Bump SwarmKit to 8d8689d5a94ac42406883a4cef89b3a5eaec3d11

Changes included;

- docker/swarmkit#2735 Assign secrets individually to each task
- docker/swarmkit#2759 Adding a new `Deallocator` component
- docker/swarmkit#2738 Add additional info for secret drivers
- docker/swarmkit#2775 Increase grpc max recv message size
  - addresses moby/moby#37941
  - addresses moby/moby#37997
  - follow-up to moby/moby#38103

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

vendor.conf

@@ -126,7 +126,7 @@ github.com/containerd/ttrpc 2a805f71863501300ae1976d29f0454ae003e85a
 github.com/gogo/googleapis 08a7655d27152912db7aaf4f983275eaf8d128ef
 
 # cluster
-github.com/docker/swarmkit a84c01f49091167dd086c26b45dc18b38d52e4d9
+github.com/docker/swarmkit 8d8689d5a94ac42406883a4cef89b3a5eaec3d11
 github.com/gogo/protobuf v1.0.0
 github.com/cloudflare/cfssl 1.3.2
 github.com/fernet/fernet-go 1b2437bc582b3cfbb341ee5a29f8ef5b42912ff2

vendor/github.com/docker/swarmkit/agent/secrets/secrets.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/docker/swarmkit/agent/exec"
 	"github.com/docker/swarmkit/api"
+	"github.com/docker/swarmkit/identity"
 )
 
 // secrets is a map that keeps all the currently available secrets to the agent
@@ -62,6 +63,7 @@ func (s *secrets) Reset() {
 type taskRestrictedSecretsProvider struct {
 	secrets   exec.SecretGetter
 	secretIDs map[string]struct{} // allow list of secret ids
+	taskID    string              // ID of the task the provider restricts for
 }
 
 func (sp *taskRestrictedSecretsProvider) Get(secretID string) (*api.Secret, error) {
@@ -69,7 +71,18 @@ func (sp *taskRestrictedSecretsProvider) Get(secretID string) (*api.Secret, erro
 		return nil, fmt.Errorf("task not authorized to access secret %s", secretID)
 	}
 
-	return sp.secrets.Get(secretID)
+	// First check if the secret is available with the task specific ID, which is the concatenation
+	// of the original secret ID and the task ID with a dot in between.
+	// That is the case when a secret driver has returned DoNotReuse == true for a secret value.
+	taskSpecificID := identity.CombineTwoIDs(secretID, sp.taskID)
+	secret, err := sp.secrets.Get(taskSpecificID)
+	if err != nil {
+		// Otherwise, which is the default case, the secret is retrieved by its original ID.
+		return sp.secrets.Get(secretID)
+	}
+	// For all intents and purposes, the rest of the flow should deal with the original secret ID.
+	secret.ID = secretID
+	return secret, err
 }
 
 // Restrict provides a getter that only allows access to the secrets
@@ -84,5 +97,5 @@ func Restrict(secrets exec.SecretGetter, t *api.Task) exec.SecretGetter {
 		}
 	}
 
-	return &taskRestrictedSecretsProvider{secrets: secrets, secretIDs: sids}
+	return &taskRestrictedSecretsProvider{secrets: secrets, secretIDs: sids, taskID: t.ID}
 }

vendor/github.com/docker/swarmkit/api/objects.pb.go

@@ -102,6 +102,15 @@ type Service struct {
 	// UpdateStatus contains the status of an update, if one is in
 	// progress.
 	UpdateStatus *UpdateStatus `protobuf:"bytes,5,opt,name=update_status,json=updateStatus" json:"update_status,omitempty"`
+	// PendingDelete indicates that this service's deletion has been requested.
+	// Services, as well as all service-level resources, can only be deleted
+	// after all of the service's containers have properly shut down.
+	// When a user requests a deletion, we just flip this flag
+	// the deallocator will take it from there - it will start monitoring
+	// this service's tasks, and proceed to delete the service itself (and
+	// potentially its associated resources also marked for deletion) when
+	// all of its tasks are gone
+	PendingDelete bool `protobuf:"varint,7,opt,name=pending_delete,json=pendingDelete,proto3" json:"pending_delete,omitempty"`
 }
 
 func (m *Service) Reset()                    { *m = Service{} }
@@ -239,6 +248,19 @@ type Network struct {
 	// Runtime state of IPAM options. This may not reflect the
 	// ipam options from NetworkSpec.
 	IPAM *IPAMOptions `protobuf:"bytes,5,opt,name=ipam" json:"ipam,omitempty"`
+	// PendingDelete indicates that this network's deletion has been requested.
+	// Services, as well as all service-level resources, can only be deleted
+	// after all the service's containers have properly shut down
+	// when a user requests a deletion, we just flip this flag
+	// the deallocator will take it from there
+	// PendingDelete indicates that this network's deletion has been requested.
+	// Services, as well as all service-level resources, can only be deleted
+	// after all of the service's containers have properly shut down.
+	// When a user requests a deletion of this network, we just flip this flag
+	// the deallocator will take it from there - it will start monitoring
+	// the services that still use this service, and proceed to delete
+	// this network when all of these services are gone
+	PendingDelete bool `protobuf:"varint,6,opt,name=pending_delete,json=pendingDelete,proto3" json:"pending_delete,omitempty"`
 }
 
 func (m *Network) Reset()                    { *m = Network{} }
@@ -960,6 +982,16 @@ func (m *Service) MarshalTo(dAtA []byte) (int, error) {
 		}
 		i += n15
 	}
+	if m.PendingDelete {
+		dAtA[i] = 0x38
+		i++
+		if m.PendingDelete {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
 	if m.SpecVersion != nil {
 		dAtA[i] = 0x52
 		i++
@@ -1337,6 +1369,16 @@ func (m *Network) MarshalTo(dAtA []byte) (int, error) {
 		}
 		i += n31
 	}
+	if m.PendingDelete {
+		dAtA[i] = 0x30
+		i++
+		if m.PendingDelete {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
 	return i, nil
 }
 
@@ -1755,6 +1797,9 @@ func (m *Service) Size() (n int) {
 		l = m.PreviousSpec.Size()
 		n += 1 + l + sovObjects(uint64(l))
 	}
+	if m.PendingDelete {
+		n += 2
+	}
 	if m.SpecVersion != nil {
 		l = m.SpecVersion.Size()
 		n += 1 + l + sovObjects(uint64(l))
@@ -1909,6 +1954,9 @@ func (m *Network) Size() (n int) {
 		l = m.IPAM.Size()
 		n += 1 + l + sovObjects(uint64(l))
 	}
+	if m.PendingDelete {
+		n += 2
+	}
 	return n
 }
 
@@ -4731,6 +4779,7 @@ func (this *Service) String() string {
 		`Endpoint:` + strings.Replace(fmt.Sprintf("%v", this.Endpoint), "Endpoint", "Endpoint", 1) + `,`,
 		`UpdateStatus:` + strings.Replace(fmt.Sprintf("%v", this.UpdateStatus), "UpdateStatus", "UpdateStatus", 1) + `,`,
 		`PreviousSpec:` + strings.Replace(fmt.Sprintf("%v", this.PreviousSpec), "ServiceSpec", "ServiceSpec", 1) + `,`,
+		`PendingDelete:` + fmt.Sprintf("%v", this.PendingDelete) + `,`,
 		`SpecVersion:` + strings.Replace(fmt.Sprintf("%v", this.SpecVersion), "Version", "Version", 1) + `,`,
 		`PreviousSpecVersion:` + strings.Replace(fmt.Sprintf("%v", this.PreviousSpecVersion), "Version", "Version", 1) + `,`,
 		`}`,
@@ -4817,6 +4866,7 @@ func (this *Network) String() string {
 		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "NetworkSpec", "NetworkSpec", 1), `&`, ``, 1) + `,`,
 		`DriverState:` + strings.Replace(fmt.Sprintf("%v", this.DriverState), "Driver", "Driver", 1) + `,`,
 		`IPAM:` + strings.Replace(fmt.Sprintf("%v", this.IPAM), "IPAMOptions", "IPAMOptions", 1) + `,`,
+		`PendingDelete:` + fmt.Sprintf("%v", this.PendingDelete) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -5622,6 +5672,26 @@ func (m *Service) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 7:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PendingDelete", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowObjects
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.PendingDelete = bool(v != 0)
 		case 10:
 			if wireType != 2 {
 				return fmt.Errorf("proto: wrong wireType = %d for field SpecVersion", wireType)
@@ -6891,6 +6961,26 @@ func (m *Network) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PendingDelete", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowObjects
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.PendingDelete = bool(v != 0)
 		default:
 			iNdEx = preIndex
 			skippy, err := skipObjects(dAtA[iNdEx:])
@@ -8128,104 +8218,106 @@ var (
 func init() { proto.RegisterFile("github.com/docker/swarmkit/api/objects.proto", fileDescriptorObjects) }
 
