Merged
140 changes: 140 additions & 0 deletions public/changelog.mdx
Expand Up @@ -4,6 +4,146 @@ description: "Product updates and announcements"
rss: true
---

<Update label="v1.8.0" tags={["Omni"]}>
[Release notes →](https://github.com/siderolabs/omni/releases/tag/v1.8.0)

### Urgent Upgrade Notes **(No, really, you MUST read this before you upgrade)**

As Omni is now using `--join-tokens-mode=legacyAllowed` by default it won't start if there are any nodes running Talos below 1.6 connected to the instance.
If you want to keep using Omni with the outdated Talos you will need to set the flag to `legacy`. But of course we strongly recommend you to update Talos ASAP.

`omnictl cluster template` has breaking changes: it now restricts including files outside of the current directory.
If using files in the parent dirs, old behavior can be enabled by using `--allowed-dir`.

### Additional Audit Log Filters

Audit logs gain a generic search box and sortable columns in the UI, plus CLI filters for `event_type`, `resource_type`, `resource_id`, `cluster_id`, and `actor`.

### Per-Actor etcd Write Metrics

New `omni_etcd_operations_total` and `omni_etcd_resource_bytes_total` Prometheus counters track etcd writes, split by operation (create/update/teardown/destroy), actor (internal/user/service account/infra provider), actor ID, and resource type. Byte sizes are captured from the actual on-disk payload via a new `WithObserver` hook in `state-etcd`.

### Disks and Devices on Machine Pages

The frontend now shows disks and devices on the machines and individual machine pages.

### Talos Version Text on Installation Media Wizard

The installation media wizard's Talos version text has been updated for clarity.

### Switching Logs Inside the Logs Tab

The logs tab now allows switching between log sources directly inside the tab.

### Quick Switching Between Cluster Machines

The frontend allows quickly switching between machines within a cluster from the machine detail view.

### In-UI Notifications

Omni notifications are now shown in the UI as dismissible banners.

### Frontend Quality-of-Life Improvements for Machines

The cluster machine page gains a copy-UUID button, the machines list page can toggle between hostnames and UUIDs (with the preference saved), and machine and cluster machine pages gain kernel args tabs for editing kernel arguments inline instead of through a modal.

### Re-Saving the Omni Support Bundle

The frontend now allows re-saving a previously generated Omni support bundle without regenerating it.

### Support Modal

A new support modal in the frontend exposes links to GitHub issues, support channels, documentation, community resources, and office hours.

### Helm Chart Values Generated From Config Schema

A new `helmvaluesgen` tool, run on `make generate`, updates the `config:` section of the Helm chart's `values.yaml` from Omni's config schema, applying chart-specific overrides for defaults, omissions, and descriptions.

### Legacy Installation Media Proxying Removed

Omni no longer proxies legacy installation media download requests to the Talos Image Factory. Such requests are now rejected with a message asking users to upgrade `omnictl`, which downloads installation media directly from the factory.

### Image Factory Proxy for Infra Providers

Infra provider Image Factory requests can now be proxied through Omni via a new schematic creation API that accepts raw YAML. This is useful when Omni holds authentication for the Image Factory or when multiple Image Factory endpoints need to be supported.

### Imported Cluster Secrets Cleanup

A new controller tears down `ImportedClusterSecrets` once their content has been copied into `ClusterSecrets` and marked `Imported=true`, so imported bootstrap material does not linger in the state after a successful import.

### Infra Provider Factory Endpoint

Infra providers now use the Image Factory endpoint configured in Omni's features state (sourced from args/config) instead of a hardcoded default. The configured factory URL is exposed on the provider.

### Installation Media Placeholders

InstallationMediaConfig now accepts empty strings for `talosVersion` and `joinToken`, which resolve to the current stable version and default token at download time. The create wizard exposes "Automatic" options for these fields, and the download modal shows version/token/arch pickers for all presets.

### Reader Access to Join Tokens

Users with the reader role can now read join tokens.
Reader had access to it before through Talos logs, so making the access more consistent.
More fine grained access will come with RBAC v2 later on.

### Multi-Port Workload Proxy

The `omni-kube-service-exposer.sidero.dev/port` annotation now accepts a comma-separated list of `host-port` or `host-port:service-port` entries, each producing its own ExposedService URL. Label, icon, and prefix annotations gain per-host-port suffixed variants (e.g. `label-30080`). Existing single-port exposed services keep their URLs across the upgrade.

### Configurable Log Level and Format

Omni's log level and log format are now configurable via flags and config.

### Provision Step Errors on Machine Requests

A new `Error` field on `ClusterMachineRequestStatus` surfaces provision step failures so users can see why a request is stuck without scraping logs. Errors are now persisted on both failure and requeue paths.

### `omnictl media` Command Group

A new `omnictl media preset {create,list,delete}` command group manages InstallationMediaConfig presets from the CLI, and `omnictl media download <preset>` downloads from them. Preset validation runs against the server's CloudPlatformConfig, SBCConfig, and TalosExtensions resources at create time. The legacy `omnictl download` is preserved but deprecated.

### Plain Download Links for Images

The frontend now uses plain browser download links for factory image downloads instead of intercepting them.

### Powered Off Machine State

Machines that are shut down now appear as "Powered Off" in the UI instead of being stuck in "Shutting Down" with a greyed-out unreachable state. Static infra providers honor the shutdown until the machine goes through a deallocation cycle, instead of automatically powering it back on. The CLI gains `omnictl machine shutdown` and `omnictl machine power-on` commands.

### Per-Key Creation and Last-Active Tracking for Service Accounts

Service account key listings now include per-key creation timestamps and last-active times. `omnictl serviceaccount list` shows `KEY CREATED` and `KEY LAST ACTIVE` columns alongside the existing SA-level `LAST ACTIVE`. A new `PublicKeyLastActive` resource backs this tracking, and the activity interceptor records last-used timestamps per signing key fingerprint.

### Commented `omnictl serviceaccount create` Output

The output of `omnictl serviceaccount create` is now commented out by default, making it friendlier for piping into `.env` files and shell automation.

### Talos Version End-of-Support Notifications

Omni now tracks machines running Talos versions approaching or past end of support relative to `MinTalosVersion`, emits two new notifications (approaching end of support, end of support reached), and exposes Prometheus metrics for both.

### Download `talosctl` From Factory

`talosctl` binaries are now downloaded directly from the Talos Image Factory instead of GitHub.

### Cluster Template Include Directory Restrictions

By default, cluster templates can only include files from the same directory as the template file. This prevents malicious templates from including arbitrary files like `/etc/passwd`. The previous behavior can be restored with `--allowed-dir`.

### Raw Bytes Support in Template Inline Fields

Inline fields for manifests and config patches now accept three forms: a single inline map (for backward compatibility), a list of inline maps, or raw bytes (which may contain multiple YAML documents). `omnictl cluster template export` now exports patches and manifests as raw bytes so multi-document values round-trip correctly.

### Template Includes Resolved Relative to Template File

`omnictl cluster template` commands now resolve patch and Kubernetes manifest includes relative to the template YAML file, rather than the current working directory of `omnictl`.
</Update>

<Update label="v1.3.1" tags={["Image Factory"]}>
[Release notes →](https://github.com/siderolabs/image-factory/releases/tag/v1.3.1)


</Update>

<Update label="v1.13.2" tags={["Talos"]}>
[Release notes →](https://github.com/siderolabs/talos/releases/tag/v1.13.2)

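Review bot: The urgent upgrade note says `omnictl cluster template` "restricts including files outside of the current directory", but the "Cluster Template Include Directory Restrictions" and "Template Includes Resolved Relative to Template File" entries later in this hunk say includes are limited to the directory of the template file and are no longer resolved against the working directory of `omnictl`. Suggest rewording the urgent note to "outside of the directory containing the template file" so readers do not size their `--allowed-dir` exceptions against the wrong base path. Separately, the added `<Update label="v1.3.1" tags={["Image Factory"]}>` block contains only the release-notes link and no body; add a summary or confirm the empty entry is intended.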
2 changes: 1 addition & 1 deletion public/snippets/custom-variables.mdx
Expand Up @@ -2,7 +2,7 @@ export const k8s_prev_release = '1.35.0'
export const k8s_release = '1.36.0'

{/* latest Omni release version */}
export const omni_release = 'v1.7.3'
export const omni_release = 'v1.8.0'
export const omni_helm_chart_release = '2.5.10'

{/* latest Image Factory release version */}
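Review bot: `omni_release` moves to 'v1.8.0' while `omni_helm_chart_release` on the following line stays at '2.5.10'. The v1.8.0 changelog entry in this same PR describes a change to how the chart's `values.yaml` is generated, so please confirm whether a new chart version ships with this release and bump the variable if it does; otherwise pages that use both variables will pair the new Omni version with the old chart version.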