fI$}GW;kW#pc4$y*=
z1ICQ0l{7*!*Iwj;x#aQlz<>#cQ?Ou2mrfpv1gooo!-s0FiZ)Hi4K1M?5M!eG*%6@}
zpg0*+hsK0p6r<~SY9E9WX6NwU)eKoe(w|&N!KDyz&qzoKqnKny?p*0_L<Ng%7XeP8
z#jvbxSe$^v;|uBdTv(by<$o0)(DX^=P-;4*PRiU<WKH=jxmaKrcN(cB0^}Ho)!Bz#
z!4fzK<sb({<z2+lOVWeSiY&nY{XhQ?B^ZN+{eS<@|0^fZ_D+K-;y{2Qog(T?lB8)Y
z9_5B?iaMzsFb&Hv7iJUGQwk`45v%VM(PHEr?dKA--uSf$MbB+@vV6;}DRqQ;<5%#L
zQAJf?kzngTrxMhdsL&T1X~x7r`eP`TPmsVh5$S{o^iuG8_-cv7KBTdG5Ums`7A%q^
z%hV&LFTS8jcaNrEeR_U$aC&>uYj*(TY6VBmf@3fx%El{Mavay_{6}WBhIlF#rJ1<}
z<mpi9t)3avnLGolK`fYEfEE8ED%MxAzNG>s7E&-UxeJ2$nq!}$N(4V9k>AZzn<H*7
zoMP^R=`Iy2PDn~wX&?l|CWvW=5-PD!oD9fX#BQUNw<y3BqH&7ITW(T1nZSlrCB}`Y
zz!hK5iM)4dQb<*k*Wnga)@0d`x<<xwU#5t@mWV*SYZWPKN~yI}dja);aYE(&-ZBY^
zdbJqGF7$Oe3O;>#ggGnswbHHGEn%TCLq}AdYjm1ExrpxYxfZW~RmWouUf*PK)R(YY
zD~Ahmm;F6`BQQdofYU(QLf7%Ys_FfemgE=-^NJ!HLrn^;0L)O&H`eyX+745HV{LD&
z?Txh^t+27S108xAYr92_C1O&|Q#N;+!R^X^-=<FJK(dv+#z1bYZ1rrcZ1?#~S=pkC
zLWyLIXoj3bUU<~hSfV5$sGbm`rFC&*tZ$6<jj{fBH`e_(*|xghWvFS$=1A{G!)ME7
z`NNHil|MCNsnnXR3Eux+QVk<L5V87u>`KPJLcDR{&eaEp8y|LB7v80{!DwUuLoC=h
zeAjC*);M$pZc?amIE>(FJRd%$LC1$w-W|Q&jRzi2bih>hYtI7`;Pf$a^c{%tDz>6Q
zDbk(l8~4S=eG#Vq#(nV&?hAja=X)>wvPGR2IuhMJQ{Dpu(HzZ0oncr|4*^kI%w^Mq
zASRc1PfbH!9jeVyl0t|HV^wL8QDhSC?BY7tWdkoywscsGkq=)gnhDG(9>vI^_PILL
zU^!@tRs&db!$dT$AZ2TaCcIY$Sz~W6{?WD8;`Oq0N~F!miPPuxhCnt5v4kK*9Ws_F
zv`qB&K(1yeTQQDIAr>@f%fljM0%p+Cu@DD_1xy2DgQ;|lRrf-`q(R^W?A6Tpmx4sy
zuhnX`bh6gt-}2~sMs$=z)3!Vx!vLW`H<<cciYr0X5HU@nqpG}iH=*m|qud}+FeIxw
zX0cjFq=~C;>lIdwGi|_(*i0<k3p>GylH~?+$THx0O!H%hP`@#EMQ4CmcqOmtRxIUn
z)WY=gE+lkxFgR7NE5ThFF$Iqtc3Q5s=gj)*j}M<&yBRF776;gnF=L4eFu{*!kj_0_
z2{N~86F~P*@2eC`7D*CpkaJ|(T-s|KQXUmSf)8Z%J7{o8#W2;97)!37HbNAP(L^qF
zVlkW=meh~%%CM#h#LnUzM^Y4&IfDROc%nH+c&HYVofMHCr^^>X#hqHsOqdtnM4mXZ
zfIon4$?Mxs7%>Ju7@Q;evm|MvnD&W$2Q5XG1w+awVCe~SFHX}0xG^e!4@7>b=^xOO
zidg<>s#0R}8@v9i+x1gB<Q#p3b$@&j+8T-4_>s?XOFxQ9)ZUMLe@?4Eg1g+sxs%h^
zLrJpx$pr(>vh12(!KozOh)54dCor%yq`kl8`Vb^28&YTrb=vbN93EeQgJehc#xbyQ
z3~U?&8AI@-j)90YDBvE5)F>R`kiQ+9wGsQMEm*K3iv-nWoz2&<p3|s;D?;Z?=r##}
zPcD|b{$9n}YUjg@ltLS{nOn2ZMB{qn*CIr&H-2@foMg-pDyY2wa4Kh!GIMJ;My28#
zyTQ%2BwboY$rwUIcS8(4z$<s<6ukoV#?Ee2`~#drc`{odnIxH#7J%4*t}3ewonF*9
z@&F(8T3<hY#;}9iYED+Z{AedH1)+QTFrsd#?c+PSBu^3d*)z%GAaoPCVuZKQ!N~+z
zBn(+BVV;VU?kpr!eMC|@+;YxG24{$9%~n1~!SEO-^kNO_M}xuSWqy91Mkc3}c=zW5
z(Ul4bgF+Wm*0i(IC+})2KPp>bSy<-HbZ*pBS_;=@?R&8rE4L4%2pn`<V!1r905WZ!
z5-1SHQNls;w2re{u_`!_ihN4ZM5q?=YA1Zpiw%l)rcew+i~@?>PCQ-&cW0Y7C8#M(
za=&DNs3~=F0z0z#BhZwiqq$#FoCfaWq!MM0PPzpkn4^_aUxkkBq>xnZ9Ezms8!;H7
z&m65}bw|rhEtxlz9<;2_5yFVJox{zFLgIzviVCDXRTDQofJ;4`q$3ZC#o7R6y-6Cb
z(G8F6p}6%qTK&k>AP6p<8S%J_Xa{@|;o2NBnYq`1;>#0j3v>w=|EWBoIdH}3wg_Tf
z!e#j<A(KLI4I-%ulHDz}GKqc$jT0tUfNX9Bfe{k0PAnn&9coAuQ#GR+Fr9nyEMirp
zV9f41aM};GphzrQ3DPjwSRVO9s3<h#ri1fEnZN41fxeLBfH@$Y1ZRc@Ohl(hW%kPM
zTaLU^Pr<Rz4@v{6u|vV9BIZcOS9cgvi)2P_6~i>Jyrv=QUu=6(Kn50|VSF`n)_1uU
zn9vq8<C75VlEJ<J8yZxu&MF8zwe4UXN4*S!7my7G#JDUW7K@J%ITk?JcdjKpt`-tl
zbGN|Vj4&hx_QXI~`Wj>o<gL&QN`)zkpIBwJbj2pFx6Tm@uRvKP3$MnO=~U>s%Xbdv
zJTN3Mq+Ay<S^Pr;A#FP315DPIw-T@pD$2qT`TEvGM(}B(dG_eg)5ipz0%9dionqmp
z4>w|i>Cf|cq8lt5@CakWG?Y>#peY7%Y*+x3rh$d-x!Q_$4Yts6xRZ;jI<zmBqb<)K
zQqX5`DOMqne5%B4SO<{#?QCqPjqS9tol>5S?UdS$jqOx`NE_Q}V>?BjjqS9to&Hv~
zlZ{ZWdVC?uC}mi!eB-GtBk5v66Nc@EIAqyLwqtFDm0`K05~z=TZCQz4NAFGQv%jTq
zczmJI^a3#x2>G;j*n^|2qMOczVy!awoi`Cz-zwrt&Y#BwS_!U|Z$j}^;%!n`m26Ip
zR4|&#RzRNVmIie*gLg?oV{=Kv=8}fZB@LTP8a9_SY%XcoT+*<)q+xSO!{(BP%_R+g
z)k_+l?3{(LVNxzpkY>#0_Jqy3ht0W%Z*}fL%+CDd4x&`iBM#$<?i>e<yVx=uY-l{S
zW%7hK#Lhcoet3ML&hQ#c9mTH5&31T~;405Lx;rCS9~frdaps=l7o^MB2vJF<JJ<p?
zqM+9~+HJh7r=2!W?CTsM8)9RL)^6OZ`A7`R)j_|T7kAzV*1{Ys2k(L*Pi)IT4Kd$b
zCrm7@jr$Zl^t#)4wfk!SW#d&w7Krsu7q1icac<$2d#qfEZ-XiJB9<HRF@s#~B*+|T
ziAN0h3^9M}_bGEY7L7H?*(rOXeefsUjef#C+o#<pG!5%S0!&R783g#v_Y*65JGy_-
z4acvv+XWfBBQ#+^qG@VpVx@L6%(}It9He9+Px2ybLZ~M6n!(WpIBUfvn9Q2%!a-gN
zvG`DBkV8nLH3hcHIpV8FPHv#@T58K~s!+_lt~yDdIRUx>F}RaEh>XKAHrUKnGgEt*
zL+T4cdERCyq5Pq(dlani@BEsPo@G7aDULj8<sdG!2vroEv?5!##IwrQp_tO*i;Y`f
zY5dS1KA~7V)##-q%#_+r<ef96lHMxho@$d<YS=~gcH>I+WA}5{y2c`C@HaLF|Hj}4
z8-ssi@O#h04F1?T1m}ph3fAegfSY?&9T%5p5L{s)K09kbl2YZLEO%yLFu|%i&CCHq
zPQYUT7`P+Wk0}@6F~q^bUQ1zE!*MYnvH@cfj8#f-VpKsFAzhIo0nbjarxN553nv7I
zZaf|vkH>fJ@z@+f@kVWP2qh2U%^{Q&!fXzqggdY~gt9q=vN?p}ecc>F*&IUoYaK%Q
z%em#9ru#^vD9>XYE-XecXbZz|r<f{~Z2t+fNE+zQIxma55>mih*$9;9i!q`W;z+tJ
z#*i6WMYK{*N?st?NFH<WQ=`ed3%$@I0F|QQ-l?b~8<UmF95zT?bG&gem~+s>gRC%i
zAc{Fqb_<u|9G9&*Nv~xhmxhn_i_RDfEG*;Cg}UTQ-s|Z1j}svC6(D)4KZWld%v}p4
zd3xlCFh82B7}^TGptnZ7ar&V0H~3^t!Cdm1%Oi>k55PWSVsEynzKbm?H?if*SJ~KY
z_OHC>``Nz&U`cb6xp+RrJ0w%s%VSPRo?vp$EV+(Fd2zV9S%M=vfm)K79wSVwsl-_r
zP&2}~z@j+Pn@u<M;yXJ;`IkINY1q!p`v2Iwy56>JE}U!q3KqV28>5lrd^9)jI;2Ul
z1?YyL>3UNP11&MK8d=mt*;#h6-#+kDluSvq>KREuUc{|U9)45jIec^udpCIW`;?ne
z^6R%M8^3M5TiI*?pGNhDW#h*^I;(H`Wc?4r^Q%1WQr2C{x=Y!fDcI$uY-4*5U(GhM
zyU6-3vi?(ztPj^Xjo+`5<nj8(xb8%+YL-%Ww{%gmGempjp**Ii8dHJ&kR9p1DX1XO
zi3an>QT-B+%L_F^Lwia*f<I%hg!gpa7yP-cjd6u#!1ky%5SZ;W0aj0J-{{0(C7dX*
zI+TA!s@BuTfI%p}14Ws#Jxupx1PNRBYP*UHOdnimGIOj78AMWuA_Gpcv1XP?L44qj
zUzikCZv^xIRWi5fB)M)kh|YJ*b0;hjfNPj$%>6?unh-5ebZ?L-FZV@>G!yX!=n^Bi
zRFBDy+DusLQFZ7IKS}hsLEK3usg!cUX2sWgX6kpdiwn3$^#NGd7A<hfj6!_OOPI%a
zImVdAR$dR00Cd`@YS)?O%VbgqUhgqdF;TC{A)6ktQ{M3S4NPsT7!?EyaND<6fYAHR
zcCOwVo$ui%bXwJG-olm~1q(a9;x5?n6gnmL@D~QS3c&J`+m^GiF%8@B7J6iYCZ}Np
zcLCVl2ae=0^vV=*X2<Xt2IV4aE(5UUGXNV-0~p6^7?cSl^I?$N0JgcjwdFW$bZbXE
z2QZ53U?Ego)o;gl0NV|n4etSr;XYXO&%jRT<v&=6++;}fav&@ucCjS7c@Q@Hppz*v
zh6@2~`4C{cwPDAL09M=xFvyPpb{q*{$CI#ay#-$aY|WVf_TxN~JJDOU<W+3VpXl$9
z&aJTJQ1nVP@GC5N6un~mITm*6gf$bVCrkhGQ;PCdDt)cWH&k;hubqW{-qB=fg03nU
zExHDv_aqry)%~58@W`UeHxh^{M4F^)l<O#j_L;)ULIds{?Z(WqB|v&l!_7CLpf)mW
z1H^7yMY=e>LnusCEiqVQrsbTf7d0BA;gFU?T6%Iw%P7|&Er+xm(sD@4AuV&W9MbAY
z4rx7kq}5rtizcV;Fg*(~gVeVsm%xSq*Fz^THe$0MN9^j->n!!;sdCSaC6^sHf)S4A
z$$dO-1e0LD)J(b7uNz#sb~E@)Dz;qf=RNY}S`F7C`8C6ow1V;xs%o#(xWSbZfz4Y%
zOV%j_ACDbh&hh1%qwn}~d*I8pw)Ze&u2sO6GpAVd_N2MGNFzunoo%kLe0&eCZx~C%
zpjph37T%L7J93#2q={C@N4+^HJ)Ib2J|OMT<E$?cDoJZA<|^a@n=t6EnQo0Ry|x}J
zE^2#@r0ukbG2Be~zz(_uRdugT5u?meeTCPU7T-E0jnKY^ZBG*}<)b1~c(Ng!9WcyF
z66*o0n!Ru?G@J_!=R%_+ITsq8-Eb~6EC$KB&~Pp^TFJT4a4s}nlnaf9ay_I}e-_&6
zh8eJBD=}-!CbXd|$~jybxDUHV6Wh4G`&G}YS%p|gTebv*?>h~;LDLlH=&uSeZ;cX+
zv`k6OkhW6S=h7E&O;1>0ez&OxfRNPnI9%Xxfx`tI$>D;|Za7?EF-Q&<I9$+54i`9F
z@Pcr`ST;fXrp1O&(0kePLVW8yH^P9t?n}{luE3?dGGyP?ECKcX20uWnmCu=?21J^y
zeUSoGJNa1_(cz8QyZ87Gz$}FXaX6<B7Wj>zl7Oh;1Awo8)~r~S)Z7Y)^G$l;y8LwI
zhyso%&>Ve76xah%KyCS9ih#;$OAgRZiA{}bbfm{_Z>9sGRM;`3tWlA<H|_E4Q3ct;
zwr<J$pKj_p#iodGSt3$k?wCa!8|<B`PTk0CF|=y&Ue%&{UD+r^9ZTy4s6q!%Itg_q
zh!(J{ND!4V3H$}hmT8jX678gpFbu=Dr>E>Q48!(kcy@AjFgraxpS?XjJ2?*z!r9sJ
z*~tM2cT)R6T9FEt2jO?u)$ZIgNfU4bE2@w%rG-yA_teUCX?iLZFuI2cBEC1_b`P>D
z3S3rH5kgr8k_^w4`=2+$Vzy>hjfM6-%wul?a+GjiPOrJMF%)wbN3RZj9&iWetR!s`
zi(-_eIr2UK>h_OYy0^RuJ1TGvzFgjdI4z0iCutS1zr6XLKmWT7*kAd@A_?dp`Cqcm
zgIdrWM)#`%+@%>J-qa@#g*Wx*@ZOvH)sp@jmuccn|M4c^3oKK-BH;S!1M&Q##Ow(2
z(-^^kXD{(L&tH=W$0&H>Tc0J<{{Qsh;_8<V{xaTC9RvG+Hk+Nd_W$Y0`I+1Q`$!W&
zr`+>ieN|XJ^k*mjEd2eo)O6Ej;*&*+vRF9Dj}sJ#>_;N^5mk=MCFF*-A4&C?p&#xt
zSRIi+SFl8f;MLd9T*D}eOgQi#sDkD{(z4ssaZwasG~{p7le);!+O{{IC!IT9e!3!_
zH=X{Bm#CmR$8-w*FYA-Wf>oYU*n<4(?w#jNCelOpC61BjX$6wBTCC=NgqO0c{CvlJ
z6>pKei&cdal%tZxD_{_b?Q(@4gm<v7^l^U_<A{Lu%%6q6HegzNa$G)O9DfT`_Mk)=
iqPRW~<qn_2iRY3_F1h3qP5%Y}0RR7Uve@4MngRf#yr7x@

literal 0
HcmV?d00001

diff --git a/charts/metallb/.helmignore b/charts/metallb/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/charts/metallb/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/metallb/Chart.lock b/charts/metallb/Chart.lock
new file mode 100644
index 00000000..7d3b2e40
--- /dev/null
+++ b/charts/metallb/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: crds
+  repository: ""
+  version: 0.13.10
+digest: sha256:afb2e9d5b709e7ded68c21f9d033a0a14a1232be270b0966e5ef2722575afc77
+generated: "2023-05-31T15:40:56.282100173+02:00"
diff --git a/charts/metallb/Chart.yaml b/charts/metallb/Chart.yaml
new file mode 100644
index 00000000..f7ffd3a8
--- /dev/null
+++ b/charts/metallb/Chart.yaml
@@ -0,0 +1,17 @@
+apiVersion: v2
+appVersion: v0.13.10
+dependencies:
+- condition: crds.enabled
+  name: crds
+  repository: ""
+  version: 0.13.10
+description: A network load-balancer implementation for Kubernetes using standard
+  routing protocols
+home: https://metallb.universe.tf
+icon: https://metallb.universe.tf/images/logo/metallb-white.png
+kubeVersion: '>= 1.19.0-0'
+name: metallb
+sources:
+- https://github.com/metallb/metallb
+type: application
+version: 0.13.10
diff --git a/charts/metallb/README.md b/charts/metallb/README.md
new file mode 100644
index 00000000..f5973375
--- /dev/null
+++ b/charts/metallb/README.md
@@ -0,0 +1,158 @@
+# metallb
+
+![Version: 0.13.10](https://img.shields.io/badge/Version-0.13.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.13.10](https://img.shields.io/badge/AppVersion-v0.13.10-informational?style=flat-square)
+
+A network load-balancer implementation for Kubernetes using standard routing protocols
+
+**Homepage:** <https://metallb.universe.tf>
+
+## Source Code
+
+* <https://github.com/metallb/metallb>
+
+## Requirements
+
+Kubernetes: `>= 1.19.0-0`
+
+| Repository | Name | Version |
+|------------|------|---------|
+|  | crds | 0.13.10 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| controller.affinity | object | `{}` |  |
+| controller.enabled | bool | `true` |  |
+| controller.image.pullPolicy | string | `nil` |  |
+| controller.image.repository | string | `registry.opensuse.org/isv/suse/edge/metallb/images/metallb-controller"` |  |
+| controller.image.tag | string | `nil` |  |
+| controller.labels | object | `{}` |  |
+| controller.livenessProbe.enabled | bool | `true` |  |
+| controller.livenessProbe.failureThreshold | int | `3` |  |
+| controller.livenessProbe.initialDelaySeconds | int | `10` |  |
+| controller.livenessProbe.periodSeconds | int | `10` |  |
+| controller.livenessProbe.successThreshold | int | `1` |  |
+| controller.livenessProbe.timeoutSeconds | int | `1` |  |
+| controller.logLevel | string | `"info"` | Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` |
+| controller.nodeSelector | object | `{}` |  |
+| controller.podAnnotations | object | `{}` |  |
+| controller.priorityClassName | string | `""` |  |
+| controller.readinessProbe.enabled | bool | `true` |  |
+| controller.readinessProbe.failureThreshold | int | `3` |  |
+| controller.readinessProbe.initialDelaySeconds | int | `10` |  |
+| controller.readinessProbe.periodSeconds | int | `10` |  |
+| controller.readinessProbe.successThreshold | int | `1` |  |
+| controller.readinessProbe.timeoutSeconds | int | `1` |  |
+| controller.resources | object | `{}` |  |
+| controller.runtimeClassName | string | `""` |  |
+| controller.securityContext.fsGroup | int | `65534` |  |
+| controller.securityContext.runAsNonRoot | bool | `true` |  |
+| controller.securityContext.runAsUser | int | `65534` |  |
+| controller.serviceAccount.annotations | object | `{}` |  |
+| controller.serviceAccount.create | bool | `true` |  |
+| controller.serviceAccount.name | string | `""` |  |
+| controller.strategy.type | string | `"RollingUpdate"` |  |
+| controller.tolerations | list | `[]` |  |
+| crds.enabled | bool | `true` |  |
+| crds.validationFailurePolicy | string | `"Fail"` |  |
+| fullnameOverride | string | `""` |  |
+| imagePullSecrets | list | `[]` |  |
+| loadBalancerClass | string | `""` |  |
+| nameOverride | string | `""` |  |
+| prometheus.controllerMetricsTLSSecret | string | `""` |  |
