docs: add storage saas deployment #348
Open
Iheanacho-ai wants to merge 1 commit into siderolabs:main from
Signed-off-by: Amarachi Iheanacho <amarachi.iheanacho@siderolabs.com>
rothgar reviewed Feb 4, 2026
| This document explains how access is enforced in Omni-managed environments, including Talos Linux nodes and Kubernetes clusters. | ||
|
|
||
| When clusters and machines are managed by Omni, Omni becomes the central point of access for all the resources it controls. This includes access to Talos, Kubernetes, and Omni-specific resources. | ||
| When clusters and machines are managed by Omni, Omni becomes the central control plane for access to Talos, Kubernetes, and Omni-specific APIs. |
Member
I think "control plane" is too easy to get confused with Kubernetes. "point of access" IMO is more clear on what Omni is doing. You could even call it an authentication proxy. But control plane is too easy to confuse.
rothgar reviewed Feb 4, 2026
| Omni supports non-interactive access through a programming language or the official Omni client, `omnictl`. When user authentication is used, Omni issues short-lived credentials. Tokens can remain valid for up to eight hours, and Omni-generated public keys expire after four hours. These limits are fixed and cannot be configured. | ||
| Service accounts provide non-interactive access to the Omni API for automation and CI/CD workflows. | ||
|
|
||
| Unlike user authentication, which issues short-lived credentials, service accounts use long-lived tokens that do not require periodic reauthentication through an identity provider. Tokens can remain valid for up to eight hours, and Omni-generated public keys expire after four hours. These limits are fixed and cannot be configured. |
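Review bot: The rewritten service-account paragraph drops the reference to `omnictl` and to client-library access that the removed line carried, so it no longer says which tools actually consume a service-account token; suggest keeping "the official Omni client, `omnictl`" and the client-library mention in the new text. The two lifetime sentences ("Tokens can remain valid for up to eight hours" and "public keys expire after four hours") describe user credentials but now sit directly after the statement that service-account tokens are long-lived, so they read as limits on service accounts; suggest moving them back under the user-authentication description and saying separately what, if anything, bounds a service-account token's validity.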
Member
This is confusing because you say "tokens that do not require periodic reauthentication" and "Tokens can remain valid for up to eight hours".
We should say there is a difference between "Service Account tokens" and "User tokens"
rothgar reviewed Feb 4, 2026
|
|
||
| ## Data protection in Omni SaaS deployments | ||
|
|
||
| When deployed as a SaaS offering, Omni encrypts all persisted customer account data at rest using AES-256. This includes cluster configuration, machine metadata, certificates, and encryption material. |
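Review bot: The data-protection paragraph names only the cipher, "AES-256", with no mode, key source or rotation policy, which is not enough for a reader assessing at-rest protection; suggest either stating how keys are managed (or linking to the page that does) or qualifying the claim to what can be stated. "encryption material" in the last sentence is also vague; say which keys or secrets it refers to. The section covers persisted data only, so protection of data in transit between clients, Omni and the managed nodes belongs here as well.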
Member
It also encrypts in transit via TLS communication.