vendor: add buildkit

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2025-07-10 05:27:07 +08:00 · 2019-03-23 22:44:59 -07:00
parent 62faee5f07
commit 8b7c38e61a
364 changed files with 78556 additions and 1007 deletions
--- a/vendor/github.com/moby/buildkit/session/auth/auth.go
+++ b/vendor/github.com/moby/buildkit/session/auth/auth.go
@ -0,0 +1,26 @@
+package auth
+
+import (
+	"context"
+
+	"github.com/moby/buildkit/session"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+func CredentialsFunc(ctx context.Context, c session.Caller) func(string) (string, string, error) {
+	return func(host string) (string, string, error) {
+		client := NewAuthClient(c.Conn())
+
+		resp, err := client.Credentials(ctx, &CredentialsRequest{
+			Host: host,
+		})
+		if err != nil {
+			if st, ok := status.FromError(err); ok && st.Code() == codes.Unimplemented {
+				return "", "", nil
+			}
+			return "", "", err
+		}
+		return resp.Username, resp.Secret, nil
+	}
+}
--- a/vendor/github.com/moby/buildkit/session/auth/auth.pb.go
+++ b/vendor/github.com/moby/buildkit/session/auth/auth.pb.go
@ -0,0 +1,728 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: auth.proto
+
+package auth
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import strings "strings"
+import reflect "reflect"
+
+import (
+	context "golang.org/x/net/context"
+	grpc "google.golang.org/grpc"
+)
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+type CredentialsRequest struct {
+	Host string `protobuf:"bytes,1,opt,name=Host,proto3" json:"Host,omitempty"`
+}
+
+func (m *CredentialsRequest) Reset()      { *m = CredentialsRequest{} }
+func (*CredentialsRequest) ProtoMessage() {}
+func (*CredentialsRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_auth_0215b2f0213c0d57, []int{0}
+}
+func (m *CredentialsRequest) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *CredentialsRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	if deterministic {
+		return xxx_messageInfo_CredentialsRequest.Marshal(b, m, deterministic)
+	} else {
+		b = b[:cap(b)]
+		n, err := m.MarshalTo(b)
+		if err != nil {
+			return nil, err
+		}
+		return b[:n], nil
+	}
+}
+func (dst *CredentialsRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CredentialsRequest.Merge(dst, src)
+}
+func (m *CredentialsRequest) XXX_Size() int {
+	return m.Size()
+}
+func (m *CredentialsRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_CredentialsRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CredentialsRequest proto.InternalMessageInfo
+
+func (m *CredentialsRequest) GetHost() string {
+	if m != nil {
+		return m.Host
+	}
+	return ""
+}
+
+type CredentialsResponse struct {
+	Username string `protobuf:"bytes,1,opt,name=Username,proto3" json:"Username,omitempty"`
+	Secret   string `protobuf:"bytes,2,opt,name=Secret,proto3" json:"Secret,omitempty"`
+}
+
+func (m *CredentialsResponse) Reset()      { *m = CredentialsResponse{} }
+func (*CredentialsResponse) ProtoMessage() {}
+func (*CredentialsResponse) Descriptor() ([]byte, []int) {
+	return fileDescriptor_auth_0215b2f0213c0d57, []int{1}
+}
+func (m *CredentialsResponse) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *CredentialsResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	if deterministic {
+		return xxx_messageInfo_CredentialsResponse.Marshal(b, m, deterministic)
+	} else {
+		b = b[:cap(b)]
+		n, err := m.MarshalTo(b)
+		if err != nil {
+			return nil, err
+		}
+		return b[:n], nil
+	}
+}
+func (dst *CredentialsResponse) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CredentialsResponse.Merge(dst, src)
+}
+func (m *CredentialsResponse) XXX_Size() int {
+	return m.Size()
+}
+func (m *CredentialsResponse) XXX_DiscardUnknown() {
+	xxx_messageInfo_CredentialsResponse.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CredentialsResponse proto.InternalMessageInfo
+
+func (m *CredentialsResponse) GetUsername() string {
+	if m != nil {
+		return m.Username
+	}
+	return ""
+}
+
+func (m *CredentialsResponse) GetSecret() string {
+	if m != nil {
+		return m.Secret
+	}
+	return ""
+}
+
+func init() {
+	proto.RegisterType((*CredentialsRequest)(nil), "moby.filesync.v1.CredentialsRequest")
+	proto.RegisterType((*CredentialsResponse)(nil), "moby.filesync.v1.CredentialsResponse")
+}
+func (this *CredentialsRequest) Equal(that interface{}) bool {
+	if that == nil {
+		return this == nil
+	}
+
+	that1, ok := that.(*CredentialsRequest)
+	if !ok {
+		that2, ok := that.(CredentialsRequest)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		return this == nil
+	} else if this == nil {
+		return false
+	}
+	if this.Host != that1.Host {
+		return false
+	}
+	return true
+}
+func (this *CredentialsResponse) Equal(that interface{}) bool {
+	if that == nil {
+		return this == nil
+	}
+
+	that1, ok := that.(*CredentialsResponse)
+	if !ok {
+		that2, ok := that.(CredentialsResponse)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		return this == nil
+	} else if this == nil {
+		return false
+	}
+	if this.Username != that1.Username {
+		return false
+	}
+	if this.Secret != that1.Secret {
+		return false
+	}
+	return true
+}
+func (this *CredentialsRequest) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 5)
+	s = append(s, "&auth.CredentialsRequest{")
+	s = append(s, "Host: "+fmt.Sprintf("%#v", this.Host)+",\n")
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func (this *CredentialsResponse) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 6)
+	s = append(s, "&auth.CredentialsResponse{")
+	s = append(s, "Username: "+fmt.Sprintf("%#v", this.Username)+",\n")
+	s = append(s, "Secret: "+fmt.Sprintf("%#v", this.Secret)+",\n")
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func valueToGoStringAuth(v interface{}, typ string) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("func(v %v) *%v { return &v } ( %#v )", typ, typ, pv)
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConn
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion4
+
+// AuthClient is the client API for Auth service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
+type AuthClient interface {
+	Credentials(ctx context.Context, in *CredentialsRequest, opts ...grpc.CallOption) (*CredentialsResponse, error)
+}
+
+type authClient struct {
+	cc *grpc.ClientConn
+}
+
+func NewAuthClient(cc *grpc.ClientConn) AuthClient {
+	return &authClient{cc}
+}
+
+func (c *authClient) Credentials(ctx context.Context, in *CredentialsRequest, opts ...grpc.CallOption) (*CredentialsResponse, error) {
+	out := new(CredentialsResponse)
+	err := c.cc.Invoke(ctx, "/moby.filesync.v1.Auth/Credentials", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// AuthServer is the server API for Auth service.
+type AuthServer interface {
+	Credentials(context.Context, *CredentialsRequest) (*CredentialsResponse, error)
+}
+
+func RegisterAuthServer(s *grpc.Server, srv AuthServer) {
+	s.RegisterService(&_Auth_serviceDesc, srv)
+}
+
+func _Auth_Credentials_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(CredentialsRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(AuthServer).Credentials(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/moby.filesync.v1.Auth/Credentials",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(AuthServer).Credentials(ctx, req.(*CredentialsRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+var _Auth_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "moby.filesync.v1.Auth",
+	HandlerType: (*AuthServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "Credentials",
+			Handler:    _Auth_Credentials_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "auth.proto",
+}
+
+func (m *CredentialsRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CredentialsRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Host) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintAuth(dAtA, i, uint64(len(m.Host)))
+		i += copy(dAtA[i:], m.Host)
+	}
+	return i, nil
+}
+
+func (m *CredentialsResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CredentialsResponse) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Username) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintAuth(dAtA, i, uint64(len(m.Username)))
+		i += copy(dAtA[i:], m.Username)
+	}
+	if len(m.Secret) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintAuth(dAtA, i, uint64(len(m.Secret)))
+		i += copy(dAtA[i:], m.Secret)
+	}
+	return i, nil
+}
+
+func encodeVarintAuth(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *CredentialsRequest) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.Host)
+	if l > 0 {
+		n += 1 + l + sovAuth(uint64(l))
+	}
+	return n
+}
+
+func (m *CredentialsResponse) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.Username)
+	if l > 0 {
+		n += 1 + l + sovAuth(uint64(l))
+	}
+	l = len(m.Secret)
+	if l > 0 {
+		n += 1 + l + sovAuth(uint64(l))
+	}
+	return n
+}
+
+func sovAuth(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozAuth(x uint64) (n int) {
+	return sovAuth(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *CredentialsRequest) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CredentialsRequest{`,
+		`Host:` + fmt.Sprintf("%v", this.Host) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CredentialsResponse) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CredentialsResponse{`,
+		`Username:` + fmt.Sprintf("%v", this.Username) + `,`,
+		`Secret:` + fmt.Sprintf("%v", this.Secret) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringAuth(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *CredentialsRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowAuth
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CredentialsRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CredentialsRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Host", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAuth
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthAuth
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Host = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipAuth(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthAuth
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CredentialsResponse) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowAuth
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CredentialsResponse: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CredentialsResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Username", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAuth
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthAuth
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Username = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Secret", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAuth
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthAuth
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Secret = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipAuth(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthAuth
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipAuth(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowAuth
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowAuth
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowAuth
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthAuth
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowAuth
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipAuth(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthAuth = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowAuth   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("auth.proto", fileDescriptor_auth_0215b2f0213c0d57) }
+
+var fileDescriptor_auth_0215b2f0213c0d57 = []byte{
+	// 233 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0xe2, 0x4a, 0x2c, 0x2d, 0xc9,
+	0xd0, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x12, 0xc8, 0xcd, 0x4f, 0xaa, 0xd4, 0x4b, 0xcb, 0xcc,
+	0x49, 0x2d, 0xae, 0xcc, 0x4b, 0xd6, 0x2b, 0x33, 0x54, 0xd2, 0xe0, 0x12, 0x72, 0x2e, 0x4a, 0x4d,
+	0x49, 0xcd, 0x2b, 0xc9, 0x4c, 0xcc, 0x29, 0x0e, 0x4a, 0x2d, 0x2c, 0x4d, 0x2d, 0x2e, 0x11, 0x12,
+	0xe2, 0x62, 0xf1, 0xc8, 0x2f, 0x2e, 0x91, 0x60, 0x54, 0x60, 0xd4, 0xe0, 0x0c, 0x02, 0xb3, 0x95,
+	0x3c, 0xb9, 0x84, 0x51, 0x54, 0x16, 0x17, 0xe4, 0xe7, 0x15, 0xa7, 0x0a, 0x49, 0x71, 0x71, 0x84,
+	0x16, 0xa7, 0x16, 0xe5, 0x25, 0xe6, 0xa6, 0x42, 0x95, 0xc3, 0xf9, 0x42, 0x62, 0x5c, 0x6c, 0xc1,
+	0xa9, 0xc9, 0x45, 0xa9, 0x25, 0x12, 0x4c, 0x60, 0x19, 0x28, 0xcf, 0x28, 0x89, 0x8b, 0xc5, 0xb1,
+	0xb4, 0x24, 0x43, 0x28, 0x8a, 0x8b, 0x1b, 0xc9, 0x48, 0x21, 0x15, 0x3d, 0x74, 0xe7, 0xe9, 0x61,
+	0xba, 0x4d, 0x4a, 0x95, 0x80, 0x2a, 0x88, 0xbb, 0x9c, 0xac, 0x2e, 0x3c, 0x94, 0x63, 0xb8, 0xf1,
+	0x50, 0x8e, 0xe1, 0xc3, 0x43, 0x39, 0xc6, 0x86, 0x47, 0x72, 0x8c, 0x2b, 0x1e, 0xc9, 0x31, 0x9e,
+	0x78, 0x24, 0xc7, 0x78, 0xe1, 0x91, 0x1c, 0xe3, 0x83, 0x47, 0x72, 0x8c, 0x2f, 0x1e, 0xc9, 0x31,
+	0x7c, 0x78, 0x24, 0xc7, 0x38, 0xe1, 0xb1, 0x1c, 0xc3, 0x85, 0xc7, 0x72, 0x0c, 0x37, 0x1e, 0xcb,
+	0x31, 0x44, 0xb1, 0x80, 0x02, 0x2b, 0x89, 0x0d, 0x1c, 0x5a, 0xc6, 0x80, 0x00, 0x00, 0x00, 0xff,
+	0xff, 0x64, 0x61, 0x71, 0x59, 0x3b, 0x01, 0x00, 0x00,
+}
--- a/vendor/github.com/moby/buildkit/session/auth/auth.proto
+++ b/vendor/github.com/moby/buildkit/session/auth/auth.proto
@ -0,0 +1,19 @@
+syntax = "proto3";
+
+package moby.filesync.v1;
+
+option go_package = "auth";
+
+service Auth{
+  rpc Credentials(CredentialsRequest) returns (CredentialsResponse);
+}
+
+
+message CredentialsRequest {
+	string Host = 1;
+}
+
+message CredentialsResponse {
+	string Username = 1;
+	string Secret = 2;
+}
--- a/vendor/github.com/moby/buildkit/session/auth/authprovider/authprovider.go
+++ b/vendor/github.com/moby/buildkit/session/auth/authprovider/authprovider.go
@ -0,0 +1,44 @@
+package authprovider
+
+import (
+	"context"
+	"io/ioutil"
+
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/auth"
+	"google.golang.org/grpc"
+)
+
+func NewDockerAuthProvider() session.Attachable {
+	return &authProvider{
+		config: config.LoadDefaultConfigFile(ioutil.Discard),
+	}
+}
+
+type authProvider struct {
+	config *configfile.ConfigFile
+}
+
+func (ap *authProvider) Register(server *grpc.Server) {
+	auth.RegisterAuthServer(server, ap)
+}
+
+func (ap *authProvider) Credentials(ctx context.Context, req *auth.CredentialsRequest) (*auth.CredentialsResponse, error) {
+	if req.Host == "registry-1.docker.io" {
+		req.Host = "https://index.docker.io/v1/"
+	}
+	ac, err := ap.config.GetAuthConfig(req.Host)
+	if err != nil {
+		return nil, err
+	}
+	res := &auth.CredentialsResponse{}
+	if ac.IdentityToken != "" {
+		res.Secret = ac.IdentityToken
+	} else {
+		res.Username = ac.Username
+		res.Secret = ac.Password
+	}
+	return res, nil
+}
--- a/vendor/github.com/moby/buildkit/session/auth/generate.go
+++ b/vendor/github.com/moby/buildkit/session/auth/generate.go
@ -0,0 +1,3 @@
+package auth
+
+//go:generate protoc --gogoslick_out=plugins=grpc:. auth.proto
--- a/vendor/github.com/moby/buildkit/session/content/attachable.go
+++ b/vendor/github.com/moby/buildkit/session/content/attachable.go
@ -0,0 +1,132 @@
+package content
+
+import (
+	"context"
+
+	api "github.com/containerd/containerd/api/services/content/v1"
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/errdefs"
+	"github.com/containerd/containerd/services/content/contentserver"
+	"github.com/moby/buildkit/session"
+	digest "github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
+)
+
+// GRPCHeaderID is a gRPC header for store ID
+const GRPCHeaderID = "buildkit-attachable-store-id"
+
+type attachableContentStore struct {
+	stores map[string]content.Store
+}
+
+func (cs *attachableContentStore) choose(ctx context.Context) (content.Store, error) {
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return nil, errors.Wrap(errdefs.ErrInvalidArgument, "request lacks metadata")
+	}
+
+	values := md[GRPCHeaderID]
+	if len(values) == 0 {
+		return nil, errors.Wrapf(errdefs.ErrInvalidArgument, "request lacks metadata %q", GRPCHeaderID)
+	}
+	id := values[0]
+	store, ok := cs.stores[id]
+	if !ok {
+		return nil, errors.Wrapf(errdefs.ErrNotFound, "unknown store %s", id)
+	}
+	return store, nil
+}
+
+func (cs *attachableContentStore) Info(ctx context.Context, dgst digest.Digest) (content.Info, error) {
+	store, err := cs.choose(ctx)
+	if err != nil {
+		return content.Info{}, err
+	}
+	return store.Info(ctx, dgst)
+}
+
+func (cs *attachableContentStore) Update(ctx context.Context, info content.Info, fieldpaths ...string) (content.Info, error) {
+	store, err := cs.choose(ctx)
+	if err != nil {
+		return content.Info{}, err
+	}
+	return store.Update(ctx, info, fieldpaths...)
