I've been trying to figure out how to use Omni to provision a Talos cluster completely headless and I've learned a couple things:
Just for some context, I've got a local docker compose stack going with Keycloak 26.4 and Omni 1.2.1. I realize this isn't anywhere near prod-worthy but I'm still just poking around.
First, to make it headless, the default SAML flow isn't going to work, so you have to use a service account with OIDC. I needed a minimal OIDC client in Keycloak to make this work. (I just set the client ID to omni and the root and home URLs to https://omni.example.com.)
Second, you can pass a --create-initial-service-account flag to the Omni start command; it will do that for you on first run.
Third, if you expose the /_out directory from the Omni container to the host, you can get access to initial-service-account-key.
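The third step above puts a full-privilege credential on the host filesystem, so before handing it to omnictl it is worth checking that the host copy is only readable by its owner. The following is an added shell example, not part of the original post and not Omni's own tooling: it reads the key from the exposed _out directory, refuses to use it if the file is empty or group/world-readable, and emits the environment exports for a headless omnictl session. It assumes the file name from the post (_out/initial-service-account-key), that OMNI_ENDPOINT and OMNI_SERVICE_ACCOUNT_KEY are the variables omnictl reads (check the omnictl docs for your version), and uses the post's https://omni.example.com as the endpoint.

```shell
# Added example (not from the original post or from Omni): load the initial
# Omni service account key from the host-exposed _out directory for headless
# omnictl use.
# Assumptions: the key file is _out/initial-service-account-key (per the post);
# OMNI_ENDPOINT and OMNI_SERVICE_ACCOUNT_KEY are the variables omnictl reads
# (assumed here, verify against the omnictl docs for your version).

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# load_omni_sa_key <out_dir> <omni_url>
# Prints export lines and returns 0 on success; returns non-zero with a reason
# on stderr otherwise. The key grants full access to Omni, so refuse to use it
# if the host copy is missing, empty, or readable by anyone but its owner.
load_omni_sa_key() {
    out_dir=$1
    endpoint=$2
    key_file="$out_dir/initial-service-account-key"

    if [ ! -f "$key_file" ]; then
        echo "no key at $key_file (start Omni with --create-initial-service-account)" >&2
        return 1
    fi
    if [ ! -s "$key_file" ]; then
        echo "$key_file is empty" >&2
        return 2
    fi
    mode=$(file_mode "$key_file")
    # Accept only modes whose group/other digits are zero (600, 400, 700, ...).
    case "$mode" in
        *00|0) ;;
        *) echo "$key_file has mode $mode; expected 600 or 400" >&2; return 3 ;;
    esac
    key=$(cat "$key_file")
    printf 'export OMNI_ENDPOINT=%s\n' "$endpoint"
    printf 'export OMNI_SERVICE_ACCOUNT_KEY=%s\n' "$key"
}

# Usage: eval "$(load_omni_sa_key ./_out https://omni.example.com)" && omnictl get clusters
```

The permission check is the point of the block: a bind-mounted _out directory is created with whatever umask the container and host agree on, so the key can easily end up world-readable, and the check fails closed rather than exporting it anyway.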