1284 Commits

Author SHA1 Message Date
Oguz Kilcan
addf66249a
feat: add omnictl media command group with preset support
The UI exposes an Installation Media configurator that saves presets as InstallationMediaConfig resources, but the CLI only allowed downloading built-in images via inline flags. This adds `omnictl media preset {create,list,delete}` for managing presets and `omnictl media download <preset>` for downloading from them, with create-time validation against the server's CloudPlatformConfig (architecture and secure-boot support, min Talos version), SBCConfig (min Talos version), and TalosExtensions resources. Download flags are restricted to runtime overrides only - flags that redefine the preset (platform, overlay, arch, bootloader) are intentionally not accepted, and overrides that affect validation re-run the relevant checks.

The legacy `omnictl download` is preserved but deprecated, and its download logic is extracted into an internal/download package shared by both commands.

Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
2026-05-05 17:13:57 +02:00
Oguz Kilcan
110be565c0
feat: expose provision step errors on machine request status
Surface step errors via a new Error field on `ClusterMachineRequestStatus` so users can see why a request is stuck or has failed without scraping logs. Persist the error on both the failure and requeue paths in the provision controller (the previous in-memory mutations were never written), and constrain step mutations to Id and LabelMachineInfraID by passing a copy of `MachineRequestStatus` to step.Run instead of the controller's live object.

Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
2026-05-05 16:17:08 +02:00
Edward Sammut Alessi
699ebf70e3
fix(frontend): fix revoking/deleting join tokens
Fix an issue where the delete/revoke button for join tokens was permanently disabled in the modals. Refactor modals to ConfirmModal. Add stories & tests.

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-05-05 15:23:54 +02:00
Utku Ozdemir
1f4f2afa55
feat: allow exposing a Kubernetes service on multiple host ports
The annotation now accepts a comma-separated list of entries. Each entry is either a bare host port or a "host-port:service-port" pair, where the service port can be a number or a name. Each entry produces its own ExposedService with its own URL.

Before:

    omni-kube-service-exposer.sidero.dev/port: "30080"

After:

    omni-kube-service-exposer.sidero.dev/port: "30080,30443:8080,30444:https"

The label, icon, and prefix annotations gain per-host-port suffixed variants like "label-30080" or "prefix-30443". The suffixed variant wins for that port, otherwise the unsuffixed one is used as a fallback. For multi-port services the unsuffixed prefix is claimed by the lowest port, and other ports auto-generate aliases instead of failing with a duplicate-alias error.

Existing single-port exposed services keep their URLs across the upgrade.

Also bump the kube-service-exposer image to the version that supports the new annotation format.

Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
2026-05-05 14:39:49 +02:00
Artem Chernyshev
75e881fca9
feat: resolve patches/kubernetes manifests relative to the templates dir
Previous behavior: resolve all includes relative to where `omnictl`
runs.
Current behavior: resolve all includes relative to where targeted
template YAML file is stored.

The new behavior should be more straightforward.

Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
2026-05-05 13:03:20 +03:00
Edward Sammut Alessi
e9b71f0ba9
fix(frontend): only show machine patches for currently visible machine
Only show patches for the currently viewed machine on the Patches tab of a clustered or unclustered machine.

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-05-05 08:52:56 +02:00
Edward Sammut Alessi
a524554c74
fix(frontend): fix editing labels on machine class
Fix bug which was preventing editing labels for machine classes.

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-05-05 08:32:22 +02:00
Edward Sammut Alessi
c14ee1019e
refactor(frontend): refactor all but the last tlist use of watch.setup
Refactor the final use cases of watch.setup (excluding TList) to be useResourceWatch. TList must be tackled on its own in #1534

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-05-04 18:49:20 +02:00
Edward Sammut Alessi
56cce45e19
chore(frontend): bump node to 24.15.0
Bump node version for frontend to 24.15.0

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-05-04 12:07:10 +02:00
Utku Ozdemir
7989c3c03b
test: fix data race in machine service mock
The read of the field was not protected by the lock, unlike all other operations, which caused a data race in CA rotation tests.

Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
2026-05-04 00:38:57 +02:00
Artem Chernyshev
c141613d46
fix: fix the storm of PendingUpdateStatus create/destroy
Use `shouldUpgrade` bool flag when computing the config/upgrade diffs.
Otherwise, `shouldUpgrade` getting out of sync with the condition
inside the `ClusterMachineConfigStatus` controller causes it to loop
creating and deleting pending changes.

Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
2026-05-01 17:59:07 +03:00
Utku Ozdemir
a43407d095
feat: generate config section of helm chart values from config schema
Introduce a new small tool, `helmvaluesgen`, which runs on `make generate` to update the `config:` section in the Helm chart's `values.yaml` with the current Omni config schema.

It takes two inputs:
1. Omni config schema JSON
2. An "overrides" YAML file for the customization for the Helm chart, such as different default values ("chart defaults, different from Omni's defaults"), omission rules, and different descriptions to be included in the chart README.

Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
2026-05-01 16:32:11 +02:00
Artem Chernyshev
0cdb5a58c8
feat: support raw bytes in the inline fields for manifests/patches
Now inline supports all three variants:
- a single inline map (backward compatibility for config patches).
- a list of inline maps
- raw bytes, that can also contain multiple documents.

`omnictl cluster template export` command was updated to export config
patches/manifests as raw bytes to ensure that multiple values are
properly supported.

Fixes: https://github.com/siderolabs/omni/issues/2683

Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
2026-04-30 19:07:46 +03:00
Edward Sammut Alessi
14b83e1299
feat: set infra provider factory endpoint to the one configured in omni
Set infra provider factory endpoint to the one configured in Omni features state, which itself is from args/config. Expose the configured factory URL on the provider.

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-04-30 15:32:40 +02:00
Edward Sammut Alessi
efbd089ffb
feat(frontend): add qol machine updates to omni frontend
Add some QoL updates for machine management to Omni frontend.

1. Add a copy machine UUID button to the cluster machine page
2. Add a toggle between hostnames and UUIDs to the machines list page (copy will copy what it sees, preference is saved)
3. Add kernel args tabs to machine and cluster machine pages, to allow editing kernel args. The "Update kernel args" button from machines list dropdown menu will now redirect to here instead of opening a modal.

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-04-30 14:06:57 +02:00
Utku Ozdemir
2fe716d2c9
chore: enable go linting for build tags, fix linting errors
Add the build tags we were using, `integration` and `tools`, to be included in the linting/formatting of golangci-lint.

Rename the build tag `tools` to `sidero.tools` to avoid colliding with the same named build tag in `github.com/johannesboyne/gofakes3` package - otherwise the dependency was failing to compile due to having multiple package names in the same package.

Fix all the linting errors surfaced by this enablement.

Also, temporarily re-enabled `nolintlint` to find the nolint directives which were no longer necessary and removed them.

Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
2026-04-29 21:18:45 +02:00
Edward Sammut Alessi
718d61a6b4
chore(frontend): bump dependencies
Bump frontend dependencies

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-04-29 18:02:02 +02:00
Edward Sammut Alessi
d3592671ec
feat: download talosctl directly from factory
Download talosctl binaries from factory instead of GitHub

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-04-29 17:06:25 +02:00
Edward Sammut Alessi
b2671d08d0
refactor(frontend): create downloadfile helper
Create a downloadFile helper to stop repeating the anchor link creation logic

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-04-29 16:52:15 +02:00
Edward Sammut Alessi
dc9baca82f
refactor(frontend): refactor downloadtalosctl modal to new modal system
Refactor the DownloadTalosctl modal to the new Modal system.

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-04-29 16:52:14 +02:00
Oguz Kilcan
06d8140d78
feat: add join token/talos version placeholders in installation media
InstallationMediaConfig can now use empty strings for talosVersion and joinToken, which resolve to the current stable version and default token at download time.

The create wizard adds "Automatic" options to the version and token dropdowns, and the download modal shows version/token/arch pickers for all presets.

Co-authored-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-04-29 14:34:30 +02:00
Artem Chernyshev
5f4b97616c
fix: bring back election campaign resign code in the etcd state
And also try to avoid the race in the election campaign.

Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
2026-04-28 19:57:01 +03:00
Utku Ozdemir
03c4e1d9ba
fix: stop logging Kubernetes read checks
Dry-run requests and permission checks no longer add noisy Kubernetes access entries to the audit log. Kubernetes writes continue to be recorded.

Fixes: siderolabs/omni#2745
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
2026-04-27 23:31:30 +02:00
Artem Chernyshev
dc3b974d0d
fix: remove workload proxy deployment when disabled on the account
Fixes: #2656

Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
2026-04-27 14:33:32 +03:00
Artem Chernyshev
65af568b34
fix: skip allocating nodes for deleted/tearing down MachineRequests
Without the fix `MachineRequestStatus` cleanup controller deletes the
`MachineSetNode` and the `MachineSetNode` controller might allocate it
back immediately.

Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
2026-04-24 20:35:12 +03:00
Utku Ozdemir
f9dd849153
feat: introduce powered off machine state and power on support
Machines that were shutting down and then disconnect are now shown as "Powered Off" in the UI instead of being stuck in "Shutting Down" with a greyed-out unreachable state.

For machines managed by a static infra provider, shutting down a machine now prevents the provider from automatically powering it back on due to cluster allocation. The provider honors the shutdown request until the machine goes through a deallocation cycle, at which point the request is considered stale.

Intentionally powered-off machines are also excluded from the "disconnected machines" list on the frontend when destroying a cluster, to avoid them being force-destroyed.

The shutdown modal in the frontend now calls a new management API endpoint instead of the Talos API directly. The CLI gains `omnictl machine shutdown` and `omnictl machine power-on` commands.

Closes siderolabs/omni#1634.
Part of siderolabs/omni-infra-provider-bare-metal#103.

Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
2026-04-24 13:57:12 +02:00
Edward Sammut Alessi
921389a59c
fix(frontend): fix eula handling to prevent being stuck on /eula
If initial EULA request fails, we will show AppUnavailable instead of sending to /eula. If you navigate directly to /eula and it's already accepted, navigate away to the Home page.

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-04-24 09:38:00 +02:00
Artem Chernyshev
725f41d4ee
fix: properly display service account expiration time in the UI
The old code was incorrectly picking the public key.

Fixes: https://github.com/siderolabs/omni/issues/2717

Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
2026-04-23 21:19:54 +03:00
Edward Sammut Alessi
c5a4310570
feat(frontend): add support modal to omni
Add a support modal to Omni, providing links to GitHub issues, support, docs, community links, and office hours.

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-04-23 15:46:42 +02:00
Edward Sammut Alessi
66383890b8
feat(frontend): show disks and devices in machines/machine page
Show disks and devices for machines in the machines/machine page, even for maintenance mode machines.

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-04-23 15:21:01 +02:00
Edward Sammut Alessi
1e31079e4e
fix(frontend): fix indeterminate state for update extensions modal
Fix the indeterminate state for UpdateExtensions modal. It was never setting up the watch, so the information was not available. As part of this, refactored it to useResourceWatch and the new modal system and created stories for it. Also started moving refactored modals from views/modals into components/modals, as they are more of a component than a view anyway.

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-04-23 14:56:36 +02:00
Edward Sammut Alessi
6d7e4f454e
feat(frontend): allow quickly switching between cluster machines
Allow quickly switching between cluster machines on the cluster machine page via a select dropdown. Reactivity was not working on most of the pages due to getContext only being checked once in setup, so had to fix a lot of things there.

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-04-23 13:26:04 +02:00
Edward Sammut Alessi
c98b1187ea
fix(frontend): clear page state when keys are cleared
After clearing keys, use location.replace instead of router.replace to do a full page reload to clear any invalid key related state. This addresses an issue where user might see a blank screen if something breaks with their keys whilst still having a valid auth session. Usually an invalid auth session triggers a redirect to the auth provider, causing the same state reset. This also fixes a flakey test in e2e-talemu suite which was suffering from this.

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-04-22 12:59:18 +02:00
Edward Sammut Alessi
f89955b43d
refactor(frontend): remove last use of <watch> component
Remove the last usage of the <Watch> component.

