v1.5.0

[Slessi]

Warning

We are currently investigating a potential memory leak during an upgrade from 1.4.8

Omni 1.5.0 (2026-02-05)

Welcome to the v1.5.0 release of Omni!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/omni/issues.

Better Audit Logging

Omni now collects audit logs for operations performed on all user-managed resources, improving security and traceability.

Config Generation

Omni can now generate its own configuration directly from the defined schema.
The config merge algorithms were also improved: now the config preserves the default values properly when some sections are
overwritten by the user provided config.

Etcd Maintenance

The following etcd commands are now usable with Omni managed clusters:
talosctl etcd downgrade validate
talosctl etcd downgrade enable
talosctl etcd downgrade cancel
talosctl etcd forfeit leadership

gRPC Tunnel Management

Added the ability to switch gRPC tunnel modes for connected machines.

Join Token Management

Added a dedicated omnictl jointoken omni-endpoint to streamline node registration.

Kernel Args CLI Tools

Added support for managing kernel arguments directly within cluster templates.

Schema-Aware Code Editor

The built-in code editor for the machine configs now supports different configuration schemas for each Talos version.
So the config will be always validated against the currently running Talos version schema.

omnictl Directory Support

The omnictl sync/apply can now process directories, simplifying bulk resource applications.

WireGuard Bind Address

The WireGuard endpoint (services.siderolink.wireGuard.endpoint / --siderolink-wireguard-bind-addr) is now respected. Previously, Omni always bound to all interfaces regardless of this setting. Default remains 0.0.0.0:50180.

Contributors

• Edward Sammut Alessi
• Utku Ozdemir
• Andrey Smirnov
• Oguz Kilcan
• Artem Chernyshev
• Noel Georgi
• Pranav Patil
• Orzelius
• Laura Brehm
• Aleksandr Gamzin
• Brant Gurganus
• Justin Garrison
• Mateusz Urbanek
• Spencer Smith
• Utku Ozdemir

