github siderolabs/omni v1.9.0-beta.0

Omni 1.9.0-beta.0 (2026-06-19)

Welcome to the v1.9.0-beta.0 release of Omni!
This is a pre-release of Omni.

Please try out the release binaries and report any issues at
https://github.com/siderolabs/omni/issues.

Per-Class etcd Write Rate Limiting

You can now throttle etcd writes by payload size, with separate budgets for end users, infra providers, and internal callers. It is off by default and turns on via storage.rateLimits.etcd.*. Four new Prometheus series report throttle wait time, admitted writes, rejected writes, and rejected bytes, labeled by class. The failure counters also carry a reason of timeout or oversize.

KubeSpan Status View

A new graphical view shows KubeSpan peer status for a cluster machine.

Frontend Quality-of-Life Improvements

A round of UI improvements across Omni. The home screen has a reworked "Welcome to Omni" card. An unhealthy infrastructure provider shows its error on hover, the machine details panel shows the SMBIOS serial number, and kernel args editing moved into a modal. Config diffs have a sort-order toggle, version pickers sort newest first and scroll to the current selection, and Talos and Kubernetes update calls now report their errors. The disks view got several cleanups, pods sort by status, power-state icons have tooltips, Omni shows a loading indicator when it is slow to start, and the rewritten log viewer scrolls to the bottom reliably.

Static loadBalancerIP for the WireGuard Service in Helm

The Helm chart has a new service.wireguard.loadBalancerIP value for setting a static load balancer IP on the WireGuard Kubernetes Service. It is rendered only when the WireGuard service type is LoadBalancer.

Support for Image Factory Enterprise

Two new config options, registries.imageFactoryUsername and registries.imageFactoryPassword, let Omni authenticate to the Image Factory Enterprise with HTTP basic auth.

Kubernetes Manifests Status in the UI

The frontend now shows the status of a cluster's synced Kubernetes manifests.

Per-Machine Log Ingestion Rate Limit

Log ingestion now uses a per-machine token bucket, so one noisy machine can no longer overwhelm the log store. It is off by default to keep backwards compatibility.
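The two rate limits described above (per-class etcd write bytes and per-machine log ingestion) both come down to a keyed token bucket. The following is an added sketch of that idea, not Omni's implementation: the type and function names, the budgets, and the maximum wait are all assumptions, and the clock is passed in so the behaviour is deterministic.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

type bucket struct {
	rate, burst, tokens float64 // bytes/second, capacity, current fill
	last                time.Time
}
type Limiter struct {
	buckets map[string]*bucket // one byte budget per caller class or machine ID
	maxWait time.Duration      // longest throttle wait before rejecting
}

func NewLimiter(maxWait time.Duration) *Limiter {
	return &Limiter{buckets: map[string]*bucket{}, maxWait: maxWait}
}

func (l *Limiter) SetBudget(key string, rate, burst float64, now time.Time) {
	l.buckets[key] = &bucket{rate: rate, burst: burst, tokens: burst, last: now}
}

// Admit returns how long the caller must wait before writing size bytes,
// or a reject reason ("oversize" or "timeout"); "" means admitted.
func (l *Limiter) Admit(key string, size float64, now time.Time) (time.Duration, string) {
	b, ok := l.buckets[key]
	if !ok {
		return 0, "" // no budget set: limiting is off for this key
	}
	if size > b.burst {
		return 0, "oversize" // could never fit, so fail without waiting
	}
	b.tokens = math.Min(b.burst, b.tokens+now.Sub(b.last).Seconds()*b.rate)
	b.last = now
	wait := time.Duration(math.Max(0, size-b.tokens) / b.rate * float64(time.Second))
	if wait > l.maxWait {
		return 0, "timeout" // rejected writes do not consume budget
	}
	b.tokens -= size // reserve; the fill may go negative until refilled
	return wait, ""
}

func main() {
	l := NewLimiter(2 * time.Second)
	l.SetBudget("user", 1000, 4000, time.Unix(0, 0)) // constructed budget
	fmt.Println(l.Admit("user", 5000, time.Unix(0, 0)))
}
```

Because each key has its own bucket, a class or machine that exhausts its budget only delays or rejects its own writes.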

Machine Config Patches in Maintenance Mode

Omni can now apply machine-level config patches while a machine is still in maintenance mode, not just after it joins a cluster. The patches go on top of the configuration the machine already runs, next to the SideroLink documents Omni manages, and Omni will not apply a document that installs Talos and pulls the machine out of maintenance. Omni also keeps whatever configuration a machine connects with as a low-priority, user-owned patch. So a machine that arrives with its own config (say a TrustedRootsConfig document) keeps it, and your own patches still win.

Install and Upgrade Talos in Maintenance Mode

A new streaming management API installs or upgrades Talos on machines booted in maintenance mode. It comes with omnictl install and upgrade subcommands and frontend modals that stream installer progress live. This feature uses Talos's LifecycleService API, which became available in v1.13.0. So it works with any Talos version starting from v1.13.0.

SBOM, VEX, and Vulnerability Scan on the Installation Media Wizard

The installation media wizard's confirmation page now shows SBOM and VEX links plus the vulnerability scan and modal, the same as the Image Factory. This shows up only when you use the Image Factory Enterprise.

Opt-In Skip of Kubernetes Node Audit

The Kubernetes node audit deletes nodes that no ClusterMachine backs. You can now skip it for individual nodes, which helps with virtual nodes such as VirtualKubelet. A node is skipped only when it has the omni.sidero.dev/node-audit-skip annotation and the cluster owner has turned on the matching cluster feature, so a workload cannot annotate its own way out of the audit.

Node Names and Locked Status in omnictl cluster status

The omnictl cluster status tree now prints each machine's Kubernetes node name in parentheses after its UUID, so you can match a machine to the upgrade status lines that reference node names. A "Locked" indicator shows up whenever a machine is locked.

Platform Tags Exposed as Machine Labels

Talos PlatformMetadata tags (for example EC2 instance tags) now appear as editable, removable machine labels in Omni. Omni fills them in once, when the machine first joins, and your own custom labels win on any key conflict.

Schematic Contents Preserved on Update

When Omni changes a machine's schematic, it now touches only the fields it manages (extensions and kernel args) and leaves the rest alone, instead of rebuilding the schematic from scratch. It reads the full schematic from the machine or the Image Factory and stores it as is.

Signed Images and SBOM Release Artifacts

Omni releases now ship an SBOM built from the Go modules as a release artifact, and Sidero Labs signs the published container images during release.

Talos Upgrade Targets Capped at the Latest Supported Release

Each Omni release now declares the latest Talos minor version it can support end to end. Cluster create and update, the maintenance upgrade API, the upgrade status computation, and every version picker in the UI all read this same cap, so you can no longer pick a Talos version newer than the running Omni supports.

Contributors

  • Edward Sammut Alessi
  • Utku Ozdemir
  • Mateusz Urbanek
  • Oguz Kilcan
  • Artem Chernyshev
  • Maja Bojarska
  • Noel Georgi
  • Andrey Smirnov
  • Orzelius
  • 0hlov3
  • Bo Bobson
  • Matthew Sanabria
  • Sterling Koch
  • Steve Francis
  • fsgh42

Changes

97 commits

  • 0f853e1b release(v1.9.0-beta.0): prepare release
  • 060a4c75 chore: bump deps and default versions
  • 43bf5856 test: run integration-qemu against the image factory enterprise
  • 4b49029c feat: support machine config patches in maintenance mode
  • b9e40717 fix: stabilize flaky talemu e2e EULA setup and preset downloads
  • 448ed9a6 docs: update LICENSE
  • b44f92ef fix: ignore the embedded-config meta extension
  • e32307d8 fix: allow empty list of extensions in cluster templates
  • b08c34ac feat: implement advanced healthchecks for the cluster
  • 1c125d3f chore: add Oguz to sops-encrypted secrets recipients
  • 9a736342 fix: properly handle invalid UTF-8 strings in the machine statuses
  • d77ee049 fix: properly handle empty provider data in the common module
  • c55173ef feat: validate Talos version on installation media config
  • 243f046e fix(frontend): display correct units for byte values
  • d9eebd7c fix(frontend): reset monitor chart on watch change
  • 7f02f41f chore(frontend): bump frontend dependencies
  • 27ef3dd0 feat: install/upgrade Talos in maintenance mode
  • 18131edf feat(frontend): change machine tutorial into a welcome card
  • 4fdc0719 feat(frontend): adjust action buttons on getting started card
  • 987b3ec1 feat: reject control characters in join token names
  • 8bfc6c17 fix(frontend): fix incorrect pxe boot url
  • ead9840b feat: validate user-supplied request IDs and kernel args
  • 1ebde6a4 feat: validate bootstrap snapshot path on machine sets
  • 1ff04579 feat: allow opt-in skip of Kubernetes node audit
  • 50dcd264 feat: validate resource metadata at the state layer
  • 086a1964 feat: preserve schematic contents
  • 1ab0c4e3 feat(frontend): display infrastructure provider error when unhealthy
  • 5c67c7c9 fix: read machine uncached when deciding whether to reset it
  • 098dac2c refactor: remove unused fields, fix print columns/comments of resources
  • a29fba49 fix: use correct help string in the omnictl jointoken delete command
  • 9505aabe feat(frontend): add kubespan status view
  • d1976887 refactor: replace injectable clocks with real time
  • b5be9a77 fix: prune expired public keys with finalizers or no owner
  • 64b02f4f feat: cap Talos upgrade targets at the latest supported release
  • a1367d90 feat: per-machine log ingestion rate limit
  • bc0e5273 refactor: move state validations into their own package
  • 33909b1b fix: keep exposed services reachable after a health check flap
  • 84649427 feat(helm): support loadBalancerIP for WireGuard service
  • 4db44704 fix: release config update slot while a machine waits to upgrade
  • e63ea1f0 feat: add PostHog analytics to the Omni frontend
  • 5b520366 chore: bump major go dependencies
  • 48a7f939 fix: persist config status when update lock is contended
  • 59d9079c refactor(frontend): remove last cases of any in codebase
  • 665371f3 refactor: drop unused field in create schematic gRPC request
  • c2f52d79 fix: prevent deadlock between machine upgrade and config update
  • 86159433 feat: nest omnictl, talosctl, scans under api
  • f144020c feat(frontend): show vulnerability items on installation media wizard
  • 68afcd08 chore: rekres
  • b3e038f8 feat(frontend): generate talos types for frontend
  • 0610a408 refactor(frontend): type tlist items
  • 4afaf514 refactor(frontend): drop watchjoin
  • 998e803e chore: bump go-kubernetes library
  • ccbc50bd feat(omnictl): show node name and locked status in cluster status
  • 3edf383b chore: bump deps, rekres, Talos 1.13.3, Kubernetes 1.36.1
  • 429708f8 feat(frontend): show join tokens in saved presets list
  • c857af93 feat(frontend): enable field-sizing content for kernel args
  • f62e044a feat(frontend): show errors for all update talos/k8s issues
  • 7ddd63b1 feat(frontend): sort upgrade modal versions descending and scroll to selected
  • ffcbf334 refactor(frontend): refactor update talos + k8s to new modals
  • 9248b762 test: mock clock in saml test
  • d18726e9 fix: lower minimum discovered Kubernetes version
  • 2dd7c880 test: pick previous Omni upgrade version from the release line
  • 2bfe8c08 chore: rekres and bump frontend deps
  • 3b9399fb fix: do not downgrade nodes header to single node
  • 15ad495a test: bump Talos to 1.13.3
  • 25f5de5c feat(frontend): allow changing config diff sort order
  • 0f060a44 feat(frontend): add improvements to disks view
  • e297c4d4 fix: hack/compose dlv tools install
  • 1704f004 chore(hack): add delve debugger support
  • 30d5d286 test: use up-to-date way to set node labels on the nodes in the tests
  • 72dfce9e fix(frontend): remove lingering test code
  • 028a57e8 feat(frontend): move editing logic for kernel args into a modal
  • 76ee6332 feat(frontend): add tooltips to power state
  • 32992281 feat: refactor logviewer to tanstack virtual
  • 1fafd378 chore: bump dependencies
  • 988bc9e8 chore: add missing syft version to kres
  • 065db696 test(integration): bump readiness timeout durations
  • fc362b5f feat: expose ec2 tags as machine labels
  • 6d61a546 feat: add sign-images target to sign omni container image
  • 34473a7f feat: generate SBOM as a release artifact
  • fa2f11fc fix: fetch versions from registry with auth
  • 0a2641c6 chore: bump deps to patch GO-2026-5027
  • ddfa70a9 feat: add per-class etcd write-bytes rate limiting
  • 69e4fe25 feat(frontend): add some feedback when omni is loading
  • 5246ba33 fix: ensure infra providers with new common module support the old Omni
  • 9ae98330 feat(frontend): sort pods by status on pods list
  • c8daa780 fix(frontend): fix incorrect permissions-policy header
  • 7484972d feat(frontend): load robot fonts from npm
  • bb442ab7 feat: add teardown RPCs and tighten state API access
  • c1126b47 chore: fix linter issues
  • 120be2f1 chore: rekres to secure slack workflows
  • 68624952 fix: dont clean clients with active watches
  • 679ca301 feat: support basic auth against the image factory
  • 2ce7140e feat: introduce UI for showing Kubernetes manifests status of clusters
  • c990a082 feat(frontend): change service finished state style to gray
  • 1b9177ee feat(frontend): show smbios serial info on machine details panel
  • 9dd6cb49 refactor: drop compose 'version' (from hack)

Changes from siderolabs/go-api-signature

1 commit

  • 07009e7 chore: bump deps, update gopenpgp to v3

Changes from siderolabs/go-kubernetes

2 commits

  • cc8c2c9 fix: return the apply results in a consistent order
  • 131a2bd fix: handle cluster-scoped resources with a ns correctly

Changes from siderolabs/go-talos-support

2 commits

  • 59d47af feat: rewrite support bundle library around client provider
  • 8dd4326 feat: support encryption of the support bundle using age

Changes from siderolabs/image-factory

26 commits

  • 425e59e release(v1.3.3): prepare release
  • b5d3d92 fix: vulnerability scans with extensions
  • 916bcf6 feat: update go-vex
  • 9920386 feat: update Image Factory with Talos 1.14.0-alpha.1
  • d49e952 feat: allow excluding Talos releases
  • 147a3e8 feat: add scan report to factory client
  • 2887e78 feat: add support for embedding machine configuration
  • 660ac01 release(v1.3.2): prepare release
  • 38183fc fix: update golang.org/x/net
  • 9f6aee8 fix: make PXE copyable on SecureBoot
  • d7377c5 refactor: migrate to Tailwind CSS classes
  • 1e86750 fix: update golang.org/x/* packages
  • 33c79e4 test: move from kuttl to chainsaw
  • ba34dab feat: move SPDX cache to enterprise options
  • cd137ed chore: disable authentication for local development
  • 4ea792f fix: build profile with version
  • fcf9d57 release(v1.3.1): prepare release
  • 1d216c7 docs: update the developing documentation
  • 4a60270 fix(config): validate early and sort SPDX deterministically
  • 41d3947 release(v1.3.0): prepare release
  • ae3ed04 feat: add enterprise features with Helm chart support
  • 3fb0f96 feat(enterprise): add vulnerability scanning endpoint
  • 92209b6 feat: return normalized schematic on creation
  • ba2a46d feat(enterprise): implement VEX endpoint
  • 9b40156 feat: show schematic-id url parameter on the final wizard step
  • 114bb60 fix(spdx): use configured external URL in document namespace

Dependency Changes

  • github.com/ProtonMail/go-crypto v1.4.1 new
  • github.com/ProtonMail/gopenpgp/v3 v3.4.1 new
  • github.com/auth0/go-jwt-middleware/v3 v3.2.0 new
  • github.com/aws/aws-sdk-go-v2 v1.41.7 -> v1.42.0
  • github.com/aws/aws-sdk-go-v2/config v1.32.17 -> v1.32.25
  • github.com/aws/aws-sdk-go-v2/credentials v1.19.16 -> v1.19.24
  • github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.22.18 -> v1.22.28
  • github.com/aws/aws-sdk-go-v2/service/s3 v1.101.0 -> v1.104.0
  • github.com/aws/smithy-go v1.25.1 -> v1.27.2
  • github.com/coreos/go-oidc/v3 v3.18.0 -> v3.19.0
  • github.com/cosi-project/runtime v1.16.0 -> v1.16.1
  • github.com/cosi-project/state-etcd v0.6.0 -> v0.7.0
  • github.com/felixge/httpsnoop v1.0.4 -> v1.1.0
  • github.com/fluxcd/cli-utils v1.2.0 -> v1.2.1
  • github.com/fluxcd/pkg/ssa v0.74.0 -> v0.76.0
  • github.com/golang-jwt/jwt/v5 v5.3.1 new
  • github.com/google/go-containerregistry v0.21.5 -> v0.21.7
  • github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 new
  • github.com/prometheus/client_model v0.6.2 new
  • github.com/prometheus/common v0.67.5 -> v0.69.0
  • github.com/russellhaering/goxmldsig v1.6.0 new
  • github.com/siderolabs/go-api-signature v0.3.12 -> v0.3.13
  • github.com/siderolabs/go-kubernetes v0.2.37 -> v0.2.39
  • github.com/siderolabs/go-talos-support v0.2.1 -> v0.3.0
  • github.com/siderolabs/image-factory v1.2.0 -> v1.3.3
  • github.com/siderolabs/omni/client v1.6.5 -> v1.8.1
  • github.com/siderolabs/talos/pkg/machinery v1.13.2 -> v1.14.0-alpha.1
  • github.com/stripe/stripe-go/v85 v85.1.0 -> v85.2.0
  • go.etcd.io/etcd/client/pkg/v3 v3.6.11 -> v3.6.12
  • go.etcd.io/etcd/client/v3 v3.6.11 -> v3.6.12
  • go.etcd.io/etcd/server/v3 v3.6.11 -> v3.6.12
  • golang.org/x/crypto v0.51.0 -> v0.53.0
  • golang.org/x/net v0.54.0 -> v0.56.0
  • golang.org/x/sync v0.20.0 -> v0.21.0
  • golang.org/x/text v0.37.0 -> v0.38.0
  • golang.org/x/tools v0.45.0 -> v0.46.0
  • golang.zx2c4.com/wireguard f333402bd9cb -> ecfc5a8d5446
  • google.golang.org/grpc v1.81.0 -> v1.81.1
  • k8s.io/api v0.36.0 -> v0.36.2
  • k8s.io/apimachinery v0.36.0 -> v0.36.2
  • k8s.io/client-go v0.36.0 -> v0.36.2
  • sigs.k8s.io/controller-runtime v0.24.0 -> v0.24.1

Previous release can be found at v1.8.0
