Investigate encapsulated safe rollouts

Look into this: https://cloud.google.com/solutions/safe-rollouts-with-anthos-config-management

This moves away from a dynamic, unknown (not to be confused with unauthenticated) inventory/clusters, but addresses encapsulated deployment changes. This is all based on the concept of cluster->git-ref can be set.