v1.7.1

Omni 1.7.1 (2026-04-24)

Welcome to the v1.7.1 release of Omni!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/omni/issues.

Urgent Upgrade Notes (No, really, you MUST read this before you upgrade)

A EULA agreement has been added to Omni which must be accepted in order to continue using it.

This agreement can be accepted through UI or programmatically either by adding the below flags:

--eula-accept-name=Your Name
--eula-accept-email=your@email.com

Or if using --config-path with the below configuration:

eulaAccept:
  name: Your Name
  email: your@email.com

Contributors

• Artem Chernyshev

Changes

2 commits

• 1074e213 release(v1.7.1): prepare release
• 360dc72d fix: skip allocating nodes for deleted/tearing down MachineRequests

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.7.0

v1.7.0

Omni 1.7.0 (2026-04-17)

Welcome to the v1.7.0 release of Omni!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/omni/issues.

Urgent Upgrade Notes (No, really, you MUST read this before you upgrade)

A EULA agreement has been added to Omni which must be accepted in order to continue using it.

This agreement can be accepted through UI or programmatically either by adding the below flags:

--eula-accept-name=Your Name
--eula-accept-email=your@email.com

Or if using --config-path with the below configuration:

eulaAccept:
  name: Your Name
  email: your@email.com

Allow Machine Request Destroy

Machine requests are now created without a controller owner, allowing operators and admins to teardown stuck or unwanted requests directly. The controller replaces destroyed requests automatically to maintain the desired machine count.

Browsable Audit Logs in the UI

Audit logs are now browsable directly in the Omni UI, making it easier to review audit events without CLI access.

Human-Readable Config Validation Errors

Configuration validation errors are now presented in a human-readable format, making it easier to diagnose and fix configuration issues.

Move Omni Defaults to JSONSchema

Omni default config values are now defined in the JSONSchema.

Direct Talos Node Access via SideroLink

All Talos nodes can now be accessed directly via their SideroLink endpoint, removing the need to route through the load balancer for Talos API calls. Allowing direct access to worker nodes when control plane nodes are unavailable.

Kubernetes Manifests Sync

Omni now supports syncing Kubernetes manifests directly to managed clusters. Manifests can be defined in cluster templates, allowing declarative management of Kubernetes resources alongside cluster configuration.

omnictl edit Command

A new omnictl edit command has been added, allowing users to edit Omni resources interactively from the CLI.

Allow Using talosctl debug

Update Omni Talos API proxy code to elevate permissions for talosctl debug command.

Workload Proxy Subdomain Options

The workload proxy now supports an empty subdomain configuration and a new useOmniSubdomain option, providing more flexibility in how workload proxy URLs are structured.

Contributors

• Edward Sammut Alessi
• Utku Ozdemir
• Artem Chernyshev
• Oguz Kilcan
• Andrey Smirnov
• Orzelius
• Dmitriy Matrenichev
• Hector Monsalve
• Justin Garrison

Changes

78 commits

• 5e912b14 release(v1.7.0): prepare release
• a25c5fde chore: prepare omni with talos v1.13.0-rc
• 77859611 chore: bump talos machinery
• 851d0e25 chore: bump deps
• 9afdc911 fix(frontend): open external eula link in a new tab
• 8933e716 release(v1.7.0-beta.1): prepare release
• cad37135 feat: implement eula guard for omni
• 0d92cc0d feat: allow force destroying machine requests
• 507becf1 feat: toggle info buttons if already opened
• db4f1d7d fix: attribute SA audit events to the performing admin
• 0773827c fix(frontend): disable workload proxy checkbox if disabled on instance
• f5aa0f72 fix: always set last error on manifests sync failure
• ba80cf6e fix: use resource definition's default namespace in omnictl get
• 131bd3a6 feat: allow using talosctl debug
• cf463639 feat: move config defaults into the JSON schema
• 53ed351d fix: evict per-machine cache entries before the cluster-wide entry
• 4352f3cb release(v1.7.0-beta.0): prepare release
• 9b09e8b0 fix: apply --force-context-name on initial kubeconfig creation
• 3251d142 fix: batch SQLite cleanup deletes to reduce write lock contention
• b6e3280a chore: bump go to v1.26.2
• 9201358b chore: bump dependencies and rekres
• e4760526 feat: support omnictl edit command
• 78bfa12a chore: collect metrics on the initial Collect call to avoid empty data
• 43be52c7 chore: bump sqlite metrics collector timeout and interval
• 5db4dbfa test: lock prepared for Omni upgrade cluster, then check pending changes
• 76d0c6a2 chore: extract sqlite metrics collector into a separate goroutine
• 68305854 chore(frontend): bump yaml to 2.8.3
• f0dd48f3 feat(frontend): place machine labels on new line for cluster scale/create
• d10f1f1c fix: log errors from the metrics endpoint handler
• 5edcef1f refactor(frontend): drop the views/cluster folder
• 65c6b804 refactor(frontend): drop the components/common folder
• cc71b5b5 refactor(frontend): drop the views/omni folder
• 0e66352f fix: fix stale writes of MachineRequestStatus in infra provider lib
• 2bb49a95 fix(frontend): fix useclusterpermissions not reacting to cluster changes
• 1bbe869b fix: clean up stale identity last active resources on identity removal
• a366efb9 fix: add missing cluster relations to resource types
• ff5d9beb test: add e2e tests for key expiration
• 6efb0f2f feat: support Kubernetes manifests in the cluster templates
• 73f3079f fix(frontend): hide machine tutorial card if we have machines
• fe7c1beb fix(frontend): fix ui error on cluster all nodes page
• e46d9420 fix(frontend): prevent invalid auth states in frontend
• b720fc30 fix(frontend): prevent saving unconfirmed keys
• 2a863fcf chore: rewrite cluster workload proxy controller to use manifests
• 7cb5ba3c feat(frontend): introduce browsable audit logs in the frontend
• 2b39af72 refactor(frontend): abort useresource get/list queries on unmount
• c6f2413d fix: enable Teardown audit logs
• 26798512 chore: bump deps, rekres, Talos 1.12.6, Kubernetes 1.35.3
• [44c0d0e2](44c0d0e210e67b5d8afa41d4...