 var fileDescriptorObjects = []byte{
-	// 1581 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x58, 0x4b, 0x73, 0x1b, 0x4b,
-	0x15, 0xce, 0x48, 0x63, 0x3d, 0x8e, 0x6c, 0x61, 0xfa, 0x1a, 0x33, 0x11, 0x46, 0x32, 0xba, 0x05,
-	0x75, 0xeb, 0x56, 0x4a, 0xbe, 0x98, 0x0b, 0x38, 0x86, 0xcb, 0x8d, 0x64, 0x9b, 0x44, 0x15, 0x42,
-	0x5c, 0xed, 0x90, 0xb0, 0x1b, 0x5a, 0x33, 0x6d, 0x65, 0xd0, 0x68, 0x7a, 0x6a, 0xba, 0xa5, 0x20,
-	0x56, 0x59, 0x9b, 0x1f, 0xe0, 0x1d, 0x8b, 0xfc, 0x0b, 0x36, 0x2c, 0x58, 0x65, 0xc9, 0x8a, 0x62,
-	0xe5, 0x22, 0xfa, 0x17, 0x54, 0xb1, 0xa0, 0xba, 0xa7, 0x47, 0x1a, 0x5b, 0xe3, 0x17, 0x95, 0x72,
-	0xb1, 0x72, 0x3f, 0xbe, 0xef, 0xf4, 0x39, 0x67, 0xce, 0xcb, 0x82, 0x07, 0x7d, 0x4f, 0xbc, 0x1e,
-	0xf5, 0x5a, 0x0e, 0x1b, 0x6e, 0xb9, 0xcc, 0x19, 0xd0, 0x68, 0x8b, 0xbf, 0x21, 0xd1, 0x70, 0xe0,
-	0x89, 0x2d, 0x12, 0x7a, 0x5b, 0xac, 0xf7, 0x7b, 0xea, 0x08, 0xde, 0x0a, 0x23, 0x26, 0x18, 0x42,
-	0x31, 0xa4, 0x95, 0x40, 0x5a, 0xe3, 0x1f, 0xd6, 0x3e, 0xbf, 0x46, 0x82, 0x98, 0x84, 0x54, 0xf3,
-	0xaf, 0xc5, 0xf2, 0x90, 0x3a, 0x09, 0xb6, 0xd1, 0x67, 0xac, 0xef, 0xd3, 0x2d, 0xb5, 0xeb, 0x8d,
-	0x8e, 0xb7, 0x84, 0x37, 0xa4, 0x5c, 0x90, 0x61, 0xa8, 0x01, 0x6b, 0x7d, 0xd6, 0x67, 0x6a, 0xb9,
-	0x25, 0x57, 0xfa, 0xf4, 0xfe, 0x45, 0x1a, 0x09, 0x26, 0xfa, 0xea, 0xa7, 0x57, 0xbc, 0x3e, 0x83,
-	0x87, 0xfe, 0xa8, 0xef, 0x05, 0xfa, 0x4f, 0x4c, 0x6c, 0xfe, 0xc5, 0x00, 0xf3, 0x19, 0x15, 0x04,
-	0xfd, 0x0c, 0x8a, 0x63, 0x1a, 0x71, 0x8f, 0x05, 0x96, 0xb1, 0x69, 0x7c, 0x56, 0xd9, 0xfe, 0x4e,
-	0x6b, 0xd1, 0x23, 0xad, 0x97, 0x31, 0xa4, 0x63, 0xbe, 0x3f, 0x6b, 0xdc, 0xc3, 0x09, 0x03, 0x3d,
-	0x04, 0x70, 0x22, 0x4a, 0x04, 0x75, 0x6d, 0x22, 0xac, 0x9c, 0xe2, 0xd7, 0x5a, 0xb1, 0xba, 0xad,
-	0xe4, 0xfd, 0xd6, 0x8b, 0xc4, 0x4a, 0x5c, 0xd6, 0xe8, 0xb6, 0x90, 0xd4, 0x51, 0xe8, 0x26, 0xd4,
-	0xfc, 0xf5, 0x54, 0x8d, 0x6e, 0x8b, 0xe6, 0xdb, 0x25, 0x30, 0x7f, 0xcd, 0x5c, 0x8a, 0xd6, 0x21,
-	0xe7, 0xb9, 0x4a, 0xed, 0x72, 0xa7, 0x30, 0x3d, 0x6b, 0xe4, 0xba, 0xfb, 0x38, 0xe7, 0xb9, 0x68,
-	0x1b, 0xcc, 0x21, 0x15, 0x44, 0x2b, 0x64, 0x65, 0x19, 0x24, 0x6d, 0xd7, 0xd6, 0x28, 0x2c, 0xfa,
-	0x09, 0x98, 0xf2, 0x53, 0x69, 0x4d, 0x36, 0xb2, 0x38, 0xf2, 0xcd, 0xa3, 0x90, 0x3a, 0x09, 0x4f,
-	0xe2, 0xd1, 0x01, 0x54, 0x5c, 0xca, 0x9d, 0xc8, 0x0b, 0x85, 0xf4, 0xa1, 0xa9, 0xe8, 0x9f, 0x5e,
-	0x46, 0xdf, 0x9f, 0x43, 0x71, 0x9a, 0x87, 0x7e, 0x0e, 0x05, 0x2e, 0x88, 0x18, 0x71, 0x6b, 0x49,
-	0x49, 0xa8, 0x5f, 0xaa, 0x80, 0x42, 0x69, 0x15, 0x34, 0x07, 0x3d, 0x81, 0xea, 0x90, 0x04, 0xa4,
-	0x4f, 0x23, 0x5b, 0x4b, 0x29, 0x28, 0x29, 0xdf, 0xcb, 0x34, 0x3d, 0x46, 0xc6, 0x82, 0xf0, 0xca,
-	0x30, 0xbd, 0x45, 0x5d, 0x00, 0x22, 0x04, 0x71, 0x5e, 0x0f, 0x69, 0x20, 0xac, 0xa2, 0x92, 0xf2,
-	0xfd, 0x4c, 0x5d, 0xa8, 0x78, 0xc3, 0xa2, 0x41, 0x7b, 0x06, 0xee, 0xe4, 0x2c, 0x03, 0xa7, 0xc8,
-	0xe8, 0x31, 0x54, 0x1c, 0x1a, 0x09, 0xef, 0xd8, 0x73, 0x88, 0xa0, 0x56, 0x49, 0xc9, 0x6a, 0x64,
-	0xc9, 0xda, 0x9b, 0xc3, 0xb4, 0x61, 0x69, 0x26, 0xfa, 0x02, 0xcc, 0x88, 0xf9, 0xd4, 0x2a, 0x6f,
-	0x1a, 0x9f, 0x55, 0x2f, 0xff, 0x34, 0x98, 0xf9, 0x14, 0x2b, 0xa4, 0x7c, 0x7a, 0xae, 0x08, 0xb7,
-	0x60, 0x33, 0x7f, 0x63, 0x33, 0x70, 0x9a, 0xb9, 0xbb, 0x7e, 0x72, 0xda, 0x44, 0xb0, 0x5a, 0x32,
-	0x56, 0x0d, 0x15, 0x67, 0xc6, 0x17, 0xc6, 0x6f, 0x8d, 0xdf, 0x19, 0xcd, 0xff, 0xe4, 0xa1, 0x78,
-	0x44, 0xa3, 0xb1, 0xe7, 0x7c, 0xdc, 0x28, 0x7c, 0x78, 0x2e, 0x0a, 0x33, 0x9d, 0xa5, 0x9f, 0x5d,
-	0x08, 0xc4, 0x1d, 0x28, 0xd1, 0xc0, 0x0d, 0x99, 0x17, 0x08, 0x1d, 0x85, 0x99, 0x9e, 0x3a, 0xd0,
-	0x18, 0x3c, 0x43, 0xa3, 0x03, 0x58, 0x89, 0x93, 0xcb, 0x3e, 0x17, 0x82, 0x9b, 0x59, 0xf4, 0xdf,
-	0x28, 0xa0, 0x8e, 0x9d, 0xe5, 0x51, 0x6a, 0x87, 0xf6, 0x61, 0x25, 0x8c, 0xe8, 0xd8, 0x63, 0x23,
-	0x6e, 0x2b, 0x23, 0x0a, 0x37, 0x32, 0x02, 0x2f, 0x27, 0x2c, 0xb9, 0x43, 0xbf, 0x80, 0x65, 0x49,
-	0xb6, 0x93, 0xa2, 0x04, 0xd7, 0x16, 0x25, 0x5c, 0x91, 0x04, 0xbd, 0x41, 0xcf, 0xe1, 0x5b, 0xe7,
-	0xb4, 0x98, 0x09, 0xaa, 0x5c, 0x2f, 0xe8, 0x93, 0xb4, 0x26, 0xfa, 0x70, 0x17, 0x9d, 0x9c, 0x36,
