feat: log and store redacted machine config diffs

Change the RedactedClusterMachineConfig controller to also compute diffs between each config change and store them in a new resource.

Additionally, log this diff and include its creation in the audit logs.

Clean up old diffs with both size (count) and time-based retention.
Include these diffs in the support bundles.

The resource ID follows the following pattern: `<machine-id>-<timestamp>`, e.g., `34bafa44-e994-4911-9c1a-609cccefee93-2025-07-04T19:05:40.181Z`.

Signed-off-by: Utku Ozdemir <[email protected]>

Author: utkuozdemir

client/api/omni/specs/omni.pb.go

@@ -1356,3 +1356,7 @@ message InfraProviderCombinedStatusSpec {
 
   Health health = 4;
 }
+
+message MachineConfigDiffSpec {
+  string diff = 1;
+}

client/api/omni/specs/omni.proto

@@ -0,0 +1,46 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package omni
+
+import (
+	"github.com/cosi-project/runtime/pkg/resource"
+	"github.com/cosi-project/runtime/pkg/resource/meta"
+	"github.com/cosi-project/runtime/pkg/resource/protobuf"
+	"github.com/cosi-project/runtime/pkg/resource/typed"
+
+	"github.com/siderolabs/omni/client/api/omni/specs"
+	"github.com/siderolabs/omni/client/pkg/omni/resources"
+)
+
+// NewMachineConfigDiff creates a new MachineConfigDiff resource.
+func NewMachineConfigDiff(id resource.ID) *MachineConfigDiff {
+	return typed.NewResource[MachineConfigDiffSpec, MachineConfigDiffExtension](
+		resource.NewMetadata(resources.DefaultNamespace, MachineConfigDiffType, id, resource.VersionUndefined),
+		protobuf.NewResourceSpec(&specs.MachineConfigDiffSpec{}),
+	)
+}
+
+const (
+	// MachineConfigDiffType is the type of the MachineConfigDiff resource.
+	// tsgen:MachineConfigDiffType
+	MachineConfigDiffType = resource.Type("MachineConfigDiffs.omni.sidero.dev")
+)
+
+// MachineConfigDiff is the diff between two redacted machine configurations.
+type MachineConfigDiff = typed.Resource[MachineConfigDiffSpec, MachineConfigDiffExtension]
+
+// MachineConfigDiffSpec wraps specs.MachineConfigDiffSpec.
+type MachineConfigDiffSpec = protobuf.ResourceSpec[specs.MachineConfigDiffSpec, *specs.MachineConfigDiffSpec]
+
+// MachineConfigDiffExtension provides auxiliary methods for MachineConfigDiff resource.
+type MachineConfigDiffExtension struct{}
+
+// ResourceDefinition implements [typed.Extension] interface.
+func (MachineConfigDiffExtension) ResourceDefinition() meta.ResourceDefinitionSpec {
+	return meta.ResourceDefinitionSpec{
+		Type:             MachineConfigDiffType,
+		DefaultNamespace: resources.DefaultNamespace,
+	}
+}

client/api/omni/specs/omni_vtproto.pb.go

@@ -58,6 +58,7 @@ func init() {
 	registry.MustRegisterResource(KubernetesUpgradeManifestStatusType, &KubernetesUpgradeManifestStatus{})
 	registry.MustRegisterResource(KubernetesUpgradeStatusType, &KubernetesUpgradeStatus{})
 	registry.MustRegisterResource(KubernetesVersionType, &KubernetesVersion{})
+	registry.MustRegisterResource(MachineConfigDiffType, &MachineConfigDiff{})
 	registry.MustRegisterResource(MachineLabelsType, &MachineLabels{})
 	registry.MustRegisterResource(MachineType, &Machine{})
 	registry.MustRegisterResource(MachineClassType, &MachineClass{})

client/pkg/omni/resources/omni/machine_config_diff.go

@@ -892,4 +892,8 @@ export type InfraProviderCombinedStatusSpec = {
   description?: string
   icon?: string
   health?: InfraProviderCombinedStatusSpecHealth
+}
+
+export type MachineConfigDiffSpec = {
+  diff?: string
 }

client/pkg/omni/resources/omni/omni.go

@@ -162,6 +162,7 @@ export const ClusterMachineStatusLabelNodeName = "omni.sidero.dev/node-name";
 export const ExtensionsConfigurationLabel = "omni.sidero.dev/root-configuration";
 export const MachineType = "Machines.omni.sidero.dev";
 export const MachineClassType = "MachineClasses.omni.sidero.dev";
+export const MachineConfigDiffType = "MachineConfigDiffs.omni.sidero.dev";
 export const MachineConfigGenOptionsType = "MachineConfigGenOptions.omni.sidero.dev";
 export const MachineExtensionsType = "MachineExtensions.omni.sidero.dev";
 export const MachineExtensionsStatusType = "MachineExtensionsStatuses.omni.sidero.dev";

frontend/src/api/omni/specs/omni.pb.ts

@@ -28,6 +28,7 @@ import (
 	"k8s.io/client-go/kubernetes"
 