+}
+
+func (cs *attachableContentStore) Walk(ctx context.Context, fn content.WalkFunc, fs ...string) error {
+	store, err := cs.choose(ctx)
+	if err != nil {
+		return err
+	}
+	return store.Walk(ctx, fn, fs...)
+}
+
+func (cs *attachableContentStore) Delete(ctx context.Context, dgst digest.Digest) error {
+	store, err := cs.choose(ctx)
+	if err != nil {
+		return err
+	}
+	return store.Delete(ctx, dgst)
+}
+
+func (cs *attachableContentStore) ListStatuses(ctx context.Context, fs ...string) ([]content.Status, error) {
+	store, err := cs.choose(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return store.ListStatuses(ctx, fs...)
+}
+
+func (cs *attachableContentStore) Status(ctx context.Context, ref string) (content.Status, error) {
+	store, err := cs.choose(ctx)
+	if err != nil {
+		return content.Status{}, err
+	}
+	return store.Status(ctx, ref)
+}
+
+func (cs *attachableContentStore) Abort(ctx context.Context, ref string) error {
+	store, err := cs.choose(ctx)
+	if err != nil {
+		return err
+	}
+	return store.Abort(ctx, ref)
+}
+
+func (cs *attachableContentStore) Writer(ctx context.Context, opts ...content.WriterOpt) (content.Writer, error) {
+	store, err := cs.choose(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return store.Writer(ctx, opts...)
+}
+
+func (cs *attachableContentStore) ReaderAt(ctx context.Context, desc ocispec.Descriptor) (content.ReaderAt, error) {
+	store, err := cs.choose(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return store.ReaderAt(ctx, desc)
+}
+
+type attachable struct {
+	service api.ContentServer
+}
+
+// NewAttachable creates session.Attachable from aggregated stores.
+// A key of the store map is an ID string that is used for choosing underlying store.
+func NewAttachable(stores map[string]content.Store) session.Attachable {
+	store := &attachableContentStore{stores: stores}
+	service := contentserver.New(store)
+	a := attachable{
+		service: service,
+	}
+	return &a
+}
+
+func (a *attachable) Register(server *grpc.Server) {
+	api.RegisterContentServer(server, a.service)
+}
--- a/vendor/github.com/moby/buildkit/session/content/caller.go
+++ b/vendor/github.com/moby/buildkit/session/content/caller.go
@ -0,0 +1,84 @@
+package content
+
+import (
+	"context"
+
+	api "github.com/containerd/containerd/api/services/content/v1"
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/content/proxy"
+	"github.com/moby/buildkit/session"
+	digest "github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"google.golang.org/grpc/metadata"
+)
+
+type callerContentStore struct {
+	store   content.Store
+	storeID string
+}
+
+func (cs *callerContentStore) choose(ctx context.Context) context.Context {
+	nsheader := metadata.Pairs(GRPCHeaderID, cs.storeID)
+	md, ok := metadata.FromOutgoingContext(ctx) // merge with outgoing context.
+	if !ok {
+		md = nsheader
+	} else {
+		// order ensures the latest is first in this list.
+		md = metadata.Join(nsheader, md)
+	}
+	return metadata.NewOutgoingContext(ctx, md)
+}
+
+func (cs *callerContentStore) Info(ctx context.Context, dgst digest.Digest) (content.Info, error) {
+	ctx = cs.choose(ctx)
+	return cs.store.Info(ctx, dgst)
+}
+
+func (cs *callerContentStore) Update(ctx context.Context, info content.Info, fieldpaths ...string) (content.Info, error) {
+	ctx = cs.choose(ctx)
+	return cs.store.Update(ctx, info, fieldpaths...)
+}
+
+func (cs *callerContentStore) Walk(ctx context.Context, fn content.WalkFunc, fs ...string) error {
+	ctx = cs.choose(ctx)
+	return cs.store.Walk(ctx, fn, fs...)
+}
+
+func (cs *callerContentStore) Delete(ctx context.Context, dgst digest.Digest) error {
+	ctx = cs.choose(ctx)
+	return cs.store.Delete(ctx, dgst)
+}
+
+func (cs *callerContentStore) ListStatuses(ctx context.Context, fs ...string) ([]content.Status, error) {
+	ctx = cs.choose(ctx)
+	return cs.store.ListStatuses(ctx, fs...)
+}
+
+func (cs *callerContentStore) Status(ctx context.Context, ref string) (content.Status, error) {
+	ctx = cs.choose(ctx)
+	return cs.store.Status(ctx, ref)
+}
+
+func (cs *callerContentStore) Abort(ctx context.Context, ref string) error {
+	ctx = cs.choose(ctx)
+	return cs.store.Abort(ctx, ref)
+}
+
+func (cs *callerContentStore) Writer(ctx context.Context, opts ...content.WriterOpt) (content.Writer, error) {
+	ctx = cs.choose(ctx)
+	return cs.store.Writer(ctx, opts...)
+}
+
+func (cs *callerContentStore) ReaderAt(ctx context.Context, desc ocispec.Descriptor) (content.ReaderAt, error) {
+	ctx = cs.choose(ctx)
+	return cs.store.ReaderAt(ctx, desc)
+}
+
+// NewCallerStore creates content.Store from session.Caller with specified storeID
+func NewCallerStore(c session.Caller, storeID string) content.Store {
+	client := api.NewContentClient(c.Conn())
+	return &callerContentStore{
+		store:   proxy.NewContentStore(client),
+		storeID: storeID,
+	}
+}
--- a/vendor/github.com/moby/buildkit/session/context.go
+++ b/vendor/github.com/moby/buildkit/session/context.go
@ -0,0 +1,22 @@
+package session
+
+import "context"
+
+type contextKeyT string
+
+var contextKey = contextKeyT("buildkit/session-id")
+
+func NewContext(ctx context.Context, id string) context.Context {
+	if id != "" {
+		return context.WithValue(ctx, contextKey, id)
+	}
+	return ctx
+}
+
+func FromContext(ctx context.Context) string {
+	v := ctx.Value(contextKey)
+	if v == nil {
+		return ""
+	}
+	return v.(string)
+}
--- a/vendor/github.com/moby/buildkit/session/filesync/diffcopy.go
+++ b/vendor/github.com/moby/buildkit/session/filesync/diffcopy.go
@ -0,0 +1,110 @@
+package filesync
+
+import (
+	"bufio"
+	io "io"
+	"os"
+	"time"
+
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/tonistiigi/fsutil"
+	fstypes "github.com/tonistiigi/fsutil/types"
+	"google.golang.org/grpc"
+)
+
+func sendDiffCopy(stream grpc.Stream, fs fsutil.FS, progress progressCb) error {
+	return fsutil.Send(stream.Context(), stream, fs, progress)
+}
+
+func newStreamWriter(stream grpc.ClientStream) io.WriteCloser {
+	wc := &streamWriterCloser{ClientStream: stream}
+	return &bufferedWriteCloser{Writer: bufio.NewWriter(wc), Closer: wc}
+}
+
+type bufferedWriteCloser struct {
+	*bufio.Writer
+	io.Closer
+}
+
+func (bwc *bufferedWriteCloser) Close() error {
+	if err := bwc.Writer.Flush(); err != nil {
+		return err
+	}
+	return bwc.Closer.Close()
+}
+
+type streamWriterCloser struct {
+	grpc.ClientStream
+}
+
+func (wc *streamWriterCloser) Write(dt []byte) (int, error) {
+	if err := wc.ClientStream.SendMsg(&BytesMessage{Data: dt}); err != nil {
+		return 0, err
+	}
+	return len(dt), nil
+}
+
+func (wc *streamWriterCloser) Close() error {
+	if err := wc.ClientStream.CloseSend(); err != nil {
+		return err
+	}
+	// block until receiver is done
+	var bm BytesMessage
+	if err := wc.ClientStream.RecvMsg(&bm); err != io.EOF {
+		return err
+	}
+	return nil
+}
+
+func recvDiffCopy(ds grpc.Stream, dest string, cu CacheUpdater, progress progressCb) error {
+	st := time.Now()
+	defer func() {
+		logrus.Debugf("diffcopy took: %v", time.Since(st))
+	}()
+	var cf fsutil.ChangeFunc
+	var ch fsutil.ContentHasher
+	if cu != nil {
+		cu.MarkSupported(true)
+		cf = cu.HandleChange
+		ch = cu.ContentHasher()
+	}
+	return fsutil.Receive(ds.Context(), ds, dest, fsutil.ReceiveOpt{
+		NotifyHashed:  cf,
+		ContentHasher: ch,
+		ProgressCb:    progress,
+	})
+}
+
+func syncTargetDiffCopy(ds grpc.Stream, dest string) error {
+	if err := os.MkdirAll(dest, 0700); err != nil {
+		return err
+	}
+	return fsutil.Receive(ds.Context(), ds, dest, fsutil.ReceiveOpt{
+		Merge: true,
+		Filter: func() func(string, *fstypes.Stat) bool {
+			uid := os.Getuid()
+			gid := os.Getgid()
+			return func(p string, st *fstypes.Stat) bool {
+				st.Uid = uint32(uid)
+				st.Gid = uint32(gid)
+				return true
+			}
+		}(),
+	})
+}
+
+func writeTargetFile(ds grpc.Stream, wc io.WriteCloser) error {
+	for {
+		bm := BytesMessage{}
+		if err := ds.RecvMsg(&bm); err != nil {
+			if errors.Cause(err) == io.EOF {
+				return nil
+			}
+			return err
+		}
+		if _, err := wc.Write(bm.Data); err != nil {
+			return err
+		}
+	}
+}
--- a/vendor/github.com/moby/buildkit/session/filesync/filesync.go
+++ b/vendor/github.com/moby/buildkit/session/filesync/filesync.go
@ -0,0 +1,297 @@
+package filesync
+
+import (
+	"context"
+	"fmt"
+	io "io"
+	"os"
+	"strings"
+
+	"github.com/moby/buildkit/session"
+	"github.com/pkg/errors"
+	"github.com/tonistiigi/fsutil"
+	fstypes "github.com/tonistiigi/fsutil/types"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
+)
+
+const (
+	keyOverrideExcludes = "override-excludes"
+	keyIncludePatterns  = "include-patterns"
+	keyExcludePatterns  = "exclude-patterns"
+	keyFollowPaths      = "followpaths"
+	keyDirName          = "dir-name"
+)
+
+type fsSyncProvider struct {
+	dirs   map[string]SyncedDir
+	p      progressCb
+	doneCh chan error
+}
+
+type SyncedDir struct {
+	Name     string
+	Dir      string
+	Excludes []string
+	Map      func(string, *fstypes.Stat) bool
+}
+
+// NewFSSyncProvider creates a new provider for sending files from client
+func NewFSSyncProvider(dirs []SyncedDir) session.Attachable {
+	p := &fsSyncProvider{
+		dirs: map[string]SyncedDir{},
+	}
+	for _, d := range dirs {
+		p.dirs[d.Name] = d
+	}
+	return p
+}
+
+func (sp *fsSyncProvider) Register(server *grpc.Server) {
+	RegisterFileSyncServer(server, sp)
+}
+
+func (sp *fsSyncProvider) DiffCopy(stream FileSync_DiffCopyServer) error {
+	return sp.handle("diffcopy", stream)
+}
+func (sp *fsSyncProvider) TarStream(stream FileSync_TarStreamServer) error {
+	return sp.handle("tarstream", stream)
+}
+
+func (sp *fsSyncProvider) handle(method string, stream grpc.ServerStream) (retErr error) {
+	var pr *protocol
+	for _, p := range supportedProtocols {
+		if method == p.name && isProtoSupported(p.name) {
+			pr = &p
+			break
+		}
+	}
+	if pr == nil {
+		return errors.New("failed to negotiate protocol")
+	}
+
+	opts, _ := metadata.FromIncomingContext(stream.Context()) // if no metadata continue with empty object
+
+	dirName := ""
+	name, ok := opts[keyDirName]
+	if ok && len(name) > 0 {
+		dirName = name[0]
+	}
+
+	dir, ok := sp.dirs[dirName]
+	if !ok {
+		return status.Errorf(codes.NotFound, "no access allowed to dir %q", dirName)
+	}
+
+	excludes := opts[keyExcludePatterns]
+	if len(dir.Excludes) != 0 && (len(opts[keyOverrideExcludes]) == 0 || opts[keyOverrideExcludes][0] != "true") {
+		excludes = dir.Excludes
+	}
+	includes := opts[keyIncludePatterns]
+
+	followPaths := opts[keyFollowPaths]
+
+	var progress progressCb
+	if sp.p != nil {
+		progress = sp.p
+		sp.p = nil
+	}
+
+	var doneCh chan error
+	if sp.doneCh != nil {
+		doneCh = sp.doneCh
+		sp.doneCh = nil
+	}
+	err := pr.sendFn(stream, fsutil.NewFS(dir.Dir, &fsutil.WalkOpt{
+		ExcludePatterns: excludes,
+		IncludePatterns: includes,
+		FollowPaths:     followPaths,
+		Map:             dir.Map,
+	}), progress)
+	if doneCh != nil {
+		if err != nil {
+			doneCh <- err
+		}
+		close(doneCh)
+	}
+	return err
+}
+
+func (sp *fsSyncProvider) SetNextProgressCallback(f func(int, bool), doneCh chan error) {
+	sp.p = f
+	sp.doneCh = doneCh
+}
+
+type progressCb func(int, bool)
+
+type protocol struct {
+	name   string
+	sendFn func(stream grpc.Stream, fs fsutil.FS, progress progressCb) error
+	recvFn func(stream grpc.Stream, destDir string, cu CacheUpdater, progress progressCb) error
+}
+
+func isProtoSupported(p string) bool {
+	// TODO: this should be removed after testing if stability is confirmed
+	if override := os.Getenv("BUILD_STREAM_PROTOCOL"); override != "" {
+		return strings.EqualFold(p, override)
+	}
+	return true
+}
+