v1.7.0-beta.1

Omni 1.7.0-beta.1 (2026-04-13)

Welcome to the v1.7.0-beta.1 release of Omni!
This is a pre-release of Omni

Please try out the release binaries and report any issues at
https://github.com/siderolabs/omni/issues.

Urgent Upgrade Notes (No, really, you MUST read this before you upgrade)

A EULA agreement has been added to Omni which must be accepted in order to continue using it.

This agreement can be accepted through UI or programmatically either by adding the below flags:

--eula-accept-name=Your Name
--eula-accept-email=your@email.com

Or if using --config-path with the below configuration:

eulaAccept:
  name: Your Name
  email: your@email.com

Allow Machine Request Destroy

Machine requests are now created without a controller owner, allowing operators and admins to teardown stuck or unwanted requests directly. The controller replaces destroyed requests automatically to maintain the desired machine count.

Browsable Audit Logs in the UI

Audit logs are now browsable directly in the Omni UI, making it easier to review audit events without CLI access.

Human-Readable Config Validation Errors

Configuration validation errors are now presented in a human-readable format, making it easier to diagnose and fix configuration issues.

Move Omni Defaults to JSONSchema

Omni default config values are now defined in the JSONSchema.

Direct Talos Node Access via SideroLink

All Talos nodes can now be accessed directly via their SideroLink endpoint, removing the need to route through the load balancer for Talos API calls. Allowing direct access to worker nodes when control plane nodes are unavailable.

Kubernetes Manifests Sync

Omni now supports syncing Kubernetes manifests directly to managed clusters. Manifests can be defined in cluster templates, allowing declarative management of Kubernetes resources alongside cluster configuration.

omnictl edit Command

A new omnictl edit command has been added, allowing users to edit Omni resources interactively from the CLI.

Allow Using talosctl debug

Update Omni Talos API proxy code to elevate permissions for talosctl debug command.

Workload Proxy Subdomain Options

The workload proxy now supports an empty subdomain configuration and a new useOmniSubdomain option, providing more flexibility in how workload proxy URLs are structured.

Contributors

• Edward Sammut Alessi
• Utku Ozdemir
• Artem Chernyshev
• Oguz Kilcan
• Andrey Smirnov
• Orzelius
• Dmitriy Matrenichev
• Hector Monsalve
• Justin Garrison