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-04-22 12:40:58 +02:00
Edward Sammut Alessi
be67f710f8
feat: allow reader access to join token
Explicitly allow readers to read join tokens

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-04-21 16:28:32 +02:00
Oguz Kilcan
f221168823
chore: bump deps
Bump dependencies

Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
2026-04-21 10:20:29 +02:00
Oguz Kilcan
475e3660d7
feat: add Talos version end-of-support notifications and metrics
* Track machines running Talos versions approaching or past end of support relative to MinTalosVersion.
* Replace the config-driven non-ImageFactory deprecation notification with hardcoded constants and add two new notifications (approaching end of support, end of support reached) with corresponding Prometheus metrics.
* Add startup validation hooks (currently disabled) that will refuse to start when unsupported machines are detected.
* Fix frontend notification namespace from Default to Ephemeral.

Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
2026-04-20 17:11:49 +02:00
Justin Garrison
302e9175a3
feat: comment serviceaccount create output
The plain text output makes it less friendly to automation and saving to
.env files because it's interpreted by the shell.

Signed-off-by: Justin Garrison <justin.garrison@siderolabs.com>
2026-04-20 16:35:27 +02:00
Noel Georgi
967c229e1d
chore: rekres to update to new kres schema
This also allows enforcecontexts per branch.

Signed-off-by: Noel Georgi <git@frezbo.dev>
2026-04-20 18:08:29 +05:30
Edward Sammut Alessi
edbb621aa2
chore: bump stripe-go to v85
Bump stripe-go to v85 and use their modern syntax.

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-04-20 12:31:58 +02:00
Edward Sammut Alessi
cc0adefcad
fix(frontend): select default join token in installation media wizard
Select the default join token in the installation media wizard. Also bump tsconfig to ES2023 (which is baseline widely available) to get access to .toSorted().

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-04-20 09:41:14 +02:00
Oguz Kilcan
0987fa9e8f
chore: prepare omni with talos v1.13.0-rc
Prepare omni for upcoming talos version 1.13

Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
2026-04-17 16:58:24 +02:00
Oguz Kilcan
73a06f8921
chore: bump talos machinery
Bump talos machinery to v1.13.0-rc.0

Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
2026-04-17 14:42:55 +02:00
Artem Chernyshev
78544a8557
feat: restrict directories for included files in the cluster templates
By default, only allow including files from the same directory where the
template file lives.
This is to prevent malicious cluster templates that include something
like `/etc/passwd`.
Fixes: https://github.com/siderolabs/omni/issues/2590

Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
2026-04-16 19:28:33 +03:00
Edward Sammut Alessi
a3fd0b1c4c
feat(frontend): allow re-saving omni support bundle
After download completes on the Omni support bundle, the user may click save again to save the bundle again without having to initiate the download again. This helps in case you accidentally click out of the first save, or deleted it, or anything like that. If you want a fresh bundle, you can still get that when you close & re-open the modal.

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-04-16 15:19:52 +02:00
Utku Ozdemir
5c4a6b5766
feat: remove image factory proxying
Omni now rejects legacy installation media download requests with a message asking users to upgrade omnictl instead of proxying them to the Talos image factory.

Current omnictl versions continue to download installation media directly from the Talos image factory.

Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
2026-04-16 14:26:42 +02:00
Edward Sammut Alessi
dc5e289c1f
feat(frontend): show notifications in the frontend
Show Omni notifications in UI as a dismissable banner

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-04-15 18:42:20 +02:00
Edward Sammut Alessi
9fd6e9e14b
fix(frontend): open external eula link in a new tab
Open external EULA link in a new tab with _blank

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2026-04-15 16:57:05 +02:00
Oguz Kilcan
8c23f72e07
chore: bump deps
Bump dependency go-talos-support

Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
2026-04-15 15:33:10 +02:00
Artem Chernyshev
2e9d00a661
chore: make Omni use join tokens mode legacyAllowed by default
Fixes: https://github.com/siderolabs/omni/issues/1591

Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
2026-04-15 15:08:28 +03:00