The read of the field was not protected by the lock, unlike all other operations, which caused a data race in CA rotation tests.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Use `shouldUpgrade` bool flag when computing the config/upgrade diffs.
Otherwise, any case where `shouldUpgrade` gets out of sync with the condition
inside the `ClusterMachineConfigStatus` controller causes it to loop
creating and deleting pending changes.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Introduce a new small tool, `helmvaluesgen`, which runs on `make generate` to update the `config:` section in the Helm chart's `values.yaml` with the current Omni config schema.
It takes two inputs:
1. Omni config schema JSON
2. An "overrides" YAML file for the customization for the Helm chart, such as different default values ("chart defaults, different from Omni's defaults"), omission rules, and different descriptions to be included in the chart README.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Now inline supports all three variants:
- a single inline map (backward compatibility for config patches).
- a list of inline maps
- raw bytes, that can also contain multiple documents.
`omnictl cluster template export` command was updated to export config
patches/manifests as raw bytes to ensure that multiple values are
properly supported.
Fixes: https://github.com/siderolabs/omni/issues/2683
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Set infra provider factory endpoint to the one configured in Omni features state, which itself is from args/config. Expose the configured factory URL on the provider.
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
Add some QoL updates for machine management to Omni frontend.
1. Add a copy machine UUID button to the cluster machine page
2. Add a toggle between hostnames and UUIDs to the machines list page (copy will copy what it sees, preference is saved)
3. Add kernel args tabs to machine and cluster machine pages, to allow editing kernel args. The "Update kernel args" button from machines list dropdown menu will now redirect to here instead of opening a modal.
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
Add the build tags we were using, `integration` and `tools`, to be included in the linting/formatting of golangci-lint.
Rename the build tag `tools` to `sidero.tools` to avoid colliding with the same named build tag in `github.com/johannesboyne/gofakes3` package - otherwise the dependency was failing to compile due to having multiple package names in the same package.
Fix all the linting errors surfaced by this enablement.
Also, temporarily re-enabled `nolintlint` to find the nolint directives which were no longer necessary and removed them.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
InstallationMediaConfig can now use empty strings for talosVersion and joinToken, which resolve to the current stable version and default token at download time.
The create wizard adds "Automatic" options to the version and token dropdowns, and the download modal shows version/token/arch pickers for all presets.
Co-authored-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
Dry-run requests and permission checks no longer add noisy Kubernetes access entries to the audit log. Kubernetes writes continue to be recorded.
Fixes: siderolabs/omni#2745
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Without the fix, the `MachineRequestStatus` cleanup controller deletes the
`MachineSetNode` and the `MachineSetNode` controller might allocate it
back immediately.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Machines that were shutting down and then disconnected are now shown as "Powered Off" in the UI instead of being stuck in "Shutting Down" with a greyed-out unreachable state.
For machines managed by a static infra provider, shutting down a machine now prevents the provider from automatically powering it back on due to cluster allocation. The provider honors the shutdown request until the machine goes through a deallocation cycle, at which point the request is considered stale.
Intentionally powered-off machines are also excluded from the "disconnected machines" list on the frontend when destroying a cluster, to avoid them being force-destroyed.
The shutdown modal in the frontend now calls a new management API endpoint instead of the Talos API directly. The CLI gains `omnictl machine shutdown` and `omnictl machine power-on` commands.
Closes siderolabs/omni#1634.
Part of siderolabs/omni-infra-provider-bare-metal#103.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
If the initial EULA request fails, we will show AppUnavailable instead of sending to /eula. If you navigate directly to /eula and it's already accepted, navigate away to the Home page.
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
Add a support modal to Omni, providing links to GitHub issues, support, docs, community links, and office hours.
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
Show disks and devices for machines in the machines/machine page, even for maintenance mode machines.
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
Fix the indeterminate state for UpdateExtensions modal. It was never setting up the watch, so the information was not available. As part of this, refactored it to useResourceWatch and the new modal system and created stories for it. Also started moving refactored modals from views/modals into components/modals, as they are more of a component than a view anyway.
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
Allow quickly switching between cluster machines on the cluster machine page via a select dropdown. Reactivity was not working on most of the pages due to getContext only being checked once in setup, so had to fix a lot of things there.
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
After clearing keys, use location.replace instead of router.replace to do a full page reload to clear any invalid key related state. This addresses an issue where user might see a blank screen if something breaks with their keys whilst still having a valid auth session. Usually an invalid auth session triggers a redirect to the auth provider, causing the same state reset. This also fixes a flakey test in e2e-talemu suite which was suffering from this.
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
* Track machines running Talos versions approaching or past end of support relative to MinTalosVersion.
* Replace the config-driven non-ImageFactory deprecation notification with hardcoded constants and add two new notifications (approaching end of support, end of support reached) with corresponding Prometheus metrics.
* Add startup validation hooks (currently disabled) that will refuse to start when unsupported machines are detected.
* Fix frontend notification namespace from Default to Ephemeral.
Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
The plain text output makes it less friendly to automation and saving to
.env files because it's interpreted by the shell.
Signed-off-by: Justin Garrison <justin.garrison@siderolabs.com>
Select the default join token in the installation media wizard. Also bump tsconfig to ES2023 (which is baseline widely available) to get access to .toSorted().
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
By default, only allow including files from the same directory where the
template file lives.
This is to prevent malicious cluster templates that include something
like `/etc/passwd`.
Fixes: https://github.com/siderolabs/omni/issues/2590
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
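The include restriction described in the commit above, sketched as an added example (not code from the Omni repository): `resolveInclude` and `demo` are hypothetical names, the directory layout is constructed, and treating subdirectories of the template's directory as allowed is an assumption.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveInclude (hypothetical helper, not Omni's API) rejects includes that resolve outside the template's directory.
func resolveInclude(templatePath, include string) (string, error) {
	base, err := filepath.EvalSymlinks(filepath.Dir(templatePath))
	if err != nil {
		return "", err
	}
	p := include
	if !filepath.IsAbs(p) {
		p = filepath.Join(base, p)
	}
	// EvalSymlinks collapses ../ and follows links, so the check sees the real target.
	resolved, err := filepath.EvalSymlinks(p)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(base, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("include %q resolves outside %s", include, base)
	}
	return resolved, nil
}

// demo builds a constructed layout in a temp directory and reports which includes pass.
func demo() map[string]bool {
	root, _ := os.MkdirTemp("", "includes")
	defer os.RemoveAll(root)
	tmpl := filepath.Join(root, "templates")
	os.MkdirAll(tmpl, 0o755)
	os.WriteFile(filepath.Join(tmpl, "patch.yaml"), []byte("a: 1\n"), 0o600)
	os.WriteFile(filepath.Join(root, "secret"), []byte("s\n"), 0o600)
	os.Symlink(filepath.Join(root, "secret"), filepath.Join(tmpl, "link.yaml"))
	res := map[string]bool{}
	for _, inc := range []string{"patch.yaml", "../secret", "/etc/passwd", "link.yaml"} {
		_, err := resolveInclude(filepath.Join(tmpl, "cluster.yaml"), inc)
		res[inc] = err == nil
	}
	return res
}

func main() { fmt.Println(demo()) }
```

Callers should open the returned path rather than the original include string. The check and the open remain separate steps, so where the directory is writable by an untrusted party an open-time guarantee such as `os.OpenRoot` (Go 1.24+) is the stronger choice.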
After download completes on the Omni support bundle, the user may click save again to save the bundle again without having to initiate the download again. This helps in case you accidentally click out of the first save, or deleted it, or anything like that. If you want a fresh bundle, you can still get that when you close & re-open the modal.
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
Omni now rejects legacy installation media download requests with a message asking users to upgrade omnictl instead of proxying them to the Talos image factory.
Current omnictl versions continue to download installation media directly from the Talos image factory.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Add multiple new filters to audit logs. Through the UI, there will be a generic search box and the ability to sort columns. Through the CLI, there will be support for the same plus also direct filters for event_type, resource_type, resource_id, cluster_id, and actor.
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
Add creation timestamps and per-key last-active tracking to service account key listings. The `omnictl serviceaccount list` command now shows KEY CREATED and KEY LAST ACTIVE columns for each public key, alongside the existing SA-level LAST ACTIVE.
A new PublicKeyLastActive resource tracks per-key usage. The activity interceptor now extracts the signing key fingerprint from the auth context and records last-used timestamps per key, with independent debouncing. The ServiceAccountStatusController aggregates this data into the service account status for display.
A cleanup controller removes PublicKeyLastActive resources when their corresponding public key is torn down.
Closes: siderolabs/omni#2661
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Update the text shown when selecting the Talos version on the Installation Media wizard to be the latest recommended version, rather than the latest.
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
Implement a guard for Omni to prevent usage until users accept an EULA through the UI or a startup flag.
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
Machine requests are now created without a controller owner, allowing operators and admins to tear down stuck or unwanted requests directly. The controller replaces destroyed requests automatically to maintain the desired machine count. Includes a migration to clear ownership on existing requests.
Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>