v1.6.0-beta.1

[Slessi]

Omni 1.6.0-beta.1 (2026-03-06)

Welcome to the v1.6.0-beta.1 release of Omni!
This is a pre-release of Omni

Please try out the release binaries and report any issues at
https://github.com/siderolabs/omni/issues.

Urgent Upgrade Notes (No, really, you MUST read this before you upgrade)

The deprecated flags and config fields that were kept for the SQLite migration period (introduced in v1.4.0) have been removed.

If you still have any of the following flags or config keys set, you must remove them before upgrading, as they will cause startup errors:

• --audit-log-dir (.logs.audit.path)
• --secondary-storage-path (.storage.secondary.path)
• --machine-log-storage-path (.logs.machine.storage.path)
• --machine-log-storage-enabled (.logs.machine.storage.enabled)
• --log-storage-path (.logs.machine.storage.path)
• --embedded-discovery-service-snapshot-path (.services.embeddedDiscoveryService.snapshotsPath)
• --machine-log-buffer-capacity (.logs.machine.bufferInitialCapacity)
• --machine-log-buffer-max-capacity (.logs.machine.bufferMaxCapacity)
• --machine-log-buffer-safe-gap (.logs.machine.bufferSafetyGap)
• --machine-log-num-compressed-chunks (.logs.machine.storage.numCompressedChunks)

The automatic migration code for BoltDB secondary storage, file-based audit logs, file-based discovery service snapshots, and circular buffer machine logs has also been removed. If you are upgrading from a version older than v1.4.0, you must first upgrade to v1.4.x to complete the migrations, then upgrade to this version.

Talos and Kubernetes CA Rotation

Omni now supports rotating the Talos and Kubernetes Certificate Authorities for managed clusters.

Talos and Kubernetes Versions in ClusterStatus

The ClusterStatus resource now includes talos_version and kubernetes_version fields, making cluster version information available programmatically. They are now also shown in the cluster list in the UI.

Pending and Historical Config Diffs in UI

The UI now shows pending and historical configuration diffs, making it easy to review what changed and when.

Force Machine Destroy

A --force flag has been added to the machine destroy command (and a corresponding UI option) to forcibly remove machines that are stuck or unresponsive.

Helm Chart v2

A new Helm chart v2 has been implemented with improved structure and more configurable options.
More configuration values are now exposed in the Helm chart, giving operators greater flexibility when deploying Omni.

Installation Media Wizard

The installation media flow now uses a wizard-based UI by default, replacing the previous modal dialog. Presets may now also be saved, allowing for future reuse.

Machine Log Storage Cleanup

Global size-based cleanup has been added for machine log storage, preventing unbounded disk usage.
Configurable options for audit log cleanup have also been added.

Minimum Talos Version Bump

The minimum supported Talos version for new clusters has been bumped to 1.8.

Minor UI Improvements

Other minor UI improvements part of this release:

• Talos and Kubernetes versions are now shown in the cluster list.
• Node name and UUID are shown in the support bundle modal.
• Machine set pools now have a collapse/expand toggle.
• Cluster scaling has been moved to a modal dialog.
• Getting started guidance and empty-state pages have been added for clusters, machines, and machine classes.
• Instructions for adding machines and exporting cluster templates are now shown in the UI.
• Clarification text has been added to backup settings.
• YouTube video embedding is now supported in documentation/onboarding flows.
• The frontend authentication flow no longer requires an explicit login click.
• Resource labels use new colors for improved visual clarity.

Detailed Node Disk Information

The node details page now shows detailed disk information, including disk model, size, and type.

PCI Devices on Node Details

The node details page now includes a dedicated section listing all PCI devices present on the node.

Reset Node Unique Tokens

It is now possible to reset the unique token for a node, which can be useful for re-enrolling machines.

OIDC Token Cache Isolation for Kubeconfigs

Generated kubeconfigs now use isolated OIDC token caches, preventing token collisions between different kubeconfig users.

Pending Machines

Machines that were previously rejected can now be unrejected from the UI, allowing them to be accepted into Omni.

Rejected machines can also now be deleted directly from the UI.

SAML Logout Flow

Omni now implements the SAML logout flow, properly terminating sessions with the SAML identity provider on sign-out.