-	0xab, 0xb0, 0x9c, 0x0e, 0x81, 0xe6, 0x9f, 0x73, 0x50, 0x4a, 0x1c, 0x89, 0xbe, 0xd4, 0xdf, 0xcc,
-	0xb8, 0xdc, 0x6b, 0x09, 0x56, 0xd9, 0x1b, 0x7f, 0xae, 0x2f, 0x61, 0x29, 0x64, 0x91, 0xe0, 0x56,
-	0x4e, 0x05, 0x67, 0x66, 0xbe, 0x1f, 0xb2, 0x48, 0xec, 0xb1, 0xe0, 0xd8, 0xeb, 0xe3, 0x18, 0x8c,
-	0x5e, 0x41, 0x65, 0xec, 0x45, 0x62, 0x44, 0x7c, 0xdb, 0x0b, 0xb9, 0x95, 0x57, 0xdc, 0x1f, 0x5c,
-	0xf5, 0x64, 0xeb, 0x65, 0x8c, 0xef, 0x1e, 0x76, 0xaa, 0xd3, 0xb3, 0x06, 0xcc, 0xb6, 0x1c, 0x83,
-	0x16, 0xd5, 0x0d, 0x79, 0xed, 0x19, 0x94, 0x67, 0x37, 0xe8, 0x01, 0x40, 0x10, 0xe7, 0x85, 0x3d,
-	0x8b, 0xec, 0x95, 0xe9, 0x59, 0xa3, 0xac, 0xb3, 0xa5, 0xbb, 0x8f, 0xcb, 0x1a, 0xd0, 0x75, 0x11,
-	0x02, 0x93, 0xb8, 0x6e, 0xa4, 0xe2, 0xbc, 0x8c, 0xd5, 0xba, 0xf9, 0xa7, 0x22, 0x98, 0x2f, 0x08,
-	0x1f, 0xdc, 0x75, 0x89, 0x96, 0x6f, 0x2e, 0x64, 0xc6, 0x03, 0x00, 0x1e, 0xc7, 0x9b, 0x34, 0xc7,
-	0x9c, 0x9b, 0xa3, 0xa3, 0x50, 0x9a, 0xa3, 0x01, 0xb1, 0x39, 0xdc, 0x67, 0x42, 0x25, 0x81, 0x89,
-	0xd5, 0x1a, 0x7d, 0x0a, 0xc5, 0x80, 0xb9, 0x8a, 0x5e, 0x50, 0x74, 0x98, 0x9e, 0x35, 0x0a, 0xb2,
-	0xe8, 0x74, 0xf7, 0x71, 0x41, 0x5e, 0x75, 0x5d, 0x55, 0x74, 0x82, 0x80, 0x09, 0x22, 0x0b, 0x3a,
-	0xd7, 0xb5, 0x33, 0x33, 0xfa, 0xdb, 0x73, 0x58, 0x52, 0xef, 0x52, 0x4c, 0xf4, 0x12, 0x3e, 0x49,
-	0xf4, 0x4d, 0x0b, 0x2c, 0xdd, 0x46, 0x20, 0xd2, 0x12, 0x52, 0x37, 0xa9, 0x1e, 0x53, 0xbe, 0xbc,
-	0xc7, 0x28, 0x0f, 0x66, 0xf5, 0x98, 0x0e, 0xac, 0xb8, 0x94, 0x7b, 0x11, 0x75, 0x55, 0x99, 0xa0,
-	0x2a, 0x33, 0xab, 0xdb, 0xdf, 0xbd, 0x4a, 0x08, 0xc5, 0xcb, 0x9a, 0xa3, 0x76, 0xa8, 0x0d, 0x25,
-	0x1d, 0x37, 0xdc, 0xaa, 0xdc, 0xa6, 0x28, 0xcf, 0x68, 0xe7, 0xca, 0xdc, 0xf2, 0xad, 0xca, 0xdc,
-	0x43, 0x00, 0x9f, 0xf5, 0x6d, 0x37, 0xf2, 0xc6, 0x34, 0xb2, 0x56, 0xf4, 0xc4, 0x91, 0xc1, 0xdd,
-	0x57, 0x08, 0x5c, 0xf6, 0x59, 0x3f, 0x5e, 0x2e, 0x14, 0xa5, 0xea, 0x2d, 0x8b, 0x12, 0x81, 0x1a,
-	0xe1, 0xdc, 0xeb, 0x07, 0xd4, 0xb5, 0xfb, 0x34, 0xa0, 0x91, 0xe7, 0xd8, 0x11, 0xe5, 0x6c, 0x14,
-	0x39, 0x94, 0x5b, 0xdf, 0x50, 0x9e, 0xc8, 0x9c, 0x19, 0x1e, 0xc7, 0x60, 0xac, 0xb1, 0xd8, 0x4a,
-	0xc4, 0x5c, 0xb8, 0xe0, 0xbb, 0xb5, 0x93, 0xd3, 0xe6, 0x3a, 0xac, 0xa5, 0xcb, 0xd4, 0x8e, 0xf1,
-	0xc8, 0x78, 0x62, 0x1c, 0x1a, 0xcd, 0xbf, 0xe5, 0xe0, 0x9b, 0x0b, 0x3e, 0x45, 0x3f, 0x86, 0xa2,
-	0xf6, 0xea, 0x55, 0x93, 0x9f, 0xe6, 0xe1, 0x04, 0x8b, 0x36, 0xa0, 0x2c, 0x53, 0x9c, 0x72, 0x4e,
-	0xe3, 0xe2, 0x55, 0xc6, 0xf3, 0x03, 0x64, 0x41, 0x91, 0xf8, 0x1e, 0x91, 0x77, 0x79, 0x75, 0x97,
-	0x6c, 0xd1, 0x08, 0xd6, 0x63, 0xd7, 0xdb, 0xf3, 0x06, 0x6b, 0xb3, 0x50, 0x70, 0xcb, 0x54, 0xf6,
-	0x7f, 0x7d, 0xa3, 0x48, 0xd0, 0x1f, 0x67, 0x7e, 0xf0, 0x3c, 0x14, 0xfc, 0x20, 0x10, 0xd1, 0x04,
-	0xaf, 0xb9, 0x19, 0x57, 0xb5, 0xc7, 0x70, 0xff, 0x52, 0x0a, 0x5a, 0x85, 0xfc, 0x80, 0x4e, 0xe2,
-	0xf2, 0x84, 0xe5, 0x12, 0xad, 0xc1, 0xd2, 0x98, 0xf8, 0x23, 0xaa, 0xab, 0x59, 0xbc, 0xd9, 0xcd,
-	0xed, 0x18, 0xcd, 0x77, 0x39, 0x28, 0x6a, 0x75, 0xee, 0xba, 0xe5, 0xeb, 0x67, 0x17, 0x0a, 0xdb,
-	0x57, 0xb0, 0xac, 0x5d, 0x1a, 0x67, 0xa4, 0x79, 0x6d, 0x4c, 0x57, 0x62, 0x7c, 0x9c, 0x8d, 0x5f,
-	0x81, 0xe9, 0x85, 0x64, 0xa8, 0xdb, 0x7d, 0xe6, 0xcb, 0xdd, 0xc3, 0xf6, 0xb3, 0xe7, 0x61, 0x5c,
-	0x58, 0x4a, 0xd3, 0xb3, 0x86, 0x29, 0x0f, 0xb0, 0xa2, 0x65, 0x36, 0xc6, 0x77, 0x05, 0x28, 0xee,
-	0xf9, 0x23, 0x2e, 0x68, 0x74, 0xd7, 0x4e, 0xd2, 0xcf, 0x2e, 0x38, 0x69, 0x0f, 0x8a, 0x11, 0x63,
-	0xc2, 0x76, 0xc8, 0x55, 0xfe, 0xc1, 0x8c, 0x89, 0xbd, 0x76, 0xa7, 0x2a, 0x89, 0xb2, 0xb6, 0xc7,
-	0x7b, 0x5c, 0x90, 0xd4, 0x3d, 0x82, 0x5e, 0xc1, 0x7a, 0xd2, 0x11, 0x7b, 0x8c, 0x09, 0x2e, 0x22,
-	0x12, 0xda, 0x03, 0x3a, 0x91, 0xb3, 0x52, 0xfe, 0xb2, 0x41, 0xfb, 0x20, 0x70, 0xa2, 0x89, 0x72,
-	0xde, 0x53, 0x3a, 0xc1, 0x6b, 0x5a, 0x40, 0x27, 0xe1, 0x3f, 0xa5, 0x13, 0x8e, 0xbe, 0x86, 0x0d,
-	0x3a, 0x83, 0x49, 0x89, 0xb6, 0x4f, 0x86, 0xb2, 0xd7, 0xdb, 0x8e, 0xcf, 0x9c, 0x81, 0x6a, 0x37,
-	0x26, 0xbe, 0x4f, 0xd3, 0xa2, 0x7e, 0x15, 0x23, 0xf6, 0x24, 0x00, 0x71, 0xb0, 0x7a, 0x3e, 0x71,
