vendor: update buildkit to 2f99651

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>

vendor/github.com/moby/buildkit/session/auth/authprovider/authprovider.go

@@ -86,27 +86,25 @@ func (ap *authProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequ
 			progresswriter.Wrap(name, ap.logger, done)
 		}
 		ap.mu.Unlock()
-		// try GET first because Docker Hub does not support POST
-		// switch once support has landed
-		resp, err := authutil.FetchToken(ctx, http.DefaultClient, nil, to)
+		// credential information is provided, use oauth POST endpoint
+		resp, err := authutil.FetchTokenWithOAuth(ctx, http.DefaultClient, nil, "buildkit-client", to)
 		if err != nil {
 			var errStatus remoteserrors.ErrUnexpectedStatus
 			if errors.As(err, &errStatus) {
-				// retry with POST request
+				// Registries without support for POST may return 404 for POST /v2/token.
 				// As of September 2017, GCR is known to return 404.
 				// As of February 2018, JFrog Artifactory is known to return 401.
 				if (errStatus.StatusCode == 405 && to.Username != "") || errStatus.StatusCode == 404 || errStatus.StatusCode == 401 {
-					resp, err := authutil.FetchTokenWithOAuth(ctx, http.DefaultClient, nil, "buildkit-client", to)
+					resp, err := authutil.FetchToken(ctx, http.DefaultClient, nil, to)
 					if err != nil {
 						return nil, err
 					}
-
-					return toTokenResponse(resp.AccessToken, resp.IssuedAt, resp.ExpiresIn), nil
+					return toTokenResponse(resp.Token, resp.IssuedAt, resp.ExpiresIn), nil
 				}
 			}
 			return nil, err
 		}
-		return toTokenResponse(resp.Token, resp.IssuedAt, resp.ExpiresIn), nil
+		return toTokenResponse(resp.AccessToken, resp.IssuedAt, resp.ExpiresIn), nil
 	}
 	// do request anonymously
 	resp, err := authutil.FetchToken(ctx, http.DefaultClient, nil, to)

vendor/github.com/moby/buildkit/session/filesync/filesync.go

@@ -70,7 +70,7 @@ func (sp *fsSyncProvider) handle(method string, stream grpc.ServerStream) (retEr
 		}
 	}
 	if pr == nil {
-		return errors.New("failed to negotiate protocol")
+		return InvalidSessionError{errors.New("failed to negotiate protocol")}
 	}
 
 	opts, _ := metadata.FromIncomingContext(stream.Context()) // if no metadata continue with empty object
@@ -83,7 +83,7 @@ func (sp *fsSyncProvider) handle(method string, stream grpc.ServerStream) (retEr
 
 	dir, ok := sp.dirs[dirName]
 	if !ok {
-		return status.Errorf(codes.NotFound, "no access allowed to dir %q", dirName)
+		return InvalidSessionError{status.Errorf(codes.NotFound, "no access allowed to dir %q", dirName)}
 	}
 
 	excludes := opts[keyExcludePatterns]
@@ -317,3 +317,15 @@ func CopyFileWriter(ctx context.Context, md map[string]string, c session.Caller)
 
 	return newStreamWriter(cc), nil
 }
+
+type InvalidSessionError struct {
+	err error
+}
+
+func (e InvalidSessionError) Error() string {
+	return e.err.Error()
+}
+
+func (e InvalidSessionError) Unwrap() error {
+	return e.err
+}

vendor/github.com/moby/buildkit/session/grpc.go

@@ -14,6 +14,7 @@ import (
 	"go.opentelemetry.io/otel/trace"
 	"golang.org/x/net/http2"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/grpc/health/grpc_health_v1"
 )
 
@@ -40,7 +41,7 @@ func grpcClientConn(ctx context.Context, conn net.Conn) (context.Context, *grpc.
 
 	dialOpts := []grpc.DialOption{
 		dialer,
-		grpc.WithInsecure(),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
 	}
 
 	if span := trace.SpanFromContext(ctx); span.SpanContext().IsValid() {

vendor/github.com/moby/buildkit/session/grpchijack/dial.go

@@ -16,11 +16,8 @@ import (
 
 func Dialer(api controlapi.ControlClient) session.Dialer {
 	return func(ctx context.Context, proto string, meta map[string][]string) (net.Conn, error) {
-
 		meta = lowerHeaders(meta)
-
 		md := metadata.MD(meta)
-
 		ctx = metadata.NewOutgoingContext(ctx, md)
 
 		stream, err := api.Session(ctx)
@@ -126,7 +123,6 @@ func (c *conn) Close() (err error) {
 			c.lastBuf = append(c.lastBuf, c.buf...)
 		}
 		c.readMu.Unlock()
-
 	})
 	return nil
 }