Changes

73 commits

• 8933e716 release(v1.7.0-beta.1): prepare release
• cad37135 feat: implement eula guard for omni
• 0d92cc0d feat: allow force destroying machine requests
• 507becf1 feat: toggle info buttons if already opened
• db4f1d7d fix: attribute SA audit events to the performing admin
• 0773827c fix(frontend): disable workload proxy checkbox if disabled on instance
• f5aa0f72 fix: always set last error on manifests sync failure
• ba80cf6e fix: use resource definition's default namespace in omnictl get
• 131bd3a6 feat: allow using talosctl debug
• cf463639 feat: move config defaults into the JSON schema
• 53ed351d fix: evict per-machine cache entries before the cluster-wide entry
• 4352f3cb release(v1.7.0-beta.0): prepare release
• 9b09e8b0 fix: apply --force-context-name on initial kubeconfig creation
• 3251d142 fix: batch SQLite cleanup deletes to reduce write lock contention
• b6e3280a chore: bump go to v1.26.2
• 9201358b chore: bump dependencies and rekres
• e4760526 feat: support omnictl edit command
• 78bfa12a chore: collect metrics on the initial Collect call to avoid empty data
• 43be52c7 chore: bump sqlite metrics collector timeout and interval
• 5db4dbfa test: lock prepared for Omni upgrade cluster, then check pending changes
• 76d0c6a2 chore: extract sqlite metrics collector into a separate goroutine
• 68305854 chore(frontend): bump yaml to 2.8.3
• f0dd48f3 feat(frontend): place machine labels on new line for cluster scale/create
• d10f1f1c fix: log errors from the metrics endpoint handler
• 5edcef1f refactor(frontend): drop the views/cluster folder
• 65c6b804 refactor(frontend): drop the components/common folder
• cc71b5b5 refactor(frontend): drop the views/omni folder
• 0e66352f fix: fix stale writes of MachineRequestStatus in infra provider lib
• 2bb49a95 fix(frontend): fix useclusterpermissions not reacting to cluster changes
• 1bbe869b fix: clean up stale identity last active resources on identity removal
• a366efb9 fix: add missing cluster relations to resource types
• ff5d9beb test: add e2e tests for key expiration
• 6efb0f2f feat: support Kubernetes manifests in the cluster templates
• 73f3079f fix(frontend): hide machine tutorial card if we have machines
• fe7c1beb fix(frontend): fix ui error on cluster all nodes page
• e46d9420 fix(frontend): prevent invalid auth states in frontend
• b720fc30 fix(frontend): prevent saving unconfirmed keys
• 2a863fcf chore: rewrite cluster workload proxy controller to use manifests
• 7cb5ba3c feat(frontend): introduce browsable audit logs in the frontend
• 2b39af72 refactor(frontend): abort useresource get/list queries on unmount
• c6f2413d fix: enable Teardown audit logs
• 26798512 chore: bump deps, rekres, Talos 1.12.6, Kubernetes 1.35.3
• 44c0d0e2 feat: update omnictl version warning text
• 72dfad7d feat: update github issue templates
• 53f94596 fix(frontend): address login race conditions
• ada03608 feat: add a way to sync Kubernetes manifests in Omni
• d6f50a7f fix: disable client IP...

v1.7.0-beta.0

Omni 1.7.0-beta.0 (2026-04-09)

Welcome to the v1.7.0-beta.0 release of Omni!
This is a pre-release of Omni

Please try out the release binaries and report any issues at
https://github.com/siderolabs/omni/issues.

Browsable Audit Logs in the UI

Audit logs are now browsable directly in the Omni UI, making it easier to review audit events without CLI access.

Human-Readable Config Validation Errors

Configuration validation errors are now presented in a human-readable format, making it easier to diagnose and fix configuration issues.

Direct Talos Node Access via SideroLink

All Talos nodes can now be accessed directly via their SideroLink endpoint, removing the need to route through the load balancer for Talos API calls. Allowing direct access to worker nodes when control plane nodes are unavailable.

Kubernetes Manifests Sync

Omni now supports syncing Kubernetes manifests directly to managed clusters. Manifests can be defined in cluster templates, allowing declarative management of Kubernetes resources alongside cluster configuration.

omnictl edit Command

A new omnictl edit command has been added, allowing users to edit Omni resources interactively from the CLI.

Workload Proxy Subdomain Options

The workload proxy now supports an empty subdomain configuration and a new useOmniSubdomain option, providing more flexibility in how workload proxy URLs are structured.

Contributors

• Edward Sammut Alessi
• Utku Ozdemir
• Artem Chernyshev
• Oguz Kilcan
• Andrey Smirnov
• Orzelius
• Dmitriy Matrenichev
• Hector Monsalve