+| prometheus.metricsPort | int | `7472` |  |
+| prometheus.namespace | string | `""` |  |
+| prometheus.podMonitor.additionalLabels | object | `{}` |  |
+| prometheus.podMonitor.annotations | object | `{}` |  |
+| prometheus.podMonitor.enabled | bool | `false` |  |
+| prometheus.podMonitor.interval | string | `nil` |  |
+| prometheus.podMonitor.jobLabel | string | `"app.kubernetes.io/name"` |  |
+| prometheus.podMonitor.metricRelabelings | list | `[]` |  |
+| prometheus.podMonitor.relabelings | list | `[]` |  |
+| prometheus.prometheusRule.additionalLabels | object | `{}` |  |
+| prometheus.prometheusRule.addressPoolExhausted.enabled | bool | `true` |  |
+| prometheus.prometheusRule.addressPoolExhausted.labels.severity | string | `"alert"` |  |
+| prometheus.prometheusRule.addressPoolUsage.enabled | bool | `true` |  |
+| prometheus.prometheusRule.addressPoolUsage.thresholds[0].labels.severity | string | `"warning"` |  |
+| prometheus.prometheusRule.addressPoolUsage.thresholds[0].percent | int | `75` |  |
+| prometheus.prometheusRule.addressPoolUsage.thresholds[1].labels.severity | string | `"warning"` |  |
+| prometheus.prometheusRule.addressPoolUsage.thresholds[1].percent | int | `85` |  |
+| prometheus.prometheusRule.addressPoolUsage.thresholds[2].labels.severity | string | `"alert"` |  |
+| prometheus.prometheusRule.addressPoolUsage.thresholds[2].percent | int | `95` |  |
+| prometheus.prometheusRule.annotations | object | `{}` |  |
+| prometheus.prometheusRule.bgpSessionDown.enabled | bool | `true` |  |
+| prometheus.prometheusRule.bgpSessionDown.labels.severity | string | `"alert"` |  |
+| prometheus.prometheusRule.configNotLoaded.enabled | bool | `true` |  |
+| prometheus.prometheusRule.configNotLoaded.labels.severity | string | `"warning"` |  |
+| prometheus.prometheusRule.enabled | bool | `false` |  |
+| prometheus.prometheusRule.extraAlerts | list | `[]` |  |
+| prometheus.prometheusRule.staleConfig.enabled | bool | `true` |  |
+| prometheus.prometheusRule.staleConfig.labels.severity | string | `"warning"` |  |
+| prometheus.rbacPrometheus | bool | `true` |  |
+| prometheus.rbacProxy.pullPolicy | string | `nil` |  |
+| prometheus.rbacProxy.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/kube-rbac-proxy"` |  |
+| prometheus.rbacProxy.tag | string | `"v0.12.0"` |  |
+| prometheus.scrapeAnnotations | bool | `false` |  |
+| prometheus.serviceAccount | string | `""` |  |
+| prometheus.serviceMonitor.controller.additionalLabels | object | `{}` |  |
+| prometheus.serviceMonitor.controller.annotations | object | `{}` |  |
+| prometheus.serviceMonitor.controller.tlsConfig.insecureSkipVerify | bool | `true` |  |
+| prometheus.serviceMonitor.enabled | bool | `false` |  |
+| prometheus.serviceMonitor.interval | string | `nil` |  |
+| prometheus.serviceMonitor.jobLabel | string | `"app.kubernetes.io/name"` |  |
+| prometheus.serviceMonitor.metricRelabelings | list | `[]` |  |
+| prometheus.serviceMonitor.relabelings | list | `[]` |  |
+| prometheus.serviceMonitor.speaker.additionalLabels | object | `{}` |  |
+| prometheus.serviceMonitor.speaker.annotations | object | `{}` |  |
+| prometheus.serviceMonitor.speaker.tlsConfig.insecureSkipVerify | bool | `true` |  |
+| prometheus.speakerMetricsTLSSecret | string | `""` |  |
+| rbac.create | bool | `true` |  |
+| speaker.affinity | object | `{}` |  |
+| speaker.enabled | bool | `true` |  |
+| speaker.excludeInterfaces.enabled | bool | `true` |  |
+| speaker.frr.enabled | bool | `true` |  |
+| speaker.frr.image.pullPolicy | string | `nil` |  |
+| speaker.frr.image.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/frr"` |  |
+| speaker.frr.image.tag | string | `"8.4.2"` |  |
+| speaker.frr.metricsPort | int | `7473` |  |
+| speaker.frr.resources | object | `{}` |  |
+| speaker.frrMetrics.resources | object | `{}` |  |
+| speaker.image.pullPolicy | string | `nil` |  |
+| speaker.image.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/metallb-speaker"` |  |
+| speaker.image.tag | string | `nil` |  |
+| speaker.labels | object | `{}` |  |
+| speaker.livenessProbe.enabled | bool | `true` |  |
+| speaker.livenessProbe.failureThreshold | int | `3` |  |
+| speaker.livenessProbe.initialDelaySeconds | int | `10` |  |
+| speaker.livenessProbe.periodSeconds | int | `10` |  |
+| speaker.livenessProbe.successThreshold | int | `1` |  |
+| speaker.livenessProbe.timeoutSeconds | int | `1` |  |
+| speaker.logLevel | string | `"info"` | Speaker log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` |
+| speaker.memberlist.enabled | bool | `true` |  |
+| speaker.memberlist.mlBindPort | int | `7946` |  |
+| speaker.memberlist.mlSecretKeyPath | string | `"/etc/ml_secret_key"` |  |
+| speaker.nodeSelector | object | `{}` |  |
+| speaker.podAnnotations | object | `{}` |  |
+| speaker.priorityClassName | string | `""` |  |
+| speaker.readinessProbe.enabled | bool | `true` |  |
+| speaker.readinessProbe.failureThreshold | int | `3` |  |
+| speaker.readinessProbe.initialDelaySeconds | int | `10` |  |
+| speaker.readinessProbe.periodSeconds | int | `10` |  |
+| speaker.readinessProbe.successThreshold | int | `1` |  |
+| speaker.readinessProbe.timeoutSeconds | int | `1` |  |
+| speaker.reloader.resources | object | `{}` |  |
+| speaker.resources | object | `{}` |  |
+| speaker.runtimeClassName | string | `""` |  |
+| speaker.serviceAccount.annotations | object | `{}` |  |
+| speaker.serviceAccount.create | bool | `true` |  |
+| speaker.serviceAccount.name | string | `""` |  |
+| speaker.startupProbe.enabled | bool | `true` |  |
+| speaker.startupProbe.failureThreshold | int | `30` |  |
+| speaker.startupProbe.periodSeconds | int | `5` |  |
+| speaker.tolerateMaster | bool | `true` |  |
+| speaker.tolerations | list | `[]` |  |
+| speaker.updateStrategy.type | string | `"RollingUpdate"` |  |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0)
diff --git a/charts/metallb/charts/crds/.helmignore b/charts/metallb/charts/crds/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/charts/metallb/charts/crds/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/metallb/charts/crds/Chart.yaml b/charts/metallb/charts/crds/Chart.yaml
new file mode 100644
index 00000000..0b504402
--- /dev/null
+++ b/charts/metallb/charts/crds/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+appVersion: v0.13.10
+description: MetalLB CRDs
+home: https://metallb.universe.tf
+icon: https://metallb.universe.tf/images/logo/metallb-white.png
+name: crds
+sources:
+- https://github.com/metallb/metallb
+type: application
+version: 0.13.10
diff --git a/charts/metallb/charts/crds/README.md b/charts/metallb/charts/crds/README.md
new file mode 100644
index 00000000..18f80eb0
--- /dev/null
+++ b/charts/metallb/charts/crds/README.md
@@ -0,0 +1,14 @@
+# crds
+
+![Version: 0.13.10](https://img.shields.io/badge/Version-0.13.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.13.10](https://img.shields.io/badge/AppVersion-v0.13.10-informational?style=flat-square)
+
+MetalLB CRDs
+
+**Homepage:** <https://metallb.universe.tf>
+
+## Source Code
+
+* <https://github.com/metallb/metallb>
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0)
diff --git a/charts/metallb/charts/crds/templates/crds.yaml b/charts/metallb/charts/crds/templates/crds.yaml
new file mode 100644
index 00000000..9b415acf
--- /dev/null
+++ b/charts/metallb/charts/crds/templates/crds.yaml
@@ -0,0 +1,1233 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.7.0
+  creationTimestamp: null
+  name: addresspools.metallb.io
+spec:
+  group: metallb.io
+  names:
+    kind: AddressPool
+    listKind: AddressPoolList
+    plural: addresspools
+    singular: addresspool
+  scope: Namespaced
+  conversion:
+    strategy: Webhook
+    webhook:
+      conversionReviewVersions: ["v1alpha1", "v1beta1"]
+      clientConfig:
+        # this is a valid pem format, otherwise the apiserver will reject the deletion of the crds
+        # with "unable to parse bytes as PEM block", The controller will patch it with the right content after it starts
+        caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlGWlRDQ0EwMmdBd0lCQWdJVU5GRW1XcTM3MVpKdGkrMmlSQzk1WmpBV1MxZ3dEUVlKS29aSWh2Y05BUUVMDQpCUUF3UWpFTE1Ba0dBMVVFQmhNQ1dGZ3hGVEFUQmdOVkJBY01ERVJsWm1GMWJIUWdRMmwwZVRFY01Cb0dBMVVFDQpDZ3dUUkdWbVlYVnNkQ0JEYjIxd1lXNTVJRXgwWkRBZUZ3MHlNakEzTVRrd09UTXlNek5hRncweU1qQTRNVGd3DQpPVE15TXpOYU1FSXhDekFKQmdOVkJBWVRBbGhZTVJVd0V3WURWUVFIREF4RVpXWmhkV3gwSUVOcGRIa3hIREFhDQpCZ05WQkFvTUUwUmxabUYxYkhRZ1EyOXRjR0Z1ZVNCTWRHUXdnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDDQpEd0F3Z2dJS0FvSUNBUUNxVFpxMWZRcC9vYkdlenhES0o3OVB3Ny94azJwellualNzMlkzb1ZYSm5sRmM4YjVlDQpma2ZZQnY2bndscW1keW5PL2phWFBaQmRQSS82aFdOUDBkdVhadEtWU0NCUUpyZzEyOGNXb3F0MGNTN3pLb1VpDQpvcU1tQ0QvRXVBeFFNZjhRZDF2c1gvVllkZ0poVTZBRXJLZEpIaXpFOUJtUkNkTDBGMW1OVW55Rk82UnRtWFZUDQpidkxsTDVYeTc2R0FaQVBLOFB4aVlDa0NtbDdxN0VnTWNiOXlLWldCYmlxQ3VkTXE5TGJLNmdKNzF6YkZnSXV4DQo1L1pXK2JraTB2RlplWk9ZODUxb1psckFUNzJvMDI4NHNTWW9uN0pHZVZkY3NoUnh5R1VpSFpSTzdkaXZVTDVTDQpmM2JmSDFYbWY1ZDQzT0NWTWRuUUV2NWVaOG8zeWVLa3ZrbkZQUGVJMU9BbjdGbDlFRVNNR2dhOGFaSG1URSttDQpsLzlMSmdDYjBnQmtPT0M0WnV4bWh2aERKV1EzWnJCS3pMQlNUZXN0NWlLNVlwcXRWVVk2THRyRW9FelVTK1lsDQpwWndXY2VQWHlHeHM5ZURsR3lNVmQraW15Y3NTU1UvVno2Mmx6MnZCS21NTXBkYldDQWhud0RsRTVqU2dyMjRRDQp0eGNXLys2N3d5KzhuQlI3UXdqVTFITndVRjBzeERWdEwrZ1NHVERnSEVZSlhZelYvT05zMy94TkpoVFNPSkxNDQpoeXNVdyttaGdackdhbUdXcHVIVU1DUitvTWJzMTc1UkcrQjJnUFFHVytPTjJnUTRyOXN2b0ZBNHBBQm8xd1dLDQpRYjRhY3pmeVVscElBOVFoSmFsZEY3S3dPSHVlV3gwRUNrNXg0T2tvVDBvWVp0dzFiR0JjRGtaSmF3SURBUUFCDQpvMU13VVRBZEJnTlZIUTRFRmdRVW90UlNIUm9IWTEyRFZ4R0NCdEhpb1g2ZmVFQXdId1lEVlIwakJCZ3dGb0FVDQpvdFJTSFJvSFkxMkRWeEdDQnRIaW9YNmZlRUF3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCDQpBUXNGQUFPQ0FnRUFSbkpsWWRjMTFHd0VxWnh6RDF2R3BDR2pDN2VWTlQ3aVY1d3IybXlybHdPYi9aUWFEa0xYDQpvVStaOVVXT1VlSXJTdzUydDdmQUpvVVAwSm5iYkMveVIrU1lqUGhvUXNiVHduOTc2ZldBWTduM3FMOXhCd1Y0DQphek41OXNjeUp0dlhMeUtOL2N5ak1ReDRLajBIMFg0bWJ6bzVZNUtzWWtYVU0vOEFPdWZMcEd0S1NGVGgrSEFDDQpab1Q5YnZHS25adnNHd0tYZFF0Wnh0akhaUjVqK3U3ZGtQOTJBT051RFNabS8rWVV4b2tBK09JbzdSR3BwSHNXDQo1ZTdNY0FTVXRtb1FORXd6dVFoVkJaRWQ1OGtKYjUrV0VWbGNzanlXNnRTbzErZ25tTWNqR1BsMWgxR2hVbjV4DQpFY0lWRnBIWXM5YWo1NmpBSjk1MVQvZjhMaWxmTlVnanBLQ0c1bnl0SUt3emxhOHNtdGlPdm1UNEpYbXBwSkI2DQo4bmdHRVluVjUrUTYwWFJ2OEhSSGp1VG9CRHVhaERrVDA2R1JGODU1d09FR2V4bkZpMXZYWUxLVllWb1V2MXRKDQo4dVdUR1pwNllDSVJldlBqbzg5ZytWTlJSaVFYUThJd0dybXE5c0RoVTlqTjA0SjdVL1RvRDFpNHE3VnlsRUc5DQorV1VGNkNLaEdBeTJIaEhwVncyTGFoOS9lUzdZMUZ1YURrWmhPZG1laG1BOCtqdHNZamJadnR5Mm1SWlF0UUZzDQpUU1VUUjREbUR2bVVPRVRmeStpRHdzK2RkWXVNTnJGeVVYV2dkMnpBQU4ydVl1UHFGY2pRcFNPODFzVTJTU3R3DQoxVzAyeUtYOGJEYmZFdjBzbUh3UzliQnFlSGo5NEM1Mjg0YXpsdTBmaUdpTm1OUEM4ckJLRmhBPQ0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
+        service:
+          namespace: {{ .Release.Namespace }}
+          name: metallb-webhook-service
+          path: /convert
+  versions:
+  - deprecated: true
+    deprecationWarning: metallb.io v1alpha1 AddressPool is deprecated
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: AddressPool is the Schema for the addresspools API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: AddressPoolSpec defines the desired state of AddressPool.
