From c0e64a5bee11da95397b613a1af5b408e24f9e2f Mon Sep 17 00:00:00 2001
From: scatat <stephentan@gmail.com>
Date: Fri, 20 Mar 2026 20:07:07 +0000
Subject: [PATCH] fix: exclude control plane endpoint from MetalMachine
 addresses

When Talos reports node addresses, it includes the shared control plane
endpoint (VIP). The metalmachine controller copies these into
MetalMachine.Status.Addresses, where CACPPT treats them as per-machine
endpoints, breaking scale-down operations.

Filter the control plane endpoint at the CAPI boundary, guarded by
len > 1 so single-node control planes retain the address.

Ref: siderolabs/cluster-api-control-plane-provider-talos#242

Signed-off-by: scatat <stephentan@gmail.com>
---
 .../controllers/metalmachine_controller.go                   | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/app/caps-controller-manager/controllers/metalmachine_controller.go b/app/caps-controller-manager/controllers/metalmachine_controller.go
index 104c9de1d..f2feebecc 100644
--- a/app/caps-controller-manager/controllers/metalmachine_controller.go
+++ b/app/caps-controller-manager/controllers/metalmachine_controller.go
@@ -211,6 +211,11 @@ func (r *MetalMachineReconciler) Reconcile(ctx context.Context, req ctrl.Request
 
 		addresses := make([]capiv1.MachineAddress, 0, len(serverBinding.Spec.Addresses))
 		for _, addr := range serverBinding.Spec.Addresses {
+			// skip shared control plane endpoint unless it's the only address (single-node)
+			if addr == cluster.Spec.ControlPlaneEndpoint.Host && len(serverBinding.Spec.Addresses) > 1 {
+				continue
+			}
+
 			addresses = append(addresses, capiv1.MachineAddress{
 				Type:    capiv1.MachineInternalIP,
 				Address: addr,