github siderolabs/omni v1.9.0-beta.1

Omni 1.9.0-beta.1 (2026-06-24)

Welcome to the v1.9.0-beta.1 release of Omni!
This is a pre-release of Omni.

Please try out the release binaries and report any issues at
https://github.com/siderolabs/omni/issues.

Cluster Health Check Jobs

Cluster templates now support health check jobs that gate Talos upgrades. Omni creates the jobs when a Talos upgrade is running and re-runs them on an interval until they succeed, re-creating a job whenever it fails. The checks run before each node upgrade in the upgrade status controller, and if any defined health check fails Omni drops the available upgrade quota to zero, blocking further upgrades until the checks pass. You can read more about this feature on the docs.

Embedded Machine Config for Installation Media

Installation media can now carry an embedded machine configuration, so a machine applies it on first boot before it ever reaches Omni. You can set it from the frontend or with omnictl when creating installation media, and Omni stores it on the schematic request alongside the rest of the media config. The option is exposed only where the underlying stack reports support for it, through a new supports_embedded_config quirk.

Per-Class etcd Write Rate Limiting

You can now throttle etcd writes by payload size, with separate budgets for end users, infra providers, and internal callers. It is off by default and turns on via storage.rateLimits.etcd.*. Four new Prometheus series report throttle wait time, admitted writes, rejected writes, and rejected bytes, labeled by class. The failure counters also carry a reason of timeout or oversize.
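The following Go example is an added illustration of the throttling model described above; it is not Omni's code and does not model the storage.rateLimits.etcd.* settings themselves. It keeps one byte-denominated token bucket per caller class, rejects a write as oversize when it could never fit the bucket and as timeout when admitting it would hold the caller longer than an assumed maxWait, and records the four series as plain maps standing in for the Prometheus counters. The class names, field names and the "class/reason" key format are assumptions made here.

```go
package main

import ("math"; "sync"; "time")

// Caller classes with separate budgets and the two rejection reasons, as on the page.
const (
	ClassUser, ClassProvider, ClassInternal = "user", "infra_provider", "internal"
	ReasonTimeout, ReasonOversize           = "timeout", "oversize"
)
// bucket is a token bucket whose tokens are payload bytes.
type bucket struct {
	rate, burst, tokens float64 // refill bytes/s, capacity, bytes available now
	last                time.Time
}
// Limiter throttles writes by payload size with one bucket per class and keeps
// the four series the page lists; rejection maps are keyed "class/reason".
type Limiter struct {
	mu                      sync.Mutex
	maxWait                 time.Duration // longest hold before a "timeout" rejection
	buckets                 map[string]*bucket
	Admitted, Rejected      map[string]int
	WaitSecs, RejectedBytes map[string]float64
}

// NewLimiter builds one bucket per class from {rate bytes/s, burst bytes} pairs (rate > 0).
func NewLimiter(budgets map[string][2]float64, maxWait time.Duration) *Limiter {
	l := &Limiter{maxWait: maxWait, buckets: map[string]*bucket{}, Admitted: map[string]int{},
		Rejected: map[string]int{}, WaitSecs: map[string]float64{}, RejectedBytes: map[string]float64{}}
	for class, b := range budgets {
		l.buckets[class] = &bucket{rate: b[0], burst: b[1], tokens: b[1], last: time.Now()}
	}
	return l
}

// Admit holds the caller until size bytes may be written for class and returns ""
// when admitted, or the rejection reason. Classes without a budget pass freely.
func (l *Limiter) Admit(class string, size float64) string {
	l.mu.Lock()
	defer l.mu.Unlock()
	b := l.buckets[class]
	if b == nil {
		return ""
	}
	now := time.Now() // refill first, then decide
	b.tokens, b.last = math.Min(b.burst, b.tokens+now.Sub(b.last).Seconds()*b.rate), now
	wait := time.Duration(math.Max(0, size-b.tokens) / b.rate * float64(time.Second))
	reason := ""
	if size > b.burst { // can never fit, not even into a full bucket
		reason = ReasonOversize
	} else if wait > l.maxWait { // would block too long: reject, tokens untouched
		reason = ReasonTimeout
	}
	if reason != "" {
		l.Rejected[class+"/"+reason]++
		l.RejectedBytes[class+"/"+reason] += size
		return reason
	}
	b.tokens -= size // may go negative: the caller pays for it by waiting
	l.mu.Unlock()    // do not hold other classes while this one waits
	time.Sleep(wait)
	l.mu.Lock()
	l.Admitted[class]++
	l.WaitSecs[class] += wait.Seconds()
	return ""
}
```

Because the oversize check runs before the wait check, a payload larger than the burst is refused immediately and never consumes budget, which is the behaviour you want when a single write could otherwise starve a class.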

Talos Extension Names Validated Against the Catalog

Extension names on installation media configs, machine request sets, and extensions configurations are now validated against the Talos extensions catalog for the relevant Talos version. Unknown names, duplicates, and oversized lists are rejected, and when no Talos version is set the default version's catalog is used so the names still get checked. Names without a namespace are looked up under siderolabs/, so older clients that send the documented short form keep working. The omnictl installation media create command now resolves short or partial extension names to canonical form before sending, replacing the client-side catalog check it used to do.

KubeSpan Status View

A new graphical view shows KubeSpan peer status for a cluster machine.

Frontend Quality-of-Life Improvements

A round of UI improvements across Omni. The home screen has a reworked "Welcome to Omni" card. An unhealthy infrastructure provider shows its error on hover, the machine details panel shows the SMBIOS serial number, and kernel args editing moved into a modal. Config diffs have a sort-order toggle, version pickers sort newest first and scroll to the current selection, and Talos and Kubernetes update calls now report their errors. The disks view got several cleanups, pods sort by status, power-state icons have tooltips, Omni shows a loading indicator when it is slow to start, and the rewritten log viewer scrolls to the bottom reliably. Machine patches no longer offer the cluster-machine patch option and surface an error when a machine is not part of a cluster.

Static loadBalancerIP for the WireGuard Service in Helm

The Helm chart has a new service.wireguard.loadBalancerIP value for setting a static load balancer IP on the WireGuard Kubernetes Service. It is rendered only when the WireGuard service type is LoadBalancer.

Support for Image Factory Enterprise

Two new config options, registries.imageFactoryUsername and registries.imageFactoryPassword, let Omni authenticate to the Image Factory Enterprise with HTTP basic auth.

Kubernetes Manifests Status in the UI

The frontend now shows the status of a cluster's synced Kubernetes manifests.

Per-Machine Log Ingestion Rate Limit

Log ingestion now uses a per-machine token bucket, so one noisy machine can no longer overwhelm the log store. It is off by default to keep backwards compatibility.

Machine Config Patches in Maintenance Mode

Omni can now apply machine-level config patches while a machine is still in maintenance mode, not just after it joins a cluster. The patches go on top of the configuration the machine already runs, next to the SideroLink documents Omni manages, and Omni will not apply a document that installs Talos and pulls the machine out of maintenance. Omni also keeps whatever configuration a machine connects with as a low-priority, user-owned patch. So a machine that arrives with its own config (say a TrustedRootsConfig document) keeps it, and your own patches still win.

Install and Upgrade Talos in Maintenance Mode

A new streaming management API installs or upgrades Talos on machines booted in maintenance mode. It comes with omnictl install and upgrade subcommands and frontend modals that stream installer progress live. This feature uses Talos's LifecycleService API, which was introduced in v1.13.0, so it works with any Talos version from v1.13.0 onwards.

SBOM, VEX, and Vulnerability Scan on the Installation Media Wizard

The installation media wizard's confirmation page now shows SBOM and VEX links plus the vulnerability scan and modal, the same as the Image Factory. This shows up only when you use the Image Factory Enterprise.

Opt-In Skip of Kubernetes Node Audit

The Kubernetes node audit deletes nodes that no ClusterMachine backs. You can now skip it for individual nodes, which helps with virtual nodes such as VirtualKubelet. A node is skipped only when it has the omni.sidero.dev/node-audit-skip annotation and the cluster owner has turned on the matching cluster feature, so a workload cannot annotate its own way out of the audit.

Node Names and Locked Status in omnictl cluster status

The omnictl cluster status tree now prints each machine's Kubernetes node name in parentheses after its UUID, so you can match a machine to the upgrade status lines that reference node names. A "Locked" indicator shows up whenever a machine is locked.

Platform Tags Exposed as Machine Labels

Talos PlatformMetadata tags (for example EC2 instance tags) now appear as editable, removable machine labels in Omni. Omni fills them in once, when the machine first joins, and your own custom labels win on any key conflict.

Schematic Contents Preserved on Update

When Omni changes a machine's schematic, it now touches only the fields it manages (extensions and kernel args) and leaves the rest alone, instead of rebuilding the schematic from scratch. It reads the full schematic from the machine or the Image Factory and stores it as is.

Signed Images and SBOM Release Artifacts

Omni releases now ship an SBOM built from the Go modules as a release artifact, and Sidero Labs signs the published container images during release.

Talos Upgrade Targets Capped at the Latest Supported Release

Each Omni release now declares the latest Talos minor version it can support end to end. Cluster create and update, the maintenance upgrade API, the upgrade status computation, and every version picker in the UI all read this same cap, so you can no longer pick a Talos version newer than the running Omni supports.

Contributors

  • Edward Sammut Alessi
  • Utku Ozdemir
  • Mateusz Urbanek
  • Oguz Kilcan
  • Artem Chernyshev
  • Maja Bojarska
  • Noel Georgi
  • Andrey Smirnov
  • Orzelius
  • 0hlov3
  • Bo Bobson
  • Matthew Sanabria
  • Sterling Koch
  • Steve Francis
  • fsgh42

Changes

118 commits

  • 3455e7430 release(v1.9.0-beta.1): prepare release
  • 8bea9d98d feat(frontend): add expandable code editor for extra overlay options
  • 4121e730f feat(frontend): add expandable code editor for embedded machine config
  • 22318022d feat(frontend): add more default editor options and remove default class
  • 00e99c4d5 refactor(frontend): refactor code editor to use v-model
  • 454daba78 chore: bump default talos version to 1.13.5
  • cb74aa700 feat: support embedded machine config in installation media CLI
  • 86af10d45 fix: get rid of the race in the UUID conflict resolution flow
  • 55bda4979 refactor: only log schematic id when ensuring
  • c2b067a1f feat(frontend): allow specifying embedded machine config for installation media
  • 574daf6d5 feat: add embedded_machine_config to create schematic request
  • 1a8c85b88 feat: add embedded_machine_config to installation media config spec
  • 687e56ae1 feat: add supports_embedded_config quirk to virtual resources
  • 2fa8855c6 feat: validate Talos extensions against the catalog
  • 807fe47a7 feat: register destroy controllers for user-managed resource types
  • c3c511acb chore: bump containerd to 1.7.33
  • af44779ae chore(frontend): bump dependencies
  • 17b2b30ec fix: prevent API requests from hanging after idle periods
  • 240c48323 feat(frontend): remove cluster machine patch option from machine patches
  • 498e8c0b4 feat(frontend): show error if machine not part of cluster
  • a66f1ae3a feat(frontend): use machine status link snapshot for recent machines phase
  • 0f853e1bb release(v1.9.0-beta.0): prepare release
  • 060a4c759 chore: bump deps and default versions
  • 43bf5856e test: run integration-qemu against the image factory enterprise
  • 4b49029cb feat: support machine config patches in maintenance mode
  • b9e407174 fix: stabilize flaky talemu e2e EULA setup and preset downloads
  • 448ed9a69 docs: update LICENSE
  • b44f92efe fix: ignore the embedded-config meta extension
  • e32307d8e fix: allow empty list of extensions in cluster templates
  • b08c34ac8 feat: implement advanced healthchecks for the cluster
  • 1c125d3f4 chore: add Oguz to sops-encrypted secrets recipients
  • 9a736342d fix: properly handle invalid UTF-8 strings in the machine statuses
  • d77ee0495 fix: properly handle empty provider data in the common module
  • c55173efc feat: validate Talos version on installation media config
  • 243f046e0 fix(frontend): display correct units for byte values
  • d9eebd7c4 fix(frontend): reset monitor chart on watch change
  • 7f02f41f3 chore(frontend): bump frontend dependencies
  • 27ef3dd03 feat: install/upgrade Talos in maintenance mode
  • 18131edfd feat(frontend): change machine tutorial into a welcome card
  • 4fdc07191 feat(frontend): adjust action buttons on getting started card
  • 987b3ec18 feat: reject control characters in join token names
  • 8bfc6c17d fix(frontend): fix incorrect pxe boot url
  • ead9840b7 feat: validate user-supplied request IDs and kernel args
  • 1ebde6a44 feat: validate bootstrap snapshot path on machine sets
  • 1ff045796 feat: allow opt-in skip of Kubernetes node audit
  • 50dcd264c feat: validate resource metadata at the state layer
  • 086a1964c feat: preserve schematic contents
  • 1ab0c4e32 feat(frontend): display infrastructure provider error when unhealthy
  • 5c67c7c9b fix: read machine uncached when deciding whether to reset it
  • 098dac2c3 refactor: remove unused fields, fix print columns/comments of resources
  • a29fba498 fix: use correct help string in the omnictl jointoken delete command
  • 9505aabec feat(frontend): add kubespan status view
  • d19768879 refactor: replace injectable clocks with real time
  • b5be9a779 fix: prune expired public keys with finalizers or no owner
  • 64b02f4f6 feat: cap Talos upgrade targets at the latest supported release
  • a1367d90e feat: per-machine log ingestion rate limit
  • bc0e5273b refactor: move state validations into their own package
  • 33909b1b9 fix: keep exposed services reachable after a health check flap
  • 84649427b feat(helm): support loadBalancerIP for WireGuard service
  • 4db447046 fix: release config update slot while a machine waits to upgrade
  • e63ea1f0e feat: add PostHog analytics to the Omni frontend
  • 5b5203660 chore: bump major go dependencies
  • 48a7f9394 fix: persist config status when update lock is contended
  • 59d9079c7 refactor(frontend): remove last cases of any in codebase
  • 665371f3a refactor: drop unused field in create schematic gRPC request
  • c2f52d799 fix: prevent deadlock between machine upgrade and config update
  • 861594332 feat: nest omnictl, talosctl, scans under api
  • f144020c0 feat(frontend): show vulnerability items on installation media wizard
  • 68afcd086 chore: rekres
  • b3e038f8d feat(frontend): generate talos types for frontend
  • 0610a4088 refactor(frontend): type tlist items
  • 4afaf514b refactor(frontend): drop watchjoin
  • 998e803ec chore: bump go-kubernetes library
  • ccbc50bda feat(omnictl): show node name and locked status in cluster status
  • 3edf383b6 chore: bump deps, rekres, Talos 1.13.3, Kubernetes 1.36.1
  • 429708f84 feat(frontend): show join tokens in saved presets list
  • c857af939 feat(frontend): enable field-sizing content for kernel args
  • f62e044aa feat(frontend): show errors for all update talos/k8s issues
  • 7ddd63b1a feat(frontend): sort upgrade modal versions descending and scroll to selected
  • ffcbf3342 refactor(frontend): refactor update talos + k8s to new modals
  • 9248b762b test: mock clock in saml test
  • d18726e9c fix: lower minimum discovered Kubernetes version
  • 2dd7c8807 test: pick previous Omni upgrade version from the release line
  • 2bfe8c08a chore: rekres and bump frontend deps
  • 3b9399fba fix: do not downgrade nodes header to single node
  • 15ad495ad test: bump Talos to 1.13.3
  • 25f5de5c6 feat(frontend): allow changing config diff sort order
  • 0f060a449 feat(frontend): add improvements to disks view
  • e297c4d47 fix: hack/compose dlv tools install
  • 1704f0047 chore(hack): add delve debugger support
  • 30d5d2868 test: use up-to-date way to set node labels on the nodes in the tests
  • 72dfce9e5 fix(frontend): remove lingering test code
  • 028a57e84 feat(frontend): move editing logic for kernel args into a modal
  • 76ee6332f feat(frontend): add tooltips to power state
  • 329922816 feat: refactor logviewer to tanstack virtual
  • 1fafd3781 chore: bump dependencies
  • 988bc9e81 chore: add missing syft version to kres
  • 065db6960 test(integration): bump readiness timeout durations
  • fc362b5fc feat: expose ec2 tags as machine labels
  • 6d61a546e feat: add sign-images target to sign omni container image
  • 34473a7f5 feat: generate SBOM as a release artifact
  • fa2f11fc0 fix: fetch versions from registry with auth
  • 0a2641c6c chore: bump deps to patch GO-2026-5027
  • ddfa70a9c feat: add per-class etcd write-bytes rate limiting
  • 69e4fe255 feat(frontend): add some feedback when omni is loading
  • 5246ba332 fix: ensure infra providers with new common module support the old Omni
  • 9ae983308 feat(frontend): sort pods by status on pods list
  • c8daa7805 fix(frontend): fix incorrect permissions-policy header
  • 7484972df feat(frontend): load robot fonts from npm
  • bb442ab7e feat: add teardown RPCs and tighten state API access
  • c1126b471 chore: fix linter issues
  • 120be2f10 chore: rekres to secure slack workflows
  • 686249525 fix: dont clean clients with active watches
  • 679ca3014 feat: support basic auth against the image factory
  • 2ce7140ec feat: introduce UI for showing Kubernetes manifests status of clusters
  • c990a0820 feat(frontend): change service finished state style to gray
  • 1b9177ee8 feat(frontend): show smbios serial info on machine details panel
  • 9dd6cb490 refactor: drop compose 'version' (from hack)

Changes since v1.9.0-beta.0

21 commits

  • 3455e7430 release(v1.9.0-beta.1): prepare release
  • 8bea9d98d feat(frontend): add expandable code editor for extra overlay options
  • 4121e730f feat(frontend): add expandable code editor for embedded machine config
  • 22318022d feat(frontend): add more default editor options and remove default class
  • 00e99c4d5 refactor(frontend): refactor code editor to use v-model
  • 454daba78 chore: bump default talos version to 1.13.5
  • cb74aa700 feat: support embedded machine config in installation media CLI
  • 86af10d45 fix: get rid of the race in the UUID conflict resolution flow
  • 55bda4979 refactor: only log schematic id when ensuring
  • c2b067a1f feat(frontend): allow specifying embedded machine config for installation media
  • 574daf6d5 feat: add embedded_machine_config to create schematic request
  • 1a8c85b88 feat: add embedded_machine_config to installation media config spec
  • 687e56ae1 feat: add supports_embedded_config quirk to virtual resources
  • 2fa8855c6 feat: validate Talos extensions against the catalog
  • 807fe47a7 feat: register destroy controllers for user-managed resource types
  • c3c511acb chore: bump containerd to 1.7.33
  • af44779ae chore(frontend): bump dependencies
  • 17b2b30ec fix: prevent API requests from hanging after idle periods
  • 240c48323 feat(frontend): remove cluster machine patch option from machine patches
  • 498e8c0b4 feat(frontend): show error if machine not part of cluster
  • a66f1ae3a feat(frontend): use machine status link snapshot for recent machines phase

Changes from siderolabs/go-api-signature

1 commit

  • 07009e7 chore: bump deps, update gopenpgp to v3

Changes from siderolabs/go-kubernetes

2 commits

  • cc8c2c9 fix: return the apply results in a consistent order
  • 131a2bd fix: handle cluster-scoped resources with a ns correctly

Changes from siderolabs/go-talos-support

2 commits

  • 59d47af feat: rewrite support bundle library around client provider
  • 8dd4326 feat: support encryption of the support bundle using age

Changes from siderolabs/image-factory

26 commits

  • 425e59e release(v1.3.3): prepare release
  • b5d3d92 fix: vulnerability scans with extensions
  • 916bcf6 feat: update go-vex
  • 9920386 feat: update Image Factory with Talos 1.14.0-alpha.1
  • d49e952 feat: allow excluding Talos releases
  • 147a3e8 feat: add scan report to factory client
  • 2887e78 feat: add support for embedding machine configuration
  • 660ac01 release(v1.3.2): prepare release
  • 38183fc fix: update golang.org/x/net
  • 9f6aee8 fix: make PXE copyable on SecureBoot
  • d7377c5 refactor: migrate to Tailwind CSS classes
  • 1e86750 fix: update golang.org/x/* packages
  • 33c79e4 test: move from kuttl to chainsaw
  • ba34dab feat: move SPDX cache to enterprise options
  • cd137ed chore: disable authentication for local development
  • 4ea792f fix: build profile with version
  • fcf9d57 release(v1.3.1): prepare release
  • 1d216c7 docs: update the developing documentation
  • 4a60270 fix(config): validate early and sort SPDX deterministically
  • 41d3947 release(v1.3.0): prepare release
  • ae3ed04 feat: add enterprise features with Helm chart support
  • 3fb0f96 feat(enterprise): add vulnerability scanning endpoint
  • 92209b6 feat: return normalized schematic on creation
  • ba2a46d feat(enterprise): implement VEX endpoint
  • 9b40156 feat: show schematic-id url parameter on the final wizard step
  • 114bb60 fix(spdx): use configured external URL in document namespace

Dependency Changes

  • github.com/ProtonMail/go-crypto v1.4.1 new
  • github.com/ProtonMail/gopenpgp/v3 v3.4.1 new
  • github.com/auth0/go-jwt-middleware/v3 v3.2.0 new
  • github.com/aws/aws-sdk-go-v2 v1.41.7 -> v1.42.0
  • github.com/aws/aws-sdk-go-v2/config v1.32.17 -> v1.32.25
  • github.com/aws/aws-sdk-go-v2/credentials v1.19.16 -> v1.19.24
  • github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.22.18 -> v1.22.28
  • github.com/aws/aws-sdk-go-v2/service/s3 v1.101.0 -> v1.104.0
  • github.com/aws/smithy-go v1.25.1 -> v1.27.2
  • github.com/coreos/go-oidc/v3 v3.18.0 -> v3.19.0
  • github.com/cosi-project/runtime v1.16.0 -> v1.16.1
  • github.com/cosi-project/state-etcd v0.6.0 -> v0.7.0
  • github.com/felixge/httpsnoop v1.0.4 -> v1.1.0
  • github.com/fluxcd/cli-utils v1.2.0 -> v1.2.1
  • github.com/fluxcd/pkg/ssa v0.74.0 -> v0.76.0
  • github.com/golang-jwt/jwt/v5 v5.3.1 new
  • github.com/google/go-containerregistry v0.21.5 -> v0.21.7
  • github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 new
  • github.com/prometheus/client_model v0.6.2 new
  • github.com/prometheus/common v0.67.5 -> v0.69.0
  • github.com/russellhaering/goxmldsig v1.6.0 new
  • github.com/siderolabs/go-api-signature v0.3.12 -> v0.3.13
  • github.com/siderolabs/go-kubernetes v0.2.37 -> v0.2.39
  • github.com/siderolabs/go-talos-support v0.2.1 -> v0.3.0
  • github.com/siderolabs/image-factory v1.2.0 -> v1.3.3
  • github.com/siderolabs/omni/client v1.6.5 -> v1.8.1
  • github.com/siderolabs/talos/pkg/machinery v1.13.2 -> v1.14.0-alpha.1
  • github.com/stripe/stripe-go/v85 v85.1.0 -> v85.2.0
  • go.etcd.io/etcd/client/pkg/v3 v3.6.11 -> v3.6.12
  • go.etcd.io/etcd/client/v3 v3.6.11 -> v3.6.12
  • go.etcd.io/etcd/server/v3 v3.6.11 -> v3.6.12
  • golang.org/x/crypto v0.51.0 -> v0.53.0
  • golang.org/x/net v0.54.0 -> v0.56.0
  • golang.org/x/sync v0.20.0 -> v0.21.0
  • golang.org/x/text v0.37.0 -> v0.38.0
  • golang.org/x/tools v0.45.0 -> v0.46.0
  • golang.zx2c4.com/wireguard f333402bd9cb -> ecfc5a8d5446
  • google.golang.org/grpc v1.81.0 -> v1.81.1
  • k8s.io/api v0.36.0 -> v0.36.2
  • k8s.io/apimachinery v0.36.0 -> v0.36.2
  • k8s.io/client-go v0.36.0 -> v0.36.2
  • sigs.k8s.io/controller-runtime v0.24.0 -> v0.24.1

Previous release can be found at v1.8.0
