stagesetctl diff
By default diff performs a
server-side
dry-run apply and exits 1 when there are changes, so it works as a CI gate. It
shows, per object, what a reconcile would create, configure, or delete, plus the
actions a rollout would run. To see the full rendered manifests
without comparing against the cluster, use build.
stagesetctl diff NAME [flags]
| Flag | Default | Description |
|---|---|---|
--stage | (all) | Diff only the named stage(s); repeatable. |
--source-dir | (none) | Use a local artifact tree as [STAGE=]PATH; repeatable. Skips the cluster fetch. |
--server-side | true | Server-side dry-run apply diff (needs update/patch RBAC). false renders client-side against live objects. |
--as-tenant | false | Render and dry-run impersonating spec.serviceAccountName (see multi-cluster and tenancy). |
--show-secrets | false | Reveal Secret values instead of masking. |
--show-unchanged | false | Include objects with no change. |
--prune | true | Show resources that would be deleted (fell out of inventory). |
--color | auto | Colorize output: auto, always, or never. |
--exit-code | true | Exit 1 when changes are found. false always exits 0 on a clean run. |
Example
stagesetctl diff payments
--- live
+++ merged
@@ Deployment payments/web @@
spec:
- replicas: 3
+ replicas: 6
- ConfigMap payments/old-feature-flags (pruned: fell out of inventory)
Actions to run:
application:
pre db-migrate job ledger-migrations
post smoke-test http https://payments.internal/healthz
Objects that left the stage’s inventory show as deletions
(pruned: …); pass --prune=false to hide them. The trailing Actions to run
block lists the pre/post/onFailure actions a real reconcile
would execute — diff never runs them, it only reports them.
A clean run prints nothing and exits 0; pending changes exit 1. To inspect
without failing the shell:
stagesetctl diff payments --color=never --exit-code=false
Use --server-side=false when you lack apply RBAC and only need a textual
render-versus-live comparison.