+            properties:
+              addresses:
+                description: A list of IP address ranges over which MetalLB has authority.
+                  You can list multiple ranges in a single pool, they will all share
+                  the same settings. Each range can be either a CIDR prefix, or an
+                  explicit start-end range of IPs.
+                items:
+                  type: string
+                type: array
+              autoAssign:
+                default: true
+                description: AutoAssign flag used to prevent MetallB from automatic
+                  allocation for a pool.
+                type: boolean
+              bgpAdvertisements:
+                description: When an IP is allocated from this pool, how should it
+                  be translated into BGP announcements?
+                items:
+                  properties:
+                    aggregationLength:
+                      default: 32
+                      description: The aggregation-length advertisement option lets
+                        you “roll up” the /32s into a larger prefix.
+                      format: int32
+                      minimum: 1
+                      type: integer
+                    aggregationLengthV6:
+                      default: 128
+                      description: Optional, defaults to 128 (i.e. no aggregation)
+                        if not specified.
+                      format: int32
+                      type: integer
+                    communities:
+                      description: BGP communities
+                      items:
+                        type: string
+                      type: array
+                    localPref:
+                      description: BGP LOCAL_PREF attribute which is used by BGP best
+                        path algorithm, Path with higher localpref is preferred over
+                        one with lower localpref.
+                      format: int32
+                      type: integer
+                  type: object
+                type: array
+              protocol:
+                description: Protocol can be used to select how the announcement is
+                  done.
+                enum:
+                - layer2
+                - bgp
+                type: string
+            required:
+            - addresses
+            - protocol
+            type: object
+          status:
+            description: AddressPoolStatus defines the observed state of AddressPool.
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - deprecated: true
+    deprecationWarning: metallb.io v1beta1 AddressPool is deprecated, consider using
+      IPAddressPool
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: AddressPool represents a pool of IP addresses that can be allocated
+          to LoadBalancer services. AddressPool is deprecated and being replaced by
+          IPAddressPool.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: AddressPoolSpec defines the desired state of AddressPool.
+            properties:
+              addresses:
+                description: A list of IP address ranges over which MetalLB has authority.
+                  You can list multiple ranges in a single pool, they will all share
+                  the same settings. Each range can be either a CIDR prefix, or an
+                  explicit start-end range of IPs.
+                items:
+                  type: string
+                type: array
+              autoAssign:
+                default: true
+                description: AutoAssign flag used to prevent MetallB from automatic
+                  allocation for a pool.
+                type: boolean
+              bgpAdvertisements:
+                description: Drives how an IP allocated from this pool should translated
+                  into BGP announcements.
+                items:
+                  properties:
+                    aggregationLength:
+                      default: 32
+                      description: The aggregation-length advertisement option lets
+                        you “roll up” the /32s into a larger prefix.
+                      format: int32
+                      minimum: 1
+                      type: integer
+                    aggregationLengthV6:
+                      default: 128
+                      description: Optional, defaults to 128 (i.e. no aggregation)
+                        if not specified.
+                      format: int32
+                      type: integer
+                    communities:
+                      description: BGP communities to be associated with the given
+                        advertisement.
+                      items:
+                        type: string
+                      type: array
+                    localPref:
+                      description: BGP LOCAL_PREF attribute which is used by BGP best
+                        path algorithm, Path with higher localpref is preferred over
+                        one with lower localpref.
+                      format: int32
+                      type: integer
+                  type: object
+                type: array
+              protocol:
+                description: Protocol can be used to select how the announcement is
+                  done.
+                enum:
+                - layer2
+                - bgp
+                type: string
+            required:
+            - addresses
+            - protocol
+            type: object
+          status:
+            description: AddressPoolStatus defines the observed state of AddressPool.
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.7.0
+  creationTimestamp: null
+  name: bfdprofiles.metallb.io
+spec:
+  group: metallb.io
+  names:
+    kind: BFDProfile
+    listKind: BFDProfileList
+    plural: bfdprofiles
+    singular: bfdprofile
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: BFDProfile represents the settings of the bfd session that can
+          be optionally associated with a BGP session.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: BFDProfileSpec defines the desired state of BFDProfile.
+            properties:
+              detectMultiplier:
+                description: Configures the detection multiplier to determine packet
+                  loss. The remote transmission interval will be multiplied by this
+                  value to determine the connection loss detection timer.
+                format: int32
+                maximum: 255
+                minimum: 2
+                type: integer
+              echoInterval:
+                description: Configures the minimal echo receive transmission interval
+                  that this system is capable of handling in milliseconds. Defaults
+                  to 50ms
+                format: int32
+                maximum: 60000
+                minimum: 10
+                type: integer
+              echoMode:
+                description: Enables or disables the echo transmission mode. This
+                  mode is disabled by default, and not supported on multi hops setups.
+                type: boolean
+              minimumTtl:
+                description: 'For multi hop sessions only: configure the minimum expected
+                  TTL for an incoming BFD control packet.'
+                format: int32
+                maximum: 254
+                minimum: 1
+                type: integer
+              passiveMode:
+                description: 'Mark session as passive: a passive session will not
+                  attempt to start the connection and will wait for control packets
+                  from peer before it begins replying.'
+                type: boolean
+              receiveInterval:
+                description: The minimum interval that this system is capable of receiving
+                  control packets in milliseconds. Defaults to 300ms.
+                format: int32
+                maximum: 60000
+                minimum: 10
+                type: integer
+              transmitInterval:
+                description: The minimum transmission interval (less jitter) that
+                  this system wants to use to send BFD control packets in milliseconds.
+                  Defaults to 300ms
+                format: int32
+                maximum: 60000
+                minimum: 10
+                type: integer
+            type: object
+          status:
+            description: BFDProfileStatus defines the observed state of BFDProfile.
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.7.0
+  creationTimestamp: null
+  name: bgpadvertisements.metallb.io
+spec:
+  group: metallb.io
+  names:
+    kind: BGPAdvertisement
+    listKind: BGPAdvertisementList
+    plural: bgpadvertisements
+    singular: bgpadvertisement
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: BGPAdvertisement allows to advertise the IPs coming from the
+          selected IPAddressPools via BGP, setting the parameters of the BGP Advertisement.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: BGPAdvertisementSpec defines the desired state of BGPAdvertisement.
+            properties:
+              aggregationLength:
+                default: 32
+                description: The aggregation-length advertisement option lets you
+                  “roll up” the /32s into a larger prefix. Defaults to 32. Works for
+                  IPv4 addresses.
+                format: int32
+                minimum: 1
+                type: integer
+              aggregationLengthV6:
+                default: 128
+                description: The aggregation-length advertisement option lets you
+                  “roll up” the /128s into a larger prefix. Defaults to 128. Works
+                  for IPv6 addresses.
+                format: int32
+                type: integer
+              communities:
+                description: The BGP communities to be associated with the announcement.
+                  Each item can be a community of the form 1234:1234 or the name of
+                  an alias defined in the Community CRD.
+                items:
+                  type: string
+                type: array
+              ipAddressPoolSelectors:
+                description: A selector for the IPAddressPools which would get advertised
+                  via this advertisement. If no IPAddressPool is selected by this
+                  or by the list, the advertisement is applied to all the IPAddressPools.
+                items:
+                  description: A label selector is a label query over a set of resources.
+                    The result of matchLabels and matchExpressions are ANDed. An empty
+                    label selector matches all objects. A null label selector matches
+                    no objects.
+                  properties:
+                    matchExpressions:
+                      description: matchExpressions is a list of label selector requirements.
+                        The requirements are ANDed.
+                      items:
+                        description: A label selector requirement is a selector that
+                          contains values, a key, and an operator that relates the
+                          key and values.
+                        properties:
+                          key:
+                            description: key is the label key that the selector applies
+                              to.
+                            type: string
+                          operator:
+                            description: operator represents a key's relationship
+                              to a set of values. Valid operators are In, NotIn, Exists
+                              and DoesNotExist.
+                            type: string
+                          values:
+                            description: values is an array of string values. If the
+                              operator is In or NotIn, the values array must be non-empty.
+                              If the operator is Exists or DoesNotExist, the values
+                              array must be empty. This array is replaced during a
+                              strategic merge patch.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - key
+                        - operator
+                        type: object
+                      type: array
+                    matchLabels:
+                      additionalProperties:
+                        type: string
+                      description: matchLabels is a map of {key,value} pairs. A single
+                        {key,value} in the matchLabels map is equivalent to an element
+                        of matchExpressions, whose key field is "key", the operator
+                        is "In", and the values array contains only "value". The requirements
+                        are ANDed.
+                      type: object
+                  type: object
+                type: array
+              ipAddressPools:
+                description: The list of IPAddressPools to advertise via this advertisement,
+                  selected by name.
+                items:
+                  type: string
+                type: array
+              localPref:
+                description: The BGP LOCAL_PREF attribute which is used by BGP best
+                  path algorithm, Path with higher localpref is preferred over one
+                  with lower localpref.
+                format: int32
+                type: integer
+              nodeSelectors:
+                description: NodeSelectors allows to limit the nodes to announce as
+                  next hops for the LoadBalancer IP. When empty, all the nodes having  are
+                  announced as next hops.
+                items:
+                  description: A label selector is a label query over a set of resources.
+                    The result of matchLabels and matchExpressions are ANDed. An empty
+                    label selector matches all objects. A null label selector matches
+                    no objects.
+                  properties:
+                    matchExpressions:
+                      description: matchExpressions is a list of label selector requirements.
+                        The requirements are ANDed.
+                      items:
+                        description: A label selector requirement is a selector that
+                          contains values, a key, and an operator that relates the
+                          key and values.
+                        properties:
+                          key:
+                            description: key is the label key that the selector applies
+                              to.
+                            type: string
+                          operator:
+                            description: operator represents a key's relationship
+                              to a set of values. Valid operators are In, NotIn, Exists
+                              and DoesNotExist.
+                            type: string
+                          values:
+                            description: values is an array of string values. If the
+                              operator is In or NotIn, the values array must be non-empty.
+                              If the operator is Exists or DoesNotExist, the values
+                              array must be empty. This array is replaced during a
+                              strategic merge patch.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - key
+                        - operator
+                        type: object
+                      type: array
+                    matchLabels:
+                      additionalProperties:
+                        type: string
+                      description: matchLabels is a map of {key,value} pairs. A single
+                        {key,value} in the matchLabels map is equivalent to an element
+                        of matchExpressions, whose key field is "key", the operator
+                        is "In", and the values array contains only "value". The requirements
+                        are ANDed.
+                      type: object
+                  type: object
+                type: array
+              peers:
+                description: Peers limits the bgppeer to advertise the ips of the
+                  selected pools to. When empty, the loadbalancer IP is announced
+                  to all the BGPPeers configured.
+                items:
+                  type: string
+                type: array
+            type: object
+          status:
+            description: BGPAdvertisementStatus defines the observed state of BGPAdvertisement.
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.7.0
+  creationTimestamp: null
+  name: bgppeers.metallb.io
+spec:
+  group: metallb.io
+  names:
+    kind: BGPPeer
+    listKind: BGPPeerList
+    plural: bgppeers
+    singular: bgppeer
+  scope: Namespaced
+  conversion:
+    strategy: Webhook
+    webhook:
+      conversionReviewVersions: ["v1beta1", "v1beta2"]
+      clientConfig:
+        # this is a valid pem format, otherwise the apiserver will reject the deletion of the crds
+        # with "unable to parse bytes as PEM block", The controller will patch it with the right content after it starts
+        caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlGWlRDQ0EwMmdBd0lCQWdJVU5GRW1XcTM3MVpKdGkrMmlSQzk1WmpBV1MxZ3dEUVlKS29aSWh2Y05BUUVMDQpCUUF3UWpFTE1Ba0dBMVVFQmhNQ1dGZ3hGVEFUQmdOVkJBY01ERVJsWm1GMWJIUWdRMmwwZVRFY01Cb0dBMVVFDQpDZ3dUUkdWbVlYVnNkQ0JEYjIxd1lXNTVJRXgwWkRBZUZ3MHlNakEzTVRrd09UTXlNek5hRncweU1qQTRNVGd3DQpPVE15TXpOYU1FSXhDekFKQmdOVkJBWVRBbGhZTVJVd0V3WURWUVFIREF4RVpXWmhkV3gwSUVOcGRIa3hIREFhDQpCZ05WQkFvTUUwUmxabUYxYkhRZ1EyOXRjR0Z1ZVNCTWRHUXdnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDDQpEd0F3Z2dJS0FvSUNBUUNxVFpxMWZRcC9vYkdlenhES0o3OVB3Ny94azJwellualNzMlkzb1ZYSm5sRmM4YjVlDQpma2ZZQnY2bndscW1keW5PL2phWFBaQmRQSS82aFdOUDBkdVhadEtWU0NCUUpyZzEyOGNXb3F0MGNTN3pLb1VpDQpvcU1tQ0QvRXVBeFFNZjhRZDF2c1gvVllkZ0poVTZBRXJLZEpIaXpFOUJtUkNkTDBGMW1OVW55Rk82UnRtWFZUDQpidkxsTDVYeTc2R0FaQVBLOFB4aVlDa0NtbDdxN0VnTWNiOXlLWldCYmlxQ3VkTXE5TGJLNmdKNzF6YkZnSXV4DQo1L1pXK2JraTB2RlplWk9ZODUxb1psckFUNzJvMDI4NHNTWW9uN0pHZVZkY3NoUnh5R1VpSFpSTzdkaXZVTDVTDQpmM2JmSDFYbWY1ZDQzT0NWTWRuUUV2NWVaOG8zeWVLa3ZrbkZQUGVJMU9BbjdGbDlFRVNNR2dhOGFaSG1URSttDQpsLzlMSmdDYjBnQmtPT0M0WnV4bWh2aERKV1EzWnJCS3pMQlNUZXN0NWlLNVlwcXRWVVk2THRyRW9FelVTK1lsDQpwWndXY2VQWHlHeHM5ZURsR3lNVmQraW15Y3NTU1UvVno2Mmx6MnZCS21NTXBkYldDQWhud0RsRTVqU2dyMjRRDQp0eGNXLys2N3d5KzhuQlI3UXdqVTFITndVRjBzeERWdEwrZ1NHVERnSEVZSlhZelYvT05zMy94TkpoVFNPSkxNDQpoeXNVdyttaGdackdhbUdXcHVIVU1DUitvTWJzMTc1UkcrQjJnUFFHVytPTjJnUTRyOXN2b0ZBNHBBQm8xd1dLDQpRYjRhY3pmeVVscElBOVFoSmFsZEY3S3dPSHVlV3gwRUNrNXg0T2tvVDBvWVp0dzFiR0JjRGtaSmF3SURBUUFCDQpvMU13VVRBZEJnTlZIUTRFRmdRVW90UlNIUm9IWTEyRFZ4R0NCdEhpb1g2ZmVFQXdId1lEVlIwakJCZ3dGb0FVDQpvdFJTSFJvSFkxMkRWeEdDQnRIaW9YNmZlRUF3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCDQpBUXNGQUFPQ0FnRUFSbkpsWWRjMTFHd0VxWnh6RDF2R3BDR2pDN2VWTlQ3aVY1d3IybXlybHdPYi9aUWFEa0xYDQpvVStaOVVXT1VlSXJTdzUydDdmQUpvVVAwSm5iYkMveVIrU1lqUGhvUXNiVHduOTc2ZldBWTduM3FMOXhCd1Y0DQphek41OXNjeUp0dlhMeUtOL2N5ak1ReDRLajBIMFg0bWJ6bzVZNUtzWWtYVU0vOEFPdWZMcEd0S1NGVGgrSEFDDQpab1Q5YnZHS25adnNHd0tYZFF0Wnh0akhaUjVqK3U3ZGtQOTJBT051RFNabS8rWVV4b2tBK09JbzdSR3BwSHNXDQo1ZTdNY0FTVXRtb1FORXd6dVFoVkJaRWQ1OGtKYjUrV0VWbGNzanlXNnRTbzErZ25tTWNqR1BsMWgxR2hVbjV4DQpFY0lWRnBIWXM5YWo1NmpBSjk1MVQvZjhMaWxmTlVnanBLQ0c1bnl0SUt3emxhOHNtdGlPdm1UNEpYbXBwSkI2DQo4bmdHRVluVjUrUTYwWFJ2OEhSSGp1VG9CRHVhaERrVDA2R1JGODU1d09FR2V4bkZpMXZYWUxLVllWb1V2MXRKDQo4dVdUR1pwNllDSVJldlBqbzg5ZytWTlJSaVFYUThJd0dybXE5c0RoVTlqTjA0SjdVL1RvRDFpNHE3VnlsRUc5DQorV1VGNkNLaEdBeTJIaEhwVncyTGFoOS9lUzdZMUZ1YURrWmhPZG1laG1BOCtqdHNZamJadnR5Mm1SWlF0UUZzDQpUU1VUUjREbUR2bVVPRVRmeStpRHdzK2RkWXVNTnJGeVVYV2dkMnpBQU4ydVl1UHFGY2pRcFNPODFzVTJTU3R3DQoxVzAyeUtYOGJEYmZFdjBzbUh3UzliQnFlSGo5NEM1Mjg0YXpsdTBmaUdpTm1OUEM4ckJLRmhBPQ0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
+        service:
+          namespace: {{ .Release.Namespace }}
+          name: metallb-webhook-service
+          path: /convert
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: BGPPeer is the Schema for the peers API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: BGPPeerSpec defines the desired state of Peer.
+            properties:
+              bfdProfile:
+                type: string
+              ebgpMultiHop:
+                description: EBGP peer is multi-hops away
+                type: boolean
+              holdTime:
+                description: Requested BGP hold time, per RFC4271.
+                type: string
+              keepaliveTime:
+                description: Requested BGP keepalive time, per RFC4271.
+                type: string
+              myASN:
+                description: AS number to use for the local end of the session.
+                format: int32
+                maximum: 4294967295
+                minimum: 0
+                type: integer
+              nodeSelectors:
+                description: Only connect to this peer on nodes that match one of
+                  these selectors.