Changes

62 commits

• 4352f3cb release(v1.7.0-beta.0): prepare release
• 9b09e8b0 fix: apply --force-context-name on initial kubeconfig creation
• 3251d142 fix: batch SQLite cleanup deletes to reduce write lock contention
• b6e3280a chore: bump go to v1.26.2
• 9201358b chore: bump dependencies and rekres
• e4760526 feat: support omnictl edit command
• 78bfa12a chore: collect metrics on the initial Collect call to avoid empty data
• 43be52c7 chore: bump sqlite metrics collector timeout and interval
• 5db4dbfa test: lock prepared for Omni upgrade cluster, then check pending changes
• 76d0c6a2 chore: extract sqlite metrics collector into a separate goroutine
• 68305854 chore(frontend): bump yaml to 2.8.3
• f0dd48f3 feat(frontend): place machine labels on new line for cluster scale/create
• d10f1f1c fix: log errors from the metrics endpoint handler
• 5edcef1f refactor(frontend): drop the views/cluster folder
• 65c6b804 refactor(frontend): drop the components/common folder
• cc71b5b5 refactor(frontend): drop the views/omni folder
• 0e66352f fix: fix stale writes of MachineRequestStatus in infra provider lib
• 2bb49a95 fix(frontend): fix useclusterpermissions not reacting to cluster changes
• 1bbe869b fix: clean up stale identity last active resources on identity removal
• a366efb9 fix: add missing cluster relations to resource types
• ff5d9beb test: add e2e tests for key expiration
• 6efb0f2f feat: support Kubernetes manifests in the cluster templates
• 73f3079f fix(frontend): hide machine tutorial card if we have machines
• fe7c1beb fix(frontend): fix ui error on cluster all nodes page
• e46d9420 fix(frontend): prevent invalid auth states in frontend
• b720fc30 fix(frontend): prevent saving unconfirmed keys
• 2a863fcf chore: rewrite cluster workload proxy controller to use manifests
• 7cb5ba3c feat(frontend): introduce browsable audit logs in the frontend
• 2b39af72 refactor(frontend): abort useresource get/list queries on unmount
• c6f2413d fix: enable Teardown audit logs
• 26798512 chore: bump deps, rekres, Talos 1.12.6, Kubernetes 1.35.3
• 44c0d0e2 feat: update omnictl version warning text
• 72dfad7d feat: update github issue templates
• 53f94596 fix(frontend): address login race conditions
• ada03608 feat: add a way to sync Kubernetes manifests in Omni
• d6f50a7f fix: disable client IP reporting in embedded discovery service
• 3b2f6daa feat(frontend): refactor watch to allow watch singletons outside of components
• 027ff314 fix(frontend): respect embedded discovery checkbox in cluster create
• b9cabbd9 feat: add deprecation notification for non-ImageFactory machines
• 21a08702 chore(frontend): bump monaco-editor to 0.55.1
• 7699f5e7 chore(frontend): bump frontend deps
• 5b29817f fix: restore resolved node address fallback
• 56b6a90f feat: make config validation errors human-readable
• 9052ebc2 fix: allow Talos API read and copy methods
• cfb18f36 chore: rewrite machine status link as qcontroller
• c7f60c0c feat: access all Talos nodes directly via their SideroLink endpoint
• 311f75ce feat(frontend): remove cookie consent banner
• 2977f053 feat: allow empty subdomain for workload proxy
• d5862a27 fix(frontend): prevent flashing no access during login
• e85ab384 fix: correct SQLite size metrics to include indexes and freelist
• 621d3f44 fix: fix panics in diff algorithms
• 90d73211 fix: use dynamic SQLite pool
• 1fc2e01f fix: track load balancer port allocations in-memory
• [e35ff83f](e35ff83...

v1.6.5

Omni 1.6.5 (2026-04-09)

Welcome to the v1.6.5 release of Omni!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/omni/issues.

Urgent Upgrade Notes (No, really, you MUST read this before you upgrade)

The deprecated flags and config fields that were kept for the SQLite migration period (introduced in v1.4.0) have been removed.

If you still have any of the following flags or config keys set, you must remove them before upgrading, as they will cause startup errors:

• --audit-log-dir (.logs.audit.path)
• --secondary-storage-path (.storage.secondary.path)
• --machine-log-storage-path (.logs.machine.storage.path)
• --machine-log-storage-enabled (.logs.machine.storage.enabled)
• --log-storage-path (.logs.machine.storage.path)
• --embedded-discovery-service-snapshot-path (.services.embeddedDiscoveryService.snapshotsPath)
• --machine-log-buffer-capacity (.logs.machine.bufferInitialCapacity)
• --machine-log-buffer-max-capacity (.logs.machine.bufferMaxCapacity)
• --machine-log-buffer-safe-gap (.logs.machine.bufferSafetyGap)
• --machine-log-num-compressed-chunks (.logs.machine.storage.numCompressedChunks)

The automatic migration code for BoltDB secondary storage, file-based audit logs, file-based discovery service snapshots, and circular buffer machine logs has also been removed. If you are upgrading from a version older than v1.4.0, you must first upgrade to v1.4.x to complete the migrations, then upgrade to this version.

