siderolabs/omni v1.4.0-beta.0 on GitHub

Omni 1.4.0-beta.0 (2025-12-10)

Welcome to the v1.4.0-beta.0 release of Omni!
This is a pre-release of Omni

Please try out the release binaries and report any issues at
https://github.com/siderolabs/omni/issues.

Support for OIDC Providers without Email Verified Claim

Enabled support for OIDC providers, such as Azure, that do not provide the email_verified claim during authentication.

Dynamic SAML Label Role Updates

Added support for dynamically updating SAML label roles on every login via the new update_on_each_login field.

Machine Class Logic Updates

Added support for locks, node deletion, and restore operations when using machine classes.

Virtual Resources for Platform Information

Platform and SBC information is now pulled from Talos machinery and presented as virtual resources:
MetalPlatformConfig, CloudPlatformConfig, and SBCConfig. They support Get and List operations.

Automated CLI Install Options

Automated installation options have been added to the CLI section of the homepage, supplementing the existing manual options.

OIDC Warning for Kubeconfig Download

A warning toast is now displayed when downloading kubeconfig to inform users that the OIDC plugin is required before using the file with kubectl.

UI/UX Improvements

Various UI improvements including pre-selecting the correct binary for the user's platform, truncating long items in the ongoing tasks list,
hiding JSON schema descriptions behind tooltips, and standardizing link styling.

Force Deletion of Infra Provider Resources

Added the ability to force-delete MachineRequests and InfraMachines managed by Infra providers.
This allows for the cleanup of resources and finalizers even if the underlying provider is unresponsive or deleted.

Migration to SQLite Storage

Discovery service state, audit logs, machine logs, and secondary resources have been migrated to use SQLite
storage.

Prevent Talos Minor Version Downgrades

Omni now prevents downgrading the Talos minor version below the initial version used to create the cluster.
This safeguard prevents machine configurations from entering a broken state due to unsupported features in older versions.

Contributors

Edward Sammut Alessi
Utku Ozdemir
Artem Chernyshev
Andrey Smirnov
Oguz Kilcan
Tim Jones
Hector Monsalve
Orzelius
lkc8fe