+                items:
+                  properties:
+                    matchExpressions:
+                      items:
+                        properties:
+                          key:
+                            type: string
+                          operator:
+                            type: string
+                          values:
+                            items:
+                              type: string
+                            minItems: 1
+                            type: array
+                        required:
+                        - key
+                        - operator
+                        - values
+                        type: object
+                      type: array
+                    matchLabels:
+                      additionalProperties:
+                        type: string
+                      type: object
+                  type: object
+                type: array
+              password:
+                description: Authentication password for routers enforcing TCP MD5
+                  authenticated sessions
+                type: string
+              peerASN:
+                description: AS number to expect from the remote end of the session.
+                format: int32
+                maximum: 4294967295
+                minimum: 0
+                type: integer
+              peerAddress:
+                description: Address to dial when establishing the session.
+                type: string
+              peerPort:
+                description: Port to dial when establishing the session.
+                maximum: 16384
+                minimum: 0
+                type: integer
+              routerID:
+                description: BGP router ID to advertise to the peer
+                type: string
+              sourceAddress:
+                description: Source address to use when establishing the session.
+                type: string
+            required:
+            - myASN
+            - peerASN
+            - peerAddress
+            type: object
+          status:
+            description: BGPPeerStatus defines the observed state of Peer.
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - name: v1beta2
+    schema:
+      openAPIV3Schema:
+        description: BGPPeer is the Schema for the peers API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: BGPPeerSpec defines the desired state of Peer.
+            properties:
+              bfdProfile:
+                description: The name of the BFD Profile to be used for the BFD session
+                  associated to the BGP session. If not set, the BFD session won't
+                  be set up.
+                type: string
+              ebgpMultiHop:
+                description: To set if the BGPPeer is multi-hops away. Needed for
+                  FRR mode only.
+                type: boolean
+              holdTime:
+                description: Requested BGP hold time, per RFC4271.
+                type: string
+              keepaliveTime:
+                description: Requested BGP keepalive time, per RFC4271.
+                type: string
+              myASN:
+                description: AS number to use for the local end of the session.
+                format: int32
+                maximum: 4294967295
+                minimum: 0
+                type: integer
+              nodeSelectors:
+                description: Only connect to this peer on nodes that match one of
+                  these selectors.
+                items:
+                  description: A label selector is a label query over a set of resources.
+                    The result of matchLabels and matchExpressions are ANDed. An empty
+                    label selector matches all objects. A null label selector matches
+                    no objects.
+                  properties:
+                    matchExpressions:
+                      description: matchExpressions is a list of label selector requirements.
+                        The requirements are ANDed.
+                      items:
+                        description: A label selector requirement is a selector that
+                          contains values, a key, and an operator that relates the
+                          key and values.
+                        properties:
+                          key:
+                            description: key is the label key that the selector applies
+                              to.
+                            type: string
+                          operator:
+                            description: operator represents a key's relationship
+                              to a set of values. Valid operators are In, NotIn, Exists
+                              and DoesNotExist.
+                            type: string
+                          values:
+                            description: values is an array of string values. If the
+                              operator is In or NotIn, the values array must be non-empty.
+                              If the operator is Exists or DoesNotExist, the values
+                              array must be empty. This array is replaced during a
+                              strategic merge patch.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - key
+                        - operator
+                        type: object
+                      type: array
+                    matchLabels:
+                      additionalProperties:
+                        type: string
+                      description: matchLabels is a map of {key,value} pairs. A single
+                        {key,value} in the matchLabels map is equivalent to an element
+                        of matchExpressions, whose key field is "key", the operator
+                        is "In", and the values array contains only "value". The requirements
+                        are ANDed.
+                      type: object
+                  type: object
+                type: array
+              password:
+                description: Authentication password for routers enforcing TCP MD5
+                  authenticated sessions
+                type: string
+              passwordSecret:
+                description: passwordSecret is name of the authentication secret for
+                  BGP Peer. the secret must be of type "kubernetes.io/basic-auth",
+                  and created in the same namespace as the MetalLB deployment. The
+                  password is stored in the secret as the key "password".
+                properties:
+                  name:
+                    description: Name is unique within a namespace to reference a
+                      secret resource.
+                    type: string
+                  namespace:
+                    description: Namespace defines the space within which the secret
+                      name must be unique.
+                    type: string
+                type: object
+              peerASN:
+                description: AS number to expect from the remote end of the session.
+                format: int32
+                maximum: 4294967295
+                minimum: 0
+                type: integer
+              peerAddress:
+                description: Address to dial when establishing the session.
+                type: string
+              peerPort:
+                default: 179
+                description: Port to dial when establishing the session.
+                maximum: 16384
+                minimum: 0
+                type: integer
+              routerID:
+                description: BGP router ID to advertise to the peer
+                type: string
+              sourceAddress:
+                description: Source address to use when establishing the session.
+                type: string
+              vrf:
+                description: To set if we want to peer with the BGPPeer using an interface
+                  belonging to a host vrf
+                type: string
+            required:
+            - myASN
+            - peerASN
+            - peerAddress
+            type: object
+          status:
+            description: BGPPeerStatus defines the observed state of Peer.
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.7.0
+  creationTimestamp: null
+  name: ipaddresspools.metallb.io
+spec:
+  group: metallb.io
+  names:
+    kind: IPAddressPool
+    listKind: IPAddressPoolList
+    plural: ipaddresspools
+    singular: ipaddresspool
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: IPAddressPool represents a pool of IP addresses that can be allocated
+          to LoadBalancer services.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: IPAddressPoolSpec defines the desired state of IPAddressPool.
+            properties:
+              addresses:
+                description: A list of IP address ranges over which MetalLB has authority.
+                  You can list multiple ranges in a single pool, they will all share
+                  the same settings. Each range can be either a CIDR prefix, or an
+                  explicit start-end range of IPs.
+                items:
+                  type: string
+                type: array
+              autoAssign:
+                default: true
+                description: AutoAssign flag used to prevent MetallB from automatic
+                  allocation for a pool.
+                type: boolean
+              avoidBuggyIPs:
+                default: false
+                description: AvoidBuggyIPs prevents addresses ending with .0 and .255
+                  to be used by a pool.
+                type: boolean
+              serviceAllocation:
+                description: AllocateTo makes ip pool allocation to specific namespace
+                  and/or service. The controller will use the pool with lowest value
+                  of priority in case of multiple matches. A pool with no priority
+                  set will be used only if the pools with priority can't be used.
+                  If multiple matching IPAddressPools are available it will check
+                  for the availability of IPs sorting the matching IPAddressPools
+                  by priority, starting from the highest to the lowest. If multiple
+                  IPAddressPools have the same priority, choice will be random.
+                properties:
+                  namespaceSelectors:
+                    description: NamespaceSelectors list of label selectors to select
+                      namespace(s) for ip pool, an alternative to using namespace
+                      list.
+                    items:
+                      description: A label selector is a label query over a set of
+                        resources. The result of matchLabels and matchExpressions
+                        are ANDed. An empty label selector matches all objects. A
+                        null label selector matches no objects.
+                      properties:
+                        matchExpressions:
+                          description: matchExpressions is a list of label selector
+                            requirements. The requirements are ANDed.
+                          items:
+                            description: A label selector requirement is a selector
+                              that contains values, a key, and an operator that relates
+                              the key and values.
+                            properties:
+                              key:
+                                description: key is the label key that the selector
+                                  applies to.
+                                type: string
+                              operator:
+                                description: operator represents a key's relationship
+                                  to a set of values. Valid operators are In, NotIn,
+                                  Exists and DoesNotExist.
+                                type: string
+                              values:
+                                description: values is an array of string values.
+                                  If the operator is In or NotIn, the values array
+                                  must be non-empty. If the operator is Exists or
+                                  DoesNotExist, the values array must be empty. This
+                                  array is replaced during a strategic merge patch.
+                                items:
+                                  type: string
+                                type: array
+                            required:
+                            - key
+                            - operator
+                            type: object
+                          type: array
+                        matchLabels:
+                          additionalProperties:
+                            type: string
+                          description: matchLabels is a map of {key,value} pairs.
+                            A single {key,value} in the matchLabels map is equivalent
+                            to an element of matchExpressions, whose key field is
+                            "key", the operator is "In", and the values array contains
+                            only "value". The requirements are ANDed.
+                          type: object
+                      type: object
+                    type: array
+                  namespaces:
+                    description: Namespaces list of namespace(s) on which ip pool
+                      can be attached.
+                    items:
+                      type: string
+                    type: array
+                  priority:
+                    description: Priority priority given for ip pool while ip allocation
+                      on a service.
+                    type: integer
+                  serviceSelectors:
+                    description: ServiceSelectors list of label selector to select
+                      service(s) for which ip pool can be used for ip allocation.
+                    items:
+                      description: A label selector is a label query over a set of
+                        resources. The result of matchLabels and matchExpressions
+                        are ANDed. An empty label selector matches all objects. A
+                        null label selector matches no objects.
+                      properties:
+                        matchExpressions:
+                          description: matchExpressions is a list of label selector
+                            requirements. The requirements are ANDed.
+                          items:
+                            description: A label selector requirement is a selector
+                              that contains values, a key, and an operator that relates
+                              the key and values.
+                            properties:
+                              key:
+                                description: key is the label key that the selector
+                                  applies to.
+                                type: string
+                              operator:
+                                description: operator represents a key's relationship
+                                  to a set of values. Valid operators are In, NotIn,
+                                  Exists and DoesNotExist.
+                                type: string
+                              values:
+                                description: values is an array of string values.
+                                  If the operator is In or NotIn, the values array
+                                  must be non-empty. If the operator is Exists or
+                                  DoesNotExist, the values array must be empty. This
+                                  array is replaced during a strategic merge patch.
+                                items:
+                                  type: string
+                                type: array
+                            required:
+                            - key
+                            - operator
+                            type: object
+                          type: array
+                        matchLabels:
+                          additionalProperties:
+                            type: string
+                          description: matchLabels is a map of {key,value} pairs.
+                            A single {key,value} in the matchLabels map is equivalent
+                            to an element of matchExpressions, whose key field is
+                            "key", the operator is "In", and the values array contains
+                            only "value". The requirements are ANDed.
+                          type: object
+                      type: object
+                    type: array
+                type: object
+            required:
+            - addresses
+            type: object
+          status:
+            description: IPAddressPoolStatus defines the observed state of IPAddressPool.
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.7.0
+  creationTimestamp: null
+  name: l2advertisements.metallb.io
+spec:
+  group: metallb.io
+  names:
+    kind: L2Advertisement
+    listKind: L2AdvertisementList
+    plural: l2advertisements
+    singular: l2advertisement
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: L2Advertisement allows to advertise the LoadBalancer IPs provided
+          by the selected pools via L2.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: L2AdvertisementSpec defines the desired state of L2Advertisement.
+            properties:
+              interfaces:
+                description: A list of interfaces to announce from. The LB IP will
+                  be announced only from these interfaces. If the field is not set,
+                  we advertise from all the interfaces on the host.
+                items:
+                  type: string
+                type: array
+              ipAddressPoolSelectors:
+                description: A selector for the IPAddressPools which would get advertised
+                  via this advertisement. If no IPAddressPool is selected by this
+                  or by the list, the advertisement is applied to all the IPAddressPools.
+                items:
+                  description: A label selector is a label query over a set of resources.
+                    The result of matchLabels and matchExpressions are ANDed. An empty
+                    label selector matches all objects. A null label selector matches
+                    no objects.
+                  properties:
+                    matchExpressions:
+                      description: matchExpressions is a list of label selector requirements.
+                        The requirements are ANDed.
+                      items:
+                        description: A label selector requirement is a selector that
+                          contains values, a key, and an operator that relates the
+                          key and values.
+                        properties:
+                          key:
+                            description: key is the label key that the selector applies
+                              to.
+                            type: string
+                          operator:
+                            description: operator represents a key's relationship
+                              to a set of values. Valid operators are In, NotIn, Exists
+                              and DoesNotExist.
+                            type: string
+                          values:
+                            description: values is an array of string values. If the
+                              operator is In or NotIn, the values array must be non-empty.
+                              If the operator is Exists or DoesNotExist, the values
+                              array must be empty. This array is replaced during a
+                              strategic merge patch.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - key
+                        - operator
+                        type: object
+                      type: array
+                    matchLabels:
+                      additionalProperties:
+                        type: string
+                      description: matchLabels is a map of {key,value} pairs. A single
+                        {key,value} in the matchLabels map is equivalent to an element
+                        of matchExpressions, whose key field is "key", the operator
+                        is "In", and the values array contains only "value". The requirements
+                        are ANDed.
+                      type: object
+                  type: object
+                type: array
+              ipAddressPools:
+                description: The list of IPAddressPools to advertise via this advertisement,
+                  selected by name.
+                items:
+                  type: string
+                type: array
+              nodeSelectors:
+                description: NodeSelectors allows to limit the nodes to announce as
+                  next hops for the LoadBalancer IP. When empty, all the nodes having  are
+                  announced as next hops.
+                items:
+                  description: A label selector is a label query over a set of resources.
+                    The result of matchLabels and matchExpressions are ANDed. An empty
+                    label selector matches all objects. A null label selector matches
+                    no objects.
+                  properties:
+                    matchExpressions:
+                      description: matchExpressions is a list of label selector requirements.
+                        The requirements are ANDed.
+                      items:
+                        description: A label selector requirement is a selector that
+                          contains values, a key, and an operator that relates the
+                          key and values.
+                        properties:
+                          key:
+                            description: key is the label key that the selector applies
+                              to.
+                            type: string
+                          operator:
+                            description: operator represents a key's relationship
+                              to a set of values. Valid operators are In, NotIn, Exists
+                              and DoesNotExist.
+                            type: string
+                          values:
+                            description: values is an array of string values. If the
+                              operator is In or NotIn, the values array must be non-empty.
+                              If the operator is Exists or DoesNotExist, the values
+                              array must be empty. This array is replaced during a
+                              strategic merge patch.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - key
+                        - operator
+                        type: object
+                      type: array
+                    matchLabels:
+                      additionalProperties:
+                        type: string
+                      description: matchLabels is a map of {key,value} pairs. A single
+                        {key,value} in the matchLabels map is equivalent to an element
+                        of matchExpressions, whose key field is "key", the operator
+                        is "In", and the values array contains only "value". The requirements
+                        are ANDed.
+                      type: object
+                  type: object
+                type: array
+            type: object
+          status:
+            description: L2AdvertisementStatus defines the observed state of L2Advertisement.
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.7.0
+  creationTimestamp: null
+  name: communities.metallb.io
+spec:
+  group: metallb.io
+  names:
+    kind: Community
+    listKind: CommunityList
+    plural: communities
+    singular: community
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: Community is a collection of aliases for communities. Users can
+          define named aliases to be used in the BGPPeer CRD.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: CommunitySpec defines the desired state of Community.
+            properties:
+              communities:
+                items:
+                  properties:
+                    name:
+                      description: The name of the alias for the community.
+                      type: string
+                    value:
+                      description: The BGP community value corresponding to the given
+                        name.
+                      type: string
+                  type: object
+                type: array
+            type: object
+          status:
+            description: CommunityStatus defines the observed state of Community.
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
diff --git a/charts/metallb/policy/controller.rego b/charts/metallb/policy/controller.rego
new file mode 100644
index 00000000..716eeb7a
--- /dev/null
+++ b/charts/metallb/policy/controller.rego
@@ -0,0 +1,16 @@
+package main
+
+# validate serviceAccountName
+deny[msg] {
+  input.kind == "Deployment"
+  serviceAccountName := input.spec.template.spec.serviceAccountName
+  not serviceAccountName == "RELEASE-NAME-metallb-controller"
+  msg = sprintf("controller serviceAccountName '%s' does not match expected value", [serviceAccountName])
+}
+
+# validate node selector includes builtin when custom ones are provided
+deny[msg] {
+  input.kind == "Deployment"
+  not input.spec.template.spec.nodeSelector["kubernetes.io/os"] == "linux"
+  msg = "controller nodeSelector does not include '\"kubernetes.io/os\": linux'"
+}
diff --git a/charts/metallb/policy/rbac.rego b/charts/metallb/policy/rbac.rego
new file mode 100644
index 00000000..047345eb
--- /dev/null
+++ b/charts/metallb/policy/rbac.rego
@@ -0,0 +1,27 @@
+package main
+
+# Validate PSP exists in ClusterRole :controller
+deny[msg] {
+  input.kind == "ClusterRole"
+  input.metadata.name == "metallb:controller"
+  input.rules[3] == {
+	"apiGroups": ["policy"],
+	"resources": ["podsecuritypolicies"],
+	"resourceNames": ["metallb-controller"],
+	"verbs": ["use"]
+  }
+  msg = "ClusterRole metallb:controller does not include PSP rule"
+}
+
+# Validate PSP exists in ClusterRole :speaker
+deny[msg] {
+  input.kind == "ClusterRole"
+  input.metadata.name == "metallb:speaker"
+  input.rules[3] == {
+	"apiGroups": ["policy"],
+	"resources": ["podsecuritypolicies"],
+	"resourceNames": ["metallb-controller"],
+	"verbs": ["use"]
+  }
+  msg = "ClusterRole metallb:speaker does not include PSP rule"
+}
diff --git a/charts/metallb/policy/speaker.rego b/charts/metallb/policy/speaker.rego
new file mode 100644
index 00000000..d4d8137f
--- /dev/null
+++ b/charts/metallb/policy/speaker.rego
@@ -0,0 +1,30 @@
+package main
+
+# validate serviceAccountName
+deny[msg] {
+  input.kind == "DaemonSet"
+  serviceAccountName := input.spec.template.spec.serviceAccountName
+  not serviceAccountName == "RELEASE-NAME-metallb-speaker"
+  msg = sprintf("speaker serviceAccountName '%s' does not match expected value", [serviceAccountName])
+}
+
+# validate METALLB_ML_SECRET_KEY (memberlist)
+deny[msg] {
+	input.kind == "DaemonSet"
+	not input.spec.template.spec.containers[0].env[5].name == "METALLB_ML_SECRET_KEY_PATH"
+	msg = "speaker env does not contain METALLB_ML_SECRET_KEY_PATH at env[5]"
+}
+
+# validate node selector includes builtin when custom ones are provided
+deny[msg] {
+  input.kind == "DaemonSet"
+  not input.spec.template.spec.nodeSelector["kubernetes.io/os"] == "linux"
+  msg = "controller nodeSelector does not include '\"kubernetes.io/os\": linux'"
+}
+
+# validate tolerations include the builtins when custom ones are provided
+deny[msg] {
+  input.kind == "DaemonSet"
+  not input.spec.template.spec.tolerations[0] == { "key": "node-role.kubernetes.io/master", "effect": "NoSchedule", "operator": "Exists" }
+  msg = "controller tolerations does not include node-role.kubernetes.io/master:NoSchedule"
+}
diff --git a/charts/metallb/templates/NOTES.txt b/charts/metallb/templates/NOTES.txt
new file mode 100644
index 00000000..23d1d5bc
--- /dev/null
+++ b/charts/metallb/templates/NOTES.txt
@@ -0,0 +1,4 @@
+MetalLB is now running in the cluster.
