refactor: csr approval controller

Move CSR Approval to separate controller. Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
2026-01-27 10:20:27 +00:00 · 2024-08-28 16:48:17 +03:00
parent 31c9b5b199
commit 09a5b9e24d
22 changed files with 149 additions and 93 deletions
--- a/.github/workflows/build-edge.yaml
+++ b/.github/workflows/build-edge.yaml
@@ -26,7 +26,7 @@ jobs:
        run: git fetch --prune --unshallow

      - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.5.0
+        uses: sigstore/cosign-installer@v3.6.0
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
        with:
--- a/.github/workflows/release-charts.yaml
+++ b/.github/workflows/release-charts.yaml
@@ -25,7 +25,7 @@ jobs:
      - name: Install Helm
        uses: azure/setup-helm@v4
      - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.5.0
+        uses: sigstore/cosign-installer@v3.6.0

      - name: Github registry login
        uses: docker/login-action@v3
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -21,7 +21,7 @@ jobs:
        run: git fetch --prune --unshallow

      - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.5.0
+        uses: sigstore/cosign-installer@v3.6.0
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
        with:
--- a/4
+++ b/4
@@ -72,11 +72,11 @@ build: ## Build

 .PHONY: run
 run: build
-	./talos-cloud-controller-manager-$(ARCH) --v=5 --kubeconfig=kubeconfig --cloud-config=hack/ccm-config.yaml --controllers=cloud-node,node-ipam-controller \
+	./talos-cloud-controller-manager-$(ARCH) --v=5 --kubeconfig=kubeconfig --cloud-config=hack/ccm-config.yaml --controllers=cloud-node,node-csr-approval,node-ipam-controller \
 		--allocate-node-cidrs \
 		--node-cidr-mask-size-ipv4=24 --node-cidr-mask-size-ipv6=80 \
 		--cidr-allocator-type=CloudAllocator \
-		--use-service-account-credentials --leader-elect=false --bind-address=127.0.0.1 --secure-port=0 --authorization-always-allow-paths=/healthz,/livez,/readyz,/metrics
+		--use-service-account-credentials --leader-elect=false --bind-address=127.0.0.1 --secure-port=8443 --authorization-always-allow-paths=/healthz,/livez,/readyz,/metrics

 .PHONY: lint
 lint: ## Lint Code
--- a/charts/talos-cloud-controller-manager/Chart.yaml
+++ b/charts/talos-cloud-controller-manager/Chart.yaml
@@ -11,5 +11,5 @@ keywords:
 maintainers:
  - name: sergelogvinov
    url: https://github.com/sergelogvinov
-version: 0.3.1
+version: 0.4.0
 appVersion: "v1.6.0"
--- a/charts/talos-cloud-controller-manager/README.md
+++ b/charts/talos-cloud-controller-manager/README.md
@@ -1,6 +1,6 @@
 # talos-cloud-controller-manager

-![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.6.0](https://img.shields.io/badge/AppVersion-v1.6.0-informational?style=flat-square)
+![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.6.0](https://img.shields.io/badge/AppVersion-v1.6.0-informational?style=flat-square)

 Talos Cloud Controller Manager Helm Chart

@@ -27,12 +27,9 @@ Kubernetes: `>= 1.24.0`

 replicaCount: 2

-features:
-  # `approveNodeCSR` - check and approve node CSR.
-  approveNodeCSR: true
-
 enabledControllers:
  - cloud-node
+  - node-csr-approval

 # Deploy CCM only on control-plane nodes
 nodeSelector:
@@ -54,9 +51,8 @@ helm upgrade -i --namespace=kube-system -f talos-ccm.yaml \
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Affinity for data pods assignment. ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
-| enabledControllers | list | `["cloud-node"]` | List of controllers should be enabled. Use '*' to enable all controllers. Support only `cloud-node` controller. |
+| enabledControllers | list | `["cloud-node","node-csr-approval"]` | List of controllers should be enabled. Use '*' to enable all controllers. Support only `cloud-node, cloud-node-lifecycle, node-csr-approval, node-ipam-controller` controllers. |
 | extraArgs | list | `[]` | Any extra arguments for talos-cloud-controller-manager |
-| features.approveNodeCSR | bool | `true` | List of CCM features. `approveNodeCSR` - check and approve node CSR. |
 | fullnameOverride | string | `""` | String to fully override deployment name. |
 | image.pullPolicy | string | `"IfNotPresent"` | Pull policy: IfNotPresent or Always. |
 | image.repository | string | `"ghcr.io/siderolabs/talos-cloud-controller-manager"` | CCM image repository. |
--- a/charts/talos-cloud-controller-manager/README.md.gotmpl
+++ b/charts/talos-cloud-controller-manager/README.md.gotmpl
@@ -21,12 +21,9 @@