 	"github.com/siderolabs/omni/client/api/omni/management"
+	"github.com/siderolabs/omni/client/pkg/omni/resources/infra"
 	"github.com/siderolabs/omni/client/pkg/omni/resources/omni"
 	"github.com/siderolabs/omni/client/pkg/omni/resources/siderolink"
 	"github.com/siderolabs/omni/client/pkg/omni/resources/system"
@@ -318,6 +319,18 @@ func (s *managementServer) collectClusterResources(ctx context.Context, cluster
 			rt:          omni.DiscoveryAffiliateDeleteTaskType,
 			listOptions: clusterQuery,
 		},
+		{
+			rt:          omni.MachineConfigDiffType,
+			listOptions: clusterQuery,
+		},
+		{
+			rt:          infra.InfraMachineType,
+			listOptions: clusterQuery,
+		},
+		{
+			rt:          infra.InfraMachineStatusType,
+			listOptions: clusterQuery,
+		},
 	}
 
 	machineIDs := map[string]struct{}{}

frontend/src/api/resources.ts

@@ -21,17 +21,18 @@ const (
 
 // Data contains the audit data.
 type Data struct {
-	NewUser        *NewUser        `json:"new_user,omitempty"`
-	Machine        *Machine        `json:"machine,omitempty"`
-	MachineLabels  *MachineLabels  `json:"machine_labels,omitempty"`
-	AccessPolicy   *AccessPolicy   `json:"access_policy,omitempty"`
-	Cluster        *Cluster        `json:"cluster,omitempty"`
-	MachineSet     *MachineSet     `json:"machine_set,omitempty"`
-	MachineSetNode *MachineSetNode `json:"machine_set_node,omitempty"`
-	ConfigPatch    *ConfigPatch    `json:"config_patch,omitempty"`
-	TalosAccess    *TalosAccess    `json:"talos_access,omitempty"`
-	K8SAccess      *K8SAccess      `json:"k8s_access,omitempty"`
-	Session        Session         `json:"session,omitempty"`
+	NewUser           *NewUser           `json:"new_user,omitempty"`
+	Machine           *Machine           `json:"machine,omitempty"`
+	MachineLabels     *MachineLabels     `json:"machine_labels,omitempty"`
+	AccessPolicy      *AccessPolicy      `json:"access_policy,omitempty"`
+	Cluster           *Cluster           `json:"cluster,omitempty"`
+	MachineSet        *MachineSet        `json:"machine_set,omitempty"`
+	MachineSetNode    *MachineSetNode    `json:"machine_set_node,omitempty"`
+	ConfigPatch       *ConfigPatch       `json:"config_patch,omitempty"`
+	MachineConfigDiff *MachineConfigDiff `json:"machine_config_diff,omitempty"`
+	TalosAccess       *TalosAccess       `json:"talos_access,omitempty"`
+	K8SAccess         *K8SAccess         `json:"k8s_access,omitempty"`
+	Session           Session            `json:"session,omitempty"`
 }
 
 // Session contains information about the current session.
@@ -111,6 +112,12 @@ type ConfigPatch struct {
 	Data   string            `json:"data,omitempty"`
 }
 
+// MachineConfigDiff struct contains information about the machine configuration diff.
+type MachineConfigDiff struct {
+	ID   resource.ID `json:"id,omitempty"`
+	Diff string      `json:"diff,omitempty"`
+}
+
 // TalosAccess struct contains information about the access to the Talos node.
 type TalosAccess struct {
 	FullMethodName string `json:"full_method_name,omitempty"`

internal/backend/grpc/support.go

@@ -70,6 +70,8 @@ func Init(a *audit.Log) {
 	audit.ShouldLogUpdate(a, configPatchUpdate, audit.WithInternalAgent())
 	audit.ShouldLogUpdateWithConflicts(a, configPatchUpdate, audit.WithInternalAgent())
 	audit.ShouldLogDestroy(a, omni.ConfigPatchType, configPatchDestroy, audit.WithInternalAgent())
+
+	audit.ShouldLogCreate(a, machineConfigDiffCreate, audit.WithInternalAgent())
 }
 
 func publicKeyCreate(_ context.Context, data *audit.Data, res *auth.PublicKey, _ ...state.CreateOption) error {
@@ -389,6 +391,15 @@ func configPatchDestroy(_ context.Context, data *audit.Data, ptr resource.Pointe
 	return nil
 }
 
+func machineConfigDiffCreate(_ context.Context, data *audit.Data, res *omni.MachineConfigDiff, _ ...state.CreateOption) error {
+	initPtrField(&data.MachineConfigDiff)
+
+	data.MachineConfigDiff.ID = res.Metadata().ID()
+	data.MachineConfigDiff.Diff = res.TypedSpec().Value.Diff
+
+	return nil
+}
+
 func initPtrField[T any](v **T) {
 	if *v == nil {
 		*v = new(T)