+
+Now you can configure it via its CRs. Please refer to the metallb official docs
+on how to use the CRs.
diff --git a/charts/metallb/templates/_helpers.tpl b/charts/metallb/templates/_helpers.tpl
new file mode 100644
index 00000000..53d9528d
--- /dev/null
+++ b/charts/metallb/templates/_helpers.tpl
@@ -0,0 +1,113 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "metallb.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "metallb.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "metallb.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "metallb.labels" -}}
+helm.sh/chart: {{ include "metallb.chart" . }}
+{{ include "metallb.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "metallb.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "metallb.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the controller service account to use
+*/}}
+{{- define "metallb.controller.serviceAccountName" -}}
+{{- if .Values.controller.serviceAccount.create }}
+{{- default (printf "%s-controller" (include "metallb.fullname" .)) .Values.controller.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.controller.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the speaker service account to use
+*/}}
+{{- define "metallb.speaker.serviceAccountName" -}}
+{{- if .Values.speaker.serviceAccount.create }}
+{{- default (printf "%s-speaker" (include "metallb.fullname" .)) .Values.speaker.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.speaker.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the settings Secret to use.
+*/}}
+{{- define "metallb.secretName" -}}
+    {{ default ( printf "%s-memberlist" (include "metallb.fullname" .)) .Values.speaker.secretName | trunc 63 | trimSuffix "-" }}
+{{- end -}}
+
+{{- define "metrics.exposedportname" -}}
+{{- if .Values.prometheus.secureMetricsPort -}}
+"metricshttps"
+{{- else -}}
+"metrics"
+{{- end -}}
+{{- end -}}
+
+{{- define "metrics.exposedfrrportname" -}}
+{{- if .Values.speaker.frr.secureMetricsPort -}}
+"frrmetricshttps"
+{{- else -}}
+"frrmetrics"
+{{- end }}
+{{- end }}
+
+{{- define "metrics.exposedport" -}}
+{{- if .Values.prometheus.secureMetricsPort -}}
+{{ .Values.prometheus.secureMetricsPort }}
+{{- else -}}
+{{ .Values.prometheus.metricsPort }}
+{{- end -}}
+{{- end }}
+
+{{- define "metrics.exposedfrrport" -}}
+{{- if .Values.speaker.frr.secureMetricsPort -}}
+{{ .Values.speaker.frr.secureMetricsPort }}
+{{- else -}}
+{{ .Values.speaker.frr.metricsPort }}
+{{- end }}
+{{- end }}
diff --git a/charts/metallb/templates/controller.yaml b/charts/metallb/templates/controller.yaml
new file mode 100644
index 00000000..5ba71891
--- /dev/null
+++ b/charts/metallb/templates/controller.yaml
@@ -0,0 +1,181 @@
+{{- if .Values.controller.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "metallb.fullname" . }}-controller
+  labels:
+    {{- include "metallb.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+    {{- range $key, $value := .Values.controller.labels }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+spec:
+  {{- if .Values.controller.strategy }}
+  strategy: {{- toYaml .Values.controller.strategy | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "metallb.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: controller
+  template:
+    metadata:
+      {{- if or .Values.prometheus.scrapeAnnotations .Values.controller.podAnnotations }}
+      annotations:
+        {{- if .Values.prometheus.scrapeAnnotations }}
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "{{ .Values.prometheus.metricsPort }}"
+        {{- end }}
+        {{- with .Values.controller.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- end }}
+      labels:
+        {{- include "metallb.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: controller
+        {{- range $key, $value := .Values.controller.labels }}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
+    spec:
+      {{- with .Values.controller.runtimeClassName }}
+      runtimeClassName: {{ . | quote }}
+      {{- end }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ template "metallb.controller.serviceAccountName" . }}
+      terminationGracePeriodSeconds: 0
+{{- if .Values.controller.securityContext }}
+      securityContext:
+{{ toYaml .Values.controller.securityContext | indent 8 }}
+{{- end }}
+      containers:
+      - name: controller
+        image: {{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}
+        {{- if .Values.controller.image.pullPolicy }}
+        imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
+        {{- end }}
+        {{- if .Values.controller.command }}
+        command:
+          - {{ .Values.controller.command }}
+        {{- end }}
+        args:
+        - --port={{ .Values.prometheus.metricsPort }}
+        {{- with .Values.controller.logLevel }}
+        - --log-level={{ . }}
+        {{- end }}
+        - --cert-service-name=metallb-webhook-service
+        {{- if .Values.loadBalancerClass }}
+        - --lb-class={{ .Values.loadBalancerClass }}
+        {{- end }}
+        {{- if .Values.controller.webhookMode }}
+        - --webhook-mode={{ .Values.controller.webhookMode }}
+        {{- end }}
+        env:
+        {{- if and .Values.speaker.enabled .Values.speaker.memberlist.enabled }}
+        - name: METALLB_ML_SECRET_NAME
+          value: {{ include "metallb.secretName" . }}
+        - name: METALLB_DEPLOYMENT
+          value: {{ template "metallb.fullname" . }}-controller
+        {{- end }}
+        {{- if .Values.speaker.frr.enabled }}
+        - name: METALLB_BGP_TYPE
+          value: frr
+        {{- end }}
+        ports:
+        - name: monitoring
+          containerPort: {{ .Values.prometheus.metricsPort }}
+        - containerPort: 9443
+          name: webhook-server
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
+        {{- if .Values.controller.livenessProbe.enabled }}
+        livenessProbe:
+          httpGet:
+            path: /metrics
+            port: monitoring
+          initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.controller.livenessProbe.successThreshold }}
+          failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }}
+        {{- end }}
+        {{- if .Values.controller.readinessProbe.enabled }}
+        readinessProbe:
+          httpGet:
+            path: /metrics
+            port: monitoring
+          initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.controller.readinessProbe.successThreshold }}
+          failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
+        {{- end }}
+        {{- with .Values.controller.resources }}
+        resources:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+            - ALL
+      {{- if .Values.prometheus.secureMetricsPort }}
+      - name: kube-rbac-proxy
+        image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag }}
+        imagePullPolicy: {{ .Values.prometheus.rbacProxy.pullPolicy }}
+        args:
+          - --logtostderr
+          - --secure-listen-address=:{{ .Values.prometheus.secureMetricsPort }}
+          - --upstream=http://127.0.0.1:{{ .Values.prometheus.metricsPort }}/
+          - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+        {{- if .Values.prometheus.controllerMetricsTLSSecret }}
+          - --tls-private-key-file=/etc/metrics/tls.key
+          - --tls-cert-file=/etc/metrics/tls.crt
+        {{- end }}
+        ports:
+          - containerPort: {{ .Values.prometheus.secureMetricsPort }}
+            name: metricshttps
+        resources:
+          requests:
+            cpu: 10m
+            memory: 20Mi
+        terminationMessagePolicy: FallbackToLogsOnError
+        {{- if .Values.prometheus.controllerMetricsTLSSecret }}
+        volumeMounts:
+          - name: metrics-certs
+            mountPath: /etc/metrics
+            readOnly: true
+        {{- end }}
+      {{ end }}
+      nodeSelector:
+        "kubernetes.io/os": linux
+        {{- with .Values.controller.nodeSelector }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.controller.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.controller.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      {{- with .Values.controller.priorityClassName }}
+      priorityClassName: {{ . | quote }}
+      {{- end }}
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: webhook-server-cert
+      {{- if .Values.prometheus.controllerMetricsTLSSecret }}
+      - name: metrics-certs
+        secret:
+          secretName: {{ .Values.prometheus.controllerMetricsTLSSecret }}
+      {{- end }}
+{{- end }}
diff --git a/charts/metallb/templates/deprecated_configInline.yaml b/charts/metallb/templates/deprecated_configInline.yaml
new file mode 100644
index 00000000..8a1a551c
--- /dev/null
+++ b/charts/metallb/templates/deprecated_configInline.yaml
@@ -0,0 +1,3 @@
+{{- if .Values.configInline }}
+{{- fail "Starting from v0.13.0 configInline is no longer supported. Please see https://metallb.universe.tf/#backward-compatibility" }}
+{{- end }}
diff --git a/charts/metallb/templates/exclude-l2-config.yaml b/charts/metallb/templates/exclude-l2-config.yaml
new file mode 100644
index 00000000..7cc2ff34
--- /dev/null
+++ b/charts/metallb/templates/exclude-l2-config.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.speaker.excludeInterfaces.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: metallb-excludel2
+data:
+  excludel2.yaml: |
+    announcedInterfacesToExclude:
+    - docker.*
+    - cbr.*
+    - dummy.*
+    - virbr.*
+    - lxcbr.*
+    - veth.*
+    - lo
+    - ^cali.*
+    - ^tunl.*
+    - flannel.*
+    - kube-ipvs.*
+    - cni.*
+    - ^nodelocaldns.*
+{{- end }}
\ No newline at end of file
diff --git a/charts/metallb/templates/podmonitor.yaml b/charts/metallb/templates/podmonitor.yaml
new file mode 100644
index 00000000..93a7fd69
--- /dev/null
+++ b/charts/metallb/templates/podmonitor.yaml
@@ -0,0 +1,106 @@
+{{- if .Values.prometheus.podMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: {{ template "metallb.fullname" . }}-controller
+  labels:
+    {{- include "metallb.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+    {{- if .Values.prometheus.podMonitor.additionalLabels }}
+{{ toYaml .Values.prometheus.podMonitor.additionalLabels | indent 4 }}
+    {{- end }}
+  {{- if .Values.prometheus.podMonitor.annotations }}
+  annotations:
+{{ toYaml .Values.prometheus.podMonitor.annotations | indent 4 }}
+  {{- end }}
+spec:
+  jobLabel: {{ .Values.prometheus.podMonitor.jobLabel | quote }}
+  selector:
+    matchLabels:
+      {{- include "metallb.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: controller
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace }}
+  podMetricsEndpoints:
+  - port: monitoring
+    path: /metrics
+    {{- if .Values.prometheus.podMonitor.interval }}
+    interval: {{ .Values.prometheus.podMonitor.interval }}
+    {{- end }}
+{{- if .Values.prometheus.podMonitor.metricRelabelings }}
+    metricRelabelings:
+{{- toYaml .Values.prometheus.podMonitor.metricRelabelings | nindent 4 }}
+{{- end }}
+{{- if .Values.prometheus.podMonitor.relabelings }}
+    relabelings:
+{{- toYaml .Values.prometheus.podMonitor.relabelings | nindent 4 }}
+{{- end }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: {{ template "metallb.fullname" . }}-speaker
+  labels:
+    {{- include "metallb.labels" . | nindent 4 }}
+    app.kubernetes.io/component: speaker
+    {{- if .Values.prometheus.podMonitor.additionalLabels }}
+{{ toYaml .Values.prometheus.podMonitor.additionalLabels | indent 4 }}
+    {{- end }}
+  {{- if .Values.prometheus.podMonitor.annotations }}
+  annotations:
+{{ toYaml .Values.prometheus.podMonitor.annotations | indent 4 }}
+  {{- end }}
+spec:
+  jobLabel: {{ .Values.prometheus.podMonitor.jobLabel | quote }}
+  selector:
+    matchLabels:
+      {{- include "metallb.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: speaker
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace }}
+  podMetricsEndpoints:
+  - port: monitoring
+    path: /metrics
+    {{- if .Values.prometheus.podMonitor.interval }}
+    interval: {{ .Values.prometheus.podMonitor.interval }}
+    {{- end }}
+{{- if .Values.prometheus.podMonitor.metricRelabelings }}
+    metricRelabelings:
+{{- toYaml .Values.prometheus.podMonitor.metricRelabelings | nindent 4 }}
+{{- end }}
+{{- if .Values.prometheus.podMonitor.relabelings }}
+    relabelings:
+{{- toYaml .Values.prometheus.podMonitor.relabelings | nindent 4 }}
+{{- end }}
+---
+{{- if .Values.prometheus.rbacPrometheus }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "metallb.fullname" . }}-prometheus
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "metallb.fullname" . }}-prometheus
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "metallb.fullname" . }}-prometheus
+subjects:
+  - kind: ServiceAccount
+    name: {{ required ".Values.prometheus.serviceAccount must be defined when .Values.prometheus.podMonitor.enabled == true" .Values.prometheus.serviceAccount }}
+    namespace: {{ required ".Values.prometheus.namespace must be defined when .Values.prometheus.podMonitor.enabled == true" .Values.prometheus.namespace }}
+{{- end }}
+{{- end }}
diff --git a/charts/metallb/templates/prometheusrules.yaml b/charts/metallb/templates/prometheusrules.yaml
new file mode 100644
index 00000000..463aacaf
--- /dev/null
+++ b/charts/metallb/templates/prometheusrules.yaml
@@ -0,0 +1,84 @@
+{{- if .Values.prometheus.prometheusRule.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ template "metallb.fullname" . }}
+  labels:
+    {{- include "metallb.labels" . | nindent 4 }}
+    {{- if .Values.prometheus.prometheusRule.additionalLabels }}
+{{ toYaml .Values.prometheus.prometheusRule.additionalLabels | indent 4 }}
+    {{- end }}
+  {{- if .Values.prometheus.prometheusRule.annotations }}
+  annotations:
+{{ toYaml .Values.prometheus.prometheusRule.annotations | indent 4 }}
+  {{- end }}
+spec:
+  groups:
+  - name: {{ template "metallb.fullname" . }}.rules
+    rules:
+    {{- if .Values.prometheus.prometheusRule.staleConfig.enabled }}
+    - alert: MetalLBStaleConfig
+      annotations:
+        message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod
+          }} has a stale config for > 1 minute'`}}
+      expr: metallb_k8s_client_config_stale_bool{job="{{ include "metallb.name" . }}"} == 1
+      for: 1m
+      {{- with .Values.prometheus.prometheusRule.staleConfig.labels }}
+      labels:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
+    {{- if .Values.prometheus.prometheusRule.configNotLoaded.enabled }}
+    - alert: MetalLBConfigNotLoaded
+      annotations:
+        message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod
+          }} has not loaded for > 1 minute'`}}
+      expr: metallb_k8s_client_config_loaded_bool{job="{{ include "metallb.name" . }}"} == 0
+      for: 1m
+      {{- with .Values.prometheus.prometheusRule.configNotLoaded.labels }}
+      labels:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
+    {{- if .Values.prometheus.prometheusRule.addressPoolExhausted.enabled }}
+    - alert: MetalLBAddressPoolExhausted
+      annotations:
+        message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod
+          }} has exhausted address pool {{ $labels.pool }} for > 1 minute'`}}
+      expr: metallb_allocator_addresses_in_use_total >= on(pool) metallb_allocator_addresses_total
+      for: 1m
+      {{- with .Values.prometheus.prometheusRule.addressPoolExhausted.labels }}
+      labels:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
+
+    {{- if .Values.prometheus.prometheusRule.addressPoolUsage.enabled }}
+    {{- range .Values.prometheus.prometheusRule.addressPoolUsage.thresholds }}
+    - alert: MetalLBAddressPoolUsage{{ .percent }}Percent
+      annotations:
+        message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod
+          }} has address pool {{ $labels.pool }} past `}}{{ .percent }}{{`% usage for > 1 minute'`}}
+      expr: ( metallb_allocator_addresses_in_use_total / on(pool) metallb_allocator_addresses_total ) * 100 > {{ .percent }}
+      {{- with .labels }}
+      labels:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
+    {{- end }}
+    {{- if .Values.prometheus.prometheusRule.bgpSessionDown.enabled }}
+    - alert: MetalLBBGPSessionDown
+      annotations:
+        message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod
+          }} has BGP session {{ $labels.peer }} down for > 1 minute'`}}
+      expr: metallb_bgp_session_up{job="{{ include "metallb.name" . }}"} == 0
+      for: 1m
+      {{- with .Values.prometheus.prometheusRule.bgpSessionDown.labels }}
+      labels:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
+    {{- with .Values.prometheus.prometheusRule.extraAlerts }}
+    {{- toYaml . | nindent 4 }}
+    {{- end}}
+{{- end }}
diff --git a/charts/metallb/templates/rbac.yaml b/charts/metallb/templates/rbac.yaml
new file mode 100644
index 00000000..6a38304b
--- /dev/null
+++ b/charts/metallb/templates/rbac.yaml
@@ -0,0 +1,206 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "metallb.fullname" . }}:controller
+  labels:
+    {{- include "metallb.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["services", "namespaces"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["list"]
+- apiGroups: [""]
+  resources: ["services/status"]
+  verbs: ["update"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create", "patch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+  resourceNames: ["metallb-webhook-configuration"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+  verbs: ["list", "watch"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  resourceNames: ["addresspools.metallb.io","bfdprofiles.metallb.io","bgpadvertisements.metallb.io",
+    "bgppeers.metallb.io","ipaddresspools.metallb.io","l2advertisements.metallb.io","communities.metallb.io"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["list", "watch"]
+{{- if .Values.prometheus.secureMetricsPort }}
+- apiGroups: ["authentication.k8s.io"]
+  resources: ["tokenreviews"]
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources: ["subjectaccessreviews"]
+  verbs: ["create"]
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "metallb.fullname" . }}:speaker
+  labels:
