Spike: partial updates

[rainest]

As-is, decK solves for the entirety of a target state. Entities that are in the current Kong state but not in the target state are deleted on sync, and there is no way to instruct deck to act only on the entities in a target state while ignoring others.

We would like to explore options for operating only on entities in the target state. For example, consider this current state:

_format_version: "1.1"
consumers:
- custom_id: bar1
  username: bar

and this requested target state:

_format_version: "1.1"
consumers:
- custom_id: foo1
  username: foo

The result of a sync currently is:

_format_version: "1.1"
consumers:
- custom_id: foo1
  username: foo

The bar consumer is deleted, and the foo consumer is added. For a partial update, the result would be:

_format_version: "1.1"
consumers:
- custom_id: bar1
  username: bar
- custom_id: foo1
  username: foo

The bar consumer is untouched, and the foo consumer is added.

There are several motivations for this:

• The ingress controller leverages decK, providing a complete blob of all target configuration and requesting that decK apply it. decK's operations on individual objects after are opaque to the controller, and if decK cannot apply some subset of configuration, the controller cannot determine which resources failed to apply, and cannot update status information in Kubernetes appropriately.
• This is a previously requested feature from the community: Add flag to avoid/skip deletion statement #211
• Entities that exist outside workspaces (at present, only CA certificates are supported) pose challenges because they are visible in all workspaces as if they were a workspaced entity. This may not be the correct approach to handling them, however.