 replicaCount: 2

-features:
-  # `approveNodeCSR` - check and approve node CSR.
-  approveNodeCSR: true
-
 enabledControllers:
  - cloud-node
+  - node-csr-approval

 # Deploy CCM only on control-plane nodes
 nodeSelector:
--- a/charts/talos-cloud-controller-manager/templates/configmap.yaml
+++ b/charts/talos-cloud-controller-manager/templates/configmap.yaml
@@ -8,9 +8,6 @@ metadata:
 data:
  ccm-config.yaml: |
    global:
-  {{- if .Values.features.approveNodeCSR }}
-      approveNodeCSR: true
-  {{- end }}
  {{- with .Values.transformations }}
    transformations:
      {{- toYaml . | nindent 6 }}
--- a/charts/talos-cloud-controller-manager/templates/deployment.yaml
+++ b/charts/talos-cloud-controller-manager/templates/deployment.yaml
@@ -75,13 +75,13 @@ spec:
              value: "6443"
          {{- end }}
          ports:
-            - containerPort: {{ .Values.service.containerPort }}
-              name: https
+            - name: metrics
+              containerPort: {{ .Values.service.containerPort }}
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
-              port: https
+              port: metrics
              scheme: HTTPS
            initialDelaySeconds: 20
            periodSeconds: 30
--- a/charts/talos-cloud-controller-manager/templates/service.yaml
+++ b/charts/talos-cloud-controller-manager/templates/service.yaml
@@ -13,7 +13,7 @@ spec:
  clusterIP: None
  type: ClusterIP
  ports:
-    - name: https
+    - name: metrics
      port: {{ .Values.service.port }}
      targetPort: {{ .Values.service.containerPort }}
      protocol: TCP
--- a/charts/talos-cloud-controller-manager/values-example.yaml
+++ b/charts/talos-cloud-controller-manager/values-example.yaml
@@ -1,7 +1,6 @@

 image:
-  repository: ghcr.io/sergelogvinov/talos-cloud-controller-manager
  pullPolicy: Always
-  tag: latest
+  tag: edge

 logVerbosityLevel: 4
--- a/charts/talos-cloud-controller-manager/values.yaml
+++ b/charts/talos-cloud-controller-manager/values.yaml
@@ -28,17 +28,14 @@ extraArgs: []

 # -- List of controllers should be enabled.
 # Use '*' to enable all controllers.
-# Support only `cloud-node` controller.
+# Support only `cloud-node, cloud-node-lifecycle, node-csr-approval, node-ipam-controller` controllers.
 enabledControllers:
  - cloud-node
  # - cloud-node-lifecycle
  # - route
  # - service
-
-features:
-  # -- List of CCM features.
-  # `approveNodeCSR` - check and approve node CSR.
-  approveNodeCSR: true
+  - node-csr-approval
+  # - node-ipam-controller

 # -- List of node transformations.
 # Available matchExpressions key values: https://github.com/siderolabs/talos/blob/main/pkg/machinery/resources/runtime/platform_metadata.go#L28
@@ -73,7 +70,7 @@ serviceAccount:
  name: ""

 # -- CCM pods' priorityClassName.
-priorityClassName: ""
+priorityClassName: system-cluster-critical

 # -- Annotations for data pods.
 # ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
--- a/cmd/talos-cloud-controller-manager/main.go
+++ b/cmd/talos-cloud-controller-manager/main.go
@@ -62,11 +62,21 @@ func main() {
 		Constructor: nodeIpamController.startNodeIpamControllerWrapper,
 	}

