From fab135ba057d2615817765dc72812e58126da340 Mon Sep 17 00:00:00 2001
From: Aleksandr Zimin
Date: Wed, 25 Sep 2024 15:04:00 +0300
Subject: [PATCH] [controller] Fix CSI NFS v3(tcp) support (#37)

Signed-off-by: Aleksandr Zimin
---
 .werf/bundle.yaml | 2 +-
 charts/deckhouse_lib_helm-1.22.0.tgz | Bin 24121 -> 0 bytes
 charts/helm_lib/Chart.yaml | 5 +
 charts/helm_lib/LICENSE | 201 +++
 charts/helm_lib/README.md | 1167 +++++++++++++++++
 .../templates/_api_version_and_kind.tpl | 36 +
 charts/helm_lib/templates/_csi_controller.tpl | 763 +++++++++++
 charts/helm_lib/templates/_csi_node.tpl | 206 +++
 .../templates/_enable_ds_eviction.tpl | 6 +
 charts/helm_lib/templates/_envs_for_proxy.tpl | 30 +
 .../helm_lib/templates/_high_availability.tpl | 39 +
 .../helm_lib/templates/_kube_rbac_proxy.tpl | 21 +
 .../templates/_module_documentation_uri.tpl | 15 +
 .../templates/_module_ephemeral_storage.tpl | 15 +
 .../_module_generate_common_name.tpl | 13 +
 charts/helm_lib/templates/_module_https.tpl | 160 +++
 charts/helm_lib/templates/_module_image.tpl | 76 ++
 .../templates/_module_ingress_class.tpl | 13 +
 .../templates/_module_init_container.tpl | 56 +
 charts/helm_lib/templates/_module_labels.tpl | 15 +
 charts/helm_lib/templates/_module_name.tpl | 11 +
 .../templates/_module_public_domain.tpl | 11 +
 .../templates/_module_security_context.tpl | 199 +++
 .../templates/_module_storage_class.tpl | 38 +
 .../_monitoring_grafana_dashboards.tpl | 68 +
 .../_monitoring_prometheus_rules.tpl | 96 ++
 charts/helm_lib/templates/_node_affinity.tpl | 256 ++++
 .../templates/_pod_disruption_budget.tpl | 6 +
 charts/helm_lib/templates/_priority_class.tpl | 9 +
 .../templates/_resources_management.tpl | 160 +++
 .../templates/_spec_for_high_availability.tpl | 138 ++
 images/csi-nfs/werf.inc.yaml | 13 +-
 images/wait-rpcbind/src/cmd/main.go | 70 +
 images/wait-rpcbind/src/go.mod | 3 +
 images/wait-rpcbind/src/go.sum | 0
 images/wait-rpcbind/werf.inc.yaml | 36 +
 templates/csi/controller.yaml | 61 +
 37 files changed, 4007 insertions(+), 7 deletions(-)
 delete mode 100644 charts/deckhouse_lib_helm-1.22.0.tgz
 create mode 100644 charts/helm_lib/Chart.yaml
 create mode 100644 charts/helm_lib/LICENSE
 create mode 100644 charts/helm_lib/README.md
 create mode 100644 charts/helm_lib/templates/_api_version_and_kind.tpl
 create mode 100644 charts/helm_lib/templates/_csi_controller.tpl
 create mode 100644 charts/helm_lib/templates/_csi_node.tpl
 create mode 100644 charts/helm_lib/templates/_enable_ds_eviction.tpl
 create mode 100644 charts/helm_lib/templates/_envs_for_proxy.tpl
 create mode 100644 charts/helm_lib/templates/_high_availability.tpl
 create mode 100644 charts/helm_lib/templates/_kube_rbac_proxy.tpl
 create mode 100644 charts/helm_lib/templates/_module_documentation_uri.tpl
 create mode 100644 charts/helm_lib/templates/_module_ephemeral_storage.tpl
 create mode 100644 charts/helm_lib/templates/_module_generate_common_name.tpl
 create mode 100644 charts/helm_lib/templates/_module_https.tpl
 create mode 100644 charts/helm_lib/templates/_module_image.tpl
 create mode 100644 charts/helm_lib/templates/_module_ingress_class.tpl
 create mode 100644 charts/helm_lib/templates/_module_init_container.tpl
 create mode 100644 charts/helm_lib/templates/_module_labels.tpl
 create mode 100644 charts/helm_lib/templates/_module_name.tpl
 create mode 100644 charts/helm_lib/templates/_module_public_domain.tpl
 create mode 100644 charts/helm_lib/templates/_module_security_context.tpl
 create mode 100644 charts/helm_lib/templates/_module_storage_class.tpl
 create mode 100644 charts/helm_lib/templates/_monitoring_grafana_dashboards.tpl
 create mode 100644 charts/helm_lib/templates/_monitoring_prometheus_rules.tpl
 create mode 100644 charts/helm_lib/templates/_node_affinity.tpl
 create mode 100644 charts/helm_lib/templates/_pod_disruption_budget.tpl
 create mode 100644 charts/helm_lib/templates/_priority_class.tpl
 create mode 100644 charts/helm_lib/templates/_resources_management.tpl
 create mode 100644 charts/helm_lib/templates/_spec_for_high_availability.tpl
 create mode 100644 images/wait-rpcbind/src/cmd/main.go
 create mode 100644 images/wait-rpcbind/src/go.mod
 create mode 100644 images/wait-rpcbind/src/go.sum
 create mode 100644 images/wait-rpcbind/werf.inc.yaml
diff --git a/.werf/bundle.yaml b/.werf/bundle.yaml
index dbeaadf..caa6e06 100644
--- a/.werf/bundle.yaml
+++ b/.werf/bundle.yaml
@@ -2,7 +2,7 @@
 ---
 image: bundle
 from: registry.deckhouse.io/base_images/scratch@sha256:b054705fcc9f2205777d80a558d920c0b4209efdc3163c22b5bfcb5dda1db5fc
-fromCacheVersion: "2024-05-14.1"
+fromCacheVersion: "2024-09-22.1"
 import:
 # Rendering .werf/images-digests.yaml is required!
 - image: images-digests
diff --git a/charts/deckhouse_lib_helm-1.22.0.tgz b/charts/deckhouse_lib_helm-1.22.0.tgz deleted file mode 100644 index 7a6b077dc75833f62190350aa20b469f08b953f1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24121 zcmV)$K#sp3iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POwyb{jXcD2(sF^%R(PW{s4eNL_rJ(HUp`6iG>RV$1p@C)u+y z`8r@XNMhUsIsjTS$M#z1AtZsDOP^c;Zg+ffCw^N=; z5+-yMPDwJ`JDFmkhI2ei{%bwI{r&y@XHTBM|L*VaSO0ha@Zj*j4xT(a+<*M!@w2DT z|7-u?>HhxX|3dp~!r%GJq{8CA_V0|V%G~edhg13^5t4Ftgl-PEVj?3!Qw4v2N0J%J z6ip;jWR@ma5fqa#WmLbHXv_sVb^3#5JkAm#hg%HK$Pub5)|Q&57=i;^rRDA1!8hHrVehBM6Qm`Ei9w4G3?&=7qQaWTl?b z@J#uL8s2){`fPu{q)g8CGytl;>VRT1k0-Vz~OB;?+D zunzW{3#9J^I@0Thh1_}((3xlqT~Md*Zsfx zX8mn8B7zY`oDb6u;q09vg5l({_#&tiHhhKu#YNL|%DC8R9;Ugytb128!3iTin{gIW z-7sW49Ala|;&PwZ$jpw8kL?5UYXW+;?Kvp2KK59 zl(_SZT~7|Li!biPWfk)pIBjC4#BC`8Ucm25zwMnktz%sSug$FZ+|qG_NdT(y_uDO| zj+n^om01fxAJ7y_6xaYT+#{MUhg@0c)4eiwO5 z;Id832_BI|)&#p9(@3EJr)f}++Jjpz-X-?xiwi*N&x{R)2+b%vP7;1g;v@T{BKwxv zbT0HlNPl%2iqH(dt3ieN<>CG;e^8odHWTd3dv9u+77#W;svD%0xtoPrXT-Ma%}2x9 z!=~7M35~EcLK4KdnD3}mT+Cn68C6H|B@1hRvfv#oML$?$e6xEL6q<;9)Qn`i5LX! zvIfA6afM+k%Nt+-!c2Y7 zCq(Q?Ed{f=8tnMvUrzDi(`Pc9`P_M?({-KxO}SJTMCp*~2o@IY^O#8+n4ps+({a={ zR7mv`RnzaxC$=F($d_4?Tmv~d`vX+jyBi2Hp;C$YR)bB;RWucp3##T}lwhfKRAp&G z3hn|qmx{~=ks)dj2?`Nx;4A2}qGOt|Fdmc8X=DQu7db8iQ}KidqXG>OF`ExGRvo@l zH63IOwmxw}|4rgLBIm!CnHlII%f@cau$@qA1yUY|l0=!2w!ssMj43)JpE(6EUz zl1Oq#EFqR*CW#1h{b<8g=&d#);)X`#IEr}2lyRYvr1ov@TWd<_g}%)`wLbl`pc;rL zI1V{W=AqzRg=3l!qmyL@Jm+f%iLpGj$>0a{TgDafn`1HY%*X%*gMl&jo!+`93{ zk3qTp&5Ng%Ct5vl919}li!Zj1PfxGTuCI3jZ=PD+fbb{+2xEd(Cdgod6_GFA*w!z! 
z)u`Z-O3+9R96*PptT)|IVLKxKkkzTNDmoZT?G#>+cj`%niiBWox?z}8&YB3VG#TU` z_Qe<57ss#8t}l;I&UPvvnc+8xaEc?U=2bb{#{+)Lh!A8vNXQLIUL5+O?%1oT@(E1` z#^DW|gUfkolg=$Hnh(@etE;T4jayRp)rPPeU+2ugv1*b(N9aadq9e2yNvi*UD0%d@ z_Sxm@(@=}A`rS8z&yKu@2#qO8;(P{P{7Shb2bGubk#>(qxyK)B#5FqdF1%+#K!x(Q zH{K$AUBp^|L=9ppJm53k*Z|%u3|z5jAbm0g`7I+-$ujAk_Kl=dG9v;fp^nq=goFv7 z$WXhc5EL#z2m78iJ2>>>$}wVGq3z|o)53MDR@(coTliF#28ENgTU7YePN2MazPtyh zZe!lb{CkZyWicD9QFW(rQ>N&_1pEO^K+na%*75IwY+dRry2HNz)JCGT1GT)3sAMVp zK1_u4Nq;a652j(EY3R4U-or9<7>xE+bg!d|HlNyX)HZdOHy#bCNxu&RQi?Gel87E` z$@*={AIO^Y-_KgsqPR{d?KgdDOVN-N(a%=&8tGG|(g9&{$|+MXzS#cm_4S+Z{Bq~W zM_r_eZE9#*w5tzHZ|q5hRVIg1E|mxI!G+&x&@HnCyKstMY?Q2N5qtb>%^#}T4t`5idGw}c>`w_!)b!uwS6ryFefEvyCajJ<5AqEc z2s4ziw~XI1BnXzAp_}V;N(4dWEn#%a*zY1sT|y6aeK8c8k8EH#9>JEPpPcb|BF z_~+PGILIbOIMOa~xkGE_tA;eFJpbvsv^Cw3&SUItErsVUsXN0Zb9S~Kp%=w(>rrW6 zy!!4MhA22Md9=4Tp=z3qh7q6b70K3m9VM)MUoyBk~wOkc(alh+J+u&4fG`c zTfwtb9-*Iu;Fm4m7oeYmRC6sAVai${XmUfu2wqQ!3U+nCEa87|v5KbpA7*!0|0^a5 zQ6%_fc~nt?>8vL{lhE7;i%C-I1GWatx-{F{4WP|?NEGTNs2=2!8^Ws8c1YXGVHX8y z3lDZZVYrAH+ugQ#2RG|N0Y0O~Yd59^2qH-tkJr@|{XsoK$5BM2M2cI-ZT5?1nmdd$$Nr|{X3Bi&`|5!R2VM$`d z+14X;tB1B8i$uYvzt%S=)I24>4$)Z-6bpi4k_r-GMPfu58si%-G(|4~S#1P2_#p?a zajfQ^$PHTS^-CVfda0VFjW`!EWq!BU@f)eE0r?|zsV$q7d6l1&>+@@4u}*BJ97xQ! z(J=MYeWrUb%|;28Q*Cx0X&G8`hg_Z=qHN5?%9u& zd-evUo)|_X;kUrGWmwDQ7AJ2t&shp=L-wGY(iBBgOtmgH3vZ|~7!k^BJf;!VgF?5B z^8*LyhGHGjE3C*kORkAR+qt~KZBB?nmptA6x-zN%8l2*2 zOwDue^PL`=p7OXs;x(K5#}!y6SxNF^*gYHoAzWS7q&icI;6E3ke-_?-$stiV@vTRBZms`pdB1L<{7&3@kx%^l_3ABtZ;i{! 
zePB1v6;^`ONM*NE-u&9}=iv75MOi<4uU|;v^KkkFJr6$rzI^^?BJ>4t-*_xHUjlH!W71y!KY!cyX?w~4{B7H(on`+02HgO2wfD8Z7;xJx#fTs>fCy zik>g7zv}8m_AGZ!^l&mCt*_)cCNs{i$)~S)uK606F)_#kirzJo7ltFNmQQ}VRJCX5 zoTX^qFo~4{&(%)X(lL}Tt`z9XPT??3FGA=X~>|H8|$z841 zMi?NT5`neM&^fETMCdJ<9|4k*vD(wpueF7$3^fEA#ff%kXYQNV}P~x7s^`k85gBc78rd9n_SLqJE+R%Z9a;sw*#737K&l zS}cK~Z*gJ4c~cEz1NzRTuiNVlH#)1$m2?R6BT1CVFcv%wagr?Z7^NZ)jnQVmS}=?1 zK%HElhi4b3m#@z+-c(D(=pZ~HDi;!*s7SGzzW8GM^y>V_v#apx?A!4A^~v|)*02niZG=2EEQ1{N%VTG{Zqf$J(NFy(UI_p>{0mOp6VW~ z5_&GIa-)IfD4n4=F>rhV7UgD2CayH}ixr=iab7?3UtS3*S~WH4Dvi;=VKcI2s<`Cs zm&Ckim^fS2uIv@NP-`W4iYM4yh#q`RO<@P1xo#U)8k8})p%Ll$C?+>8WgMCpmRbee zyZXszU;pGj&AKzPc|E(8}M5bY7tTe*v?!=PCXkH8~HPivCi=xiQ7hGKm zBK_Dr-_8xe{uY3QOup1eUxd>Ci-_2Lu1@7Me-G6-ee80T^dw8&a`1E1_ z_db3-He1U|P_M(Z_a!=xWAxpdH<#h%)$9NM$1eQ)+WY}Wk1t-^KM1>_f-`f#84IfY zwK-y*`;iLhn52Zo5^;up1_F>IN>MhEzihiS)Y3Xt%%e=h2V1*$b5Ojs*LuOlH6~z~ zs#)?V#RAWWB0>&~=aBX(Hu)ZKFFVC5BEbM@HDXXXAP^9s;C=j*WOm!?NH zfu+$>-%(JqQBv1y6P4_gm0X*!>UcV&^#$Xm`Oynxwt^21pAYwk`@@3(1qaXmHavX# zWN804Sc)S1@RZLmWy|rx|CJke}Nxiziz0ct1;kO|Eo6^ZNw0EkS>RGFVfQ#b4Cr_VL z05O}Z`s;1;dBwteiA1#>DLf-dge3{JCHAt2cDxiYb9wIfWM0J>=>9qO zhJBFNuyy{d^ue&&K4%g{=Kg>_&fhRzykM~>GHB+}*67yy(Aew`*H3FdyhZk0;gOZ# z$z_5WIhWtTkT`ZD;%-#gzq+z&O-5H;fu=aL%cubwb_{MPJ8aZ<7u`;2G}QxJ!BR|& zMsqabd5Q(X62aY|odep(youS=A8K^jfGuEL*{+aEP&Nrl0n{fQR4b9Vsj;*)F_j@S z_=Cor-SOYsY($`r_MH|07sP)DPoExCamlC3imFVF~Y-0 zs3Y{j8oD-PFs4zl#NnZu@UVRa#OHGeMVg1Pkr|lV=tC|9Jn&lLz~MAHN>I8vIYUx6ja zB-l&1?8#dPiZZGAEKe=oj)+i$8D@AwM0cK6C-wIgy=!a>qjw_>+o-ZQgKJ!w-JF>_1F~SFZup zZT}CR9UNBkKlYzIeOUjwmtTMT?@!ko!boG?k!cKTIi|5$N(m4bc2T7}tD^x~^8)!= zQft4M@tAn)A@{OHTr#O`Tf|0EmEF+B#wPm`1v5CGUA}AB@b{weiy^%8F_f>dFMZ#= zJmkSEReBn<=JR=&)`rKQE)@bMzoFoiN}E^kMTuz*uW9oc@N{eh*Jop2m}J^QVHy%E zycXts`&jT990*xZsjU2E$8fl3^{tK`M->t3l?l!4S^RS;GgD8cKGr^?G2rWr`6@Um zcnO+r#fQ^~og{hE2zE*!43G#b6#U(M`jw^1`^F_Wcp{_{%`l5GTrUoHk5)bh((MI^ zilY(_AJ7=nq{d2-{7_=AgEOB<6x65;8d&YtjFukimPL&Ze;9w>Lash(Ais@thr5$P z-N2ZVxJFTXzKdr#Axq|qnwMDKR#!&w!qL@BSNdS@r#pRw;l{b8+}5uv{7RXX-~^_t 
zCw^{0@R}v_bN0j4d9brn!VNwA1AEK(EklLaj-0nD^<6W0n8l`&OL-Lb)f%=PoG3wuI*DN-lcOD#F!lN>bncP1JqbW`j!X_k? zJh{<>y*8Rw@1hPY8|*g|Tir=KmB8HjB*8O9o<0tAOvbZ#oM557PfRCN;e;psdy zTSE&|l99c{C^Q=(kkHeWr)*jqasO<$pFA8JEIt5$2L`2wai>BkWiAtcO4Yy1t88m$t#xkbv%Pm(d@z6d?8q%Tuk}a;evo&TUHjlvB}FB2Buyn{axIP zRPD}FtT5E{`QMUvY;~?=*nGj{wydB1$|p57lVudYw>>E7!F||(?vZ@(2}g3%GF2PN zgU<78z08AYU8JMdeL>KHx^*QH)>{0Pn^`6m8WB_@Mf?3$rvEd~$^B7(z4rg1I^d@E z|M#CiKX_W(|KC4+*#EzeUw_X8O5i7a<@urmZG<{gzTn&5{>NfkcrNbF9;bBGL)qDU zKuXZragw0mpKxc9LzdUjEU{CH=^V5bBDc~?_e48?!t|W=F=|Az436zQCWd3`j-S`5 zsZ^LR(AT&kLti3u=|BrrfAVK9Kf;wmD8G;GG)e z6q`gvA9Cw$CEj#)T^tKOv!@i6*pM&N@H;e+cefsakwI`Dpjo?|Jq7_rcT059>eo@mpfzQQp7r$ft6< zd^(QY!y0tw|1WyNtvci@278eziwedyq{~)wV62d8&)?Y z7S#ZBcBm6wck*o;`iHH8&+pgM{!>+4a=5euSYZF39voKBe;+bj72$*F2%svJkyoj<0uNH08G}WPHTqd1x+L@&aV@0D|Mr*x0`Z%hneJz!C`( zWkS*$lFWfUxU3U$>tlNr5GB&fyD=F1`KiT>^eABM-kVRngbo)Qn_LWcPnX6ruwr@t zzWf;gE3OAyYF6#t3!9{rt>FVKMoSLoT(r;nc;!GF=7nx%Vn zqJm$xTJA;^89SC2oLzCQj!ZS-;`tAfh$FOLJor}dEHzK67X%Kx1eBUY$~W&d)3{Z; z;;eePS!bfkg8D3#%b`|WByQ5T!qor%$4;G>|A681p)IVYFKv2YIX+klJ2vQtLGP@yA ztw}0@X;I;CsXCdT#$cyM z_Tj=?&2xiQR#IDH)?SU9-!Xl5b#eAGJb8U_{pRY}U5o8qp;MP*DT{t%e9e`Jc(HT{!`4;ricUE&uE3ljjffzx(+0cZ%f%>mk~XX{2MAG!0Oo^8J{U zGs2X8MA;F|rW_8|kkk1KO@Y~Ed&i!JR(Dl%RxWXJKzp4G<@UP&xT_*rPd#iAZdalf`UPSf-pcIP|g$j zfHJ12N=Wsv>8I|Jd;Rqq|E1EB>)-!9d|bW%;qc(#Vf^3AuYdg4SYLFh!ms(g4~^Fe zz|scXql?DB#jH;#SRtt%5yJ1YtLEzJ2}SOEn)u`EpeJts)c7b*x%oW|8%&7OCDdBw=0Tz;1U+UFL`VX zvpvwPQNg~_MDQ%_5NAObPBM3(kk#IjFZ2sk&yS-NPR_E{Y=~;xv_tMp+J)})^u7_Y9UFU(j_s)9q z^zqYbXTh^g_szYHL{GZ+HW<6O{Cv9DACH^tbHTaVQ19-qrMnD)o9!5vN>WKADW{RF zw*wTNkXl^1-+pOnUIjk2q)$O#;$%@&?#P~jLkIVx0epbS&qV}UcXaJD|68z z_BNW_cv!o%1;Me&#L$B}g!H<(RAgo>u_TZPvqq_Fgyvp0jSv+G!AfyBm25t|K6|Ng zLz)s+bVL)X=6CCrzTB?ev=JP?X31Qewr_Hzx%XMr>v}kXEX<*8n{bnm8xe`i>b>4#Bpr?F+kV0Uwq3OzTVT%aF&go;E{p|Fb#%2<-!2`C;3O$2JJM)V z68EakyiO)RGZ)ol0yMGC1{}Y9`N=gS#4HYR90#b#D>QZNzdwKZGC+YgRF`kAj!(`y z6A9N8zU+cBIsE}E&u8xH>5`7!t7;WeTE`Z}OD$hMZsh0FXrXgXX^fS`N 
z`%$^iPqF@Rnse99&`lVzT~H~1@AUk1W194NZmO=bf7-VEe6Jq)KKB3n<$u_dK%1%m z^7zS&_P8jR|BUYo43v(dG zFO*}C`;vDlW|DFSRrW(Z9w)l{j$YVx`vRgpuHqdwfLrJx@Pdn~2JUX70seOe*I88_ z&#~sT{`^L!Q_}RoO%w;^B9rcN$DD+I7bcbpA}(P41^9_Y=V-iYV%^~UQ$nGZm?Wy) zJAoY<#%`A`s+*+mfEuqsXu4;k;p<{_l%?H= z>GDk>-i8OF*rafLtFTTdq+b44inOtim%Ym zQ6>ao@YgRLQ(rw}Ra1g;90P-c*==UQXCBzS3KS0sqS9_o;{^TB|M|aq&Ktw@IVTkE zCZ6*QMVRT=h?+&`6bnUhlFZSBFe0#`Y*G-^9g6mr(V~cS4aZZom`F?n&v#YmZg})YkThE@NJom(6$fd z1CnV%6)aK(dja}@62f-S!49g4t_sCr?*n4Ylh{;-l?50a#|LHTJ0ATu{!Ou(?pimQ z`+itu7=D}Zk*$bal1#Aoztq5Xu*Ut&<)E z9e^~Sr3W50`u_%j|72Ku62g;i1Tvu!spIJ(7*n2o5q$5eu+m8~@2qU;n;jbyH5hwI z*(4!_9jjjfSVHbP-&38PwyDDxG8>&zA@j*ybpq%QfSU5Pj{r9W$}-Zxu0igtgP{C@ zqwWR5X{ssDpVkkt{a}ioxIQXf>uFTb`5w#o;YQYCsW(ZQjXGBd&CI^uo zVmqz_*4N=drz9J6bJ_lHGZaG<6di1qkpg2R0`x`xrZE&W7w=+ZKo@$_+3j^YdW2ZT zdKeqODpe)wE<+xXw~ARHpA6)2RGq*;Tu*AKS0rzb|3-8pEAZ)!SOjD?{$; z)^Cm4FA$>j)rXbgkO7t#L#k0$q?{}-JR3OLN&e;a7Q`QL+QwfX6_`5t$mt6Y!pu0MtmRr+3?^E2G4uwPoX<)8> z+2F8D=asphuyN6#X)&PU$44k&F!)IqjEYuHj~Wc5WQUMLm@ z!t0Z(ah-c7H;trHs(4KI3?#y5pjbP^a0tO5%hQ;LZ1%2 z{~aDS;GSj4+6aI<3m4Gvc+)gIUQEN2P1EpX$E~gGeW|tO602y6$h%Y!XLD|#yJMSARqmc{TXzrF>F0-8>81sWD$5JJ$o&E ztDP=vgYA?@aP8~iS#hr#@^6{nZfp7hDSi!g;dUDL>`I1BdnsGEvI6YN?Y(=5?ME?* z;ST%w%6+ZD3`Kdj-sj0{KlFDdYdffVqOYykMB9k=?}CP&4R-9-W#ux*+SX{9{6K4t zr?K0AmOGHp_xfUc2W@Z9@Vjk|O&T;H)<3<_j)e=;29G3Rs@iBLs4}1tHC!}V+SzT} z?5$YG^55;ovecLP)@#YmF0>KN^>3c{=dr12P=u;?T@^3|hYNdL{lnCPE0rRK!QZh$0B7!PKIVcIfcst8_G7gF zgyrqUQ_W&UyU?ihFK$=qXq@P-JfHQJX1$eQXwbdHT_@}JH_u#twVbDVPR_+(iDmQE z6e;NFnFUMc%PEz@VnS3XA(RXioe`d?P?CtV*jG0Drc>48e`Qi3+tOST0kt#%Hli+0 z?X6i0XzQbKchxt?Oq;g70TOebDMOaLT2d|WkjubqQLDw7bv>i~%CbdHcMY+Td;R&x zkJ3*xbj=(b@Aal?taq>fG9Hrb5~z@4BD zW>_jB0#puz%w*F=!5MqY_$|xnM*j@{eDlu$Dv&pqtsRy!Jv}>qWvy#jAlkRxa`86d zIF=|T5Jz#=Q&1(z+{Y!_xg09@XV+a*&ps?@a?f@VX9V%_5u68NE^QLt#m;JBTDT(NqMi)FLCp=^7>-iN= zNQ0=f2CE&DdtahePdj-`27)J~yk-3UeZ$=Nb)RpN#(Zq9K%zVO z=+jo31v*N(fJHM;FLO(=Q+;FU*?CacKZ?3Gszk+1S-(*3^Zs0+AWAX~;uQb_uKKEU 
z`M8NjBzQ7N6U@j4hn?ei1ySD@i5syD3zuYE)TMYr1THGf^^Um~%)mXk0oqnsnh-Rs z1SD!Y$QUgC;e`I1#P%W2)WDup8l-}c5;BvuyDn-WUkTwoOq^Ga_&h=zn^^tpuIb;qNqVgmuvc z+O#ZbKba5v(w5_BC$G&YduHIMI1TiZ9lA$oLT`vfDG@UY+u72rG)@T|;)lX`b`il; zwqbLmFl9=j?M&K-5zfppf$kwy*b6@}aLN|u+UDAoZLOaP(lS!^zC_2C+M|MQYVKaP zAw|K4Sy`~maW*>EIiqYM zh?D~x)FnjJRI8cL!tE|1)3xkJGVM^TWIGpyf1xYLrR)-yyt(cxNd zp42=g)d09yx>ShFQZ+~BB1U5YC+2bSk@Xb6WC^*ric={7mnGJkh_z5heq%jeQaW*jATY%CQcQsp& zs8T0n_@%S4SfcMr!fGC?C9Sdgbpt1j`jruB3LGjl1sY;0Q>TUfMHxGNb+5cfP?`!< zmG2u&6RFA12fHSXGE*9h#3s&OVmqOEV$!{t;G*%xYtoJLlTB|iI9Yw|3lglY_RATI zxQIC;aUPIZg!_Myay%Ghup7M&LQ(qpWh{g&Zm z3z?J>AlA<-^b~DnkUmp)fMR96kq$3h$l7|++y7Y9kImux=hllkLmTOVwT~okm#JI& zP1BFhP4-Q?ztuVin(GLrw75Me&dHrzoc~3FRfB1CD)_rOQrv`YC}Px`2Ih-Cuoe%2 z3Lfhj#L3Aklp`>a`=%G@d&Dx$Q?!aG%CSv(Q=`x^o+V9~3EA;!Z<(){z9pI-)2Ou}N3c-RsiG-?>ce8sn(hDp0n7zwIqgcDz(K#kZy z5FF2~UEsq0BZG^m;S5bCY7^cyC{&r`l@+QYwTeQOBVfjrVYZ_U&(wgA2QigzJ6g@i zjEnieiKnBb2GplrO5;AwGA0O)rg|dV#VAp?T)Z7*4BudyK4)Go`X&A8DR10*vN)nkO}D+NDV^BJU!SDlc?hze+B(-?&gQU5VT#-PFPvCX|h+ zf`cCkmum1^#zi)3Ycl2{A_K|?LJF5cGPEKBJK;WG;uG|gAXFI43 zF+}e0HKWZdo9FUtuY;;R3K$%Mn#pa8Lrljmoi5&;|DEzUjHwhEoYoIVSv(=j-u}O^ z{^$Oa{c8UA;p4-H`k(jm>oMHYcofE%%s7*z`My=R<#2iWHJagf$aD4Gr%uX{8xv%P zejWAY6Juuh-46vdN9bVx&;KEnef#|ujDJD7x%*?an;*zHB&2&a@ax0NacGZP5H9<*?3c!*?s#Hj)gb5Z}m7ZpHd5At7mCreQ81%1x ziIB^YxIE5jtx)zed533dLVnqvDwWEky}i=ZJ?2rS>43(2HwSxm3wZC~V1GcRGMnaJ zLd;anl1IfAaW0DtcGL$sBL#yywJPstt$k9h^q%*gTSD-Ygc0)XcO!oFOO@L|4O6Y)c&arqadL( zS{YXL`6P&Ik>7p^|{q2TQ5>h;wTa>=H-V=2Ul zW^in!CO5FAA57BfppxQS4>_8WMwa&dHz^KfN}_xcUj!q@^uhz$``-fOVc4jKd}v7xgO&42GE|04KVV4Y`XBE zHkIlIic?h?Kn$j+V(}ij4c-*h6uo|{POcip`;HBtK7QOX z#YQiALZi7R$^88aY=s8gU`36=$TQI#y9JEAKjD$Rw|Y=KzNnC0sEV~eGyLw@Wd9#o zLl>o48$A#?;CHB;$P8e>8n^OcodteZ{c=XxlIX#)u7th*Wq!6RHcPoj=*l|zV-|yJ zk(Kj_U40n59*={&l{Q>1w)?w|mEldplx<3ql$feW5ob37Bw%eA7I6)YxV)nvc%l(Kj?FQYw50O ziI@IvL(%2>#{Won4**-fXIf}lwOigU?3SVh`e4N0EO$H0^kBbQ2>VqB?1kXJT?qc$ zZtx2+yjh6h%|Z+dkz6iBa@hyTLOf>+@tpO6J@NEK`DQW7H_M~!i~Vvj_RBkA?@P$pVnWW=MMx)2Q1Sc~Tq6+tzd!E}{`SlN 
z?~6v#7W=KHxux|8V=iV`9eE6SQ^*#V*2AOeNz&VFL_#sbQ3xjr{Pop_R3guB`7;1> z8odIl({U|8U0_^()4vw{!g&de#~hm2st29#8>PgUoXv2p8tM^?mGVaoYAh3h|*;bpdKJ~Wjz5TlP|7A*|aLh$GrITrB)97fj zWHI0c`~L@r`_HQPza2h5eAxfLk6#a?kn%XhOwqg$w9yD$)G06B%%F%==C*>Cg}Ri- z$bm8ob)DH3NpT=BI3O4ks||T_LHNSEk_KA=BA zr!2wo#=EE_(8KkJqM3&GZDk<~{0E!Ezhmf#}^*HO0%OTNLrT@)B3Z%`Iz6$)p zvbBn}FUqZl`HMP&jk>o|jRmM+chaJavV{x@bB7ISpC zzyGB5qp4Eq(ca$e?d=c)njsgHy~LoBdypvm=IrX#H9EdHMJKN>PS4+*zrMIe-@Lv; zKU|;fqN}sZtJkMLoao29(CYO3`pwn(*FWed0N`MVPV?)0<L%Cb_=-daNKFOL zCR6k`#BDKVm#kQ&i;Egz5l`oWPNoX+TSf%p0uiRDnj@U4DHpbyid#@^_yVf$QHdr3 zGsp*0MbCN!kO@xE8Gx=4kul96P)`t!0E(l6#Rw;f1p{Zd%_~ZzL2Z-ab`ciD%Zx*# z`L5G{CJg$RHOru|qG6m5aB=?gT zuBhN+b*t4Y&nJ$_E-EDoTQH`&{7kJ^B}kRGoCpOg04)L}m$$4|7!m ziKdv*2)hBI1ZL9YU08*JCyD)Yj4(3d0dTuz1}%&Vn>vi8P?HgevusWXgL0d3nPK00 znH0hNMh`P~XC$T=Vn2`VpSXBiGYYp{yakHE4rxs*h5%)bjeGzY(OI@;I3}nl7h}f1 zXP0&n6!o%&F|{h;+%7ol#<-#p$<3P$Z)1&Hn-!(BZvhE8YAuLu%#ckcHwOrz=u+%% z0Wo*N(0ArKjh#XYr$o>jtmq9v0mvOU;#wdwsA_=5(JTYYy@h0C;0VtTEa;&aYaCkp z1)mvPrBOk5!JSx8PpdEnB!)`5I6;EkQ0Pjn#f&REP7q1(hzs`@7p|NA(PV*XF9&BS zLHZcoPI&@@0=c7-4Sim>$IecTOT&K`RmEqeXDWl4smU!o2f+w3!!#eCB*g+WMau=) zm=QseIZ7yd3xXR_271EqjO@5hhqCfx9D$SA^?YP5)EZH6T?!u;y?&xix%KglJzgCH z`H=PSCnJReF8dci;>BEyVS@AzT%>l_+4*MC~fsQ!%5=Iw#-H|s;u#F zafiK{BuX+M&khAZ1a`a@R=8dUch~7H{6IxpWk9d>eMF`>86!S!4_^9tdlck61$pMa z_V>A2=3@j~-hwk4?do0_;RN*PR_N~-1Roi*(nop}_(CUzptPKnECvh6U+#9gqTF`* zI5_iYLNiSDyc(`bkh{Li%0nSj^;h~PoJyGy?Ls2(k+y~De(m{8w35eKzR-6)Gg8t5 zPuf~;F_lp!!OH{28Q4o3M*ajAuW(J|ofATtSEr8=XELQx#xt4B(F}{XB+iYJj*eW& zMI@atu>F)lAAw*SHBlR@;DRfJkv~?4L462U;_IAkHv$)iJiY+6eVkR0LT#QAAq)u; z5wPT=c?nN32qpO~BTOY4ZNx>&jl0$XuQ&XRAvzqQZ*^Fu(Vpb&yT}S%XU4f&U2UAq zc*D%M$^=JK_#7u{J{Su^b`ceV-0%pB!B)Mwo&T9z`pj&L?CNkZ)p}gBbcH!jvr$5$WUdu8 zP4IlTc#;xfT&;vBHn8yLZGM=a+hPcoYZx2cIoKA{L65x-y2RS({sDSt+m^h=62bLa zHbkO%afTg~8eYBLo8h-)*OXk^L_rn-gS;|v7R9aZ3g_#F=zOgE zKc5RpMU~d+yi*jN*we2QtY3qXvlI92!eQmHwct_?Kwt=xdNUnAnZGGR7$x{tW>jfb z6EZPQ0IQt%A||L<#V!K}KEV(!?Nqyf6BV5^cWk--m_ekfro@C|WleM;lbej%k>VyA 
z#Tc_L&qYLs#NP4TQ=J@dc@7`g*^AjUeWkwBiAZwM06l$t8tUg(?84)w3bCOKKs5Cf--Ir1G^fFo3w2 zLqMAnq1lA%Az;J_RX8qWBls$#Wue78+GyqdZzq1btAmTzZ_ZE70tB04THbotSscim zm~}sYba^JAVWiX~3;pGRa#K%?1i>-PF$<+5jbe2N6@2kqqXw42Faj*>_K~Xxrdh&` zas_3>3MB+fJ)QDb>Fp=QXoVZ4*F8Wu!m=aYKaZEH$Mf9%v@#dEYQDW_rS`0}F!1 z5WSh&?OIk+Ln{@pzae-qQ|Ww>4=3K_RYxdga_rawi#0E;&F5|d$Fcsm(DNN%BRwdN zbSt4gBVpG_U(&dwIxwHYOd};M&SoxbEoqE1EN1@ay0dE2K)~LW3yp&bR;$p++}5Z> zR@FZvn6`b3MiCXW3J6_D>M+xhfgvWD5hhm7ve>^4H0~?wAZj@WWacP zMSR>q&2BMlToL`|sffQimk%X?r%`*Wc?AKr-Kvro&ZF*#&rB$-^{BKglh0HtGl5cv zJcY@Q-3c&r)glU%L-Yenh?LN2pX5u}HK*CiH_i7w0nsUpRcXd;MF{J9+=Fe4*y93&rNV0d$Z2r|LK>?>909(FI_ z*$};P0f@U&#l_JvC+3<52)Vr-AuV{jp=QDtw~c{kM0yd8)DuE+L!smm{K*BfI&2y{ zrF9hV7OPHnn(EHPfKCX4C5QYL)1{Dbi^UwMp$x@DMuLuPSLBlpI-<SvQ(ozgch4 z-~x=Ko)6I}l`wT8Lbv(}3oVy;=ox5W$aYw=NH9Efz(AUS;=hsfSKb^n%?)49E&`-x#SH~A`&d;vV z>nnd-{`EKL_~IYv`}2#_T|}ta0e%NJ2^E}Buq&~*Oj?W}SSQ8KPR-G+5fvqsaa3$9 zyg7gK@@yAfyuKKmUwm_Qe(~+utFwzYyXe)~)ya3q7jKTgK7V=s<{zL!-<-d>IJ-9K z1IHG|<^OGN59$%r$AFeK6U!NIoYjz70lIXdbOgWPjb{$}6#>@)K>Vnf$@KjJ8 zo&&>Ul)+jl=wD%Rz4cPF+9+iuI?7CY6Ha549mTHH>S;zIdL28>J+Iw33~JG=RA z_ikw^H(&W#sPEe*P>?7l2^~Q|2gFSTmoneCa3~eRk&>`G-aI~x^(?s$F3`wzSwaD^ zT@iq;#WOr9ui@*jT}nWa8~}Ib7mI9^MKsodt=US@0gPGGr8sdworR93Sc`}VgoW8N z*IqpL)iO&|b)pN>%yJu(nJ1Ll&h+f6zhbc6xhL+Z(rhQ(DC~su_?9OA+TmLy6;D$< zA-fP0WSa0Xrb#A@H^Rv{V?}TSPOu>pB;vD~R$gBo1~HL4yP$_~Z**lL&cetS({X%5 zVUu)h(>J7~RtPS+!Gbp<;BP~89BH4RrQj^D#_U~dpm$`(sLIDs*S(aL$A%cFXL_F_w}DJ$&pU>TZ4Acr>@cM#0crOQ4Wx9?ai*+USLiIW0zk z&n`~2Uu{Z*gZIammuDBJ=l^}AyAW0j(lnXd^aVe4Prn0FZu7k)gwUIwAMDyRit=iL z3#&Ozh%mX#W;VB5%;d+EB(X$i~X{wy^EQxi9pVMJy2cFyZ_GTete9jbpmv4l^q}~uP zL_ZOP6UmVvrnOxsbyghO8ohCse898|!pzh;W4ErdZ^_BAU`0XDN%#L@l+m8(5(|d#6p2c2y>=0a{x9 zh`s4jS#x&%Tu`*F8|3MhJO4|Aa8nU&1B~agE9WkPr_9bk!7Ap;lt(w-grARKp$wN+ z>zoc_YxO(Nroo`P52EFteVtk7fOmyUDo*;K4kR&PJRvf|5sa{Qg04n5YT>9_tt!G{M1*z1C3?DBI(+7$ zFLdhfnxG#9tsyoY6_&PF!c0&fWm}sHvf@&hYjcxG8?xG!BVocPGSsd*B=3~K4agUM zQ|+17@AOmvKJJAjZ(U*bTf1q5PT;@+)W2@y*KII`=5Ru&qq+vEeG 
zHMkAE|GEc+4q}>`RRv_a9Kp?nt%9<80n@G~rv3Ld1XQ8Cc6mDns=V@q(Ujk^kns_Z z=iv=cvc}F|{83vcHhow`Y|A06e%BW#iQa|@W!by%EfI_~D$}BGDzY}!#oAb)Jd16j!x8mTj9^jd|depQHMaDub z!%XI7UYfA?`?96O7Jh9sZ56!c%e&z<&RtK9wVe*fO&z-`s8uP;hr%kf)uU})>fZ=_sCAGC2ko4<{hDTD7S&k*0u#=1}A;l1br*;7&DAcv7C-L z7IB?|iD?qXu1Q#&mXx8;l8_az*YlHV2X=ne8-5k4q->IqqOA|8`mRAjmx9lTnvzVS zt1KaP`J{P+Q0NBDB57|`rMKF$3rfeg<|?gFMgpfK)bS3_lvZ5M;x?F_-#FP^@R%T1 zJ-WVt$`la{Cw207RlG5a~^dg5TC^xG_je$UFU)Pr=%WoXGtNiYiS9z788qmhO*-BTK z`-m2|uG+jM?n+;XsQI&A7~M^)3vsxHy`Z+-F1Qd$%XhtSHr|`J5M$$4ReYV-9r-9a z8&;wAxQNGx-J`iv@avRBus6JTSGVm3kkTk>X;Wor={psCBujtX3ww|1-wTQ80i%PK z6;Ln2wDsr_DsTVmM~_ertGva(wS|u37=8EV&1HCb_4>d6u?zpcHh)0w+{J7A2Vpl< za0V%QH&{Rlx2#+}wS{7m5*ACu8T#2=I3V?5JPhw!x z6@b-8rnK$W)~}7FTFd;~OSOKrUmlAI&?2|C256Zwu^{)_h^mOboC~qFl~>C(H?;(F zA_GLn$VS45N;IXDX)-U$bnTk*!~gSt{%`(qz!kaBA>X?zlrI$H@E6iYJrii2V%_?g(r3yC{LP|HEFo(oJlk zI{_RDOL0Vkbt}+?gKW!~&tDfhbFueU;1HW4@L~)XeqJy$$+Oy4rln?0FsBlM5Skv{+s-YZe8j(j$@Onn_?+R>`Xy1-W@RmOAOKg>;ajH zISGq^Dr7Wb35hObG(ZRY?Ka@d!%7*Nkr6d_H&+eW;uNTLN>rG;%t_o&ig11dFx^RV zIV)>*n;j`(%`$Gv^zz28$ocyD>`WN z$FTl;kaD5N_g5RSnaDyf2^TWonx$E!w&gOk`KMs+%qtY=*e%c&4*n(kg&Z{$>riA~1}g5U)0@*Dz1YwsG8*_lTccGzK$t`}6XS*?bHHKBJend`0ul)*kzQ5kvLtz(Ns_$Q0l}rhQRZ-^{O>n{j#P$)WD> z?1l(iY7SGT?j(*X(Vi&2dV!t{|28~$zJZXZi3LD&tQ?Jdf=r+O#Ke6cmllSu>)-(7mH$M1MiZ@rJI;F99RA+OP7*qKk5o; zAMEe%!++K-<{vZ<+L;Xy`WD#Gf2=4|<8@Y(X+@ZUfwj~ET2J~myhgL?X`%Is4PI*K z1Zw+8*!P-2opk45m$IU(a`mZ&oqLY;h&KnfUd8mlekS7Dka~KI-n)jj^Y*EwE;v_f zk?;Om1*XaRM56JJ(5)sJNg^H9p;U0#DZDa3PYuj<$jPU1!(v+bh@U6B1%mS?E_Oc5 zZ!aChvm9Vs7D?CY%ZjuYGF@6I{mvAwEF2Bq>=tYAr~q%u0H!Lxl=b@TrN#u4JFKXe z@N{S4_2co=DP}8u8xZ@3CHm=vSR80vMQZM{_yWqBBvk;s!yxTGPP!(3O;Su@zTny{ zhi*;M=w{>&66$lDb)9nB^Z@I_&u3_`nh#)h2!3go0e9$lNRUR7x{SR|`ie%@em8yK zPV27UrI>q-TsMH#;4_z_SL&)y(nF5%02S++@V~+L=PzFdD7gN|b$I#a>iFbr{R^2d zH6lK)iecHl-b|0)Z@2vic24Ia>Ly0tu6HShned*UZoKVX(UeI7)vJet70rFxHDnS zGZbNF@^wwzkz%1J+&g5GY&Cy55&b&1C%46jC>TLMdu;r&?k+C+2RV$@=e`uHX0MYk zf4i}x&x&*9dluZFknY~y#k;B4t6Gf$*fr^r7@3y^-@VwVLiF|q3jvy>*kH_)n1}#< 
z;Z?)fkZRZwK0xRjKw5cQh`MG4s?|6u5^S%s(J<_b#t0hU^ME%v`}ATvSKjc>Gf2O> zx1nBSkwS8WASK2I$aGQJ44ilZ-FD*KsSSlH%e}kL8~a6r0W|10@~fB|MSQ=KY?n=E z!4_X;@xL;ukZoX(Eh&!7hj1C5xWNfpT11@$c%rj!)-Jd=fInx9GGuWZ%TcOTQxRjY z!ZTZ2=tpxB5t4x1d*t2^QEknr1PC(TUDCe~K=<=47jF}eV`kMCO9hyS z3uIvCFlytfM?s`ww3d28lkyFwiG=IH9QT?i%FHeriH$I}YAiQZOxoH)U;FU$OQ13q zaS?MyVl&z)bL^}~zsq@$-36IyM4H?6O#=dM^iD+On%YKGb9JXhWNAL_IoTj4F`Ofb zhyEd;BjgVv%;NTjZh$FFdmk8YVb{ai#&A;^s&%kin2$B^kppYvqFxAV9XzbDCoHHo z`uh~!GQ~nFCUuU2isKj*A^yq5`Cm*vG*lxng$NWk)&oV1qC7uU!b#IOOU!LdU|Mxpr$4tRL!okr&1wM`#wrfa zU4d2@>2*rBGnDGBZeb*8yPgdqNlUWSJi<@{c`=SouFsG1r>?llEtbd|1V&EQ4(-D1 z9B!^=97U1>Pbe1jhQNK*R6A-jXsKGWDgr-C%BZUlU7O_Kn}PeL8VNVb(^aK0@lZ*2 zCnvAgDu+(${1PCI_4TULV84i-H|@AQ{Tj{iJCw1!*igS&tq*UlN2kh_{c5v$zj~iH zXLm2$V);0KGB8i<9)Yz9yWY+F-Z^u)34VPuoXav%#Y%lsxxosji^~T#ot4O6>X|)g zgEn`{to<3`3t~UK&qFm#8 zdRWH`r0037C5Q_;I=j^veBK?|r>9)e%cj1$NikgO+14dGA~tJ)NRTlRg!L?H)JaJ` z_AF?eQhOxttNhtp%HrZLI2D}#m2W41)zPDi7k><}K%n>dd&*+}?+dr3@uosU zvDxwaSCy91rCVF>psp-H>`R)|}w*c-sm%H}ds8?7;Q+N0l_D*?x%oKH-IObKck5bi{ zr7P@~jxf7#iy4)6aPAABXNvu4yi3#N3>jQ@R^Lb7OOqOGWR$I14!Bux{^8qCCd3}p z*Ob~d4vK$0RRC1|3IR3 I;{bXB0Gzaq9smFU diff --git a/charts/helm_lib/Chart.yaml b/charts/helm_lib/Chart.yaml new file mode 100644 index 0000000..4e10745 --- /dev/null +++ b/charts/helm_lib/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v2 +type: library +name: deckhouse_lib_helm +version: 1.31.0 +description: "Helm utils template definitions for Deckhouse modules." diff --git a/charts/helm_lib/LICENSE b/charts/helm_lib/LICENSE new file mode 100644 index 0000000..13fe0e3 --- /dev/null +++ b/charts/helm_lib/LICENSE 
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright The Events Exporter authors
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/charts/helm_lib/README.md b/charts/helm_lib/README.md
new file mode 100644
index 0000000..b9e7f66
--- /dev/null
+++ b/charts/helm_lib/README.md
@@ -0,0 +1,1167 @@ +# Helm library for Deckhouse modules + +## Table of contents + +| Table of contents | +|---| +| **Api Version And Kind** | +| [helm_lib_kind_exists](#helm_lib_kind_exists) | +| [helm_lib_get_api_version_by_kind](#helm_lib_get_api_version_by_kind) | +| **Enable Ds Eviction** | +| [helm_lib_prevent_ds_eviction_annotation](#helm_lib_prevent_ds_eviction_annotation) | +| **Envs For Proxy** | +| [helm_lib_envs_for_proxy](#helm_lib_envs_for_proxy) | +| **High Availability** | +| [helm_lib_is_ha_to_value](#helm_lib_is_ha_to_value) | +| [helm_lib_ha_enabled](#helm_lib_ha_enabled) | +| **Kube Rbac Proxy** | +| [helm_lib_kube_rbac_proxy_ca_certificate](#helm_lib_kube_rbac_proxy_ca_certificate) | +| **Module Documentation Uri** | +| [helm_lib_module_documentation_uri](#helm_lib_module_documentation_uri) | +| **Module Ephemeral Storage** | +| [helm_lib_module_ephemeral_storage_logs_with_extra](#helm_lib_module_ephemeral_storage_logs_with_extra) | +| [helm_lib_module_ephemeral_storage_only_logs](#helm_lib_module_ephemeral_storage_only_logs) | +| **Module Generate Common Name** | +| [helm_lib_module_generate_common_name](#helm_lib_module_generate_common_name) | +| **Module Https** | +| [helm_lib_module_uri_scheme](#helm_lib_module_uri_scheme) | +| [helm_lib_module_https_mode](#helm_lib_module_https_mode) | +| [helm_lib_module_https_cert_manager_cluster_issuer_name](#helm_lib_module_https_cert_manager_cluster_issuer_name) | +| [helm_lib_module_https_ingress_tls_enabled](#helm_lib_module_https_ingress_tls_enabled) | +| [helm_lib_module_https_copy_custom_certificate](#helm_lib_module_https_copy_custom_certificate) | +| [helm_lib_module_https_secret_name](#helm_lib_module_https_secret_name) | +| **Module Image** | +| [helm_lib_module_image](#helm_lib_module_image) | +| [helm_lib_module_image_no_fail](#helm_lib_module_image_no_fail) | +| [helm_lib_module_common_image](#helm_lib_module_common_image) | +| 
[helm_lib_module_common_image_no_fail](#helm_lib_module_common_image_no_fail) | +| **Module Ingress Class** | +| [helm_lib_module_ingress_class](#helm_lib_module_ingress_class) | +| **Module Init Container** | +| [helm_lib_module_init_container_chown_nobody_volume](#helm_lib_module_init_container_chown_nobody_volume) | +| [helm_lib_module_init_container_chown_deckhouse_volume](#helm_lib_module_init_container_chown_deckhouse_volume) | +| [helm_lib_module_init_container_check_linux_kernel](#helm_lib_module_init_container_check_linux_kernel) | +| **Module Labels** | +| [helm_lib_module_labels](#helm_lib_module_labels) | +| **Module Public Domain** | +| [helm_lib_module_public_domain](#helm_lib_module_public_domain) | +| **Module Security Context** | +| [helm_lib_module_pod_security_context_run_as_user_custom](#helm_lib_module_pod_security_context_run_as_user_custom) | +| [helm_lib_module_pod_security_context_run_as_user_nobody](#helm_lib_module_pod_security_context_run_as_user_nobody) | +| [helm_lib_module_pod_security_context_run_as_user_nobody_with_writable_fs](#helm_lib_module_pod_security_context_run_as_user_nobody_with_writable_fs) | +| [helm_lib_module_pod_security_context_run_as_user_deckhouse](#helm_lib_module_pod_security_context_run_as_user_deckhouse) | +| [helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs](#helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs) | +| [helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted](#helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted) | +| [helm_lib_module_pod_security_context_run_as_user_root](#helm_lib_module_pod_security_context_run_as_user_root) | +| [helm_lib_module_pod_security_context_runtime_default](#helm_lib_module_pod_security_context_runtime_default) | +| [helm_lib_module_container_security_context_not_allow_privilege_escalation](#helm_lib_module_container_security_context_not_allow_privilege_escalation) | 
+| [helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux](#helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux) | +| [helm_lib_module_container_security_context_read_only_root_filesystem](#helm_lib_module_container_security_context_read_only_root_filesystem) | +| [helm_lib_module_container_security_context_privileged](#helm_lib_module_container_security_context_privileged) | +| [helm_lib_module_container_security_context_escalated_sys_admin_privileged](#helm_lib_module_container_security_context_escalated_sys_admin_privileged) | +| [helm_lib_module_container_security_context_privileged_read_only_root_filesystem](#helm_lib_module_container_security_context_privileged_read_only_root_filesystem) | +| [helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all](#helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all) | +| [helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add](#helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add) | +| [helm_lib_module_container_security_context_capabilities_drop_all_and_add](#helm_lib_module_container_security_context_capabilities_drop_all_and_add) | +| [helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom](#helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom) | +| **Module Storage Class** | +| [helm_lib_module_storage_class_annotations](#helm_lib_module_storage_class_annotations) | +| **Monitoring Grafana Dashboards** | +| [helm_lib_grafana_dashboard_definitions_recursion](#helm_lib_grafana_dashboard_definitions_recursion) | +| [helm_lib_grafana_dashboard_definitions](#helm_lib_grafana_dashboard_definitions) | +| [helm_lib_single_dashboard](#helm_lib_single_dashboard) | +| **Monitoring Prometheus Rules** | +| 
[helm_lib_prometheus_rules_recursion](#helm_lib_prometheus_rules_recursion) | +| [helm_lib_prometheus_rules](#helm_lib_prometheus_rules) | +| [helm_lib_prometheus_target_scrape_timeout_seconds](#helm_lib_prometheus_target_scrape_timeout_seconds) | +| **Node Affinity** | +| [helm_lib_internal_check_node_selector_strategy](#helm_lib_internal_check_node_selector_strategy) | +| [helm_lib_node_selector](#helm_lib_node_selector) | +| [helm_lib_tolerations](#helm_lib_tolerations) | +| [_helm_lib_cloud_or_hybrid_cluster](#_helm_lib_cloud_or_hybrid_cluster) | +| [helm_lib_internal_check_tolerations_strategy](#helm_lib_internal_check_tolerations_strategy) | +| [_helm_lib_any_node_tolerations](#_helm_lib_any_node_tolerations) | +| [_helm_lib_wildcard_tolerations](#_helm_lib_wildcard_tolerations) | +| [_helm_lib_monitoring_tolerations](#_helm_lib_monitoring_tolerations) | +| [_helm_lib_frontend_tolerations](#_helm_lib_frontend_tolerations) | +| [_helm_lib_system_tolerations](#_helm_lib_system_tolerations) | +| [_helm_lib_additional_tolerations_uninitialized](#_helm_lib_additional_tolerations_uninitialized) | +| [_helm_lib_additional_tolerations_node_problems](#_helm_lib_additional_tolerations_node_problems) | +| [_helm_lib_additional_tolerations_storage_problems](#_helm_lib_additional_tolerations_storage_problems) | +| [_helm_lib_additional_tolerations_no_csi](#_helm_lib_additional_tolerations_no_csi) | +| [_helm_lib_additional_tolerations_cloud_provider_uninitialized](#_helm_lib_additional_tolerations_cloud_provider_uninitialized) | +| **Pod Disruption Budget** | +| [helm_lib_pdb_daemonset](#helm_lib_pdb_daemonset) | +| **Priority Class** | +| [helm_lib_priority_class](#helm_lib_priority_class) | +| **Resources Management** | +| [helm_lib_resources_management_pod_resources](#helm_lib_resources_management_pod_resources) | +| [helm_lib_resources_management_original_pod_resources](#helm_lib_resources_management_original_pod_resources) | +| 
[helm_lib_resources_management_vpa_spec](#helm_lib_resources_management_vpa_spec) | +| [helm_lib_resources_management_cpu_units_to_millicores](#helm_lib_resources_management_cpu_units_to_millicores) | +| [helm_lib_resources_management_memory_units_to_bytes](#helm_lib_resources_management_memory_units_to_bytes) | +| [helm_lib_vpa_kube_rbac_proxy_resources](#helm_lib_vpa_kube_rbac_proxy_resources) | +| [helm_lib_container_kube_rbac_proxy_resources](#helm_lib_container_kube_rbac_proxy_resources) | +| **Spec For High Availability** | +| [helm_lib_pod_anti_affinity_for_ha](#helm_lib_pod_anti_affinity_for_ha) | +| [helm_lib_deployment_on_master_strategy_and_replicas_for_ha](#helm_lib_deployment_on_master_strategy_and_replicas_for_ha) | +| [helm_lib_deployment_on_master_custom_strategy_and_replicas_for_ha](#helm_lib_deployment_on_master_custom_strategy_and_replicas_for_ha) | +| [helm_lib_deployment_strategy_and_replicas_for_ha](#helm_lib_deployment_strategy_and_replicas_for_ha) | + +## Api Version And Kind + +### helm_lib_kind_exists + + returns true if the specified resource kind (case-insensitive) is represented in the cluster + +#### Usage + +`{{ include "helm_lib_kind_exists" (list . "") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Kind name portion + + +### helm_lib_get_api_version_by_kind + + returns current apiVersion string, based on available helm capabilities, for the provided kind (not all kinds are supported) + +#### Usage + +`{{ include "helm_lib_get_api_version_by_kind" (list . "") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Kind name portion + +## Enable Ds Eviction + +### helm_lib_prevent_ds_eviction_annotation + + Adds `cluster-autoscaler.kubernetes.io/enable-ds-eviction` annotation to manage DaemonSet eviction by the Cluster Autoscaler. + This is important to prevent the eviction of DaemonSet pods during cluster scaling. 
+ +#### Usage + +`{{ include "helm_lib_prevent_ds_eviction_annotation" . }} ` + + +## Envs For Proxy + +### helm_lib_envs_for_proxy + + Add HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables for container + depends on [proxy settings](https://deckhouse.io/documentation/v1/deckhouse-configure-global.html#parameters-modules-proxy) + +#### Usage + +`{{ include "helm_lib_envs_for_proxy" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + +## High Availability + +### helm_lib_is_ha_to_value + + returns value "yes" if cluster is highly available, else — returns "no" + +#### Usage + +`{{ include "helm_lib_is_ha_to_value" (list . yes no) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Yes value +- No value + + +### helm_lib_ha_enabled + + returns empty value, which is treated by go template as false + +#### Usage + +`{{- if (include "helm_lib_ha_enabled" .) }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + +## Kube Rbac Proxy + +### helm_lib_kube_rbac_proxy_ca_certificate + + Renders configmap with kube-rbac-proxy CA certificate which uses to verify the kube-rbac-proxy clients. + +#### Usage + +`{{ include "helm_lib_kube_rbac_proxy_ca_certificate" (list . "namespace") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Namespace where CA configmap will be created + +## Module Documentation Uri + +### helm_lib_module_documentation_uri + + returns rendered documentation uri using publicDomainTemplate or deckhouse.io domains + +#### Usage + +`{{ include "helm_lib_module_documentation_uri" (list . 
"") }} ` + + +## Module Ephemeral Storage + +### helm_lib_module_ephemeral_storage_logs_with_extra + + 50Mi for container logs `log-opts.max-file * log-opts.max-size` would be added to passed value + returns ephemeral-storage size for logs with extra space + +#### Usage + +`{{ include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 }} ` + +#### Arguments + +- Extra space in mebibytes + + +### helm_lib_module_ephemeral_storage_only_logs + + 50Mi for container logs `log-opts.max-file * log-opts.max-size` would be requested + returns ephemeral-storage size for only logs + +#### Usage + +`{{ include "helm_lib_module_ephemeral_storage_only_logs" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + +## Module Generate Common Name + +### helm_lib_module_generate_common_name + + returns the commonName parameter for use in the Certificate custom resource(cert-manager) + +#### Usage + +`{{ include "helm_lib_module_generate_common_name" (list . "") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Name portion + +## Module Https + +### helm_lib_module_uri_scheme + + return module uri scheme "http" or "https" + +#### Usage + +`{{ include "helm_lib_module_uri_scheme" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_https_mode + + returns https mode for module + +#### Usage + +`{{ if (include "helm_lib_module_https_mode" .) }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_https_cert_manager_cluster_issuer_name + + returns cluster issuer name + +#### Usage + +`{{ include "helm_lib_module_https_cert_manager_cluster_issuer_name" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_https_ingress_tls_enabled + + returns not empty string if tls should enable for ingress + +#### Usage + +`{{ if (include "helm_lib_module_https_ingress_tls_enabled" .) 
}} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_https_copy_custom_certificate + + Renders secret with [custom certificate](https://deckhouse.io/documentation/v1/deckhouse-configure-global.html#parameters-modules-https-customcertificate) + in passed namespace with passed prefix + +#### Usage + +`{{ include "helm_lib_module_https_copy_custom_certificate" (list . "namespace" "secret_name_prefix") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Namespace +- Secret name prefix + + +### helm_lib_module_https_secret_name + + returns custom certificate name + +#### Usage + +`{{ include "helm_lib_module_https_secret_name (list . "secret_name_prefix") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Secret name prefix + +## Module Image + +### helm_lib_module_image + + returns image name + +#### Usage + +`{{ include "helm_lib_module_image" (list . "") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Container name + + +### helm_lib_module_image_no_fail + + returns image name if found + +#### Usage + +`{{ include "helm_lib_module_image_no_fail" (list . "") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Container name + + +### helm_lib_module_common_image + + returns image name from common module + +#### Usage + +`{{ include "helm_lib_module_common_image" (list . "") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Container name + + +### helm_lib_module_common_image_no_fail + + returns image name from common module if found + +#### Usage + +`{{ include "helm_lib_module_common_image_no_fail" (list . 
"") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Container name + +## Module Ingress Class + +### helm_lib_module_ingress_class + + returns ingress class from module settings or if not exists from global config + +#### Usage + +`{{ include "helm_lib_module_ingress_class" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + +## Module Init Container + +### helm_lib_module_init_container_chown_nobody_volume + + ### Migration 11.12.2020: Remove this helper with all its usages after this commit reached RockSolid + returns initContainer which chowns recursively all files and directories in passed volume + +#### Usage + +`{{ include "helm_lib_module_init_container_chown_nobody_volume" (list . "volume-name") }} ` + + + +### helm_lib_module_init_container_chown_deckhouse_volume + + returns initContainer which chowns recursively all files and directories in passed volume + +#### Usage + +`{{ include "helm_lib_module_init_container_chown_deckhouse_volume" (list . "volume-name") }} ` + + + +### helm_lib_module_init_container_check_linux_kernel + + returns initContainer which checks the kernel version on the node for compliance to semver constraint + +#### Usage + +`{{ include "helm_lib_module_init_container_check_linux_kernel" (list . ">= 4.9.17") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Semver constraint + +## Module Labels + +### helm_lib_module_labels + + returns deckhouse labels + +#### Usage + +`{{ include "helm_lib_module_labels" (list . (dict "app" "test" "component" "testing")) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Additional labels dict + +## Module Public Domain + +### helm_lib_module_public_domain + + returns rendered publicDomainTemplate to service fqdn + +#### Usage + +`{{ include "helm_lib_module_public_domain" (list . 
"") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Name portion + +## Module Security Context + +### helm_lib_module_pod_security_context_run_as_user_custom + + returns PodSecurityContext parameters for Pod with custom user and group + +#### Usage + +`{{ include "helm_lib_module_pod_security_context_run_as_user_custom" (list . 1000 1000) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- User id +- Group id + + +### helm_lib_module_pod_security_context_run_as_user_nobody + + returns PodSecurityContext parameters for Pod with user and group "nobody" + +#### Usage + +`{{ include "helm_lib_module_pod_security_context_run_as_user_nobody" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_pod_security_context_run_as_user_nobody_with_writable_fs + + returns PodSecurityContext parameters for Pod with user and group "nobody" with write access to mounted volumes + +#### Usage + +`{{ include "helm_lib_module_pod_security_context_run_as_user_nobody_with_writable_fs" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_pod_security_context_run_as_user_deckhouse + + returns PodSecurityContext parameters for Pod with user and group "deckhouse" + +#### Usage + +`{{ include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs + + returns PodSecurityContext parameters for Pod with user and group "deckhouse" with write access to mounted volumes + +#### Usage + +`{{ include "helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs" . 
}} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted + + returns SecurityContext parameters for Container with user and group "deckhouse" plus minimal required settings to comply with the Restricted mode of the Pod Security Standards + +#### Usage + +`{{ include "helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_pod_security_context_run_as_user_root + + returns PodSecurityContext parameters for Pod with user and group 0 + +#### Usage + +`{{ include "helm_lib_module_pod_security_context_run_as_user_root" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_pod_security_context_runtime_default + + returns PodSecurityContext parameters for Pod with seccomp profile RuntimeDefault + +#### Usage + +`{{ include "helm_lib_module_pod_security_context_runtime_default" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_container_security_context_not_allow_privilege_escalation + + returns SecurityContext parameters for Container with allowPrivilegeEscalation false + +#### Usage + +`{{ include "helm_lib_module_container_security_context_not_allow_privilege_escalation" . }} ` + + + +### helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux + + returns SecurityContext parameters for Container with read only root filesystem and options for SELinux compatibility + +#### Usage + +`{{ include "helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux" . 
}} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_container_security_context_read_only_root_filesystem + + returns SecurityContext parameters for Container with read only root filesystem + +#### Usage + +`{{ include "helm_lib_module_container_security_context_read_only_root_filesystem" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_container_security_context_privileged + + returns SecurityContext parameters for Container running privileged + +#### Usage + +`{{ include "helm_lib_module_container_security_context_privileged" . }} ` + + + +### helm_lib_module_container_security_context_escalated_sys_admin_privileged + + returns SecurityContext parameters for Container running privileged with escalation and sys_admin + +#### Usage + +`{{ include "helm_lib_module_container_security_context_escalated_sys_admin_privileged" . }} ` + + + +### helm_lib_module_container_security_context_privileged_read_only_root_filesystem + + returns SecurityContext parameters for Container running privileged with read only root filesystem + +#### Usage + +`{{ include "helm_lib_module_container_security_context_privileged_read_only_root_filesystem" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all + + returns SecurityContext for Container with read only root filesystem and all capabilities dropped + +#### Usage + +`{{ include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . 
}} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add + + returns SecurityContext parameters for Container with read only root filesystem, all dropped and some added capabilities + +#### Usage + +`{{ include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add" (list . (list "KILL" "SYS_PTRACE")) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- List of capabilities + + +### helm_lib_module_container_security_context_capabilities_drop_all_and_add + + returns SecurityContext parameters for Container with all dropped and some added capabilities + +#### Usage + +`{{ include "helm_lib_module_container_security_context_capabilities_drop_all_and_add" (list . (list "KILL" "SYS_PTRACE")) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- List of capabilities + + +### helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom + + returns SecurityContext parameters for Container with read only root filesystem, all dropped, and custom user ID + +#### Usage + +`{{ include "helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom" (list . 
1000 1000) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- User id +- Group id + +## Module Storage Class + +### helm_lib_module_storage_class_annotations + + return module StorageClass annotations + +#### Usage + +`{{ include "helm_lib_module_storage_class_annotations" (list $ $index $storageClass.name) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Storage class index +- Storage class name + +## Monitoring Grafana Dashboards + +### helm_lib_grafana_dashboard_definitions_recursion + + returns all the dashboard-definintions from / + current dir is optional — used for recursion but you can use it for partially generating dashboards + +#### Usage + +`{{ include "helm_lib_grafana_dashboard_definitions_recursion" (list . [current dir]) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Dashboards root dir +- Dashboards current dir + + +### helm_lib_grafana_dashboard_definitions + + returns dashboard-definintions from monitoring/grafana-dashboards/ + +#### Usage + +`{{ include "helm_lib_grafana_dashboard_definitions" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_single_dashboard + + renders a single dashboard + +#### Usage + +`{{ include "helm_lib_single_dashboard" (list . "dashboard-name" "folder" $dashboard) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Dashboard name +- Folder +- Dashboard definition + +## Monitoring Prometheus Rules + +### helm_lib_prometheus_rules_recursion + + returns all the prometheus rules from / + current dir is optional — used for recursion but you can use it for partially generating rules + +#### Usage + +`{{ include "helm_lib_prometheus_rules_recursion" (list . 
[current dir]) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Namespace for creating rules +- Rules root dir +- Current dir (optional) + + +### helm_lib_prometheus_rules + + returns all the prometheus rules from monitoring/prometheus-rules/ + +#### Usage + +`{{ include "helm_lib_prometheus_rules" (list . ) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Namespace for creating rules + + +### helm_lib_prometheus_target_scrape_timeout_seconds + + returns adjust timeout value to scrape interval / + +#### Usage + +`{{ include "helm_lib_prometheus_target_scrape_timeout_seconds" (list . ) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Target timeout in seconds + +## Node Affinity + +### helm_lib_internal_check_node_selector_strategy + + Verify node selector strategy. + + + +### helm_lib_node_selector + + Returns node selector for workloads depend on strategy. + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- strategy, one of "frontend" "monitoring" "system" "master" "any-node" "wildcard" + + +### helm_lib_tolerations + + Returns tolerations for workloads depend on strategy. + +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . "any-node" "with-uninitialized" "without-storage-problems") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- base strategy, one of "frontend" "monitoring" "system" any-node" "wildcard" +- list of additional strategies. To add strategy list it with prefix "with-", to remove strategy list it with prefix "without-". + + +### _helm_lib_cloud_or_hybrid_cluster + + Check cluster type. + Returns not empty string if this is cloud or hybrid cluster + + + +### helm_lib_internal_check_tolerations_strategy + + Verify base strategy. + Fails if strategy not in allowed list + + + +### _helm_lib_any_node_tolerations + + Base strategy for any uncordoned node in cluster. 
+ +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . "any-node") }} ` + + + +### _helm_lib_wildcard_tolerations + + Base strategy that tolerates all. + +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . "wildcard") }} ` + + + +### _helm_lib_monitoring_tolerations + + Base strategy that tolerates nodes with "dedicated.deckhouse.io: monitoring" and "dedicated.deckhouse.io: system" taints. + +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . "monitoring") }} ` + + + +### _helm_lib_frontend_tolerations + + Base strategy that tolerates nodes with "dedicated.deckhouse.io: frontend" taints. + +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . "frontend") }} ` + + + +### _helm_lib_system_tolerations + + Base strategy that tolerates nodes with "dedicated.deckhouse.io: system" taints. + +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . "system") }} ` + + + +### _helm_lib_additional_tolerations_uninitialized + + Additional strategy "uninitialized" - used for CNI's and kube-proxy to allow cni components scheduled on node after CCM initialization. + +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . "any-node" "with-uninitialized") }} ` + + + +### _helm_lib_additional_tolerations_node_problems + + Additional strategy "node-problems" - used for shedule critical components on non-ready nodes or nodes under pressure. + +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . "any-node" "with-node-problems") }} ` + + + +### _helm_lib_additional_tolerations_storage_problems + + Additional strategy "storage-problems" - used for shedule critical components on nodes with drbd problems. This additional strategy enabled by default in any base strategy except "wildcard". + +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . 
"any-node" "without-storage-problems") }} ` + + + +### _helm_lib_additional_tolerations_no_csi + + Additional strategy "no-csi" - used for any node with no CSI: any node, which was initialized by deckhouse, but have no csi-node driver registered on it. + +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . "any-node" "with-no-csi") }} ` + + + +### _helm_lib_additional_tolerations_cloud_provider_uninitialized + + Additional strategy "cloud-provider-uninitialized" - used for any node which is not initialized by CCM. + +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . "any-node" "with-cloud-provider-uninitialized") }} ` + + +## Pod Disruption Budget + +### helm_lib_pdb_daemonset + + Returns PDB max unavailable + +#### Usage + +`{{ include "helm_lib_pdb_daemonset" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + +## Priority Class + +### helm_lib_priority_class + + returns priority class if priority-class module enabled, otherwise returns nothing + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Priority class name + +## Resources Management + +### helm_lib_resources_management_pod_resources + + returns rendered resources section based on configuration if it is + +#### Usage + +`{{ include "helm_lib_resources_management_pod_resources" (list [ephemeral storage requests]) }} ` + +#### Arguments + +list: +- VPA resource configuration [example](https://deckhouse.io/documentation/v1/modules/110-istio/configuration.html#parameters-controlplane-resourcesmanagement) +- Ephemeral storage requests + + +### helm_lib_resources_management_original_pod_resources + + returns rendered resources section based on configuration if it is present + +#### Usage + +`{{ include "helm_lib_resources_management_original_pod_resources" }} ` + +#### Arguments + +- VPA resource configuration [example](https://deckhouse.io/documentation/v1/modules/110-istio/configuration.html#parameters-controlplane-resourcesmanagement) + + +### 
helm_lib_resources_management_vpa_spec + + returns rendered vpa spec based on configuration and target reference + +#### Usage + +`{{ include "helm_lib_resources_management_vpa_spec" (list ) }} ` + +#### Arguments + +list: +- Target API version +- Target Kind +- Target Name +- Target container name +- VPA resource configuration [example](https://deckhouse.io/documentation/v1/modules/110-istio/configuration.html#parameters-controlplane-resourcesmanagement) + + +### helm_lib_resources_management_cpu_units_to_millicores + + helper for converting cpu units to millicores + +#### Usage + +`{{ include "helm_lib_resources_management_cpu_units_to_millicores" }} ` + + + +### helm_lib_resources_management_memory_units_to_bytes + + helper for converting memory units to bytes + +#### Usage + +`{{ include "helm_lib_resources_management_memory_units_to_bytes" }} ` + + + +### helm_lib_vpa_kube_rbac_proxy_resources + + helper for VPA resources for kube_rbac_proxy + +#### Usage + +`{{ include "helm_lib_vpa_kube_rbac_proxy_resources" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_container_kube_rbac_proxy_resources + + helper for container resources for kube_rbac_proxy + +#### Usage + +`{{ include "helm_lib_container_kube_rbac_proxy_resources" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + +## Spec For High Availability + +### helm_lib_pod_anti_affinity_for_ha + + returns pod affinity spec + +#### Usage + +`{{ include "helm_lib_pod_anti_affinity_for_ha" (list . 
(dict "app" "test")) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Match labels for podAntiAffinity label selector + + +### helm_lib_deployment_on_master_strategy_and_replicas_for_ha + + returns deployment strategy and replicas for ha components running on master nodes + +#### Usage + +`{{ include "helm_lib_deployment_on_master_strategy_and_replicas_for_ha" }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_deployment_on_master_custom_strategy_and_replicas_for_ha + + returns deployment with custom strategy and replicas for ha components running on master nodes + +#### Usage + +`{{ include "helm_lib_deployment_on_master_custom_strategy_and_replicas_for_ha" (list . (dict "strategy" "strategy_type")) }} ` + + + +### helm_lib_deployment_strategy_and_replicas_for_ha + + returns deployment strategy and replicas for ha components running not on master nodes + +#### Usage + +`{{ include "helm_lib_deployment_strategy_and_replicas_for_ha" }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc diff --git a/charts/helm_lib/templates/_api_version_and_kind.tpl b/charts/helm_lib/templates/_api_version_and_kind.tpl new file mode 100644 index 0000000..4de8a8a --- /dev/null +++ b/charts/helm_lib/templates/_api_version_and_kind.tpl 
@@ -0,0 +1,36 @@ +{{- /* Usage: {{ include "helm_lib_kind_exists" (list . "") }} */ -}} +{{- /* returns true if the specified resource kind (case-insensitive) is represented in the cluster */ -}} +{{- define "helm_lib_kind_exists" }} + {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $kind_name := index . 1 -}} {{- /* Kind name portion */ -}} + {{- if eq (len $context.Capabilities.APIVersions) 0 -}} + {{- fail "Helm reports no capabilities" -}} + {{- end -}} + {{ range $cap := $context.Capabilities.APIVersions }} + {{- if hasSuffix (lower (printf "/%s" $kind_name)) (lower $cap) }} + found + {{- break }} + {{- end }} + {{- end }} +{{- end -}} + +{{- /* Usage: {{ include "helm_lib_get_api_version_by_kind" (list . "") }} */ -}} +{{- /* returns current apiVersion string, based on available helm capabilities, for the provided kind (not all kinds are supported) */ -}} +{{- define "helm_lib_get_api_version_by_kind" }} + {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $kind_name := index . 1 -}} {{- /* Kind name portion */ -}} + {{- if eq (len $context.Capabilities.APIVersions) 0 -}} + {{- fail "Helm reports no capabilities" -}} + {{- end -}} + {{- if or (eq $kind_name "ValidatingAdmissionPolicy") (eq $kind_name "ValidatingAdmissionPolicyBinding") -}} + {{- if $context.Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1/ValidatingAdmissionPolicy" -}} +admissionregistration.k8s.io/v1 + {{- else if $context.Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1beta1/ValidatingAdmissionPolicy" -}} +admissionregistration.k8s.io/v1beta1 + {{- else -}} +admissionregistration.k8s.io/v1alpha1 + {{- end -}} + {{- else -}} + {{- fail (printf "Kind '%s' isn't supported by the 'helm_lib_get_api_version_by_kind' helper" $kind_name) -}} + {{- end -}} +{{- end -}} 
diff --git a/charts/helm_lib/templates/_csi_controller.tpl b/charts/helm_lib/templates/_csi_controller.tpl new file mode 100644 index 0000000..9bc0d8c --- /dev/null +++ b/charts/helm_lib/templates/_csi_controller.tpl 
@@ -0,0 +1,763 @@ +{{- define "attacher_resources" }} +cpu: 10m +memory: 25Mi +{{- end }} + +{{- define "provisioner_resources" }} +cpu: 10m +memory: 25Mi +{{- end }} + +{{- define "resizer_resources" }} +cpu: 10m +memory: 25Mi +{{- end }} + +{{- define "syncer_resources" }} +cpu: 10m +memory: 25Mi +{{- end }} + +{{- define "snapshotter_resources" }} +cpu: 10m +memory: 25Mi +{{- end }} + +{{- define "livenessprobe_resources" }} +cpu: 10m +memory: 25Mi +{{- end }} + +{{- define "controller_resources" }} +cpu: 10m +memory: 50Mi +{{- end }} + +{{- /* Usage: {{ include "helm_lib_csi_controller_manifests" (list . $config) }} */ -}} +{{- define "helm_lib_csi_controller_manifests" }} + {{- $context := index . 0 }} + + {{- $config := index . 1 }} + {{- $fullname := $config.fullname | default "csi-controller" }} + {{- $snapshotterEnabled := dig "snapshotterEnabled" true $config }} + {{- $resizerEnabled := dig "resizerEnabled" true $config }} + {{- $syncerEnabled := dig "syncerEnabled" false $config }} + {{- $topologyEnabled := dig "topologyEnabled" true $config }} + {{- $extraCreateMetadataEnabled := dig "extraCreateMetadataEnabled" false $config }} + {{- $controllerImage := $config.controllerImage | required "$config.controllerImage is required" }} + {{- $provisionerTimeout := $config.provisionerTimeout | default "600s" }} + {{- $attacherTimeout := $config.attacherTimeout | default "600s" }} + {{- $resizerTimeout := $config.resizerTimeout | default "600s" }} + {{- $snapshotterTimeout := $config.snapshotterTimeout | default "600s" }} + {{- $provisionerWorkers := $config.provisionerWorkers | default "10" }} + {{- $attacherWorkers := $config.attacherWorkers | default "10" }} + {{- $resizerWorkers := $config.resizerWorkers | default "10" }} + {{- $snapshotterWorkers := $config.snapshotterWorkers | default "10" }} + {{- $additionalControllerEnvs := $config.additionalControllerEnvs }} + {{- $additionalSyncerEnvs := $config.additionalSyncerEnvs }} + {{- $additionalControllerArgs 
:= $config.additionalControllerArgs }} + {{- $additionalControllerVolumes := $config.additionalControllerVolumes }} + {{- $additionalControllerVolumeMounts := $config.additionalControllerVolumeMounts }} + {{- $additionalContainers := $config.additionalContainers }} + {{- $livenessProbePort := $config.livenessProbePort | default 9808 }} + {{- $initContainerCommand := $config.initContainerCommand }} + {{- $initContainerImage := $config.initContainerImage }} + {{- $initContainerVolumeMounts := $config.initContainerVolumeMounts }} + + {{- $kubernetesSemVer := semver $context.Values.global.discovery.kubernetesVersion }} + + {{- $provisionerImageName := join "" (list "csiExternalProvisioner" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} + {{- $provisionerImage := include "helm_lib_module_common_image_no_fail" (list $context $provisionerImageName) }} + + {{- $attacherImageName := join "" (list "csiExternalAttacher" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} + {{- $attacherImage := include "helm_lib_module_common_image_no_fail" (list $context $attacherImageName) }} + + {{- $resizerImageName := join "" (list "csiExternalResizer" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} + {{- $resizerImage := include "helm_lib_module_common_image_no_fail" (list $context $resizerImageName) }} + + {{- $syncerImageName := join "" (list "csiVsphereSyncer" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} + {{- $syncerImage := include "helm_lib_module_common_image_no_fail" (list $context $syncerImageName) }} + + {{- $snapshotterImageName := join "" (list "csiExternalSnapshotter" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} + {{- $snapshotterImage := include "helm_lib_module_common_image_no_fail" (list $context $snapshotterImageName) }} + + {{- $livenessprobeImageName := join "" (list "csiLivenessprobe" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} + {{- $livenessprobeImage := include "helm_lib_module_common_image_no_fail" (list $context 
$livenessprobeImageName) }} + + {{- if $provisionerImage }} + {{- if ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} +--- +apiVersion: autoscaling.k8s.io/v1 +kind: VerticalPodAutoscaler +metadata: + name: {{ $fullname }} + namespace: d8-{{ $context.Chart.Name }} + {{- include "helm_lib_module_labels" (list $context (dict "app" "csi-controller" "workload-resource-policy.deckhouse.io" "master")) | nindent 2 }} +spec: + targetRef: + apiVersion: "apps/v1" + kind: Deployment + name: {{ $fullname }} + updatePolicy: + updateMode: "Auto" + resourcePolicy: + containerPolicies: + - containerName: "provisioner" + minAllowed: + {{- include "provisioner_resources" $context | nindent 8 }} + maxAllowed: + cpu: 20m + memory: 50Mi + - containerName: "attacher" + minAllowed: + {{- include "attacher_resources" $context | nindent 8 }} + maxAllowed: + cpu: 20m + memory: 50Mi + {{- if $resizerEnabled }} + - containerName: "resizer" + minAllowed: + {{- include "resizer_resources" $context | nindent 8 }} + maxAllowed: + cpu: 20m + memory: 50Mi + {{- end }} + {{- if $syncerEnabled }} + - containerName: "syncer" + minAllowed: + {{- include "syncer_resources" $context | nindent 8 }} + maxAllowed: + cpu: 20m + memory: 50Mi + {{- end }} + {{- if $snapshotterEnabled }} + - containerName: "snapshotter" + minAllowed: + {{- include "snapshotter_resources" $context | nindent 8 }} + maxAllowed: + cpu: 20m + memory: 50Mi + {{- end }} + - containerName: "livenessprobe" + minAllowed: + {{- include "livenessprobe_resources" $context | nindent 8 }} + maxAllowed: + cpu: 20m + memory: 50Mi + - containerName: "controller" + minAllowed: + {{- include "controller_resources" $context | nindent 8 }} + maxAllowed: + cpu: 20m + memory: 100Mi + {{- end }} +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ $fullname }} + namespace: d8-{{ $context.Chart.Name }} + {{- include "helm_lib_module_labels" (list $context (dict "app" "csi-controller")) | nindent 2 }} 
+spec: + maxUnavailable: 1 + selector: + matchLabels: + app: {{ $fullname }} +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ $fullname }} + namespace: d8-{{ $context.Chart.Name }} + {{- include "helm_lib_module_labels" (list $context (dict "app" "csi-controller")) | nindent 2 }} +spec: + replicas: 1 + revisionHistoryLimit: 2 + selector: + matchLabels: + app: {{ $fullname }} + strategy: + type: Recreate + template: + metadata: + labels: + app: {{ $fullname }} + {{- if hasPrefix "cloud-provider-" $context.Chart.Name }} + annotations: + cloud-config-checksum: {{ include (print $context.Template.BasePath "/cloud-controller-manager/secret.yaml") $context | sha256sum }} + {{- end }} + spec: + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + imagePullSecrets: + - name: deckhouse-registry + {{- include "helm_lib_priority_class" (tuple $context "system-cluster-critical") | nindent 6 }} + {{- include "helm_lib_node_selector" (tuple $context "master") | nindent 6 }} + {{- include "helm_lib_tolerations" (tuple $context "any-node" "with-uninitialized") | nindent 6 }} +{{- if $context.Values.global.enabledModules | has "csi-nfs" }} + {{- include "helm_lib_module_pod_security_context_runtime_default" . | nindent 6 }} +{{- else }} + {{- include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . | nindent 6 }} +{{- end }} + serviceAccountName: csi + containers: + - name: provisioner + {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . 
| nindent 8 }} + image: {{ $provisionerImage | quote }} + args: + - "--timeout={{ $provisionerTimeout }}" + - "--v=5" + - "--csi-address=$(ADDRESS)" + {{- if $topologyEnabled }} + - "--feature-gates=Topology=true" + - "--strict-topology" + {{- else }} + - "--feature-gates=Topology=false" + {{- end }} + - "--default-fstype=ext4" + - "--leader-election=true" + - "--leader-election-namespace=$(NAMESPACE)" + - "--enable-capacity" + - "--capacity-ownerref-level=2" + {{- if $extraCreateMetadataEnabled }} + - "--extra-create-metadata=true" + {{- end }} + - "--worker-threads={{ $provisionerWorkers }}" + env: + - name: ADDRESS + value: /csi/csi.sock + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "provisioner_resources" $context | nindent 12 }} + {{- end }} + - name: attacher + {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . 
| nindent 8 }} + image: {{ $attacherImage | quote }} + args: + - "--timeout={{ $attacherTimeout }}" + - "--v=5" + - "--csi-address=$(ADDRESS)" + - "--leader-election=true" + - "--leader-election-namespace=$(NAMESPACE)" + - "--worker-threads={{ $attacherWorkers }}" + env: + - name: ADDRESS + value: /csi/csi.sock + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "attacher_resources" $context | nindent 12 }} + {{- end }} + {{- if $resizerEnabled }} + - name: resizer + {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }} + image: {{ $resizerImage | quote }} + args: + - "--timeout={{ $resizerTimeout }}" + - "--v=5" + - "--csi-address=$(ADDRESS)" + - "--leader-election=true" + - "--leader-election-namespace=$(NAMESPACE)" + - "--workers={{ $resizerWorkers }}" + env: + - name: ADDRESS + value: /csi/csi.sock + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "resizer_resources" $context | nindent 12 }} + {{- end }} + {{- end }} + {{- if $syncerEnabled }} + - name: syncer + {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . 
| nindent 8 }} + image: {{ $syncerImage | quote }} + args: + - "--leader-election" + - "--leader-election-lease-duration=30s" + - "--leader-election-renew-deadline=20s" + - "--leader-election-retry-period=10s" + {{- if $additionalControllerArgs }} + {{- $additionalControllerArgs | toYaml | nindent 8 }} + {{- end }} + {{- if $additionalSyncerEnvs }} + env: + {{- $additionalSyncerEnvs | toYaml | nindent 8 }} + {{- end }} + {{- if $additionalControllerVolumeMounts }} + volumeMounts: + {{- $additionalControllerVolumeMounts | toYaml | nindent 8 }} + {{- end }} + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "syncer_resources" $context | nindent 12 }} + {{- end }} + {{- end }} + {{- if $snapshotterEnabled }} + - name: snapshotter + {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }} + image: {{ $snapshotterImage | quote }} + args: + - "--timeout={{ $snapshotterTimeout }}" + - "--v=5" + - "--csi-address=$(ADDRESS)" + - "--leader-election=true" + - "--leader-election-namespace=$(NAMESPACE)" + - "--worker-threads={{ $snapshotterWorkers }}" + env: + - name: ADDRESS + value: /csi/csi.sock + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "snapshotter_resources" $context | nindent 12 }} + {{- end }} + {{- end }} + - name: livenessprobe + {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . 
| nindent 8 }} + image: {{ $livenessprobeImage | quote }} + args: + - "--csi-address=$(ADDRESS)" + - "--http-endpoint=$(HOST_IP):{{ $livenessProbePort }}" + env: + - name: ADDRESS + value: /csi/csi.sock + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "livenessprobe_resources" $context | nindent 12 }} + {{- end }} + - name: controller +{{- if $context.Values.global.enabledModules | has "csi-nfs" }} + {{- include "helm_lib_module_container_security_context_escalated_sys_admin_privileged" . | nindent 8 }} +{{- else }} + {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }} +{{- end }} + image: {{ $controllerImage | quote }} + args: + {{- if $additionalControllerArgs }} + {{- $additionalControllerArgs | toYaml | nindent 8 }} + {{- end }} + {{- if $additionalControllerEnvs }} + env: + {{- $additionalControllerEnvs | toYaml | nindent 8 }} + {{- end }} + livenessProbe: + httpGet: + path: /healthz + port: {{ $livenessProbePort }} + volumeMounts: + - name: socket-dir + mountPath: /csi + {{- /* For an unknown reason vSphere csi-controller won't start without `/tmp` directory */ -}} + {{- if eq $context.Chart.Name "cloud-provider-vsphere" }} + - name: tmp + mountPath: /tmp + {{- end }} + {{- if $additionalControllerVolumeMounts }} + {{- $additionalControllerVolumeMounts | toYaml | nindent 8 }} + {{- end }} + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "controller_resources" $context | nindent 12 }} + {{- end }} + {{- if $additionalContainers }} + {{- $additionalContainers | 
toYaml | nindent 6 }} + {{- end }} + {{- if $initContainerCommand }} + initContainers: + - command: + {{- $initContainerCommand | toYaml | nindent 8 }} + image: {{ $initContainerImage }} + imagePullPolicy: IfNotPresent + name: csi-controller-init-container + {{- if $initContainerVolumeMounts }} + volumeMounts: + {{- $initContainerVolumeMounts | toYaml | nindent 8 }} + {{- end }} + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- end }} + volumes: + - name: socket-dir + emptyDir: {} + {{- /* For an unknown reason vSphere csi-controller won't start without `/tmp` directory */ -}} + {{- if eq $context.Chart.Name "cloud-provider-vsphere" }} + - name: tmp + emptyDir: {} + {{- end }} + {{- if $additionalControllerVolumes }} + {{- $additionalControllerVolumes | toYaml | nindent 6 }} + {{- end }} + {{- end }} +{{- end }} + + +{{- /* Usage: {{ include "helm_lib_csi_controller_rbac" . }} */ -}} +{{- define "helm_lib_csi_controller_rbac" }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi + namespace: d8-{{ .Chart.Name }} + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} + +# =========== +# provisioner +# =========== +# Source https://github.com/kubernetes-csi/external-provisioner/blob/master/deploy/kubernetes/rbac.yaml +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: d8:{{ .Chart.Name }}:csi:controller:external-provisioner + {{- include "helm_lib_module_labels" (list . 
(dict "app" "csi-controller")) | nindent 2 }} +rules: +- apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] +- apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] +- apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] +- apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] +- apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] +- apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] +# Access to volumeattachments is only needed when the CSI driver +# has the PUBLISH_UNPUBLISH_VOLUME controller capability. +# In that case, external-provisioner will watch volumeattachments +# to determine when it is safe to delete a volume. +- apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: d8:{{ .Chart.Name }}:csi:controller:external-provisioner + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} +subjects: +- kind: ServiceAccount + name: csi + namespace: d8-{{ .Chart.Name }} +roleRef: + kind: ClusterRole + name: d8:{{ .Chart.Name }}:csi:controller:external-provisioner + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi:controller:external-provisioner + namespace: d8-{{ .Chart.Name }} + {{- include "helm_lib_module_labels" (list . 
(dict "app" "csi-controller")) | nindent 2 }} +rules: +# Only one of the following rules for endpoints or leases is required based on +# what is set for `--leader-election-type`. Endpoints are deprecated in favor of Leases. +- apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +# Permissions for CSIStorageCapacity are only needed enabling the publishing +# of storage capacity information. +- apiGroups: ["storage.k8s.io"] + resources: ["csistoragecapacities"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +# The GET permissions below are needed for walking up the ownership chain +# for CSIStorageCapacity. They are sufficient for deployment via +# StatefulSet (only needs to get Pod) and Deployment (needs to get +# Pod and then ReplicaSet to find the Deployment). +- apiGroups: [""] + resources: ["pods"] + verbs: ["get"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi:controller:external-provisioner + namespace: d8-{{ .Chart.Name }} + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} +subjects: +- kind: ServiceAccount + name: csi + namespace: d8-{{ .Chart.Name }} +roleRef: + kind: Role + name: csi:controller:external-provisioner + apiGroup: rbac.authorization.k8s.io + +# ======== +# attacher +# ======== +# Source https://github.com/kubernetes-csi/external-attacher/blob/master/deploy/kubernetes/rbac.yaml +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: d8:{{ .Chart.Name }}:csi:controller:external-attacher + {{- include "helm_lib_module_labels" (list . 
(dict "app" "csi-controller")) | nindent 2 }} +rules: +- apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] +- apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] +- apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] +- apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: d8:{{ .Chart.Name }}:csi:controller:external-attacher + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} +subjects: +- kind: ServiceAccount + name: csi + namespace: d8-{{ .Chart.Name }} +roleRef: + kind: ClusterRole + name: d8:{{ .Chart.Name }}:csi:controller:external-attacher + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi:controller:external-attacher + namespace: d8-{{ .Chart.Name }} + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} +rules: +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi:controller:external-attacher + namespace: d8-{{ .Chart.Name }} + {{- include "helm_lib_module_labels" (list . 
(dict "app" "csi-controller")) | nindent 2 }} +subjects: +- kind: ServiceAccount + name: csi + namespace: d8-{{ .Chart.Name }} +roleRef: + kind: Role + name: csi:controller:external-attacher + apiGroup: rbac.authorization.k8s.io + +# ======= +# resizer +# ======= +# Source https://github.com/kubernetes-csi/external-resizer/blob/master/deploy/kubernetes/rbac.yaml +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: d8:{{ .Chart.Name }}:csi:controller:external-resizer + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} +rules: +- apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "patch"] +- apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["patch"] +- apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: d8:{{ .Chart.Name }}:csi:controller:external-resizer + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} +subjects: +- kind: ServiceAccount + name: csi + namespace: d8-{{ .Chart.Name }} +roleRef: + kind: ClusterRole + name: d8:{{ .Chart.Name }}:csi:controller:external-resizer + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi:controller:external-resizer + namespace: d8-{{ .Chart.Name }} + {{- include "helm_lib_module_labels" (list . 
(dict "app" "csi-controller")) | nindent 2 }} +rules: +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi:controller:external-resizer + namespace: d8-{{ .Chart.Name }} + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} +subjects: +- kind: ServiceAccount + name: csi + namespace: d8-{{ .Chart.Name }} +roleRef: + kind: Role + name: csi:controller:external-resizer + apiGroup: rbac.authorization.k8s.io +# ======== +# snapshotter +# ======== +# Source https://github.com/kubernetes-csi/external-snapshotter/blob/master/deploy/kubernetes/csi-snapshotter/rbac-csi-snapshotter.yaml +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: d8:{{ .Chart.Name }}:csi:controller:external-snapshotter + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} +rules: +- apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] +- apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] +- apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] +- apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: d8:{{ .Chart.Name }}:csi:controller:external-snapshotter + {{- include "helm_lib_module_labels" (list . 
(dict "app" "csi-controller")) | nindent 2 }} +subjects: +- kind: ServiceAccount + name: csi + namespace: d8-{{ .Chart.Name }} +roleRef: + kind: ClusterRole + name: d8:{{ .Chart.Name }}:csi:controller:external-snapshotter + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi:controller:external-snapshotter + namespace: d8-{{ .Chart.Name }} + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} +rules: +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi:controller:external-snapshotter + namespace: d8-{{ .Chart.Name }} + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} +subjects: +- kind: ServiceAccount + name: csi + namespace: d8-{{ .Chart.Name }} +roleRef: + kind: Role + name: csi:controller:external-snapshotter + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/charts/helm_lib/templates/_csi_node.tpl b/charts/helm_lib/templates/_csi_node.tpl new file mode 100644 index 0000000..254bc40 --- /dev/null +++ b/charts/helm_lib/templates/_csi_node.tpl 
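Review bot: In `helm_lib_csi_controller_manifests` the `controller` container switches to `helm_lib_module_container_security_context_escalated_sys_admin_privileged` whenever `csi-nfs` appears in `.Values.global.enabledModules`, and the pod-level security context is relaxed by the same test. The helper's body is outside this hunk, so that it grants privileged mode is inferred from its name. The pod already sets `hostNetwork: true`, is scheduled on master nodes, and runs as the `csi` ServiceAccount, which `helm_lib_csi_controller_rbac` binds to cluster-wide `get`/`list`/`watch` on `secrets`, so a compromise of this container would reach far. I would make the privilege an explicit opt-in from the caller: add `{{- $controllerPrivileged := dig "controllerPrivileged" false $config }}` next to the other `dig` defaults and use `{{- if $controllerPrivileged }}` at both conditionals (the parameter name is only a proposal). A template comment should state which NFS controller operation needs the privilege, and if that is only mounting, check whether a context granting the single capability is enough.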
@@ -0,0 +1,206 @@ +{{- define "node_driver_registrar_resources" }} +cpu: 12m +memory: 25Mi +{{- end }} + +{{- define "node_resources" }} +cpu: 12m +memory: 25Mi +{{- end }} + +{{- /* Usage: {{ include "helm_lib_csi_node_manifests" (list . $config) }} */ -}} +{{- define "helm_lib_csi_node_manifests" }} + {{- $context := index . 0 }} + + {{- $config := index . 1 }} + {{- $fullname := $config.fullname | default "csi-node" }} + {{- $nodeImage := $config.nodeImage | required "$config.nodeImage is required" }} + {{- $driverFQDN := $config.driverFQDN | required "$config.driverFQDN is required" }} + {{- $serviceAccount := $config.serviceAccount | default "" }} + {{- $additionalNodeEnvs := $config.additionalNodeEnvs }} + {{- $additionalNodeArgs := $config.additionalNodeArgs }} + {{- $additionalNodeVolumes := $config.additionalNodeVolumes }} + {{- $additionalNodeVolumeMounts := $config.additionalNodeVolumeMounts }} + {{- $additionalNodeLivenessProbesCmd := $config.additionalNodeLivenessProbesCmd }} + {{- $initContainerCommand := $config.initContainerCommand }} + {{- $initContainerImage := $config.initContainerImage }} + {{- $initContainerVolumeMounts := $config.initContainerVolumeMounts }} + + {{- $kubernetesSemVer := semver $context.Values.global.discovery.kubernetesVersion }} + {{- $driverRegistrarImageName := join "" (list "csiNodeDriverRegistrar" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} + {{- $driverRegistrarImage := include "helm_lib_module_common_image_no_fail" (list $context $driverRegistrarImageName) }} + {{- if $driverRegistrarImage }} + {{- if or (include "_helm_lib_cloud_or_hybrid_cluster" $context) ($context.Values.global.enabledModules | has "ceph-csi") ($context.Values.global.enabledModules | has "csi-nfs") ($context.Values.global.enabledModules | has "csi-ceph") ($context.Values.global.enabledModules | has "csi-yadro") }} + {{- if ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} +--- +apiVersion: autoscaling.k8s.io/v1 
+kind: VerticalPodAutoscaler +metadata: + name: {{ $fullname }} + namespace: d8-{{ $context.Chart.Name }} + {{- include "helm_lib_module_labels" (list $context (dict "app" "csi-node" "workload-resource-policy.deckhouse.io" "every-node")) | nindent 2 }} +spec: + targetRef: + apiVersion: "apps/v1" + kind: DaemonSet + name: {{ $fullname }} + updatePolicy: + updateMode: "Auto" + resourcePolicy: + containerPolicies: + - containerName: "node-driver-registrar" + minAllowed: + {{- include "node_driver_registrar_resources" $context | nindent 8 }} + maxAllowed: + cpu: 25m + memory: 50Mi + - containerName: "node" + minAllowed: + {{- include "node_resources" $context | nindent 8 }} + maxAllowed: + cpu: 25m + memory: 50Mi + {{- end }} +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ $fullname }} + namespace: d8-{{ $context.Chart.Name }} + {{- include "helm_lib_module_labels" (list $context (dict "app" "csi-node")) | nindent 2 }} +spec: + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + app: {{ $fullname }} + template: + metadata: + labels: + app: {{ $fullname }} + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - operator: In + key: node.deckhouse.io/type + values: + - CloudEphemeral + - CloudPermanent + - CloudStatic + {{- if or (eq $fullname "csi-node-rbd") (eq $fullname "csi-node-cephfs") (eq $fullname "csi-nfs") (eq $fullname "csi-yadro") }} + - Static + {{- end }} + imagePullSecrets: + - name: deckhouse-registry + {{- include "helm_lib_priority_class" (tuple $context "system-node-critical") | nindent 6 }} + {{- include "helm_lib_tolerations" (tuple $context "any-node" "with-no-csi") | nindent 6 }} + {{- include "helm_lib_module_pod_security_context_run_as_user_root" . 
| nindent 6 }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + containers: + - name: node-driver-registrar + {{- include "helm_lib_module_container_security_context_not_allow_privilege_escalation" $context | nindent 8 }} + image: {{ $driverRegistrarImage | quote }} + args: + - "--v=5" + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + env: + - name: CSI_ENDPOINT + value: "/csi/csi.sock" + - name: DRIVER_REG_SOCK_PATH + value: "/var/lib/kubelet/csi-plugins/{{ $driverFQDN }}/csi.sock" + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if $additionalNodeLivenessProbesCmd }} + livenessProbe: + initialDelaySeconds: 3 + exec: + command: + {{- $additionalNodeLivenessProbesCmd | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + - name: plugin-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_only_logs" 10 | nindent 12 }} + {{- if not ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "node_driver_registrar_resources" $context | nindent 12 }} + {{- end }} + - name: node + securityContext: + privileged: true + image: {{ $nodeImage }} + args: + {{- if $additionalNodeArgs }} + {{- $additionalNodeArgs | toYaml | nindent 8 }} + {{- end }} + {{- if $additionalNodeEnvs }} + env: + {{- $additionalNodeEnvs | toYaml | nindent 8 }} + {{- end }} + volumeMounts: + - name: kubelet-dir + mountPath: /var/lib/kubelet + mountPropagation: "Bidirectional" + - name: plugin-dir + mountPath: /csi + - name: device-dir + mountPath: /dev + {{- if $additionalNodeVolumeMounts }} + {{- $additionalNodeVolumeMounts | toYaml | nindent 8 }} + {{- end }} + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- if not ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include 
"node_resources" $context | nindent 12 }} + {{- end }} + {{- if $initContainerCommand }} + initContainers: + - command: + {{- $initContainerCommand | toYaml | nindent 8 }} + image: {{ $initContainerImage }} + imagePullPolicy: IfNotPresent + name: csi-node-init-container + {{- if $initContainerVolumeMounts }} + volumeMounts: + {{- $initContainerVolumeMounts | toYaml | nindent 8 }} + {{- end }} + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- end }} + serviceAccount: {{ $serviceAccount | quote }} + serviceAccountName: {{ $serviceAccount | quote }} + volumes: + - name: registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: Directory + - name: kubelet-dir + hostPath: + path: /var/lib/kubelet + type: Directory + - name: plugin-dir + hostPath: + path: /var/lib/kubelet/csi-plugins/{{ $driverFQDN }}/ + type: DirectoryOrCreate + - name: device-dir + hostPath: + path: /dev + type: Directory + {{- if $additionalNodeVolumes }} + {{- $additionalNodeVolumes | toYaml | nindent 6 }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/helm_lib/templates/_enable_ds_eviction.tpl b/charts/helm_lib/templates/_enable_ds_eviction.tpl new file mode 100644 index 0000000..b912c05 --- /dev/null +++ b/charts/helm_lib/templates/_enable_ds_eviction.tpl @@ -0,0 +1,6 @@ +{{- /* Usage: {{ include "helm_lib_prevent_ds_eviction_annotation" . }} */ -}} +{{- /* Adds `cluster-autoscaler.kubernetes.io/enable-ds-eviction` annotation to manage DaemonSet eviction by the Cluster Autoscaler. */ -}} +{{- /* This is important to prevent the eviction of DaemonSet pods during cluster scaling. */ -}} +{{- define "helm_lib_prevent_ds_eviction_annotation" -}} +cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false" +{{- end }} diff --git a/charts/helm_lib/templates/_envs_for_proxy.tpl b/charts/helm_lib/templates/_envs_for_proxy.tpl new file mode 100644 index 0000000..177bb1c --- /dev/null 
+++ b/charts/helm_lib/templates/_envs_for_proxy.tpl
@@ -0,0 +1,30 @@
+{{- /* Usage: {{ include "helm_lib_envs_for_proxy" . }} */ -}}
+{{- /* Add HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables for container */ -}}
+{{- /* depends on [proxy settings](https://deckhouse.io/documentation/v1/deckhouse-configure-global.html#parameters-modules-proxy) */ -}}
+{{- define "helm_lib_envs_for_proxy" }}
+ {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- if $context.Values.global.clusterConfiguration }}
+ {{- if $context.Values.global.clusterConfiguration.proxy }}
+ {{- if $context.Values.global.clusterConfiguration.proxy.httpProxy }}
+- name: HTTP_PROXY
+ value: {{ $context.Values.global.clusterConfiguration.proxy.httpProxy | quote }}
+- name: http_proxy
+ value: {{ $context.Values.global.clusterConfiguration.proxy.httpProxy | quote }}
+ {{- end }}
+ {{- if $context.Values.global.clusterConfiguration.proxy.httpsProxy }}
+- name: HTTPS_PROXY
+ value: {{ $context.Values.global.clusterConfiguration.proxy.httpsProxy | quote }}
+- name: https_proxy
+ value: {{ $context.Values.global.clusterConfiguration.proxy.httpsProxy | quote }}
+ {{- end }}
+ {{- $noProxy := list "127.0.0.1" "169.254.169.254" $context.Values.global.clusterConfiguration.clusterDomain $context.Values.global.clusterConfiguration.podSubnetCIDR $context.Values.global.clusterConfiguration.serviceSubnetCIDR }}
+ {{- if $context.Values.global.clusterConfiguration.proxy.noProxy }}
+ {{- $noProxy = concat $noProxy $context.Values.global.clusterConfiguration.proxy.noProxy }}
+ {{- end }}
+- name: NO_PROXY
+ value: {{ $noProxy | join "," | quote }}
+- name: no_proxy
+ value: {{ $noProxy | join "," | quote }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/helm_lib/templates/_high_availability.tpl b/charts/helm_lib/templates/_high_availability.tpl
new file mode 100644
index 0000000..8c7da23
--- /dev/null
+++ b/charts/helm_lib/templates/_high_availability.tpl
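Review bot: `helm_lib_envs_for_proxy` copies `proxy.httpProxy` and `proxy.httpsProxy` verbatim into plain `env` values, so a proxy URL that embeds credentials (`http://user:pass@host`) would be readable by anyone who can read the pod spec; whether such URLs are permitted is not visible in this hunk. I would state this in the helper's header comment, for example `{{- /* NOTE: values are rendered as plain env entries; a proxy URL with embedded credentials becomes visible in the pod spec */ -}}`. The `$noProxy` list also hard-codes `169.254.169.254` without explanation; a short why-comment (presumably the cloud metadata address, to be confirmed) would help the next reader.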
@@ -0,0 +1,39 @@
+{{- /* Usage: {{ include "helm_lib_is_ha_to_value" (list . yes no) }} */ -}}
+{{- /* returns value "yes" if cluster is highly available, else — returns "no" */ -}}
+{{- define "helm_lib_is_ha_to_value" }}
+ {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $yes := index . 1 -}} {{- /* Yes value */ -}}
+ {{- $no := index . 2 -}} {{- /* No value */ -}}
+
+ {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) }}
+
+ {{- if hasKey $module_values "highAvailability" -}}
+ {{- if $module_values.highAvailability -}} {{- $yes -}} {{- else -}} {{- $no -}} {{- end -}}
+ {{- else if hasKey $context.Values.global "highAvailability" -}}
+ {{- if $context.Values.global.highAvailability -}} {{- $yes -}} {{- else -}} {{- $no -}} {{- end -}}
+ {{- else -}}
+ {{- if $context.Values.global.discovery.clusterControlPlaneIsHighlyAvailable -}} {{- $yes -}} {{- else -}} {{- $no -}} {{- end -}}
+ {{- end -}}
+{{- end }}
+
+{{- /* Usage: {{- if (include "helm_lib_ha_enabled" .) }} */ -}}
+{{- /* returns empty value, which is treated by go template as false */ -}}
+{{- define "helm_lib_ha_enabled" }}
+ {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+
+ {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) }}
+
+ {{- if hasKey $module_values "highAvailability" -}}
+ {{- if $module_values.highAvailability -}}
+ "not empty string"
+ {{- end -}}
+ {{- else if hasKey $context.Values.global "highAvailability" -}}
+ {{- if $context.Values.global.highAvailability -}}
+ "not empty string"
+ {{- end -}}
+ {{- else -}}
+ {{- if $context.Values.global.discovery.clusterControlPlaneIsHighlyAvailable -}}
+ "not empty string"
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/helm_lib/templates/_kube_rbac_proxy.tpl b/charts/helm_lib/templates/_kube_rbac_proxy.tpl
new file mode 100644
index 0000000..af9f7a4
--- /dev/null
+++ b/charts/helm_lib/templates/_kube_rbac_proxy.tpl
@@ -0,0 +1,21 @@
+{{- /* Usage: {{ include "helm_lib_kube_rbac_proxy_ca_certificate" (list . "namespace") }} */ -}}
+{{- /* Renders configmap with kube-rbac-proxy CA certificate which uses to verify the kube-rbac-proxy clients. */ -}}
+{{- define "helm_lib_kube_rbac_proxy_ca_certificate" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+{{- /* Namespace where CA configmap will be created */ -}}
+ {{- $context := index . 0 }}
+ {{- $namespace := index . 1 }}
+---
+apiVersion: v1
+data:
+ ca.crt: |
+ {{ $context.Values.global.internal.modules.kubeRBACProxyCA.cert | nindent 4 }}
+kind: ConfigMap
+metadata:
+ annotations:
+ kubernetes.io/description: |
+ Contains a CA bundle that can be used to verify the kube-rbac-proxy clients.
+ {{- include "helm_lib_module_labels" (list $context) | nindent 2 }}
+ name: kube-rbac-proxy-ca.crt
+ namespace: {{ $namespace }}
+{{- end }}
diff --git a/charts/helm_lib/templates/_module_documentation_uri.tpl b/charts/helm_lib/templates/_module_documentation_uri.tpl
new file mode 100644
index 0000000..a02cf45
--- /dev/null
+++ b/charts/helm_lib/templates/_module_documentation_uri.tpl
@@ -0,0 +1,15 @@
+{{- /* Usage: {{ include "helm_lib_module_documentation_uri" (list . "") }} */ -}}
+{{- /* returns rendered documentation uri using publicDomainTemplate or deckhouse.io domains*/ -}}
+{{- define "helm_lib_module_documentation_uri" }}
+ {{- $default_doc_prefix := "https://deckhouse.io/documentation/v1" -}}
+ {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $path_portion := index . 1 -}} {{- /* Path to the document */ -}}
+ {{- $uri := "" -}}
+ {{- if $context.Values.global.modules.publicDomainTemplate }}
+ {{- $uri = printf "%s://%s%s" (include "helm_lib_module_uri_scheme" $context) (include "helm_lib_module_public_domain" (list $context "documentation")) $path_portion -}}
+ {{- else }}
+ {{- $uri = printf "%s%s" $default_doc_prefix $path_portion -}}
+ {{- end -}}
+
+ {{ $uri }}
+{{- end }}
diff --git a/charts/helm_lib/templates/_module_ephemeral_storage.tpl b/charts/helm_lib/templates/_module_ephemeral_storage.tpl
new file mode 100644
index 0000000..4b2dd02
--- /dev/null
+++ b/charts/helm_lib/templates/_module_ephemeral_storage.tpl
@@ -0,0 +1,15 @@
+{{- /* Usage: {{ include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 }} */ -}}
+{{- /* 50Mi for container logs `log-opts.max-file * log-opts.max-size` would be added to passed value */ -}}
+{{- /* returns ephemeral-storage size for logs with extra space */ -}}
+{{- define "helm_lib_module_ephemeral_storage_logs_with_extra" -}}
+{{- /* Extra space in mebibytes */ -}}
+ephemeral-storage: {{ add . 50 }}Mi
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_ephemeral_storage_only_logs" . }} */ -}}
+{{- /* 50Mi for container logs `log-opts.max-file * log-opts.max-size` would be requested */ -}}
+{{- /* returns ephemeral-storage size for only logs */ -}}
+{{- define "helm_lib_module_ephemeral_storage_only_logs" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+ephemeral-storage: 50Mi
+{{- end }}
diff --git a/charts/helm_lib/templates/_module_generate_common_name.tpl b/charts/helm_lib/templates/_module_generate_common_name.tpl
new file mode 100644
index 0000000..fb142f8
--- /dev/null
+++ b/charts/helm_lib/templates/_module_generate_common_name.tpl
@@ -0,0 +1,13 @@
+{{- /* Usage: {{ include "helm_lib_module_generate_common_name" (list . "") }} */ -}}
+{{- /* returns the commonName parameter for use in the Certificate custom resource(cert-manager) */ -}}
+{{- define "helm_lib_module_generate_common_name" }}
+ {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $name_portion := index . 1 -}} {{- /* Name portion */ -}}
+
+ {{- $domain := include "helm_lib_module_public_domain" (list $context $name_portion) -}}
+
+ {{- $domain_length := len $domain -}}
+ {{- if le $domain_length 64 -}}
+commonName: {{ $domain }}
+ {{- end -}}
+{{- end }}
diff --git a/charts/helm_lib/templates/_module_https.tpl b/charts/helm_lib/templates/_module_https.tpl
new file mode 100644
index 0000000..8ee41ef
--- /dev/null
+++ b/charts/helm_lib/templates/_module_https.tpl
@@ -0,0 +1,160 @@ +{{- /* Usage: {{ include "helm_lib_module_uri_scheme" . }} */ -}} +{{- /* return module uri scheme "http" or "https" */ -}} +{{- define "helm_lib_module_uri_scheme" -}} + {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $mode := "" -}} + + {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) -}} + {{- if hasKey $module_values "https" -}} + {{- if hasKey $module_values.https "mode" -}} + {{- $mode = $module_values.https.mode -}} + {{- else }} + {{- $mode = $context.Values.global.modules.https.mode | default "" -}} + {{- end }} + {{- else }} + {{- $mode = $context.Values.global.modules.https.mode | default "" -}} + {{- end }} + + + {{- if eq "Disabled" $mode -}} + http + {{- else -}} + https + {{- end -}} +{{- end -}} + +{{- /* Usage: {{ $https_values := include "helm_lib_https_values" . | fromYaml }} */ -}} +{{- define "helm_lib_https_values" -}} + {{- $context := . -}} + {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) -}} + {{- $mode := "" -}} + {{- $certManagerClusterIssuerName := "" -}} + + {{- if hasKey $module_values "https" -}} + {{- if hasKey $module_values.https "mode" -}} + {{- $mode = $module_values.https.mode -}} + {{- if eq $mode "CertManager" -}} + {{- if not (hasKey $module_values.https "certManager") -}} + {{- cat ".https.certManager.clusterIssuerName is mandatory when .https.mode is set to CertManager" | fail -}} + {{- end -}} + {{- if hasKey $module_values.https.certManager "clusterIssuerName" -}} + {{- $certManagerClusterIssuerName = $module_values.https.certManager.clusterIssuerName -}} + {{- else -}} + {{- cat ".https.certManager.clusterIssuerName is mandatory when .https.mode is set to CertManager" | fail -}} + {{- end -}} + {{- end -}} + {{- else -}} + {{- cat ".https.mode is mandatory when .https is defined" | fail -}} + {{- end -}} + {{- end -}} + + {{- if empty $mode -}} + {{- $mode = 
$context.Values.global.modules.https.mode -}} + {{- if eq $mode "CertManager" -}} + {{- $certManagerClusterIssuerName = $context.Values.global.modules.https.certManager.clusterIssuerName -}} + {{- end -}} + {{- end -}} + + {{- if not (has $mode (list "Disabled" "CertManager" "CustomCertificate" "OnlyInURI")) -}} + {{- cat "Unknown https.mode:" $mode | fail -}} + {{- end -}} + + {{- if and (eq $mode "CertManager") (not ($context.Values.global.enabledModules | has "cert-manager")) -}} + {{- cat "https.mode has value CertManager but cert-manager module not enabled" | fail -}} + {{- end -}} + +mode: {{ $mode }} + {{- if eq $mode "CertManager" }} +certManager: + clusterIssuerName: {{ $certManagerClusterIssuerName }} + {{- end -}} + +{{- end -}} + +{{- /* Usage: {{ if (include "helm_lib_module_https_mode" .) }} */ -}} +{{- /* returns https mode for module */ -}} +{{- define "helm_lib_module_https_mode" -}} + {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $https_values := include "helm_lib_https_values" $context | fromYaml -}} + {{- $https_values.mode -}} +{{- end -}} + +{{- /* Usage: {{ include "helm_lib_module_https_cert_manager_cluster_issuer_name" . }} */ -}} +{{- /* returns cluster issuer name */ -}} +{{- define "helm_lib_module_https_cert_manager_cluster_issuer_name" -}} + {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $https_values := include "helm_lib_https_values" $context | fromYaml -}} + {{- $https_values.certManager.clusterIssuerName -}} +{{- end -}} + +{{- /* Usage: {{ if (include "helm_lib_module_https_cert_manager_cluster_issuer_is_dns01_challenge_solver" .) }} */ -}} +{{- define "helm_lib_module_https_cert_manager_cluster_issuer_is_dns01_challenge_solver" -}} + {{- $context := . 
-}} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- if has (include "helm_lib_module_https_cert_manager_cluster_issuer_name" $context) (list "route53" "cloudflare" "digitalocean" "clouddns") }} + "not empty string" + {{- end -}} +{{- end -}} + +{{- /* Usage: {{ include "helm_lib_module_https_cert_manager_acme_solver_challenge_settings" . | nindent 4 }} */ -}} +{{- define "helm_lib_module_https_cert_manager_acme_solver_challenge_settings" -}} + {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- if (include "helm_lib_module_https_cert_manager_cluster_issuer_is_dns01_challenge_solver" $context) }} +- dns01: + provider: {{ include "helm_lib_module_https_cert_manager_cluster_issuer_name" $context }} + {{- else }} +- http01: + ingressClass: {{ include "helm_lib_module_ingress_class" $context | quote }} + {{- end }} +{{- end -}} + +{{- /* Usage: {{ if (include "helm_lib_module_https_ingress_tls_enabled" .) }} */ -}} +{{- /* returns not empty string if tls should enable for ingress */ -}} +{{- define "helm_lib_module_https_ingress_tls_enabled" -}} + {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}} + + {{- $mode := include "helm_lib_module_https_mode" $context -}} + + {{- if or (eq "CertManager" $mode) (eq "CustomCertificate" $mode) -}} + not empty string + {{- end -}} +{{- end -}} + +{{- /* Usage: {{ include "helm_lib_module_https_copy_custom_certificate" (list . "namespace" "secret_name_prefix") }} */ -}} +{{- /* Renders secret with [custom certificate](https://deckhouse.io/documentation/v1/deckhouse-configure-global.html#parameters-modules-https-customcertificate) */ -}} +{{- /* in passed namespace with passed prefix */ -}} +{{- define "helm_lib_module_https_copy_custom_certificate" -}} + {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $namespace := index . 1 -}} {{- /* Namespace */ -}} + {{- $secret_name_prefix := index . 
2 -}} {{- /* Secret name prefix */ -}} + {{- $mode := include "helm_lib_module_https_mode" $context -}} + {{- if eq $mode "CustomCertificate" -}} + {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) -}} + {{- $secret_name := include "helm_lib_module_https_secret_name" (list $context $secret_name_prefix) -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secret_name }} + namespace: {{ $namespace }} + {{- include "helm_lib_module_labels" (list $context) | nindent 2 }} +type: kubernetes.io/tls +data: {{ $module_values.internal.customCertificateData | toJson }} + {{- end -}} +{{- end -}} + +{{- /* Usage: {{ include "helm_lib_module_https_secret_name (list . "secret_name_prefix") }} */ -}} +{{- /* returns custom certificate name */ -}} +{{- define "helm_lib_module_https_secret_name" -}} + {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $secret_name_prefix := index . 1 -}} {{- /* Secret name prefix */ -}} + {{- $mode := include "helm_lib_module_https_mode" $context -}} + {{- if eq $mode "CertManager" -}} + {{- $secret_name_prefix -}} + {{- else -}} + {{- if eq $mode "CustomCertificate" -}} + {{- printf "%s-customcertificate" $secret_name_prefix -}} + {{- else -}} + {{- fail "https.mode must be CustomCertificate or CertManager" -}} + {{- end -}} + {{- end -}} +{{- end -}} diff --git a/charts/helm_lib/templates/_module_image.tpl b/charts/helm_lib/templates/_module_image.tpl new file mode 100644 index 0000000..bdf29f0 --- /dev/null +++ b/charts/helm_lib/templates/_module_image.tpl 
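Review bot: `helm_lib_module_https_cert_manager_cluster_issuer_name` dereferences `$https_values.certManager.clusterIssuerName`, but `helm_lib_https_values` emits the `certManager` key only when the mode is `CertManager`, so in any other mode the render would likely fail on a nil value. `helm_lib_module_https_cert_manager_cluster_issuer_is_dns01_challenge_solver` and `helm_lib_module_https_cert_manager_acme_solver_challenge_settings` both call it without checking the mode first. Either guard the access, `{{- if $https_values.certManager }}{{- $https_values.certManager.clusterIssuerName -}}{{- end }}`, or document in the header comment that callers must check `helm_lib_module_https_mode` first. Separately, the Usage comment of `helm_lib_module_https_secret_name` is missing the closing quote after the template name, and `helm_lib_https_values` has no description line listing the four accepted modes.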
@@ -0,0 +1,76 @@ +{{- /* Usage: {{ include "helm_lib_module_image" (list . "") }} */ -}} +{{- /* returns image name */ -}} +{{- define "helm_lib_module_image" }} + {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $containerName := index . 1 | trimAll "\"" }} {{- /* Container name */ -}} + {{- $moduleName := (include "helm_lib_module_camelcase_name" $context) }} + {{- if ge (len .) 3 }} + {{- $moduleName = (include "helm_lib_module_camelcase_name" (index . 2)) }} {{- /* Optional module name */ -}} + {{- end }} + {{- $imageDigest := index $context.Values.global.modulesImages.digests $moduleName $containerName }} + {{- if not $imageDigest }} + {{- $error := (printf "Image %s.%s has no digest" $moduleName $containerName ) }} + {{- fail $error }} + {{- end }} + {{- $registryBase := $context.Values.global.modulesImages.registry.base }} + {{- /* handle external modules registry */}} + {{- if index $context.Values $moduleName }} + {{- if index $context.Values $moduleName "registry" }} + {{- if index $context.Values $moduleName "registry" "base" }} + {{- $host := trimAll "/" (index $context.Values $moduleName "registry" "base") }} + {{- $path := trimAll "/" $context.Chart.Name }} + {{- $registryBase = join "/" (list $host $path) }} + {{- end }} + {{- end }} + {{- end }} + {{- printf "%s@%s" $registryBase $imageDigest }} +{{- end }} + +{{- /* Usage: {{ include "helm_lib_module_image_no_fail" (list . "") }} */ -}} +{{- /* returns image name if found */ -}} +{{- define "helm_lib_module_image_no_fail" }} + {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $containerName := index . 1 | trimAll "\"" }} {{- /* Container name */ -}} + {{- $moduleName := (include "helm_lib_module_camelcase_name" $context) }} + {{- if ge (len .) 3 }} + {{- $moduleName = (include "helm_lib_module_camelcase_name" (index . 
2)) }} {{- /* Optional module name */ -}} + {{- end }} + {{- $imageDigest := index $context.Values.global.modulesImages.digests $moduleName $containerName }} + {{- if $imageDigest }} + {{- $registryBase := $context.Values.global.modulesImages.registry.base }} + {{- if index $context.Values $moduleName }} + {{- if index $context.Values $moduleName "registry" }} + {{- if index $context.Values $moduleName "registry" "base" }} + {{- $host := trimAll "/" (index $context.Values $moduleName "registry" "base") }} + {{- $path := trimAll "/" $context.Chart.Name }} + {{- $registryBase = join "/" (list $host $path) }} + {{- end }} + {{- end }} + {{- end }} + {{- printf "%s@%s" $registryBase $imageDigest }} + {{- end }} +{{- end }} + +{{- /* Usage: {{ include "helm_lib_module_common_image" (list . "") }} */ -}} +{{- /* returns image name from common module */ -}} +{{- define "helm_lib_module_common_image" }} + {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $containerName := index . 1 | trimAll "\"" }} {{- /* Container name */ -}} + {{- $imageDigest := index $context.Values.global.modulesImages.digests "common" $containerName }} + {{- if not $imageDigest }} + {{- $error := (printf "Image %s.%s has no digest" "common" $containerName ) }} + {{- fail $error }} + {{- end }} + {{- printf "%s@%s" $context.Values.global.modulesImages.registry.base $imageDigest }} +{{- end }} + +{{- /* Usage: {{ include "helm_lib_module_common_image_no_fail" (list . "") }} */ -}} +{{- /* returns image name from common module if found */ -}} +{{- define "helm_lib_module_common_image_no_fail" }} + {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $containerName := index . 
1 | trimAll "\"" }} {{- /* Container name */ -}} + {{- $imageDigest := index $context.Values.global.modulesImages.digests "common" $containerName }} + {{- if $imageDigest }} + {{- printf "%s@%s" $context.Values.global.modulesImages.registry.base $imageDigest }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/helm_lib/templates/_module_ingress_class.tpl b/charts/helm_lib/templates/_module_ingress_class.tpl new file mode 100644 index 0000000..db7f50b --- /dev/null +++ b/charts/helm_lib/templates/_module_ingress_class.tpl @@ -0,0 +1,13 @@ +{{- /* Usage: {{ include "helm_lib_module_ingress_class" . }} */ -}} +{{- /* returns ingress class from module settings or if not exists from global config */ -}} +{{- define "helm_lib_module_ingress_class" -}} + {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}} + + {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) -}} + + {{- if hasKey $module_values "ingressClass" -}} + {{- $module_values.ingressClass -}} + {{- else if hasKey $context.Values.global.modules "ingressClass" -}} + {{- $context.Values.global.modules.ingressClass -}} + {{- end -}} +{{- end -}} diff --git a/charts/helm_lib/templates/_module_init_container.tpl b/charts/helm_lib/templates/_module_init_container.tpl new file mode 100644 index 0000000..9b3fe00 --- /dev/null +++ b/charts/helm_lib/templates/_module_init_container.tpl 
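Review bot: The `_no_fail` helpers can still abort rendering, because `index $context.Values.global.modulesImages.digests $moduleName $containerName` in `helm_lib_module_image_no_fail` runs before the `if $imageDigest` check. When the module has no entry under `digests`, the second index is applied to a nil value, which Go templates report as an error rather than returning empty. Resolving the module map first would make the helper match its name: `{{- $moduleDigests := index $context.Values.global.modulesImages.digests $moduleName | default dict }}` followed by `{{- $imageDigest := index $moduleDigests $containerName }}`; the same applies to the `"common"` lookup in `helm_lib_module_common_image_no_fail`. The header comments should also say that the `_no_fail` variants render an empty string when no digest is found, so a caller must guard before writing `image:`. The registry-override block is duplicated between `helm_lib_module_image` and its `_no_fail` twin and could live in one shared helper so the two cannot drift apart.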
@@ -0,0 +1,56 @@ +{{- /* ### Migration 11.12.2020: Remove this helper with all its usages after this commit reached RockSolid */ -}} +{{- /* Usage: {{ include "helm_lib_module_init_container_chown_nobody_volume" (list . "volume-name") }} */ -}} +{{- /* returns initContainer which chowns recursively all files and directories in passed volume */ -}} +{{- define "helm_lib_module_init_container_chown_nobody_volume" }} + {{- $context := index . 0 -}} + {{- $volume_name := index . 1 -}} +- name: chown-volume-{{ $volume_name }} + image: {{ include "helm_lib_module_common_image" (list $context "alpine") }} + command: ["sh", "-c", "chown -R 65534:65534 /tmp/{{ $volume_name }}"] + securityContext: + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 + volumeMounts: + - name: {{ $volume_name }} + mountPath: /tmp/{{ $volume_name }} + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 6 }} +{{- end }} + +{{- /* Usage: {{ include "helm_lib_module_init_container_chown_deckhouse_volume" (list . "volume-name") }} */ -}} +{{- /* returns initContainer which chowns recursively all files and directories in passed volume */ -}} +{{- define "helm_lib_module_init_container_chown_deckhouse_volume" }} + {{- $context := index . 0 -}} + {{- $volume_name := index . 1 -}} +- name: chown-volume-{{ $volume_name }} + image: {{ include "helm_lib_module_common_image" (list $context "alpine") }} + command: ["sh", "-c", "chown -R 64535:64535 /tmp/{{ $volume_name }}"] + securityContext: + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 + volumeMounts: + - name: {{ $volume_name }} + mountPath: /tmp/{{ $volume_name }} + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 6 }} +{{- end }} + +{{- /* Usage: {{ include "helm_lib_module_init_container_check_linux_kernel" (list . 
">= 4.9.17") }} */ -}} +{{- /* returns initContainer which checks the kernel version on the node for compliance to semver constraint */ -}} +{{- define "helm_lib_module_init_container_check_linux_kernel" }} + {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $semver_constraint := index . 1 -}} {{- /* Semver constraint */ -}} +- name: check-linux-kernel + image: {{ include "helm_lib_module_common_image" (list $context "checkKernelVersion") }} + {{- include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . | nindent 2 }} + env: + - name: KERNEL_CONSTRAINT + value: {{ $semver_constraint | quote }} + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_only_logs" $context | nindent 6 }} +{{- end }} diff --git a/charts/helm_lib/templates/_module_labels.tpl b/charts/helm_lib/templates/_module_labels.tpl new file mode 100644 index 0000000..228dcf3 --- /dev/null +++ b/charts/helm_lib/templates/_module_labels.tpl @@ -0,0 +1,15 @@ +{{- /* Usage: {{ include "helm_lib_module_labels" (list . (dict "app" "test" "component" "testing")) }} */ -}} +{{- /* returns deckhouse labels */ -}} +{{- define "helm_lib_module_labels" }} + {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- /* Additional labels dict */ -}} +labels: + heritage: deckhouse + module: {{ $context.Chart.Name }} + {{- if eq (len .) 2 }} + {{- $deckhouse_additional_labels := index . 1 }} + {{- range $key, $value := $deckhouse_additional_labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/helm_lib/templates/_module_name.tpl b/charts/helm_lib/templates/_module_name.tpl new file mode 100644 index 0000000..0fecf05 --- /dev/null +++ b/charts/helm_lib/templates/_module_name.tpl 
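Review bot: Both chown init containers (`helm_lib_module_init_container_chown_nobody_volume` and `helm_lib_module_init_container_chown_deckhouse_volume`) run as UID 0 with the runtime's default capability set and no `allowPrivilegeEscalation: false`, and they splice `$volume_name` into an `sh -c` string. The volume name is presumably chart-controlled, but an exec-form command avoids shell interpretation entirely: `command: ["chown", "-R", "65534:65534", "/tmp/{{ $volume_name }}"]` (and `64535:64535` in the second helper). I would also add `allowPrivilegeEscalation: false` and a `capabilities` block that drops everything and adds back only what the recursive chown needs (CHOWN at least; confirm against real volumes whether more is required). The first helper's migration comment says it should be removed; if it stays, the header should say why a root container is still needed.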
@@ -0,0 +1,11 @@
+{{- define "helm_lib_module_camelcase_name" -}}
+
+{{- $moduleName := "" -}}
+{{- if (kindIs "string" .) -}}
+{{- $moduleName = . | trimAll "\"" -}}
+{{- else -}}
+{{- $moduleName = .Chart.Name -}}
+{{- end -}}
+
+{{ $moduleName | replace "-" "_" | camelcase | untitle }}
+{{- end -}}
diff --git a/charts/helm_lib/templates/_module_public_domain.tpl b/charts/helm_lib/templates/_module_public_domain.tpl
new file mode 100644
index 0000000..bfbaae7
--- /dev/null
+++ b/charts/helm_lib/templates/_module_public_domain.tpl
@@ -0,0 +1,11 @@
+{{- /* Usage: {{ include "helm_lib_module_public_domain" (list . "") }} */ -}}
+{{- /* returns rendered publicDomainTemplate to service fqdn */ -}}
+{{- define "helm_lib_module_public_domain" }}
+ {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $name_portion := index . 1 -}} {{- /* Name portion */ -}}
+
+ {{- if not (contains "%s" $context.Values.global.modules.publicDomainTemplate) }}
+ {{ fail "Error!!! global.modules.publicDomainTemplate must contain \"%s\" pattern to render service fqdn!" }}
+ {{- end }}
+ {{- printf $context.Values.global.modules.publicDomainTemplate $name_portion }}
+{{- end }}
diff --git a/charts/helm_lib/templates/_module_security_context.tpl b/charts/helm_lib/templates/_module_security_context.tpl
new file mode 100644
index 0000000..c726277
--- /dev/null
+++ b/charts/helm_lib/templates/_module_security_context.tpl
@@ -0,0 +1,199 @@
+{{- /* Usage: {{ include "helm_lib_module_pod_security_context_run_as_user_custom" (list . 1000 1000) }} */ -}}
+{{- /* returns PodSecurityContext parameters for Pod with custom user and group */ -}}
+{{- define "helm_lib_module_pod_security_context_run_as_user_custom" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+{{- /* User id */ -}}
+{{- /* Group id */ -}}
+securityContext:
+ runAsNonRoot: true
+ runAsUser: {{ index . 1 }}
+ runAsGroup: {{ index . 2 }}
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_pod_security_context_run_as_user_nobody" . }} */ -}}
+{{- /* returns PodSecurityContext parameters for Pod with user and group "nobody" */ -}}
+{{- define "helm_lib_module_pod_security_context_run_as_user_nobody" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_pod_security_context_run_as_user_nobody_with_writable_fs" . }} */ -}}
+{{- /* returns PodSecurityContext parameters for Pod with user and group "nobody" with write access to mounted volumes */ -}}
+{{- define "helm_lib_module_pod_security_context_run_as_user_nobody_with_writable_fs" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+ fsGroup: 65534
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . }} */ -}}
+{{- /* returns PodSecurityContext parameters for Pod with user and group "deckhouse" */ -}}
+{{- define "helm_lib_module_pod_security_context_run_as_user_deckhouse" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ runAsNonRoot: true
+ runAsUser: 64535
+ runAsGroup: 64535
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs" .
}} */ -}}
+{{- /* returns PodSecurityContext parameters for Pod with user and group "deckhouse" with write access to mounted volumes */ -}}
+{{- define "helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ runAsNonRoot: true
+ runAsUser: 64535
+ runAsGroup: 64535
+ fsGroup: 64535
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted" . }} */ -}}
+{{- /* returns SecurityContext parameters for Container with user and group "deckhouse" plus minimal required settings to comply with the Restricted mode of the Pod Security Standards */ -}}
+{{- define "helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ runAsGroup: 64535
+ runAsNonRoot: true
+ runAsUser: 64535
+ seccompProfile:
+ type: RuntimeDefault
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_pod_security_context_run_as_user_root" . }} */ -}}
+{{- /* returns PodSecurityContext parameters for Pod with user and group 0 */ -}}
+{{- define "helm_lib_module_pod_security_context_run_as_user_root" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ runAsNonRoot: false
+ runAsUser: 0
+ runAsGroup: 0
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_pod_security_context_runtime_default" . }} */ -}}
+{{- /* returns PodSecurityContext parameters for Pod with seccomp profile RuntimeDefault */ -}}
+{{- define "helm_lib_module_pod_security_context_runtime_default" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_not_allow_privilege_escalation" .
}} */ -}}
+{{- /* returns SecurityContext parameters for Container with allowPrivilegeEscalation false */ -}}
+{{- define "helm_lib_module_container_security_context_not_allow_privilege_escalation" -}}
+securityContext:
+ allowPrivilegeEscalation: false
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux" . }} */ -}}
+{{- /* returns SecurityContext parameters for Container with read only root filesystem and options for SELinux compatibility*/ -}}
+{{- define "helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: 's0'
+ type: 'spc_t'
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_read_only_root_filesystem" . }} */ -}}
+{{- /* returns SecurityContext parameters for Container with read only root filesystem */ -}}
+{{- define "helm_lib_module_container_security_context_read_only_root_filesystem" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_privileged" . }} */ -}}
+{{- /* returns SecurityContext parameters for Container running privileged */ -}}
+{{- define "helm_lib_module_container_security_context_privileged" -}}
+securityContext:
+ privileged: true
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_escalated_sys_admin_privileged" .
}} */ -}}
+{{- /* returns SecurityContext parameters for Container running privileged with escalation and sys_admin */ -}}
+{{- define "helm_lib_module_container_security_context_escalated_sys_admin_privileged" -}}
+securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ add:
+ - SYS_ADMIN
+ privileged: true
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_privileged_read_only_root_filesystem" . }} */ -}}
+{{- /* returns SecurityContext parameters for Container running privileged with read only root filesystem */ -}}
+{{- define "helm_lib_module_container_security_context_privileged_read_only_root_filesystem" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ privileged: true
+ readOnlyRootFilesystem: true
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . }} */ -}}
+{{- /* returns SecurityContext for Container with read only root filesystem and all capabilities dropped */ -}}
+{{- define "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add" (list .
(list "KILL" "SYS_PTRACE")) }} */ -}}
+{{- /* returns SecurityContext parameters for Container with read only root filesystem, all dropped and some added capabilities */ -}}
+{{- define "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+{{- /* List of capabilities */ -}}
+securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ add: {{ index . 1 | toJson }}
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_capabilities_drop_all_and_add" (list . (list "KILL" "SYS_PTRACE")) }} */ -}}
+{{- /* returns SecurityContext parameters for Container with all dropped and some added capabilities */ -}}
+{{- define "helm_lib_module_container_security_context_capabilities_drop_all_and_add" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+{{- /* List of capabilities */ -}}
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ add: {{ index . 1 | toJson }}
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom" (list . 1000 1000) }} */ -}}
+{{- /* returns SecurityContext parameters for Container with read only root filesystem, all dropped, and custom user ID */ -}}
+{{- define "helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+{{- /* User id */ -}}
+{{- /* Group id */ -}}
+securityContext:
+ runAsUser: {{ index . 1 }}
+ runAsGroup: {{ index . 2 }}
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+{{- end }}
diff --git a/charts/helm_lib/templates/_module_storage_class.tpl b/charts/helm_lib/templates/_module_storage_class.tpl
new file mode 100644
index 0000000..cf761a5
--- /dev/null
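Review bot: `helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted` drops the capability `all` in lower case, while every other helper in this file drops `ALL`. As far as I know, the Pod Security admission check for the Restricted profile compares the dropped entry with the literal `ALL`, so containers rendered with this helper would likely still be flagged or rejected in a namespace enforcing `restricted`, which is the one thing the helper promises to satisfy. The list item should read `- ALL`. Separately, `helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux` sets the SELinux type `spc_t`, and its comment should say that this type leaves the container unconfined by SELinux, so that chart authors do not read "SELinux compatibility" as a hardening option.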
+++ b/charts/helm_lib/templates/_module_storage_class.tpl @@ -0,0 +1,38 @@ +{{- /* Usage: {{ include "helm_lib_module_storage_class_annotations" (list $ $index $storageClass.name) }} */ -}} +{{- /* return module StorageClass annotations */ -}} +{{- define "helm_lib_module_storage_class_annotations" -}} + {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $sc_index := index . 1 -}} {{- /* Storage class index */ -}} + {{- $sc_name := index . 2 -}} {{- /* Storage class name */ -}} + {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) -}} + {{- $annotations := dict -}} + + {{- $volume_expansion_mode_offline := false -}} + {{- range $module_name := list "cloud-provider-azure" "cloud-provider-yandex" "cloud-provider-vsphere" "cloud-provider-vcd"}} + {{- if has $module_name $context.Values.global.enabledModules }} + {{- $volume_expansion_mode_offline = true }} + {{- end }} + {{- end }} + + {{- if $volume_expansion_mode_offline }} + {{- $_ := set $annotations "storageclass.deckhouse.io/volume-expansion-mode" "offline" }} + {{- end }} + + {{- if hasKey $module_values.internal "defaultStorageClass" }} + {{- if eq $module_values.internal.defaultStorageClass $sc_name }} + {{- $_ := set $annotations "storageclass.kubernetes.io/is-default-class" "true" }} + {{- end }} + {{- else }} + {{- if eq $sc_index 0 }} + {{- if $context.Values.global.discovery.defaultStorageClass }} + {{- if eq $context.Values.global.discovery.defaultStorageClass $sc_name }} + {{- $_ := set $annotations "storageclass.kubernetes.io/is-default-class" "true" }} + {{- end }} + {{- else }} + {{- $_ := set $annotations "storageclass.kubernetes.io/is-default-class" "true" }} + {{- end }} + {{- end }} + {{- end }} + +{{- (dict "annotations" $annotations) | toYaml -}} +{{- end -}} 
diff --git a/charts/helm_lib/templates/_monitoring_grafana_dashboards.tpl b/charts/helm_lib/templates/_monitoring_grafana_dashboards.tpl
new file mode 100644
index 0000000..ebbcefb
--- /dev/null
+++ b/charts/helm_lib/templates/_monitoring_grafana_dashboards.tpl
@@ -0,0 +1,68 @@ +{{- /* Usage: {{ include "helm_lib_grafana_dashboard_definitions_recursion" (list . [current dir]) }} */ -}} +{{- /* returns all the dashboard-definintions from / */ -}} +{{- /* current dir is optional — used for recursion but you can use it for partially generating dashboards */ -}} +{{- define "helm_lib_grafana_dashboard_definitions_recursion" -}} + {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $rootDir := index . 1 }} {{- /* Dashboards root dir */ -}} + {{- /* Dashboards current dir */ -}} + + {{- $currentDir := "" }} + {{- if gt (len .) 2 }} {{- $currentDir = index . 2 }} {{- else }} {{- $currentDir = $rootDir }} {{- end }} + + {{- $currentDirIndex := (sub ($currentDir | splitList "/" | len) 1) }} + {{- $rootDirIndex := (sub ($rootDir | splitList "/" | len) 1) }} + {{- $folderNamesIndex := (add1 $rootDirIndex) }} + + {{- range $path, $_ := $context.Files.Glob (print $currentDir "/*.json") }} + {{- $fileName := ($path | splitList "/" | last ) }} + {{- $definition := ($context.Files.Get $path) }} + + {{- $folder := (index ($currentDir | splitList "/") $folderNamesIndex | replace "-" " " | title) }} + {{- $resourceName := (regexReplaceAllLiteral "\\.json$" $path "") }} + {{- $resourceName = ($resourceName | replace " " "-" | replace "." 
"-" | replace "_" "-") }} + {{- $resourceName = (slice ($resourceName | splitList "/") $folderNamesIndex | join "-") }} + {{- $resourceName = (printf "%s-%s" $context.Chart.Name $resourceName) }} + +{{ include "helm_lib_single_dashboard" (list $context $resourceName $folder $definition) }} + {{- end }} + + {{- $subDirs := list }} + {{- range $path, $_ := ($context.Files.Glob (print $currentDir "/**.json")) }} + {{- $pathSlice := ($path | splitList "/") }} + {{- $subDirs = append $subDirs (slice $pathSlice 0 (add $currentDirIndex 2) | join "/") }} + {{- end }} + + {{- range $subDir := ($subDirs | uniq) }} +{{ include "helm_lib_grafana_dashboard_definitions_recursion" (list $context $rootDir $subDir) }} + {{- end }} +{{- end }} + + +{{- /* Usage: {{ include "helm_lib_grafana_dashboard_definitions" . }} */ -}} +{{- /* returns dashboard-definintions from monitoring/grafana-dashboards/ */ -}} +{{- define "helm_lib_grafana_dashboard_definitions" -}} + {{- $context := . }} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- if ( $context.Values.global.enabledModules | has "prometheus-crd" ) }} +{{- include "helm_lib_grafana_dashboard_definitions_recursion" (list $context "monitoring/grafana-dashboards") }} + {{- end }} +{{- end }} + + +{{- /* Usage: {{ include "helm_lib_single_dashboard" (list . "dashboard-name" "folder" $dashboard) }} */ -}} +{{- /* renders a single dashboard */ -}} +{{- define "helm_lib_single_dashboard" -}} + {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $resourceName := index . 1 }} {{- /* Dashboard name */ -}} + {{- $folder := index . 2 }} {{- /* Folder */ -}} + {{- $definition := index . 
3 }} {{/* Dashboard definition */}} +--- +apiVersion: deckhouse.io/v1 +kind: GrafanaDashboardDefinition +metadata: + name: d8-{{ $resourceName }} + {{- include "helm_lib_module_labels" (list $context (dict "prometheus.deckhouse.io/grafana-dashboard" "")) | nindent 2 }} +spec: + folder: "{{ $folder }}" + definition: | + {{- $definition | nindent 4 }} +{{- end }} diff --git a/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl b/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl new file mode 100644 index 0000000..794fe30 --- /dev/null +++ b/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl 
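Review bot: In `helm_lib_grafana_dashboard_definitions_recursion`, `$folder` is taken with `index ($currentDir | splitList "/") $folderNamesIndex`, which is out of range on the first call, where `$currentDir` equals `$rootDir`. A dashboard JSON placed directly in the root directory therefore aborts rendering with a bare index error that names neither the file nor the rule it broke. A guard at the top of the `range` gives a usable message: `{{- if le ($currentDir | splitList "/" | len) $folderNamesIndex }}{{- fail (printf "dashboard %s must be placed in a folder under %s" $path $rootDir) }}{{- end }}`. `$fileName` is assigned but never used and can be dropped, and `folder: "{{ $folder }}"` would be safer as `folder: {{ $folder | quote }}` so a directory name containing a quote cannot break the manifest.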
@@ -0,0 +1,96 @@ +{{- /* Usage: {{ include "helm_lib_prometheus_rules_recursion" (list . [current dir]) }} */ -}} +{{- /* returns all the prometheus rules from / */ -}} +{{- /* current dir is optional — used for recursion but you can use it for partially generating rules */ -}} +{{- define "helm_lib_prometheus_rules_recursion" -}} + {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $namespace := index . 1 }} {{- /* Namespace for creating rules */ -}} + {{- $rootDir := index . 2 }} {{- /* Rules root dir */ -}} + {{- $currentDir := "" }} {{- /* Current dir (optional) */ -}} + {{- if gt (len .) 3 }} {{- $currentDir = index . 3 }} {{- else }} {{- $currentDir = $rootDir }} {{- end }} + {{- $currentDirIndex := (sub ($currentDir | splitList "/" | len) 1) }} + {{- $rootDirIndex := (sub ($rootDir | splitList "/" | len) 1) }} + {{- $folderNamesIndex := (add1 $rootDirIndex) }} + + {{- range $path, $_ := $context.Files.Glob (print $currentDir "/*.{yaml,tpl}") }} + {{- $fileName := ($path | splitList "/" | last ) }} + {{- $definition := "" }} + {{- if eq ($path | splitList "." 
| last) "tpl" -}} + {{- $definition = tpl ($context.Files.Get $path) $context }} + {{- else }} + {{- $definition = $context.Files.Get $path }} + {{- end }} + + {{- $definition = $definition | replace "__SCRAPE_INTERVAL__" (printf "%ds" ($context.Values.global.discovery.prometheusScrapeInterval | default 30)) | replace "__SCRAPE_INTERVAL_X_2__" (printf "%ds" (mul ($context.Values.global.discovery.prometheusScrapeInterval | default 30) 2)) | replace "__SCRAPE_INTERVAL_X_3__" (printf "%ds" (mul ($context.Values.global.discovery.prometheusScrapeInterval | default 30) 3)) | replace "__SCRAPE_INTERVAL_X_4__" (printf "%ds" (mul ($context.Values.global.discovery.prometheusScrapeInterval | default 30) 4)) }} + +{{/* Patch expression based on `d8_ignore_on_update` annotation*/}} + + + {{ $definition = printf "Rules:\n%s" ($definition | nindent 2) }} + {{- $definitionStruct := ( $definition | fromYaml )}} + {{- if $definitionStruct.Error }} + {{- fail ($definitionStruct.Error | toString) }} + {{- end }} + {{- range $rule := $definitionStruct.Rules }} + + {{- range $dedicatedRule := $rule.rules }} + {{- if $dedicatedRule.annotations }} + {{- if (eq (get $dedicatedRule.annotations "d8_ignore_on_update") "true") }} + {{- $_ := set $dedicatedRule "expr" (printf "(%s) and ON() ((max(d8_is_updating) != 1) or ON() absent(d8_is_updating))" $dedicatedRule.expr) }} + {{- end }} + {{- end }} + {{- end }} + + {{- end }} + + {{ $definition = $definitionStruct.Rules | toYaml }} + + {{- $resourceName := (regexReplaceAllLiteral "\\.(yaml|tpl)$" $path "") }} + {{- $resourceName = ($resourceName | replace " " "-" | replace "." 
"-" | replace "_" "-") }} + {{- $resourceName = (slice ($resourceName | splitList "/") $folderNamesIndex | join "-") }} + {{- $resourceName = (printf "%s-%s" $context.Chart.Name $resourceName) }} +--- +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ $resourceName }} + namespace: {{ $namespace }} + {{- include "helm_lib_module_labels" (list $context (dict "app" "prometheus" "prometheus" "main" "component" "rules")) | nindent 2 }} +spec: + groups: + {{- $definition | nindent 4 }} + {{- end }} + + {{- $subDirs := list }} + {{- range $path, $_ := ($context.Files.Glob (print $currentDir "/**.{yaml,tpl}")) }} + {{- $pathSlice := ($path | splitList "/") }} + {{- $subDirs = append $subDirs (slice $pathSlice 0 (add $currentDirIndex 2) | join "/") }} + {{- end }} + + {{- range $subDir := ($subDirs | uniq) }} +{{ include "helm_lib_prometheus_rules_recursion" (list $context $namespace $rootDir $subDir) }} + {{- end }} +{{- end }} + + +{{- /* Usage: {{ include "helm_lib_prometheus_rules" (list . ) }} */ -}} +{{- /* returns all the prometheus rules from monitoring/prometheus-rules/ */ -}} +{{- define "helm_lib_prometheus_rules" -}} + {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $namespace := index . 1 }} {{- /* Namespace for creating rules */ -}} + {{- if ( $context.Values.global.enabledModules | has "operator-prometheus-crd" ) }} +{{- include "helm_lib_prometheus_rules_recursion" (list $context $namespace "monitoring/prometheus-rules") }} + {{- end }} +{{- end }} + +{{- /* Usage: {{ include "helm_lib_prometheus_target_scrape_timeout_seconds" (list . ) }} */ -}} +{{- /* returns adjust timeout value to scrape interval / */ -}} +{{- define "helm_lib_prometheus_target_scrape_timeout_seconds" -}} + {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $timeout := index . 
1 }} {{- /* Target timeout in seconds */ -}} + {{- $scrape_interval := (int $context.Values.global.discovery.prometheusScrapeInterval | default 30) }} + {{- if gt $timeout $scrape_interval -}} +{{ $scrape_interval }}s + {{- else -}} +{{ $timeout }}s + {{- end }} +{{- end }} diff --git a/charts/helm_lib/templates/_node_affinity.tpl b/charts/helm_lib/templates/_node_affinity.tpl new file mode 100644 index 0000000..cbdd0f9 --- /dev/null +++ b/charts/helm_lib/templates/_node_affinity.tpl 
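Review bot: The `__SCRAPE_INTERVAL*__` replacement chain in `helm_lib_prometheus_rules_recursion` reads `global.discovery.prometheusScrapeInterval` four times without the `int` coercion that `helm_lib_prometheus_target_scrape_timeout_seconds` applies to the same value. The first `printf "%ds"` therefore depends on the value already being an integer, whereas the `mul` variants convert it. Computing it once, `{{- $scrapeInterval := (int $context.Values.global.discovery.prometheusScrapeInterval | default 30) }}`, and using `$scrapeInterval` in all four `printf` calls keeps the two helpers consistent and shortens the line. The `$fileName` variable in the same `range` is unused. The comment on the timeout helper ("returns adjust timeout value to scrape interval /") should state the rule the code implements, namely that the result is the smaller of the requested timeout and the scrape interval.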
@@ -0,0 +1,256 @@ +{{- /* Verify node selector strategy. */ -}} +{{- define "helm_lib_internal_check_node_selector_strategy" -}} + {{ if not (has . (list "frontend" "monitoring" "system" "master" )) }} + {{- fail (printf "unknown strategy \"%v\"" .) }} + {{- end }} + {{- . -}} +{{- end }} + +{{- /* Returns node selector for workloads depend on strategy. */ -}} +{{- define "helm_lib_node_selector" }} + {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $strategy := index . 1 | include "helm_lib_internal_check_node_selector_strategy" }} {{- /* strategy, one of "frontend" "monitoring" "system" "master" "any-node" "wildcard" */ -}} + {{- $module_values := dict }} + {{- if lt (len .) 3 }} + {{- $module_values = (index $context.Values (include "helm_lib_module_camelcase_name" $context)) }} + {{- else }} + {{- $module_values = index . 2 }} + {{- end }} + {{- $camel_chart_name := (include "helm_lib_module_camelcase_name" $context) }} + + {{- if eq $strategy "monitoring" }} + {{- if $module_values.nodeSelector }} +nodeSelector: {{ $module_values.nodeSelector | toJson }} + {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole $camel_chart_name | int) 0 }} +nodeSelector: + node-role.deckhouse.io/{{$context.Chart.Name}}: "" + {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole $strategy | int) 0 }} +nodeSelector: + node-role.deckhouse.io/{{$strategy}}: "" + {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole "system" | int) 0 }} +nodeSelector: + node-role.deckhouse.io/system: "" + {{- end }} + + {{- else if or (eq $strategy "frontend") (eq $strategy "system") }} + {{- if $module_values.nodeSelector }} +nodeSelector: {{ $module_values.nodeSelector | toJson }} + {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole $camel_chart_name | int) 0 }} +nodeSelector: + node-role.deckhouse.io/{{$context.Chart.Name}}: "" + {{- else if gt 
(index $context.Values.global.discovery.d8SpecificNodeCountByRole $strategy | int) 0 }} +nodeSelector: + node-role.deckhouse.io/{{$strategy}}: "" + {{- end }} + + {{- else if eq $strategy "master" }} + {{- if gt (index $context.Values.global.discovery "clusterMasterCount" | int) 0 }} +nodeSelector: + node-role.kubernetes.io/control-plane: "" + {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole "master" | int) 0 }} +nodeSelector: + node-role.deckhouse.io/control-plane: "" + {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole "system" | int) 0 }} +nodeSelector: + node-role.deckhouse.io/system: "" + {{- end }} + {{- end }} +{{- end }} + + +{{- /* Returns tolerations for workloads depend on strategy. */ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "any-node" "with-uninitialized" "without-storage-problems") }} */ -}} +{{- define "helm_lib_tolerations" }} + {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $strategy := index . 1 | include "helm_lib_internal_check_tolerations_strategy" }} {{- /* base strategy, one of "frontend" "monitoring" "system" any-node" "wildcard" */ -}} + {{- $additionalStrategies := tuple }} {{- /* list of additional strategies. To add strategy list it with prefix "with-", to remove strategy list it with prefix "without-". */ -}} + {{- if eq $strategy "custom" }} + {{ if lt (len .) 3 }} + {{- fail (print "additional strategies is required") }} + {{- end }} + {{- else }} + {{- $additionalStrategies = tuple "storage-problems" }} + {{- end }} + {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) }} + {{- if gt (len .) 2 }} + {{- range $as := slice . 2 (len .) 
}} + {{- if hasPrefix "with-" $as }} + {{- $additionalStrategies = mustAppend $additionalStrategies (trimPrefix "with-" $as) }} + {{- end }} + {{- if hasPrefix "without-" $as }} + {{- $additionalStrategies = mustWithout $additionalStrategies (trimPrefix "without-" $as) }} + {{- end }} + {{- end }} + {{- end }} +tolerations: + {{- /* Wildcard: gives permissions to schedule on any node with any taints (use with caution) */ -}} + {{- if eq $strategy "wildcard" }} + {{- include "_helm_lib_wildcard_tolerations" $context }} + + {{- else }} + {{- /* Any node: any node in the cluster with any known taints */ -}} + {{- if eq $strategy "any-node" }} + {{- include "_helm_lib_any_node_tolerations" $context }} + + {{- /* Tolerations from module config: overrides below strategies, if there is any toleration specified */ -}} + {{- else if $module_values.tolerations }} + {{- $module_values.tolerations | toYaml | nindent 0 }} + + {{- /* Monitoring: Nodes for monitoring components: prometheus, grafana, kube-state-metrics, etc. */ -}} + {{- else if eq $strategy "monitoring" }} + {{- include "_helm_lib_monitoring_tolerations" $context }} + + {{- /* Frontend: Nodes for ingress-controllers */ -}} + {{- else if eq $strategy "frontend" }} + {{- include "_helm_lib_frontend_tolerations" $context }} + + {{- /* System: Nodes for system components: prometheus, dns, cert-manager */ -}} + {{- else if eq $strategy "system" }} + {{- include "_helm_lib_system_tolerations" $context }} + {{- end }} + + {{- /* Additional strategies */ -}} + {{- range $additionalStrategies -}} + {{- include (printf "_helm_lib_additional_tolerations_%s" (. | replace "-" "_")) $context }} + {{- end }} + {{- end }} +{{- end }} + + +{{- /* Check cluster type. 
*/ -}} +{{- /* Returns not empty string if this is cloud or hybrid cluster */ -}} +{{- define "_helm_lib_cloud_or_hybrid_cluster" }} + {{- if .Values.global.clusterConfiguration }} + {{- if eq .Values.global.clusterConfiguration.clusterType "Cloud" }} + "not empty string" + {{- /* We consider non-cloud clusters with enabled cloud-provider-.* module as Hybrid clusters */ -}} + {{- else }} + {{- range $v := .Values.global.enabledModules }} + {{- if hasPrefix "cloud-provider-" $v }} + "not empty string" + {{- end }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} + +{{- /* Verify base strategy. */ -}} +{{- /* Fails if strategy not in allowed list */ -}} +{{- define "helm_lib_internal_check_tolerations_strategy" -}} + {{ if not (has . (list "custom" "frontend" "monitoring" "system" "any-node" "wildcard" )) }} + {{- fail (printf "unknown strategy \"%v\"" .) }} + {{- end }} + {{- . -}} +{{- end }} + + +{{- /* Base strategy for any uncordoned node in cluster. */ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "any-node") }} */ -}} +{{- define "_helm_lib_any_node_tolerations" }} +- key: node-role.kubernetes.io/master +- key: node-role.kubernetes.io/control-plane +- key: dedicated.deckhouse.io + operator: "Exists" +- key: dedicated + operator: "Exists" +- key: DeletionCandidateOfClusterAutoscaler +- key: ToBeDeletedByClusterAutoscaler + {{- if .Values.global.modules.placement.customTolerationKeys }} + {{- range $key := .Values.global.modules.placement.customTolerationKeys }} +- key: {{ $key | quote }} + operator: "Exists" + {{- end }} + {{- end }} +{{- end }} + +{{- /* Base strategy that tolerates all. */ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "wildcard") }} */ -}} +{{- define "_helm_lib_wildcard_tolerations" }} +- operator: "Exists" +{{- end }} + +{{- /* Base strategy that tolerates nodes with "dedicated.deckhouse.io: monitoring" and "dedicated.deckhouse.io: system" taints. 
*/ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "monitoring") }} */ -}} +{{- define "_helm_lib_monitoring_tolerations" }} +- key: dedicated.deckhouse.io + operator: Equal + value: {{ .Chart.Name | quote }} +- key: dedicated.deckhouse.io + operator: Equal + value: "monitoring" +- key: dedicated.deckhouse.io + operator: Equal + value: "system" +{{- end }} + +{{- /* Base strategy that tolerates nodes with "dedicated.deckhouse.io: frontend" taints. */ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "frontend") }} */ -}} +{{- define "_helm_lib_frontend_tolerations" }} +- key: dedicated.deckhouse.io + operator: Equal + value: {{ .Chart.Name | quote }} +- key: dedicated.deckhouse.io + operator: Equal + value: "frontend" +{{- end }} + +{{- /* Base strategy that tolerates nodes with "dedicated.deckhouse.io: system" taints. */ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "system") }} */ -}} +{{- define "_helm_lib_system_tolerations" }} +- key: dedicated.deckhouse.io + operator: Equal + value: {{ .Chart.Name | quote }} +- key: dedicated.deckhouse.io + operator: Equal + value: "system" +{{- end }} + + +{{- /* Additional strategy "uninitialized" - used for CNI's and kube-proxy to allow cni components scheduled on node after CCM initialization. */ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "any-node" "with-uninitialized") }} */ -}} +{{- define "_helm_lib_additional_tolerations_uninitialized" }} +- key: node.deckhouse.io/uninitialized + operator: "Exists" + effect: "NoSchedule" + {{- if include "_helm_lib_cloud_or_hybrid_cluster" . }} + {{- include "_helm_lib_additional_tolerations_no_csi" . }} + {{- end }} + {{- include "_helm_lib_additional_tolerations_node_problems" . }} +{{- end }} + +{{- /* Additional strategy "node-problems" - used for shedule critical components on non-ready nodes or nodes under pressure. */ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . 
"any-node" "with-node-problems") }} */ -}} +{{- define "_helm_lib_additional_tolerations_node_problems" }} +- key: node.kubernetes.io/not-ready +- key: node.kubernetes.io/out-of-disk +- key: node.kubernetes.io/memory-pressure +- key: node.kubernetes.io/disk-pressure +- key: node.kubernetes.io/pid-pressure +- key: node.kubernetes.io/unreachable +- key: node.kubernetes.io/network-unavailable +{{- end }} + +{{- /* Additional strategy "storage-problems" - used for shedule critical components on nodes with drbd problems. This additional strategy enabled by default in any base strategy except "wildcard". */ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "any-node" "without-storage-problems") }} */ -}} +{{- define "_helm_lib_additional_tolerations_storage_problems" }} +- key: drbd.linbit.com/lost-quorum +- key: drbd.linbit.com/force-io-error +- key: drbd.linbit.com/ignore-fail-over +{{- end }} + +{{- /* Additional strategy "no-csi" - used for any node with no CSI: any node, which was initialized by deckhouse, but have no csi-node driver registered on it. */ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "any-node" "with-no-csi") }} */ -}} +{{- define "_helm_lib_additional_tolerations_no_csi" }} +- key: node.deckhouse.io/csi-not-bootstrapped + operator: "Exists" + effect: "NoSchedule" +{{- end }} + +{{- /* Additional strategy "cloud-provider-uninitialized" - used for any node which is not initialized by CCM. */ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "any-node" "with-cloud-provider-uninitialized") }} */ -}} +{{- define "_helm_lib_additional_tolerations_cloud_provider_uninitialized" }} + {{- if not .Values.global.clusterIsBootstrapped }} +- key: node.cloudprovider.kubernetes.io/uninitialized + operator: Exists + {{- end }} +{{- end }} diff --git a/charts/helm_lib/templates/_pod_disruption_budget.tpl b/charts/helm_lib/templates/_pod_disruption_budget.tpl new file mode 100644 index 0000000..ccd4f21 --- /dev/null 
+++ b/charts/helm_lib/templates/_pod_disruption_budget.tpl
@@ -0,0 +1,6 @@
+{{- /* Usage: {{ include "helm_lib_pdb_daemonset" . }} */ -}}
+{{- /* Returns PDB max unavailable */ -}}
+{{- define "helm_lib_pdb_daemonset" }}
+ {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+maxUnavailable: 10%
+{{- end -}}
diff --git a/charts/helm_lib/templates/_priority_class.tpl b/charts/helm_lib/templates/_priority_class.tpl
new file mode 100644
index 0000000..5935445
--- /dev/null
+++ b/charts/helm_lib/templates/_priority_class.tpl
@@ -0,0 +1,9 @@
+{{- /* Usage: {{ include "helm_lib_priority_class" (tuple . "priority-class-name") }} /* -}}
+{{- /* returns priority class if priority-class module enabled, otherwise returns nothing */ -}}
+{{- define "helm_lib_priority_class" }}
+ {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $priorityClassName := index . 1 }} {{- /* Priority class name */ -}}
+ {{- if ( $context.Values.global.enabledModules | has "priority-class") }}
+priorityClassName: {{ $priorityClassName }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/helm_lib/templates/_resources_management.tpl b/charts/helm_lib/templates/_resources_management.tpl
new file mode 100644
index 0000000..dff75c1
--- /dev/null
+++ b/charts/helm_lib/templates/_resources_management.tpl
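Review bot: The Usage comment of `helm_lib_priority_class` is closed with `/* -}}` instead of `*/ -}}`, so it is not terminated on its own line. It appears to parse only because the "returns …" comment on the next line supplies the first `*/`, which makes the two lines one comment. Removing or reordering that second line would make the template fail to parse, or would swallow the `define`. The first line should end `… (tuple . "priority-class-name") }} */ -}}`. I would also render the value as `priorityClassName: {{ $priorityClassName | quote }}` so an unusual class name cannot change the YAML structure.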
@@ -0,0 +1,160 @@ +{{- /* Usage: {{ include "helm_lib_resources_management_pod_resources" (list [ephemeral storage requests]) }} */ -}} +{{- /* returns rendered resources section based on configuration if it is */ -}} +{{- define "helm_lib_resources_management_pod_resources" -}} + {{- $configuration := index . 0 -}} {{- /* VPA resource configuration [example](https://deckhouse.io/documentation/v1/modules/110-istio/configuration.html#parameters-controlplane-resourcesmanagement) */ -}} + {{- /* Ephemeral storage requests */ -}} + + {{- $ephemeral_storage := "50Mi" -}} + {{- if eq (len .) 2 -}} + {{- $ephemeral_storage = index . 1 -}} + {{- end -}} + + {{- $pod_resources := (include "helm_lib_resources_management_original_pod_resources" $configuration | fromYaml) -}} + {{- if not (hasKey $pod_resources "requests") -}} + {{- $_ := set $pod_resources "requests" (dict) -}} + {{- end -}} + {{- $_ := set $pod_resources.requests "ephemeral-storage" $ephemeral_storage -}} + + {{- $pod_resources | toYaml -}} +{{- end -}} + + +{{- /* Usage: {{ include "helm_lib_resources_management_original_pod_resources" }} */ -}} +{{- /* returns rendered resources section based on configuration if it is present */ -}} +{{- define "helm_lib_resources_management_original_pod_resources" -}} + {{- $configuration := . 
-}} {{- /* VPA resource configuration [example](https://deckhouse.io/documentation/v1/modules/110-istio/configuration.html#parameters-controlplane-resourcesmanagement) */ -}} + + {{- if $configuration -}} + {{- if eq $configuration.mode "Static" -}} +{{- $configuration.static | toYaml -}} + + {{- else if eq $configuration.mode "VPA" -}} + {{- $resources := dict "requests" (dict) "limits" (dict) -}} + + {{- if $configuration.vpa.cpu -}} + {{- if $configuration.vpa.cpu.min -}} + {{- $_ := set $resources.requests "cpu" ($configuration.vpa.cpu.min | toString) -}} + {{- end -}} + {{- if $configuration.vpa.cpu.limitRatio -}} + {{- $cpuLimitMillicores := round (mulf (include "helm_lib_resources_management_cpu_units_to_millicores" $configuration.vpa.cpu.min) $configuration.vpa.cpu.limitRatio) 0 | int64 -}} + {{- $_ := set $resources.limits "cpu" (printf "%dm" $cpuLimitMillicores) -}} + {{- end -}} + {{- end -}} + + {{- if $configuration.vpa.memory -}} + {{- if $configuration.vpa.memory.min -}} + {{- $_ := set $resources.requests "memory" ($configuration.vpa.memory.min | toString) -}} + {{- end -}} + {{- if $configuration.vpa.memory.limitRatio -}} + {{- $memoryLimitBytes := round (mulf (include "helm_lib_resources_management_memory_units_to_bytes" $configuration.vpa.memory.min) $configuration.vpa.memory.limitRatio) 0 | int64 -}} + {{- $_ := set $resources.limits "memory" (printf "%d" $memoryLimitBytes) -}} + {{- end -}} + {{- end -}} +{{- $resources | toYaml -}} + + {{- else -}} + {{- cat "ERROR: unknown resource management mode: " $configuration.mode | fail -}} + {{- end -}} + {{- end -}} +{{- end }} + + +{{- /* Usage: {{ include "helm_lib_resources_management_vpa_spec" (list ) }} */ -}} +{{- /* returns rendered vpa spec based on configuration and target reference */ -}} +{{- define "helm_lib_resources_management_vpa_spec" -}} + {{- $targetAPIVersion := index . 0 -}} {{- /* Target API version */ -}} + {{- $targetKind := index . 
1 -}} {{- /* Target Kind */ -}} + {{- $targetName := index . 2 -}} {{- /* Target Name */ -}} + {{- $targetContainer := index . 3 -}} {{- /* Target container name */ -}} + {{- $configuration := index . 4 -}} {{- /* VPA resource configuration [example](https://deckhouse.io/documentation/v1/modules/110-istio/configuration.html#parameters-controlplane-resourcesmanagement) */ -}} + +targetRef: + apiVersion: {{ $targetAPIVersion }} + kind: {{ $targetKind }} + name: {{ $targetName }} + {{- if eq ($configuration.mode) "VPA" }} +updatePolicy: + updateMode: {{ $configuration.vpa.mode | quote }} +resourcePolicy: + containerPolicies: + - containerName: {{ $targetContainer }} + maxAllowed: + cpu: {{ $configuration.vpa.cpu.max | quote }} + memory: {{ $configuration.vpa.memory.max | quote }} + minAllowed: + cpu: {{ $configuration.vpa.cpu.min | quote }} + memory: {{ $configuration.vpa.memory.min | quote }} + controlledValues: RequestsAndLimits + {{- else }} +updatePolicy: + updateMode: "Off" + {{- end }} +{{- end }} + + +{{- /* Usage: {{ include "helm_lib_resources_management_cpu_units_to_millicores" }} */ -}} +{{- /* helper for converting cpu units to millicores */ -}} +{{- define "helm_lib_resources_management_cpu_units_to_millicores" -}} + {{- $units := . | toString -}} + {{- if hasSuffix "m" $units -}} + {{- trimSuffix "m" $units -}} + {{- else -}} + {{- atoi $units | mul 1000 -}} + {{- end }} +{{- end }} + + +{{- /* Usage: {{ include "helm_lib_resources_management_memory_units_to_bytes" }} */ -}} +{{- /* helper for converting memory units to bytes */ -}} +{{- define "helm_lib_resources_management_memory_units_to_bytes" }} + {{- $units := . 
| toString -}} + {{- if hasSuffix "k" $units -}} + {{- trimSuffix "k" $units | atoi | mul 1000 -}} + {{- else if hasSuffix "M" $units -}} + {{- trimSuffix "M" $units | atoi | mul 1000000 -}} + {{- else if hasSuffix "G" $units -}} + {{- trimSuffix "G" $units | atoi | mul 1000000000 -}} + {{- else if hasSuffix "T" $units -}} + {{- trimSuffix "T" $units | atoi | mul 1000000000000 -}} + {{- else if hasSuffix "P" $units -}} + {{- trimSuffix "P" $units | atoi | mul 1000000000000000 -}} + {{- else if hasSuffix "E" $units -}} + {{- trimSuffix "E" $units | atoi | mul 1000000000000000000 -}} + {{- else if hasSuffix "Ki" $units -}} + {{- trimSuffix "Ki" $units | atoi | mul 1024 -}} + {{- else if hasSuffix "Mi" $units -}} + {{- trimSuffix "Mi" $units | atoi | mul 1024 | mul 1024 -}} + {{- else if hasSuffix "Gi" $units -}} + {{- trimSuffix "Gi" $units | atoi | mul 1024 | mul 1024 | mul 1024 -}} + {{- else if hasSuffix "Ti" $units -}} + {{- trimSuffix "Ti" $units | atoi | mul 1024 | mul 1024 | mul 1024 | mul 1024 -}} + {{- else if hasSuffix "Pi" $units -}} + {{- trimSuffix "Pi" $units | atoi | mul 1024 | mul 1024 | mul 1024 | mul 1024 | mul 1024 -}} + {{- else if hasSuffix "Ei" $units -}} + {{- trimSuffix "Ei" $units | atoi | mul 1024 | mul 1024 | mul 1024 | mul 1024 | mul 1024 | mul 1024 -}} + {{- else if regexMatch "^[0-9]+$" $units -}} + {{- $units -}} + {{- else -}} + {{- cat "ERROR: unknown memory format:" $units | fail -}} + {{- end }} +{{- end }} + +{{- /* Usage: {{ include "helm_lib_vpa_kube_rbac_proxy_resources" . }} */ -}} +{{- /* helper for VPA resources for kube_rbac_proxy */ -}} +{{- define "helm_lib_vpa_kube_rbac_proxy_resources" }} +{{- /* Template context with .Values, .Chart, etc */ -}} +- containerName: kube-rbac-proxy + minAllowed: + {{- include "helm_lib_container_kube_rbac_proxy_resources" . | nindent 4 }} + maxAllowed: + cpu: 20m + memory: 25Mi +{{- end }} + +{{- /* Usage: {{ include "helm_lib_container_kube_rbac_proxy_resources" . 
}} */ -}} +{{- /* helper for container resources for kube_rbac_proxy */ -}} +{{- define "helm_lib_container_kube_rbac_proxy_resources" }} +{{- /* Template context with .Values, .Chart, etc */ -}} +cpu: 10m +memory: 25Mi +{{- end }} diff --git a/charts/helm_lib/templates/_spec_for_high_availability.tpl b/charts/helm_lib/templates/_spec_for_high_availability.tpl new file mode 100644 index 0000000..8bfbf9e --- /dev/null +++ b/charts/helm_lib/templates/_spec_for_high_availability.tpl 
@@ -0,0 +1,138 @@ +{{- /* Usage: {{ include "helm_lib_pod_anti_affinity_for_ha" (list . (dict "app" "test")) }} */ -}} +{{- /* returns pod affinity spec */ -}} +{{- define "helm_lib_pod_anti_affinity_for_ha" }} +{{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}} +{{- $labels := index . 1 }} {{- /* Match labels for podAntiAffinity label selector */ -}} + {{- if (include "helm_lib_ha_enabled" $context) }} +affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + {{- range $key, $value := $labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: kubernetes.io/hostname + {{- end }} +{{- end }} + +{{- /* Usage: {{ include "helm_lib_deployment_on_master_strategy_and_replicas_for_ha" }} */ -}} +{{- /* returns deployment strategy and replicas for ha components running on master nodes */ -}} +{{- define "helm_lib_deployment_on_master_strategy_and_replicas_for_ha" }} +{{- /* Template context with .Values, .Chart, etc */ -}} + {{- if (include "helm_lib_ha_enabled" .) 
}} + {{- if gt (index .Values.global.discovery "clusterMasterCount" | int) 0 }} +replicas: {{ index .Values.global.discovery "clusterMasterCount" }} +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + {{- if gt (index .Values.global.discovery "clusterMasterCount" | int) 2 }} + maxUnavailable: 2 + {{- else }} + maxUnavailable: 1 + {{- end }} + {{- else if gt (index .Values.global.discovery.d8SpecificNodeCountByRole "master" | int) 0 }} +replicas: {{ index .Values.global.discovery.d8SpecificNodeCountByRole "master" }} +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + {{- if gt (index .Values.global.discovery.d8SpecificNodeCountByRole "master" | int) 2 }} + maxUnavailable: 2 + {{- else }} + maxUnavailable: 1 + {{- end }} + {{- else }} +replicas: 2 +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + {{- end }} + {{- else }} +replicas: 1 +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + {{- end }} +{{- end }} + +{{- /* Usage: {{ include "helm_lib_deployment_on_master_custom_strategy_and_replicas_for_ha" (list . (dict "strategy" "strategy_type")) }} */ -}} +{{- /* returns deployment with custom strategy and replicas for ha components running on master nodes */ -}} +{{- define "helm_lib_deployment_on_master_custom_strategy_and_replicas_for_ha" }} +{{- $context := index . 0 }} +{{- $optionalArgs := dict }} +{{- $strategy := "RollingUpdate" }} +{{- if ge (len .) 2 }} + {{- $optionalArgs = index . 
1 }} +{{- end }} +{{- if hasKey $optionalArgs "strategy" }} + {{- $strategy = $optionalArgs.strategy }} +{{- end }} +{{- /* Template context with .Values, .Chart, etc */ -}} + {{- if (include "helm_lib_ha_enabled" $context) }} + {{- if gt (index $context.Values.global.discovery "clusterMasterCount" | int) 0 }} +replicas: {{ index $context.Values.global.discovery "clusterMasterCount" }} +strategy: + type: {{ $strategy }} + {{- if eq $strategy "RollingUpdate" }} + rollingUpdate: + maxSurge: 0 + {{- if gt (index $context.Values.global.discovery "clusterMasterCount" | int) 2 }} + maxUnavailable: 2 + {{- else }} + maxUnavailable: 1 + {{- end }} + {{- end }} + {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole "master" | int) 0 }} +replicas: {{ index $context.Values.global.discovery.d8SpecificNodeCountByRole "master" }} +strategy: + type: {{ $strategy }} + {{- if eq $strategy "RollingUpdate" }} + rollingUpdate: + maxSurge: 0 + {{- if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole "master" | int) 2 }} + maxUnavailable: 2 + {{- else }} + maxUnavailable: 1 + {{- end }} + {{- end }} + {{- else }} +replicas: 2 +strategy: + type: {{ $strategy }} + {{- if eq $strategy "RollingUpdate" }} + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + {{- end }} + {{- end }} + {{- else }} +replicas: 1 +strategy: + type: {{ $strategy }} + {{- if eq $strategy "RollingUpdate" }} + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + {{- end }} + {{- end }} +{{- end }} + +{{- /* Usage: {{ include "helm_lib_deployment_strategy_and_replicas_for_ha" }} */ -}} +{{- /* returns deployment strategy and replicas for ha components running not on master nodes */ -}} +{{- define "helm_lib_deployment_strategy_and_replicas_for_ha" }} +{{- /* Template context with .Values, .Chart, etc */ -}} +replicas: {{ include "helm_lib_is_ha_to_value" (list . 2 1) }} +{{- if (include "helm_lib_ha_enabled" .) 
}} +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 +{{- end }} +{{- end }} diff --git a/images/csi-nfs/werf.inc.yaml b/images/csi-nfs/werf.inc.yaml index 9827165..c04afc0 100644 --- a/images/csi-nfs/werf.inc.yaml +++ b/images/csi-nfs/werf.inc.yaml @@ -35,7 +35,7 @@ shell: - chmod +x /nfsplugin --- -{{ $csiBinaries := "/bin/mount /bin/umount /sbin/mount.nfs /sbin/mount.nfs4 /sbin/umount.nfs /sbin/umount.nfs4 /bin/tar /bin/gzip /bin/cp" }} +{{ $csiBinaries := "/bin/mount /bin/umount /sbin/mount.nfs /sbin/mount.nfs4 /sbin/umount.nfs /sbin/umount.nfs4 /bin/cp" }} --- image: {{ $.ImageName }}-binaries-artifact from: {{ $.BASE_ALT_DEV }} @@ -47,18 +47,18 @@ shell: --- image: {{ $.ImageName }}-distroless-artifact -from: {{ $.BASE_ALPINE_DEV }} +from: {{ $.BASE_ALT_DEV }} final: false shell: install: - - mkdir -p /relocate/bin /relocate/sbin /relocate/etc /relocate/etc/ssl /relocate/usr/bin /relocate/usr/sbin /relocate/usr/share + - mkdir -p /relocate/bin /relocate/sbin /relocate/etc /relocate/var/lib/ssl /relocate/usr/bin /relocate/usr/sbin /relocate/usr/share - cp -pr /tmp /relocate - - cp -pr /etc/passwd /etc/group /etc/hostname /etc/hosts /etc/shadow /etc/protocols /etc/services /etc/nsswitch.conf /relocate/etc + - cp -pr /etc/passwd /etc/group /etc/hostname /etc/hosts /etc/shadow /etc/protocols /etc/services /etc/nsswitch.conf /etc/netconfig /relocate/etc - cp -pr /usr/share/ca-certificates /relocate/usr/share - cp -pr /usr/share/zoneinfo /relocate/usr/share - - cp -pr etc/ssl/cert.pem /relocate/etc/ssl - - cp -pr /etc/ssl/certs /relocate/etc/ssl + - cp -pr /var/lib/ssl/cert.pem /relocate/var/lib/ssl + - cp -pr /var/lib/ssl/certs /relocate/var/lib/ssl - echo "deckhouse:x:64535:64535:deckhouse:/:/sbin/nologin" >> /relocate/etc/passwd - echo "deckhouse:x:64535:" >> /relocate/etc/group - echo "deckhouse:!::0:::::" >> /relocate/etc/shadow 
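Review bot: In the `@@ -47,18 +47,18 @@` hunk of images/csi-nfs/werf.inc.yaml the CA bundle is now relocated only under `/relocate/var/lib/ssl`; the `/relocate/etc/ssl` directory is no longer created or filled. Go's default root lookup checks fixed locations such as `/etc/ssl/cert.pem` and `/etc/ssl/certs`, so if `/nfsplugin` ever relies on system roots it may find none, unless `/etc/ssl` resolves to the new path in the final image. This is inferred, because the import section that consumes `/relocate` is outside this hunk. If the roots are needed, either relocate a matching `/etc/ssl` entry or set `SSL_CERT_FILE` / `SSL_CERT_DIR` for the final image.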
@@ -96,5 +96,6 @@ import: includePaths: - 'libresolv*' - 'libnss_dns*' + - 'libnss_files*' docker: ENTRYPOINT: ["/nfsplugin"] diff --git a/images/wait-rpcbind/src/cmd/main.go b/images/wait-rpcbind/src/cmd/main.go new file mode 100644 index 0000000..521fe77 --- /dev/null +++ b/images/wait-rpcbind/src/cmd/main.go 
@@ -0,0 +1,70 @@
+/*
+Copyright 2024 Flant JSC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+ "log"
+ "net"
+ "os"
+ "os/signal"
+ "syscall"
+ "time"
+)
+
+func main() {
+ log.Println("Waiting for socket /run/rpcbind.sock...")
+
+ sigs := make(chan os.Signal, 1)
+ done := make(chan string, 1)
+
+ signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)
+
+ go func() {
+ sig := <-sigs
+ log.Printf("Received signal %s, exiting.", sig.String())
+ done <- sig.String()
+ }()
+
+ for {
+ select {
+ case sigName := <-done:
+ log.Printf("Program terminated by %s signal.", sigName)
+ return
+ default:
+ info, err := os.Lstat("/run/rpcbind.sock")
+ if err == nil {
+ if (info.Mode() & os.ModeSocket) != 0 {
+ conn, err := net.DialTimeout("unix", "/run/rpcbind.sock", 1*time.Second)
+ if err == nil {
+ conn.Close()
+ log.Println("Socket /run/rpcbind.sock found and confirmed as rpcbind.")
+ return
+ } else {
+ log.Println("Unable to connect to the socket /run/rpcbind.sock, continuing to wait...")
+ }
+ } else {
+ log.Println("/run/rpcbind.sock found but is not a socket. Continuing to wait...")
+ }
+ } else if os.IsNotExist(err) {
+ log.Println("/run/rpcbind.sock does not exist, continuing to wait...")
+ } else {
+ log.Printf("Error checking socket /run/rpcbind.sock: %v", err)
+ }
+ time.Sleep(1 * time.Second)
+ }
+ }
+}
diff --git a/images/wait-rpcbind/src/go.mod b/images/wait-rpcbind/src/go.mod
new file mode 100644
index 0000000..7f5218b
--- /dev/null
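Review bot: The success branch of `main` logs `Socket /run/rpcbind.sock found and confirmed as rpcbind.` after nothing more than a successful `net.DialTimeout`, so any listener bound to that path passes and the log overstates what was verified. Word it as what was tested, e.g. `log.Println("Socket /run/rpcbind.sock exists and accepts connections.")`, and add a comment above the dial stating that the host's `/run` is trusted to hold the real rpcbind socket. The loop also has no overall deadline, so a host without rpcbind keeps the pod in its init phase indefinitely while logging once per second; a comment saying this is intended, or a bounded wait that exits non-zero, would help operators. The path literal is repeated eight times and would read better as `const socketPath = "/run/rpcbind.sock"`.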
+++ b/images/wait-rpcbind/src/go.mod @@ -0,0 +1,3 @@ +module d8-controller + +go 1.22.2 diff --git a/images/wait-rpcbind/src/go.sum b/images/wait-rpcbind/src/go.sum new file mode 100644 index 0000000..e69de29 diff --git a/images/wait-rpcbind/werf.inc.yaml b/images/wait-rpcbind/werf.inc.yaml new file mode 100644 index 0000000..b6564f2 --- /dev/null +++ b/images/wait-rpcbind/werf.inc.yaml @@ -0,0 +1,36 @@ +{{- $_ := set . "BASE_GOLANG" "registry.deckhouse.io/base_images/golang:1.22.6-bullseye@sha256:260918a3795372a6d33225d361fe5349723be9667de865a23411b50fbcc76c5a" }} +{{- $_ := set . "BASE_SCRATCH" "registry.deckhouse.io/base_images/scratch@sha256:b054705fcc9f2205777d80a558d920c0b4209efdc3163c22b5bfcb5dda1db5fc" }} + +--- +image: {{ $.ImageName }}-golang-artifact +from: {{ $.BASE_GOLANG }} +final: false + +git: + - add: /images/wait-rpcbind/src + to: /src + stageDependencies: + setup: + - "**/*" +mount: + - fromPath: ~/go-pkg-cache + to: /go/pkg +shell: + setup: + - cd /src/cmd + - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-s -w" -o wait-rpcbind + - mv wait-rpcbind /wait-rpcbind + - chmod +x /wait-rpcbind + +--- +image: {{ $.ImageName }} +from: {{ $.BASE_SCRATCH }} + +import: + - image: {{ $.ImageName }}-golang-artifact + add: /wait-rpcbind + to: /wait-rpcbind + before: setup + +docker: + ENTRYPOINT: ["/wait-rpcbind"] diff --git a/templates/csi/controller.yaml b/templates/csi/controller.yaml index 6bcae47..e3bf730 100644 --- a/templates/csi/controller.yaml +++ b/templates/csi/controller.yaml @@ -1,3 +1,18 @@ +### +### common +### +{{- define "csi_init_container_command" }} +- "/wait-rpcbind" +{{- end }} + +{{- define "csi_init_container_volume_mounts" }} +- name: run + mountPath: /run +{{- end }} + +{{- $csiInitContainerImage := include "helm_lib_module_image" (list . "waitRpcbind") }} + + ### ### controller ### 
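Review bot: The final image in images/wait-rpcbind/werf.inc.yaml sets only `ENTRYPOINT` under `docker:`, so the waiter runs as UID 0 unless the init-container securityContext says otherwise. That securityContext is rendered by helm_lib and is not visible in this hunk. The binary only calls lstat and connect on one socket, so if the host socket's permissions allow it, a numeric `USER: "64535:64535"` (the deckhouse uid/gid used in the csi-nfs image) would be enough and needs no passwd file in the scratch image. Separately, `GOARCH=amd64` is hard-coded in the build line; a short comment noting that only amd64 nodes are supported would make that explicit.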
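Review bot: `csi_init_container_volume_mounts` in templates/csi/controller.yaml mounts the `run` volume read-write into the init container, although the waiter only needs to stat and connect to one socket. The later hunks define that volume as hostPath `/run`, which normally also holds other daemons' sockets, pid files and runtime state, so the mount is broader than the check needs. Adding `readOnly: true` under `mountPath: /run` costs the wait loop nothing and keeps the container from creating or removing files there. A read-only mount does not block connections to sockets, so a comment should record that the remaining exposure is accepted. The `run` volume itself is declared in the `@@ -30,6 +45,16 @@` and `@@ -78,6 +115,22 @@` hunks.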
@@ -30,6 +45,16 @@ type: Directory - name: tmp-dir emptyDir: {} + +{{- if .Values.csiNfs.v3support }} +- name: run-rpcbind-sock + hostPath: + path: /run/rpcbind.sock +- name: run + hostPath: + path: /run +{{- end }} + {{- end }} {{- define "csi_additional_controller_volume_mounts" }} @@ -38,6 +63,12 @@ mountPropagation: "Bidirectional" - mountPath: /tmp name: tmp-dir + +{{- if .Values.csiNfs.v3support }} +- name: run-rpcbind-sock + mountPath: /run/rpcbind.sock +{{- end }} + {{- end }} {{- $csiControllerImage := include "helm_lib_module_image" (list . "csiNfs") }} @@ -55,6 +86,12 @@ {{- $_ := set $csiControllerConfig "additionalControllerVolumes" (include "csi_additional_controller_volume" . | fromYamlArray) }} {{- $_ := set $csiControllerConfig "additionalControllerVolumeMounts" (include "csi_additional_controller_volume_mounts" . | fromYamlArray) }} +{{- if .Values.csiNfs.v3support }} +{{- $_ := set $csiControllerConfig "initContainerImage" $csiInitContainerImage }} +{{- $_ := set $csiControllerConfig "initContainerCommand" (include "csi_init_container_command" . | fromYamlArray) }} +{{- $_ := set $csiControllerConfig "initContainerVolumeMounts" (include "csi_init_container_volume_mounts" . | fromYamlArray) }} +{{- end }} + {{- include "helm_lib_csi_controller_manifests" (list . $csiControllerConfig) }} ### @@ -78,6 +115,22 @@ value: unix:///csi/csi.sock {{- end }} +{{- define "csi_additional_node_volume" }} +{{- if .Values.csiNfs.v3support }} +- name: run-rpcbind-sock + hostPath: + path: /run/rpcbind.sock +- name: run + hostPath: + path: /run +{{- end }} +{{- end }} + +{{- define "csi_additional_node_volume_mounts" }} +- name: run-rpcbind-sock + mountPath: /run/rpcbind.sock +{{- end }} + {{- $csiNodeConfig := dict }} {{- $_ := set $csiNodeConfig "fullname" "csi-nfs" }} {{- $_ := set $csiNodeConfig "nodeImage" $csiControllerImage }} 
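Review bot: In the `@@ -78,6 +115,22 @@` hunk, `csi_additional_node_volume` is wrapped in `{{- if .Values.csiNfs.v3support }}` but `csi_additional_node_volume_mounts` is not, unlike the controller-side mounts in the `@@ -38,6 +63,12 @@` hunk. The only include of it visible in this diff sits inside a `v3support` condition, so nothing breaks today. Any later unconditional include would emit a `run-rpcbind-sock` mount for a volume that is not declared, giving an invalid pod spec. Wrapping the mount entry in the same `{{- if .Values.csiNfs.v3support }}` … `{{- end }}` keeps the two defines in step.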
@@ -86,4 +139,12 @@ {{- $_ := set $csiNodeConfig "additionalNodeArgs" (include "csi_node_args" . | fromYamlArray) }} {{- $_ := set $csiNodeConfig "additionalNodeEnvs" (include "csi_node_envs" . | fromYamlArray) }} +{{- if .Values.csiNfs.v3support }} +{{- $_ := set $csiNodeConfig "additionalNodeVolumes" (include "csi_additional_node_volume" . | fromYamlArray) }} +{{- $_ := set $csiNodeConfig "additionalNodeVolumeMounts" (include "csi_additional_node_volume_mounts" . | fromYamlArray) }} +{{- $_ := set $csiNodeConfig "initContainerImage" $csiInitContainerImage }} +{{- $_ := set $csiNodeConfig "initContainerCommand" (include "csi_init_container_command" . | fromYamlArray) }} +{{- $_ := set $csiNodeConfig "initContainerVolumeMounts" (include "csi_init_container_volume_mounts" . | fromYamlArray) }} +{{- end }} + {{- include "helm_lib_csi_node_manifests" (list . $csiNodeConfig) }}