SQLite Metrics and Cleanup Counters

Metrics for the SQLite state backend have been exposed, along with cleanup counters for better observability.

Upgrade Parallelism

The upgrade parallelism for machine sets can now be configured via cluster templates and the UI, allowing operators to control how many machines are upgraded concurrently.

User and Service Account Activity Tracking

Omni now tracks the last activity time for users and service accounts, providing better visibility into account usage.

User Management gRPC Endpoints

New ManagementService gRPC endpoints have been added for user operations, enabling programmatic user management.

Configurable User and Service Account Limits

Operators can now enforce configurable limits on the number of users and service accounts that can be created in Omni.

Custom Vault Kubernetes Auth Mount Path

The Vault Kubernetes authentication mount path is now configurable, supporting non-default Vault configurations.

Contributors

• Edward Sammut Alessi
• Andrey Smirnov
• Utku Ozdemir
• Oguz Kilcan
• Artem Chernyshev
• Kevin Tijssen
• Noel Georgi
• Orzelius
• Mateusz Urbanek
• Tim Jones
• Daddie0
• Daniil Kivenko
• Dmitrii Sharshakov
• Justin Garrison
• Pranav Patil
• Steve Francis
• greenpsi

Changes

129 commits

• afe41b09 release(v1.6.0-beta.1): prepare release
• e2adcb0b fix: close ssa manager after use
• 543cf70b chore: force SSA manifests sync mode for Talos >= 1.13
• 6a0da38f chore(frontend): bump dependencies
• ef3946cf fix: use uncached read for MachineExtensions in SchematicConfiguration
• 1e6be81f refactor: introduce uncached reader/writer package, fix flaky tests
• beb7dba8 release(v1.6.0-beta.0): prepare release
• a7b8b145 feat(frontend): update selected state of machineset labels
• 943a9ad4 fix(frontend): reset pagination when selectors change
• 05738937 feat: support setting upgrade parallelism in templates and UI
• a9f2937c feat: add OIDC token cache isolation for generated kubeconfigs
• 8a814d17 feat(frontend): use new resource label colors
• 0cb34323 refactor(frontend): use tailwind classes instead of color variables
• 8a72a8ae refactor(frontend): don't interpolate resource label classes
• f8a42eeb chore: move graceful upgrades to the lowest level
• 6f0ca32f fix(frontend): truncate machine classes in cluster list
• 5bb4ad9d fix(frontend): fix pending manifests warning sidebar color
• 6d03fc7c feat: track user and service account last activity
• a6811877 refactor(frontend): create pagecontainer component to manage padding
• e7f7a8ee fix(frontend): re-add padding in cluster scoped for error case
• ed1ebe35 fix: enhance SAML handler startup error
• a907c311 fix: properly select extensions when they're defined for cluster/ms lvl
• 66dbbdc6 feat(frontend): add instructions for adding machines
• 51747657 chore: update LICENSE
• 2372684a feat(frontend): show pci devices on node details
• 823af623 fix(frontend): fix unintented icon button size overrides
• b5076c19 feat: implement saml logout flow
• e57b7f5b chore(frontend): bump storybook dependencies
• 5d13f4ba chore(frontend): add uncategorised vue lint rules
• 415111c7 chore(frontend): update eslint related dependencies
• 05957580 chore(frontend): add lint rule for scoped styles
• f361fa73 chore: bump deps
• ba578e60 feat(frontend): move cluster scale pencil edit to a modal
• 7b1de4f0 feat(frontend): show talos and k8s versions in the cluster list
• 5fccd82b feat: add talos_version and kubernetes_version to clusterstatus
• e3df911d feat: enforce configurable limits on user and service account creation
• c5b40efb feat(frontend): add collapse/expand toggle to machine set pools
• da60807d feat: add ManagementService gRPC endpoints for user operations
• f29d769c fix: fetch siderolink url from omni
• a6bf6667 feat(frontend): add some getting started info for clusters/machines
• a4ee4b5e feat(frontend): add no clusters/machines found to home page
• 59881d2e refactor: remove direct dependency on github.com/siderolabs/talos
• 47fb4dd7 feat: allow resetting node unique tokens
• 578f2126 fix(frontend): handle invalid jwt response from backend
• ad6cf5b1 feat: enforce auth_time in auth0 token validation
• 90474045 fix(frontend): keep cluster menu visible and sticky
• 7c0e18c2 feat: introduce machine --force destroy flag and UI option for that
• 4e5c9c57 fix: rename --force flag to --force-etcd-leave, same in the UI
• 1887d863 feat(frontend): show more detailed node disk information
• ae2f48f0 refactor(frontend): clean up node mounts a bit
• 5bfa167d refactor(frontend): fix node details scrolling and padding
• 8c94b77c chore: bump Talos machinery to the latest main and use 1.12.4 schema
• 6776d127 feat: add global size-based cleanup for machine log storage
• 08c31275 test: migrate machine request set status tests
• ed5b81ce feat(frontend): show nodename and uuid in support bundle modal