+	nodeCSRApproval := nodeCSRApprovalController{}
+	controllerInitializers[kcmnames.CertificateSigningRequestApprovingController] = app.ControllerInitFuncConstructor{
+		InitContext: app.ControllerInitContext{
+			ClientName: talos.ServiceAccountName,
+		},
+		Constructor: nodeCSRApproval.startNodeCSRApprovalControllerWrapper,
+	}
+
 	app.ControllersDisabledByDefault.Insert(kcmnames.NodeLifecycleController)
 	app.ControllersDisabledByDefault.Insert(kcmnames.NodeIpamController)
+	app.ControllersDisabledByDefault.Insert(kcmnames.CertificateSigningRequestApprovingController)
 	controllerAliases["nodeipam"] = kcmnames.NodeIpamController
-	command := app.NewCloudControllerManagerCommand(ccmOptions, cloudInitializer, controllerInitializers, controllerAliases, fss, wait.NeverStop)
+	controllerAliases["node-csr-approval"] = kcmnames.CertificateSigningRequestApprovingController

+	command := app.NewCloudControllerManagerCommand(ccmOptions, cloudInitializer, controllerInitializers, controllerAliases, fss, wait.NeverStop)
 	command.Flags().VisitAll(func(flag *pflag.Flag) {
 		if flag.Name == "cloud-provider" {
 			if err := flag.Value.Set(talos.ProviderName); err != nil {
--- a/cmd/talos-cloud-controller-manager/nodecsrapprovalcontroller.go
+++ b/cmd/talos-cloud-controller-manager/nodecsrapprovalcontroller.go
@@ -0,0 +1,61 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+
+	"github.com/siderolabs/talos-cloud-controller-manager/pkg/certificatesigningrequest"
+	"github.com/siderolabs/talos-cloud-controller-manager/pkg/talos"
+
+	cloudprovider "k8s.io/cloud-provider"
+	app "k8s.io/cloud-provider/app"
+	cloudcontrollerconfig "k8s.io/cloud-provider/app/config"
+	genericcontrollermanager "k8s.io/controller-manager/app"
+	"k8s.io/controller-manager/controller"
+	"k8s.io/klog/v2"
+)
+
+type nodeCSRApprovalController struct{}
+
+func (approvalController *nodeCSRApprovalController) startNodeCSRApprovalControllerWrapper(
+	initContext app.ControllerInitContext,
+	_ *cloudcontrollerconfig.CompletedConfig,
+	cloud cloudprovider.Interface,
+) app.InitFunc {
+	klog.V(4).InfoS("nodeCSRApprovalController.startNodeCSRApprovalControllerWrapper() called")
+
+	return func(ctx context.Context, controllerContext genericcontrollermanager.ControllerContext) (controller.Interface, bool, error) {
+		return startNodeCSRApprovalController(ctx, initContext, controllerContext, cloud)
+	}
+}
+
+func startNodeCSRApprovalController(
+	ctx context.Context,
+	initContext app.ControllerInitContext,
+	controllerContext genericcontrollermanager.ControllerContext,
+	_ cloudprovider.Interface,
+) (controller.Interface, bool, error) {
+	csrController := certificatesigningrequest.NewCsrController(
+		controllerContext.ClientBuilder.ClientOrDie(initContext.ClientName),
+		talos.CSRNodeChecks,
+	)
+
+	go csrController.Run(ctx)
+
+	return nil, true, nil
+}
--- a/docs/deploy/cloud-controller-manager-edge.yml
+++ b/docs/deploy/cloud-controller-manager-edge.yml
@@ -5,7 +5,7 @@ kind: ServiceAccount
 metadata:
  name: talos-cloud-controller-manager
  labels:
-    helm.sh/chart: talos-cloud-controller-manager-0.3.0
+    helm.sh/chart: talos-cloud-controller-manager-0.4.0
    app.kubernetes.io/name: talos-cloud-controller-manager
    app.kubernetes.io/instance: talos-cloud-controller-manager
    app.kubernetes.io/version: "v1.6.0"
@@ -18,7 +18,7 @@ kind: ServiceAccount
 metadata:
  name: talos-cloud-controller-manager-talos-secrets
  labels:
-    helm.sh/chart: talos-cloud-controller-manager-0.3.0
+    helm.sh/chart: talos-cloud-controller-manager-0.4.0
    app.kubernetes.io/name: talos-cloud-controller-manager
    app.kubernetes.io/instance: talos-cloud-controller-manager
    app.kubernetes.io/version: "v1.6.0"
@@ -34,7 +34,7 @@ kind: ConfigMap