Contributors

• Andrey Smirnov
• Utku Ozdemir
• Oguz Kilcan
• Orzelius
• Artem Chernyshev
• Dmitriy Matrenichev
• Hector Monsalve

Changes

4 commits

• f81832d2 release(v1.6.5): prepare release
• 3640387a fix: batch SQLite cleanup deletes to reduce write lock contention
• 2c7de540 chore: bump go to v1.26.2
• bcf85902 chore: bump dependencies and rekres

Changes from siderolabs/crypto

1 commit

• 6d82f0c fix: bump minimum TLS version to v1.3

Changes from siderolabs/discovery-service

4 commits

• f1fdd95 release(v1.0.17): prepare release
• 2267f4c feat: store relative expiration (TTL) instead of absolute
• f708818 release(v1.0.16): prepare release
• 379016a feat: add option to disable client IP reporting in Hello response

Changes from siderolabs/go-kubernetes

5 commits

• 503792d chore: add retry to main kubernetes operations
• 6a00c4f feat: handle CR defined alongside their CRD in the same apply
• 4ff2602 feat: update deprecations to Kuberntes 1.36.0-beta.0
• 691a26b feat: add StateProvider for per-node COSI state in upgrade checks
• 92163c3 fix: set a the context logger

Changes from siderolabs/go-talos-support

2 commits

• 6ec24a7 feat: add per-node Talos client provider for support bundle collection
• 5e0155f fix: add trailing new line when writing to logger

Changes from siderolabs/grpc-proxy

3 commits

• d670c42 chore: bump dependencies
• 8614c71 chore: bump deps
• 80677e0 fix: propagate the headers before the message

Changes from siderolabs/proto-codec

1 commit

• 9b8a14e chore: bump dependencies

Changes from siderolabs/siderolink

1 commit

• 0a1933c chore: bump dependencies

Dependency Changes

• github.com/ProtonMail/gopenpgp/v2 v2.9.0 -> v2.10.0
• github.com/aws/aws-sdk-go-v2 v1.41.3 -> v1.41.5
• github.com/aws/aws-sdk-go-v2/config v1.32.11 -> v1.32.14
• github.com/aws/aws-sdk-go-v2/credentials v1.19.11 -> v1.19.14
• github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.22.6 -> v1.22.12
• github.com/aws/aws-sdk-go-v2/service/s3 v1.96.4 -> v1.98.0
• github.com/aws/smithy-go v1.24.2 -> v1.24.3
• github.com/cosi-project/runtime v1.14.0 -> v1.14.1
• github.com/go-jose/go-jose/v4 v4.1.3 -> v4.1.4
• github.com/google/go-containerregistry v0.21.2 -> v0.21.4
• github.com/hashicorp/vault/api v1.22.0 -> v1.23.0
• github.com/hashicorp/vault/api/auth/kubernetes v0.10.0 -> v0.12.0
• github.com/siderolabs/crypto v0.6.4 -> v0.6.5
• github.com/siderolabs/discovery-service v1.0.15 -> v1.0.17
• github.com/siderolabs/go-kubernetes 8364adde8878 -> v0.2.36
• github.com/siderolabs/go-talos-support v0.1.4 -> v0.2.0
• github.com/siderolabs/grpc-proxy v0.5.1 -> v0.5.2
• github.com/siderolabs/omni/client v1.5.9 -> v1.6.1
• github.com/siderolabs/proto-codec v0.1.3 -> v0.1.4
• github.com/siderolabs/siderolink v0.3.15 -> v0.3.16
• github.com/siderolabs/talos/pkg/machinery cc636f1dd1f1 -> v1.13.0-beta.1
• github.com/zitadel/oidc/v3 v3.45.5 -> v3.46.0
• go.etcd.io/etcd/client/pkg/v3 v3.6.8 -> v3.6.10
• go.etcd.io/etcd/client/v3 v3.6.8 -> v3.6.10
• go.etcd.io/etcd/server/v3 v3.6.8 -> v3.6.10
• golang.org/x/tools v0.42.0 -> v0.43.0
• k8s.io/api v0.35.2 -> v0.35.3
• k8s.io/client-go v0.35.2 -> v0.35.3

Previous release can be found at v1.6.4

v1.6.4

Omni 1.6.4 (2026-04-02)

Welcome to the v1.6.4 release of Omni!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/omni/issues.

Urgent Upgrade Notes (No, really, you MUST read this before you upgrade)

The deprecated flags and config fields that were kept for the SQLite migration period (introduced in v1.4.0) have been removed.

