diff --git a/cmd/kops-controller/controllers/legacy_node_controller.go b/cmd/kops-controller/controllers/legacy_node_controller.go
index 2122c9d0b0..7fbb474625 100644
--- a/cmd/kops-controller/controllers/legacy_node_controller.go
+++ b/cmd/kops-controller/controllers/legacy_node_controller.go
@@ -39,7 +39,7 @@ import (
 )
 
 // NewLegacyNodeReconciler is the constructor for a LegacyNodeReconciler
-func NewLegacyNodeReconciler(mgr manager.Manager, configPath string, identifier nodeidentity.LegacyIdentifier) (*LegacyNodeReconciler, error) {
+func NewLegacyNodeReconciler(mgr manager.Manager, vfsContext *vfs.VFSContext, configPath string, identifier nodeidentity.LegacyIdentifier) (*LegacyNodeReconciler, error) {
 	r := &LegacyNodeReconciler{
 		client:     mgr.GetClient(),
 		log:        ctrl.Log.WithName("controllers").WithName("Node"),
@@ -53,7 +53,7 @@ func NewLegacyNodeReconciler(mgr manager.Manager, configPath string, identifier
 	}
 	r.coreV1Client = coreClient
 
-	configBase, err := vfs.Context.BuildVfsPath(configPath)
+	configBase, err := vfsContext.BuildVfsPath(configPath)
 	if err != nil {
 		return nil, fmt.Errorf("cannot parse ConfigBase %q: %v", configPath, err)
 	}
diff --git a/cmd/kops-controller/main.go b/cmd/kops-controller/main.go
index 94b00e3342..bc4defaac3 100644
--- a/cmd/kops-controller/main.go
+++ b/cmd/kops-controller/main.go
@@ -47,6 +47,7 @@ import (
 	"k8s.io/kops/upup/pkg/fi/cloudup/hetzner"
 	"k8s.io/kops/upup/pkg/fi/cloudup/openstack"
 	"k8s.io/kops/upup/pkg/fi/cloudup/scaleway"
+	"k8s.io/kops/util/pkg/vfs"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
@@ -114,6 +115,8 @@ func main() {
 		os.Exit(1)
 	}
 
+	vfsContext := vfs.NewVFSContext()
+
 	if opt.Server != nil {
 		var verifier bootstrap.Verifier
 		var err error
@@ -166,7 +169,7 @@ func main() {
 			os.Exit(1)
 		}
 
-		srv, err := server.NewServer(&opt, verifier, uncachedClient)
+		srv, err := server.NewServer(vfsContext, &opt, verifier, uncachedClient)
 		if err != nil {
 			setupLog.Error(err, "unable to create server")
 			os.Exit(1)
@@ -182,7 +185,7 @@ func main() {
 		}
 	}
 
-	if err := addNodeController(mgr, &opt); err != nil {
+	if err := addNodeController(mgr, vfsContext, &opt); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "NodeController")
 		os.Exit(1)
 	}
@@ -212,7 +215,7 @@ func buildScheme() error {
 	return nil
 }
 
-func addNodeController(mgr manager.Manager, opt *config.Options) error {
+func addNodeController(mgr manager.Manager, vfsContext *vfs.VFSContext, opt *config.Options) error {
 	var legacyIdentifier nodeidentity.LegacyIdentifier
 	var identifier nodeidentity.Identifier
 	var err error
@@ -282,7 +285,7 @@ func addNodeController(mgr manager.Manager, opt *config.Options) error {
 			return fmt.Errorf("must specify secretStore")
 		}
 
-		nodeController, err := controllers.NewLegacyNodeReconciler(mgr, opt.ConfigBase, legacyIdentifier)
+		nodeController, err := controllers.NewLegacyNodeReconciler(mgr, vfsContext, opt.ConfigBase, legacyIdentifier)
 		if err != nil {
 			return err
 		}
diff --git a/cmd/kops-controller/pkg/server/server.go b/cmd/kops-controller/pkg/server/server.go
index 985e2888e5..07ded09a08 100644
--- a/cmd/kops-controller/pkg/server/server.go
+++ b/cmd/kops-controller/pkg/server/server.go
@@ -51,7 +51,7 @@ import (
 
 type Server struct {
 	opt         *config.Options
-	certNames   sets.String
+	certNames   sets.Set[string]
 	keypairIDs  map[string]string
 	server      *http.Server
 	verifier    bootstrap.Verifier
@@ -70,30 +70,29 @@ type Server struct {
 
 var _ manager.LeaderElectionRunnable = &Server{}
 
-func NewServer(opt *config.Options, verifier bootstrap.Verifier, uncachedClient client.Client) (*Server, error) {
+func NewServer(vfsContext *vfs.VFSContext, opt *config.Options, verifier bootstrap.Verifier, uncachedClient client.Client) (*Server, error) {
 	server := &http.Server{
 		Addr: opt.Server.Listen,
 		TLSConfig: &tls.Config{
-			MinVersion:               tls.VersionTLS12,
-			PreferServerCipherSuites: true,
+			MinVersion: tls.VersionTLS12,
 		},
 	}
 
 	s := &Server{
 		opt:            opt,
-		certNames:      sets.NewString(opt.Server.CertNames...),
+		certNames:      sets.New(opt.Server.CertNames...),
 		server:         server,
 		verifier:       verifier,
 		uncachedClient: uncachedClient,
 	}
 
-	configBase, err := vfs.Context.BuildVfsPath(opt.ConfigBase)
+	configBase, err := vfsContext.BuildVfsPath(opt.ConfigBase)
 	if err != nil {
 		return nil, fmt.Errorf("cannot parse ConfigBase %q: %w", opt.ConfigBase, err)
 	}
 	s.configBase = configBase
 
-	p, err := vfs.Context.BuildVfsPath(opt.SecretStore)
+	p, err := vfsContext.BuildVfsPath(opt.SecretStore)
 	if err != nil {
 		return nil, fmt.Errorf("cannot parse SecretStore %q: %w", opt.SecretStore, err)
 	}