feat: log and store redacted machine config diffs

[utkuozdemir]

Change the RedactedClusterMachineConfig controller to also compute diffs between each config change and store them in a new resource.

Additionally, log this diff and include its creation in the audit logs.

Clean up old diffs with both size (count) and time-based retention. Include these diffs in the support bundles.

The resource ID follows the following pattern: <machine-id>-<timestamp>, e.g., 34bafa44-e994-4911-9c1a-609cccefee93-2025-07-04T19:05:40.181Z.

Closes #1119.

Sample Diff Resource

get machineconfigdiff -oyaml
metadata:
    namespace: default
    type: MachineConfigDiffs.omni.sidero.dev
    id: 34bafa44-e994-4911-9c1a-609cccefee93-2025-07-04T19:05:40.181Z
    version: 1
    owner: RedactedClusterMachineConfigController
    phase: running
    created: 2025-07-04T19:05:40Z
    updated: 2025-07-04T19:05:40Z
    labels:
        omni.sidero.dev/cluster: talos-default
        omni.sidero.dev/machine: 34bafa44-e994-4911-9c1a-609cccefee93
        omni.sidero.dev/machine-set: talos-default-control-planes
        omni.sidero.dev/role-controlplane:
    annotations:
        omni.sidero.dev/modified-at: 2025-07-04T19:05:40.181685358Z
spec:
    diff: |-
        @@ -49,6 +49,7 @@
                     enabled: true
                     forwardKubeDNSToHost: true
             nodeLabels:
        +        aaa: bbb
                 node.kubernetes.io/exclude-from-external-load-balancers: ""
         cluster:
             id: Dyt3vOPZ26gywnEh4PQgf7n37Dmvp4KR4pAnu8RP33w=

[utkuozdemir]

Didn't name this as RedactedClusterMachineConfigDiff to avoid over-verbosity.

[utkuozdemir]

Added these two into bundles as well, good to have.

[Copilot]

Pull Request Overview

This PR introduces a new MachineConfigDiff resource to capture, store, and audit diffs of redacted machine configs, and adds logic to periodically clean up old diffs.

• Controller changes to compute diffs on each config change, save them, and clean up by age/count
• Runtime updates to register caches and controllers for the new diff type
• Audit, support bundles, frontend, and client code extended to recognize and handle the new diff resource

Reviewed Changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
internal/backend/runtime/omni/state_access.go	Added MachineConfigDiffType to access filters
internal/backend/runtime/omni/omni.go	Registered cache/controllers for MachineConfigDiff
internal/backend/runtime/omni/controllers/omni/redacted_cluster_machine_config.go	Implemented diff computation, saving, and cleanup logic
internal/backend/runtime/omni/controllers/omni/redacted_cluster_machine_config_test.go	Extended tests for diff creation and retention
internal/backend/runtime/omni/audit/hooks/hooks.go	Added audit hook for diff creation
internal/backend/runtime/omni/audit/data.go	Extended audit Data struct with MachineConfigDiff
internal/backend/grpc/support.go	Included diffs in support bundle collection
frontend/src/api/resources.ts	Defined MachineConfigDiffType constant
frontend/src/api/omni/specs/omni.pb.ts	Added MachineConfigDiffSpec type
client/pkg/omni/resources/omni/omni.go	Registered MachineConfigDiff resource
client/pkg/omni/resources/omni/machine_config_diff.go	Implemented client type for MachineConfigDiff
client/api/omni/specs/omni.proto	Added MachineConfigDiffSpec message
client/api/omni/specs/omni.pb.go	Generated code for MachineConfigDiffSpec
client/api/omni/specs/omni_vtproto.pb.go	Added VT clone/marshal implementations for diffs

[utkuozdemir]

Some refactor here to use the cached state in more places.

[utkuozdemir]

These two types also got cluster labels with my recent changes, so I add them here as well.

[utkuozdemir]

/m