If you still have any of the following flags or config keys set, you must remove them before upgrading, as they will cause startup errors:

• --audit-log-dir (.logs.audit.path)
• --secondary-storage-path (.storage.secondary.path)
• --machine-log-storage-path (.logs.machine.storage.path)
• --machine-log-storage-enabled (.logs.machine.storage.enabled)
• --log-storage-path (.logs.machine.storage.path)
• --embedded-discovery-service-snapshot-path (.services.embeddedDiscoveryService.snapshotsPath)
• --machine-log-buffer-capacity (.logs.machine.bufferInitialCapacity)
• --machine-log-buffer-max-capacity (.logs.machine.bufferMaxCapacity)
• --machine-log-buffer-safe-gap (.logs.machine.bufferSafetyGap)
• --machine-log-num-compressed-chunks (.logs.machine.storage.numCompressedChunks)

The automatic migration code for BoltDB secondary storage, file-based audit logs, file-based discovery service snapshots, and circular buffer machine logs has also been removed. If you are upgrading from a version older than v1.4.0, you must first upgrade to v1.4.x to complete the migrations, then upgrade to this version.

Contributors

• Artem Chernyshev

Changes

2 commits

• 8cc2c4d6 release(v1.6.4): prepare release
• 4bea9686 chore: bump sqlite metrics collector timeout and interval

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.6.3

v1.6.3

Omni 1.6.3 (2026-04-01)

Welcome to the v1.6.3 release of Omni!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/omni/issues.

Urgent Upgrade Notes (No, really, you MUST read this before you upgrade)

The deprecated flags and config fields that were kept for the SQLite migration period (introduced in v1.4.0) have been removed.

If you still have any of the following flags or config keys set, you must remove them before upgrading, as they will cause startup errors:

• --audit-log-dir (.logs.audit.path)
• --secondary-storage-path (.storage.secondary.path)
• --machine-log-storage-path (.logs.machine.storage.path)
• --machine-log-storage-enabled (.logs.machine.storage.enabled)
• --log-storage-path (.logs.machine.storage.path)
• --embedded-discovery-service-snapshot-path (.services.embeddedDiscoveryService.snapshotsPath)
• --machine-log-buffer-capacity (.logs.machine.bufferInitialCapacity)
• --machine-log-buffer-max-capacity (.logs.machine.bufferMaxCapacity)
• --machine-log-buffer-safe-gap (.logs.machine.bufferSafetyGap)
• --machine-log-num-compressed-chunks (.logs.machine.storage.numCompressedChunks)

The automatic migration code for BoltDB secondary storage, file-based audit logs, file-based discovery service snapshots, and circular buffer machine logs has also been removed. If you are upgrading from a version older than v1.4.0, you must first upgrade to v1.4.x to complete the migrations, then upgrade to this version.

Contributors

• Artem Chernyshev

Changes

3 commits

• 88565b0f release(v1.6.3): prepare release
• b71f8507 chore: collect metrics on the initial Collect call to avoid empty data
• 7783277e chore: extract sqlite metrics collector into a separate goroutine

Dependency Changes

• golang.org/x/crypto v0.48.0 -> v0.49.0
• golang.org/x/net v0.51.0 -> v0.52.0
• golang.org/x/text v0.34.0 -> v0.35.0
• google.golang.org/grpc v1.79.2 -> v1.80.0

Previous release can be found at v1.6.2

v1.6.2

Omni 1.6.2 (2026-03-25)

Welcome to the v1.6.2 release of Omni!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/omni/issues.

Urgent Upgrade Notes (No, really, you MUST read this before you upgrade)

The deprecated flags and config fields that were kept for the SQLite migration period (introduced in v1.4.0) have been removed.

If you still have any of the following flags or config keys set, you must remove them before upgrading, as they will cause startup errors:

• --audit-log-dir (.logs.audit.path)
• --secondary-storage-path (.storage.secondary.path)
• --machine-log-storage-path (.logs.machine.storage.path)
• --machine-log-storage-enabled (.logs.machine.storage.enabled)
• --log-storage-path (.logs.machine.storage.path)
• --embedded-discovery-service-snapshot-path (.services.embeddedDiscoveryService.snapshotsPath)
• --machine-log-buffer-capacity (.logs.machine.bufferInitialCapacity)
• --machine-log-buffer-max-capacity (.logs.machine.bufferMaxCapacity)
• --machine-log-buffer-safe-gap (.logs.machine.bufferSafetyGap)
• --machine-log-num-compressed-chunks (.logs.machine.storage.numCompressedChunks)

The automatic migration code for BoltDB secondary storage, file-based audit logs, file-based discovery service snapshots, and circular buffer machine logs has also been removed. If you are upgrading from a version older than v1.4.0, you must first upgrade to v1.4.x to complete the migrations, then upgrade to this version.

