siderolabs/omni v1.6.0-beta.3 on GitHub

Omni 1.6.0-beta.3 (2026-03-13)

Welcome to the v1.6.0-beta.3 release of Omni!
This is a pre-release of Omni

Please try out the release binaries and report any issues at
https://github.com/siderolabs/omni/issues.

Urgent Upgrade Notes (No, really, you MUST read this before you upgrade)

The deprecated flags and config fields that were kept for the SQLite migration period (introduced in v1.4.0) have been removed.

If you still have any of the following flags or config keys set, you must remove them before upgrading, as they will cause startup errors:

--audit-log-dir (.logs.audit.path)
--secondary-storage-path (.storage.secondary.path)
--machine-log-storage-path (.logs.machine.storage.path)
--machine-log-storage-enabled (.logs.machine.storage.enabled)
--log-storage-path (.logs.machine.storage.path)
--embedded-discovery-service-snapshot-path (.services.embeddedDiscoveryService.snapshotsPath)
--machine-log-buffer-capacity (.logs.machine.bufferInitialCapacity)
--machine-log-buffer-max-capacity (.logs.machine.bufferMaxCapacity)
--machine-log-buffer-safe-gap (.logs.machine.bufferSafetyGap)
--machine-log-num-compressed-chunks (.logs.machine.storage.numCompressedChunks)

The automatic migration code for BoltDB secondary storage, file-based audit logs, file-based discovery service snapshots, and circular buffer machine logs has also been removed. If you are upgrading from a version older than v1.4.0, you must first upgrade to v1.4.x to complete the migrations, then upgrade to this version.

Talos and Kubernetes CA Rotation

Omni now supports rotating the Talos and Kubernetes Certificate Authorities for managed clusters.

Talos and Kubernetes Versions in ClusterStatus

The ClusterStatus resource now includes talos_version and kubernetes_version fields, making cluster version information available programmatically. They are now also shown in the cluster list in the UI.

Pending and Historical Config Diffs in UI

The UI now shows pending and historical configuration diffs, making it easy to review what changed and when.

Force Machine Destroy

A --force flag has been added to the machine destroy command (and a corresponding UI option) to forcibly remove machines that are stuck or unresponsive.

Helm Chart v2

A new Helm chart v2 has been implemented with improved structure and more configurable options.
More configuration values are now exposed in the Helm chart, giving operators greater flexibility when deploying Omni.

Installation Media Wizard

The installation media flow now uses a wizard-based UI by default, replacing the previous modal dialog. Presets may now also be saved, allowing for future reuse.

Machine Log Storage Cleanup

Global size-based cleanup has been added for machine log storage, preventing unbounded disk usage.
Configurable options for audit log cleanup have also been added.

Minimum Talos Version Bump

The minimum supported Talos version for new clusters has been bumped to 1.8.

Minor UI Improvements

Other minor UI improvements part of this release:

Talos and Kubernetes versions are now shown in the cluster list.
Node name and UUID are shown in the support bundle modal.
Machine set pools now have a collapse/expand toggle.
Cluster scaling has been moved to a modal dialog.
Getting started guidance and empty-state pages have been added for clusters, machines, and machine classes.
Instructions for adding machines and exporting cluster templates are now shown in the UI.
Clarification text has been added to backup settings.
YouTube video embedding is now supported in documentation/onboarding flows.
The frontend authentication flow no longer requires an explicit login click.
Resource labels use new colors for improved visual clarity.

Detailed Node Disk Information

The node details page now shows detailed disk information, including disk model, size, and type.

PCI Devices on Node Details

The node details page now includes a dedicated section listing all PCI devices present on the node.

Reset Node Unique Tokens

It is now possible to reset the unique token for a node, which can be useful for re-enrolling machines.

OIDC Token Cache Isolation for Kubeconfigs

Generated kubeconfigs now use isolated OIDC token caches, preventing token collisions between different kubeconfig users.

Pending Machines

Machines that were previously rejected can now be unrejected from the UI, allowing them to be accepted into Omni.

Rejected machines can also now be deleted directly from the UI.

SAML Logout Flow

Omni now implements the SAML logout flow, properly terminating sessions with the SAML identity provider on sign-out.

SQLite Metrics and Cleanup Counters

Metrics for the SQLite state backend have been exposed, along with cleanup counters for better observability.

Upgrade Parallelism

The upgrade parallelism for machine sets can now be configured via cluster templates and the UI, allowing operators to control how many machines are upgraded concurrently.

User and Service Account Activity Tracking

Omni now tracks the last activity time for users and service accounts, providing better visibility into account usage.