Changes

125 commits

• c27f8d39 release(v1.5.0): prepare release
• 277c946b fix: prevent unwanted upgrades of non-image-factory machines (backport)
• 9b05243c fix: pause cluster machine watches until expanded
• 6a37b31a fix: check config generation errors before computing redacted configs
• 515701af release(v1.5.0-beta.2): prepare release
• 2aabc02a chore: rekres
• 3a7c9278 chore: rekres to disable helm doc generation step
• c241820e fix: apply AccessPolicy rules on gRPC proxy for Talos backend
• 587356b3 fix: stop generating node unique token in NodeUniqueTokenStatus
• 85ff13f9 feat(installation-media): add step validation to installation media wizard
• 0b33cf8e feat(installation-media): select defaults for each form step
• 8f1eb588 refactor(frontend): extract route.name into a computed ref
• 0d5d7da6 feat: allow multiple --config-path flags for config merging
• 056d5e4e fix: bind wireguard to configured address instead of all interfaces
• 7376edaf fix(installation-media): fix bug when setting arch to amd64
• c3c483d7 fix(installation-media): clarify bootloader section
• 9bcd356c fix: don't submit empty machine labels to create schematic
• 46de2c3a chore: enable no-explicit-any in frontend and fix errors
• d20fd8f0 chore: rekres and generate-frontend
• bc7725f7 feat(installation-media): implement edit preset functionality
• 77a32346 refactor(installation-media): move form state to its own composable
• fe713e94 release(v1.5.0-beta.1): prepare release
• 49788342 test: fix failing workload proxy tests
• a5795c2f feat: add config descriptions in schema, use them in flags
• 883fadfe feat(installation-media): add review page for installation media
• db1b969b refactor(frontend): refactor config patch edit
• d12c92c0 feat(installation-media): allow skipping/jumping between steps
• 993097ae fix: fix tmenuitem to not lose reactivity from props
• 98ef83ee fix: fix config patches encryption when encryption is disabled
• aafc74f9 chore: update packages
• c87c952e refactor(frontend): rekres and use request error from fetch.pb.ts
• 0f8a3d6c test(e2e): add an e2e test for exposed services
• 680c7948 chore: enable noImplicitAny for typescript
• fd82327c release(v1.5.0-beta.0): prepare release
• 587bffe8 fix: fix regressions on service api url generation
• 28a2b87d feat: create sequential stage controller
• 5cfa4ccb fix(frontend): fix loading of machine config
• 6a256ac6 fix: open OIDC plugin link in a new tab
• 8b39d5f1 refactor(frontend): refactor patches watches
• ca61be7e chore: remove unused vite-plugin-node-polyfills
• 50901c1a chore: bump lodash
• 91c8bff4 feat: generate omni config from schema
• 6c220683 refactor(frontend): refactor nodeoverview watches
• 698dd146 fix: always show features section in cluster overview
• d8df9c11 test: wait for 1 minute for cluster to be destroyed
• d3ae77c0 chore: bump copyright to 2026
• 3804184d fix(frontend): keep correct auth flow for cli/workload
• 21a89ae7 docs: update CONTRIBUTING.md
• 2e90fad3 feat: add ominctl jointoken omni-endpoint
• 7919ba7e feat(frontend): constrain machine label width
• b9a049a3 feat(frontend): close tooltips even if hovered on
• b1233347 chore: add environment to chromatic.yml
• 9783f4c5 feat(installation-media): change installation media wizard to be route based
• 41506f72 chore: move graceful config rollout logic to the lowest controller level
• 8e4c6e86 test: regression test for machine class scaling
• b3e430bd test: add e2e for creating and scaling clusters using machine classes
• 0de90a23 feat: support different config schemas for the code editor
• 72557577 refactor: add a majorMinorVersion function to parse versions into major.minor
• f18ec16a refactor(frontend): refactor some watches to useresourcewatch
• cb45c1b4 fix: prevent ClusterMachine creation when Machine is not allocated
• f56551ab chore: move some tests from e2e upgrades e2e test to misc upgrades test
• 82d9bc5b fix: solve new machines not joining omni if they are part of a cluster
• 2d5e58cb chore: rekres and bump deps
• 8f6d0170 chore: bump node to 24.13
• e7a2fa39 fix(frontend): fix incorrect cluster query checking for disk_encryption
• c6aaff0f refactor: make namespace implicit in auth package
• 85d09948 chore: separate integration-tests
• 1483aacb refactor(frontend): expose all vars from watch in watch composable
• c6b29e52 test: add talemu fixtures and split into talemu + qemu tests
• 87e073f9 fix(frontend): fix lost reactivity on cluster overview page
• dff8e1f6 feat: make namespace implicit in k8s and oidc package NewResource functions
• 897db4fb test: fix another test flake in redacted machine config tests
• 4db83819 test: remove machine.install.extraKernelArgs from infra machines
• 79ef09b3 test: add an e2e test for destroying a cluster
• 0bea7ecd test: fix the flake in redacted machine config test
• 1ac3dd90 feat(installation-media): implement ui for listing saved presets
• ed77c84c fix(frontend): support disabled links for buttons
• 4bf2e0de test: fix flaky ECDSA signature generation in TestPlainSignature
• 9514df57 feat: collect audit logs for operations on user managed resources
• de6e2c66 refactor: make namespace implicit in omni resources
• fb08dcaa feat(frontend): add extra information to userpilot
• 9503f850 refactor: make namespace implicit in siderolink resources
• 0902357f fix: correctly filter out tearing down nodes with no finalizers
• 03b76d5a feat(installation-media): add a button to clear wizard state
• 66e243a2 refactor(installation-media): add metal id const and use gets where possible
• ef2d931a chore: rekres and bump deps
• 950ca1b0 refactor(installation-media): extract schematic generation and download links
• 389f0465 feat(frontend): add polymorphic buttons
• 2b53945c fix: use uncached reader for imported cluster secrets, fix its test
• 55fd33db refactor: make namespace implicit in system & virtual resources
• 0be46020 test: improve test stability
• 87f966ab feat: clean up orphaned machine logs from sqlite
• 844207df feat(installation-media): implement ui for saving presets
• 01bf6638 feat: support kernel args management in cluster templates
• 8eb0b50d chore!: set minimum talos version to 1.7.0
• 535d733e chore: drop migrations older than v1.1.0
• e400dd53 fix(frontend): allow selecting all download options for omnictl
• 9726c6bb chore(frontend): update dependencies
• ad027a33 fix(frontend): align cluster machines properly when mixing with classes
• 030ccc8a chore: update slack links
• c91658a9 fix: set secureboot for image correctly from download modal
• 865a0b9d fix(frontend): handle missing talos version when upgrading k8s
• 5c98d44b chore: implement InstallationMediaConfig resource
• e2afe7c7 feat: allow omnictl to handle directories
• b433207a fix(installation-media): prevent double schematic creation for sbc flow
• ed44eaba fix: ignore labeled MachineSetNodes in the UI same way as for CLI
• a9ca74be chore: bump API version to 2 as old CLI is no longer 100% compatible
• 36c20175 fix: ignore labeled MachineSetNodes in the export and sync CLI cmds
• 6a00bfdf fix: run more aggressive compaction for sqlite/metrics
• 40a98bc0 fix: get rid of an exception in the UserInfo
• 3bf0b004 chore(frontend): update storybook to 10.1.10
• 068093f4 fix: implement size-based machine logs cleanup
• 33259946 fix: prevent audit logs migration from getting stuck
• d5f6ebf3 fix(installation-media): parse yaml for overlay options before JSON stringifying
• dee6d8ca chore: make omnictl download go directly to the image factory
• f52e3396 test: refactor TalosUpgradeStatusController tests
• 1d9fbd02 docs: update license link and badge in README
• 48999514 feat: allow Talos APIs for etcd maintenance
• 7ffe5a4d feat(installation-media): allow submitting bootloader to schematic request
• d3e4884b chore: add new fields to the CreateSchematic Omni API
• aa6acff6 chore: support resource list based filtering in the DependencyGraph
• 4a973f9f chore(installation-media): move doc links into icons with tooltips
• c1f43fd6 chore(installation-media): remove links for uki, kernel image, initramfs image
• e6b18ee1 feat(installation-media): implement final confirmation step for wizard
• ee926cd9 feat: add a way to switch gRPC tunnel mode for the connected machines

