support applying separately constructed diff (similar to terraform plan/apply)
Similar to Terraform plan/apply, it would be super useful if the diff and apply stages could be split into two invocations of the tool. This would allow better integration with systems where user input can't be provided via a TTY (e.g. Buildkite pipelines). Currently the only solution in these cases is to use -y, but at least initially this isn't what I'd like to do when deploying production services.
@samschlegel interesting...
This would allow better integration with systems where user input can't be provided via a TTY (e.g. Buildkite pipelines).
I'm assuming you are planning to do some kind of manual review in the middle step, and then approve the change to continue going through the pipeline?
One challenge I am thinking of is that if there is some kind of artifact that is propagated, it cannot contain secret information (i.e. it cannot be just a plain diff). A few solutions to that: (1) propagate a ref that points to a diff saved in the cluster, or (2) propagate some kind of checksum (sha256?) that is later compared to the new diff, and if it matches it continues (not sure if checksumming content that potentially includes secrets is ok).
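As an added illustration of option (2), not code from this project: a plan step emits a small manifest carrying only a digest of the diff, and the apply step recomputes the diff against the live cluster and refuses to continue unless it still matches what was reviewed. The diff format, the manifest layout and the pipeline key are assumptions for the example. Keying the digest (HMAC-SHA256 with a key that stays in the CI secret store) addresses the concern about checksumming secrets: a plain SHA-256 of a diff containing a low-entropy value lets anyone holding the artifact test guesses against it, whereas the keyed digest reveals nothing without the key.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample plan: a unified diff between the live cluster state and the
# desired manifests. The real tool's diff format may differ.
APPROVED_DIFF = b"""--- live/deployment.yaml
+++ desired/deployment.yaml
@@ -3,2 +3,2 @@
 replicas: 2
-image: registry.example/app:1.4.0
+image: registry.example/app:1.5.0
"""

# Hypothetical key held only by the pipeline (e.g. a CI secret); it is never
# written into the propagated artifact.
PIPELINE_KEY = b"constructed-example-key"


def plan_digest(diff: bytes, key: Optional[bytes] = None) -> str:
    """Fingerprint of the plan.

    With a key this is HMAC-SHA256, so the artifact leaks nothing about values in
    the diff; without a key it is the plain SHA-256 floated in the thread.
    """
    if key is None:
        return hashlib.sha256(diff).hexdigest()
    return hmac.new(key, diff, hashlib.sha256).hexdigest()


def write_plan_manifest(diff: bytes, key: Optional[bytes] = None) -> str:
    """Plan step: emit the JSON artifact passed to the apply step.

    Only the digest travels between steps, never the diff body, so the artifact
    can be stored by the CI system without exposing secret fields.
    """
    return json.dumps({
        "algorithm": "hmac-sha256" if key else "sha256",
        "plan_digest": plan_digest(diff, key),
    })


def apply_gate(manifest_json: str, current_diff: bytes, key: Optional[bytes] = None) -> bool:
    """Apply step: recompute the diff against the live cluster and continue only if
    it is byte-for-byte what the reviewer approved.

    A cluster that drifted, or a manifest edited after review, produces a different
    diff and fails the gate instead of applying an unreviewed change.
    """
    manifest = json.loads(manifest_json)
    expected = manifest["plan_digest"]
    actual = plan_digest(current_diff, key)
    # Constant-time comparison; the digests are hex strings of equal length.
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    manifest = write_plan_manifest(APPROVED_DIFF, PIPELINE_KEY)
    print("artifact:", manifest)
    print("apply allowed:", apply_gate(manifest, APPROVED_DIFF, PIPELINE_KEY))
    drifted = APPROVED_DIFF.replace(b"1.5.0", b"1.6.0")
    print("apply allowed after drift:", apply_gate(manifest, drifted, PIPELINE_KEY))
```

The apply step must regenerate the diff itself rather than trust a diff handed to it; the digest only confirms that what is about to be applied equals what was reviewed.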
Yes, that's the plan. One step outputs the diff and uploads the plan, and then the pipeline blocks waiting for manual review, and the step after downloads the artifacts.
If the output contains secrets, the input would also have secrets, so it doesn't seem like that should be an issue here? Terraform plans include the secrets, and we encrypt it when sharing it between steps.
This would also be useful in Concourse pipelines, allowing the diff to be committed to a git repo from one job and then picked up by a downstream job to be applied.