### Urgent Upgrade Notes **(No, really, you MUST read this before you upgrade)**
11
+
12
+
As Omni is now using `--join-tokens-mode=legacyAllowed` by default it won't start if there are any nodes running Talos below 1.6 connected to the instance.
13
+
If you want to keep using Omni with the outdated Talos you will need to set the flag to `legacy`. But of course we strongly recommend you to update Talos ASAP.
14
+
15
+
`omnictl cluster template` has breaking changes: it now restricts including files outside of the current directory.
16
+
If using files in the parent dirs, old behavior can be enabled by using `--allowed-dir`.
17
+
18
+
### Additional Audit Log Filters
19
+
20
+
Audit logs gain a generic search box and sortable columns in the UI, plus CLI filters for `event_type`, `resource_type`, `resource_id`, `cluster_id`, and `actor`.
21
+
22
+
### Per-Actor etcd Write Metrics
23
+
24
+
New `omni_etcd_operations_total` and `omni_etcd_resource_bytes_total` Prometheus counters track etcd writes, split by operation (create/update/teardown/destroy), actor (internal/user/service account/infra provider), actor ID, and resource type. Byte sizes are captured from the actual on-disk payload via a new `WithObserver` hook in `state-etcd`.
25
+
26
+
### Disks and Devices on Machine Pages
27
+
28
+
The frontend now shows disks and devices on the machines and individual machine pages.
29
+
30
+
### Talos Version Text on Installation Media Wizard
31
+
32
+
The installation media wizard's Talos version text has been updated for clarity.
33
+
34
+
### Switching Logs Inside the Logs Tab
35
+
36
+
The logs tab now allows switching between log sources directly inside the tab.
37
+
38
+
### Quick Switching Between Cluster Machines
39
+
40
+
The frontend allows quickly switching between machines within a cluster from the machine detail view.
41
+
42
+
### In-UI Notifications
43
+
44
+
Omni notifications are now shown in the UI as dismissible banners.
45
+
46
+
### Frontend Quality-of-Life Improvements for Machines
47
+
48
+
The cluster machine page gains a copy-UUID button, the machines list page can toggle between hostnames and UUIDs (with the preference saved), and machine and cluster machine pages gain kernel args tabs for editing kernel arguments inline instead of through a modal.
49
+
50
+
### Re-Saving the Omni Support Bundle
51
+
52
+
The frontend now allows re-saving a previously generated Omni support bundle without regenerating it.
53
+
54
+
### Support Modal
55
+
56
+
A new support modal in the frontend exposes links to GitHub issues, support channels, documentation, community resources, and office hours.
57
+
58
+
### Helm Chart Values Generated From Config Schema
59
+
60
+
A new `helmvaluesgen` tool, run on `make generate`, updates the `config:` section of the Helm chart's `values.yaml` from Omni's config schema, applying chart-specific overrides for defaults, omissions, and descriptions.
61
+
62
+
### Legacy Installation Media Proxying Removed
63
+
64
+
Omni no longer proxies legacy installation media download requests to the Talos Image Factory. Such requests are now rejected with a message asking users to upgrade `omnictl`, which downloads installation media directly from the factory.
65
+
66
+
### Image Factory Proxy for Infra Providers
67
+
68
+
Infra provider Image Factory requests can now be proxied through Omni via a new schematic creation API that accepts raw YAML. This is useful when Omni holds authentication for the Image Factory or when multiple Image Factory endpoints need to be supported.
69
+
70
+
### Imported Cluster Secrets Cleanup
71
+
72
+
A new controller tears down `ImportedClusterSecrets` once their content has been copied into `ClusterSecrets` and marked `Imported=true`, so imported bootstrap material does not linger in the state after a successful import.
73
+
74
+
### Infra Provider Factory Endpoint
75
+
76
+
Infra providers now use the Image Factory endpoint configured in Omni's features state (sourced from args/config) instead of a hardcoded default. The configured factory URL is exposed on the provider.
77
+
78
+
### Installation Media Placeholders
79
+
80
+
InstallationMediaConfig now accepts empty strings for `talosVersion` and `joinToken`, which resolve to the current stable version and default token at download time. The create wizard exposes "Automatic" options for these fields, and the download modal shows version/token/arch pickers for all presets.
81
+
82
+
### Reader Access to Join Tokens
83
+
84
+
Users with the reader role can now read join tokens.
85
+
Reader had access to it before through Talos logs, so making the access more consistent.
86
+
More fine grained access will come with RBAC v2 later on.
87
+
88
+
### Multi-Port Workload Proxy
89
+
90
+
The `omni-kube-service-exposer.sidero.dev/port` annotation now accepts a comma-separated list of `host-port` or `host-port:service-port` entries, each producing its own ExposedService URL. Label, icon, and prefix annotations gain per-host-port suffixed variants (e.g. `label-30080`). Existing single-port exposed services keep their URLs across the upgrade.
91
+
92
+
### Configurable Log Level and Format
93
+
94
+
Omni's log level and log format are now configurable via flags and config.
95
+
96
+
### Provision Step Errors on Machine Requests
97
+
98
+
A new `Error` field on `ClusterMachineRequestStatus` surfaces provision step failures so users can see why a request is stuck without scraping logs. Errors are now persisted on both failure and requeue paths.
99
+
100
+
### `omnictl media` Command Group
101
+
102
+
A new `omnictl media preset {create,list,delete}` command group manages InstallationMediaConfig presets from the CLI, and `omnictl media download <preset>` downloads from them. Preset validation runs against the server's CloudPlatformConfig, SBCConfig, and TalosExtensions resources at create time. The legacy `omnictl download` is preserved but deprecated.
103
+
104
+
### Plain Download Links for Images
105
+
106
+
The frontend now uses plain browser download links for factory image downloads instead of intercepting them.
107
+
108
+
### Powered Off Machine State
109
+
110
+
Machines that are shut down now appear as "Powered Off" in the UI instead of being stuck in "Shutting Down" with a greyed-out unreachable state. Static infra providers honor the shutdown until the machine goes through a deallocation cycle, instead of automatically powering it back on. The CLI gains `omnictl machine shutdown` and `omnictl machine power-on` commands.
111
+
112
+
### Per-Key Creation and Last-Active Tracking for Service Accounts
113
+
114
+
Service account key listings now include per-key creation timestamps and last-active times. `omnictl serviceaccount list` shows `KEY CREATED` and `KEY LAST ACTIVE` columns alongside the existing SA-level `LAST ACTIVE`. A new `PublicKeyLastActive` resource backs this tracking, and the activity interceptor records last-used timestamps per signing key fingerprint.
The output of `omnictl serviceaccount create` is now commented out by default, making it friendlier for piping into `.env` files and shell automation.
119
+
120
+
### Talos Version End-of-Support Notifications
121
+
122
+
Omni now tracks machines running Talos versions approaching or past end of support relative to `MinTalosVersion`, emits two new notifications (approaching end of support, end of support reached), and exposes Prometheus metrics for both.
123
+
124
+
### Download `talosctl` From Factory
125
+
126
+
`talosctl` binaries are now downloaded directly from the Talos Image Factory instead of GitHub.
127
+
128
+
### Cluster Template Include Directory Restrictions
129
+
130
+
By default, cluster templates can only include files from the same directory as the template file. This prevents malicious templates from including arbitrary files like `/etc/passwd`. The previous behavior can be restored with `--allowed-dir`.
131
+
132
+
### Raw Bytes Support in Template Inline Fields
133
+
134
+
Inline fields for manifests and config patches now accept three forms: a single inline map (for backward compatibility), a list of inline maps, or raw bytes (which may contain multiple YAML documents). `omnictl cluster template export` now exports patches and manifests as raw bytes so multi-document values round-trip correctly.
135
+
136
+
### Template Includes Resolved Relative to Template File
137
+
138
+
`omnictl cluster template` commands now resolve patch and Kubernetes manifest includes relative to the template YAML file, rather than the current working directory of `omnictl`.
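Review bot: The urgent upgrade note for `omnictl cluster template` says includes are restricted to "the current directory", but the later sections "Cluster Template Include Directory Restrictions" and "Template Includes Resolved Relative to Template File" put the boundary at the directory of the template file and say includes are no longer resolved against the working directory of `omnictl`. Suggest rewording the urgent note to "the directory containing the template file" so the three passages agree. The change in include resolution should also be mentioned there, since it is a second behaviour change for anyone who runs `omnictl` from a directory other than the template's. The note on `--allowed-dir` would also be clearer if it said what value the flag takes. Separately, in "Reader Access to Join Tokens" the line "Reader had access to it before through Talos logs, so making the access more consistent." is a sentence fragment. Because that entry widens what the reader role can read, it is worth writing out as a complete statement of the rationale.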