+var supportedProtocols = []protocol{
+	{
+		name:   "diffcopy",
+		sendFn: sendDiffCopy,
+		recvFn: recvDiffCopy,
+	},
+}
+
+// FSSendRequestOpt defines options for FSSend request
+type FSSendRequestOpt struct {
+	Name             string
+	IncludePatterns  []string
+	ExcludePatterns  []string
+	FollowPaths      []string
+	OverrideExcludes bool // deprecated: this is used by docker/cli for automatically loading .dockerignore from the directory
+	DestDir          string
+	CacheUpdater     CacheUpdater
+	ProgressCb       func(int, bool)
+}
+
+// CacheUpdater is an object capable of sending notifications for the cache hash changes
+type CacheUpdater interface {
+	MarkSupported(bool)
+	HandleChange(fsutil.ChangeKind, string, os.FileInfo, error) error
+	ContentHasher() fsutil.ContentHasher
+}
+
+// FSSync initializes a transfer of files
+func FSSync(ctx context.Context, c session.Caller, opt FSSendRequestOpt) error {
+	var pr *protocol
+	for _, p := range supportedProtocols {
+		if isProtoSupported(p.name) && c.Supports(session.MethodURL(_FileSync_serviceDesc.ServiceName, p.name)) {
+			pr = &p
+			break
+		}
+	}
+	if pr == nil {
+		return errors.New("no local sources enabled")
+	}
+
+	opts := make(map[string][]string)
+	if opt.OverrideExcludes {
+		opts[keyOverrideExcludes] = []string{"true"}
+	}
+
+	if opt.IncludePatterns != nil {
+		opts[keyIncludePatterns] = opt.IncludePatterns
+	}
+
+	if opt.ExcludePatterns != nil {
+		opts[keyExcludePatterns] = opt.ExcludePatterns
+	}
+
+	if opt.FollowPaths != nil {
+		opts[keyFollowPaths] = opt.FollowPaths
+	}
+
+	opts[keyDirName] = []string{opt.Name}
+
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	client := NewFileSyncClient(c.Conn())
+
+	var stream grpc.ClientStream
+
+	ctx = metadata.NewOutgoingContext(ctx, opts)
+
+	switch pr.name {
+	case "tarstream":
+		cc, err := client.TarStream(ctx)
+		if err != nil {
+			return err
+		}
+		stream = cc
+	case "diffcopy":
+		cc, err := client.DiffCopy(ctx)
+		if err != nil {
+			return err
+		}
+		stream = cc
+	default:
+		panic(fmt.Sprintf("invalid protocol: %q", pr.name))
+	}
+
+	return pr.recvFn(stream, opt.DestDir, opt.CacheUpdater, opt.ProgressCb)
+}
+
+// NewFSSyncTargetDir allows writing into a directory
+func NewFSSyncTargetDir(outdir string) session.Attachable {
+	p := &fsSyncTarget{
+		outdir: outdir,
+	}
+	return p
+}
+
+// NewFSSyncTarget allows writing into an io.WriteCloser
+func NewFSSyncTarget(w io.WriteCloser) session.Attachable {
+	p := &fsSyncTarget{
+		outfile: w,
+	}
+	return p
+}
+
+type fsSyncTarget struct {
+	outdir  string
+	outfile io.WriteCloser
+}
+
+func (sp *fsSyncTarget) Register(server *grpc.Server) {
+	RegisterFileSendServer(server, sp)
+}
+
+func (sp *fsSyncTarget) DiffCopy(stream FileSend_DiffCopyServer) error {
+	if sp.outdir != "" {
+		return syncTargetDiffCopy(stream, sp.outdir)
+	}
+	if sp.outfile == nil {
+		return errors.New("empty outfile and outdir")
+	}
+	defer sp.outfile.Close()
+	return writeTargetFile(stream, sp.outfile)
+}
+
+func CopyToCaller(ctx context.Context, fs fsutil.FS, c session.Caller, progress func(int, bool)) error {
+	method := session.MethodURL(_FileSend_serviceDesc.ServiceName, "diffcopy")
+	if !c.Supports(method) {
+		return errors.Errorf("method %s not supported by the client", method)
+	}
+
+	client := NewFileSendClient(c.Conn())
+
+	cc, err := client.DiffCopy(ctx)
+	if err != nil {
+		return err
+	}
+
+	return sendDiffCopy(cc, fs, progress)
+}
+
+func CopyFileWriter(ctx context.Context, c session.Caller) (io.WriteCloser, error) {
+	method := session.MethodURL(_FileSend_serviceDesc.ServiceName, "diffcopy")
+	if !c.Supports(method) {
+		return nil, errors.Errorf("method %s not supported by the client", method)
+	}
+
+	client := NewFileSendClient(c.Conn())
+
+	cc, err := client.DiffCopy(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return newStreamWriter(cc), nil
+}
--- a/vendor/github.com/moby/buildkit/session/filesync/filesync.pb.go
+++ b/vendor/github.com/moby/buildkit/session/filesync/filesync.pb.go
@ -0,0 +1,669 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: filesync.proto
+
+package filesync
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import bytes "bytes"
+
+import strings "strings"
+import reflect "reflect"
+
+import (
+	context "golang.org/x/net/context"
+	grpc "google.golang.org/grpc"
+)
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+// BytesMessage contains a chunk of byte data
+type BytesMessage struct {
+	Data []byte `protobuf:"bytes,1,opt,name=data,proto3" json:"data,omitempty"`
+}
+
+func (m *BytesMessage) Reset()      { *m = BytesMessage{} }
+func (*BytesMessage) ProtoMessage() {}
+func (*BytesMessage) Descriptor() ([]byte, []int) {
+	return fileDescriptor_filesync_26f8b7bce2e5ac0e, []int{0}
+}
+func (m *BytesMessage) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *BytesMessage) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	if deterministic {
+		return xxx_messageInfo_BytesMessage.Marshal(b, m, deterministic)
+	} else {
+		b = b[:cap(b)]
+		n, err := m.MarshalTo(b)
+		if err != nil {
+			return nil, err
+		}
+		return b[:n], nil
+	}
+}
+func (dst *BytesMessage) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_BytesMessage.Merge(dst, src)
+}
+func (m *BytesMessage) XXX_Size() int {
+	return m.Size()
+}
+func (m *BytesMessage) XXX_DiscardUnknown() {
+	xxx_messageInfo_BytesMessage.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_BytesMessage proto.InternalMessageInfo
+
+func (m *BytesMessage) GetData() []byte {
+	if m != nil {
+		return m.Data
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*BytesMessage)(nil), "moby.filesync.v1.BytesMessage")
+}
+func (this *BytesMessage) Equal(that interface{}) bool {
+	if that == nil {
+		return this == nil
+	}
+
+	that1, ok := that.(*BytesMessage)
+	if !ok {
+		that2, ok := that.(BytesMessage)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		return this == nil
+	} else if this == nil {
+		return false
+	}
+	if !bytes.Equal(this.Data, that1.Data) {
+		return false
+	}
+	return true
+}
+func (this *BytesMessage) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 5)
+	s = append(s, "&filesync.BytesMessage{")
+	s = append(s, "Data: "+fmt.Sprintf("%#v", this.Data)+",\n")
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func valueToGoStringFilesync(v interface{}, typ string) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("func(v %v) *%v { return &v } ( %#v )", typ, typ, pv)
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConn
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion4
+
+// FileSyncClient is the client API for FileSync service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
+type FileSyncClient interface {
+	DiffCopy(ctx context.Context, opts ...grpc.CallOption) (FileSync_DiffCopyClient, error)
+	TarStream(ctx context.Context, opts ...grpc.CallOption) (FileSync_TarStreamClient, error)
+}
+
+type fileSyncClient struct {
+	cc *grpc.ClientConn
+}
+
+func NewFileSyncClient(cc *grpc.ClientConn) FileSyncClient {
+	return &fileSyncClient{cc}
+}
+
+func (c *fileSyncClient) DiffCopy(ctx context.Context, opts ...grpc.CallOption) (FileSync_DiffCopyClient, error) {
+	stream, err := c.cc.NewStream(ctx, &_FileSync_serviceDesc.Streams[0], "/moby.filesync.v1.FileSync/DiffCopy", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &fileSyncDiffCopyClient{stream}
+	return x, nil
+}
+
+type FileSync_DiffCopyClient interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ClientStream
+}
+
+type fileSyncDiffCopyClient struct {
+	grpc.ClientStream
+}
+
+func (x *fileSyncDiffCopyClient) Send(m *BytesMessage) error {
+	return x.ClientStream.SendMsg(m)
+}
+
+func (x *fileSyncDiffCopyClient) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+func (c *fileSyncClient) TarStream(ctx context.Context, opts ...grpc.CallOption) (FileSync_TarStreamClient, error) {
+	stream, err := c.cc.NewStream(ctx, &_FileSync_serviceDesc.Streams[1], "/moby.filesync.v1.FileSync/TarStream", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &fileSyncTarStreamClient{stream}
+	return x, nil
+}
+
+type FileSync_TarStreamClient interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ClientStream
+}
+
+type fileSyncTarStreamClient struct {
+	grpc.ClientStream
+}
+
+func (x *fileSyncTarStreamClient) Send(m *BytesMessage) error {
+	return x.ClientStream.SendMsg(m)
+}
+
+func (x *fileSyncTarStreamClient) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+// FileSyncServer is the server API for FileSync service.
+type FileSyncServer interface {
+	DiffCopy(FileSync_DiffCopyServer) error
+	TarStream(FileSync_TarStreamServer) error
+}
+
+func RegisterFileSyncServer(s *grpc.Server, srv FileSyncServer) {
+	s.RegisterService(&_FileSync_serviceDesc, srv)
+}
+
+func _FileSync_DiffCopy_Handler(srv interface{}, stream grpc.ServerStream) error {
+	return srv.(FileSyncServer).DiffCopy(&fileSyncDiffCopyServer{stream})
+}
+
+type FileSync_DiffCopyServer interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ServerStream
+}
+
+type fileSyncDiffCopyServer struct {
+	grpc.ServerStream
+}
+
+func (x *fileSyncDiffCopyServer) Send(m *BytesMessage) error {
+	return x.ServerStream.SendMsg(m)
+}
+
+func (x *fileSyncDiffCopyServer) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ServerStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+func _FileSync_TarStream_Handler(srv interface{}, stream grpc.ServerStream) error {
+	return srv.(FileSyncServer).TarStream(&fileSyncTarStreamServer{stream})
+}
+
+type FileSync_TarStreamServer interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ServerStream
+}
+
+type fileSyncTarStreamServer struct {
+	grpc.ServerStream
+}
+
+func (x *fileSyncTarStreamServer) Send(m *BytesMessage) error {
+	return x.ServerStream.SendMsg(m)
+}
+
+func (x *fileSyncTarStreamServer) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ServerStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+var _FileSync_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "moby.filesync.v1.FileSync",
+	HandlerType: (*FileSyncServer)(nil),
+	Methods:     []grpc.MethodDesc{},
+	Streams: []grpc.StreamDesc{
+		{
+			StreamName:    "DiffCopy",
+			Handler:       _FileSync_DiffCopy_Handler,
+			ServerStreams: true,
+			ClientStreams: true,
+		},
+		{
+			StreamName:    "TarStream",
+			Handler:       _FileSync_TarStream_Handler,
+			ServerStreams: true,
+			ClientStreams: true,
+		},
+	},
+	Metadata: "filesync.proto",
+}
+
+// FileSendClient is the client API for FileSend service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
+type FileSendClient interface {
+	DiffCopy(ctx context.Context, opts ...grpc.CallOption) (FileSend_DiffCopyClient, error)
+}
+
+type fileSendClient struct {
+	cc *grpc.ClientConn
+}
+
+func NewFileSendClient(cc *grpc.ClientConn) FileSendClient {
+	return &fileSendClient{cc}
+}
+
+func (c *fileSendClient) DiffCopy(ctx context.Context, opts ...grpc.CallOption) (FileSend_DiffCopyClient, error) {
+	stream, err := c.cc.NewStream(ctx, &_FileSend_serviceDesc.Streams[0], "/moby.filesync.v1.FileSend/DiffCopy", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &fileSendDiffCopyClient{stream}
+	return x, nil
+}
+
+type FileSend_DiffCopyClient interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ClientStream
+}
+
+type fileSendDiffCopyClient struct {
+	grpc.ClientStream
+}
+
+func (x *fileSendDiffCopyClient) Send(m *BytesMessage) error {
+	return x.ClientStream.SendMsg(m)
+}
+
+func (x *fileSendDiffCopyClient) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+// FileSendServer is the server API for FileSend service.
