From 1c2c23516902dae1c440217daf20a35f1348472a Mon Sep 17 00:00:00 2001 From: gangwgr Date: Wed, 1 Apr 2026 16:59:09 +0530 Subject: [PATCH 1/2] Adding TLS profile observed test cases --- .../origin/openshift-origin-main.yaml | 11 ++ .../origin/openshift-origin-release-4.22.yaml | 11 ++ .../openshift-origin-main-presubmits.yaml | 111 +++++++++++++++--- ...nshift-origin-release-4.22-presubmits.yaml | 109 ++++++++++++++--- 4 files changed, 213 insertions(+), 29 deletions(-) diff --git a/ci-operator/config/openshift/origin/openshift-origin-main.yaml b/ci-operator/config/openshift/origin/openshift-origin-main.yaml index 513ce0a75fc34..0646f39395d9f 100644 --- a/ci-operator/config/openshift/origin/openshift-origin-main.yaml +++ b/ci-operator/config/openshift/origin/openshift-origin-main.yaml @@ -832,6 +832,17 @@ tests: SRC_FROM_GIT: "true" TEST_SUITE: openshift/conformance/serial workflow: openshift-microshift-e2e-origin-conformance +- always_run: false + as: e2e-aws-tls-observed-config + optional: true + steps: + cluster_profile: openshift-org-aws + env: + TEST_SUITE: openshift/tls-observed-config + observers: + enable: + - observers-resource-watch + workflow: openshift-e2e-aws-serial - always_run: false as: e2e-hypershift-conformance optional: true diff --git a/ci-operator/config/openshift/origin/openshift-origin-release-4.22.yaml b/ci-operator/config/openshift/origin/openshift-origin-release-4.22.yaml index a6d0a4084cd1a..baf81e28ad175 100644 --- a/ci-operator/config/openshift/origin/openshift-origin-release-4.22.yaml +++ b/ci-operator/config/openshift/origin/openshift-origin-release-4.22.yaml 
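Review bot: The new `e2e-aws-tls-observed-config` test is declared with `always_run: false` and `optional: true` and has no `run_if_changed`, so the `openshift/tls-observed-config` suite runs only when someone comments `/test e2e-aws-tls-observed-config`, and a failure never blocks a merge. If the job is meant to catch regressions in how components observe the cluster TLS profile, a trigger such as `run_if_changed: <regex for the TLS-profile test paths>` would run it on the pull requests that matter; the regex shown is a placeholder, since the origin repository layout is not visible here. Otherwise the commit description should state that the job is intentionally on-demand and non-blocking. The identical entry added to `openshift-origin-release-4.22.yaml` in the next hunk has the same gap.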
@@ -832,6 +832,17 @@ tests: SRC_FROM_GIT: "true" TEST_SUITE: openshift/conformance/serial workflow: openshift-microshift-e2e-origin-conformance +- always_run: false + as: e2e-aws-tls-observed-config + optional: true + steps: + cluster_profile: openshift-org-aws + env: + TEST_SUITE: openshift/tls-observed-config + observers: + enable: + - observers-resource-watch + workflow: openshift-e2e-aws-serial - always_run: false as: e2e-hypershift-conformance optional: true diff --git a/ci-operator/jobs/openshift/origin/openshift-origin-main-presubmits.yaml b/ci-operator/jobs/openshift/origin/openshift-origin-main-presubmits.yaml index fa6f0c91a3c1f..7a175d627dea1 100644 --- a/ci-operator/jobs/openshift/origin/openshift-origin-main-presubmits.yaml +++ b/ci-operator/jobs/openshift/origin/openshift-origin-main-presubmits.yaml @@ -5,7 +5,7 @@ presubmits: branches: - ^main$ - ^main- - cluster: build09 + cluster: build10 context: ci/prow/e2e-agnostic-ovn-cmd decorate: true decoration_config: 
@@ -2676,6 +2676,87 @@ presubmits: - ^main$ - ^main- cluster: build09 + context: ci/prow/e2e-aws-tls-observed-config + decorate: true + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: openshift-org-aws + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-origin-main-e2e-aws-tls-observed-config + optional: true + rerun_command: /test e2e-aws-tls-observed-config + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-tls-observed-config + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: 
result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-aws-tls-observed-config,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^main$ + - ^main- + cluster: build10 context: ci/prow/e2e-azure decorate: true decoration_config: @@ -2761,7 +2842,7 @@ presubmits: branches: - ^main$ - ^main- - cluster: build09 + cluster: build10 context: ci/prow/e2e-azure-ovn-etcd-scaling decorate: true decoration_config: @@ -2847,7 +2928,7 @@ presubmits: branches: - ^main$ - ^main- - cluster: build09 + cluster: build10 context: ci/prow/e2e-azure-ovn-upgrade decorate: true decoration_config: @@ -4572,7 +4653,7 @@ presubmits: branches: - ^main$ - ^main- - cluster: build09 + cluster: build10 context: ci/prow/e2e-hypershift-conformance decorate: true decoration_config: @@ -5879,7 +5960,7 @@ presubmits: branches: - ^main$ - ^main- - cluster: build09 + cluster: build10 context: ci/prow/e2e-metal-ovn-single-node-live-iso decorate: true decoration_config: @@ -5965,7 +6046,7 @@ presubmits: branches: - ^main$ - ^main- - cluster: build09 + cluster: build10 context: ci/prow/e2e-metal-ovn-single-node-with-worker-live-iso decorate: true decoration_config: @@ -6318,7 +6399,7 @@ presubmits: branches: - ^main$ - ^main- - cluster: build09 + cluster: build10 context: ci/prow/e2e-openstack-dualstack-v6primary decorate: true decoration_config: @@ -6832,7 +6913,7 @@ presubmits: branches: - ^main$ - ^main- - cluster: build09 + cluster: build10 context: ci/prow/go-verify-deps decorate: true decoration_config: @@ -6915,7 +6996,7 @@ presubmits: branches: - ^main$ - ^main- - cluster: build09 + cluster: build10 context: ci/prow/images decorate: true decoration_config: @@ -6974,7 +7055,7 @@ presubmits: branches: - ^main$ - ^main- - cluster: build09 + cluster: build10 context: ci/prow/lint decorate: true decoration_config: 
@@ -7127,7 +7208,7 @@ presubmits: branches: - ^main$ - ^main- - cluster: build09 + cluster: build10 context: ci/prow/okd-scos-images decorate: true decoration_config: @@ -7186,7 +7267,7 @@ presubmits: branches: - ^main$ - ^main- - cluster: build09 + cluster: build10 context: ci/prow/unit decorate: true decoration_config: @@ -7253,7 +7334,7 @@ presubmits: branches: - ^main$ - ^main- - cluster: build09 + cluster: build10 context: ci/prow/verify decorate: true decoration_config: @@ -7320,7 +7401,7 @@ presubmits: branches: - ^main$ - ^main- - cluster: build09 + cluster: build10 context: ci/prow/verify-deps decorate: true decoration_config: @@ -7387,7 +7468,7 @@ presubmits: branches: - ^main$ - ^main- - cluster: build09 + cluster: build10 context: ci/prow/verify-image-manifest-lists decorate: true decoration_config: diff --git a/ci-operator/jobs/openshift/origin/openshift-origin-release-4.22-presubmits.yaml b/ci-operator/jobs/openshift/origin/openshift-origin-release-4.22-presubmits.yaml index 5a23d08f1dd46..feb2476781fd8 100644 --- a/ci-operator/jobs/openshift/origin/openshift-origin-release-4.22-presubmits.yaml +++ b/ci-operator/jobs/openshift/origin/openshift-origin-release-4.22-presubmits.yaml @@ -5,7 +5,7 @@ presubmits: branches: - ^release-4\.22$ - ^release-4\.22- - cluster: build09 + cluster: build10 context: ci/prow/e2e-agnostic-ovn-cmd decorate: true decoration_config: 
@@ -2676,6 +2676,87 @@ presubmits: - ^release-4\.22$ - ^release-4\.22- cluster: build09 + context: ci/prow/e2e-aws-tls-observed-config + decorate: true + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: openshift-org-aws + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-origin-release-4.22-e2e-aws-tls-observed-config + optional: true + rerun_command: /test e2e-aws-tls-observed-config + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-tls-observed-config + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: 
registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-aws-tls-observed-config,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^release-4\.22$ + - ^release-4\.22- + cluster: build10 context: ci/prow/e2e-azure decorate: true decoration_config: @@ -2761,7 +2842,7 @@ presubmits: branches: - ^release-4\.22$ - ^release-4\.22- - cluster: build09 + cluster: build10 context: ci/prow/e2e-azure-ovn-etcd-scaling decorate: true decoration_config: @@ -2847,7 +2928,7 @@ presubmits: branches: - ^release-4\.22$ - ^release-4\.22- - cluster: build09 + cluster: build10 context: ci/prow/e2e-azure-ovn-upgrade decorate: true decoration_config: @@ -4572,7 +4653,7 @@ presubmits: branches: - ^release-4\.22$ - ^release-4\.22- - cluster: build09 + cluster: build10 context: ci/prow/e2e-hypershift-conformance decorate: true decoration_config: @@ -5879,7 +5960,7 @@ presubmits: branches: - ^release-4\.22$ - ^release-4\.22- - cluster: build09 + cluster: build10 context: ci/prow/e2e-metal-ovn-single-node-live-iso decorate: true decoration_config: @@ -5965,7 +6046,7 @@ presubmits: branches: - ^release-4\.22$ - ^release-4\.22- - cluster: build09 + cluster: build10 context: ci/prow/e2e-metal-ovn-single-node-with-worker-live-iso decorate: true decoration_config: @@ -6318,7 +6399,7 @@ presubmits: branches: - ^release-4\.22$ - ^release-4\.22- - cluster: build09 + cluster: build10 context: ci/prow/e2e-openstack-dualstack-v6primary decorate: true decoration_config: @@ -6832,7 +6913,7 @@ presubmits: branches: - ^release-4\.22$ - ^release-4\.22- - cluster: build09 + cluster: build10 context: ci/prow/go-verify-deps decorate: true decoration_config: @@ -6915,7 +6996,7 @@ presubmits: branches: - ^release-4\.22$ - ^release-4\.22- - cluster: build09 + cluster: build10 context: ci/prow/images decorate: true decoration_config: 
@@ -6974,7 +7055,7 @@ presubmits: branches: - ^release-4\.22$ - ^release-4\.22- - cluster: build09 + cluster: build10 context: ci/prow/lint decorate: true decoration_config: @@ -7041,7 +7122,7 @@ presubmits: branches: - ^release-4\.22$ - ^release-4\.22- - cluster: build09 + cluster: build10 context: ci/prow/unit decorate: true decoration_config: @@ -7108,7 +7189,7 @@ presubmits: branches: - ^release-4\.22$ - ^release-4\.22- - cluster: build09 + cluster: build10 context: ci/prow/verify decorate: true decoration_config: @@ -7175,7 +7256,7 @@ presubmits: branches: - ^release-4\.22$ - ^release-4\.22- - cluster: build09 + cluster: build10 context: ci/prow/verify-deps decorate: true decoration_config: @@ -7242,7 +7323,7 @@ presubmits: branches: - ^release-4\.22$ - ^release-4\.22- - cluster: build09 + cluster: build10 context: ci/prow/verify-image-manifest-lists decorate: true decoration_config: From 85b1bb173326fdab6b95567056560de961f6eae7 Mon Sep 17 00:00:00 2001 From: gangwgr Date: Wed, 13 May 2026 19:31:41 +0530 Subject: [PATCH 2/2] vaul ci --- .../openshift-tls-scanner-main.yaml | 30 ------------------- .../openshift-tls-scanner-release-4.22.yaml | 10 ------- .../openshift-origin-main-presubmits.yaml | 5 ++++ ...nshift-origin-release-4.22-presubmits.yaml | 5 ++++ ...tcd-encryption-vault-configure-commands.sh | 17 ++++++----- .../etcd-encryption-vault-configure-ref.yaml | 5 ++++ .../etcd-encryption-vault-install-commands.sh | 12 ++++---- .../etcd-encryption-vault-install-ref.yaml | 5 ++++ 8 files changed, 36 insertions(+), 53 deletions(-) diff --git a/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml b/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml index 19d1c9485d362..03663d7b9eca0 100644 --- a/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml +++ b/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml 
@@ -70,16 +70,6 @@ tests: workflow: generic-claim - as: periodic-default-tls interval: 72h - reporter_config: - channel: '#forum-case' - job_states_to_report: - - success - - failure - - error - report_template: '{{if eq .Status.State "success"}} :white_check_mark: Job *{{.Spec.Job}}* - ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> {{else}} :warning: - Job *{{.Spec.Job}}* ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> - {{end}}' steps: cluster_profile: openshift-org-aws env: @@ -89,16 +79,6 @@ tests: workflow: ipi-aws - as: periodic-pqc-readiness interval: 72h - reporter_config: - channel: '#forum-case' - job_states_to_report: - - success - - failure - - error - report_template: '{{if eq .Status.State "success"}} :white_check_mark: Job *{{.Spec.Job}}* - ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> {{else}} :warning: - Job *{{.Spec.Job}}* ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> - {{end}}' steps: cluster_profile: openshift-org-aws env: @@ -109,16 +89,6 @@ tests: workflow: openshift-e2e-aws-ovn-tls-13 - as: periodic-tls13-adherence interval: 72h - reporter_config: - channel: '#forum-case' - job_states_to_report: - - success - - failure - - error - report_template: '{{if eq .Status.State "success"}} :white_check_mark: Job *{{.Spec.Job}}* - ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> {{else}} :warning: - Job *{{.Spec.Job}}* ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> - {{end}}' steps: cluster_profile: openshift-org-aws env: diff --git a/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-release-4.22.yaml b/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-release-4.22.yaml index 2dc7d8529ebea..df28acf08d6c6 100644 --- a/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-release-4.22.yaml +++ b/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-release-4.22.yaml 
@@ -71,16 +71,6 @@ tests: workflow: openshift-e2e-aws-ovn-tls-13 - as: periodic-default-tls interval: 72h - reporter_config: - channel: '#forum-case' - job_states_to_report: - - success - - failure - - error - report_template: '{{if eq .Status.State "success"}} :white_check_mark: Job *{{.Spec.Job}}* - ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> {{else}} :warning: - Job *{{.Spec.Job}}* ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> - {{end}}' steps: cluster_profile: openshift-org-aws env: diff --git a/ci-operator/jobs/openshift/origin/openshift-origin-main-presubmits.yaml b/ci-operator/jobs/openshift/origin/openshift-origin-main-presubmits.yaml index 7a175d627dea1..67bca1468489c 100644 --- a/ci-operator/jobs/openshift/origin/openshift-origin-main-presubmits.yaml +++ b/ci-operator/jobs/openshift/origin/openshift-origin-main-presubmits.yaml @@ -2678,6 +2678,11 @@ presubmits: cluster: build09 context: ci/prow/e2e-aws-tls-observed-config decorate: true + decoration_config: + sparse_checkout_files: + - .ci-operator.yaml + - images/hello-openshift/Dockerfile.rhel + - images/tests/Dockerfile.rhel labels: ci-operator.openshift.io/cloud: aws ci-operator.openshift.io/cloud-cluster-profile: openshift-org-aws diff --git a/ci-operator/jobs/openshift/origin/openshift-origin-release-4.22-presubmits.yaml b/ci-operator/jobs/openshift/origin/openshift-origin-release-4.22-presubmits.yaml index feb2476781fd8..ff1b062369793 100644 --- a/ci-operator/jobs/openshift/origin/openshift-origin-release-4.22-presubmits.yaml +++ b/ci-operator/jobs/openshift/origin/openshift-origin-release-4.22-presubmits.yaml @@ -2678,6 +2678,11 @@ presubmits: cluster: build09 context: ci/prow/e2e-aws-tls-observed-config decorate: true + decoration_config: + sparse_checkout_files: + - .ci-operator.yaml + - images/hello-openshift/Dockerfile.rhel + - images/tests/Dockerfile.rhel labels: ci-operator.openshift.io/cloud: aws ci-operator.openshift.io/cloud-cluster-profile: openshift-org-aws 
diff --git a/ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh b/ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh index 805f04e0e3d14..dedf8431e04d8 100644 --- a/ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh +++ b/ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh @@ -7,6 +7,7 @@ echo "=========================================" echo "Vault Configuration for KMS" echo "=========================================" echo "Namespace: ${VAULT_NAMESPACE}" +echo "Release Name: ${VAULT_RELEASE_NAME}" echo "" export KUBECONFIG="${SHARED_DIR}/kubeconfig" @@ -19,22 +20,22 @@ echo "" # Enable transit secret engine echo "Enabling transit secret engine..." -oc exec vault-0 -n "${VAULT_NAMESPACE}" -- \ +oc exec ${VAULT_RELEASE_NAME}-0 -n "${VAULT_NAMESPACE}" -- \ env VAULT_TOKEN="${ROOT_TOKEN}" vault secrets enable -path=transit transit # Create encryption key echo "Creating transit encryption key..." -oc exec vault-0 -n "${VAULT_NAMESPACE}" -- \ +oc exec ${VAULT_RELEASE_NAME}-0 -n "${VAULT_NAMESPACE}" -- \ env VAULT_TOKEN="${ROOT_TOKEN}" vault write -f transit/keys/${VAULT_KMS_KEY_NAME} # Enable AppRole auth echo "Enabling AppRole authentication..." -oc exec vault-0 -n "${VAULT_NAMESPACE}" -- \ +oc exec ${VAULT_RELEASE_NAME}-0 -n "${VAULT_NAMESPACE}" -- \ env VAULT_TOKEN="${ROOT_TOKEN}" vault auth enable approle # Create KMS policy echo "Creating KMS policy..." -oc exec vault-0 -n "${VAULT_NAMESPACE}" -- \ +oc exec ${VAULT_RELEASE_NAME}-0 -n "${VAULT_NAMESPACE}" -- \ sh -c "VAULT_TOKEN=${ROOT_TOKEN} vault policy write kms-policy - <