User Management gRPC Endpoints

New ManagementService gRPC endpoints have been added for user operations, enabling programmatic user management.

Configurable User and Service Account Limits

Operators can now enforce configurable limits on the number of users and service accounts that can be created in Omni.

Custom Vault Kubernetes Auth Mount Path

The Vault Kubernetes authentication mount path is now configurable, supporting non-default Vault configurations.

Contributors

Edward Sammut Alessi
Andrey Smirnov
Utku Ozdemir
Oguz Kilcan
Artem Chernyshev
Kevin Tijssen
Noel Georgi
Orzelius
Mateusz Urbanek
Tim Jones
Daddie0
Daniil Kivenko
Dmitrii Sharshakov
Justin Garrison
Pranav Patil
Steve Francis
greenpsi

Changes

154 commits

cf7be162 release(v1.6.0-beta.3): prepare release
6d52a697 feat: add hsts header for omni frontend
385c512d test: fix ConfigPatching test
72cb85a4 feat: add configurable bandwidth rate limiting for SideroLink tunnel
49795f0c feat(frontend): display appropriate message for talos apis when booting
3a19194f fix: add missing timeout to the backup download calls in secrets ctrl
017b0398 fix(frontend): fix cluster details layout for ultrawide and mobile
febba94d test: fix flaky link cleanup test
118a2c7c chore(frontend): expose error codes on watches
28e85107 fix: calculate diff history and machine config out of applied config
7a153579 chore: remove go-jsonschema fork, use upstream v0.22.0
1e9b733c chore: bump deps, rekres
31e13e9e fix: do not release lock on apply config fails
91ec5eed fix(frontend): prevent -1 stats on home page
cf8f58e6 fix(frontend): correct config patch routing for cluster machines
cec99c31 feat(frontend): replace mount status data with volume status data
433fe435 chore: bump default talos version
23951c5c fix(frontend): reset support bundle state on close
7ed46ba9 feat(frontend): reintroduce apexcharts tree-shaking
a566261b feat(frontend): allow specifying date range for audit logs
75b77f7f fix: skip schematic comparison for invalid schematic machines
d4ae1460 release(v1.6.0-beta.2): prepare release
0b01dfdd fix: use localhost for internal kubeconfig server address
8ebaa095 fix(frontend): revert apexcharts tree-shaking
a168a96e feat: add info for audit-log filter args
afe41b09 release(v1.6.0-beta.1): prepare release
e2adcb0b fix: close ssa manager after use
543cf70b chore: force SSA manifests sync mode for Talos >= 1.13
6a0da38f chore(frontend): bump dependencies
ef3946cf fix: use uncached read for MachineExtensions in SchematicConfiguration
1e6be81f refactor: introduce uncached reader/writer package, fix flaky tests
beb7dba8 release(v1.6.0-beta.0): prepare release
a7b8b145 feat(frontend): update selected state of machineset labels
943a9ad4 fix(frontend): reset pagination when selectors change
05738937 feat: support setting upgrade parallelism in templates and UI
a9f2937c feat: add OIDC token cache isolation for generated kubeconfigs
8a814d17 feat(frontend): use new resource label colors
0cb34323 refactor(frontend): use tailwind classes instead of color variables
8a72a8ae refactor(frontend): don't interpolate resource label classes
f8a42eeb chore: move graceful upgrades to the lowest level
6f0ca32f fix(frontend): truncate machine classes in cluster list
5bb4ad9d fix(frontend): fix pending manifests warning sidebar color
6d03fc7c feat: track user and service account last activity
a6811877 refactor(frontend): create pagecontainer component to manage padding
e7f7a8ee fix(frontend): re-add padding in cluster scoped for error case
ed1ebe35 fix: enhance SAML handler startup error
a907c311 fix: properly select extensions when they're defined for cluster/ms lvl
66dbbdc6 feat(frontend): add instructions for adding machines
51747657 chore: update LICENSE
2372684a feat(frontend): show pci devices on node details
823af623 fix(frontend): fix unintented icon button size overrides
b5076c19 feat: implement saml logout flow
e57b7f5b chore(frontend): bump storybook dependencies
5d13f4ba chore(frontend): add uncategorised vue lint rules
415111c7 chore(frontend): update eslint related dependencies
05957580 chore(frontend): add lint rule for scoped styles
f361fa73 chore: bump deps
ba578e60 feat(frontend): move cluster scale pencil edit to a modal
7b1de4f0 feat(frontend): show talos and k8s versions in the cluster list
5fccd82b feat: add talos_version and kubernetes_version to clusterstatus
e3df911d feat: enforce configurable limits on user and service account creation
c5b40efb feat(frontend): add collapse/expand toggle to machine set pools
da60807d feat: add ManagementService gRPC endpoints for user operations
f29d769c fix: fetch siderolink url from omni
a6bf6667 feat(frontend): add some getting started info for clusters/machines
a4ee4b5e feat(frontend): add no clusters/machines found to home page
59881d2e refactor: remove direct dependency on github.com/siderolabs/talos
47fb4dd7 feat: allow resetting node unique tokens
578f2126 fix(frontend): handle invalid jwt response from backend
ad6cf5b1 feat: enforce auth_time in auth0 token validation
90474045 fix(frontend): keep cluster menu visible and sticky
7c0e18c2 feat: introduce machine --force destroy flag and UI option for that
4e5c9c57 fix: rename --force flag to --force-etcd-leave, same in the UI
