Debug etcd kmsv2 encrption

ci-operator/step-registry/cucushift/hypershift-extended/etcd-encryption/health-check/azure/cucushift-hypershift-extended-etcd-encryption-health-check-azure-ref.yaml

@@ -11,6 +11,10 @@ ref:
     requests:
       cpu: 10m
       memory: 100Mi
+  credentials:
+    - mount_path: /etc/hypershift-aro-azurecreds
+      name: hypershift-aro-azurecreds
+      namespace: test-credentials
   documentation: |-
     This step performs health checks on a Hypershift hosted cluster on Azure with ETCD encryption.
     Assumptions: 

ci-operator/step-registry/cucushift/installer/rehearse/azure/aks/hypershift/etcd-disk-encryption/provision/cucushift-installer-rehearse-azure-aks-hypershift-etcd-disk-encryption-provision-chain.yaml

@@ -3,18 +3,17 @@ chain:
   steps:
   - chain: cucushift-installer-rehearse-azure-aks-provision
   - ref: hypershift-azure-aks-attach-kv
+  - ref: azure-provision-vnet-hypershift
   - ref: azure-provision-resourcegroup
-  - ref: azure-provision-vault-key
   - ref: azure-provision-disk-encryption-set
   - ref: azure-provision-storage-account
   - ref: cucushift-hypershift-extended-k8s-mgmt-apply-crds
   - ref: cucushift-hypershift-extended-install-private
   - ref: cucushift-hypershift-extended-k8s-mgmt-get-guest-annotations
   - ref: cucushift-hypershift-extended-k8s-mgmt-simulate-icsp
   - chain: hypershift-azure-create
+  - ref: cucushift-hypershift-extended-debug
   - ref: cucushift-hypershift-extended-etcd-encryption-health-check-azure
-  - ref: cucushift-hypershift-extended-vm-encryption-azure-server-side-encryption-customer-managed-keys-health-check
-  - ref: cucushift-hypershift-extended-vm-encryption-azure-encryption-at-host-health-check
   - chain: cucushift-hypershift-extended-enable-qe-catalogsource
   env:
   - name: AKS_ADDONS
@@ -35,6 +34,8 @@ chain:
     default: "qe.azure.devcluster.openshift.com"
   - name: HYPERSHIFT_CUSTOM_RESOURCE_GROUP
     default: "true"
+  - name: HYPERSHIFT_ENABLE_CONVERSION_WEBHOOK
+    default: "false"
   - name: HYPERSHIFT_DISK_ENCRYPTION
     default: "true"
   - name: HYPERSHIFT_ENABLE_CONVERSION_WEBHOOK
@@ -51,6 +52,12 @@ chain:
     default: "true"
   - name: HYPERSHIFT_OPERATOR_PULL_SECRET
     default: "true"
+  - name: ASSIGN_SERVICE_PRINCIPAL_ROLES
+    default: "true"
+  - name: AKS_ADDONS
+    default: "azure-keyvault-secrets-provider"
+  - name: HYPERSHIFT_AZURE_CP_MI
+    default: "true"
   documentation: |-
     Provisions an aks management cluster and a public hosted cluster utilizing ETCD encryption, 
     Azure OS disk encryption with customer managed key and encryption at host. 

ci-operator/step-registry/hypershift/azure/create/hypershift-azure-create-chain.yaml

@@ -167,15 +167,6 @@ chain:
         PULL_SECRET_PATH="${SHARED_DIR}/hypershift-pull-secret"
       fi
 
-      ENCRYPTION_KEY_ID=""
-      if [[ $HYPERSHIFT_ETCD_ENCRYPTION == "true" ]]; then
-        if [[ -f "${SHARED_DIR}/azure_active_key_url" ]]; then
-          ENCRYPTION_KEY_ID="$(cat "${SHARED_DIR}/azure_active_key_url")"
-        else
-          ENCRYPTION_KEY_ID="$(cat "/etc/hypershift-aro-azurecreds/encryption-key-url")"
-        fi
-      fi
-
       DISK_ENCRYPTION_SET_ID=""
       if [[ $HYPERSHIFT_DISK_ENCRYPTION == "true" ]]; then
         DISK_ENCRYPTION_SET_ID="$(cat "${SHARED_DIR}/azure_des_id")"
@@ -211,14 +202,19 @@ chain:
         --azure-creds ${AZURE_CREDS} \
         --location ${HC_LOCATION} \
         --release-image ${RELEASE_IMAGE} \
-        --encryption-key-id=${ENCRYPTION_KEY_ID} \
         --disk-encryption-set-id=${DISK_ENCRYPTION_SET_ID} \
         --resource-group-name=${RESOURCE_GROUP_NAME} \
         --vnet-id=${VNET_ID} \
         --subnet-id=${SUBNET_ID} \
         --network-security-group-id=${NSG_ID} \
         --generate-ssh
       )
+
+      if [[ $HYPERSHIFT_ETCD_ENCRYPTION == "true" ]]; then
+          ENCRYPTION_KEY_ID="$(cat /etc/hypershift-aro-azurecreds/kms-encryption-key-id)"
+          KMS_CRED_SECRET_NAME="$(cat /etc/hypershift-aro-azurecreds/kms-credentials-secret-name)"
+          COMMAND+=(--encryption-key-id=${ENCRYPTION_KEY_ID} --kms-credentials-secret-name ${KMS_CRED_SECRET_NAME})            
+      fi
 
       if [[ $ENABLE_ICSP == "true" ]]; then
         COMMAND+=(--image-content-sources "${SHARED_DIR}/mgmt_icsp.yaml")
@@ -353,6 +349,8 @@ chain:
 
       "${COMMAND[@]}"
 
+      exit 0
+
       # The timeout should be much lower, this is due to https://bugzilla.redhat.com/show_bug.cgi?id=2060091
       echo "Waiting for cluster to become available"
       oc wait --timeout=30m --for=condition=Available --namespace=clusters hostedcluster/${CLUSTER_NAME}