Problem
Recently I made a mistake in Jsonnet, which rendered a broken Secret, but this didn't show up in tk diff (and consequently not in kubectl diff), as I was refactoring, this was expected and no apply was executed. We ended up with a broken Tanka environment.

Steps to reproduce:

Tested with k8s-alpha and tanka v0.11.1

main.jsonnet:

local k = import 'k.libsonnet';

{
  local addSecret(password) = k.core.v1.secret.new('name', { creds: password }),

  // addSecret should not be mixed in, this was the mistake
  objects: addSecret('test') + {
    node: k.core.v1.configMap.new('somenode', { a: 'abc' }),
  },
}

This renders:

apiVersion: v1
data:
  creds: test
kind: Secret
metadata:
  name: name
  namespace: default
node:
  apiVersion: v1
  data:
    a: abc
  kind: ConfigMap
  metadata:
    name: somenode
type: Opaque

Expected result:
tk diff would yield a diff or at least a warning that something is up.

Actual result:
tk diff yields 'No differences'

More info:
tk apply shows:

error: error validating "STDIN": error validating data: ValidationError(Secret): unknown field "node" in io.k8s.api.core.v1.Secret; if you choose to ignore these errors, turn validation off with --validate=false
exit status 1

Proposed solution

Run client side validation:

kubectl apply --validate=true --dry-run=client

Either with tk diff or a new tk validate, or both?