For HyperShift and for Cluster API experiments, we currently have no way to securely check CSRs created by Nodes as they start up. HyperShift currently auto approves all CSRs.

Before going into production, HyperShift will require our existing Cluster Machine Approver (or something equivalent) to approve certificates based on the existing security criteria we have within regular OpenShift clusters.

To enable CMA to support both MAPI and CAPI based clusters, we can take the approach used in the cluster autoscaler:

• Convert internal code to use either unstructured or an internal machine type (we are read only on machines currently so could stick to an internal type unmarshalled from either API)
• Allow API group and version to be specified via CLI args (to be able to switch between MAPI/CAPI)
• Internally split Node/CSR clients from Machine clients
• By default, use in cluster creds for both clients
• Allow kubeconfig override for Node/CSR/Machine clients via `--kubeconfig` flag
• Provide second kubeconfig override for Machine client via `--management-kubeconfig` flag

This should allow the CMA to continue working in existing clusters, but also allow usage in a pure CAPI cluster (by using the kubeconfig flag), or in split management/spoke clusters using both kubeconfig flags.