+type FileSendServer interface {
+	DiffCopy(FileSend_DiffCopyServer) error
+}
+
+func RegisterFileSendServer(s *grpc.Server, srv FileSendServer) {
+	s.RegisterService(&_FileSend_serviceDesc, srv)
+}
+
+func _FileSend_DiffCopy_Handler(srv interface{}, stream grpc.ServerStream) error {
+	return srv.(FileSendServer).DiffCopy(&fileSendDiffCopyServer{stream})
+}
+
+type FileSend_DiffCopyServer interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ServerStream
+}
+
+type fileSendDiffCopyServer struct {
+	grpc.ServerStream
+}
+
+func (x *fileSendDiffCopyServer) Send(m *BytesMessage) error {
+	return x.ServerStream.SendMsg(m)
+}
+
+func (x *fileSendDiffCopyServer) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ServerStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+var _FileSend_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "moby.filesync.v1.FileSend",
+	HandlerType: (*FileSendServer)(nil),
+	Methods:     []grpc.MethodDesc{},
+	Streams: []grpc.StreamDesc{
+		{
+			StreamName:    "DiffCopy",
+			Handler:       _FileSend_DiffCopy_Handler,
+			ServerStreams: true,
+			ClientStreams: true,
+		},
+	},
+	Metadata: "filesync.proto",
+}
+
+func (m *BytesMessage) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *BytesMessage) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Data) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintFilesync(dAtA, i, uint64(len(m.Data)))
+		i += copy(dAtA[i:], m.Data)
+	}
+	return i, nil
+}
+
+func encodeVarintFilesync(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *BytesMessage) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.Data)
+	if l > 0 {
+		n += 1 + l + sovFilesync(uint64(l))
+	}
+	return n
+}
+
+func sovFilesync(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozFilesync(x uint64) (n int) {
+	return sovFilesync(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *BytesMessage) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&BytesMessage{`,
+		`Data:` + fmt.Sprintf("%v", this.Data) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringFilesync(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *BytesMessage) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowFilesync
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: BytesMessage: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: BytesMessage: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Data", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowFilesync
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthFilesync
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Data = append(m.Data[:0], dAtA[iNdEx:postIndex]...)
+			if m.Data == nil {
+				m.Data = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipFilesync(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthFilesync
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipFilesync(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowFilesync
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowFilesync
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowFilesync
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthFilesync
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowFilesync
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipFilesync(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthFilesync = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowFilesync   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("filesync.proto", fileDescriptor_filesync_26f8b7bce2e5ac0e) }
+
+var fileDescriptor_filesync_26f8b7bce2e5ac0e = []byte{
+	// 217 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0xe2, 0x4b, 0xcb, 0xcc, 0x49,
+	0x2d, 0xae, 0xcc, 0x4b, 0xd6, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x12, 0xc8, 0xcd, 0x4f, 0xaa,
+	0xd4, 0x83, 0x0b, 0x96, 0x19, 0x2a, 0x29, 0x71, 0xf1, 0x38, 0x55, 0x96, 0xa4, 0x16, 0xfb, 0xa6,
+	0x16, 0x17, 0x27, 0xa6, 0xa7, 0x0a, 0x09, 0x71, 0xb1, 0xa4, 0x24, 0x96, 0x24, 0x4a, 0x30, 0x2a,
+	0x30, 0x6a, 0xf0, 0x04, 0x81, 0xd9, 0x46, 0xab, 0x19, 0xb9, 0x38, 0xdc, 0x32, 0x73, 0x52, 0x83,
+	0x2b, 0xf3, 0x92, 0x85, 0xfc, 0xb8, 0x38, 0x5c, 0x32, 0xd3, 0xd2, 0x9c, 0xf3, 0x0b, 0x2a, 0x85,
+	0xe4, 0xf4, 0xd0, 0xcd, 0xd3, 0x43, 0x36, 0x4c, 0x8a, 0x80, 0xbc, 0x06, 0xa3, 0x01, 0xa3, 0x90,
+	0x3f, 0x17, 0x67, 0x48, 0x62, 0x51, 0x70, 0x49, 0x51, 0x6a, 0x62, 0x2e, 0x35, 0x0c, 0x34, 0x8a,
+	0x82, 0x3a, 0x36, 0x35, 0x2f, 0x85, 0xda, 0x8e, 0x75, 0xb2, 0xbb, 0xf0, 0x50, 0x8e, 0xe1, 0xc6,
+	0x43, 0x39, 0x86, 0x0f, 0x0f, 0xe5, 0x18, 0x1b, 0x1e, 0xc9, 0x31, 0xae, 0x78, 0x24, 0xc7, 0x78,
+	0xe2, 0x91, 0x1c, 0xe3, 0x85, 0x47, 0x72, 0x8c, 0x0f, 0x1e, 0xc9, 0x31, 0xbe, 0x78, 0x24, 0xc7,
+	0xf0, 0xe1, 0x91, 0x1c, 0xe3, 0x84, 0xc7, 0x72, 0x0c, 0x17, 0x1e, 0xcb, 0x31, 0xdc, 0x78, 0x2c,
+	0xc7, 0x10, 0xc5, 0x01, 0x33, 0x33, 0x89, 0x0d, 0x1c, 0x0d, 0xc6, 0x80, 0x00, 0x00, 0x00, 0xff,
+	0xff, 0x5e, 0xce, 0x52, 0xb3, 0x98, 0x01, 0x00, 0x00,
+}
--- a/vendor/github.com/moby/buildkit/session/filesync/filesync.proto
+++ b/vendor/github.com/moby/buildkit/session/filesync/filesync.proto
@ -0,0 +1,20 @@
+syntax = "proto3";
+
+package moby.filesync.v1;
+
+option go_package = "filesync";
+
+service FileSync{
+  rpc DiffCopy(stream BytesMessage) returns (stream BytesMessage);
+  rpc TarStream(stream BytesMessage) returns (stream BytesMessage);
+}
+
+service FileSend{
+  rpc DiffCopy(stream BytesMessage) returns (stream BytesMessage);
+}
+
+
+// BytesMessage contains a chunk of byte data
+message BytesMessage{
+	bytes data = 1;
+}
--- a/vendor/github.com/moby/buildkit/session/filesync/generate.go
+++ b/vendor/github.com/moby/buildkit/session/filesync/generate.go
@ -0,0 +1,3 @@
+package filesync
+
+//go:generate protoc --gogoslick_out=plugins=grpc:. filesync.proto
--- a/vendor/github.com/moby/buildkit/session/grpc.go
+++ b/vendor/github.com/moby/buildkit/session/grpc.go
@ -0,0 +1,81 @@
+package session
+
+import (
+	"context"
+	"net"
+	"sync/atomic"
+	"time"
+
+	"github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc"
+	opentracing "github.com/opentracing/opentracing-go"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/net/http2"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/health/grpc_health_v1"
+)
+
+func serve(ctx context.Context, grpcServer *grpc.Server, conn net.Conn) {
+	go func() {
+		<-ctx.Done()
+		conn.Close()
+	}()
+	logrus.Debugf("serving grpc connection")
+	(&http2.Server{}).ServeConn(conn, &http2.ServeConnOpts{Handler: grpcServer})
+}
+
+func grpcClientConn(ctx context.Context, conn net.Conn) (context.Context, *grpc.ClientConn, error) {
+	var dialCount int64
+	dialer := grpc.WithDialer(func(addr string, d time.Duration) (net.Conn, error) {
+		if c := atomic.AddInt64(&dialCount, 1); c > 1 {
+			return nil, errors.Errorf("only one connection allowed")
+		}
+		return conn, nil
+	})
+
+	dialOpts := []grpc.DialOption{
+		dialer,
+		grpc.WithInsecure(),
+	}
+
+	if span := opentracing.SpanFromContext(ctx); span != nil {
+		tracer := span.Tracer()
+		dialOpts = append(dialOpts,
+			grpc.WithUnaryInterceptor(otgrpc.OpenTracingClientInterceptor(tracer, traceFilter())),
+			grpc.WithStreamInterceptor(otgrpc.OpenTracingStreamClientInterceptor(tracer, traceFilter())),
+		)
+	}
+
+	cc, err := grpc.DialContext(ctx, "", dialOpts...)
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "failed to create grpc client")
+	}
+
+	ctx, cancel := context.WithCancel(ctx)
+	go monitorHealth(ctx, cc, cancel)
+
+	return ctx, cc, nil
+}
+
+func monitorHealth(ctx context.Context, cc *grpc.ClientConn, cancelConn func()) {
+	defer cancelConn()
+	defer cc.Close()
+
+	ticker := time.NewTicker(1 * time.Second)
+	defer ticker.Stop()
+	healthClient := grpc_health_v1.NewHealthClient(cc)
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
+			_, err := healthClient.Check(ctx, &grpc_health_v1.HealthCheckRequest{})
+			cancel()
+			if err != nil {
+				return
+			}
+		}
+	}
+}
--- a/vendor/github.com/moby/buildkit/session/grpchijack/dial.go
+++ b/vendor/github.com/moby/buildkit/session/grpchijack/dial.go
@ -0,0 +1,156 @@
+package grpchijack
+
+import (
+	"context"
+	"io"
+	"net"
+	"strings"
+	"sync"
+	"time"
+
+	controlapi "github.com/moby/buildkit/api/services/control"
+	"github.com/moby/buildkit/session"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
+)
+
+func Dialer(api controlapi.ControlClient) session.Dialer {
+	return func(ctx context.Context, proto string, meta map[string][]string) (net.Conn, error) {
+
+		meta = lowerHeaders(meta)
+
+		md := metadata.MD(meta)
+
+		ctx = metadata.NewOutgoingContext(ctx, md)
+
+		stream, err := api.Session(ctx)
+		if err != nil {
+			return nil, err
+		}
+
+		c, _ := streamToConn(stream)
+		return c, nil
+	}
+}
+
+func streamToConn(stream grpc.Stream) (net.Conn, <-chan struct{}) {
+	closeCh := make(chan struct{})
+	c := &conn{stream: stream, buf: make([]byte, 32*1<<10), closeCh: closeCh}
+	return c, closeCh
+}
+
+type conn struct {
+	stream  grpc.Stream
+	buf     []byte
+	lastBuf []byte
+
+	closedOnce sync.Once
+	readMu     sync.Mutex
+	err        error
+	closeCh    chan struct{}
+}
+
+func (c *conn) Read(b []byte) (n int, err error) {
+	c.readMu.Lock()
+	defer c.readMu.Unlock()
+
+	if c.lastBuf != nil {
+		n := copy(b, c.lastBuf)
+		c.lastBuf = c.lastBuf[n:]
+		if len(c.lastBuf) == 0 {
+			c.lastBuf = nil
+		}
+		return n, nil
+	}
+	m := new(controlapi.BytesMessage)
+	m.Data = c.buf
+
+	if err := c.stream.RecvMsg(m); err != nil {
+		return 0, err
+	}
+	c.buf = m.Data[:cap(m.Data)]
+
+	n = copy(b, m.Data)
+	if n < len(m.Data) {
+		c.lastBuf = m.Data[n:]
+	}
+
+	return n, nil
+}
+
+func (c *conn) Write(b []byte) (int, error) {
+	m := &controlapi.BytesMessage{Data: b}
+	if err := c.stream.SendMsg(m); err != nil {
+		return 0, err
+	}
+	return len(b), nil
+}
+
+func (c *conn) Close() (err error) {
+	c.closedOnce.Do(func() {
+		defer func() {
+			close(c.closeCh)
+		}()
+
+		if cs, ok := c.stream.(grpc.ClientStream); ok {
+			err = cs.CloseSend()
+			if err != nil {
+				return
+			}
+		}
+
+		c.readMu.Lock()
+		for {
+			m := new(controlapi.BytesMessage)
+			m.Data = c.buf
+			err = c.stream.RecvMsg(m)
+			if err != nil {
+				if err != io.EOF {
+					return
+				}
+				err = nil
+				break
+			}
+			c.buf = m.Data[:cap(m.Data)]
+			c.lastBuf = append(c.lastBuf, c.buf...)
+		}
+		c.readMu.Unlock()
+
+	})
+	return nil
+}
+
+func (c *conn) LocalAddr() net.Addr {
+	return dummyAddr{}
+}
+func (c *conn) RemoteAddr() net.Addr {
+	return dummyAddr{}
+}
+func (c *conn) SetDeadline(t time.Time) error {
+	return nil
+}
+func (c *conn) SetReadDeadline(t time.Time) error {
+	return nil
+}
+func (c *conn) SetWriteDeadline(t time.Time) error {
+	return nil
+}
+
+type dummyAddr struct {
+}
+
+func (d dummyAddr) Network() string {
+	return "tcp"
+}
+
+func (d dummyAddr) String() string {
+	return "localhost"
+}
+
+func lowerHeaders(in map[string][]string) map[string][]string {
+	out := map[string][]string{}
+	for k := range in {
+		out[strings.ToLower(k)] = in[k]
+	}
+	return out
+}
--- a/vendor/github.com/moby/buildkit/session/grpchijack/hijack.go
+++ b/vendor/github.com/moby/buildkit/session/grpchijack/hijack.go
@ -0,0 +1,15 @@
+package grpchijack
+
+import (
+	"net"
+
+	controlapi "github.com/moby/buildkit/api/services/control"
+	"google.golang.org/grpc/metadata"
+)
+
+// Hijack hijacks session to a connection.
