github siderolabs/omni v1.8.0-beta.1

Omni 1.8.0-beta.1 (2026-05-18)

Welcome to the v1.8.0-beta.1 release of Omni!
This is a pre-release of Omni.

Please try out the release binaries and report any issues at
https://github.com/siderolabs/omni/issues.

Urgent Upgrade Notes (No, really, you MUST read this before you upgrade)

Omni now uses --join-tokens-mode=legacyAllowed by default, so it will not start if any nodes running Talos below 1.6 are connected to the instance.
To keep using Omni with the outdated Talos, set the flag to legacy. We strongly recommend updating Talos as soon as possible.

omnictl cluster template has a breaking change: it now rejects includes of files outside the current directory.
If a template uses files in parent directories, the old behavior can be enabled with --allowed-dir.

Additional Audit Log Filters

Audit logs gain a generic search box and sortable columns in the UI, plus CLI filters for event_type, resource_type, resource_id, cluster_id, and actor.

Per-Actor etcd Write Metrics

New omni_etcd_operations_total and omni_etcd_resource_bytes_total Prometheus counters track etcd writes, split by operation (create/update/teardown/destroy), actor (internal/user/service account/infra provider), actor ID, and resource type. Byte sizes are captured from the actual on-disk payload via a new WithObserver hook in state-etcd.

Disks and Devices on Machine Pages

The frontend now shows disks and devices on the machines and individual machine pages.

Talos Version Text on Installation Media Wizard

The installation media wizard's Talos version text has been updated for clarity.

Switching Logs Inside the Logs Tab

The logs tab now allows switching between log sources directly inside the tab.

Quick Switching Between Cluster Machines

The frontend allows quickly switching between machines within a cluster from the machine detail view.

In-UI Notifications

Omni notifications are now shown in the UI as dismissible banners.

Frontend Quality-of-Life Improvements for Machines

The cluster machine page gains a copy-UUID button, the machines list page can toggle between hostnames and UUIDs (with the preference saved), and machine and cluster machine pages gain kernel args tabs for editing kernel arguments inline instead of through a modal.

Re-Saving the Omni Support Bundle

The frontend now allows re-saving a previously generated Omni support bundle without regenerating it.

Support Modal

A new support modal in the frontend exposes links to GitHub issues, support channels, documentation, community resources, and office hours.

Helm Chart Values Generated From Config Schema

A new helmvaluesgen tool, run on make generate, updates the config: section of the Helm chart's values.yaml from Omni's config schema, applying chart-specific overrides for defaults, omissions, and descriptions.

Legacy Installation Media Proxying Removed

Omni no longer proxies legacy installation media download requests to the Talos Image Factory. Such requests are now rejected with a message asking users to upgrade omnictl, which downloads installation media directly from the factory.

Image Factory Proxy for Infra Providers

Infra provider Image Factory requests can now be proxied through Omni via a new schematic creation API that accepts raw YAML. This is useful when Omni holds authentication for the Image Factory or when multiple Image Factory endpoints need to be supported.

Imported Cluster Secrets Cleanup

A new controller tears down ImportedClusterSecrets once their content has been copied into ClusterSecrets and marked Imported=true, so imported bootstrap material does not linger in the state after a successful import.

Infra Provider Factory Endpoint

Infra providers now use the Image Factory endpoint configured in Omni's features state (sourced from args/config) instead of a hardcoded default. The configured factory URL is exposed on the provider.

Installation Media Placeholders

InstallationMediaConfig now accepts empty strings for talosVersion and joinToken, which resolve to the current stable version and default token at download time. The create wizard exposes "Automatic" options for these fields, and the download modal shows version/token/arch pickers for all presets.

Reader Access to Join Tokens

Users with the reader role can now read join tokens.
Readers already had access to them through Talos logs, so this makes the access more consistent.
More fine-grained access will come with RBAC v2 later on.

Multi-Port Workload Proxy

The omni-kube-service-exposer.sidero.dev/port annotation now accepts a comma-separated list of host-port or host-port:service-port entries, each producing its own ExposedService URL. Label, icon, and prefix annotations gain per-host-port suffixed variants (e.g. label-30080). Existing single-port exposed services keep their URLs across the upgrade.

Configurable Log Level and Format

Omni's log level and log format are now configurable via flags and config.

Provision Step Errors on Machine Requests

A new Error field on ClusterMachineRequestStatus surfaces provision step failures so users can see why a request is stuck without scraping logs. Errors are now persisted on both failure and requeue paths.

omnictl media Command Group

A new omnictl media preset {create,list,delete} command group manages InstallationMediaConfig presets from the CLI, and omnictl media download <preset> downloads from them. Preset validation runs against the server's CloudPlatformConfig, SBCConfig, and TalosExtensions resources at create time. The legacy omnictl download is preserved but deprecated.

Plain Download Links for Images

The frontend now uses plain browser download links for factory image downloads instead of intercepting them.

Powered Off Machine State

Machines that are shut down now appear as "Powered Off" in the UI instead of being stuck in "Shutting Down" with a greyed-out unreachable state. Static infra providers honor the shutdown until the machine goes through a deallocation cycle, instead of automatically powering it back on. The CLI gains omnictl machine shutdown and omnictl machine power-on commands.

Per-Key Creation and Last-Active Tracking for Service Accounts

Service account key listings now include per-key creation timestamps and last-active times. omnictl serviceaccount list shows KEY CREATED and KEY LAST ACTIVE columns alongside the existing SA-level LAST ACTIVE. A new PublicKeyLastActive resource backs this tracking, and the activity interceptor records last-used timestamps per signing key fingerprint.

Commented omnictl serviceaccount create Output

The output of omnictl serviceaccount create is now commented out by default, making it friendlier for piping into .env files and shell automation.

Talos Version End-of-Support Notifications

Omni now tracks machines running Talos versions approaching or past end of support relative to MinTalosVersion, emits two new notifications (approaching end of support, end of support reached), and exposes Prometheus metrics for both.

Download talosctl From Factory

talosctl binaries are now downloaded directly from the Talos Image Factory instead of GitHub.

Cluster Template Include Directory Restrictions

By default, cluster templates can only include files from the same directory as the template file. This prevents malicious templates from including arbitrary files like /etc/passwd. The previous behavior can be restored with --allowed-dir.

Raw Bytes Support in Template Inline Fields

Inline fields for manifests and config patches now accept three forms: a single inline map (for backward compatibility), a list of inline maps, or raw bytes (which may contain multiple YAML documents). omnictl cluster template export now exports patches and manifests as raw bytes so multi-document values round-trip correctly.

Template Includes Resolved Relative to Template File

omnictl cluster template commands now resolve patch and Kubernetes manifest includes relative to the template YAML file, rather than the current working directory of omnictl.
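
The include rules from the two notes above (includes resolved relative to the template file, and confined to its directory unless --allowed-dir adds another), sketched as an added Go example that is not Omni's code. ResolveInclude and ErrOutsideAllowedDir are hypothetical names; the sketch assumes subdirectories of the template directory are permitted and that symlinks are resolved before the containment check.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideAllowedDir marks an include that resolves outside every permitted directory.
var ErrOutsideAllowedDir = errors.New("include outside allowed directories")

// canonical returns the absolute, symlink-free form of p (p must exist).
func canonical(p string) (string, error) {
	abs, err := filepath.Abs(p)
	if err != nil {
		return "", err
	}
	return filepath.EvalSymlinks(abs)
}

// ResolveInclude (hypothetical) resolves include against the template's directory and confines it.
func ResolveInclude(templatePath, include string, allowedDirs ...string) (string, error) {
	base := filepath.Dir(templatePath)
	if !filepath.IsAbs(include) {
		include = filepath.Join(base, include)
	}
	target, err := canonical(include)
	if err != nil {
		return "", err
	}
	for _, dir := range append([]string{base}, allowedDirs...) {
		if root, err := canonical(dir); err == nil { // a missing allowed dir grants nothing
			rel, err := filepath.Rel(root, target)
			if err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
				return target, nil
			}
		}
	}
	return "", fmt.Errorf("%w: %s", ErrOutsideAllowedDir, target)
}

func main() {
	// Constructed sample tree: tmp/secret.yaml and tmp/templates/patch.yaml.
	tmp, _ := os.MkdirTemp("", "tmpl")
	defer os.RemoveAll(tmp)
	os.Mkdir(filepath.Join(tmp, "templates"), 0o755)
	os.WriteFile(filepath.Join(tmp, "secret.yaml"), []byte("x"), 0o600)
	os.WriteFile(filepath.Join(tmp, "templates", "patch.yaml"), []byte("y"), 0o600)
	tpl := filepath.Join(tmp, "templates", "cluster.yaml")
	_, okErr := ResolveInclude(tpl, "patch.yaml")
	_, badErr := ResolveInclude(tpl, "../secret.yaml")
	fmt.Println(okErr, badErr)
}
```

Checking the symlink-resolved path rather than the cleaned string is what stops a link placed inside the template directory from pointing back out of it.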

Contributors

  • Edward Sammut Alessi
  • Oguz Kilcan
  • Utku Ozdemir
  • Artem Chernyshev
  • Andrey Smirnov
  • Noel Georgi
  • Mateusz Urbanek
  • Justin Garrison
  • Maja Bojarska
  • Orzelius
  • Quentin Joly
  • Spencer Smith

Changes

82 commits

  • df05dbae release(v1.8.0-beta.1): prepare release
  • b5e5e86e refactor: update minio env names
  • 5a894a21 chore: update helm README with new install instructions
  • 4fe2a67f chore: rekres, bump deps and default versions
  • 6fab9972 release(v1.8.0-beta.0): prepare release
  • ac81e59f feat: collect ClusterKubernetesManifestStatus in the support bundles
  • 64a1d536 fix: wrong role promotion for some etcd APIs
  • 7cc7e181 test: fix workload proxy integration test for upgrade scenario
  • 2c8b1789 feat: add per-actor etcd write metrics
  • 49322f05 feat: use plain download links for image downloads
  • 01742e71 feat: add log level and format configuration
  • 7fb5b164 chore: bump deps
  • cab06214 feat(frontend): allow switching logs inside logs tab
  • c890ecec refactor(frontend): move node logs logic into machinelogscontainer
  • 75cdb09f refactor(frontend): extra machine service list into a composable
  • 9f1bb2fa docs: add COSI resource operations in API usage examples
  • 13c3f289 fix: add more input validations to management API
  • ced79da6 fix: consume SAML sessions once
  • 7b72ac64 chore(frontend): bump dependencies
  • ed7738b3 fix: do not panic is ssa apply with multi-version CRDs
  • e08e566d feat: destroy imported cluster secrets after bundle is consumed
  • d01a6f66 fix(frontend): keep machine details open when switching
  • 25fa9e14 fix: change ImportedClusterSecrets access level to operator
  • 39ee2f01 feat: proxy image factory requests done by the providers through Omni
  • e7aee25c test(frontend): add e2e tests for join tokens in frontend
  • e6be461c fix(frontend): add apexcharts formatter workaround
  • ba6205f5 fix(frontend): fix apexcharts broken tooltips and initial state
  • addf6624 feat: add omnictl media command group with preset support
  • 110be565 feat: expose provision step errors on machine request status
  • 699ebf70 fix(frontend): fix revoking/deleting join tokens
  • 1f4f2afa feat: allow exposing a Kubernetes service on multiple host ports
  • 75e881fc feat: resolve patches/kubernetes manifests relative to the templates dir
  • e9b71f0b fix(frontend): only show machine patches for currently visible machine
  • a524554c fix(frontend): fix editing labels on machine class
  • c14ee101 refactor(frontend): refactor all but the last tlist use of watch.setup
  • 56cce45e chore(frontend): bump node to 24.15.0
  • 7989c3c0 test: fix data race in machine service mock
  • c141613d fix: fix the storm of PendingUpdateStatus create/destroy
  • a43407d0 feat: generate config section of helm chart values from config schema
  • 0cdb5a58 feat: support raw bytes in the inline fields for manifests/patches
  • 14b83e12 feat: set infra provider factory endpoint to the one configured in omni
  • efbd089f feat(frontend): add qol machine updates to omni frontend
  • 2fe716d2 chore: enable go linting for build tags, fix linting errors
  • 718d61a6 chore(frontend): bump dependencies
  • d3592671 feat: download talosctl directly from factory
  • b2671d08 refactor(frontend): create downloadfile helper
  • dc9baca8 refactor(frontend): refactor downloadtalosctl modal to new modal system
  • 06d8140d feat: add join token/talos version placeholders in installation media
  • 5f4b9761 fix: bring back election campaign resign code in the etcd state
  • 03c4e1d9 fix: stop logging Kubernetes read checks
  • dc3b974d fix: remove workload proxy deployment when disabled on the account
  • 65af568b fix: skip allocating nodes for deleted/tearing down MachineRequests
  • f9dd8491 feat: introduce powered off machine state and power on support
  • 921389a5 fix(frontend): fix eula handling to prevent being stuck on /eula
  • 725f41d4 fix: properly display service account expiration time in the UI
  • c5a43105 feat(frontend): add support modal to omni
  • 66383890 feat(frontend): show disks and devices in machines/machine page
  • 1e31079e fix(frontend): fix indeterminate state for update extensions modal
  • 6d7e4f45 feat(frontend): allow quickly switching between cluster machines
  • c98b1187 fix(frontend): clear page state when keys are cleared
  • f89955b4 refactor(frontend): remove last use of component
  • be67f710 feat: allow reader access to join token
  • f2211688 chore: bump deps
  • 475e3660 feat: add Talos version end-of-support notifications and metrics
  • 302e9175 feat: comment serviceaccount create output
  • 967c229e chore: rekres to update to new kres schema
  • edbb621a chore: bump stripe-go to v85
  • cc0adefc fix(frontend): select default join token in installation media wizard
  • 0987fa9e chore: prepare omni with talos v1.13.0-rc
  • 73a06f89 chore: bump talos machinery
  • 78544a85 feat: restrict directories for included files in the cluster templates
  • a3fd0b1c feat(frontend): allow re-saving omni support bundle
  • 5c4a6b57 feat: remove image factory proxying
  • dc5e289c feat(frontend): show notifications in the frontend
  • 9fd6e9e1 fix(frontend): open external eula link in a new tab
  • 8c23f72e chore: bump deps
  • 2e9d00a6 chore: make Omni use join tokens mode legacyAllowed by default
  • 488b020b feat: add more filters to audit logs
  • 590ea2e3 feat: add per-key creation and last-active tracking for service accounts
  • 44b0d636 chore: bump deps
  • 186f02b4 chore(frontend): bump frontend dependencies
  • 57216254 feat(frontend): update talos version text on installation media wizard

Changes since v1.8.0-beta.0

4 commits

  • df05dbae release(v1.8.0-beta.1): prepare release
  • b5e5e86e refactor: update minio env names
  • 5a894a21 chore: update helm README with new install instructions
  • 4fe2a67f chore: rekres, bump deps and default versions

Changes from siderolabs/go-kubernetes

2 commits

  • 38c182f fix: normalize the changeset to be keyed without apiVersion
  • ca35008 feat: update k8s api to 0.36.0

Changes from siderolabs/image-factory

22 commits

  • ccffefc release(v1.2.0): prepare release
  • 4abeff4 feat: add /talosctl/:version endpoint to list downloadable talosctls
  • 405b488 feat(i18n): add french locale
  • c6ad082 feat(registry): resolve latest tag to stable version
  • 471706d chore: drop update to talos main tests
  • 403cd5a fix: centralize schematic ownership enforcement
  • f1cceee feat: implement authentication support
  • 81f9312 release(v1.1.0): prepare release
  • 1b834b7 feat: add SHA-256 and SHA-512 checksum frontend
  • e775c36 feat: upgrade tailwind to v4
  • bb27d39 feat: update Talos to v1.13.0-rc.0
  • 2a59890 fix: gsa signer pull during verify
  • fbc302f fix: support insecure registries for signature bundles
  • 8e7d10e feat: add support for google service account signing
  • 74afd80 fix: set correct Content-Type when downloading images
  • 8372fe8 feat: add SPDX frontend
  • b379bf2 feat: switch schematic cache to LRU and negative TTL
  • 0450038 chore: remove deuplicate k8s-down ci step
  • 470cb2f chore: switch to large runners
  • 713fc6e fix: memory usage when building images
  • 0a25274 fix: excessive memory usage
  • 0f9eb22 feat: update machinery doc links

Dependency Changes

  • github.com/aws/aws-sdk-go-v2 v1.41.5 -> v1.41.7
  • github.com/aws/aws-sdk-go-v2/config v1.32.14 -> v1.32.17
  • github.com/aws/aws-sdk-go-v2/credentials v1.19.14 -> v1.19.16
  • github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.22.12 -> v1.22.18
  • github.com/aws/aws-sdk-go-v2/service/s3 v1.98.0 -> v1.101.0
  • github.com/aws/smithy-go v1.24.3 -> v1.25.1
  • github.com/coreos/go-oidc/v3 v3.17.0 -> v3.18.0
  • github.com/cosi-project/runtime v1.14.1 -> v1.16.0
  • github.com/cosi-project/state-etcd v0.5.3 -> v0.6.0
  • github.com/fluxcd/cli-utils v0.37.2-flux.1 -> v1.2.0
  • github.com/fluxcd/pkg/ssa v0.70.0 -> v0.74.0
  • github.com/fsnotify/fsnotify v1.9.0 -> v1.10.1
  • github.com/google/go-containerregistry v0.21.4 -> v0.21.5
  • github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 -> v2.29.0
  • github.com/mattn/go-shellwords v1.0.12 -> v1.0.13
  • github.com/siderolabs/go-kubernetes v0.2.36 -> v0.2.37
  • github.com/siderolabs/image-factory v1.0.3 -> v1.2.0
  • github.com/siderolabs/omni/client v1.6.1 -> v1.6.5
  • github.com/siderolabs/talos/pkg/machinery v1.13.0-rc.0 -> v1.13.2
  • github.com/stripe/stripe-go/v85 v85.1.0 new
  • github.com/zitadel/oidc/v3 v3.46.0 -> v3.47.5
  • go.etcd.io/etcd/client/pkg/v3 v3.6.10 -> v3.6.11
  • go.etcd.io/etcd/client/v3 v3.6.10 -> v3.6.11
  • go.etcd.io/etcd/server/v3 v3.6.10 -> v3.6.11
  • go.uber.org/zap v1.27.1 -> v1.28.0
  • golang.org/x/crypto v0.49.0 -> v0.51.0
  • golang.org/x/net v0.52.0 -> v0.54.0
  • golang.org/x/text v0.35.0 -> v0.37.0
  • golang.org/x/tools v0.43.0 -> v0.45.0
  • google.golang.org/grpc v1.80.0 -> v1.81.0
  • k8s.io/api v0.35.3 -> v0.36.0
  • k8s.io/apimachinery v0.35.3 -> v0.36.0
  • k8s.io/client-go v0.35.3 -> v0.36.0
  • sigs.k8s.io/controller-runtime v0.23.3 -> v0.24.0

Previous release can be found at v1.7.0
