stolostron
diff --git a/‎azure/scope/arocontrolplane.go‎
Lines changed: 12 additions & 4 deletions b/‎azure/scope/arocontrolplane.go‎
Lines changed: 12 additions & 4 deletions
diff --git a/‎azure/scope/aromachinepool.go‎
Lines changed: 11 additions & 26 deletions b/‎azure/scope/aromachinepool.go‎
Lines changed: 11 additions & 26 deletions
diff --git a/‎azure/services/keyvaults/keyvault.go‎
Lines changed: 6 additions & 4 deletions b/‎azure/services/keyvaults/keyvault.go‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎config/crd/bases/controlplane.cluster.x-k8s.io_arocontrolplanes.yaml‎
Lines changed: 6 additions & 1 deletion b/‎config/crd/bases/controlplane.cluster.x-k8s.io_arocontrolplanes.yaml‎
Lines changed: 6 additions & 1 deletion
@@ -81,10 +81,18 @@ func NewAROControlPlaneScope(ctx context.Context, params AROControlPlaneScopePar
 		return nil, errors.New("failed to generate new scope from nil AROControlPlane")
 	}
 
-	// Initialize Azure SDK credentials in the following cases:
-	// 1. Field-based mode (len(Resources) == 0): Always initialize credentials
-	// 2. Resources mode with IdentityRef set: Initialize CAPZ credentials for hybrid scenarios
-	// 3. Resources mode without IdentityRef: Skip credential initialization, ASO handles authentication
+	// Initialize Azure SDK credentials only when IdentityRef is set.
+	// With identityRef: Initialize CAPZ credentials for Key Vault operations
+	// Without identityRef: Skip credential initialization, ASO handles authentication
+	//
+	// When identityRef is not set, CAPZ cannot perform Key Vault operations:
+	// - Cannot check for encryption key existence
+	// - Cannot create encryption keys
+	// - Cannot auto-propagate key versions to HcpOpenShiftCluster
+	// Customers must manually create the vault and key via ASO and specify the key version in HcpOpenShiftCluster.
+	//
+	// Note: The check for empty Resources is defensive - the webhook now requires Resources mode,
+	// so Resources cannot be empty in practice.
 	shouldInitCredentials := len(params.ControlPlane.Spec.Resources) == 0 || params.ControlPlane.Spec.IdentityRef != nil
 
 	if shouldInitCredentials {
 
@@ -41,36 +41,28 @@ import (
 
 // AROMachinePoolScopeParams defines the input parameters used to create a new Scope.
 type AROMachinePoolScopeParams struct {
-	AzureClients
-	Client               client.Client
-	Cluster              *clusterv1.Cluster
-	MachinePool          *clusterv1.MachinePool
-	ControlPlane         *cplane.AROControlPlane
-	AROMachinePool       *v1beta2.AROMachinePool
-	Cache                *AROMachinePoolCache
-	Timeouts             azure.AsyncReconciler
-	CredentialCache      azure.CredentialCache
-	AROControlPlaneScope *AROControlPlaneScope
+	Client         client.Client
+	Cluster        *clusterv1.Cluster
+	MachinePool    *clusterv1.MachinePool
+	ControlPlane   *cplane.AROControlPlane
+	AROMachinePool *v1beta2.AROMachinePool
+	Cache          *AROMachinePoolCache
+	Timeouts       azure.AsyncReconciler
 }
 
 // NewAROMachinePoolScope creates a new Scope from the supplied parameters.
 // This is meant to be called for each reconcile iteration.
 func NewAROMachinePoolScope(ctx context.Context, params AROMachinePoolScopeParams) (*AROMachinePoolScope, error) {
-	ctx, _, done := tele.StartSpanWithLogger(ctx, "azure.aroMachinePoolScope.NewAROMachinePoolScope")
+	_, _, done := tele.StartSpanWithLogger(ctx, "azure.aroMachinePoolScope.NewAROMachinePoolScope")
 	defer done()
 
 	if params.AROMachinePool == nil {
 		return nil, errors.New("failed to generate new scope from nil AROMachinePool")
 	}
 