+    {{- include "metallb.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["services", "endpoints", "nodes", "namespaces"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["discovery.k8s.io"]
+  resources: ["endpointslices"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create", "patch"]
+{{- if .Values.prometheus.secureMetricsPort }}
+- apiGroups: ["authentication.k8s.io"]
+  resources: ["tokenreviews"]
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources: ["subjectaccessreviews"]
+  verbs: ["create"]
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "metallb.fullname" . }}-pod-lister
+  labels: {{- include "metallb.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["list"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["metallb.io"]
+  resources: ["addresspools"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["metallb.io"]
+  resources: ["bfdprofiles"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["metallb.io"]
+  resources: ["bgppeers"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["metallb.io"]
+  resources: ["l2advertisements"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["metallb.io"]
+  resources: ["bgpadvertisements"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["metallb.io"]
+  resources: ["ipaddresspools"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["metallb.io"]
+  resources: ["communities"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "metallb.fullname" . }}-controller
+  labels: {{- include "metallb.labels" . | nindent 4 }}
+rules:
+{{- if .Values.speaker.memberlist.enabled }}
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames: [{{ include "metallb.secretName" . | quote }}]
+  verbs: ["list"]
+- apiGroups: ["apps"]
+  resources: ["deployments"]
+  resourceNames: ["{{ template "metallb.fullname" . }}-controller"]
+  verbs: ["get"]
+{{- end }}
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+- apiGroups: ["metallb.io"]
+  resources: ["addresspools"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["metallb.io"]
+  resources: ["ipaddresspools"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["metallb.io"]
+  resources: ["bgppeers"]
+  verbs: ["get", "list"]
+- apiGroups: ["metallb.io"]
+  resources: ["bgpadvertisements"]
+  verbs: ["get", "list"]
+- apiGroups: ["metallb.io"]
+  resources: ["l2advertisements"]
+  verbs: ["get", "list"]
+- apiGroups: ["metallb.io"]
+  resources: ["communities"]
+  verbs: ["get", "list","watch"]
+- apiGroups: ["metallb.io"]
+  resources: ["bfdprofiles"]
+  verbs: ["get", "list","watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "metallb.fullname" . }}:controller
+  labels:
+    {{- include "metallb.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "metallb.controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "metallb.fullname" . }}:controller
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "metallb.fullname" . }}:speaker
+  labels:
+    {{- include "metallb.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "metallb.speaker.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "metallb.fullname" . }}:speaker
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "metallb.fullname" . }}-pod-lister
+  labels: {{- include "metallb.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "metallb.fullname" . }}-pod-lister
+subjects:
+- kind: ServiceAccount
+  name: {{ include "metallb.speaker.serviceAccountName" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "metallb.fullname" . }}-controller
+  labels: {{- include "metallb.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "metallb.fullname" . }}-controller
+subjects:
+- kind: ServiceAccount
+  name: {{ include "metallb.controller.serviceAccountName" . }}
+{{- end -}}
diff --git a/charts/metallb/templates/service-accounts.yaml b/charts/metallb/templates/service-accounts.yaml
new file mode 100644
index 00000000..95609e5e
--- /dev/null
+++ b/charts/metallb/templates/service-accounts.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.controller.serviceAccount.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "metallb.controller.serviceAccountName" . }}
+  labels:
+    {{- include "metallb.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+  {{- with .Values.controller.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- if .Values.speaker.serviceAccount.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "metallb.speaker.serviceAccountName" . }}
+  labels:
+    {{- include "metallb.labels" . | nindent 4 }}
+    app.kubernetes.io/component: speaker
+  {{- with .Values.speaker.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/charts/metallb/templates/servicemonitor.yaml b/charts/metallb/templates/servicemonitor.yaml
new file mode 100644
index 00000000..1d8563d2
--- /dev/null
+++ b/charts/metallb/templates/servicemonitor.yaml
@@ -0,0 +1,188 @@
+{{- if .Values.prometheus.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "metallb.fullname" . }}-speaker-monitor
+  labels:
+    {{- include "metallb.labels" . | nindent 4 }}
+    app.kubernetes.io/component: speaker
+    {{- if .Values.prometheus.serviceMonitor.speaker.additionalLabels }}
+{{ toYaml .Values.prometheus.serviceMonitor.speaker.additionalLabels | indent 4 }}
+    {{- end }}
+  {{- if .Values.prometheus.serviceMonitor.speaker.annotations }}
+  annotations:
+{{ toYaml .Values.prometheus.serviceMonitor.speaker.annotations | indent 4 }}
+  {{- end }}
+spec:
+  endpoints:
+    - port: {{ template "metrics.exposedportname" . }}
+      honorLabels: true
+      {{- if .Values.prometheus.serviceMonitor.metricRelabelings }}
+      metricRelabelings:
+      {{- toYaml .Values.prometheus.serviceMonitor.metricRelabelings | nindent 8 }}
+      {{- end -}}
+      {{- if .Values.prometheus.serviceMonitor.relabelings }}
+      relabelings:
+      {{- toYaml .Values.prometheus.serviceMonitor.relabelings | nindent 8 }}
+      {{- end }}
+      {{- if .Values.prometheus.serviceMonitor.interval }}
+      interval: {{ .Values.prometheus.serviceMonitor.interval }}
+      {{- end -}}
+{{ if .Values.prometheus.secureMetricsPort }}
+      bearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token"
+      scheme: "https"
+{{- if .Values.prometheus.serviceMonitor.speaker.tlsConfig }}
+      tlsConfig:
+{{ toYaml .Values.prometheus.serviceMonitor.speaker.tlsConfig | indent 8 }}      
+{{- end }}
+{{ end }}
+{{- if .Values.speaker.frr.enabled }}
+    - port: {{ template "metrics.exposedfrrportname" . }}
+      honorLabels: true
+{{ if .Values.speaker.frr.secureMetricsPort }}
+      {{- if .Values.prometheus.serviceMonitor.interval }}
+      interval: {{ .Values.prometheus.serviceMonitor.interval }}
+      {{- end }}
+      bearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token"
+      scheme: "https"
+{{- if .Values.prometheus.serviceMonitor.speaker.tlsConfig }}
+      tlsConfig:
+{{ toYaml .Values.prometheus.serviceMonitor.speaker.tlsConfig | indent 8 }}      
+{{- end }}
+{{- end }}
+{{- end }}
+  jobLabel: {{ .Values.prometheus.serviceMonitor.jobLabel | quote }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      name: {{ template "metallb.fullname" . }}-speaker-monitor-service
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    prometheus.io/scrape: "true"
+  {{- if .Values.prometheus.serviceMonitor.speaker.annotations }}
+{{ toYaml .Values.prometheus.serviceMonitor.speaker.annotations | indent 4 }}
+  {{- end }}
+  labels:
+    name: {{ template "metallb.fullname" . }}-speaker-monitor-service
+  name: {{ template "metallb.fullname" . }}-speaker-monitor-service
+spec:
+  selector:
+    {{- include "metallb.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: speaker
+  clusterIP: None
+  ports:
+    - name: {{ template "metrics.exposedportname" . }}
+      port: {{ template "metrics.exposedport" . }}
+      targetPort: {{ template "metrics.exposedport" . }}
+{{- if .Values.speaker.frr.enabled }}
+    - name: {{ template "metrics.exposedfrrportname" . }}
+      port: {{ template "metrics.exposedfrrport" . }}
+      targetPort: {{ template "metrics.exposedfrrport" . }}
+{{- end }}
+  sessionAffinity: None
+  type: ClusterIP
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "metallb.fullname" . }}-controller-monitor
+  labels:
+    {{- include "metallb.labels" . | nindent 4 }}
+    app.kubernetes.io/component: speaker
+    {{- if .Values.prometheus.serviceMonitor.controller.additionalLabels }}
+{{ toYaml .Values.prometheus.serviceMonitor.controller.additionalLabels | indent 4 }}
+    {{- end }}
+  {{- if .Values.prometheus.serviceMonitor.controller.annotations }}
+  annotations:
+{{ toYaml .Values.prometheus.serviceMonitor.controller.annotations | indent 4 }}
+  {{- end }}
+spec:
+  endpoints:
+    - port: {{ template "metrics.exposedportname" . }}
+      {{- if .Values.prometheus.serviceMonitor.metricRelabelings }}
+      metricRelabelings:
+      {{- toYaml .Values.prometheus.serviceMonitor.metricRelabelings | nindent 8 }}
+      {{- end -}}
+      {{- if .Values.prometheus.serviceMonitor.relabelings }}
+      relabelings:
+      {{- toYaml .Values.prometheus.serviceMonitor.relabelings | nindent 8 }}
+      {{- end }}
+      {{- if .Values.prometheus.serviceMonitor.interval }}
+      interval: {{ .Values.prometheus.serviceMonitor.interval }}
+      {{- end }}
+      honorLabels: true
+{{- if .Values.prometheus.secureMetricsPort }}
+      bearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token"
+      scheme: "https"
+{{- if .Values.prometheus.serviceMonitor.controller.tlsConfig }}
+      tlsConfig:
+{{ toYaml .Values.prometheus.serviceMonitor.controller.tlsConfig | indent 8 }}      
+{{- end }}
+{{- end }}
+  jobLabel: {{ .Values.prometheus.serviceMonitor.jobLabel | quote }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      name: {{ template "metallb.fullname" . }}-controller-monitor-service
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    prometheus.io/scrape: "true"
+  {{- if .Values.prometheus.serviceMonitor.controller.annotations }}
+{{ toYaml .Values.prometheus.serviceMonitor.controller.annotations | indent 4 }}
+  {{- end }}
+  labels:
+    name: {{ template "metallb.fullname" . }}-controller-monitor-service
+  name: {{ template "metallb.fullname" . }}-controller-monitor-service
+spec:
+  selector:
+    {{- include "metallb.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+  clusterIP: None
+  ports:
+    - name: {{ template "metrics.exposedportname" . }}
+      port: {{ template "metrics.exposedport" . }}
+      targetPort: {{ template "metrics.exposedport" . }}
+  sessionAffinity: None
+  type: ClusterIP
+---
+{{- if .Values.prometheus.rbacPrometheus }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "metallb.fullname" . }}-prometheus
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - services
+      - endpoints
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "metallb.fullname" . }}-prometheus
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "metallb.fullname" . }}-prometheus
+subjects:
+  - kind: ServiceAccount
+    name: {{ required ".Values.prometheus.serviceAccount must be defined when .Values.prometheus.serviceMonitor.enabled == true" .Values.prometheus.serviceAccount }}
+    namespace: {{ required ".Values.prometheus.namespace must be defined when .Values.prometheus.serviceMonitor.enabled == true" .Values.prometheus.namespace }}
+{{- end }}
+{{- end }}
diff --git a/charts/metallb/templates/speaker.yaml b/charts/metallb/templates/speaker.yaml
new file mode 100644
index 00000000..4bbbfb1d
--- /dev/null
+++ b/charts/metallb/templates/speaker.yaml
@@ -0,0 +1,505 @@
+{{- if .Values.speaker.frr.enabled }}
+# FRR expects to have these files owned by frr:frr on startup.
+# Having them in a ConfigMap allows us to modify behaviors: for example enabling more daemons on startup.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "metallb.fullname" . }}-frr-startup
+  labels:
+    {{- include "metallb.labels" . | nindent 4 }}
+    app.kubernetes.io/component: speaker
+data:
+  daemons: |
+    # This file tells the frr package which daemons to start.
+    #
+    # Sample configurations for these daemons can be found in
+    # /usr/share/doc/frr/examples/.
+    #
+    # ATTENTION:
+    #
+    # When activating a daemon for the first time, a config file, even if it is
+    # empty, has to be present *and* be owned by the user and group "frr", else
+    # the daemon will not be started by /etc/init.d/frr. The permissions should
+    # be u=rw,g=r,o=.
+    # When using "vtysh" such a config file is also needed. It should be owned by
+    # group "frrvty" and set to ug=rw,o= though. Check /etc/pam.d/frr, too.
+    #
+    # The watchfrr and zebra daemons are always started.
+    #
+    bgpd=yes
+    ospfd=no
+    ospf6d=no
+    ripd=no
+    ripngd=no
+    isisd=no
+    pimd=no
+    ldpd=no
+    nhrpd=no
+    eigrpd=no
+    babeld=no
+    sharpd=no
+    pbrd=no
+    bfdd=yes
+    fabricd=no
+    vrrpd=no
+
+    #
+    # If this option is set the /etc/init.d/frr script automatically loads
+    # the config via "vtysh -b" when the servers are started.
+    # Check /etc/pam.d/frr if you intend to use "vtysh"!
+    #
+    vtysh_enable=yes
+    zebra_options="  -A 127.0.0.1 -s 90000000"
+    bgpd_options="   -A 127.0.0.1 -p 0"
+    ospfd_options="  -A 127.0.0.1"
+    ospf6d_options=" -A ::1"
+    ripd_options="   -A 127.0.0.1"
+    ripngd_options=" -A ::1"
+    isisd_options="  -A 127.0.0.1"
+    pimd_options="   -A 127.0.0.1"
+    ldpd_options="   -A 127.0.0.1"
+    nhrpd_options="  -A 127.0.0.1"
+    eigrpd_options=" -A 127.0.0.1"
+    babeld_options=" -A 127.0.0.1"
+    sharpd_options=" -A 127.0.0.1"
+    pbrd_options="   -A 127.0.0.1"
+    staticd_options="-A 127.0.0.1"
+    bfdd_options="   -A 127.0.0.1"
+    fabricd_options="-A 127.0.0.1"
+    vrrpd_options="  -A 127.0.0.1"
+
+    # configuration profile
+    #
+    #frr_profile="traditional"
+    #frr_profile="datacenter"
+
+    #
+    # This is the maximum number of FD's that will be available.
+    # Upon startup this is read by the control files and ulimit
+    # is called. Uncomment and use a reasonable value for your
+    # setup if you are expecting a large number of peers in
+    # say BGP.
+    #MAX_FDS=1024
+
+    # The list of daemons to watch is automatically generated by the init script.
+    #watchfrr_options=""
+
+    # for debugging purposes, you can specify a "wrap" command to start instead
+    # of starting the daemon directly, e.g. to use valgrind on ospfd:
+    #   ospfd_wrap="/usr/bin/valgrind"
+    # or you can use "all_wrap" for all daemons, e.g. to use perf record:
+    #   all_wrap="/usr/bin/perf record --call-graph -"
+    # the normal daemon command is added to this at the end.
+  vtysh.conf: |+
+    service integrated-vtysh-config
+  frr.conf: |+
+    ! This file gets overriden the first time the speaker renders a config.
+    ! So anything configured here is only temporary.
+    frr version 7.5.1
+    frr defaults traditional
+    hostname Router
+    line vty
+    log file /etc/frr/frr.log informational
+{{- end }}
+---
+{{- if .Values.speaker.enabled }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ template "metallb.fullname" . }}-speaker
+  labels:
+    {{- include "metallb.labels" . | nindent 4 }}
+    app.kubernetes.io/component: speaker
+    {{- range $key, $value := .Values.speaker.labels }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+spec:
+  {{- if .Values.speaker.updateStrategy }}
+  updateStrategy: {{- toYaml .Values.speaker.updateStrategy | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "metallb.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: speaker
+  template:
+    metadata:
+      {{- if or .Values.prometheus.scrapeAnnotations .Values.speaker.podAnnotations }}
+      annotations:
+        {{- if .Values.prometheus.scrapeAnnotations }}
+        prometheus.io/scrape: "true"
+        {{- if not .Values.speaker.frr.enabled }}
+        prometheus.io/port: "{{ .Values.prometheus.metricsPort }}"
+        {{- end }}
+        {{- end }}
+        {{- with .Values.speaker.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- end }}
+      labels:
+        {{- include "metallb.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: speaker
+        {{- range $key, $value := .Values.speaker.labels }}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
+    spec:
+      {{- if .Values.speaker.runtimeClassName }}
+      runtimeClassName: {{ .Values.speaker.runtimeClassName }}
+      {{- end }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ template "metallb.speaker.serviceAccountName" . }}
+      terminationGracePeriodSeconds: 0
+      hostNetwork: true
+      volumes:
+      {{- if .Values.speaker.memberlist.enabled }}
+        - name: memberlist
+          secret:
+            secretName: {{ include "metallb.secretName" . }}
+            defaultMode: 420
+      {{- end }}
+      {{- if .Values.speaker.excludeInterfaces.enabled }}
+        - name: metallb-excludel2
+          configMap:
+            defaultMode: 256
+            name: metallb-excludel2
+      {{- end }}
+      {{- if .Values.speaker.frr.enabled }}
+        - name: frr-sockets
+          emptyDir: {}
+        - name: frr-startup
+          configMap:
+            name: {{ template "metallb.fullname" . }}-frr-startup
+        - name: frr-conf
+          emptyDir: {}
+        - name: reloader
+          emptyDir: {}
+        - name: metrics
+          emptyDir: {}
+      {{- if .Values.prometheus.speakerMetricsTLSSecret }}
+        - name: metrics-certs
+          secret:
+            secretName: {{ .Values.prometheus.speakerMetricsTLSSecret }}
+      {{- end }}
+      initContainers:
+        # Copies the initial config files with the right permissions to the shared volume.
+        - name: cp-frr-files
+          image: {{ .Values.speaker.frr.image.repository }}:{{ .Values.speaker.frr.image.tag | default .Chart.AppVersion }}
+          securityContext:
+            runAsUser: 100
+            runAsGroup: 101
+          command: ["/bin/sh", "-c", "cp -rLf /tmp/frr/* /etc/frr/"]
+          volumeMounts:
+            - name: frr-startup
+              mountPath: /tmp/frr
+            - name: frr-conf
+              mountPath: /etc/frr
+        # Copies the reloader to the shared volume between the speaker and reloader.