1887d863 feat(frontend): show more detailed node disk information
ae2f48f0 refactor(frontend): clean up node mounts a bit
5bfa167d refactor(frontend): fix node details scrolling and padding
8c94b77c chore: bump Talos machinery to the latest main and use 1.12.4 schema
6776d127 feat: add global size-based cleanup for machine log storage
08c31275 test: migrate machine request set status tests
ed5b81ce feat(frontend): show nodename and uuid in support bundle modal
1abd7ce6 chore: bump default talos version
4cb81e43 test: fix flaky nature of ca rotation tests
928d568c feat(frontend): add ability to delete pending machines
6e8d837d fix: do not check Talos version in the machine set node updates
8786ad36 feat(frontend): update machine class condition text
78da5820 feat(frontend): provide get started text for first machine class
e406321d refactor(frontend): remove watch class usage from machine class
01a0b3e6 fix: add required SQLite storage path flag to compose.yaml
d133b564 fix(frontend): fix multi-doc parsing when creating single node clusters
4f6f0707 chore: update readme img
2f1f0f78 test: fix flaky unit tests
2ecd603c refactor(frontend): fix some minor lint warnings
1f237905 fix: compare current and new kernel args more defensively
d262e03b feat: allow unrejecting machines from the ui
d67b25f6 fix: track dependendants for searchFor in watch
d7d54916 refactor(frontend): remove from backupslist
8f5d64f8 test: add embedded etcd smoke test to helm e2e
ccc197b2 refactor: replace the old helm chart with the new one
69c2759b fix: break the dep loop in the cluster machine config status controller
dbf34e24 refactor(frontend): add type checking for context inclusion
52f249db feat: make more things configurable in the helm chart
fbf36740 test: add unit and e2e tests to the helm chart
04bcff7a fix: unify helm chart services and ingresses, remove JSON schema
0c2c5c1c test: use envsubst in tests and do small improvements
bd86ff31 chore: remove deprecated migration flags, config fields, and migration code
afdf123e feat: add support for Kubernetes CA rotation
4c9212f6 refactor: remove global runtime registry, inject runtimes to services
f845af53 feat(frontend): show pending and historical config diffs in ui
939a9a08 chore: expose machine request set id in the provision context
7d80fede feat: support custom Vault Kubernetes auth mount path
30d17dcf chore: update Go to 1.26 in go.mod, rekres, fix linting issues
d1c869a9 chore: bump deps, rekres
a89d270c fix: replace gotextdiff with linear-space Myers diff to prevent OOM
05e42f9a feat: expose metrics for sqlite state and add cleanup counters
868f8ac1 test: reach maintenance mode machines' Talos API through Omni in tests
ed5efa5d feat(frontend): for frontend auth flow dont require login click
ef3e3bc1 test: use automation sa directly in integration tests
6102db4e fix: use single shared etcd backup store factory
70c9a549 fix: properly generate upgrade diffs for the imported cluster
337bbe6c fix: fix memory leak in the config diff compute code
69b8e997 feat: update machinery doc links
79f85eec feat: add configuration options for audit log cleanup
7e4bc18f feat(frontend): refactor confirm modal with reka-ui
4009aa42 fix(frontend): import undefined components and add lint rule
0a4dab64 refactor(frontend): rename tbutton type to variant
e4b1f3b5 refactor(frontend): refactor patches, machine class, and node destroy watches
9bca00a7 test(installation-media): write e2e test for the wizard
a2eedd8d feat(installation-media): replace modal with wizard by default
f3cdbda7 refactor: remove global config, inject it to services
ed94ce9c fix: update the error for sqlite library
f61b72f5 refactor(frontend): reimplement tabs using reka-ui
4ef8c73b feat: move omni schematic cache to ephemeral
b9bd3f90 refactor: migrate all SQLite usage to zombiezen
922d8418 feat(frontend): add instructions on how to export cluster templates
b72b00b4 feat: bump minimum talos version to 1.8
0906bcc2 fix: prevent unwanted upgrades of non-image-factory machines
76fd73f6 feat(frontend): add clarification text to backup settings
e60b8091 feat(installation-media): remove hover on table rows and make name clickable
3a18fdd5 refactor(frontend): remove from cluster machines
eae8f84e fix: handle deletion event on InstallationMediaConfig validation
4cc3a3da test: do not check for empty wipe id in static infra provider test
3d2dc7b5 feat(frontend): allow embedding youtube videos
8f33ee1e fix: pause cluster machine watches until expanded
f2f8842a feat(installation-media): use usedownloadimage composable in download preset modal
c319d7bc fix: fix schematic generation for machines in agent mode
e73acfde chore: update dependencies
b83852a9 feat(installation-media): add download progress and omni specific filenames to images
197a7fa8 chore(frontend): update dependencies
dc2c9480 fix: check config generation errors before computing redacted configs
7e0bec69 feat(installation-media): backend validation for installation media configs
1e24fd22 feat: implement helm chart v2
c86c2e02 test: add e2e test to validate machine tabs
74e4abf8 feat(installation-media): replace edit naming with clone for installation media
c6cc25c7 feat: add support for Talos CA rotation