Contributors

• Edward Sammut Alessi

Changes

2 commits

• 749c9921 release(v1.6.2): prepare release
• 84149d69 fix(frontend): prevent invalid auth state

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.6.1

v1.6.1

Omni 1.6.1 (2026-03-19)

Welcome to the v1.6.1 release of Omni!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/omni/issues.

Urgent Upgrade Notes (No, really, you MUST read this before you upgrade)

The deprecated flags and config fields that were kept for the SQLite migration period (introduced in v1.4.0) have been removed.

If you still have any of the following flags or config keys set, you must remove them before upgrading, as they will cause startup errors:

• --audit-log-dir (.logs.audit.path)
• --secondary-storage-path (.storage.secondary.path)
• --machine-log-storage-path (.logs.machine.storage.path)
• --machine-log-storage-enabled (.logs.machine.storage.enabled)
• --log-storage-path (.logs.machine.storage.path)
• --embedded-discovery-service-snapshot-path (.services.embeddedDiscoveryService.snapshotsPath)
• --machine-log-buffer-capacity (.logs.machine.bufferInitialCapacity)
• --machine-log-buffer-max-capacity (.logs.machine.bufferMaxCapacity)
• --machine-log-buffer-safe-gap (.logs.machine.bufferSafetyGap)
• --machine-log-num-compressed-chunks (.logs.machine.storage.numCompressedChunks)

The automatic migration code for BoltDB secondary storage, file-based audit logs, file-based discovery service snapshots, and circular buffer machine logs has also been removed. If you are upgrading from a version older than v1.4.0, you must first upgrade to v1.4.x to complete the migrations, then upgrade to this version.

Contributors

• Oguz Kilcan
• Andrey Smirnov
• Artem Chernyshev
• Utku Ozdemir

Changes

8 commits

• 44562c97 release(v1.6.1): prepare release
• 1b7fa208 fix: correct SQLite size metrics to include indexes and freelist
• 0b1e9ea0 fix: fix panics in diff algorithms
• d7ec007b fix: use dynamic SQLite pool
• 3c6dd0ee fix: track load balancer port allocations in-memory
• e2248065 fix: load balancer health status diff and stopped status race
• 079e28c7 chore: export the SQLite memory allocator stats
• e7dfbc9c fix: add omnictl backward compatibility with older Omni servers

Dependency Changes

• github.com/cosi-project/state-sqlite v0.3.0 -> v0.4.0

Previous release can be found at v1.6.0

v1.6.0

Omni 1.6.0 (2026-03-16)

Welcome to the v1.6.0 release of Omni!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/omni/issues.

Urgent Upgrade Notes (No, really, you MUST read this before you upgrade)

The deprecated flags and config fields that were kept for the SQLite migration period (introduced in v1.4.0) have been removed.

If you still have any of the following flags or config keys set, you must remove them before upgrading, as they will cause startup errors:

• --audit-log-dir (.logs.audit.path)
• --secondary-storage-path (.storage.secondary.path)
• --machine-log-storage-path (.logs.machine.storage.path)
• --machine-log-storage-enabled (.logs.machine.storage.enabled)
• --log-storage-path (.logs.machine.storage.path)
• --embedded-discovery-service-snapshot-path (.services.embeddedDiscoveryService.snapshotsPath)
• --machine-log-buffer-capacity (.logs.machine.bufferInitialCapacity)
• --machine-log-buffer-max-capacity (.logs.machine.bufferMaxCapacity)
• --machine-log-buffer-safe-gap (.logs.machine.bufferSafetyGap)
• --machine-log-num-compressed-chunks (.logs.machine.storage.numCompressedChunks)

The automatic migration code for BoltDB secondary storage, file-based audit logs, file-based discovery service snapshots, and circular buffer machine logs has also been removed. If you are upgrading from a version older than v1.4.0, you must first upgrade to v1.4.x to complete the migrations, then upgrade to this version.

Talos and Kubernetes CA Rotation

Omni now supports rotating the Talos and Kubernetes Certificate Authorities for managed clusters.

Talos and Kubernetes Versions in ClusterStatus

The ClusterStatus resource now includes talos_version and kubernetes_version fields, making cluster version information available programmatically. They are now also shown in the cluster list in the UI.

Pending and Historical Config Diffs in UI

The UI now shows pending and historical configuration diffs, making it easy to review what changed and when.

Force Machine Destroy

A --force flag has been added to the machine destroy command (and a corresponding UI option) to forcibly remove machines that are stuck or unresponsive.