+        - name: cp-reloader
+          image: {{ .Values.speaker.image.repository }}:{{ .Values.speaker.image.tag | default .Chart.AppVersion }}
+          command: ["/bin/sh", "-c", "cp -f /frr-reloader.sh /etc/frr_reloader/"]
+          volumeMounts:
+            - name: reloader
+              mountPath: /etc/frr_reloader
+        # Copies the metrics exporter
+        - name: cp-metrics
+          image: {{ .Values.speaker.image.repository }}:{{ .Values.speaker.image.tag | default .Chart.AppVersion }}
+          command: ["/bin/sh", "-c", "cp -f /frr-metrics /etc/frr_metrics/"]
+          volumeMounts:
+            - name: metrics
+              mountPath: /etc/frr_metrics
+      shareProcessNamespace: true
+      {{- end }}
+      containers:
+      - name: speaker
+        image: {{ .Values.speaker.image.repository }}:{{ .Values.speaker.image.tag | default .Chart.AppVersion }}
+        {{- if .Values.speaker.image.pullPolicy }}
+        imagePullPolicy: {{ .Values.speaker.image.pullPolicy }}
+        {{- end }}
+        {{- if .Values.speaker.command }}
+        command:
+          - {{ .Values.speaker.command }}
+        {{- end }}
+        args:
+        - --port={{ .Values.prometheus.metricsPort }}
+        {{- with .Values.speaker.logLevel }}
+        - --log-level={{ . }}
+        {{- end }}
+        {{- if .Values.loadBalancerClass }}
+        - --lb-class={{ .Values.loadBalancerClass }}
+        {{- end }}
+        env:
+        - name: METALLB_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: METALLB_HOST
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        {{- if .Values.speaker.memberlist.enabled }}
+        - name: METALLB_ML_BIND_ADDR
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: METALLB_ML_LABELS
+          value: "app.kubernetes.io/name={{ include "metallb.name" . }},app.kubernetes.io/component=speaker"
+        - name: METALLB_ML_BIND_PORT
+          value: "{{ .Values.speaker.memberlist.mlBindPort }}"
+        - name: METALLB_ML_SECRET_KEY_PATH
+          value: "{{ .Values.speaker.memberlist.mlSecretKeyPath }}"
+        {{- end }}
+        {{- if .Values.speaker.frr.enabled }}
+        - name: FRR_CONFIG_FILE
+          value: /etc/frr_reloader/frr.conf
+        - name: FRR_RELOADER_PID_FILE
+          value: /etc/frr_reloader/reloader.pid
+        - name: METALLB_BGP_TYPE
+          value: frr
+        {{- end }}
+        ports:
+        - name: monitoring
+          containerPort: {{ .Values.prometheus.metricsPort }}
+        {{- if .Values.speaker.memberlist.enabled }}
+        - name: memberlist-tcp
+          containerPort: {{ .Values.speaker.memberlist.mlBindPort }}
+          protocol: TCP
+        - name: memberlist-udp
+          containerPort: {{ .Values.speaker.memberlist.mlBindPort }}
+          protocol: UDP
+        {{- end }}
+        {{- if .Values.speaker.livenessProbe.enabled }}
+        livenessProbe:
+          httpGet:
+            path: /metrics
+            port: monitoring
+          initialDelaySeconds: {{ .Values.speaker.livenessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.speaker.livenessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.speaker.livenessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.speaker.livenessProbe.successThreshold }}
+          failureThreshold: {{ .Values.speaker.livenessProbe.failureThreshold }}
+        {{- end }}
+        {{- if .Values.speaker.readinessProbe.enabled }}
+        readinessProbe:
+          httpGet:
+            path: /metrics
+            port: monitoring
+          initialDelaySeconds: {{ .Values.speaker.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.speaker.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.speaker.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.speaker.readinessProbe.successThreshold }}
+          failureThreshold: {{ .Values.speaker.readinessProbe.failureThreshold }}
+        {{- end }}
+        {{- with .Values.speaker.resources }}
+        resources:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+            - ALL
+            add:
+            - NET_RAW
+        {{- if or .Values.speaker.frr.enabled .Values.speaker.memberlist.enabled .Values.speaker.excludeInterfaces.enabled }}
+        volumeMounts:
+          {{- if .Values.speaker.memberlist.enabled }}
+          - name: memberlist 
+            mountPath: {{ .Values.speaker.memberlist.mlSecretKeyPath }}
+          {{- end }}
+          {{- if .Values.speaker.frr.enabled }}
+          - name: reloader
+            mountPath: /etc/frr_reloader
+          {{- end }}
+          {{- if .Values.speaker.excludeInterfaces.enabled }}
+          - name: metallb-excludel2
+            mountPath: /etc/metallb
+          {{- end }}
+        {{- end }}
+      {{- if .Values.speaker.frr.enabled }}
+      - name: frr
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+            - NET_RAW
+            - SYS_ADMIN
+            - NET_BIND_SERVICE
+        image: {{ .Values.speaker.frr.image.repository }}:{{ .Values.speaker.frr.image.tag | default .Chart.AppVersion }}
+        {{- if .Values.speaker.frr.image.pullPolicy }}
+        imagePullPolicy: {{ .Values.speaker.frr.image.pullPolicy }}
+        {{- end }}
+        env:
+          - name: TINI_SUBREAPER
+            value: "true"
+        volumeMounts:
+          - name: frr-sockets
+            mountPath: /var/run/frr
+          - name: frr-conf
+            mountPath: /etc/frr
+        # The command is FRR's default entrypoint & waiting for the log file to appear and tailing it.
+        # If the log file isn't created in 60 seconds the tail fails and the container is restarted.
+        # This workaround is needed to have the frr logs as part of kubectl logs -c frr < speaker_pod_name >.
+        command:
+          - /bin/sh
+          - -c
+          - |
+            /sbin/tini -- /usr/lib/frr/docker-start &
+            attempts=0
+            until [[ -f /etc/frr/frr.log || $attempts -eq 60 ]]; do
+              sleep 1
+              attempts=$(( $attempts + 1 ))
+            done
+            tail -f /etc/frr/frr.log
+        {{- with .Values.speaker.frr.resources }}
+        resources:
+          {{- toYaml . | nindent 12 }}
+        {{- end }}
+        {{- if .Values.speaker.livenessProbe.enabled }}
+        livenessProbe:
+          httpGet:
+            path: /livez
+            port: {{ .Values.speaker.frr.metricsPort }}
+          periodSeconds: {{ .Values.speaker.livenessProbe.periodSeconds }}
+          failureThreshold: {{ .Values.speaker.livenessProbe.failureThreshold }}
+        {{- end }}
+        {{- if .Values.speaker.startupProbe.enabled }}
+        startupProbe:
+          httpGet:
+            path: /livez
+            port: {{ .Values.speaker.frr.metricsPort }}
+          failureThreshold: {{ .Values.speaker.startupProbe.failureThreshold }}
+          periodSeconds: {{ .Values.speaker.startupProbe.periodSeconds }}
+        {{- end }}
+      - name: reloader
+        image: {{ .Values.speaker.frr.image.repository }}:{{ .Values.speaker.frr.image.tag | default .Chart.AppVersion }}
+        {{- if .Values.speaker.frr.image.pullPolicy }}
+        imagePullPolicy: {{ .Values.speaker.frr.image.pullPolicy }}
+        {{- end }}
+        command: ["/etc/frr_reloader/frr-reloader.sh"]
+        volumeMounts:
+          - name: frr-sockets
+            mountPath: /var/run/frr
+          - name: frr-conf
+            mountPath: /etc/frr
+          - name: reloader
+            mountPath: /etc/frr_reloader
+        {{- with .Values.speaker.reloader.resources }}
+        resources:
+          {{- toYaml . | nindent 12 }}
+        {{- end }}
+      - name: frr-metrics
+        image: {{ .Values.speaker.frr.image.repository }}:{{ .Values.speaker.frr.image.tag | default .Chart.AppVersion }}
+        command: ["/etc/frr_metrics/frr-metrics"]
+        args:
+          - --metrics-port={{ .Values.speaker.frr.metricsPort }}
+        ports:
+          - containerPort: {{ .Values.speaker.frr.metricsPort }}
+            name: monitoring
+        volumeMounts:
+          - name: frr-sockets
+            mountPath: /var/run/frr
+          - name: frr-conf
+            mountPath: /etc/frr
+          - name: metrics
+            mountPath: /etc/frr_metrics
+        {{- with .Values.speaker.frrMetrics.resources }}
+        resources:
+          {{- toYaml . | nindent 12 }}
+        {{- end }}
+      {{- end }}
+      {{- if .Values.prometheus.secureMetricsPort }}
+      - name: kube-rbac-proxy
+        image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag }}
+        imagePullPolicy: {{ .Values.prometheus.rbacProxy.pullPolicy }}
+        args:
+          - --logtostderr
+          - --secure-listen-address=:{{ .Values.prometheus.secureMetricsPort }}
+          - --upstream=http://$(METALLB_HOST):{{ .Values.prometheus.metricsPort }}/
+          - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+        {{- if .Values.prometheus.speakerMetricsTLSSecret }}
+          - --tls-private-key-file=/etc/metrics/tls.key
+          - --tls-cert-file=/etc/metrics/tls.crt
+        {{- end }}
+        ports:
+          - containerPort: {{ .Values.prometheus.secureMetricsPort }}
+            name: metricshttps
+        env:
+          - name: METALLB_HOST
+            valueFrom:
+              fieldRef:
+                fieldPath: status.hostIP
+        resources:
+          requests:
+            cpu: 10m
+            memory: 20Mi
+        terminationMessagePolicy: FallbackToLogsOnError
+        {{- if .Values.prometheus.speakerMetricsTLSSecret }}
+        volumeMounts:
+          - name: metrics-certs
+            mountPath: /etc/metrics
+            readOnly: true
+        {{- end }}
+      {{ end }}
+      {{- if .Values.speaker.frr.secureMetricsPort }}
+      - name: kube-rbac-proxy-frr
+        image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag | default .Chart.AppVersion }}
+        imagePullPolicy: {{ .Values.prometheus.rbacProxy.pullPolicy }}
+        args:
+          - --logtostderr
+          - --secure-listen-address=:{{ .Values.speaker.frr.secureMetricsPort }}
+          - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+          - --upstream=http://$(METALLB_HOST):{{ .Values.speaker.frr.metricsPort }}/
+        {{- if .Values.prometheus.speakerMetricsTLSSecret }}
+          - --tls-private-key-file=/etc/metrics/tls.key
+          - --tls-cert-file=/etc/metrics/tls.crt
+        {{- end }}
+        ports:
+          - containerPort: {{ .Values.speaker.frr.secureMetricsPort }}
+            name: metricshttps
+        env:
+          - name: METALLB_HOST
+            valueFrom:
+              fieldRef:
+                fieldPath: status.hostIP
+        resources:
+          requests:
+            cpu: 10m
+            memory: 20Mi
+        terminationMessagePolicy: FallbackToLogsOnError
+        {{- if .Values.prometheus.speakerMetricsTLSSecret }}
+        volumeMounts:
+          - name: metrics-certs
+            mountPath: /etc/metrics
+            readOnly: true
+        {{- end }}
+      {{ end }}
+      nodeSelector:
+        "kubernetes.io/os": linux
+        {{- with .Values.speaker.nodeSelector }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.speaker.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if or .Values.speaker.tolerateMaster .Values.speaker.tolerations }}
+      tolerations:
+      {{- if .Values.speaker.tolerateMaster }}
+      - key: node-role.kubernetes.io/master
+        effect: NoSchedule
+        operator: Exists
+      - key: node-role.kubernetes.io/control-plane
+        effect: NoSchedule
+        operator: Exists        
+      {{- end }}
+      {{- with .Values.speaker.tolerations }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      {{- end }}
+      {{- with .Values.speaker.priorityClassName }}
+      priorityClassName: {{ . | quote }}
+      {{- end }}
+{{- end }}
diff --git a/charts/metallb/templates/webhooks.yaml b/charts/metallb/templates/webhooks.yaml
new file mode 100644
index 00000000..3f3d5ed7
--- /dev/null
+++ b/charts/metallb/templates/webhooks.yaml
@@ -0,0 +1,168 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: metallb-webhook-configuration
+  labels:
+    {{- include "metallb.labels" . | nindent 4 }}
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: metallb-webhook-service
+      namespace: {{ .Release.Namespace }}
+      path: /validate-metallb-io-v1beta1-addresspool
+  failurePolicy: {{ .Values.crds.validationFailurePolicy }}
+  name: addresspoolvalidationwebhook.metallb.io
+  rules:
+  - apiGroups:
+    - metallb.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - addresspools
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: metallb-webhook-service
+      namespace: {{ .Release.Namespace }}
+      path: /validate-metallb-io-v1beta2-bgppeer
+  failurePolicy: {{ .Values.crds.validationFailurePolicy }}
+  name: bgppeervalidationwebhook.metallb.io
+  rules:
+  - apiGroups:
+    - metallb.io
+    apiVersions:
+    - v1beta2
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - bgppeers
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: metallb-webhook-service
+      namespace: {{ .Release.Namespace }}
+      path: /validate-metallb-io-v1beta1-ipaddresspool
+  failurePolicy: {{ .Values.crds.validationFailurePolicy }}
+  name: ipaddresspoolvalidationwebhook.metallb.io
+  rules:
+  - apiGroups:
+    - metallb.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ipaddresspools
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: metallb-webhook-service
+      namespace: {{ .Release.Namespace }}
+      path: /validate-metallb-io-v1beta1-bgpadvertisement
+  failurePolicy: {{ .Values.crds.validationFailurePolicy }}
+  name: bgpadvertisementvalidationwebhook.metallb.io
+  rules:
+  - apiGroups:
+    - metallb.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - bgpadvertisements
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: metallb-webhook-service
+      namespace: {{ .Release.Namespace }}
+      path: /validate-metallb-io-v1beta1-community
+  failurePolicy: {{ .Values.crds.validationFailurePolicy }}
+  name: communityvalidationwebhook.metallb.io
+  rules:
+  - apiGroups:
+    - metallb.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - communities
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: metallb-webhook-service
+      namespace: {{ .Release.Namespace }}
+      path: /validate-metallb-io-v1beta1-bfdprofile
+  failurePolicy: {{ .Values.crds.validationFailurePolicy }}
+  name: bfdprofilevalidationwebhook.metallb.io
+  rules:
+  - apiGroups:
+    - metallb.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - DELETE
+    resources:
+    - bfdprofiles
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: metallb-webhook-service
+      namespace: {{ .Release.Namespace }}
+      path: /validate-metallb-io-v1beta1-l2advertisement
+  failurePolicy: {{ .Values.crds.validationFailurePolicy }}
+  name: l2advertisementvalidationwebhook.metallb.io
+  rules:
+  - apiGroups:
+    - metallb.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - l2advertisements
+  sideEffects: None
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: metallb-webhook-service
+  labels:
+    {{- include "metallb.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: 443
+    targetPort: 9443
+  selector:
+    {{- include "metallb.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: webhook-server-cert
+  labels:
+    {{- include "metallb.labels" . | nindent 4 }}
diff --git a/charts/metallb/values.schema.json b/charts/metallb/values.schema.json
new file mode 100644
index 00000000..5a92e56a
--- /dev/null
+++ b/charts/metallb/values.schema.json
@@ -0,0 +1,427 @@
+{
+  "$schema": "https://json-schema.org/draft-07/schema#",
+  "title": "Values",
+  "type": "object",
+  "definitions": {
+    "prometheusAlert": {
+      "type": "object",
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        },
+        "labels": {
+          "type": "object",
+          "additionalProperties": { "type": "string" }
+        }
+      },
+      "required": [ "enabled" ]
+    },
+    "probe": {
+      "type": "object",
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        },
+        "failureThreshold": {
+          "type": "integer"
+        },
+        "initialDelaySeconds": {
+          "type": "integer"
+        },
+        "periodSeconds": {
+          "type": "integer"
+        },
+        "successThreshold": {
+          "type": "integer"
+        },
+        "timeoutSeconds": {
+          "type": "integer"
+        }
+      },
+      "required": [
+        "failureThreshold",
+        "initialDelaySeconds",
+        "periodSeconds",
+        "successThreshold",
+        "timeoutSeconds"
+      ]
+    },
+    "component": {
+      "type": "object",
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        },
+        "logLevel": {
+          "type": "string",
+          "enum": [ "all", "debug", "info", "warn", "error", "none" ]
+        },
+        "image": {
+          "type": "object",
+          "properties": {
+            "repository": {
+              "type": "string"
+            },
+            "tag": {
+              "anyOf": [
+                { "type": "string" },
+                { "type": "null" }
+              ]
+            },
+            "pullPolicy": {
+              "anyOf": [
+                {
+                  "type": "null"
+                },
+                {
+                  "type": "string",
+                  "enum": [ "Always", "IfNotPresent", "Never" ]
+                }
+              ]
+            }
+          }
+        },
+        "serviceAccount": {
+          "type": "object",
+          "properties": {
+            "create": {
+              "type": "boolean"
+            },
+            "name": {
+              "type": "string"
+            },
+            "annotations": {
+              "type": "object"
+            }
+          }
+        },
+        "resources": {
+          "type": "object"
+        },
+        "nodeSelector": {
+          "type": "object"
+        },
+        "tolerations": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "priorityClassName": {
+          "type":"string"
+        },
+        "runtimeClassName": {
+          "type":"string"
+        },
+        "affinity": {
+          "type": "object"
+        },
+        "podAnnotations": {
+          "type": "object"
+        },
+        "livenessProbe": {
+          "$ref": "#/definitions/probe"
+        },
+        "readinessProbe": {
+          "$ref": "#/definitions/probe"
+        }
+      },
+      "required": [
+        "image",
+        "serviceAccount"
+      ]
+    }
+  },
+  "properties": {
+    "imagePullSecrets": {
+      "description": "Secrets used for pulling images",
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "name": {
+            "type": "string"
+          }
+        },
+        "required": [ "name" ],
+        "additionalProperties": false
+      }
+    },
+    "nameOverride": {
+      "description": "Override chart name",
+      "type": "string"
+    },
+    "fullNameOverride": {
+      "description": "Override fully qualified app name",
+      "type": "string"
+    },
+    "configInLine": {
+      "description": "MetalLB configuration",
+      "type": "object"
+    },
+    "loadBalancerClass": {
+      "type":"string"
+    },
+    "rbac": {
+      "description": "RBAC configuration",
+      "type": "object",
+      "properties": {
+        "create": {
+          "description": "Enable RBAC",
+          "type": "boolean"
+        }
+      }
+    },
+    "prometheus": {
+      "description": "Prometheus monitoring config",
+      "type": "object",
+      "properties": {
+        "scrapeAnnotations": { "type": "boolean" },
+        "metricsPort": { "type": "integer" },
+        "secureMetricsPort": { "type": "integer" },
+        "rbacPrometheus": { "type": "boolean" },