 metadata:
  name: talos-cloud-controller-manager
  labels:
-    helm.sh/chart: talos-cloud-controller-manager-0.3.0
+    helm.sh/chart: talos-cloud-controller-manager-0.4.0
    app.kubernetes.io/name: talos-cloud-controller-manager
    app.kubernetes.io/instance: talos-cloud-controller-manager
    app.kubernetes.io/version: "v1.6.0"
@@ -43,7 +43,6 @@ metadata:
 data:
  ccm-config.yaml: |
    global:
-      approveNodeCSR: true
 ---
 # Source: talos-cloud-controller-manager/templates/role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -51,7 +50,7 @@ kind: ClusterRole
 metadata:
  name: system:talos-cloud-controller-manager
  labels:
-    helm.sh/chart: talos-cloud-controller-manager-0.3.0
+    helm.sh/chart: talos-cloud-controller-manager-0.4.0
    app.kubernetes.io/name: talos-cloud-controller-manager
    app.kubernetes.io/instance: talos-cloud-controller-manager
    app.kubernetes.io/version: "v1.6.0"
@@ -159,7 +158,7 @@ kind: Service
 metadata:
  name: talos-cloud-controller-manager
  labels:
-    helm.sh/chart: talos-cloud-controller-manager-0.3.0
+    helm.sh/chart: talos-cloud-controller-manager-0.4.0
    app.kubernetes.io/name: talos-cloud-controller-manager
    app.kubernetes.io/instance: talos-cloud-controller-manager
    app.kubernetes.io/version: "v1.6.0"
@@ -169,7 +168,7 @@ spec:
  clusterIP: None
  type: ClusterIP
  ports:
-    - name: https
+    - name: metrics
      port: 50258
      targetPort: 50258
      protocol: TCP
@@ -183,7 +182,7 @@ kind: Deployment
 metadata:
  name: talos-cloud-controller-manager
  labels:
-    helm.sh/chart: talos-cloud-controller-manager-0.3.0
+    helm.sh/chart: talos-cloud-controller-manager-0.4.0
    app.kubernetes.io/name: talos-cloud-controller-manager
    app.kubernetes.io/instance: talos-cloud-controller-manager
    app.kubernetes.io/version: "v1.6.0"
@@ -210,6 +209,7 @@ spec:
        runAsGroup: 10258
        runAsNonRoot: true
        runAsUser: 10258
+      priorityClassName: system-cluster-critical
      containers:
        - name: talos-cloud-controller-manager
          securityContext:
@@ -226,18 +226,19 @@ spec:
            - --v=2
            - --cloud-provider=talos
            - --cloud-config=/etc/talos/ccm-config.yaml
-            - --controllers=cloud-node
+            - --controllers=cloud-node,node-csr-approval
            - --leader-elect-resource-name=cloud-controller-manager-talos
            - --use-service-account-credentials
            - --secure-port=50258
+            - --authorization-always-allow-paths=/healthz,/livez,/readyz,/metrics
          ports:
-            - containerPort: 50258
-              name: https
+            - name: metrics
+              containerPort: 50258
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
-              port: https
+              port: metrics
              scheme: HTTPS
            initialDelaySeconds: 20
            periodSeconds: 30
--- a/go.mod
+++ b/go.mod
@@ -6,19 +6,19 @@ require (
 	github.com/cosi-project/runtime v0.5.5
 	github.com/siderolabs/go-retry v0.3.3
 	github.com/siderolabs/net v0.4.0
-	github.com/siderolabs/talos/pkg/machinery v1.7.5
+	github.com/siderolabs/talos/pkg/machinery v1.7.6
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
 	gopkg.in/yaml.v3 v3.0.1
 	gotest.tools/v3 v3.5.1
-	k8s.io/api v0.30.3
-	k8s.io/apimachinery v0.30.3
-	k8s.io/client-go v0.30.3
-	k8s.io/cloud-provider v0.30.3
-	k8s.io/component-base v0.30.3
-	k8s.io/controller-manager v0.30.3
+	k8s.io/api v0.30.4
+	k8s.io/apimachinery v0.30.4
+	k8s.io/client-go v0.30.4
+	k8s.io/cloud-provider v0.30.4
+	k8s.io/component-base v0.30.4
+	k8s.io/controller-manager v0.30.4
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
+	k8s.io/utils v0.0.0-20240821151609-f90d01438635
 )