+func Hijack(stream controlapi.Control_SessionServer) (net.Conn, <-chan struct{}, map[string][]string) {
+	md, _ := metadata.FromIncomingContext(stream.Context())
+	c, closeCh := streamToConn(stream)
+	return c, closeCh, md
+}
--- a/vendor/github.com/moby/buildkit/session/manager.go
+++ b/vendor/github.com/moby/buildkit/session/manager.go
@ -0,0 +1,218 @@
+package session
+
+import (
+	"context"
+	"net"
+	"net/http"
+	"strings"
+	"sync"
+
+	"github.com/pkg/errors"
+	"google.golang.org/grpc"
+)
+
+// Caller can invoke requests on the session
+type Caller interface {
+	Context() context.Context
+	Supports(method string) bool
+	Conn() *grpc.ClientConn
+	Name() string
+	SharedKey() string
+}
+
+type client struct {
+	Session
+	cc        *grpc.ClientConn
+	supported map[string]struct{}
+}
+
+// Manager is a controller for accessing currently active sessions
+type Manager struct {
+	sessions        map[string]*client
+	mu              sync.Mutex
+	updateCondition *sync.Cond
+}
+
+// NewManager returns a new Manager
+func NewManager() (*Manager, error) {
+	sm := &Manager{
+		sessions: make(map[string]*client),
+	}
+	sm.updateCondition = sync.NewCond(&sm.mu)
+	return sm, nil
+}
+
+// HandleHTTPRequest handles an incoming HTTP request
+func (sm *Manager) HandleHTTPRequest(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
+	hijacker, ok := w.(http.Hijacker)
+	if !ok {
+		return errors.New("handler does not support hijack")
+	}
+
+	id := r.Header.Get(headerSessionID)
+
+	proto := r.Header.Get("Upgrade")
+
+	sm.mu.Lock()
+	if _, ok := sm.sessions[id]; ok {
+		sm.mu.Unlock()
+		return errors.Errorf("session %s already exists", id)
+	}
+
+	if proto == "" {
+		sm.mu.Unlock()
+		return errors.New("no upgrade proto in request")
+	}
+
+	if proto != "h2c" {
+		sm.mu.Unlock()
+		return errors.Errorf("protocol %s not supported", proto)
+	}
+
+	conn, _, err := hijacker.Hijack()
+	if err != nil {
+		sm.mu.Unlock()
+		return errors.Wrap(err, "failed to hijack connection")
+	}
+
+	resp := &http.Response{
+		StatusCode: http.StatusSwitchingProtocols,
+		ProtoMajor: 1,
+		ProtoMinor: 1,
+		Header:     http.Header{},
+	}
+	resp.Header.Set("Connection", "Upgrade")
+	resp.Header.Set("Upgrade", proto)
+
+	// set raw mode
+	conn.Write([]byte{})
+	resp.Write(conn)
+
+	return sm.handleConn(ctx, conn, r.Header)
+}
+
+// HandleConn handles an incoming raw connection
+func (sm *Manager) HandleConn(ctx context.Context, conn net.Conn, opts map[string][]string) error {
+	sm.mu.Lock()
+	return sm.handleConn(ctx, conn, opts)
+}
+
+// caller needs to take lock, this function will release it
+func (sm *Manager) handleConn(ctx context.Context, conn net.Conn, opts map[string][]string) error {
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	opts = canonicalHeaders(opts)
+
+	h := http.Header(opts)
+	id := h.Get(headerSessionID)
+	name := h.Get(headerSessionName)
+	sharedKey := h.Get(headerSessionSharedKey)
+
+	ctx, cc, err := grpcClientConn(ctx, conn)
+	if err != nil {
+		sm.mu.Unlock()
+		return err
+	}
+
+	c := &client{
+		Session: Session{
+			id:        id,
+			name:      name,
+			sharedKey: sharedKey,
+			ctx:       ctx,
+			cancelCtx: cancel,
+			done:      make(chan struct{}),
+		},
+		cc:        cc,
+		supported: make(map[string]struct{}),
+	}
+
+	for _, m := range opts[headerSessionMethod] {
+		c.supported[strings.ToLower(m)] = struct{}{}
+	}
+	sm.sessions[id] = c
+	sm.updateCondition.Broadcast()
+	sm.mu.Unlock()
+
+	defer func() {
+		sm.mu.Lock()
+		delete(sm.sessions, id)
+		sm.mu.Unlock()
+	}()
+
+	<-c.ctx.Done()
+	conn.Close()
+	close(c.done)
+
+	return nil
+}
+
+// Get returns a session by ID
+func (sm *Manager) Get(ctx context.Context, id string) (Caller, error) {
+	// session prefix is used to identify vertexes with different contexts so
+	// they would not collide, but for lookup we don't need the prefix
+	if p := strings.SplitN(id, ":", 2); len(p) == 2 && len(p[1]) > 0 {
+		id = p[1]
+	}
+
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	go func() {
+		select {
+		case <-ctx.Done():
+			sm.updateCondition.Broadcast()
+		}
+	}()
+
+	var c *client
+
+	sm.mu.Lock()
+	for {
+		select {
+		case <-ctx.Done():
+			sm.mu.Unlock()
+			return nil, errors.Wrapf(ctx.Err(), "no active session for %s", id)
+		default:
+		}
+		var ok bool
+		c, ok = sm.sessions[id]
+		if !ok || c.closed() {
+			sm.updateCondition.Wait()
+			continue
+		}
+		sm.mu.Unlock()
+		break
+	}
+
+	return c, nil
+}
+
+func (c *client) Context() context.Context {
+	return c.context()
+}
+
+func (c *client) Name() string {
+	return c.name
+}
+
+func (c *client) SharedKey() string {
+	return c.sharedKey
+}
+
+func (c *client) Supports(url string) bool {
+	_, ok := c.supported[strings.ToLower(url)]
+	return ok
+}
+func (c *client) Conn() *grpc.ClientConn {
+	return c.cc
+}
+
+func canonicalHeaders(in map[string][]string) map[string][]string {
+	out := map[string][]string{}
+	for k := range in {
+		out[http.CanonicalHeaderKey(k)] = in[k]
+	}
+	return out
+}
--- a/vendor/github.com/moby/buildkit/session/secrets/generate.go
+++ b/vendor/github.com/moby/buildkit/session/secrets/generate.go
@ -0,0 +1,3 @@
+package secrets
+
+//go:generate protoc --gogoslick_out=plugins=grpc:. secrets.proto
--- a/vendor/github.com/moby/buildkit/session/secrets/secrets.go
+++ b/vendor/github.com/moby/buildkit/session/secrets/secrets.go
@ -0,0 +1,30 @@
+package secrets
+
+import (
+	"context"
+
+	"github.com/moby/buildkit/session"
+	"github.com/pkg/errors"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+type SecretStore interface {
+	GetSecret(context.Context, string) ([]byte, error)
+}
+
+var ErrNotFound = errors.Errorf("not found")
+
+func GetSecret(ctx context.Context, c session.Caller, id string) ([]byte, error) {
+	client := NewSecretsClient(c.Conn())
+	resp, err := client.GetSecret(ctx, &GetSecretRequest{
+		ID: id,
+	})
+	if err != nil {
+		if st, ok := status.FromError(err); ok && (st.Code() == codes.Unimplemented || st.Code() == codes.NotFound) {
+			return nil, errors.Wrapf(ErrNotFound, "secret %s not found", id)
+		}
+		return nil, err
+	}
+	return resp.Data, nil
+}
--- a/vendor/github.com/moby/buildkit/session/secrets/secrets.pb.go
+++ b/vendor/github.com/moby/buildkit/session/secrets/secrets.pb.go
@ -0,0 +1,868 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: secrets.proto
+
+package secrets
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import bytes "bytes"
+
+import strings "strings"
+import reflect "reflect"
+import github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+
+import (
+	context "golang.org/x/net/context"
+	grpc "google.golang.org/grpc"
+)
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+type GetSecretRequest struct {
+	ID          string            `protobuf:"bytes,1,opt,name=ID,proto3" json:"ID,omitempty"`
+	Annotations map[string]string `protobuf:"bytes,2,rep,name=annotations,proto3" json:"annotations,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+}
+
+func (m *GetSecretRequest) Reset()      { *m = GetSecretRequest{} }
+func (*GetSecretRequest) ProtoMessage() {}
+func (*GetSecretRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_secrets_21bd4adec74a381e, []int{0}
+}
+func (m *GetSecretRequest) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *GetSecretRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	if deterministic {
+		return xxx_messageInfo_GetSecretRequest.Marshal(b, m, deterministic)
+	} else {
+		b = b[:cap(b)]
+		n, err := m.MarshalTo(b)
+		if err != nil {
+			return nil, err
+		}
+		return b[:n], nil
+	}
+}
+func (dst *GetSecretRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_GetSecretRequest.Merge(dst, src)
+}
+func (m *GetSecretRequest) XXX_Size() int {
+	return m.Size()
+}
+func (m *GetSecretRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_GetSecretRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_GetSecretRequest proto.InternalMessageInfo
+
+func (m *GetSecretRequest) GetID() string {
+	if m != nil {
+		return m.ID
+	}
+	return ""
+}
+
+func (m *GetSecretRequest) GetAnnotations() map[string]string {
+	if m != nil {
+		return m.Annotations
+	}
+	return nil
+}
+
+type GetSecretResponse struct {
+	Data []byte `protobuf:"bytes,1,opt,name=data,proto3" json:"data,omitempty"`
+}
+
+func (m *GetSecretResponse) Reset()      { *m = GetSecretResponse{} }
+func (*GetSecretResponse) ProtoMessage() {}
+func (*GetSecretResponse) Descriptor() ([]byte, []int) {
+	return fileDescriptor_secrets_21bd4adec74a381e, []int{1}
+}
+func (m *GetSecretResponse) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *GetSecretResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	if deterministic {
+		return xxx_messageInfo_GetSecretResponse.Marshal(b, m, deterministic)
+	} else {
+		b = b[:cap(b)]
+		n, err := m.MarshalTo(b)
+		if err != nil {
+			return nil, err
+		}
+		return b[:n], nil
+	}
+}
+func (dst *GetSecretResponse) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_GetSecretResponse.Merge(dst, src)
+}
+func (m *GetSecretResponse) XXX_Size() int {
+	return m.Size()
+}
+func (m *GetSecretResponse) XXX_DiscardUnknown() {
+	xxx_messageInfo_GetSecretResponse.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_GetSecretResponse proto.InternalMessageInfo
+
+func (m *GetSecretResponse) GetData() []byte {
+	if m != nil {
+		return m.Data
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*GetSecretRequest)(nil), "moby.buildkit.secrets.v1.GetSecretRequest")
+	proto.RegisterMapType((map[string]string)(nil), "moby.buildkit.secrets.v1.GetSecretRequest.AnnotationsEntry")
+	proto.RegisterType((*GetSecretResponse)(nil), "moby.buildkit.secrets.v1.GetSecretResponse")
+}
+func (this *GetSecretRequest) Equal(that interface{}) bool {
+	if that == nil {
+		return this == nil
+	}
+
+	that1, ok := that.(*GetSecretRequest)
+	if !ok {
+		that2, ok := that.(GetSecretRequest)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		return this == nil
+	} else if this == nil {
+		return false
+	}
+	if this.ID != that1.ID {
+		return false
+	}
+	if len(this.Annotations) != len(that1.Annotations) {
+		return false
+	}
+	for i := range this.Annotations {
+		if this.Annotations[i] != that1.Annotations[i] {
+			return false
+		}
+	}
+	return true
+}
+func (this *GetSecretResponse) Equal(that interface{}) bool {
+	if that == nil {
+		return this == nil
+	}
+
+	that1, ok := that.(*GetSecretResponse)
+	if !ok {
+		that2, ok := that.(GetSecretResponse)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		return this == nil
+	} else if this == nil {
+		return false
+	}
+	if !bytes.Equal(this.Data, that1.Data) {
+		return false
+	}
+	return true
+}
+func (this *GetSecretRequest) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 6)
+	s = append(s, "&secrets.GetSecretRequest{")
+	s = append(s, "ID: "+fmt.Sprintf("%#v", this.ID)+",\n")
+	keysForAnnotations := make([]string, 0, len(this.Annotations))
+	for k, _ := range this.Annotations {
+		keysForAnnotations = append(keysForAnnotations, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForAnnotations)
+	mapStringForAnnotations := "map[string]string{"
+	for _, k := range keysForAnnotations {
+		mapStringForAnnotations += fmt.Sprintf("%#v: %#v,", k, this.Annotations[k])
+	}
+	mapStringForAnnotations += "}"
+	if this.Annotations != nil {
+		s = append(s, "Annotations: "+mapStringForAnnotations+",\n")
+	}
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func (this *GetSecretResponse) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 5)
+	s = append(s, "&secrets.GetSecretResponse{")
+	s = append(s, "Data: "+fmt.Sprintf("%#v", this.Data)+",\n")
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func valueToGoStringSecrets(v interface{}, typ string) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("func(v %v) *%v { return &v } ( %#v )", typ, typ, pv)
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConn
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion4
+
+// SecretsClient is the client API for Secrets service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
+type SecretsClient interface {
+	GetSecret(ctx context.Context, in *GetSecretRequest, opts ...grpc.CallOption) (*GetSecretResponse, error)
+}
+
+type secretsClient struct {
+	cc *grpc.ClientConn
+}
+
+func NewSecretsClient(cc *grpc.ClientConn) SecretsClient {
+	return &secretsClient{cc}
+}
+
+func (c *secretsClient) GetSecret(ctx context.Context, in *GetSecretRequest, opts ...grpc.CallOption) (*GetSecretResponse, error) {
+	out := new(GetSecretResponse)
+	err := c.cc.Invoke(ctx, "/moby.buildkit.secrets.v1.Secrets/GetSecret", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// SecretsServer is the server API for Secrets service.