-	0x06, 0xbe, 0xc7, 0xe5, 0xff, 0x52, 0xa9, 0xb9, 0x59, 0x76, 0x0c, 0xa9, 0xdb, 0xce, 0x15, 0xde,
-	0x6a, 0x75, 0xe6, 0xdc, 0xd4, 0x14, 0xae, 0x33, 0xea, 0xdb, 0xbd, 0xec, 0x5b, 0xd4, 0x81, 0xca,
-	0x28, 0x90, 0xcf, 0xc7, 0x3e, 0x28, 0xdf, 0xd4, 0x07, 0x10, 0xb3, 0x94, 0xe5, 0x1b, 0x60, 0x1e,
-	0xcb, 0x19, 0x46, 0xb6, 0x91, 0x52, 0x1c, 0x5c, 0xbf, 0xec, 0x1e, 0x1e, 0x61, 0x75, 0x8a, 0x5a,
-	0x80, 0x5c, 0x7a, 0x4c, 0x46, 0xbe, 0x68, 0xc7, 0xb5, 0xe5, 0x90, 0x31, 0x5f, 0xf5, 0x8c, 0x32,
-	0xce, 0xb8, 0x41, 0x75, 0x00, 0x3e, 0xea, 0x05, 0x54, 0x1c, 0x79, 0x7f, 0xa4, 0xaa, 0x31, 0xac,
-	0xe0, 0xd4, 0x49, 0x6d, 0x0c, 0x1b, 0x57, 0x99, 0x9a, 0x51, 0x09, 0x1e, 0xa5, 0x2b, 0x41, 0x65,
-	0xfb, 0xf3, 0x2c, 0xeb, 0xb2, 0x45, 0xa6, 0xaa, 0x46, 0x66, 0x92, 0xfc, 0xd5, 0x80, 0xc2, 0x11,
-	0x75, 0x22, 0x2a, 0x3e, 0x6a, 0x8e, 0xec, 0x9c, 0xcb, 0x91, 0x7a, 0xf6, 0xd8, 0x2d, 0x5f, 0x5d,
-	0x48, 0x91, 0x1a, 0x94, 0xbc, 0x40, 0xd0, 0x28, 0x20, 0xbe, 0xca, 0x91, 0x12, 0x9e, 0xed, 0xb3,
-	0xb3, 0xdc, 0x80, 0x42, 0x3c, 0x97, 0xde, 0xb5, 0x01, 0xf1, 0xab, 0x17, 0x0d, 0xc8, 0x54, 0xf2,
-	0xdf, 0x06, 0x94, 0x92, 0xf6, 0xf8, 0x51, 0xd5, 0xbc, 0x30, 0xe7, 0xe5, 0xff, 0xe7, 0x39, 0x0f,
-	0x81, 0x39, 0xf0, 0x02, 0x3d, 0x91, 0x62, 0xb5, 0x46, 0x2d, 0x28, 0x86, 0x64, 0xe2, 0x33, 0xe2,
-	0xea, 0xb2, 0xbc, 0xb6, 0xf0, 0x9b, 0x48, 0x3b, 0x98, 0xe0, 0x04, 0xb4, 0xbb, 0x76, 0x72, 0xda,
-	0x5c, 0x85, 0x6a, 0xda, 0xf2, 0xd7, 0x46, 0xf3, 0x1f, 0x06, 0x94, 0x0f, 0xfe, 0x20, 0x68, 0xa0,
-	0xa6, 0x8f, 0xff, 0x4b, 0xe3, 0x37, 0x17, 0x7f, 0x37, 0x29, 0x9f, 0xfb, 0x49, 0x24, 0xeb, 0xa3,
-	0x76, 0xac, 0xf7, 0x1f, 0xea, 0xf7, 0xfe, 0xf9, 0xa1, 0x7e, 0xef, 0xed, 0xb4, 0x6e, 0xbc, 0x9f,
-	0xd6, 0x8d, 0xbf, 0x4f, 0xeb, 0xc6, 0xbf, 0xa6, 0x75, 0xa3, 0x57, 0x50, 0xfe, 0xf9, 0xd1, 0x7f,
-	0x03, 0x00, 0x00, 0xff, 0xff, 0xbc, 0x6b, 0x9b, 0xd8, 0xfe, 0x13, 0x00, 0x00,
+	// 1610 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x58, 0xcd, 0x73, 0x1b, 0x49,
+	0x15, 0xcf, 0xc8, 0x63, 0x7d, 0x3c, 0x59, 0xc2, 0xf4, 0x1a, 0x33, 0x11, 0x46, 0x32, 0xda, 0x5a,
+	0x6a, 0x6b, 0x2b, 0x25, 0x2f, 0x66, 0x01, 0xc7, 0xb0, 0x6c, 0x24, 0xdb, 0x24, 0xaa, 0x10, 0xe2,
+	0x6a, 0x87, 0x84, 0xdb, 0xd0, 0x9a, 0x69, 0x2b, 0x83, 0x46, 0xd3, 0x53, 0xd3, 0x2d, 0x05, 0x71,
+	0xca, 0xd9, 0xfc, 0x01, 0xbe, 0x71, 0x80, 0xbf, 0x82, 0x0b, 0x07, 0x4e, 0xe1, 0xc6, 0x89, 0xe2,
+	0xe4, 0x22, 0xfa, 0x2f, 0xb8, 0x51, 0xdd, 0xd3, 0x23, 0x8d, 0xad, 0xf1, 0x17, 0x95, 0x72, 0xed,
+	0xc9, 0xfd, 0xf1, 0xfb, 0xbd, 0x7e, 0xef, 0xcd, 0xfb, 0xb2, 0xe0, 0x41, 0xdf, 0x13, 0xaf, 0x47,
+	0xbd, 0x96, 0xc3, 0x86, 0x5b, 0x2e, 0x73, 0x06, 0x34, 0xda, 0xe2, 0x6f, 0x48, 0x34, 0x1c, 0x78,
+	0x62, 0x8b, 0x84, 0xde, 0x16, 0xeb, 0xfd, 0x8e, 0x3a, 0x82, 0xb7, 0xc2, 0x88, 0x09, 0x86, 0x50,
+	0x0c, 0x69, 0x25, 0x90, 0xd6, 0xf8, 0x07, 0xb5, 0xcf, 0xae, 0x91, 0x20, 0x26, 0x21, 0xd5, 0xfc,
+	0x6b, 0xb1, 0x3c, 0xa4, 0x4e, 0x82, 0x6d, 0xf4, 0x19, 0xeb, 0xfb, 0x74, 0x4b, 0xed, 0x7a, 0xa3,
+	0xe3, 0x2d, 0xe1, 0x0d, 0x29, 0x17, 0x64, 0x18, 0x6a, 0xc0, 0x5a, 0x9f, 0xf5, 0x99, 0x5a, 0x6e,
+	0xc9, 0x95, 0x3e, 0xbd, 0x7f, 0x91, 0x46, 0x82, 0x89, 0xbe, 0xfa, 0xc9, 0x15, 0xaf, 0xcf, 0xe0,
+	0xa1, 0x3f, 0xea, 0x7b, 0x81, 0xfe, 0x13, 0x13, 0x9b, 0x7f, 0x35, 0xc0, 0x7c, 0x46, 0x05, 0x41,
+	0x3f, 0x85, 0xc2, 0x98, 0x46, 0xdc, 0x63, 0x81, 0x65, 0x6c, 0x1a, 0x9f, 0x96, 0xb7, 0xbf, 0xd3,
+	0x5a, 0xf4, 0x48, 0xeb, 0x65, 0x0c, 0xe9, 0x98, 0xef, 0xce, 0x1a, 0xf7, 0x70, 0xc2, 0x40, 0x0f,
+	0x01, 0x9c, 0x88, 0x12, 0x41, 0x5d, 0x9b, 0x08, 0x2b, 0xa7, 0xf8, 0xb5, 0x56, 0xac, 0x6e, 0x2b,
+	0x79, 0xbf, 0xf5, 0x22, 0xb1, 0x12, 0x97, 0x34, 0xba, 0x2d, 0x24, 0x75, 0x14, 0xba, 0x09, 0x75,
+	0xe9, 0x7a, 0xaa, 0x46, 0xb7, 0x45, 0xf3, 0xed, 0x32, 0x98, 0xbf, 0x62, 0x2e, 0x45, 0xeb, 0x90,
+	0xf3, 0x5c, 0xa5, 0x76, 0xa9, 0x93, 0x9f, 0x9e, 0x35, 0x72, 0xdd, 0x7d, 0x9c, 0xf3, 0x5c, 0xb4,
+	0x0d, 0xe6, 0x90, 0x0a, 0xa2, 0x15, 0xb2, 0xb2, 0x0c, 0x92, 0xb6, 0x6b, 0x6b, 0x14, 0x16, 0xfd,