-	credentialsProvider, err := NewAzureCredentialsProvider(ctx, params.CredentialCache, params.Client, params.ControlPlane.Spec.IdentityRef, params.AROMachinePool.Namespace)
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to init credentials provider")
-	}
-	err = params.AzureClients.setCredentialsWithProvider(ctx, params.ControlPlane.Spec.SubscriptionID, params.ControlPlane.Spec.AzureEnvironment, credentialsProvider)
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to configure azure settings and credentials for Identity")
-	}
+	// AROMachinePool no longer requires Azure credentials
+	// ProviderIDList is populated from workload cluster nodes instead of Azure VM API
+	// ASO handles all Azure operations via its own authentication (serviceoperator.azure.com/credential-from annotations)
 
 	if params.Cache == nil {
 		params.Cache = &AROMachinePoolCache{}
@@ -89,7 +81,6 @@ func NewAROMachinePoolScope(ctx context.Context, params AROMachinePoolScopeParam
 		Client:                     params.Client,
 		patchHelper:                helper,
 		cache:                      params.Cache,
-		AzureClients:               params.AzureClients,
 		Cluster:                    params.Cluster,
 		MachinePool:                params.MachinePool,
 		ControlPlane:               params.ControlPlane,
@@ -106,7 +97,6 @@ type AROMachinePoolScope struct {
 	capiMachinePoolPatchHelper *patch.Helper
 	cache                      *AROMachinePoolCache
 
-	AzureClients
 	Cluster          *clusterv1.Cluster
 	ControlPlane     *cplane.AROControlPlane
 	MachinePool      *clusterv1.MachinePool
@@ -218,11 +208,6 @@ func (s *AROMachinePoolScope) UpdatePatchStatus(condition clusterv1.ConditionTyp
 type AROMachinePoolCache struct {
 }
 
-// BaseURI returns the Azure ResourceManagerEndpoint.
-func (s *AROMachinePoolScope) BaseURI() string {
-	return s.ResourceManagerEndpoint
-}
-
 // GetClient returns the controller-runtime client.
 func (s *AROMachinePoolScope) GetClient() client.Client {
 	return s.Client
 
@@ -85,10 +85,11 @@ func (s *Service) Reconcile(ctx context.Context) error {
 	// Get all KeyVault specs
 	keyVaultSpecs := s.Scope.KeyVaultSpecs()
 
-	// In resources mode (e.g., ARO HCP), KeyVault vault resources are managed by ASO,
+	// For ARO HCP (resources mode), KeyVault vault resources are managed by ASO,
 	// so KeyVaultSpecs may be empty. However, we still need to ensure encryption keys exist.
+	// For legacy non-ARO clusters, KeyVaultSpecs contains vault definitions to reconcile.
 	if len(keyVaultSpecs) > 0 {
-		// Process each KeyVault spec (field-based mode)
+		// Process each KeyVault spec (legacy path - not used by ARO HCP)
 		for _, keyVaultSpec := range keyVaultSpecs {
 			log.V(2).Info("reconciling KeyVault", "keyvault", keyVaultSpec.ResourceName())
 
@@ -100,8 +101,9 @@ func (s *Service) Reconcile(ctx context.Context) error {
 		}
 	}
 
-	// Ensure the ETCD encryption key exists (works in both field-based and resources modes)
-	// In resources mode, the vault is managed by ASO but keys must be managed via Azure SDK
+	// Ensure the ETCD encryption key exists
+	// For ARO HCP (resources mode): vault is managed by ASO, keys managed via Azure SDK
+	// For legacy clusters: both vault and keys managed via Azure SDK
 	if err := s.EnsureETCDEncryptionKey(ctx, s.Scope); err != nil {
 		return errors.Wrap(err, "failed to ensure ETCD encryption key exists")
 	}
 
@@ -79,7 +79,12 @@ spec:
               identityRef:
                 description: |-
                   IdentityRef is a reference to an identity to be used when reconciling the aro control plane.
-                  If no identity is specified, the default identity for this controller will be used.
+                  This field is optional. When set, CAPZ will initialize Azure SDK credentials and perform
+                  Key Vault operations (check existence, create encryption keys, propagate key versions).
+
+                  When NOT set (ASO credential-based mode), ASO handles authentication via
+                  serviceoperator.azure.com/credential-from annotations, and customers must manually
+                  create the vault and encryption key via ASO and specify the keyVersion in HcpOpenShiftCluster spec.
                 properties:
                   apiVersion:
                     description: API version of the referent.