• 1abd7ce6 chore: bump default talos version
• 4cb81e43 test: fix flaky nature of ca rotation tests
• 928d568c feat(frontend): add ability to delete pending machines
• 6e8d837d fix: do not check Talos version in the machine set node updates
• 8786ad36 feat(frontend): update machine class condition text
• 78da5820 feat(frontend): provide get started text for first machine class
• e406321d refactor(frontend): remove watch class usage from machine class
• 01a0b3e6 fix: add required SQLite storage path flag to compose.yaml
• d133b564 fix(frontend): fix multi-doc parsing when creating single node clusters
• 4f6f0707 chore: update readme img
• 2f1f0f78 test: fix flaky unit tests
• 2ecd603c refactor(frontend): fix some minor lint warnings
• 1f237905 fix: compare current and new kernel args more defensively
• d262e03b feat: allow unrejecting machines from the ui
• d67b25f6 fix: track dependendants for searchFor in watch
• d7d54916 refactor(frontend): remove from backupslist
• 8f5d64f8 test: add embedded etcd smoke test to helm e2e
• ccc197b2 refactor: replace the old helm chart with the new one
• 69c2759b fix: break the dep loop in the cluster machine config status controller
• dbf34e24 refactor(frontend): add type checking for context inclusion
• 52f249db feat: make more things configurable in the helm chart
• fbf36740 test: add unit and e2e tests to the helm chart
• 04bcff7a fix: unify helm chart services and ingresses, remove JSON schema
• 0c2c5c1c test: use envsubst in tests and do small improvements
• bd86ff31 chore: remove deprecated migration flags, config fields, and migration code
• afdf123e feat: add support for Kubernetes CA rotation
• 4c9212f6 refactor: remove global runtime registry, inject runtimes to services
• f845af53 feat(frontend): show pending and historical config diffs in ui
• 939a9a08 chore: expose machine request set id in the provision context
• 7d80fede feat: support custom Vault Kubernetes auth mount path
• 30d17dcf chore: update Go to 1.26 in go.mod, rekres, fix linting issues
• d1c869a9 chore: bump deps, rekres
• a89d270c fix: replace gotextdiff with linear-space Myers diff to prevent OOM
• 05e42f9a feat: expose metrics for sqlite state and add cleanup counters
• 868f8ac1 test: reach maintenance mode machines' Talos API through Omni in tests
• ed5efa5d feat(frontend): for frontend auth flow dont require login click
• ef3e3bc1 test: use automation sa directly in integration tests
• 6102db4e fix: use single shared etcd backup store factory
• 70c9a549 fix: properly generate upgrade diffs for the imported cluster
• 337bbe6c fix: fix memory leak in the config diff compute code
• 69b8e997 feat: update machinery doc links
• 79f85eec feat: add configuration options for audit log cleanup
• 7e4bc18f feat(frontend): refactor confirm modal with reka-ui
• 4009aa42 fix(frontend): import undefined components and add lint rule
• 0a4dab64 refactor(frontend): rename tbutton type to variant
• e4b1f3b5 refactor(frontend): refactor patches, machine class, and node destroy watches
• 9bca00a7 test(installation-media): write e2e test for the wizard
• a2eedd8d feat(installation-media): replace modal with wizard by default
• f3cdbda7 refactor: remove global config, inject it to services
• ed94ce9c fix: update the error for sqlite library
• f61b72f5 refactor(frontend): reimplement tabs using reka-ui
• 4ef8c73b feat: move omni schematic cache to ephemeral
• b9bd3f90 refactor: migrate all SQLite usage to zombiezen
• 922d8418 feat(frontend): add instructions on how to export cluster templates
• b72b00b4 feat: bump minimum talos version to 1.8
• 0906bcc2 fix: prevent unwanted upgrades of non-image-factory machines
• 76fd73f6 feat(frontend): add clarification text to backup settings
• e60b8091 feat(installation-media): remove hover on table rows and make name clickable
• 3a18fdd5 refactor(frontend): remove from cluster machines
• eae8f84e fix: handle deletion event on InstallationMediaConfig validation
• 4cc3a3da test: do not check for empty wipe id in static infra provider test
• 3d2dc7b5 feat(frontend): allow embedding youtube videos
• 8f33ee1e fix: pause cluster machine watches until expanded
• f2f8842a feat(installation-media): use usedownloadimage composable in download preset modal
• c319d7bc fix: fix schematic generation for machines in agent mode
• e73acfde chore: update dependencies
• b83852a9 feat(installation-media): add download progress and omni specific filenames to images
• 197a7fa8 chore(frontend): update dependencies
• dc2c9480 fix: check config generation errors before computing redacted configs
• 7e0bec69 feat(installation-media): backend validation for installation media configs
• 1e24fd22 feat: implement helm chart v2
• c86c2e02 test: add e2e test to validate machine tabs
• 74e4abf8 feat(installation-media): replace edit naming with clone for installation media
• c6cc25c7 feat: add support for Talos CA rotation

