The deck gateway diff command shows the differences between your live Kong Gateway configuration and the state file provided.
deck gateway diff is typically used to preview upcoming changes, or to detect unexpected changes in the live system.
deck gateway diff
Uses:
deck
Related Documentation
Related Resources
Dry run
deck gateway diff should always be run before running deck gateway sync to preview upcoming changes. decK resolves all changes as though it’s performing a sync, and outputs the changes that would have been made at the end:
deck gateway diff /path/to/kong.yaml
updating service example-service {
"connect_timeout": 60000,
"enabled": true,
- "host": "httpbin.konghq.com",
+ "host": "httpbin.org",
"id": "c828da95-d684-42d3-8047-43d90552f6e2",
"name": "example-service",
"port": 80,
"protocol": "http",
"read_timeout": 60000,
"retries": 5,
"write_timeout": 60000
}
Summary:
Created: 0
Updated: 1
Deleted: 0
If you see changes in the diff that you didn’t expect, edit your state file until it matches your expectations and run deck gateway diff again before running deck gateway sync.
Drift detection
You can run deck gateway diff periodically with a known state file to detect any unexpected changes in the live system.
If your running Kong Gateway matches your expected state, you will see the following output:
Summary:
Created: 0
Updated: 0
Deleted: 0
If the live system has changed without a corresponding change to the state file, deck gateway diff will highlight the change and it can be reverted by running deck gateway sync.
Command usage
Usage:
deck gateway diff [flags] [kong-state-files...]
Flags:
--consumer-group-policy-overrides allow deck to diff consumer-group policy overrides.
This allows policy overrides to work with Kong GW versions >= 3.4
Warning: do not mix with consumer-group scoped plugins
-h, --help help for diff
--json-output generate command execution report in a JSON format
--no-mask-deck-env-vars-value do not mask DECK_ environment variable values at diff output.
--non-zero-exit-code return exit code 2 if there is a diff present,
exit code 0 if no diff is found,
and exit code 1 if an error occurs.
--parallelism int Maximum number of concurrent operations. (default 10)
--rbac-resources-only sync only the RBAC resources (Kong Enterprise only).
--select-tag strings only entities matching tags specified via this flag are diffed.
When this setting has multiple tag values, entities must match each of them.
--silence-events disable printing events to stdout
--skip-ca-certificates do not diff CA certificates.
--skip-consumers do not diff consumers or any plugins associated with consumers
--skip-consumers-with-consumer-groups do not show the association between consumer and consumer-group.
If set to true, deck skips listing consumers with consumer-groups,
thus gaining some performance with large configs.
Usage of this flag without apt select-tags and default-lookup-tags can be problematic.
This flag is not valid with Konnect.
-w, --workspace string Diff configuration with a specific workspace (Kong Enterprise only).
This takes precedence over _workspace fields in state files.
--yes yes assume yes to prompts and run non-interactively.