feat: add a way to sync Kubernetes manifests in Omni

[Unix4ever]

Manifests support two modes:

• FULL - Omni will keep the manifest in sync always.
• ONE_TIME - Omni will apply the manifest only if it doesn't exist. If the manifest is removed by hand and then changed in Omni it will be applied too.

Manifests are applied using service side apply, Omni now has two inventories: omni-internal-inventory and omni-user-inventory:

• User inventory will be used for user managed manifests.
• Internal one will be used for the manifests which are created by Omni controllers (workloadproxy, advanced healtcheck service).

Manifests also support setting namespace to all namespaced resources. It might be useful for the huge manifest files which are supplied without the namespace (similar to kubectl apply -n namespace -f manifest.yaml).

[Orzelius]

Not as much a code review as just a bunch of questions from my part

[rothgar]

How is someone intended to use this initially? Is this only part of cluster templates or can it be added to any cluster in Omni?

[Unix4ever]

How is someone intended to use this initially? Is this only part of cluster templates or can it be added to any cluster in Omni?

I'm going to make it part of the cluster templates in the next PR.
Also will move workloadproxy manifests to this system.

[Unix4ever]

Pretty much rewrote the controller. Made the status updates more frequent, fixed more issues there:

• mappers for the LoadbalancerStatus and ClusterStatus were incorrect.
• reduced the prune/rollout timeouts to make the controller retry and update the status.

The status now contains more phases as well as the information about the resource being created.

Example:

metadata:
    namespace: default
    type: ClusterKubernetesManifestsStatuses.omni.sidero.dev
    id: talos-default
    version: 34
    owner: ClusterKubernetesManifestsStatusController
    phase: running
    created: 2026-02-06T12:38:46Z
    updated: 2026-02-06T13:20:00Z
spec:
    manifests:
        default_nginx-deployment_apps_Deployment:
            phase: 3
            lasterror: ""
            mode: 1
            kind: Deployment
            name: nginx-deployment
            namespace: default
    errors: {}
    outofsync: 0
    total: 1

[utkuozdemir]

What if we compress them unconditionally? Our old compressing resources were done kinda that way for kind of backwards compatibility. Maybe we can just do this simpler.

[Unix4ever]

It has more than that. It also doesn't compress if the manifest size is small. So I thought it kinda makes sense to use the same approach here.

[utkuozdemir]

Curious, does this mean there is no order of apply between manifests? I guess it'd probably work anyway, our code would keep trying to apply them, but normally there can be an order in k8s manifests - an example is creating a CRD and a CR. If so, we could maybe turn these into slices instead?

[Unix4ever]

This is the status resource.

While the manifests are ordered: separate KubernetesManifest resources are ordered by COSI using the ID, and it's possible to put many manifests to a single resource delimiting by ---, then it's a slice.

[Unix4ever]

Show the system manifest flag inside the ClusterKubernetesManifestsStatus.

[Unix4ever]

wrap the error to add more context

[Unix4ever]

wrap the error to add more context

[Unix4ever]

add last modified date.

[Unix4ever]

Consider making it less restricted

[Unix4ever]

Try to use inventory to track prune/delete events.

[Unix4ever]

Suggested change

	_, err = dr.Create(ctx, manifest, v1.CreateOptions{FieldManager: constants.KubernetesFieldManagerName})
	_, err = dr.Apply(ctx, manifest, v1.CreateOptions{FieldManager: constants.KubernetesFieldManagerName})