Changes since v1.6.0-beta.2

21 commits

cf7be162 release(v1.6.0-beta.3): prepare release
6d52a697 feat: add hsts header for omni frontend
385c512d test: fix ConfigPatching test
72cb85a4 feat: add configurable bandwidth rate limiting for SideroLink tunnel
49795f0c feat(frontend): display appropriate message for talos apis when booting
3a19194f fix: add missing timeout to the backup download calls in secrets ctrl
017b0398 fix(frontend): fix cluster details layout for ultrawide and mobile
febba94d test: fix flaky link cleanup test
118a2c7c chore(frontend): expose error codes on watches
28e85107 fix: calculate diff history and machine config out of applied config
7a153579 chore: remove go-jsonschema fork, use upstream v0.22.0
1e9b733c chore: bump deps, rekres
31e13e9e fix: do not release lock on apply config fails
91ec5eed fix(frontend): prevent -1 stats on home page
cf8f58e6 fix(frontend): correct config patch routing for cluster machines
cec99c31 feat(frontend): replace mount status data with volume status data
433fe435 chore: bump default talos version
23951c5c fix(frontend): reset support bundle state on close
7ed46ba9 feat(frontend): reintroduce apexcharts tree-shaking
a566261b feat(frontend): allow specifying date range for audit logs
75b77f7f fix: skip schematic comparison for invalid schematic machines

Changes from siderolabs/discovery-api

2 commits

9c06846 feat: change the way excluded addresses are specified
f71a14a feat: add advertised filters to discovery data

Changes from siderolabs/discovery-client

2 commits

854400f feat: bump discovery API to v0.1.8
0a4c6fd chore: update dependencies and rekres

Changes from siderolabs/discovery-service

4 commits

d5fdcb8 release(v1.0.15): prepare release
b9a9ae9 feat: update dependencies
8863fd8 release(v1.0.14): prepare release
e0c8062 chore: rekres and update dependencies

Changes from siderolabs/go-debug

1 commit

47fce68 feat: support Go 1.26, rekres

Changes from siderolabs/go-kubernetes

10 commits

8364add chore: small improcements to ssa package
a95f3bf chore: add helper functions for CLI applications
f2c063b test: add integration tests for ssa logic
9de92cf refactor: drop k8s.io/utils
8e6f068 fix: bring back legacy sync
de675a0 fix: stop using custom dialer for Kubernetes client
e7a89c3 refactor: use fluxcd/ssa instead of kubernetes cli-utils for ssa
0a235c0 feat: add early support for Kubernetes 1.36
3bea212 fix: use new Myers diff algorithm
604c56b chore: extract common code to the go-kubernetes package