+	0x18, 0x4c, 0xf9, 0xa9, 0xb4, 0x26, 0x1b, 0x59, 0x1c, 0xf9, 0xe6, 0x51, 0x48, 0x9d, 0x84, 0x27,
+	0xf1, 0xe8, 0x00, 0xca, 0x2e, 0xe5, 0x4e, 0xe4, 0x85, 0x42, 0xfa, 0xd0, 0x54, 0xf4, 0x8f, 0x2f,
+	0xa3, 0xef, 0xcf, 0xa1, 0x38, 0xcd, 0x43, 0x3f, 0x83, 0x3c, 0x17, 0x44, 0x8c, 0xb8, 0xb5, 0xac,
+	0x24, 0xd4, 0x2f, 0x55, 0x40, 0xa1, 0xb4, 0x0a, 0x9a, 0x83, 0x9e, 0x40, 0x75, 0x48, 0x02, 0xd2,
+	0xa7, 0x91, 0xad, 0xa5, 0xe4, 0x95, 0x94, 0xef, 0x65, 0x9a, 0x1e, 0x23, 0x63, 0x41, 0xb8, 0x32,
+	0x4c, 0x6f, 0x51, 0x17, 0x80, 0x08, 0x41, 0x9c, 0xd7, 0x43, 0x1a, 0x08, 0xab, 0xa0, 0xa4, 0x7c,
+	0x92, 0xa9, 0x0b, 0x15, 0x6f, 0x58, 0x34, 0x68, 0xcf, 0xc0, 0x9d, 0x9c, 0x65, 0xe0, 0x14, 0x19,
+	0x3d, 0x86, 0xb2, 0x43, 0x23, 0xe1, 0x1d, 0x7b, 0x0e, 0x11, 0xd4, 0x2a, 0x2a, 0x59, 0x8d, 0x2c,
+	0x59, 0x7b, 0x73, 0x98, 0x36, 0x2c, 0xcd, 0x44, 0x9f, 0x83, 0x19, 0x31, 0x9f, 0x5a, 0xa5, 0x4d,
+	0xe3, 0xd3, 0xea, 0xe5, 0x9f, 0x06, 0x33, 0x9f, 0x62, 0x85, 0x94, 0x4f, 0xcf, 0x15, 0xe1, 0x16,
+	0x6c, 0x2e, 0xdd, 0xd8, 0x0c, 0x9c, 0x66, 0xee, 0xae, 0x9f, 0x9c, 0x36, 0x11, 0xac, 0x16, 0x8d,
+	0x55, 0x43, 0xc5, 0x99, 0xf1, 0xb9, 0xf1, 0x1b, 0xe3, 0xb7, 0x46, 0xf3, 0x2f, 0x26, 0x14, 0x8e,
+	0x68, 0x34, 0xf6, 0x9c, 0x0f, 0x1b, 0x85, 0x0f, 0xcf, 0x45, 0x61, 0xa6, 0xb3, 0xf4, 0xb3, 0x0b,
+	0x81, 0xb8, 0x03, 0x45, 0x1a, 0xb8, 0x21, 0xf3, 0x02, 0xa1, 0xa3, 0x30, 0xd3, 0x53, 0x07, 0x1a,
+	0x83, 0x67, 0x68, 0x74, 0x00, 0x95, 0x38, 0xb9, 0xec, 0x73, 0x21, 0xb8, 0x99, 0x45, 0xff, 0xb5,
+	0x02, 0xea, 0xd8, 0x59, 0x19, 0xa5, 0x76, 0x68, 0x1f, 0x2a, 0x61, 0x44, 0xc7, 0x1e, 0x1b, 0x71,
+	0x5b, 0x19, 0x91, 0xbf, 0x91, 0x11, 0x78, 0x25, 0x61, 0xc9, 0x1d, 0xfa, 0x04, 0xaa, 0x21, 0x0d,
+	0x5c, 0x2f, 0xe8, 0xdb, 0x2e, 0xf5, 0xa9, 0xa0, 0x2a, 0x08, 0x8b, 0xb8, 0xa2, 0x4f, 0xf7, 0xd5,
+	0x21, 0xfa, 0x39, 0xac, 0xc8, 0x37, 0xec, 0xa4, 0x76, 0xc1, 0xb5, 0xb5, 0x0b, 0x97, 0x25, 0x41,
+	0x6f, 0xd0, 0x73, 0xf8, 0xd6, 0x39, 0x65, 0x67, 0x82, 0xca, 0xd7, 0x0b, 0xfa, 0x28, 0xad, 0xb0,
+	0x3e, 0xdc, 0x45, 0x27, 0xa7, 0xcd, 0x2a, 0xac, 0xa4, 0x23, 0xa5, 0xf9, 0xa7, 0x1c, 0x14, 0x13,
+	0x7f, 0xa3, 0x2f, 0xf4, 0xa7, 0x35, 0x2e, 0x77, 0x6e, 0x82, 0x55, 0x6e, 0x89, 0xbf, 0xea, 0x17,
+	0xb0, 0x1c, 0xb2, 0x48, 0x70, 0x2b, 0xa7, 0x62, 0x38, 0xb3, 0x2c, 0x1c, 0xb2, 0x48, 0xec, 0xb1,
+	0xe0, 0xd8, 0xeb, 0xe3, 0x18, 0x8c, 0x5e, 0x41, 0x79, 0xec, 0x45, 0x62, 0x44, 0x7c, 0xdb, 0x0b,
+	0xb9, 0xb5, 0xa4, 0xb8, 0xdf, 0xbf, 0xea, 0xc9, 0xd6, 0xcb, 0x18, 0xdf, 0x3d, 0xec, 0x54, 0xa7,
+	0x67, 0x0d, 0x98, 0x6d, 0x39, 0x06, 0x2d, 0xaa, 0x1b, 0xf2, 0xda, 0x33, 0x28, 0xcd, 0x6e, 0xd0,
+	0x03, 0x80, 0x20, 0x4e, 0x1f, 0x7b, 0x96, 0x00, 0x95, 0xe9, 0x59, 0xa3, 0xa4, 0x93, 0xaa, 0xbb,
+	0x8f, 0x4b, 0x1a, 0xd0, 0x75, 0x11, 0x02, 0x93, 0xb8, 0x6e, 0xa4, 0xd2, 0xa1, 0x84, 0xd5, 0xba,
+	0xf9, 0xc7, 0x02, 0x98, 0x2f, 0x08, 0x1f, 0xdc, 0x75, 0x25, 0x97, 0x6f, 0x2e, 0x24, 0xd0, 0x03,
+	0x00, 0x1e, 0x87, 0xa5, 0x34, 0xc7, 0x9c, 0x9b, 0xa3, 0x83, 0x55, 0x9a, 0xa3, 0x01, 0xb1, 0x39,
+	0xdc, 0x67, 0x42, 0xe5, 0x8a, 0x89, 0xd5, 0x1a, 0x7d, 0x0c, 0x85, 0x80, 0xb9, 0x8a, 0x9e, 0x57,
+	0x74, 0x98, 0x9e, 0x35, 0xf2, 0xb2, 0x36, 0x75, 0xf7, 0x71, 0x5e, 0x5e, 0x75, 0x5d, 0x55, 0x9b,
+	0x82, 0x80, 0x09, 0x22, 0xeb, 0x3e, 0xd7, 0x25, 0x36, 0x33, 0x49, 0xda, 0x73, 0x58, 0x52, 0x16,
+	0x53, 0x4c, 0xf4, 0x12, 0x3e, 0x4a, 0xf4, 0x4d, 0x0b, 0x2c, 0xde, 0x46, 0x20, 0xd2, 0x12, 0x52,
+	0x37, 0xa9, 0x56, 0x54, 0xba, 0xbc, 0x15, 0x29, 0x0f, 0x66, 0xb5, 0xa2, 0x0e, 0x54, 0x5c, 0xca,
+	0xbd, 0x88, 0xba, 0xaa, 0x9a, 0x50, 0x95, 0x99, 0xd5, 0xed, 0xef, 0x5e, 0x25, 0x84, 0xe2, 0x15,
+	0xcd, 0x51, 0x3b, 0xd4, 0x86, 0xa2, 0x8e, 0x1b, 0x6e, 0x95, 0x6f, 0x53, 0xbb, 0x67, 0xb4, 0x73,
+	0xd5, 0x70, 0xe5, 0x56, 0xd5, 0xf0, 0x21, 0x80, 0xcf, 0xfa, 0xb6, 0x1b, 0x79, 0x63, 0x1a, 0x59,
+	0x15, 0x3d, 0x98, 0x64, 0x70, 0xf7, 0x15, 0x02, 0x97, 0x7c, 0xd6, 0x8f, 0x97, 0x0b, 0x45, 0xa9,
+	0x7a, 0xcb, 0xa2, 0x44, 0xa0, 0x46, 0x38, 0xf7, 0xfa, 0x01, 0x75, 0xed, 0x3e, 0x0d, 0x68, 0xe4,