 require (
@@ -127,9 +127,9 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/apiserver v0.30.3 // indirect
-	k8s.io/component-helpers v0.30.3 // indirect
-	k8s.io/kms v0.30.3 // indirect
+	k8s.io/apiserver v0.30.4 // indirect
+	k8s.io/component-helpers v0.30.4 // indirect
+	k8s.io/kms v0.30.4 // indirect
 	k8s.io/kube-openapi v0.0.0-20240620174524-b456828f718b // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
--- a/go.sum
+++ b/go.sum
@@ -213,8 +213,8 @@ github.com/siderolabs/net v0.4.0 h1:1bOgVay/ijPkJz4qct98nHsiB/ysLQU0KLoBC4qLm7I=
 github.com/siderolabs/net v0.4.0/go.mod h1:/ibG+Hm9HU27agp5r9Q3eZicEfjquzNzQNux5uEk0kM=
 github.com/siderolabs/protoenc v0.2.1 h1:BqxEmeWQeMpNP3R6WrPqDatX8sM/r4t97OP8mFmg6GA=
 github.com/siderolabs/protoenc v0.2.1/go.mod h1:StTHxjet1g11GpNAWiATgc8K0HMKiFSEVVFOa/H0otc=
-github.com/siderolabs/talos/pkg/machinery v1.7.5 h1:M02UZSDfN0BB4bXhTYDjEmVvAIX1GsAS45cyKh6+HHU=
-github.com/siderolabs/talos/pkg/machinery v1.7.5/go.mod h1:OeamhNo92c3V96bddZNhcCgoRyzw2KWBtpma1lfchtg=
+github.com/siderolabs/talos/pkg/machinery v1.7.6 h1:+tONHv8JuW46/mTWNgDAUkdfYvWBZ/Ai1mlK1SSQzZU=
+github.com/siderolabs/talos/pkg/machinery v1.7.6/go.mod h1:8H8geXAcGN0DvMOL70p4sC5gZUCxdoZmtLbuoKigFZI=
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
@@ -391,30 +391,30 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
-k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ=
-k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04=
-k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc=
-k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
-k8s.io/apiserver v0.30.3 h1:QZJndA9k2MjFqpnyYv/PH+9PE0SHhx3hBho4X0vE65g=
-k8s.io/apiserver v0.30.3/go.mod h1:6Oa88y1CZqnzetd2JdepO0UXzQX4ZnOekx2/PtEjrOg=
-k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k=
-k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U=
-k8s.io/cloud-provider v0.30.3 h1:SNWZmllTymOTzIPJuhtZH6il/qVi75dQARRQAm9k6VY=
-k8s.io/cloud-provider v0.30.3/go.mod h1:Ax0AVdHnM7tMYnJH1Ycy4SMBD98+4zA+tboUR9eYsY8=
-k8s.io/component-base v0.30.3 h1:Ci0UqKWf4oiwy8hr1+E3dsnliKnkMLZMVbWzeorlk7s=
-k8s.io/component-base v0.30.3/go.mod h1:C1SshT3rGPCuNtBs14RmVD2xW0EhRSeLvBh7AGk1quA=
-k8s.io/component-helpers v0.30.3 h1:KPc8l0eGx9Wg2OcKc58k9ozNcVcOInAi3NGiuS2xJ/c=
-k8s.io/component-helpers v0.30.3/go.mod h1:VOQ7g3q+YbKWwKeACG2BwPv4ftaN8jXYJ5U3xpzuYAE=
-k8s.io/controller-manager v0.30.3 h1:QRFGkWWD5gi/KCSU0qxyUoZRbt+BKgiCUXiTD1RO95w=