+        "serviceAccount": { "type": "string" },
+        "namespace": { "type": "string" },
+        "rbacProxy": {
+          "description": "kube-rbac-proxy configuration",
+          "type": "object",
+          "properties": {
+            "repository": { "type": "string" },
+            "tag": { "type": "string" }
+          }
+        },
+        "podMonitor": {
+          "description": "Prometheus Operator PodMonitors",
+          "type": "object",
+          "properties": {
+            "enabled": { "type": "boolean" },
+            "additionalMonitors": { "type": "object" },
+            "jobLabel": { "type": "string" },
+            "interval": {
+              "anyOf": [
+                { "type": "integer" },
+                { "type": "null" }
+              ]
+            },
+            "metricRelabelings": {
+              "type": "array",
+              "items": {
+                "type": "object"
+              }
+            },
+            "relabelings": {
+              "type": "array",
+              "items": {
+                "type": "object"
+              }
+            }
+          }
+        },
+        "serviceMonitor": {
+          "description": "Prometheus Operator ServiceMonitors",
+          "type": "object",
+          "properties": {
+            "enabled": { "type": "boolean" },
+            "jobLabel": { "type": "string" },
+            "interval": {
+              "anyOf": [
+                { "type": "integer" },
+                { "type": "null" }
+              ]
+            },
+            "metricRelabelings": {
+              "type": "array",
+              "items": {
+                "type": "object"
+              }
+            },
+            "relabelings": {
+              "type": "array",
+              "items": {
+                "type": "object"
+              }
+            }
+          }
+        },
+        "prometheusRule": {
+          "description": "Prometheus Operator alertmanager alerts",
+          "type": "object",
+          "properties": {
+            "enabled": { "type": "boolean" },
+            "additionalMonitors": { "type": "object" },
+            "staleConfig": { "$ref": "#/definitions/prometheusAlert" },
+            "configNotLoaded": { "$ref": "#/definitions/prometheusAlert" },
+            "addressPoolExhausted": { "$ref": "#/definitions/prometheusAlert" },
+            "addressPoolUsage": {
+              "type": "object",
+              "properties": {
+                "enabled": {
+                  "type": "boolean"
+                },
+                "thresholds": {
+                  "type": "array",
+                  "items": {
+                    "type": "object",
+                    "properties": {
+                      "percent": {
+                        "type": "integer",
+                        "minimum": 0,
+                        "maximum": 100
+                      },
+                      "labels": {
+                        "type": "object",
+                        "additionalProperties": { "type": "string" }
+                      }
+                    },
+                    "required": [ "percent" ]
+                  }
+                }
+              },
+              "required": [ "enabled" ]
+            },
+            "bgpSessionDown": { "$ref": "#/definitions/prometheusAlert" },
+            "extraAlerts": {
+              "type": "array",
+              "items": {
+                "type": "object"
+              }
+            }
+          },
+          "required": [
+            "enabled",
+            "staleConfig",
+            "configNotLoaded",
+            "addressPoolExhausted",
+            "addressPoolUsage",
+            "bgpSessionDown"
+          ]
+        }
+      },
+      "required": [ "podMonitor", "prometheusRule" ]
+    },
+    "speaker": { 
+      "allOf": [
+        { "$ref": "#/definitions/component" },
+        { "description": "MetalLB Speaker",
+          "type": "object",
+          "properties": {
+            "tolerateMaster": {
+              "type": "boolean"
+            },
+            "memberlist": {
+              "type": "object",
+              "properties": {
+                "enabled": {
+                  "type": "boolean"
+                },
+                "mlBindPort": {
+                  "type": "integer"
+                },
+                "mlSecretKeyPath": {
+                  "type": "string"
+                }
+              }
+            },
+            "excludeInterfaces": {
+              "type": "object",
+              "properties": {
+                "enabled": {
+                  "type": "boolean"
+                }
+              }
+            },
+            "updateStrategy": {
+              "type": "object",
+              "properties": {
+                "type": {
+                  "type": "string"
+                }
+              },
+              "required": [ "type" ]
+            },
+            "runtimeClassName": {
+              "type": "string"
+            },
+            "secretName": {
+              "type": "string"
+            },
+            "frr": {
+              "description": "Install FRR container in speaker deployment",
+              "type": "object",
+              "properties": {
+                "enabled": {
+                  "type": "boolean"
+                },
+                "image": { "$ref": "#/definitions/component/properties/image" },
+                "metricsPort": { "type": "integer" },
+                "secureMetricsPort": { "type": "integer" },
+                "resources:": { "type": "object" }
+              },
+              "required": [ "enabled" ]
+            },
+            "command" : {
+              "type": "string"
+            },
+            "reloader": {
+              "type": "object",
+              "properties": {
+                "resources": { "type": "object" }
+              }
+            },
+            "frrMetrics": {
+              "type": "object",
+              "properties": {
+                "resources": { "type": "object" }
+              }
+            }
+          },
+          "required": [ "tolerateMaster" ]
+        }
+      ]
+    },
+    "crds": {
+      "description": "CRD configuration",
+      "type": "object",
+      "properties": {
+        "enabled": {
+          "description": "Enable CRDs",
+          "type": "boolean"
+        },
+        "validationFailurePolicy": {
+          "description": "Failure policy to use with validating webhooks",
+          "type": "string",
+          "enum": [ "Ignore", "Fail" ]
+        }
+      }
+    }
+  },
+  "controller": { 
+    "allOf": [
+      { "$ref": "#/definitions/component" },
+      { "description": "MetalLB Controller",
+        "type": "object",
+        "properties": {
+          "strategy": {
+            "type": "object",
+            "properties": {
+              "type": {
+                "type": "string"
+              }
+            },
+            "required": [ "type" ]
+          },
+          "command" : {
+            "type": "string"
+          },
+          "webhookMode" : {
+            "type": "string"
+          }
+        }
+      }
+    ]
+  },
+  "required": [
+    "controller",
+    "speaker"
+  ]
+}
diff --git a/charts/metallb/values.yaml b/charts/metallb/values.yaml
new file mode 100644
index 00000000..b14b906e
--- /dev/null
+++ b/charts/metallb/values.yaml
@@ -0,0 +1,345 @@
+# Default values for metallb.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+# MetalLB supports LoadBalancerClass, which allows multiple load balancer implementations to co-exist. 
+# In order to set the loadbalancer class MetalLB should be listening for, the --lb-class=<CLASS_NAME> 
+# parameter must be provided to both the speaker and the controller.
+loadBalancerClass: ""
+
+# To configure MetalLB, you must specify ONE of the following two
+# options.
+
+rbac:
+  # create specifies whether to install and use RBAC rules.
+  create: true
+
+prometheus:
+  # scrape annotations specifies whether to add Prometheus metric
+  # auto-collection annotations to pods. See
+  # https://github.com/prometheus/prometheus/blob/release-2.1/documentation/examples/prometheus-kubernetes.yml
+  # for a corresponding Prometheus configuration. Alternatively, you
+  # may want to use the Prometheus Operator
+  # (https://github.com/coreos/prometheus-operator) for more powerful
+  # monitoring configuration. If you use the Prometheus operator, this
+  # can be left at false.
+  scrapeAnnotations: false
+
+  # port both controller and speaker will listen on for metrics
+  metricsPort: 7472
+
+  # if set, enables rbac proxy on the controller and speaker to expose
+  # the metrics via tls.
+  # secureMetricsPort: 9120
+
+  # the name of the secret to be mounted in the speaker pod
+  # to expose the metrics securely. If not present, a self signed
+  # certificate to be used.
+  speakerMetricsTLSSecret: ""
+
+  # the name of the secret to be mounted in the controller pod
+  # to expose the metrics securely. If not present, a self signed
+  # certificate to be used.
+  controllerMetricsTLSSecret: ""
+
+  # prometheus doens't have the permission to scrape all namespaces so we give it permission to scrape metallb's one
+  rbacPrometheus: true
+
+  # the service account used by prometheus
+  # required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true "
+  serviceAccount: ""
+
+  # the namespace where prometheus is deployed
+  # required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true "
+  namespace: ""
+
+  # the image to be used for the kuberbacproxy container
+  rbacProxy:
+    repository: "registry.opensuse.org/isv/suse/edge/metallb/images/kube-rbac-proxy"
+    tag: "v0.14.2"
+    pullPolicy: IfNotPresent
+
+  # Prometheus Operator PodMonitors
+  podMonitor:
+    # enable support for Prometheus Operator
+    enabled: false
+
+    # optional additionnal labels for podMonitors
+    additionalLabels: {}
+
+    # optional annotations for podMonitors
+    annotations: {}
+
+    # Job label for scrape target
+    jobLabel: "app.kubernetes.io/name"
+
+    # Scrape interval. If not set, the Prometheus default scrape interval is used.
+    interval:
+
+    # 	metric relabel configs to apply to samples before ingestion.
+    metricRelabelings: []
+    # - action: keep
+    #   regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
+    #   sourceLabels: [__name__]
+
+    # 	relabel configs to apply to samples before ingestion.
+    relabelings: []
+    # - sourceLabels: [__meta_kubernetes_pod_node_name]
+    #   separator: ;
+    #   regex: ^(.*)$
+    #   target_label: nodename
+    #   replacement: $1
+    #   action: replace
+
+  # Prometheus Operator ServiceMonitors. To be used as an alternative
+  # to podMonitor, supports secure metrics.
+  serviceMonitor:
+    # enable support for Prometheus Operator
+    enabled: false
+
+    speaker:
+      # optional additional labels for the speaker serviceMonitor
+      additionalLabels: {}
+      # optional additional annotations for the speaker serviceMonitor
+      annotations: {}
+      # optional tls configuration for the speaker serviceMonitor, in case
+      # secure metrics are enabled.
+      tlsConfig:
+        insecureSkipVerify: true
+
+    controller:
+      # optional additional labels for the controller serviceMonitor
+      additionalLabels: {}
+      # optional additional annotations for the controller serviceMonitor
+      annotations: {}
+      # optional tls configuration for the controller serviceMonitor, in case
+      # secure metrics are enabled.
+      tlsConfig:
+        insecureSkipVerify: true
+
+    # Job label for scrape target
+    jobLabel: "app.kubernetes.io/name"
+
+    # Scrape interval. If not set, the Prometheus default scrape interval is used.
+    interval:
+
+    # 	metric relabel configs to apply to samples before ingestion.
+    metricRelabelings: []
+    # - action: keep
+    #   regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
+    #   sourceLabels: [__name__]
+
+    # 	relabel configs to apply to samples before ingestion.
+    relabelings: []
+    # - sourceLabels: [__meta_kubernetes_pod_node_name]
+    #   separator: ;
+    #   regex: ^(.*)$
+    #   target_label: nodename
+    #   replacement: $1
+    #   action: replace
+
+  # Prometheus Operator alertmanager alerts
+  prometheusRule:
+    # enable alertmanager alerts
+    enabled: false
+
+    # optional additionnal labels for prometheusRules
+    additionalLabels: {}
+
+    # optional annotations for prometheusRules
+    annotations: {}
+
+    # MetalLBStaleConfig
+    staleConfig:
+      enabled: true
+      labels:
+        severity: warning
+
+    # MetalLBConfigNotLoaded
+    configNotLoaded:
+      enabled: true
+      labels:
+        severity: warning
+
+    # MetalLBAddressPoolExhausted
+    addressPoolExhausted:
+      enabled: true
+      labels:
+        severity: alert
+
+    addressPoolUsage:
+      enabled: true
+      thresholds:
+        - percent: 75
+          labels:
+            severity: warning
+        - percent: 85
+          labels:
+            severity: warning
+        - percent: 95
+          labels:
+            severity: alert
+
+    # MetalLBBGPSessionDown
+    bgpSessionDown:
+      enabled: true
+      labels:
+        severity: alert
+
+    extraAlerts: []
+
+# controller contains configuration specific to the MetalLB cluster
+# controller.
+controller:
+  enabled: true
+  # -- Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
+  logLevel: info
+  # command: /controller
+  # webhookMode: enabled
+  image:
+    repository: "registry.opensuse.org/isv/suse/edge/metallb/images/metallb-controller"
+    tag: "v0.13.10"
+    pullPolicy: IfNotPresent
+  ## @param controller.updateStrategy.type Metallb controller deployment strategy type.
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+  ## e.g:
+  ## strategy:
+  ##  type: RollingUpdate
+  ##  rollingUpdate:
+  ##    maxSurge: 25%
+  ##    maxUnavailable: 25%
+  ##
+  strategy:
+    type: RollingUpdate
+  serviceAccount:
+    # Specifies whether a ServiceAccount should be created
+    create: true
+    # The name of the ServiceAccount to use. If not set and create is
+    # true, a name is generated using the fullname template
+    name: ""
+    annotations: {}
+  securityContext:
+    runAsNonRoot: true
+    # nobody
+    runAsUser: 65534
+    fsGroup: 65534
+  resources: {}
+    # limits:
+      # cpu: 100m
+      # memory: 100Mi
+  nodeSelector: {}
+  tolerations: []
+  priorityClassName: ""
+  runtimeClassName: ""
+  affinity: {}
+  podAnnotations: {}
+  labels: {}
+  livenessProbe:
+    enabled: true
+    failureThreshold: 3
+    initialDelaySeconds: 10
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 1
+  readinessProbe:
+    enabled: true
+    failureThreshold: 3
+    initialDelaySeconds: 10
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 1
+
+# speaker contains configuration specific to the MetalLB speaker
+# daemonset.
+speaker:
+  enabled: true
+  # command: /speaker
+  # -- Speaker log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
+  logLevel: info
+  tolerateMaster: true
+  memberlist:
+    enabled: true
+    mlBindPort: 7946
+    mlSecretKeyPath: "/etc/ml_secret_key"
+  excludeInterfaces:
+    enabled: true
+  image:
+    repository: "registry.opensuse.org/isv/suse/edge/metallb/images/metallb-speaker"
+    tag: "v0.13.10"
+    pullPolicy: IfNotPresent
+  ## @param speaker.updateStrategy.type Speaker daemonset strategy type
+  ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
+  ##
+  updateStrategy:
+    ## StrategyType
+    ## Can be set to RollingUpdate or OnDelete
+    ##
+    type: RollingUpdate
+  serviceAccount:
+    # Specifies whether a ServiceAccount should be created
+    create: true
+    # The name of the ServiceAccount to use. If not set and create is
+    # true, a name is generated using the fullname template
+    name: ""
+    annotations: {}
+  ## Defines a secret name for the controller to generate a memberlist encryption secret
+  ## By default secretName: {{ "metallb.fullname" }}-memberlist
+  ##
+  # secretName:
+  resources: {}
+    # limits:
+      # cpu: 100m
+      # memory: 100Mi
+  nodeSelector: {}
+  tolerations: []
+  priorityClassName: ""
+  affinity: {}
+  ## Selects which runtime class will be used by the pod.
+  runtimeClassName: ""
+  podAnnotations: {}
+  labels: {}
+  livenessProbe:
+    enabled: true
+    failureThreshold: 3
+    initialDelaySeconds: 10
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 1
+  readinessProbe:
+    enabled: true
+    failureThreshold: 3
+    initialDelaySeconds: 10
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 1
+  startupProbe:
+    enabled: true
+    failureThreshold: 30
+    periodSeconds: 5
+  # frr contains configuration specific to the MetalLB FRR container,
+  # for speaker running alongside FRR.
+  frr:
+    enabled: true
+    image:
+      repository: "registry.opensuse.org/isv/suse/edge/metallb/images/frr"
+      tag: "8.4"
+      pullPolicy: IfNotPresent
+    metricsPort: 7473
+    resources: {}
+
+    # if set, enables a rbac proxy sidecar container on the speaker to
+    # expose the frr metrics via tls.
+    # secureMetricsPort: 9121
+
+  reloader:
+    resources: {}
+
+  frrMetrics:
+    resources: {}
+
+crds:
+  enabled: true
+  validationFailurePolicy: Fail
diff --git a/index.html b/index.html
index 001c001f..76721945 100755
--- a/index.html
+++ b/index.html
@@ -221,6 +221,28 @@ <h2>Charts</h2>
           </div>
         
 			
+        
+          <div class="chart">
+            <a href="assets/metallb/metallb-0.13.10.tgz" title="assets/metallb/metallb-0.13.10.tgz">
+              <div class="icon">
+                <img class="chart-item-logo" alt="metallb's logo" src="https://raw.githubusercontent.com/metallb/metallb/main/website/static/images/logo/metallb-blue-with-name.svg">
+              </div>
+              <div class="body">
+                <p class="info">
+                  metallb
+                  (0.13.10@v0.13.10)
+                  <a href="https://github.com/suse-edge/charts/tree/main/charts/metallb">
+                    <img src="https://raw.githubusercontent.com/suse-edge/charts/main/_images/GitHub-Mark-32px.png" alt="github link" style="height: 16px; width: 16px; vertical-align: middle;" />
+                  </a>
+                </p>
+                <p class="description">
+                  A network load-balancer implementation for Kubernetes using standard routing protocols
+                </p>
+              </div>
+            </a>
+          </div>
+        
+			
       </div>
     Generated on: <time datetime="2023-04-12T15:13:36" pubdate id="generated">Wed Apr 12 2023 03:13:36PM CEST&#43;02:00</time>
     </section>
diff --git a/index.yaml b/index.yaml
index b3a76da3..b17c79ad 100755
--- a/index.yaml
+++ b/index.yaml
@@ -66,6 +66,28 @@ entries:
     urls:
     - assets/metal3-deploy/metal3-deploy-0.1.0.tgz
     version: 0.1.0
+  metallb:
+  - apiVersion: v2
+    appVersion: v0.13.10
+    created: "2023-08-10T13:47:07.109173+03:00"
+    dependencies:
+    - condition: crds.enabled
+      name: crds
+      repository: ""
+      version: 0.13.10
+    description: A network load-balancer implementation for Kubernetes using standard
+      routing protocols
+    digest: 98066de601d7f6feb44707c6e0d57156d2fe90611a2014dc79f33435a9abb740
+    home: https://metallb.universe.tf
+    icon: https://raw.githubusercontent.com/metallb/metallb/main/website/static/images/logo/metallb-blue-with-name.svg
+    kubeVersion: '>= 1.19.0-0'
+    name: metallb
+    sources:
+    - https://github.com/metallb/metallb
+    type: application
+    urls:
+    - assets/metallb/metallb-0.13.10.tgz
+    version: 0.13.10
   kubevirt-dashboard-extension:
   - annotations:
       catalog.cattle.io/certified: rancher