Changes since v1.6.0-beta.0

6 commits

• afe41b09 release(v1.6.0-beta.1): prepare release
• e2adcb0b fix: close ssa manager after use
• 543cf70b chore: force SSA manifests sync mode for Talos >= 1.13
• 6a0da38f chore(frontend): bump dependencies
• ef3946cf fix: use uncached read for MachineExtensions in SchematicConfiguration
• 1e6be81f refactor: introduce uncached reader/writer package, fix flaky tests

Changes from siderolabs/discovery-api

2 commits

• 9c06846 feat: change the way excluded addresses are specified
• f71a14a feat: add advertised filters to discovery data

Changes from siderolabs/discovery-client

2 commits

• 854400f feat: bump discovery API to v0.1.8
• 0a4c6fd chore: update dependencies and rekres

Changes from siderolabs/discovery-service

2 commits

• 8863fd8 release(v1.0.14): prepare release
• e0c8062 chore: rekres and update dependencies

Changes from siderolabs/go-debug

1 commit

• 47fce68 feat: support Go 1.26, rekres

Changes from siderolabs/go-kubernetes

10 commits

• 8364add chore: small improcements to ssa package
• a95f3bf chore: add helper functions for CLI applications
• f2c063b test: add integration tests for ssa logic
• 9de92cf refactor: drop k8s.io/utils
• 8e6f068 fix: bring back legacy sync
• de675a0 fix: stop using custom dialer for Kubernetes client
• e7a89c3 refactor: use fluxcd/ssa instead of kubernetes cli-utils for ssa
• 0a235c0 feat: add early support for Kubernetes 1.36
• 3bea212 fix: use new Myers diff algorithm
• 604c56b chore: extract common code to the go-kubernetes package

Changes from siderolabs/image-factory

37 commits

• f0c7a7b release(v1.0.3): prepare release
• dd92631 docs: correct path to hack/copy-artifacts.sh
• ddc1a83 fix: update Talos to fix rpi_5 build
• b3d07e5 docs: remove redundant Kubernetes version prerequisite
• 9666795 fix: values.schema.json
• 8a8da46 feat: adjust security context for user namespace mode
• bc631dc fix: values.schema.json
• 8ea6fe9 feat: add user namespace support with Kubernetes version validation
• 324c464 fix: skip initializing TUF if keyless signing is disabled
• a42b9d9 release(v1.0.2): prepare release
• 80d1ba3 fix: pass nameoptions to verify bundle too
• eec01d1 release(v1.0.1): prepare release
• ec1c0a7 fix: pass insecure to the cosign new bundle verifier
• 14d0f2a release(v1.0.0): prepare release
• a90529c feat: add more security contexts
• ec69fe2 fix: extra kernel args for overlays
• aa325ee feat: add Helm docs and schema
• 3c18e05 feat: add Sidero google service account email also to verfiers
• 151feb5 fix: docs url
• 42a1c45 feat: add helm to kres
• ac4718a feat: update Talos and pkgs
• 1d6468e feat: add helm e2e to CI
• 2f0499c feat: added e2e tests
• 2eccf98 fix: made changes on the recommendation of copilot
• e27ea36 feat: Added E2E with KUTTL
• 9f6b9e7 feat: Added additional tests
• 4939747 feat: Added helm unittests
• dcaa1db feat: added helmchart
• 1f85622 feat: add cloudflare credentials helper
• 852856d fix: installer internal config
• c8c6576 release(v1.0.0-beta.0): prepare release
• 56bd21b fix: allow Cache-Control header in CORS
• 83f4d91 fix: clarify bootloader selection
• c8c5faa feat: allow using image GET/HEAD API by the JS code on any domains
• e732d90 feat: support acm for secureboot
• 5f103c1 feat: support copying to clipboard
• c3532c4 feat: update Talos with GRUB and other fixes