-k8s.io/controller-manager v0.30.3/go.mod h1:F95rjHCOH2WwV9XlVxRo71CtddKLhF3FzE+s1lc7E/0=
+k8s.io/api v0.30.4 h1:XASIELmW8w8q0i1Y4124LqPoWMycLjyQti/fdYHYjCs=
+k8s.io/api v0.30.4/go.mod h1:ZqniWRKu7WIeLijbbzetF4U9qZ03cg5IRwl8YVs8mX0=
+k8s.io/apimachinery v0.30.4 h1:5QHQI2tInzr8LsT4kU/2+fSeibH1eIHswNx480cqIoY=
+k8s.io/apimachinery v0.30.4/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
+k8s.io/apiserver v0.30.4 h1:rHkGJhxd+m4jILrgkenwSmG4X0QXk6ecGuybzS/PQak=
+k8s.io/apiserver v0.30.4/go.mod h1:oyGAj9B9/0+I9huJyf4/8SMBF2mNh2bTMlu7703dkH8=
+k8s.io/client-go v0.30.4 h1:eculUe+HPQoPbixfwmaSZGsKcOf7D288tH6hDAdd+wY=
+k8s.io/client-go v0.30.4/go.mod h1:IBS0R/Mt0LHkNHF4E6n+SUDPG7+m2po6RZU7YHeOpzc=
+k8s.io/cloud-provider v0.30.4 h1:j5T/KePmxux289heU+aG+Aq3RmaGfzARAglWUkxTErE=
+k8s.io/cloud-provider v0.30.4/go.mod h1:OfI8YUt8pCU8xvkN1dQ1pvJpQwNZlEszIY186v68H7A=
+k8s.io/component-base v0.30.4 h1:FlgKqazIkIIxpLA4wFXsiPiDllJn9fhsN3G4TeX7T7U=
+k8s.io/component-base v0.30.4/go.mod h1:Qd3h+OJxV/LrnriXG/E15ZK83dzd306qJHW9+87S5ls=
+k8s.io/component-helpers v0.30.4 h1:A4KYmrz12HZtGZ8TAnanl0SUx7n6tKduxzB3NHvinr0=
+k8s.io/component-helpers v0.30.4/go.mod h1:h5D4gI8hGQXMHw90qJq41PRUJrn2dvFA3ElZFUTzRps=
+k8s.io/controller-manager v0.30.4 h1:PdAGa5srv9fTECbBtWeaLshNpy//hGHHpXjRkh1wOkQ=
+k8s.io/controller-manager v0.30.4/go.mod h1:fTVfW8X0yJh+pUuybc45WxyoLQEhJqJjSff6/2b+l3I=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kms v0.30.3 h1:NLg+oN45S2Y3U0WiLRzbS61AY/XrS5JBMZp531Z+Pho=
-k8s.io/kms v0.30.3/go.mod h1:GrMurD0qk3G4yNgGcsCEmepqf9KyyIrTXYR2lyUOJC4=
+k8s.io/kms v0.30.4 h1:Je7wR5/m+w/E7Ef9R9RY1yeMU/C2GXIvhzRFfg8H5kQ=
+k8s.io/kms v0.30.4/go.mod h1:GrMurD0qk3G4yNgGcsCEmepqf9KyyIrTXYR2lyUOJC4=
 k8s.io/kube-openapi v0.0.0-20240620174524-b456828f718b h1:Q9xmGWBvOGd8UJyccgpYlLosk/JlfP3xQLNkQlHJeXw=
 k8s.io/kube-openapi v0.0.0-20240620174524-b456828f718b/go.mod h1:UxDHUPsUwTOOxSU+oXURfFBcAS6JwiRXTYqYwfuGowc=
-k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
-k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2duqHWf5OX9S3zjI=
+k8s.io/utils v0.0.0-20240821151609-f90d01438635/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
--- a/hack/ccm-config.yaml
+++ b/hack/ccm-config.yaml
@@ -1,5 +1,4 @@
 global:
-  approveNodeCSR: true
  # endpoints:
  #   - 1.2.3.4
  #   - 4.3.2.1
--- a/pkg/certificatesigningrequest/controller.go
+++ b/pkg/certificatesigningrequest/controller.go
@@ -86,6 +86,13 @@ func (r *Reconciler) Run(ctx context.Context) {
 					continue
 				}