Changes

102 commits

7b3ffa2a release(v1.4.0-beta.0): prepare release
d31f7f86 fix: stop referencing deprecated field on frontend storybook
d68562f5 feat: add labels to talos version metric
2dd0daac fix(frontend): change incorrect copy toast message
e886bb76 feat: store discovery service state in SQLite
fbfbb453 fix: do not filter out rc releases to from pre-release talos versions
e27cf264 chore: rekres
09ef0432 fix(frontend): prevent an error when downloading support bundle
c654237b feat(frontend): show a warning toast about oidc when downloading kubeconfig
6eea2cab feat(frontend): add automated install options for cli
75cc7778 fix(installation-media): check min_version for providers
50b2546f feat(installation-media): support talos 1.12.0 bootloader section
d9c06640 chore(installation-media): rename external args to extra args
6ee38310 feat(installation-media): implement external args step
dd0bdb63 feat: store audit logs in sqlite
bc2a5a99 chore: prepare omni with talos v1.12.0-beta.1
24ed384a fix(installation-media): only list architectures supported by providers
64e19ed6 fix(installation-media): correct doc links for sbc & cloud steps
9826116e fix(installation-media): adjust secureboot support check
ba2e77cc fix: change stripe button to billing
60cb92a1 feat: prevent downgrading talos minor version below initial version
60dac9d5 feat(frontend): hide descriptions in json schema behind tooltip
b9a3e4ee chore(frontend): fix monaco-editor worker on dev server
f0646a67 feat(frontend): change default config patch for talos 1.12
31d5a1b6 refactor(installation-media): get cloud providers and sbcs from api
672a1c42 refactor(frontend): create composables for resource list & get
2804426b feat: store machine logs in sqlite
741a86f2 fix(frontend): fix backup interval clamping
2e2be883 refactor(frontend): wait for signing keys instead of throwing
5e8ef874 feat: allow passing extra parameters to sqlite conn string
448fb645 fix: trim whitespaces from the initial label keys and values
59f4fff1 fix: properly filter the machines which were already added to a cluster
d3a9c663 fix(frontend): update csp for userpilot and refactor init logic
20c8c3ab feat(frontend): preselect the correct binary for the user's platform where possible
297415de feat(frontend): truncate items inside ongoing tasks list
9d30ff55 chore: bump dependencies
edb1603c fix(frontend): prevent logout dropdown menu from shrinking
5610e71d refactor(frontend): refactor Tooltip to use reka-ui Tooltip
c2ab8ab9 refactor(frontend): replace popper with tooltip in PatchEdit
cc99091a refactor(frontend): replace popper with tooltip + popover in MachineSetPicker
7f6be055 refactor(frontend): replace popper with tooltip in TButtonGroup
e91711a2 refactor(frontend): refactor TActionsBox with reka-ui
a96bd3de fix: restore monaco-editor styles by enabling unsafe-inline
7b944d08 fix(frontend): constrain sidebar to a fixed size
8b5c29b3 feat: support locks,node delete and restore when using machine classes
bc01ae0d feat: pull platforms and SBC information from Talos machinery
133fa156 fix(frontend): add nonce to apexcharts and add csp to dev
2a690593 chore: rewrite MachineSetNodeController as QController
23a3594e fix(frontend): sort talosctl versions correctly and select correct default
997e4601 feat(frontend): style all regular links with primary
6ca43f37 test: pick UKI and non-UKI machines correctly
19a6cd12 feat(installation-media): implement system extensions step
52360252 fix: do not clear schematic meta values for non-UKI machines
b284d491 refactor: use template instead of bytes replace for nonce
78050045 fix: add nonce for userpilot scripts
4bcaea1e feat: centralize Schematic ID computation
7397f148 feat(installation-media): implement cloud provider + sbc steps
f6ac435b fix: do not allow downloading deprecated Talos versions in the UI
29296971 feat: support dynamically updating SAML label roles
b3fd95cd refactor(frontend): change RadioGroup to use slots for options
bb879bf6 refactor(frontend): refactor pods list and add stories
75f70e4d feat: allow force-deletion of machine requests
3e3f5134 feat(installation-media): add machine architecture step
e3ef4daa fix: correct handling extra outputs for cleanup controller
e1eaf649 refactor(frontend): switch from openpgp to webcrypto
e9ac4a8a fix(frontend): keep use_embedded_discovery_service state when scaling
519b46d6 fix: make exposed services also support plain keys
a973a7a3 fix: fix typos across the project
61d09f81 chore(frontend): update dependencies
db97e092 chore: bump Kubernetes version to 1.34.2
cecb9695 chore: rekres
3c744d93 fix(frontend): fix exposed services sidebar not appearing
85e0f36b feat: allow force-deletion of infra machines
cd40dd5f fix: reduce usage of cached state to avoid stale reads
03460a9e test: fix flaky etcd backup tests
4d0658bb test: fix flaky MachineUpgradeStatusController test
e9586a08 fix: use deterministic order for machine extensions
88928fe6 fix: move infra provider ID annotations to labels
25ae4a18 refactor(auth): extract interceptor from key generation logic
faf286ab fix: keep existing cluster level system extensions config in the UI
606fbc4d fix: ignore MachineSets which reference non-existing clusters
7cdd62a8 fix(frontend): remove double scrollbar on machines list
6df818b2 chore: make FrontendAuthFlow generated
ff1d14e6 refactor(auth): extract identity from key generation logic
7468e6ea chore: rekres, make linters happy, bump Go, deps and Talos versions
e042332e feat(installation-media): implement talos version step
1dec8ed7 feat: allow OIDC providers which do not have email_verified claim
119c20da fix: keep ClusterMachineRequestStatus while MachineRequest exists
cb40d4fb feat: support plain keys in the request signatures
60a130ea fix: prevent MachineSetStatus from going into create/destroy loop
e38b3b9b feat(frontend): add a link generator to installation media
b976e2d2 fix: do not skip creating schematic config in agent mode
d8d6dc4c fix(frontend): only show label outline if selected
e3b53cd9 test: use resource cache in unit tests
67ad8f4d feat(frontend): add a split button component
e38f0ffe fix: remove KernelArgs resource when a machine is removed
1a0174dc test: fix install extra kernel args in infra test
971353da chore: add basic logic for light/dark theme
3244ac4f fix: update MachineRequestStatus resource when we populate UUID
85fa6af8 chore: expose enable-talos-pre-release-versions flag in the FeaturesConfig
3e90bc6c fix: prevent stale reads of kernel args in schematic id calculation
75a9f3ee feat: use sqlite as secondary resource storage

