Table size queries (`omni_sqlite_subsystem_size_bytes`) filtered by dbstat name, missing index sizes. Join with sqlite_master to attribute index pages to their parent table.
DB size (`omni_sqlite_db_size_bytes`) used dbstat sum which excludes freelist pages. Use page_count * page_size to match actual file size.
Add `omni_sqlite_db_freelist_size_bytes` metric to track wasted space.
Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
(cherry picked from commit e85ab384c343ca26987ce65ca1f9f4a9ee7d2361)
Add `account.maxRegisteredMachines` config option to cap the number of registered machines. The provision handler atomically checks the limit under a mutex before creating new Link resources, returning ResourceExhausted when the cap is reached.
Introduce a Notification resource type (ephemeral namespace) so controllers can surface warnings to users. `omnictl` displays all active notifications on every command invocation. The frontend part of showing notifications will be implemented in a different PR.
MachineStatusMetricsController creates a warning notification when the registration limit is reached and tears it down when it's not.
Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
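The check-under-a-mutex pattern described in the commit above, as an added example written for this page (not Omni's provision handler): `Registry`, `Link`, `Provision` and `ErrResourceExhausted` are assumed stand-ins for the real resources and for gRPC's `codes.ResourceExhausted`, and treating a repeat provision of an already registered machine as idempotent is an assumption of the example. The point it shows is that the count and the insert must happen under the same lock; a check followed by an unlocked create lets two concurrent requests both see "one slot left" and exceed the cap.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrResourceExhausted stands in for gRPC's codes.ResourceExhausted (assumed name, example only).
var ErrResourceExhausted = errors.New("machine registration limit reached")

// Link is a minimal stand-in for Omni's Link resource.
type Link struct {
	MachineID string
}

// Registry is a hypothetical provision handler state: the registered Links
// plus the account.maxRegisteredMachines cap (0 = unlimited).
type Registry struct {
	mu    sync.Mutex
	max   int
	links map[string]*Link
}

func NewRegistry(maxRegisteredMachines int) *Registry {
	return &Registry{max: maxRegisteredMachines, links: make(map[string]*Link)}
}

// Provision creates the Link for machineID. The count check and the insert happen
// under one mutex: two concurrent calls cannot both observe "one slot left" and
// both create a Link (a check-then-act race).
func (r *Registry) Provision(machineID string) (*Link, error) {
	r.mu.Lock()
	defer r.mu.Unlock()

	if l, ok := r.links[machineID]; ok {
		return l, nil // assumption: re-provisioning a registered machine is idempotent
	}

	if r.max > 0 && len(r.links) >= r.max {
		return nil, fmt.Errorf("%w: %d of %d machines registered", ErrResourceExhausted, len(r.links), r.max)
	}

	l := &Link{MachineID: machineID}
	r.links[machineID] = l

	return l, nil
}

// Count returns the number of registered machines.
func (r *Registry) Count() int {
	r.mu.Lock()
	defer r.mu.Unlock()

	return len(r.links)
}

// LimitReached is what a controller would poll to raise or tear down a warning notification.
func (r *Registry) LimitReached() bool {
	r.mu.Lock()
	defer r.mu.Unlock()

	return r.max > 0 && len(r.links) >= r.max
}

// ProvisionConcurrently fires n provision requests at once and reports how many
// Links were created and how many requests were rejected with ErrResourceExhausted.
func ProvisionConcurrently(r *Registry, n int) (created, rejected int) {
	var (
		wg sync.WaitGroup
		mu sync.Mutex
	)

	for i := 0; i < n; i++ {
		wg.Add(1)

		go func(id string) {
			defer wg.Done()

			_, err := r.Provision(id)

			mu.Lock()
			defer mu.Unlock()

			switch {
			case err == nil:
				created++
			case errors.Is(err, ErrResourceExhausted):
				rejected++
			}
		}(fmt.Sprintf("machine-%d", i))
	}

	wg.Wait()

	return created, rejected
}

func main() {
	r := NewRegistry(3)
	created, rejected := ProvisionConcurrently(r, 10)
	fmt.Printf("created=%d rejected=%d limitReached=%v\n", created, rejected, r.LimitReached())
}
```

Run it with `go run -race .` to confirm the detector stays quiet; removing the lock from `Provision` and running with a cap of 3 and 10 concurrent requests is the quickest way to see the over-admission the mutex prevents.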
Introduce token-bucket based bandwidth rate limiting for the SideroLink WireGuard tunnel, configurable via services.siderolink.bandwidthLimitMbps and services.siderolink.bandwidthLimitBurstBytes config fields (with corresponding CLI flag fallbacks).
Rate limiting is applied in both directions: outbound via a wrapped conn.Bind and inbound via a TUN input packet filter. A shared limiter drops packets exceeding the budget, relying on TCP congestion control to throttle senders. Disabled by default (0 = unlimited).
Also adds a Grafana service to docker-compose with pre-built Omni dashboards for local development observability.
Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
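A shared token-bucket packet limiter of the kind the commit above describes, as an added example written for this page rather than Omni's or wireguard-go's code. `PacketLimiter`, `Wrap` and the injectable clock are assumptions of the example, as is the convention that a burst of 0 means one second's worth of traffic; the Mbps and burst-bytes parameters mirror the `bandwidthLimitMbps` / `bandwidthLimitBurstBytes` settings. Packets that do not fit the bucket are dropped rather than queued, so the only back-pressure is the loss signal TCP reacts to.

```go
package main

import (
	"fmt"
	"math"
	"sync"
	"sync/atomic"
	"time"
)

// PacketLimiter is a byte-granular token bucket. One instance is shared by the
// outbound (Bind send) and inbound (TUN input) paths so the budget covers both directions.
type PacketLimiter struct {
	mu      sync.Mutex
	rateBPS float64          // refill rate in bytes per second; 0 means unlimited
	burst   float64          // bucket capacity in bytes
	tokens  float64          // current balance
	last    time.Time        // time of the last refill
	now     func() time.Time // injectable clock (time.Now in production)
	dropped atomic.Uint64
}

// NewPacketLimiter mirrors the bandwidthLimitMbps / bandwidthLimitBurstBytes settings.
// limitMbps <= 0 disables limiting. A burst of 0 is taken (example convention, an
// assumption) to mean one second's worth of traffic.
func NewPacketLimiter(limitMbps float64, burstBytes int, now func() time.Time) *PacketLimiter {
	if now == nil {
		now = time.Now
	}

	l := &PacketLimiter{now: now}
	if limitMbps <= 0 {
		return l
	}

	l.rateBPS = limitMbps * 1_000_000 / 8
	l.burst = float64(burstBytes)
	if burstBytes <= 0 {
		l.burst = l.rateBPS
	}
	l.tokens = l.burst // start full so the first packets are not penalised
	l.last = now()

	return l
}

// Allow charges n bytes against the bucket. A packet that does not fit is dropped
// outright (no queueing); TCP on either end reads the loss as congestion and slows down.
func (l *PacketLimiter) Allow(n int) bool {
	if l.rateBPS == 0 {
		return true
	}

	l.mu.Lock()
	defer l.mu.Unlock()

	t := l.now()
	if elapsed := t.Sub(l.last).Seconds(); elapsed > 0 {
		l.tokens = math.Min(l.burst, l.tokens+elapsed*l.rateBPS)
		l.last = t
	}

	if float64(n) > l.tokens {
		l.dropped.Add(1)
		return false
	}

	l.tokens -= float64(n)

	return true
}

// Dropped returns how many packets were discarded. Export it as a metric: a burst
// smaller than one MTU can never admit a full-size packet and silently blackholes the tunnel.
func (l *PacketLimiter) Dropped() uint64 { return l.dropped.Load() }

// Wrap puts the limiter in front of any packet sink. In front of the Bind's send
// function it limits outbound traffic; in front of the TUN input it limits inbound.
func (l *PacketLimiter) Wrap(sink func([]byte) error) func([]byte) error {
	return func(pkt []byte) error {
		if !l.Allow(len(pkt)) {
			return nil // dropped, which from the peer's view looks like a lossy link
		}

		return sink(pkt)
	}
}

func main() {
	l := NewPacketLimiter(1, 4000, nil) // 1 Mbps = 125000 bytes/s, 4000-byte burst
	send := l.Wrap(func(p []byte) error { fmt.Printf("sent %d bytes\n", len(p)); return nil })

	for i := 0; i < 4; i++ {
		_ = send(make([]byte, 1500))
	}

	fmt.Println("dropped:", l.Dropped())
}
```

The refill uses the injected clock, so the behaviour is deterministic under test: at 1 Mbps a 10 ms gap is worth 1250 bytes, less than one MTU-sized packet.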
Replace the audit log download button with a modal which includes a date range for filtering to keep file sizes down. Includes a warning if trying to download logs for longer than 7 days. Modal includes a bytes downloaded indicator to convey progress. Download is canceled if modal is closed.
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
Add state validation that rejects identity creation when the configured maximum number of users or service accounts is reached. The gRPC resource and management servers now use the validated state so these limits are enforced for all creation paths (CLI, UI, API). Identity is created before the user resource so the validation fires before any side effects.
Also adds create validation for join token name, e2e Playwright tests covering UI and AccountLimits integration test covering API and CLI for limit enforcement.
Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
Add a two-phase approach to the helm e2e test: first install Omni with
embedded etcd and run a smoke test (omnictl get defaultjointoken),
then uninstall and reinstall with external etcd for the full
integration suite.
Other changes:
- Extract reusable extract_sa_key function
- Split helm values into base + external etcd overlay to remove duplication
- Move helm test values to hack/test/helm/templates/ and drop .envsubst suffix
- Fix empty string arg bug in configure_registry_mirrors (remove dead else branch)
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Since we don't want to support/maintain the old chart anymore, we simply replace it with the new chart.
Added a validation which fails on upgrades from the old one to the new one.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Add support for priorityClassName, terminationGracePeriodSeconds, dnsPolicy/dnsConfig, initContainers, extraContainers (sidecars), and custom labels on all services.
Also, fix some unit tests and add additional unit tests.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Add helm unit tests (via helm-unittest) covering services, ingresses, HTTPRoutes, secrets, PrometheusRules and ServiceAccounts. Add a helm-based e2e test workflow that deploys Omni on a Talos cluster with Traefik and etcd, runs integration tests including workload proxy, and verifies the full stack end-to-end. Add a configurable TestOptions struct to the workload proxy test to allow running with smaller scale in helm e2e.
Signed-off-by: Kevin Tijssen <kevin.tijssen@siderolabs.com>
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Now that we have envsubst in the build container, we can simplify our scripts a bit.
Also do other cosmetic improvements in the test scripts.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
The deprecated flags and config fields kept for the SQLite migration period (v1.4.0) have been removed along with all automatic migration code for BoltDB secondary storage, file-based audit logs, file-based discovery service snapshots, and circular buffer machine logs.
Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
Update Go in go.mod to keep it consistent with the value in the Makefile (the actual Go version the project is built with).
This kicks in some new linters and causes linters to change behavior. Reformat and fix all those linting issues.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
**Helm Chart v2:**
- Add new Helm chart with comprehensive configuration via values.yaml
- Support for both Kubernetes Ingress and Gateway API
- Built-in validation for required fields and URL consistency
- Prometheus metrics and ServiceMonitor support
- Detailed documentation with examples for Traefik
- Workload proxy setup guide
**Deploy directory reorganization:**
- Move Docker Compose files to `deploy/compose/`
- Move existing Helm chart to `deploy/helm/omni/`
- Add top-level `deploy/README.md` pointing to deployment options
- Add deprecation warning to v1 Helm chart
**Documentation:**
- Add link to Helm chart in root README
Co-authored-by: Kevin Tijssen <kevin.tijssen@siderolabs.com>
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Having issues with wireguard connectivity from QEMU machines to Omni running on macOS revealed an issue: If macOS has multiple interfaces with IPs in the same subnet (for example connected both via ethernet and Wi-Fi), it could respond to WireGuard packets not from the interface they are received from, but from the other one, even when the wg endpoint was explicitly set to be a specific IP:PORT in Omni config. And this was breaking wg handshakes.
The core issue seems to be the wireguard-go library not implementing sticky sockets (`IP_PKTINFO`) on macOS.
While investigating, we found that the standard wireguard-go `StdNetBind` always binds to all interfaces (`0.0.0.0`), ignoring any specific host in the endpoint configuration. Add a custom bind implementation that respects the configured host.
This fixes the macOS issue as a side benefit.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Add an E2E test which adds an nginx service through an inlineManifests config patch on the control plane, and check that it is accessible.
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
Move some tests from e2e-upgrades test to e2e-misc-upgrades to improve the overall speed, because the test was taking too much time.
Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
Remove the flags for turning on SQLite storage for:
- Discovery service state
- Audit logs
- Machine logs
Instead, migrate them unconditionally to SQLite on the next startup.
Remove many flags which are no longer meaningful. Only keep the ones which are required for the migrations.
Additionally: Make the `--sqlite-storage-path` (or its config counterpart `.storage.sqlite.path`) required with no default value, as a default value does not make sense for it in most of the cases.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
META section updates are no-op for non-UKI machines, but still, the recent changes in the kernel args PR started clearing them (since now we compute schematic ID always), causing the schematic ID to be updated, which caused cluster machines to be upgraded and restarted.
Remove the UKI check and keep META values always as-is.
Update the integration tests to:
- Also include META values.
- Make Omni upgrade test pick both UKI and non-UKI machines.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Updated the default Kubernetes version to 1.34.2 and adjusted related
version constants in the integration script and Go files.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Changelog included the whole of Talos due to the unwanted dependency of `github.com/siderolabs/talos` brought in by a test. Remove that dependency, and re-generate the changelog for `v1.3.0-beta.0`.
Also, bump the Talos machinery version and rekres, which also bumps Go version to `1.25.3`.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Update the node version used by the frontend to the latest LTS version 24.11.0
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
(Re)implement the kernel args support functionality in the following way:
- Only support UKI or UKI-like (>=1.12 with GrubUseUKICmdline) systems.
- In `MachineStatusController`:
- When we see a machine for the first time, do a one-time operation of extracting the extra kernel args from it and store them in the newly introduced `KernelArgs` resource. This resource is user-owned from that point on.
- Mark the `MachineStatus` with an annotation as "its kernel args are initialized".
- Start storing the raw schematic.
- Take a one-time snapshot of the extensions on the machine and set them as "initial extensions". They might not be the "actual initial", i.e., the set of extensions when we actually saw the machine for the first time, but we do this on a best-effort basis. We need this, since now we cannot simply go back to the initial schematic ID when all extensions are removed - kernel args are also included in the schematic.
- Start collecting the kernel cmdline from Talos machines as well.
- Adapt the `SchematicConfiguration` controller to not revert to the initial schematic ID ever - it now always computes the needed schematic - when it wants to revert to the initial set of extensions, it uses the new field on the `MachineStatus`.
- Introduce the resource `MachineUpgradeStatus` and its controller `MachineUpgradeStatusController`, which handles the maintenance mode upgrades when kernel args are updated. The controller is named this way, since our long-term plan is to centralize all upgrade calls to be done from this controller. Currently, it does not change Talos version or the set of extensions. It works only in maintenance mode, only for kernel args changes (when supported).
- Introduce the resource `KernelArgsStatus` and its controller `KernelArgsStatusController`, which provides information about the kernel args updates. Its status is reliable in both maintenance and non-maintenance modes.
- Build a UI to update these args (with @Unix4ever's help).
Co-authored-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
- Make sure the console output of QEMU is sent to `console=ttyS0` when non-UKI is used.
- Use the new `cluster create` arg `--skip-injecting-extra-cmdline` to make sure `console=ttyS0` kernel arg is not duplicated.
- Get rid of `SUDO_USER` var.
- Add the missing `--omni.output-dir` flag to make sure the support bundles are collected to proper destinations.
- Gather all artifacts to be collected under `TEST_OUTPUTS_DIR` for better organization in the test artifacts archive.
- Quote some strings.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
It was using a local pod IP which was generating a new schematic every time
the test ran.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Rekres, fix linter issues, bump go to 1.25.2
See groups.google.com/g/golang-nuts/c/Gxn25BP4MXk/m/3KrM-XBOBAAJ
Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>