Changes from siderolabs/image-factory

37 commits

f0c7a7b release(v1.0.3): prepare release
dd92631 docs: correct path to hack/copy-artifacts.sh
ddc1a83 fix: update Talos to fix rpi_5 build
b3d07e5 docs: remove redundant Kubernetes version prerequisite
9666795 fix: values.schema.json
8a8da46 feat: adjust security context for user namespace mode
bc631dc fix: values.schema.json
8ea6fe9 feat: add user namespace support with Kubernetes version validation
324c464 fix: skip initializing TUF if keyless signing is disabled
a42b9d9 release(v1.0.2): prepare release
80d1ba3 fix: pass nameoptions to verify bundle too
eec01d1 release(v1.0.1): prepare release
ec1c0a7 fix: pass insecure to the cosign new bundle verifier
14d0f2a release(v1.0.0): prepare release
a90529c feat: add more security contexts
ec69fe2 fix: extra kernel args for overlays
aa325ee feat: add Helm docs and schema
3c18e05 feat: add Sidero google service account email also to verfiers
151feb5 fix: docs url
42a1c45 feat: add helm to kres
ac4718a feat: update Talos and pkgs
1d6468e feat: add helm e2e to CI
2f0499c feat: added e2e tests
2eccf98 fix: made changes on the recommendation of copilot
e27ea36 feat: Added E2E with KUTTL
9f6b9e7 feat: Added additional tests
4939747 feat: Added helm unittests
dcaa1db feat: added helmchart
1f85622 feat: add cloudflare credentials helper
852856d fix: installer internal config
c8c6576 release(v1.0.0-beta.0): prepare release
56bd21b fix: allow Cache-Control header in CORS
83f4d91 fix: clarify bootloader selection
c8c5faa feat: allow using image GET/HEAD API by the JS code on any domains
e732d90 feat: support acm for secureboot
5f103c1 feat: support copying to clipboard
c3532c4 feat: update Talos with GRUB and other fixes

Changes from siderolabs/kms-client

3 commits

296bf9a feat: add logging to the KMS server
2d6b082 feat: add TLS support for KMS server
4233ecd chore: bump deps, rekres

Dependency Changes

github.com/aws/aws-sdk-go-v2 v1.41.1 -> v1.41.3
github.com/aws/aws-sdk-go-v2/config v1.32.7 -> v1.32.11
github.com/aws/aws-sdk-go-v2/credentials v1.19.7 -> v1.19.11
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.20.19 -> v1.22.6
github.com/aws/aws-sdk-go-v2/service/s3 v1.95.1 -> v1.96.4
github.com/aws/smithy-go v1.24.0 -> v1.24.2
github.com/cosi-project/runtime 2b3357ea6788 -> v1.14.0
github.com/cosi-project/state-sqlite v0.1.1 -> v0.3.0
github.com/emicklei/dot v1.10.0 -> v1.11.0
github.com/fluxcd/cli-utils v0.37.2-flux.1 new
github.com/google/go-containerregistry v0.20.7 -> v0.21.2
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.4 -> v2.28.0
github.com/johannesboyne/gofakes3 ebf3e50324d3 -> 4c385a1f6a73
github.com/siderolabs/discovery-api v0.1.6 -> v0.1.8
github.com/siderolabs/discovery-client v0.1.13 -> v0.1.15
github.com/siderolabs/discovery-service v1.0.13 -> v1.0.15
github.com/siderolabs/go-debug v0.6.1 -> v0.6.2
github.com/siderolabs/go-kubernetes v0.2.30 -> 8364adde8878
github.com/siderolabs/image-factory b5ba6630ed93 -> v1.0.3
github.com/siderolabs/kms-client v0.1.0 -> v0.2.0
github.com/siderolabs/omni/client v1.4.7 -> v1.5.9
github.com/siderolabs/talos/pkg/machinery b9e27ebe72c4 -> cc636f1dd1f1
github.com/zitadel/oidc/v3 v3.45.3 -> v3.45.5
go.etcd.io/etcd/client/pkg/v3 v3.6.7 -> v3.6.8
go.etcd.io/etcd/client/v3 v3.6.7 -> v3.6.8
go.etcd.io/etcd/server/v3 v3.6.7 -> v3.6.8
go.yaml.in/yaml/v4 v4.0.0-rc.3 -> v4.0.0-rc.4
golang.org/x/crypto v0.47.0 -> v0.48.0
golang.org/x/net v0.49.0 -> v0.51.0
golang.org/x/oauth2 v0.34.0 -> v0.36.0
golang.org/x/sync v0.19.0 -> v0.20.0
golang.org/x/text v0.33.0 -> v0.34.0
golang.org/x/time v0.14.0 -> v0.15.0
golang.org/x/tools v0.41.0 -> v0.42.0
google.golang.org/grpc v1.78.0 -> v1.79.2
google.golang.org/protobuf v1.36.11 -> f2248ac996af
k8s.io/api v0.35.0 -> v0.35.2
k8s.io/client-go v0.35.0 -> v0.35.2
k8s.io/klog/v2 v2.130.1 -> v2.140.0
sigs.k8s.io/controller-runtime v0.22.4 -> v0.23.3
zombiezen.com/go/sqlite v1.4.2 new

Previous release can be found at v1.5.0