+	0x39, 0x76, 0x44, 0x39, 0x1b, 0x45, 0x0e, 0xe5, 0xd6, 0x37, 0x94, 0x27, 0x32, 0x47, 0x8b, 0xc7,
+	0x31, 0x18, 0x6b, 0x2c, 0xb6, 0x12, 0x31, 0x17, 0x2e, 0xf8, 0x6e, 0xed, 0xe4, 0xb4, 0xb9, 0x0e,
+	0x6b, 0xe9, 0x32, 0xb5, 0x63, 0x3c, 0x32, 0x9e, 0x18, 0x87, 0x46, 0xf3, 0xef, 0x39, 0xf8, 0xe6,
+	0x82, 0x4f, 0xd1, 0x8f, 0xa0, 0xa0, 0xbd, 0x7a, 0xd5, 0x80, 0xa8, 0x79, 0x38, 0xc1, 0xa2, 0x0d,
+	0x28, 0xc9, 0x14, 0xa7, 0x9c, 0xd3, 0xb8, 0x78, 0x95, 0xf0, 0xfc, 0x00, 0x59, 0x50, 0x20, 0xbe,
+	0x47, 0xe4, 0xdd, 0x92, 0xba, 0x4b, 0xb6, 0x68, 0x04, 0xeb, 0xb1, 0xeb, 0xed, 0x79, 0x1f, 0xb6,
+	0x59, 0x28, 0xb8, 0x65, 0x2a, 0xfb, 0xbf, 0xba, 0x51, 0x24, 0xe8, 0x8f, 0x33, 0x3f, 0x78, 0x1e,
+	0x0a, 0x7e, 0x10, 0x88, 0x68, 0x82, 0xd7, 0xdc, 0x8c, 0xab, 0xda, 0x63, 0xb8, 0x7f, 0x29, 0x05,
+	0xad, 0xc2, 0xd2, 0x80, 0x4e, 0xe2, 0xf2, 0x84, 0xe5, 0x12, 0xad, 0xc1, 0xf2, 0x98, 0xf8, 0x23,
+	0xaa, 0xab, 0x59, 0xbc, 0xd9, 0xcd, 0xed, 0x18, 0xcd, 0x7f, 0xe4, 0xa0, 0xa0, 0xd5, 0xb9, 0xeb,
+	0xc9, 0x40, 0x3f, 0xbb, 0x50, 0xd8, 0xbe, 0x84, 0x15, 0xed, 0xd2, 0x38, 0x23, 0xcd, 0x6b, 0x63,
+	0xba, 0x1c, 0xe3, 0xe3, 0x6c, 0xfc, 0x12, 0x4c, 0x2f, 0x24, 0x43, 0x3d, 0x15, 0x64, 0xbe, 0xdc,
+	0x3d, 0x6c, 0x3f, 0x7b, 0x1e, 0xc6, 0x85, 0xa5, 0x38, 0x3d, 0x6b, 0x98, 0xf2, 0x00, 0x2b, 0x5a,
+	0x46, 0x43, 0xcf, 0x67, 0x34, 0xf4, 0xcc, 0xfe, 0xf9, 0xe7, 0x3c, 0x14, 0xf6, 0xfc, 0x11, 0x17,
+	0x34, 0xba, 0x6b, 0x5f, 0xea, 0x67, 0x17, 0x7c, 0xb9, 0x07, 0x85, 0x88, 0x31, 0x61, 0x3b, 0xe4,
+	0x2a, 0x37, 0x62, 0xc6, 0xc4, 0x5e, 0xbb, 0x53, 0x95, 0x44, 0xd9, 0x02, 0xe2, 0x3d, 0xce, 0x4b,
+	0xea, 0x1e, 0x41, 0xaf, 0x60, 0x3d, 0x69, 0x9c, 0x3d, 0xc6, 0x04, 0x17, 0x11, 0x09, 0xed, 0x01,
+	0x9d, 0xc8, 0xc9, 0x6b, 0xe9, 0xb2, 0xb1, 0xfd, 0x20, 0x70, 0xa2, 0x89, 0xf2, 0xf1, 0x53, 0x3a,
+	0xc1, 0x6b, 0x5a, 0x40, 0x27, 0xe1, 0x3f, 0xa5, 0x13, 0x8e, 0xbe, 0x82, 0x0d, 0x3a, 0x83, 0x49,
+	0x89, 0xb6, 0x4f, 0x86, 0x72, 0x24, 0xb0, 0x1d, 0x9f, 0x39, 0x03, 0xe5, 0x79, 0x13, 0xdf, 0xa7,
+	0x69, 0x51, 0xbf, 0x8c, 0x11, 0x7b, 0x12, 0x80, 0x38, 0x58, 0x3d, 0x9f, 0x38, 0x03, 0xdf, 0xe3,
+	0xf2, 0x3f, 0xb3, 0xd4, 0x14, 0x2e, 0x1b, 0x8b, 0xd4, 0x6d, 0xe7, 0x0a, 0x6f, 0xb5, 0x3a, 0x73,
+	0x6e, 0x6a, 0xa6, 0xd7, 0x89, 0xf7, 0xed, 0x5e, 0xf6, 0x2d, 0xea, 0x40, 0x79, 0x14, 0xc8, 0xe7,
+	0x63, 0x1f, 0x94, 0x6e, 0xea, 0x03, 0x88, 0x59, 0xca, 0xf2, 0x0d, 0x30, 0x8f, 0xe5, 0xa8, 0x23,
+	0xbb, 0x4d, 0x31, 0x8e, 0xc1, 0x5f, 0x74, 0x0f, 0x8f, 0xb0, 0x3a, 0x45, 0x2d, 0x40, 0x2e, 0x3d,
+	0x26, 0x23, 0x5f, 0xb4, 0xe3, 0x12, 0x74, 0xc8, 0x98, 0xaf, 0x5a, 0x4b, 0x09, 0x67, 0xdc, 0xa0,
+	0x3a, 0x00, 0x1f, 0xf5, 0x02, 0x2a, 0x8e, 0xbc, 0x3f, 0x50, 0xd5, 0x3f, 0x2a, 0x38, 0x75, 0x52,
+	0x1b, 0xc3, 0xc6, 0x55, 0xa6, 0x66, 0x14, 0x8c, 0x47, 0xe9, 0x82, 0x51, 0xde, 0xfe, 0x2c, 0xcb,
+	0xba, 0x6c, 0x91, 0xa9, 0xe2, 0x92, 0x99, 0x24, 0x7f, 0x33, 0x20, 0x7f, 0x44, 0x9d, 0x88, 0x8a,
+	0x0f, 0x9a, 0x23, 0x3b, 0xe7, 0x72, 0xa4, 0x9e, 0x3d, 0xc4, 0xcb, 0x57, 0x17, 0x52, 0xa4, 0x06,
+	0x45, 0x2f, 0x10, 0x34, 0x0a, 0x88, 0xaf, 0x72, 0xa4, 0x88, 0x67, 0xfb, 0xec, 0x2c, 0x37, 0x20,
+	0x1f, 0x8f, 0xaf, 0x77, 0x6d, 0x40, 0xfc, 0xea, 0x45, 0x03, 0x32, 0x95, 0xfc, 0xaf, 0x01, 0xc5,
+	0xa4, 0x8b, 0x7e, 0x50, 0x35, 0x2f, 0x8c, 0x83, 0x4b, 0xff, 0xf7, 0x38, 0x88, 0xc0, 0x1c, 0x78,
+	0x81, 0x1e, 0x5c, 0xb1, 0x5a, 0xa3, 0x16, 0x14, 0x42, 0x32, 0xf1, 0x19, 0x71, 0x75, 0xf5, 0x5e,
+	0x5b, 0xf8, 0x85, 0xa5, 0x1d, 0x4c, 0x70, 0x02, 0xda, 0x5d, 0x3b, 0x39, 0x6d, 0xae, 0x42, 0x35,
+	0x6d, 0xf9, 0x6b, 0xa3, 0xf9, 0x2f, 0x03, 0x4a, 0x07, 0xbf, 0x17, 0x34, 0x50, 0x43, 0xca, 0xd7,
+	0xd2, 0xf8, 0xcd, 0xc5, 0x5f, 0x61, 0x4a, 0xe7, 0x7e, 0x60, 0xc9, 0xfa, 0xa8, 0x1d, 0xeb, 0xdd,
+	0xfb, 0xfa, 0xbd, 0x7f, 0xbf, 0xaf, 0xdf, 0x7b, 0x3b, 0xad, 0x1b, 0xef, 0xa6, 0x75, 0xe3, 0x9f,
+	0xd3, 0xba, 0xf1, 0x9f, 0x69, 0xdd, 0xe8, 0xe5, 0x95, 0x7f, 0x7e, 0xf8, 0xbf, 0x00, 0x00, 0x00,
+	0xff, 0xff, 0xea, 0x67, 0xde, 0xa7, 0x4c, 0x14, 0x00, 0x00,
 }