+type SecretsServer interface {
+	GetSecret(context.Context, *GetSecretRequest) (*GetSecretResponse, error)
+}
+
+func RegisterSecretsServer(s *grpc.Server, srv SecretsServer) {
+	s.RegisterService(&_Secrets_serviceDesc, srv)
+}
+
+func _Secrets_GetSecret_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetSecretRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SecretsServer).GetSecret(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/moby.buildkit.secrets.v1.Secrets/GetSecret",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SecretsServer).GetSecret(ctx, req.(*GetSecretRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+var _Secrets_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "moby.buildkit.secrets.v1.Secrets",
+	HandlerType: (*SecretsServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "GetSecret",
+			Handler:    _Secrets_GetSecret_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "secrets.proto",
+}
+
+func (m *GetSecretRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *GetSecretRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.ID) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintSecrets(dAtA, i, uint64(len(m.ID)))
+		i += copy(dAtA[i:], m.ID)
+	}
+	if len(m.Annotations) > 0 {
+		for k, _ := range m.Annotations {
+			dAtA[i] = 0x12
+			i++
+			v := m.Annotations[k]
+			mapSize := 1 + len(k) + sovSecrets(uint64(len(k))) + 1 + len(v) + sovSecrets(uint64(len(v)))
+			i = encodeVarintSecrets(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintSecrets(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintSecrets(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	return i, nil
+}
+
+func (m *GetSecretResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *GetSecretResponse) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Data) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintSecrets(dAtA, i, uint64(len(m.Data)))
+		i += copy(dAtA[i:], m.Data)
+	}
+	return i, nil
+}
+
+func encodeVarintSecrets(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *GetSecretRequest) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.ID)
+	if l > 0 {
+		n += 1 + l + sovSecrets(uint64(l))
+	}
+	if len(m.Annotations) > 0 {
+		for k, v := range m.Annotations {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovSecrets(uint64(len(k))) + 1 + len(v) + sovSecrets(uint64(len(v)))
+			n += mapEntrySize + 1 + sovSecrets(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *GetSecretResponse) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.Data)
+	if l > 0 {
+		n += 1 + l + sovSecrets(uint64(l))
+	}
+	return n
+}
+
+func sovSecrets(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozSecrets(x uint64) (n int) {
+	return sovSecrets(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *GetSecretRequest) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForAnnotations := make([]string, 0, len(this.Annotations))
+	for k, _ := range this.Annotations {
+		keysForAnnotations = append(keysForAnnotations, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForAnnotations)
+	mapStringForAnnotations := "map[string]string{"
+	for _, k := range keysForAnnotations {
+		mapStringForAnnotations += fmt.Sprintf("%v: %v,", k, this.Annotations[k])
+	}
+	mapStringForAnnotations += "}"
+	s := strings.Join([]string{`&GetSecretRequest{`,
+		`ID:` + fmt.Sprintf("%v", this.ID) + `,`,
+		`Annotations:` + mapStringForAnnotations + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *GetSecretResponse) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&GetSecretResponse{`,
+		`Data:` + fmt.Sprintf("%v", this.Data) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringSecrets(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *GetSecretRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowSecrets
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: GetSecretRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: GetSecretRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowSecrets
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthSecrets
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Annotations", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowSecrets
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthSecrets
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Annotations == nil {
+				m.Annotations = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowSecrets
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowSecrets
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthSecrets
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowSecrets
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthSecrets
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipSecrets(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthSecrets
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.Annotations[mapkey] = mapvalue
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipSecrets(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthSecrets
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *GetSecretResponse) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowSecrets
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: GetSecretResponse: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: GetSecretResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Data", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowSecrets
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthSecrets
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Data = append(m.Data[:0], dAtA[iNdEx:postIndex]...)
+			if m.Data == nil {
+				m.Data = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipSecrets(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthSecrets
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipSecrets(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowSecrets
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowSecrets
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowSecrets
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthSecrets
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowSecrets
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipSecrets(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthSecrets = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowSecrets   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("secrets.proto", fileDescriptor_secrets_21bd4adec74a381e) }
+
+var fileDescriptor_secrets_21bd4adec74a381e = []byte{
+	// 288 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0xe2, 0x2d, 0x4e, 0x4d, 0x2e,
+	0x4a, 0x2d, 0x29, 0xd6, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x92, 0xc8, 0xcd, 0x4f, 0xaa, 0xd4,
+	0x4b, 0x2a, 0xcd, 0xcc, 0x49, 0xc9, 0xce, 0x2c, 0xd1, 0x83, 0x49, 0x96, 0x19, 0x2a, 0x1d, 0x64,
+	0xe4, 0x12, 0x70, 0x4f, 0x2d, 0x09, 0x06, 0x8b, 0x04, 0xa5, 0x16, 0x96, 0xa6, 0x16, 0x97, 0x08,
+	0xf1, 0x71, 0x31, 0x79, 0xba, 0x48, 0x30, 0x2a, 0x30, 0x6a, 0x70, 0x06, 0x31, 0x79, 0xba, 0x08,
+	0xc5, 0x72, 0x71, 0x27, 0xe6, 0xe5, 0xe5, 0x97, 0x24, 0x96, 0x64, 0xe6, 0xe7, 0x15, 0x4b, 0x30,
+	0x29, 0x30, 0x6b, 0x70, 0x1b, 0x59, 0xeb, 0xe1, 0x32, 0x54, 0x0f, 0xdd, 0x40, 0x3d, 0x47, 0x84,
+	0x6e, 0xd7, 0xbc, 0x92, 0xa2, 0xca, 0x20, 0x64, 0xf3, 0xa4, 0xec, 0xb8, 0x04, 0xd0, 0x15, 0x08,
+	0x09, 0x70, 0x31, 0x67, 0xa7, 0x56, 0x42, 0xdd, 0x00, 0x62, 0x0a, 0x89, 0x70, 0xb1, 0x96, 0x25,
+	0xe6, 0x94, 0xa6, 0x4a, 0x30, 0x81, 0xc5, 0x20, 0x1c, 0x2b, 0x26, 0x0b, 0x46, 0x25, 0x75, 0x2e,
+	0x41, 0x24, 0x1b, 0x8b, 0x0b, 0xf2, 0xf3, 0x8a, 0x53, 0x85, 0x84, 0xb8, 0x58, 0x52, 0x12, 0x4b,
+	0x12, 0xc1, 0x26, 0xf0, 0x04, 0x81, 0xd9, 0x46, 0xf9, 0x5c, 0xec, 0x10, 0x55, 0xc5, 0x42, 0x29,
+	0x5c, 0x9c, 0x70, 0x3d, 0x42, 0x5a, 0xc4, 0x7b, 0x45, 0x4a, 0x9b, 0x28, 0xb5, 0x10, 0x47, 0x38,
+	0xd9, 0x5e, 0x78, 0x28, 0xc7, 0x70, 0xe3, 0xa1, 0x1c, 0xc3, 0x87, 0x87, 0x72, 0x8c, 0x0d, 0x8f,
+	0xe4, 0x18, 0x57, 0x3c, 0x92, 0x63, 0x3c, 0xf1, 0x48, 0x8e, 0xf1, 0xc2, 0x23, 0x39, 0xc6, 0x07,
+	0x8f, 0xe4, 0x18, 0x5f, 0x3c, 0x92, 0x63, 0xf8, 0xf0, 0x48, 0x8e, 0x71, 0xc2, 0x63, 0x39, 0x86,
+	0x0b, 0x8f, 0xe5, 0x18, 0x6e, 0x3c, 0x96, 0x63, 0x88, 0x62, 0x87, 0x9a, 0x99, 0xc4, 0x06, 0x8e,
+	0x3d, 0x63, 0x40, 0x00, 0x00, 0x00, 0xff, 0xff, 0x2c, 0x38, 0xec, 0x1f, 0xce, 0x01, 0x00, 0x00,
+}
--- a/vendor/github.com/moby/buildkit/session/secrets/secrets.proto
+++ b/vendor/github.com/moby/buildkit/session/secrets/secrets.proto
@ -0,0 +1,19 @@
+syntax = "proto3";
+
+package moby.buildkit.secrets.v1;
+
+option go_package = "secrets";
+
+service Secrets{
+  rpc GetSecret(GetSecretRequest) returns (GetSecretResponse);
+}
+
+
+message GetSecretRequest {
+	string ID = 1;
+	map<string, string> annotations = 2;
+}
+
+message GetSecretResponse {
+	bytes data = 1;
+}
--- a/vendor/github.com/moby/buildkit/session/secrets/secretsprovider/file.go
+++ b/vendor/github.com/moby/buildkit/session/secrets/secretsprovider/file.go
@ -0,0 +1,54 @@
+package secretsprovider
+
+import (
+	"context"
+	"io/ioutil"
+	"os"
+
+	"github.com/moby/buildkit/session/secrets"
+	"github.com/pkg/errors"
+)
+
+type FileSource struct {
+	ID       string
+	FilePath string
+}
+
+func NewFileStore(files []FileSource) (secrets.SecretStore, error) {
+	m := map[string]FileSource{}
+	for _, f := range files {
+		if f.ID == "" {
+			return nil, errors.Errorf("secret missing ID")
+		}
+		if f.FilePath == "" {
+			f.FilePath = f.ID
+		}
+		fi, err := os.Stat(f.FilePath)
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to stat %s", f.FilePath)
+		}
+		if fi.Size() > MaxSecretSize {
+			return nil, errors.Errorf("secret %s too big. max size 500KB", f.ID)
+		}
+		m[f.ID] = f
+	}
+	return &fileStore{
+		m: m,
+	}, nil
+}
+
+type fileStore struct {
+	m map[string]FileSource
+}
+
+func (fs *fileStore) GetSecret(ctx context.Context, id string) ([]byte, error) {
+	v, ok := fs.m[id]
+	if !ok {
+		return nil, errors.WithStack(secrets.ErrNotFound)
+	}
+	dt, err := ioutil.ReadFile(v.FilePath)
+	if err != nil {
+		return nil, err
+	}
+	return dt, nil
+}
--- a/vendor/github.com/moby/buildkit/session/secrets/secretsprovider/secretsprovider.go
+++ b/vendor/github.com/moby/buildkit/session/secrets/secretsprovider/secretsprovider.go
@ -0,0 +1,60 @@
+package secretsprovider
+
+import (
+	"context"
+
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/secrets"
+	"github.com/pkg/errors"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+// MaxSecretSize is the maximum byte length allowed for a secret
+const MaxSecretSize = 500 * 1024 // 500KB
+
+func NewSecretProvider(store secrets.SecretStore) session.Attachable {
+	return &secretProvider{
+		store: store,
+	}
+}
+
+type secretProvider struct {
+	store secrets.SecretStore
+}
+
+func (sp *secretProvider) Register(server *grpc.Server) {
+	secrets.RegisterSecretsServer(server, sp)
+}
+
+func (sp *secretProvider) GetSecret(ctx context.Context, req *secrets.GetSecretRequest) (*secrets.GetSecretResponse, error) {
+	dt, err := sp.store.GetSecret(ctx, req.ID)
+	if err != nil {
+		if errors.Cause(err) == secrets.ErrNotFound {
+			return nil, status.Errorf(codes.NotFound, err.Error())
+		}
+		return nil, err
+	}
+	if l := len(dt); l > MaxSecretSize {
+		return nil, errors.Errorf("invalid secret size %d", l)
+	}
+
+	return &secrets.GetSecretResponse{
+		Data: dt,
+	}, nil
+}
+
+func FromMap(m map[string][]byte) session.Attachable {
+	return NewSecretProvider(mapStore(m))
+}
+
+type mapStore map[string][]byte
+
+func (m mapStore) GetSecret(ctx context.Context, id string) ([]byte, error) {
+	v, ok := m[id]
+	if !ok {
+		return nil, errors.WithStack(secrets.ErrNotFound)
+	}
+	return v, nil
+}
--- a/vendor/github.com/moby/buildkit/session/session.go
+++ b/vendor/github.com/moby/buildkit/session/session.go
@ -0,0 +1,143 @@
+package session
+
+import (
+	"context"
+	"net"
+	"strings"
+
+	"github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc"
+	"github.com/moby/buildkit/identity"
+	opentracing "github.com/opentracing/opentracing-go"
+	"github.com/pkg/errors"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/health"
+	"google.golang.org/grpc/health/grpc_health_v1"
+)
+
+const (
+	headerSessionID        = "X-Docker-Expose-Session-Uuid"
+	headerSessionName      = "X-Docker-Expose-Session-Name"
+	headerSessionSharedKey = "X-Docker-Expose-Session-Sharedkey"
+	headerSessionMethod    = "X-Docker-Expose-Session-Grpc-Method"
+)
+
+// Dialer returns a connection that can be used by the session
+type Dialer func(ctx context.Context, proto string, meta map[string][]string) (net.Conn, error)
+
+// Attachable defines a feature that can be exposed on a session
+type Attachable interface {
+	Register(*grpc.Server)
+}
+
+// Session is a long running connection between client and a daemon
+type Session struct {
+	id         string
+	name       string
+	sharedKey  string
+	ctx        context.Context
+	cancelCtx  func()
+	done       chan struct{}
+	grpcServer *grpc.Server
+	conn       net.Conn
+}
+
+// NewSession returns a new long running session
+func NewSession(ctx context.Context, name, sharedKey string) (*Session, error) {
+	id := identity.NewID()
+
+	serverOpts := []grpc.ServerOption{}
+	if span := opentracing.SpanFromContext(ctx); span != nil {
+		tracer := span.Tracer()
+		serverOpts = []grpc.ServerOption{
+			grpc.StreamInterceptor(otgrpc.OpenTracingStreamServerInterceptor(span.Tracer(), traceFilter())),
+			grpc.UnaryInterceptor(otgrpc.OpenTracingServerInterceptor(tracer, traceFilter())),
+		}
+	}
+
+	s := &Session{
+		id:         id,
+		name:       name,