+				if csr.Spec.SignerName != certificatesv1.KubeletServingSignerName {
+					klog.V(5).InfoS("CertificateSigningRequestReconciler: ignoring, not a Kubelet serving certificate",
+						"signer", csr.Spec.SignerName)
+
+					continue
+				}
+
 				valid, err := r.Reconcile(ctx, csr)
 				if err != nil {
 					klog.ErrorS(err, "CertificateSigningRequestReconciler: failed to reconcile CSR", "name", csr.Name)
--- a/pkg/talos/cloud.go
+++ b/pkg/talos/cloud.go
@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"io"

-	"github.com/siderolabs/talos-cloud-controller-manager/pkg/certificatesigningrequest"
 	"github.com/siderolabs/talos-cloud-controller-manager/pkg/talosclient"

 	clientkubernetes "k8s.io/client-go/kubernetes"
@@ -32,8 +31,7 @@ const (
 type Cloud struct {
 	client *client

-	instancesV2   cloudprovider.InstancesV2
-	csrController *certificatesigningrequest.Reconciler
+	instancesV2 cloudprovider.InstancesV2

 	ctx  context.Context //nolint:containedctx
 	stop func()
@@ -108,13 +106,6 @@ func (c *Cloud) Initialize(clientBuilder cloudprovider.ControllerClientBuilder,
 		provider.stop()
 	}(c)

-	if c.client.config.Global.ApproveNodeCSR {
-		klog.InfoS("Started CSR Node controller")
-
-		c.csrController = certificatesigningrequest.NewCsrController(c.client.kclient, csrNodeChecks)
-		go c.csrController.Run(c.ctx)
-	}
-
 	klog.InfoS("talos initialized")
 }

--- a/pkg/talos/helper.go
+++ b/pkg/talos/helper.go
@@ -189,8 +189,9 @@ func syncNodeLabels(c *client, node *v1.Node, nodeLabels map[string]string) erro
 	return nil
 }

+// CSRNodeChecks checks if the IP addresses in the CSR match the IP addresses of the node.
 // TODO: add more checks, like domain name, worker nodes don't have controlplane IPs, etc...
-func csrNodeChecks(ctx context.Context, kclient clientkubernetes.Interface, x509cr *x509.CertificateRequest) (bool, error) {
+func CSRNodeChecks(ctx context.Context, kclient clientkubernetes.Interface, x509cr *x509.CertificateRequest) (bool, error) {
 	node, err := kclient.CoreV1().Nodes().Get(ctx, x509cr.DNSNames[0], metav1.GetOptions{})
 	if err != nil {
 		return false, fmt.Errorf("failed to get node %s: %w", x509cr.DNSNames[0], err)
--- a/pkg/talos/helper_test.go
+++ b/pkg/talos/helper_test.go
@@ -377,7 +377,7 @@ func TestSyncNodeLabels(t *testing.T) {
 	}
 }

-func TestCsrNodeChecks(t *testing.T) {
+func TestCSRNodeChecks(t *testing.T) {
 	ctx := context.Background()
 	nodes := &v1.NodeList{
 		Items: []v1.Node{
@@ -528,7 +528,7 @@ func TestCsrNodeChecks(t *testing.T) {
 	} {
 		t.Run(tt.name, func(t *testing.T) {
 			kclient := fake.NewSimpleClientset(nodes)
-			approve, err := csrNodeChecks(ctx, kclient, tt.cert)
+			approve, err := CSRNodeChecks(ctx, kclient, tt.cert)

 			if tt.expectedError != nil {
 				assert.Equal(t, tt.expectedError.Error(), err.Error())