Helm Chart v2

A new Helm chart v2 has been implemented with improved structure and more configurable options.
More configuration values are now exposed in the Helm chart, giving operators greater flexibility when deploying Omni.

Installation Media Wizard

The installation media flow now uses a wizard-based UI by default, replacing the previous modal dialog. Presets may now also be saved, allowing for future reuse.

Machine Log Storage Cleanup

Global size-based cleanup has been added for machine log storage, preventing unbounded disk usage.
Configurable options for audit log cleanup have also been added.

Minimum Talos Version Bump

The minimum supported Talos version for new clusters has been bumped to 1.8.

Minor UI Improvements

Other minor UI improvements part of this release:

• Talos and Kubernetes versions are now shown in the cluster list.
• Node name and UUID are shown in the support bundle modal.
• Machine set pools now have a collapse/expand toggle.
• Cluster scaling has been moved to a modal dialog.
• Getting started guidance and empty-state pages have been added for clusters, machines, and machine classes.
• Instructions for adding machines and exporting cluster templates are now shown in the UI.
• Clarification text has been added to backup settings.
• YouTube video embedding is now supported in documentation/onboarding flows.
• The frontend authentication flow no longer requires an explicit login click.
• Resource labels use new colors for improved visual clarity.

Detailed Node Disk Information

The node details page now shows detailed disk information, including disk model, size, and type.

PCI Devices on Node Details

The node details page now includes a dedicated section listing all PCI devices present on the node.

Reset Node Unique Tokens

It is now possible to reset the unique token for a node, which can be useful for re-enrolling machines.

OIDC Token Cache Isolation for Kubeconfigs

Generated kubeconfigs now use isolated OIDC token caches, preventing token collisions between different kubeconfig users.

Pending Machines

Machines that were previously rejected can now be unrejected from the UI, allowing them to be accepted into Omni.

Rejected machines can also now be deleted directly from the UI.

SAML Logout Flow

Omni now implements the SAML logout flow, properly terminating sessions with the SAML identity provider on sign-out.

SQLite Metrics and Cleanup Counters

Metrics for the SQLite state backend have been exposed, along with cleanup counters for better observability.

Upgrade Parallelism

The upgrade parallelism for machine sets can now be configured via cluster templates and the UI, allowing operators to control how many machines are upgraded concurrently.

User and Service Account Activity Tracking

Omni now tracks the last activity time for users and service accounts, providing better visibility into account usage.

User Management gRPC Endpoints

New ManagementService gRPC endpoints have been added for user operations, enabling programmatic user management.

Configurable User and Service Account Limits

Operators can now enforce configurable limits on the number of users and service accounts that can be created in Omni.

Custom Vault Kubernetes Auth Mount Path

The Vault Kubernetes authentication mount path is now configurable, supporting non-default Vault configurations.

Contributors

• Edward Sammut Alessi
• Andrey Smirnov
• Utku Ozdemir
• Oguz Kilcan
• Artem Chernyshev
• Kevin Tijssen
• Noel Georgi
• Orzelius
• Mateusz Urbanek
• Pranav Patil
• Tim Jones
• Daddie0
• Daniil Kivenko
• Dmitrii Sharshakov
• Justin Garrison
• Steve Francis
• greenpsi

Changes

160 commits

• 69873dc8 release(v1.6.0): prepare release
• cf7d7524 feat: enforce configurable machine registration limit
• 711782b0 feat: warn about non-factory machines on extensions and kernel args
• dcf25297 docs: fix cluster create command in development docs
• be6862ac fix(frontend): cater for cmd/ctrl click on cluster/machine links
• 7d902897 fix: properly update infra provider connection status
• cf7be162 release(v1.6.0-beta.3): prepare release
• 6d52a697 feat: add hsts header for omni frontend
• 385c512d test: fix ConfigPatching test
• 72cb85a4 feat: add configurable bandwidth rate limiting for SideroLink tunnel
• 49795f0c feat(frontend): display appropriate message for talos apis when booting
• 3a19194f fix: add missing timeout to the backup download calls in secrets ctrl
• 017b0398 fix(frontend): fix cluster details layout for ultrawide and mobile
• febba94d test: fix flaky link cleanup test
• 118a2c7c chore(frontend): expose error codes on watches
• 28e85107 fix: calculate diff history and machine config out of applied config
• 7a153579 chore: remove go-jsonschema fork, use upstream v0.22.0
• 1e9b733c chore: bump deps, rekres
• 31e13e9e fix: do not release lock on apply config fails
• 91ec5eed fix(frontend): prevent -1 stats on home page
• [cf8f58e6](cf8f58e...