+		sharedKey:  sharedKey,
+		grpcServer: grpc.NewServer(serverOpts...),
+	}
+
+	grpc_health_v1.RegisterHealthServer(s.grpcServer, health.NewServer())
+
+	return s, nil
+}
+
+// Allow enables a given service to be reachable through the grpc session
+func (s *Session) Allow(a Attachable) {
+	a.Register(s.grpcServer)
+}
+
+// ID returns unique identifier for the session
+func (s *Session) ID() string {
+	return s.id
+}
+
+// Run activates the session
+func (s *Session) Run(ctx context.Context, dialer Dialer) error {
+	ctx, cancel := context.WithCancel(ctx)
+	s.cancelCtx = cancel
+	s.done = make(chan struct{})
+
+	defer cancel()
+	defer close(s.done)
+
+	meta := make(map[string][]string)
+	meta[headerSessionID] = []string{s.id}
+	meta[headerSessionName] = []string{s.name}
+	meta[headerSessionSharedKey] = []string{s.sharedKey}
+
+	for name, svc := range s.grpcServer.GetServiceInfo() {
+		for _, method := range svc.Methods {
+			meta[headerSessionMethod] = append(meta[headerSessionMethod], MethodURL(name, method.Name))
+		}
+	}
+	conn, err := dialer(ctx, "h2c", meta)
+	if err != nil {
+		return errors.Wrap(err, "failed to dial gRPC")
+	}
+	s.conn = conn
+	serve(ctx, s.grpcServer, conn)
+	return nil
+}
+
+// Close closes the session
+func (s *Session) Close() error {
+	if s.cancelCtx != nil && s.done != nil {
+		if s.conn != nil {
+			s.conn.Close()
+		}
+		s.grpcServer.Stop()
+		<-s.done
+	}
+	return nil
+}
+
+func (s *Session) context() context.Context {
+	return s.ctx
+}
+
+func (s *Session) closed() bool {
+	select {
+	case <-s.context().Done():
+		return true
+	default:
+		return false
+	}
+}
+
+// MethodURL returns a gRPC method URL for service and method name
+func MethodURL(s, m string) string {
+	return "/" + s + "/" + m
+}
+
+func traceFilter() otgrpc.Option {
+	return otgrpc.IncludingSpans(func(parentSpanCtx opentracing.SpanContext,
+		method string,
+		req, resp interface{}) bool {
+		return !strings.HasSuffix(method, "Health/Check")
+	})
+}
--- a/vendor/github.com/moby/buildkit/session/sshforward/copy.go
+++ b/vendor/github.com/moby/buildkit/session/sshforward/copy.go
@ -0,0 +1,61 @@
+package sshforward
+
+import (
+	io "io"
+
+	context "golang.org/x/net/context"
+	"golang.org/x/sync/errgroup"
+	"google.golang.org/grpc"
+)
+
+func Copy(ctx context.Context, conn io.ReadWriteCloser, stream grpc.Stream) error {
+	g, ctx := errgroup.WithContext(ctx)
+
+	g.Go(func() (retErr error) {
+		p := &BytesMessage{}
+		for {
+			if err := stream.RecvMsg(p); err != nil {
+				if err == io.EOF {
+					return nil
+				}
+				conn.Close()
+				return err
+			}
+			select {
+			case <-ctx.Done():
+				conn.Close()
+				return ctx.Err()
+			default:
+			}
+			if _, err := conn.Write(p.Data); err != nil {
+				conn.Close()
+				return err
+			}
+			p.Data = p.Data[:0]
+		}
+	})
+
+	g.Go(func() (retErr error) {
+		for {
+			buf := make([]byte, 32*1024)
+			n, err := conn.Read(buf)
+			switch {
+			case err == io.EOF:
+				return nil
+			case err != nil:
+				return err
+			}
+			select {
+			case <-ctx.Done():
+				return ctx.Err()
+			default:
+			}
+			p := &BytesMessage{Data: buf[:n]}
+			if err := stream.SendMsg(p); err != nil {
+				return err
+			}
+		}
+	})
+
+	return g.Wait()
+}
--- a/vendor/github.com/moby/buildkit/session/sshforward/generate.go
+++ b/vendor/github.com/moby/buildkit/session/sshforward/generate.go
@ -0,0 +1,3 @@
+package sshforward
+
+//go:generate protoc --gogoslick_out=plugins=grpc:. ssh.proto
--- a/vendor/github.com/moby/buildkit/session/sshforward/ssh.go
+++ b/vendor/github.com/moby/buildkit/session/sshforward/ssh.go
@ -0,0 +1,113 @@
+package sshforward
+
+import (
+	"io/ioutil"
+	"net"
+	"os"
+	"path/filepath"
+
+	"github.com/moby/buildkit/session"
+	context "golang.org/x/net/context"
+	"golang.org/x/sync/errgroup"
+	"google.golang.org/grpc/metadata"
+)
+
+// DefaultID is the default ssh ID
+const DefaultID = "default"
+
+const KeySSHID = "buildkit.ssh.id"
+
+type server struct {
+	caller session.Caller
+}
+
+func (s *server) run(ctx context.Context, l net.Listener, id string) error {
+	eg, ctx := errgroup.WithContext(ctx)
+
+	eg.Go(func() error {
+		<-ctx.Done()
+		return ctx.Err()
+	})
+
+	eg.Go(func() error {
+		for {
+			conn, err := l.Accept()
+			if err != nil {
+				return err
+			}
+
+			client := NewSSHClient(s.caller.Conn())
+
+			opts := make(map[string][]string)
+			opts[KeySSHID] = []string{id}
+			ctx = metadata.NewOutgoingContext(ctx, opts)
+
+			stream, err := client.ForwardAgent(ctx)
+			if err != nil {
+				conn.Close()
+				return err
+			}
+
+			go Copy(ctx, conn, stream)
+		}
+	})
+
+	return eg.Wait()
+}
+
+type SocketOpt struct {
+	ID   string
+	UID  int
+	GID  int
+	Mode int
+}
+
+func MountSSHSocket(ctx context.Context, c session.Caller, opt SocketOpt) (sockPath string, closer func() error, err error) {
+	dir, err := ioutil.TempDir("", ".buildkit-ssh-sock")
+	if err != nil {
+		return "", nil, err
+	}
+
+	defer func() {
+		if err != nil {
+			os.RemoveAll(dir)
+		}
+	}()
+
+	sockPath = filepath.Join(dir, "ssh_auth_sock")
+
+	l, err := net.Listen("unix", sockPath)
+	if err != nil {
+		return "", nil, err
+	}
+
+	if err := os.Chown(sockPath, opt.UID, opt.GID); err != nil {
+		l.Close()
+		return "", nil, err
+	}
+	if err := os.Chmod(sockPath, os.FileMode(opt.Mode)); err != nil {
+		l.Close()
+		return "", nil, err
+	}
+
+	s := &server{caller: c}
+
+	id := opt.ID
+	if id == "" {
+		id = DefaultID
+	}
+
+	go s.run(ctx, l, id) // erroring per connection allowed
+
+	return sockPath, func() error {
+		err := l.Close()
+		os.RemoveAll(sockPath)
+		return err
+	}, nil
+}
+
+func CheckSSHID(ctx context.Context, c session.Caller, id string) error {
+	client := NewSSHClient(c.Conn())
+	_, err := client.CheckAgent(ctx, &CheckAgentRequest{ID: id})
+	return err
+}
--- a/vendor/github.com/moby/buildkit/session/sshforward/ssh.pb.go
+++ b/vendor/github.com/moby/buildkit/session/sshforward/ssh.pb.go
@ -0,0 +1,900 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: ssh.proto
+
+package sshforward
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import bytes "bytes"
+
+import strings "strings"
+import reflect "reflect"
+
+import (
+	context "golang.org/x/net/context"
+	grpc "google.golang.org/grpc"
+)
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+// BytesMessage contains a chunk of byte data
+type BytesMessage struct {
+	Data []byte `protobuf:"bytes,1,opt,name=data,proto3" json:"data,omitempty"`
+}
+
+func (m *BytesMessage) Reset()      { *m = BytesMessage{} }
+func (*BytesMessage) ProtoMessage() {}
+func (*BytesMessage) Descriptor() ([]byte, []int) {
+	return fileDescriptor_ssh_13bd2c34c031d472, []int{0}
+}
+func (m *BytesMessage) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *BytesMessage) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	if deterministic {
+		return xxx_messageInfo_BytesMessage.Marshal(b, m, deterministic)
+	} else {
+		b = b[:cap(b)]
+		n, err := m.MarshalTo(b)
+		if err != nil {
+			return nil, err
+		}
+		return b[:n], nil
+	}
+}
+func (dst *BytesMessage) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_BytesMessage.Merge(dst, src)
+}
+func (m *BytesMessage) XXX_Size() int {
+	return m.Size()
+}
+func (m *BytesMessage) XXX_DiscardUnknown() {
+	xxx_messageInfo_BytesMessage.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_BytesMessage proto.InternalMessageInfo
+
+func (m *BytesMessage) GetData() []byte {
+	if m != nil {
+		return m.Data
+	}
+	return nil
+}
+
+type CheckAgentRequest struct {
+	ID string `protobuf:"bytes,1,opt,name=ID,proto3" json:"ID,omitempty"`
+}
+
+func (m *CheckAgentRequest) Reset()      { *m = CheckAgentRequest{} }
+func (*CheckAgentRequest) ProtoMessage() {}
+func (*CheckAgentRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_ssh_13bd2c34c031d472, []int{1}
+}
+func (m *CheckAgentRequest) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *CheckAgentRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	if deterministic {
+		return xxx_messageInfo_CheckAgentRequest.Marshal(b, m, deterministic)
+	} else {
+		b = b[:cap(b)]
+		n, err := m.MarshalTo(b)
+		if err != nil {
+			return nil, err
+		}
+		return b[:n], nil
+	}
+}
+func (dst *CheckAgentRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CheckAgentRequest.Merge(dst, src)
+}
+func (m *CheckAgentRequest) XXX_Size() int {
+	return m.Size()
+}
+func (m *CheckAgentRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_CheckAgentRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CheckAgentRequest proto.InternalMessageInfo
+
+func (m *CheckAgentRequest) GetID() string {
+	if m != nil {
+		return m.ID
+	}
+	return ""
+}
+
+type CheckAgentResponse struct {
+}
+
+func (m *CheckAgentResponse) Reset()      { *m = CheckAgentResponse{} }
+func (*CheckAgentResponse) ProtoMessage() {}
+func (*CheckAgentResponse) Descriptor() ([]byte, []int) {
+	return fileDescriptor_ssh_13bd2c34c031d472, []int{2}
+}
+func (m *CheckAgentResponse) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *CheckAgentResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	if deterministic {
+		return xxx_messageInfo_CheckAgentResponse.Marshal(b, m, deterministic)
+	} else {
+		b = b[:cap(b)]
+		n, err := m.MarshalTo(b)
+		if err != nil {
+			return nil, err
+		}
+		return b[:n], nil
+	}
+}
+func (dst *CheckAgentResponse) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CheckAgentResponse.Merge(dst, src)
+}
+func (m *CheckAgentResponse) XXX_Size() int {
+	return m.Size()
+}
+func (m *CheckAgentResponse) XXX_DiscardUnknown() {
+	xxx_messageInfo_CheckAgentResponse.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CheckAgentResponse proto.InternalMessageInfo
+
+func init() {
+	proto.RegisterType((*BytesMessage)(nil), "moby.sshforward.v1.BytesMessage")
+	proto.RegisterType((*CheckAgentRequest)(nil), "moby.sshforward.v1.CheckAgentRequest")
+	proto.RegisterType((*CheckAgentResponse)(nil), "moby.sshforward.v1.CheckAgentResponse")
+}
+func (this *BytesMessage) Equal(that interface{}) bool {
+	if that == nil {
+		return this == nil
+	}
+
+	that1, ok := that.(*BytesMessage)
+	if !ok {
+		that2, ok := that.(BytesMessage)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		return this == nil
+	} else if this == nil {
+		return false
+	}
+	if !bytes.Equal(this.Data, that1.Data) {
+		return false
+	}
+	return true
+}
+func (this *CheckAgentRequest) Equal(that interface{}) bool {
+	if that == nil {
+		return this == nil
+	}
+
+	that1, ok := that.(*CheckAgentRequest)
+	if !ok {
+		that2, ok := that.(CheckAgentRequest)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		return this == nil
+	} else if this == nil {
+		return false
+	}
+	if this.ID != that1.ID {
+		return false
+	}
+	return true
+}
+func (this *CheckAgentResponse) Equal(that interface{}) bool {
+	if that == nil {
+		return this == nil
+	}
+
+	that1, ok := that.(*CheckAgentResponse)
+	if !ok {
+		that2, ok := that.(CheckAgentResponse)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		return this == nil
+	} else if this == nil {
+		return false
+	}
+	return true
+}
+func (this *BytesMessage) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 5)
+	s = append(s, "&sshforward.BytesMessage{")
+	s = append(s, "Data: "+fmt.Sprintf("%#v", this.Data)+",\n")
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func (this *CheckAgentRequest) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 5)
+	s = append(s, "&sshforward.CheckAgentRequest{")
+	s = append(s, "ID: "+fmt.Sprintf("%#v", this.ID)+",\n")
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func (this *CheckAgentResponse) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 4)
+	s = append(s, "&sshforward.CheckAgentResponse{")
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func valueToGoStringSsh(v interface{}, typ string) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("func(v %v) *%v { return &v } ( %#v )", typ, typ, pv)
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConn
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion4
+
+// SSHClient is the client API for SSH service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
+type SSHClient interface {
+	CheckAgent(ctx context.Context, in *CheckAgentRequest, opts ...grpc.CallOption) (*CheckAgentResponse, error)
+	ForwardAgent(ctx context.Context, opts ...grpc.CallOption) (SSH_ForwardAgentClient, error)
+}
+
+type sSHClient struct {
+	cc *grpc.ClientConn
+}
+
+func NewSSHClient(cc *grpc.ClientConn) SSHClient {
+	return &sSHClient{cc}
+}
+
+func (c *sSHClient) CheckAgent(ctx context.Context, in *CheckAgentRequest, opts ...grpc.CallOption) (*CheckAgentResponse, error) {
+	out := new(CheckAgentResponse)
+	err := c.cc.Invoke(ctx, "/moby.sshforward.v1.SSH/CheckAgent", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *sSHClient) ForwardAgent(ctx context.Context, opts ...grpc.CallOption) (SSH_ForwardAgentClient, error) {
+	stream, err := c.cc.NewStream(ctx, &_SSH_serviceDesc.Streams[0], "/moby.sshforward.v1.SSH/ForwardAgent", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &sSHForwardAgentClient{stream}
+	return x, nil
+}
+
+type SSH_ForwardAgentClient interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ClientStream
+}
+
+type sSHForwardAgentClient struct {
+	grpc.ClientStream
+}
+
+func (x *sSHForwardAgentClient) Send(m *BytesMessage) error {
+	return x.ClientStream.SendMsg(m)
+}
+
+func (x *sSHForwardAgentClient) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+// SSHServer is the server API for SSH service.