Changes from siderolabs/kms-client

3 commits

• 296bf9a feat: add logging to the KMS server
• 2d6b082 feat: add TLS support for KMS server
• 4233ecd chore: bump deps, rekres

Dependency Changes

• github.com/aws/aws-sdk-go-v2 v1.41.1 -> v1.41.2
• github.com/aws/aws-sdk-go-v2/config v1.32.7 -> v1.32.10
• github.com/aws/aws-sdk-go-v2/credentials v1.19.7 -> v1.19.10
• github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.20.19 -> v1.22.4
• github.com/aws/aws-sdk-go-v2/service/s3 v1.95.1 -> v1.96.2
• github.com/aws/smithy-go v1.24.0 -> v1.24.1
• github.com/cosi-project/runtime 2b3357ea6788 -> v1.14.0
• github.com/cosi-project/state-sqlite v0.1.1 -> v0.3.0
• github.com/emicklei/dot v1.10.0 -> v1.11.0
• github.com/google/go-containerregistry v0.20.7 -> v0.21.1
• github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.4 -> v2.28.0
• github.com/johannesboyne/gofakes3 ebf3e50324d3 -> 4c385a1f6a73
• github.com/siderolabs/discovery-api v0.1.6 -> v0.1.8
• github.com/siderolabs/discovery-client v0.1.13 -> v0.1.15
• github.com/siderolabs/discovery-service v1.0.13 -> v1.0.14
• github.com/siderolabs/go-debug v0.6.1 -> v0.6.2
• github.com/siderolabs/go-kubernetes v0.2.30 -> 8364adde8878
• github.com/siderolabs/image-factory b5ba6630ed93 -> v1.0.3
• github.com/siderolabs/kms-client v0.1.0 -> v0.2.0
• github.com/siderolabs/omni/client v1.4.7 -> v1.5.7
• github.com/siderolabs/talos/pkg/machinery b9e27ebe72c4 -> cc636f1dd1f1
• github.com/zitadel/oidc/v3 v3.45.3 -> v3.45.4
• go.etcd.io/etcd/client/pkg/v3 v3.6.7 -> v3.6.8
• go.etcd.io/etcd/client/v3 v3.6.7 -> v3.6.8
• go.etcd.io/etcd/server/v3 v3.6.7 -> v3.6.8
• go.yaml.in/yaml/v4 v4.0.0-rc.3 -> v4.0.0-rc.4
• golang.org/x/crypto v0.47.0 -> v0.48.0
• golang.org/x/net v0.49.0 -> v0.51.0
• golang.org/x/oauth2 v0.34.0 -> v0.35.0
• golang.org/x/text v0.33.0 -> v0.34.0
• golang.org/x/tools v0.41.0 -> v0.42.0
• google.golang.org/grpc v1.78.0 -> v1.79.1
• google.golang.org/protobuf v1.36.11 -> f2248ac996af
• k8s.io/api v0.35.0 -> v0.35.2
• k8s.io/client-go v0.35.0 -> v0.35.2
• sigs.k8s.io/controller-runtime v0.22.4 -> v0.23.1
• zombiezen.com/go/sqlite v1.4.2 new

Previous release can be found at v1.5.0

---

This discussion was created from the release v1.6.0-beta.1.