Changes since v1.5.0-beta.2

4 commits

• c27f8d39 release(v1.5.0): prepare release
• 277c946b fix: prevent unwanted upgrades of non-image-factory machines (backport)
• 9b05243c fix: pause cluster machine watches until expanded
• 6a37b31a fix: check config generation errors before computing redacted configs

Changes from siderolabs/go-kubernetes

4 commits

• ec0e3ae chore: expose more ssa options
• ad2fccd feat: add SSA and pruning support
• c53fcf6 chore: rekres with latest changes
• 6cf115c feat: provide compatibility for Kubernetes 1.35

Changes from siderolabs/image-factory

29 commits

• b5ba663 fix: avoid pulling Talos core in schematic pkg
• b2b0cc8 fix: update cosign to v3.0.4
• fca99d0 chore: update docs/developing.md
• 49f4226 chore: separate kres integration-test variables
• 190aa22 fix: add missing libarchive dependency
• 37bd795 fix: image-factory rootless
• 99cbfd7 fix: don't enforce bundle verified
• cf3e56a chore: bump talos
• 8723b02 fix: drop sbc board support
• f0150c4 feat: use rootless Image Factory
• f57218f feat: refactor configuration of image factory
• e440ce7 fix: support new cosign bundle format
• 5eb1775 feat: introduce Enterprise Image Factory
• fa266e0 release(v0.9.0): prepare release
• 6799661 feat: show booter command in final wizard
• fb22bce feat: support selecting bootloader
• e881e4b feat: bump deps
• d1bec57 feat: implement schematic GET API
• f1dad9d feat: better test matrix
• bc4f959 fix: remove secureboot talosctl preset
• db5e4dc feat: add a prompt about using talosctl cluster create qemu
• 2c5037c chore: bump deps
• 1559666 feat: replace hardcoded artifact image constants with CLI-configurable values
• c27ee27 fix: return 400 when an invalid image name is requested
• 58125d4 feat: support proxying external installer registry
• d782950 feat: support serving TLS froom Image Factory
• 743fe7f feat: support disable cosign signature verification
• 3a20123 chore: rekres with parallel jobs
• 241963f chore(ci): use runner groups

Dependency Changes

• filippo.io/age v1.2.1 -> v1.3.1
• github.com/aws/aws-sdk-go-v2 v1.40.0 -> v1.41.1
• github.com/aws/aws-sdk-go-v2/config v1.32.1 -> v1.32.7
• github.com/aws/aws-sdk-go-v2/credentials v1.19.1 -> v1.19.7
• github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.20.11 -> v1.20.19
• github.com/aws/aws-sdk-go-v2/service/s3 v1.92.0 -> v1.95.1
• github.com/aws/smithy-go v1.23.2 -> v1.24.0
• github.com/cosi-project/state-sqlite v0.1.0 -> v0.1.1
• github.com/emicklei/dot v1.9.2 -> v1.10.0
• github.com/google/go-containerregistry v0.20.6 -> v0.20.7
• github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 -> v2.27.4
• github.com/prometheus/common v0.67.4 -> v0.67.5
• github.com/siderolabs/go-kubernetes v0.2.27 -> v0.2.30
• github.com/siderolabs/image-factory v0.8.4 -> b5ba6630ed93
• github.com/siderolabs/omni/client v1.3.4 -> v1.4.7
• github.com/siderolabs/talos/pkg/machinery v1.12.0-beta.1 -> b9e27ebe72c4
• github.com/sirupsen/logrus v1.9.3 -> v1.9.4
• github.com/spf13/cobra v1.10.1 -> v1.10.2
• github.com/zitadel/logging v0.6.2 -> v0.7.0
• github.com/zitadel/oidc/v3 v3.45.0 -> v3.45.3
• go.etcd.io/etcd/client/pkg/v3 v3.6.6 -> v3.6.7
• go.etcd.io/etcd/client/v3 v3.6.6 -> v3.6.7
• go.etcd.io/etcd/server/v3 v3.6.6 -> v3.6.7
• golang.org/x/crypto v0.45.0 -> v0.47.0
• golang.org/x/net v0.47.0 -> v0.49.0
• golang.org/x/oauth2 v0.33.0 -> v0.34.0
• golang.org/x/sync v0.18.0 -> v0.19.0
• golang.org/x/text v0.31.0 -> v0.33.0
• golang.org/x/tools v0.39.0 -> v0.41.0
• google.golang.org/grpc v1.77.0 -> v1.78.0
• google.golang.org/protobuf v1.36.10 -> v1.36.11
• k8s.io/api v0.35.0-beta.0 -> v0.35.0
• k8s.io/apimachinery v0.35.0-beta.0 -> v0.35.0
• k8s.io/client-go v0.35.0-beta.0 -> v0.35.0
• modernc.org/sqlite v1.40.1 -> v1.44.1

Previous release can be found at v1.4.0

---

This discussion was created from the release v1.5.0.