Changes from siderolabs/discovery-service

5 commits

a5fccd5 release(v1.0.13): prepare release
1d3ea34 feat: add support for custom persistent snapshot store
0178eff release(v1.0.12): prepare release
b7b68e0 chore: update dependencies, Go version
2c1239f refactor: use DynamicCertificate from crypto library

Changes from siderolabs/gen

1 commit

4c7388b chore: update Go modules, replace YAML library

Changes from siderolabs/go-api-signature

2 commits

8b046e5 fix: do not decode the signature in the plain key from base64
7e98556 feat: support verifying payload using plain ecdsa keys

Changes from siderolabs/go-kubernetes

1 commit

8454fe9 feat: add upgrade path for 1.35

Changes from siderolabs/go-talos-support

2 commits

abfc570 chore: update dependencies, replace YAML library
e0738a9 fix: set pod name in k8s kube-system log filenames

Changes from siderolabs/proto-codec

1 commit

bd9c491 chore: bump and update dependencies

Dependency Changes

github.com/auth0/go-jwt-middleware/v2 v2.3.0 -> v2.3.1
github.com/aws/aws-sdk-go-v2 v1.39.3 -> v1.40.0
github.com/aws/aws-sdk-go-v2/config v1.31.12 -> v1.32.1
github.com/aws/aws-sdk-go-v2/credentials v1.18.16 -> v1.19.1
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.19.12 -> v1.20.11
github.com/aws/aws-sdk-go-v2/service/s3 v1.88.4 -> v1.92.0
github.com/aws/smithy-go v1.23.1 -> v1.23.2
github.com/coreos/go-oidc/v3 v3.16.0 -> v3.17.0
github.com/cosi-project/runtime v1.11.0 -> v1.13.0
github.com/cosi-project/state-etcd v0.5.2 -> v0.5.3
github.com/cosi-project/state-sqlite v0.1.0 new
github.com/jxskiss/base62 v1.1.0 new
github.com/klauspost/compress v1.18.0 -> v1.18.1
github.com/prometheus/common v0.67.1 -> v0.67.4
github.com/siderolabs/discovery-service v1.0.11 -> v1.0.13
github.com/siderolabs/gen v0.8.5 -> v0.8.6
github.com/siderolabs/go-api-signature v0.3.10 -> v0.3.12
github.com/siderolabs/go-kubernetes v0.2.26 -> v0.2.27
github.com/siderolabs/go-talos-support v0.1.2 -> v0.1.4
github.com/siderolabs/omni/client v1.2.1 -> v1.3.4
github.com/siderolabs/proto-codec v0.1.2 -> v0.1.3
github.com/siderolabs/talos/pkg/machinery v1.12.0-alpha.2 -> v1.12.0-beta.1
go.etcd.io/etcd/client/pkg/v3 v3.6.5 -> v3.6.6
go.etcd.io/etcd/client/v3 v3.6.5 -> v3.6.6
go.etcd.io/etcd/server/v3 v3.6.5 -> v3.6.6
go.uber.org/zap v1.27.0 -> v1.27.1
go.yaml.in/yaml/v4 v4.0.0-rc.3 new
golang.org/x/crypto v0.43.0 -> v0.45.0
golang.org/x/net v0.46.0 -> v0.47.0
golang.org/x/oauth2 v0.32.0 -> v0.33.0
golang.org/x/sync v0.17.0 -> v0.18.0
golang.org/x/text v0.30.0 -> v0.31.0
golang.org/x/tools v0.38.0 -> v0.39.0
google.golang.org/grpc v1.76.0 -> v1.77.0
k8s.io/api v0.35.0-alpha.1 -> v0.35.0-beta.0
k8s.io/apimachinery v0.35.0-alpha.1 -> v0.35.0-beta.0
k8s.io/client-go v0.35.0-alpha.1 -> v0.35.0-beta.0
modernc.org/sqlite v1.40.1 new
sigs.k8s.io/controller-runtime v0.22.3 -> v0.22.4

Previous release can be found at v1.3.0