+type SSHServer interface {
+	CheckAgent(context.Context, *CheckAgentRequest) (*CheckAgentResponse, error)
+	ForwardAgent(SSH_ForwardAgentServer) error
+}
+
+func RegisterSSHServer(s *grpc.Server, srv SSHServer) {
+	s.RegisterService(&_SSH_serviceDesc, srv)
+}
+
+func _SSH_CheckAgent_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(CheckAgentRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SSHServer).CheckAgent(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/moby.sshforward.v1.SSH/CheckAgent",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SSHServer).CheckAgent(ctx, req.(*CheckAgentRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SSH_ForwardAgent_Handler(srv interface{}, stream grpc.ServerStream) error {
+	return srv.(SSHServer).ForwardAgent(&sSHForwardAgentServer{stream})
+}
+
+type SSH_ForwardAgentServer interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ServerStream
+}
+
+type sSHForwardAgentServer struct {
+	grpc.ServerStream
+}
+
+func (x *sSHForwardAgentServer) Send(m *BytesMessage) error {
+	return x.ServerStream.SendMsg(m)
+}
+
+func (x *sSHForwardAgentServer) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ServerStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+var _SSH_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "moby.sshforward.v1.SSH",
+	HandlerType: (*SSHServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "CheckAgent",
+			Handler:    _SSH_CheckAgent_Handler,
+		},
+	},
+	Streams: []grpc.StreamDesc{
+		{
+			StreamName:    "ForwardAgent",
+			Handler:       _SSH_ForwardAgent_Handler,
+			ServerStreams: true,
+			ClientStreams: true,
+		},
+	},
+	Metadata: "ssh.proto",
+}
+
+func (m *BytesMessage) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *BytesMessage) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Data) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintSsh(dAtA, i, uint64(len(m.Data)))
+		i += copy(dAtA[i:], m.Data)
+	}
+	return i, nil
+}
+
+func (m *CheckAgentRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CheckAgentRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.ID) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintSsh(dAtA, i, uint64(len(m.ID)))
+		i += copy(dAtA[i:], m.ID)
+	}
+	return i, nil
+}
+
+func (m *CheckAgentResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CheckAgentResponse) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	return i, nil
+}
+
+func encodeVarintSsh(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *BytesMessage) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.Data)
+	if l > 0 {
+		n += 1 + l + sovSsh(uint64(l))
+	}
+	return n
+}
+
+func (m *CheckAgentRequest) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.ID)
+	if l > 0 {
+		n += 1 + l + sovSsh(uint64(l))
+	}
+	return n
+}
+
+func (m *CheckAgentResponse) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	return n
+}
+
+func sovSsh(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozSsh(x uint64) (n int) {
+	return sovSsh(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *BytesMessage) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&BytesMessage{`,
+		`Data:` + fmt.Sprintf("%v", this.Data) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CheckAgentRequest) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CheckAgentRequest{`,
+		`ID:` + fmt.Sprintf("%v", this.ID) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CheckAgentResponse) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CheckAgentResponse{`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringSsh(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *BytesMessage) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowSsh
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: BytesMessage: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: BytesMessage: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Data", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowSsh
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthSsh
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Data = append(m.Data[:0], dAtA[iNdEx:postIndex]...)
+			if m.Data == nil {
+				m.Data = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipSsh(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthSsh
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CheckAgentRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowSsh
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CheckAgentRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CheckAgentRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowSsh
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthSsh
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipSsh(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthSsh
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CheckAgentResponse) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowSsh
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CheckAgentResponse: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CheckAgentResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		default:
+			iNdEx = preIndex
+			skippy, err := skipSsh(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthSsh
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipSsh(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowSsh
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowSsh
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowSsh
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthSsh
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowSsh
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipSsh(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthSsh = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowSsh   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("ssh.proto", fileDescriptor_ssh_13bd2c34c031d472) }
+
+var fileDescriptor_ssh_13bd2c34c031d472 = []byte{
+	// 252 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0xe2, 0x2c, 0x2e, 0xce, 0xd0,
+	0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x12, 0xca, 0xcd, 0x4f, 0xaa, 0xd4, 0x2b, 0x2e, 0xce, 0x48,
+	0xcb, 0x2f, 0x2a, 0x4f, 0x2c, 0x4a, 0xd1, 0x2b, 0x33, 0x54, 0x52, 0xe2, 0xe2, 0x71, 0xaa, 0x2c,
+	0x49, 0x2d, 0xf6, 0x4d, 0x2d, 0x2e, 0x4e, 0x4c, 0x4f, 0x15, 0x12, 0xe2, 0x62, 0x49, 0x49, 0x2c,
+	0x49, 0x94, 0x60, 0x54, 0x60, 0xd4, 0xe0, 0x09, 0x02, 0xb3, 0x95, 0x94, 0xb9, 0x04, 0x9d, 0x33,
+	0x52, 0x93, 0xb3, 0x1d, 0xd3, 0x53, 0xf3, 0x4a, 0x82, 0x52, 0x0b, 0x4b, 0x53, 0x8b, 0x4b, 0x84,
+	0xf8, 0xb8, 0x98, 0x3c, 0x5d, 0xc0, 0xca, 0x38, 0x83, 0x98, 0x3c, 0x5d, 0x94, 0x44, 0xb8, 0x84,
+	0x90, 0x15, 0x15, 0x17, 0xe4, 0xe7, 0x15, 0xa7, 0x1a, 0xed, 0x62, 0xe4, 0x62, 0x0e, 0x0e, 0xf6,
+	0x10, 0x8a, 0xe6, 0xe2, 0x42, 0xc8, 0x0a, 0xa9, 0xea, 0x61, 0xba, 0x44, 0x0f, 0xc3, 0x0a, 0x29,
+	0x35, 0x42, 0xca, 0x20, 0x96, 0x08, 0x85, 0x71, 0xf1, 0xb8, 0x41, 0x14, 0x40, 0x8c, 0x57, 0xc0,
+	0xa6, 0x0f, 0xd9, 0x97, 0x52, 0x04, 0x55, 0x68, 0x30, 0x1a, 0x30, 0x3a, 0x39, 0x5c, 0x78, 0x28,
+	0xc7, 0x70, 0xe3, 0xa1, 0x1c, 0xc3, 0x87, 0x87, 0x72, 0x8c, 0x0d, 0x8f, 0xe4, 0x18, 0x57, 0x3c,
+	0x92, 0x63, 0x3c, 0xf1, 0x48, 0x8e, 0xf1, 0xc2, 0x23, 0x39, 0xc6, 0x07, 0x8f, 0xe4, 0x18, 0x5f,
+	0x3c, 0x92, 0x63, 0xf8, 0xf0, 0x48, 0x8e, 0x71, 0xc2, 0x63, 0x39, 0x86, 0x0b, 0x8f, 0xe5, 0x18,
+	0x6e, 0x3c, 0x96, 0x63, 0x88, 0xe2, 0x42, 0x98, 0x9a, 0xc4, 0x06, 0x0e, 0x78, 0x63, 0x40, 0x00,
+	0x00, 0x00, 0xff, 0xff, 0x6c, 0xe6, 0x6d, 0xb7, 0x85, 0x01, 0x00, 0x00,
+}
--- a/vendor/github.com/moby/buildkit/session/sshforward/ssh.proto
+++ b/vendor/github.com/moby/buildkit/session/sshforward/ssh.proto
@ -0,0 +1,22 @@
+syntax = "proto3";
+
+package moby.sshforward.v1;
+
+option go_package = "sshforward";
+
+service SSH {
+	rpc CheckAgent(CheckAgentRequest) returns (CheckAgentResponse);
+	rpc ForwardAgent(stream BytesMessage) returns (stream BytesMessage);
+}
+
+// BytesMessage contains a chunk of byte data
+message BytesMessage{
+	bytes data = 1;
+}
+
+message CheckAgentRequest {
+	string ID = 1;
+}
+
+message CheckAgentResponse {
+}
--- a/vendor/github.com/moby/buildkit/session/sshforward/sshprovider/agentprovider.go
+++ b/vendor/github.com/moby/buildkit/session/sshforward/sshprovider/agentprovider.go
@ -0,0 +1,198 @@
+package sshprovider
+
+import (
+	"context"
+	"io"
+	"io/ioutil"
+	"net"
+	"os"
+	"time"
+
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/sshforward"
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/ssh"
+	"golang.org/x/crypto/ssh/agent"
+	"golang.org/x/sync/errgroup"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
+)
+
+// AgentConfig is the config for a single exposed SSH agent
+type AgentConfig struct {
+	ID    string
+	Paths []string
+}
+
+// NewSSHAgentProvider creates a session provider that allows access to ssh agent
+func NewSSHAgentProvider(confs []AgentConfig) (session.Attachable, error) {
+	m := map[string]source{}
+	for _, conf := range confs {
+		if len(conf.Paths) == 0 || len(conf.Paths) == 1 && conf.Paths[0] == "" {
+			conf.Paths = []string{os.Getenv("SSH_AUTH_SOCK")}
+		}
+
+		if conf.Paths[0] == "" {
+			return nil, errors.Errorf("invalid empty ssh agent socket, make sure SSH_AUTH_SOCK is set")
+		}
+
+		src, err := toAgentSource(conf.Paths)
+		if err != nil {
+			return nil, err
+		}
+		if conf.ID == "" {
+			conf.ID = sshforward.DefaultID
+		}
+		if _, ok := m[conf.ID]; ok {
+			return nil, errors.Errorf("invalid duplicate ID %s", conf.ID)
+		}
+		m[conf.ID] = src
+	}
+
+	return &socketProvider{m: m}, nil
+}
+
+type source struct {
+	agent  agent.Agent
+	socket string
+}
+
+type socketProvider struct {
+	m map[string]source
+}
+
+func (sp *socketProvider) Register(server *grpc.Server) {
+	sshforward.RegisterSSHServer(server, sp)
+}
+
+func (sp *socketProvider) CheckAgent(ctx context.Context, req *sshforward.CheckAgentRequest) (*sshforward.CheckAgentResponse, error) {
+	id := sshforward.DefaultID
+	if req.ID != "" {
+		id = req.ID
+	}
+	if _, ok := sp.m[id]; !ok {
+		return &sshforward.CheckAgentResponse{}, errors.Errorf("unset ssh forward key %s", id)
+	}
+	return &sshforward.CheckAgentResponse{}, nil
+}
+
+func (sp *socketProvider) ForwardAgent(stream sshforward.SSH_ForwardAgentServer) error {
+	id := sshforward.DefaultID
+
+	opts, _ := metadata.FromIncomingContext(stream.Context()) // if no metadata continue with empty object
+
+	if v, ok := opts[sshforward.KeySSHID]; ok && len(v) > 0 && v[0] != "" {
+		id = v[0]
+	}
+
+	src, ok := sp.m[id]
+	if !ok {
+		return errors.Errorf("unset ssh forward key %s", id)
+	}
+
+	var a agent.Agent
+
+	if src.socket != "" {
+		conn, err := net.DialTimeout("unix", src.socket, time.Second)
+		if err != nil {
+			return errors.Wrapf(err, "failed to connect to %s", src.socket)
+		}
+
+		a = &readOnlyAgent{agent.NewClient(conn)}
+		defer conn.Close()
+	} else {
+		a = src.agent
+	}
+
+	s1, s2 := sockPair()
+
+	eg, ctx := errgroup.WithContext(context.TODO())
+
+	eg.Go(func() error {
+		return agent.ServeAgent(a, s1)
+	})
+
+	eg.Go(func() error {
+		defer s1.Close()
+		return sshforward.Copy(ctx, s2, stream)
+	})
+
+	return eg.Wait()
+}
+
+func toAgentSource(paths []string) (source, error) {
+	var keys bool
+	var socket string
+	a := agent.NewKeyring()
+	for _, p := range paths {
+		if socket != "" {
+			return source{}, errors.New("only single socket allowed")
+		}
+		fi, err := os.Stat(p)
+		if err != nil {
+			return source{}, errors.WithStack(err)
+		}
+		if fi.Mode()&os.ModeSocket > 0 {
+			if keys {
+				return source{}, errors.Errorf("invalid combination of keys and sockets")
+			}
+			socket = p
+			continue
+		}
+		keys = true
+		f, err := os.Open(p)
+		if err != nil {
+			return source{}, errors.Wrapf(err, "failed to open %s", p)
+		}
+		dt, err := ioutil.ReadAll(&io.LimitedReader{R: f, N: 100 * 1024})
+		if err != nil {
+			return source{}, errors.Wrapf(err, "failed to read %s", p)
+		}
+
+		k, err := ssh.ParseRawPrivateKey(dt)
+		if err != nil {
+			return source{}, errors.Wrapf(err, "failed to parse %s", p) // TODO: prompt passphrase?
+		}
+		if err := a.Add(agent.AddedKey{PrivateKey: k}); err != nil {
+			return source{}, errors.Wrapf(err, "failed to add %s to agent", p)
+		}
+	}
+
+	if socket != "" {
+		return source{socket: socket}, nil
+	}
+
+	return source{agent: a}, nil
+}
+
+func sockPair() (io.ReadWriteCloser, io.ReadWriteCloser) {
+	pr1, pw1 := io.Pipe()
+	pr2, pw2 := io.Pipe()
+	return &sock{pr1, pw2, pw1}, &sock{pr2, pw1, pw2}
+}
+
+type sock struct {
+	io.Reader
+	io.Writer
+	io.Closer
+}
+
+type readOnlyAgent struct {
+	agent.Agent
+}
+
+func (a *readOnlyAgent) Add(_ agent.AddedKey) error {
+	return errors.Errorf("adding new keys not allowed by buildkit")
+}
+
+func (a *readOnlyAgent) Remove(_ ssh.PublicKey) error {
+	return errors.Errorf("removing keys not allowed by buildkit")
+}
+
+func (a *readOnlyAgent) RemoveAll() error {
+	return errors.Errorf("removing keys not allowed by buildkit")
+}
+
+func (a *readOnlyAgent) Lock(_ []byte) error {
+	return errors.Errorf("locking agent not allowed by buildkit")
+}