vendor/github.com/docker/swarmkit/api/objects.proto

@@ -122,6 +122,16 @@ message Service {
 	// UpdateStatus contains the status of an update, if one is in
 	// progress.
 	UpdateStatus update_status = 5;
+
+	// PendingDelete indicates that this service's deletion has been requested.
+	// Services, as well as all service-level resources, can only be deleted
+	// after all of the service's containers have properly shut down.
+	// When a user requests a deletion, we just flip this flag
+	// the deallocator will take it from there - it will start monitoring
+	// this service's tasks, and proceed to delete the service itself (and
+	// potentially its associated resources also marked for deletion) when
+	// all of its tasks are gone
+	bool pending_delete = 7;
 }
 
 // Endpoint specified all the network parameters required to
@@ -292,6 +302,20 @@ message Network {
 	// Runtime state of IPAM options. This may not reflect the
 	// ipam options from NetworkSpec.
 	IPAMOptions ipam = 5 [(gogoproto.customname) = "IPAM"];
+
+	// PendingDelete indicates that this network's deletion has been requested.
+	// Services, as well as all service-level resources, can only be deleted
+	// after all the service's containers have properly shut down
+	// when a user requests a deletion, we just flip this flag
+	// the deallocator will take it from there
+	// PendingDelete indicates that this network's deletion has been requested.
+	// Services, as well as all service-level resources, can only be deleted
+	// after all of the service's containers have properly shut down.
+	// When a user requests a deletion of this network, we just flip this flag
+	// the deallocator will take it from there - it will start monitoring
+	// the services that still use this service, and proceed to delete
+	// this network when all of these services are gone
+	bool pending_delete = 6;
 }
 
 // Cluster provides global cluster settings.

vendor/github.com/docker/swarmkit/identity/combined_id.go

@@ -0,0 +1,8 @@
+package identity
+
+import "fmt"
+
+// CombineTwoIDs combines the given IDs into a new ID, e.g. a secret and a task ID.
+func CombineTwoIDs(id1, id2 string) string {
+	return fmt.Sprintf("%s.%s", id1, id2)
+}

vendor/github.com/docker/swarmkit/manager/dispatcher/assignments.go

@@ -6,6 +6,7 @@ import (
 	"github.com/docker/swarmkit/api"
 	"github.com/docker/swarmkit/api/equality"
 	"github.com/docker/swarmkit/api/validation"
+	"github.com/docker/swarmkit/identity"
 	"github.com/docker/swarmkit/manager/drivers"
 	"github.com/docker/swarmkit/manager/state/store"
 	"github.com/sirupsen/logrus"
@@ -35,8 +36,10 @@ func newAssignmentSet(log *logrus.Entry, dp *drivers.DriverProvider) *assignment
 }
 
 func assignSecret(a *assignmentSet, readTx store.ReadTx, mapKey typeAndID, t *api.Task) {
-	a.tasksUsingDependency[mapKey] = make(map[string]struct{})
-	secret, err := a.secret(readTx, t, mapKey.id)
+	if _, exists := a.tasksUsingDependency[mapKey]; !exists {
+		a.tasksUsingDependency[mapKey] = make(map[string]struct{})
+	}
+	secret, doNotReuse, err := a.secret(readTx, t, mapKey.id)
 	if err != nil {
 		a.log.WithFields(logrus.Fields{
 			"resource.type": "secret",
@@ -45,6 +48,19 @@ func assignSecret(a *assignmentSet, readTx store.ReadTx, mapKey typeAndID, t *ap
 		}).Debug("failed to fetch secret")
 		return
 	}
+	// If the secret should not be reused for other tasks, give it a unique ID for the task to allow different values for different tasks.
+	if doNotReuse {
+		// Give the secret a new ID and mark it as internal
+		originalSecretID := secret.ID
+		taskSpecificID := identity.CombineTwoIDs(originalSecretID, t.ID)
+		secret.ID = taskSpecificID
+		secret.Internal = true
+		// Create a new mapKey with the new ID and insert it into the dependencies map for the task.
+		// This will make the changes map contain an entry with the new ID rather than the original one.
+		mapKey = typeAndID{objType: mapKey.objType, id: secret.ID}
+		a.tasksUsingDependency[mapKey] = make(map[string]struct{})
+		a.tasksUsingDependency[mapKey][t.ID] = struct{}{}
+	}
 	a.changes[mapKey] = &api.AssignmentChange{
 		Assignment: &api.Assignment{
 			Item: &api.Assignment_Secret{
@@ -104,7 +120,12 @@ func (a *assignmentSet) addTaskDependencies(readTx store.ReadTx, t *api.Task) {
 		secretID := secretRef.SecretID
 		mapKey := typeAndID{objType: api.ResourceType_SECRET, id: secretID}
 
-		if len(a.tasksUsingDependency[mapKey]) == 0 {
+		// This checks for the presence of each task in the dependency map for the
+		// secret. This is currently only done for secrets since the other types of
+		// dependencies do not support driver plugins. Arguably, the same task would
+		// not have the same secret as a dependency more than once, but this check
+		// makes sure the task only gets the secret assigned once.
+		if _, exists := a.tasksUsingDependency[mapKey][t.ID]; !exists {
 			assignSecret(a, readTx, mapKey, t)
 		}
 		a.tasksUsingDependency[mapKey][t.ID] = struct{}{}
@@ -290,27 +311,29 @@ func (a *assignmentSet) message() api.AssignmentsMessage {
 }
 
 // secret populates the secret value from raft store. For external secrets, the value is populated
-// from the secret driver.
-func (a *assignmentSet) secret(readTx store.ReadTx, task *api.Task, secretID string) (*api.Secret, error) {
+// from the secret driver. The function returns: a secret object; an indication of whether the value
+// is to be reused across tasks; and an error if the secret is not found in the store, if the secret
+// driver responds with one or if the payload does not pass validation.
+func (a *assignmentSet) secret(readTx store.ReadTx, task *api.Task, secretID string) (*api.Secret, bool, error) {
 	secret := store.GetSecret(readTx, secretID)
 	if secret == nil {
-		return nil, fmt.Errorf("secret not found")
+		return nil, false, fmt.Errorf("secret not found")
 	}
 	if secret.Spec.Driver == nil {
-		return secret, nil
+		return secret, false, nil
 	}
 	d, err := a.dp.NewSecretDriver(secret.Spec.Driver)
 	if err != nil {
-		return nil, err
+		return nil, false, err
 	}
-	value, err := d.Get(&secret.Spec, task)
+	value, doNotReuse, err := d.Get(&secret.Spec, task)
 	if err != nil {
-		return nil, err
+		return nil, false, err
 	}
 	if err := validation.ValidateSecretPayload(value); err != nil {
-		return nil, err
+		return nil, false, err
 	}
 	// Assign the secret
 	secret.Spec.Data = value
-	return secret, nil
+	return secret, doNotReuse, nil
 }

vendor/github.com/docker/swarmkit/manager/drivers/secrets.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/docker/docker/pkg/plugingetter"
 	"github.com/docker/swarmkit/api"
+	"github.com/docker/swarmkit/api/naming"
 )
 
 const (
@@ -25,20 +26,29 @@ func NewSecretDriver(plugin plugingetter.CompatPlugin) *SecretDriver {
 	return &SecretDriver{plugin: plugin}
 }
 
-// Get gets a secret from the secret provider
-func (d *SecretDriver) Get(spec *api.SecretSpec, task *api.Task) ([]byte, error) {
+// Get gets a secret from the secret provider. The function returns: the secret value;
+// a bool indicating whether the value should be reused across different tasks (defaults to false);
+// and an error if either the spec or task are nil, if calling the driver returns an error, or if
+// the driver returns an error in the payload.
+func (d *SecretDriver) Get(spec *api.SecretSpec, task *api.Task) ([]byte, bool, error) {
 	if spec == nil {
-		return nil, fmt.Errorf("secret spec is nil")
+		return nil, false, fmt.Errorf("secret spec is nil")
 	}
 	if task == nil {
-		return nil, fmt.Errorf("task is nil")
+		return nil, false, fmt.Errorf("task is nil")
 	}
 
 	var secretResp SecretsProviderResponse
 	secretReq := &SecretsProviderRequest{
 		SecretName:    spec.Annotations.Name,
+		SecretLabels:  spec.Annotations.Labels,
+		ServiceID:     task.ServiceID,
 		ServiceName:   task.ServiceAnnotations.Name,
 		ServiceLabels: task.ServiceAnnotations.Labels,
+		TaskID:        task.ID,
+		TaskName:      naming.Task(task),
+		TaskImage:     task.Spec.GetContainer().Image,
+		NodeID:        task.NodeID,
 	}
 	container := task.Spec.GetContainer()
 	if container != nil {
@@ -67,21 +77,27 @@ func (d *SecretDriver) Get(spec *api.SecretSpec, task *api.Task) ([]byte, error)
 
 	err := d.plugin.Client().Call(SecretsProviderAPI, secretReq, &secretResp)
 	if err != nil {
-		return nil, err
+		return nil, false, err
 	}
 	if secretResp.Err != "" {
-		return nil, fmt.Errorf(secretResp.Err)
+		return nil, secretResp.DoNotReuse, fmt.Errorf(secretResp.Err)
 	}
 	// Assign the secret value
-	return secretResp.Value, nil
+	return secretResp.Value, secretResp.DoNotReuse, nil
 }
 
 // SecretsProviderRequest is the secrets provider request.
 type SecretsProviderRequest struct {
 	SecretName          string            `json:",omitempty"` // SecretName is the name of the secret to request from the plugin
+	SecretLabels        map[string]string `json:",omitempty"` // SecretLabels capture environment names and other metadata pertaining to the secret
 	ServiceHostname     string            `json:",omitempty"` // ServiceHostname is the hostname of the service, can be used for x509 certificate
+	ServiceID           string            `json:",omitempty"` // ServiceID is the name of the service that requested the secret
 	ServiceName         string            `json:",omitempty"` // ServiceName is the name of the service that requested the secret
-	ServiceLabels       map[string]string `json:",omitempty"` // ServiceLabels capture environment names and other metadata
+	ServiceLabels       map[string]string `json:",omitempty"` // ServiceLabels capture environment names and other metadata pertaining to the service
+	TaskID              string            `json:",omitempty"` // TaskID is the ID of the task that the secret will be assigned to
+	TaskName            string            `json:",omitempty"` // TaskName is the name of the task that the secret will be assigned to
+	TaskImage           string            `json:",omitempty"` // TaskName is the image of the task that the secret will be assigned to
+	NodeID              string            `json:",omitempty"` // NodeID is the ID of the node that the task will be executed on
 	ServiceEndpointSpec *EndpointSpec     `json:",omitempty"` // ServiceEndpointSpec holds the specification for endpoints
 }
 
@@ -89,6 +105,11 @@ type SecretsProviderRequest struct {
 type SecretsProviderResponse struct {
 	Value []byte `json:",omitempty"` // Value is the value of the secret
 	Err   string `json:",omitempty"` // Err is the error response of the plugin
+
+	// DoNotReuse indicates that the secret returned from this request should
+	// only be used for one task, and any further tasks should call the secret
+	// driver again.
+	DoNotReuse bool `json:",omitempty"`
 }
 
 // EndpointSpec represents the spec of an endpoint.

vendor/github.com/docker/swarmkit/manager/orchestrator/taskreaper/task_reaper.go

@@ -31,7 +31,7 @@ type TaskReaper struct {
 	// taskHistory is the number of tasks to keep
 	taskHistory int64
 
-	// List of slot tubles to be inspected for task history cleanup.
+	// List of slot tuples to be inspected for task history cleanup.
 	dirty map[orchestrator.SlotTuple]struct{}
 
 	// List of tasks collected for cleanup, which includes two kinds of tasks
@@ -61,7 +61,7 @@ func New(store *store.MemoryStore) *TaskReaper {
 // Run is the TaskReaper's watch loop which collects candidates for cleanup.
 // Task history is mainly used in task restarts but is also available for administrative purposes.
 // Note that the task history is stored per-slot-per-service for replicated services
-// and per-node-per-service for global services. History does not apply to serviceless
+// and per-node-per-service for global services. History does not apply to serviceless tasks
 // since they are not attached to a service. In addition, the TaskReaper watch loop is also
 // responsible for cleaning up tasks associated with slots that were removed as part of
 // service scale down or service removal.
@@ -196,11 +196,9 @@ func (tr *TaskReaper) Run(ctx context.Context) {
 				}
 				isTimerStopped = true
 				tr.tick()
-			} else {
-				if isTimerStopped {
-					timer.Reset(reaperBatchingInterval)
-					isTimerStopped = false
-				}
+			} else if isTimerStopped {
+				timer.Reset(reaperBatchingInterval)
+				isTimerStopped = false
 			}
 		case <-timer.C:
 			// we can safely ignore draining off of the timer channel, because

vendor/github.com/docker/swarmkit/manager/state/raft/transport/transport.go

@@ -4,6 +4,7 @@ package transport
 
 import (
 	"context"
+	"math"
 	"net"
 	"sync"
 	"time"
@@ -354,6 +355,15 @@ func (t *Transport) dial(addr string) (*grpc.ClientConn, error) {
 			return net.DialTimeout("tcp", addr, timeout)
 		}))
 
+	// TODO(dperny): this changes the max received message size for outgoing
+	// client connections. this means if the server sends a message larger than
+	// this, we will still accept and unmarshal it. i'm unsure what the
+	// potential consequences are of setting this to be effectively unbounded,
+	// so after docker/swarmkit#2774 is fixed, we should remove this option
+	grpcOptions = append(grpcOptions, grpc.WithDefaultCallOptions(
+		grpc.MaxCallRecvMsgSize(math.MaxInt32),
+	))
+
 	cc, err := grpc.Dial(addr, grpcOptions...)
 	if err != nil {
 		return nil, err

vendor/github.com/docker/swarmkit/manager/state/store/networks.go

@@ -105,7 +105,7 @@ func GetNetwork(tx ReadTx, id string) *api.Network {
 func FindNetworks(tx ReadTx, by By) ([]*api.Network, error) {
 	checkType := func(by By) error {
 		switch by.(type) {
-		case byName, byNamePrefix, byIDPrefix, byCustom, byCustomPrefix:
+		case byName, byNamePrefix, byIDPrefix, byCustom, byCustomPrefix, byAll:
 			return nil
 		default:
 			return ErrInvalidFindBy

vendor/github.com/docker/swarmkit/manager/state/store/services.go

@@ -126,7 +126,7 @@ func GetService(tx ReadTx, id string) *api.Service {
 func FindServices(tx ReadTx, by By) ([]*api.Service, error) {
 	checkType := func(by By) error {
 		switch by.(type) {
-		case byName, byNamePrefix, byIDPrefix, byRuntime, byReferencedNetworkID, byReferencedSecretID, byReferencedConfigID, byCustom, byCustomPrefix:
+		case byName, byNamePrefix, byIDPrefix, byRuntime, byReferencedNetworkID, byReferencedSecretID, byReferencedConfigID, byCustom, byCustomPrefix, byAll:
 			return nil
 		default:
 			return ErrInvalidFindBy