fix: address CodeRabbit review feedback on Azure KMS PR

- Remove overly restrictive top-level CEL rule that required
  selfManagedKMS for all WorkloadIdentities + Azure KMS combos.
  The AzureKMSSpec-level rules already enforce mutual exclusivity
  and "at least one of kms or selfManagedKMS must be set".
- Fix +required with omitempty contradiction on SelfManagedAzureKMS.ClientID
- Fix t.Fatal -> t.Fatalf with format verb in e2e test
- Fix t.Fatal in closure -> gomega assertion in azure_test.go
- Add HashStruct error handling in secretencryption_test.go
- Add v1 Azure encryption config test case for parity with AWS
- Add missing --location flag in docs examples
- Rename envtest suite from featuregated to stable (KMS is not gated)
- Add all required AzureWorkloadIdentities fields in envtest YAML

Signed-off-by: Bryan Cox <brcox@redhat.com>
Commit-Message-Assisted-by: Claude (via Claude Code)

Author: bryan-cox

api/hypershift/v1beta1/azure.go

@@ -853,7 +853,7 @@ type SelfManagedAzureKMS struct {
 	// Key Vault containing the encryption key.
 	//
 	// +required
-	ClientID AzureClientID `json:"clientID,omitempty"`
+	ClientID AzureClientID `json:"clientID"`
 }
 
 type AzureKMSKey struct {

api/hypershift/v1beta1/hostedcluster_types.go

@@ -527,7 +527,6 @@ type Capabilities struct {
 // +kubebuilder:validation:XValidation:rule=`!self.services.exists(s, s.service == 'APIServer' && has(s.servicePublishingStrategy.loadBalancer) && s.servicePublishingStrategy.loadBalancer.hostname != "" && has(self.configuration) && has(self.configuration.apiServer) && self.configuration.apiServer.servingCerts.namedCertificates.exists(cert, cert.names.exists(n, n == s.servicePublishingStrategy.loadBalancer.hostname)))`, message="APIServer loadBalancer hostname cannot be in ClusterConfiguration.apiserver.servingCerts.namedCertificates[]"
 // +kubebuilder:validation:XValidation:rule="!has(self.operatorConfiguration) || !has(self.operatorConfiguration.clusterNetworkOperator) || !has(self.operatorConfiguration.clusterNetworkOperator.disableMultiNetwork) || !self.operatorConfiguration.clusterNetworkOperator.disableMultiNetwork || self.networking.networkType == 'Other'",message="disableMultiNetwork can only be set to true when networkType is 'Other'"
 // +kubebuilder:validation:XValidation:rule="self.networking.networkType == 'OVNKubernetes' || !has(self.operatorConfiguration) || !has(self.operatorConfiguration.clusterNetworkOperator) || !has(self.operatorConfiguration.clusterNetworkOperator.ovnKubernetesConfig)", message="ovnKubernetesConfig is forbidden when networkType is not OVNKubernetes"
-// +kubebuilder:validation:XValidation:rule="!has(self.secretEncryption) || !has(self.secretEncryption.kms) || self.secretEncryption.kms.provider != 'Azure' || self.platform.type != 'Azure' || !has(self.platform.azure) || self.platform.azure.azureAuthenticationConfig.azureAuthenticationConfigType != 'WorkloadIdentities' || has(self.platform.azure.azureAuthenticationConfig.workloadIdentities.kms)",message="workloadIdentities.kms is required when Azure KMS encryption is configured with WorkloadIdentities authentication"
 type HostedClusterSpec struct {
 	// release specifies the desired OCP release payload for all the hosted cluster components.
 	// This includes those components running management side like the Kube API Server and the CVO but also the operands which land in the hosted cluster data plane like the ingress controller, ovn agents, etc.

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml

@@ -6530,12 +6530,6 @@ spec:
             - message: ovnKubernetesConfig is forbidden when networkType is not OVNKubernetes
               rule: self.networking.networkType == 'OVNKubernetes' || !has(self.operatorConfiguration)
                 || !has(self.operatorConfiguration.clusterNetworkOperator) || !has(self.operatorConfiguration.clusterNetworkOperator.ovnKubernetesConfig)
-            - message: workloadIdentities.kms is required when Azure KMS encryption
-                is configured with WorkloadIdentities authentication
-              rule: '!has(self.secretEncryption) || !has(self.secretEncryption.kms)
-                || self.secretEncryption.kms.provider != ''Azure'' || self.platform.type
-                != ''Azure'' || !has(self.platform.azure) || self.platform.azure.azureAuthenticationConfig.azureAuthenticationConfigType
-                != ''WorkloadIdentities'' || has(self.platform.azure.azureAuthenticationConfig.workloadIdentities.kms)'
           status:
             description: status is the latest observed status of the HostedCluster.
             properties:

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml

@@ -6513,12 +6513,6 @@ spec:
             - message: ovnKubernetesConfig is forbidden when networkType is not OVNKubernetes
               rule: self.networking.networkType == 'OVNKubernetes' || !has(self.operatorConfiguration)
                 || !has(self.operatorConfiguration.clusterNetworkOperator) || !has(self.operatorConfiguration.clusterNetworkOperator.ovnKubernetesConfig)
-            - message: workloadIdentities.kms is required when Azure KMS encryption
-                is configured with WorkloadIdentities authentication
-              rule: '!has(self.secretEncryption) || !has(self.secretEncryption.kms)
-                || self.secretEncryption.kms.provider != ''Azure'' || self.platform.type
-                != ''Azure'' || !has(self.platform.azure) || self.platform.azure.azureAuthenticationConfig.azureAuthenticationConfigType
-                != ''WorkloadIdentities'' || has(self.platform.azure.azureAuthenticationConfig.workloadIdentities.kms)'
           status:
             description: status is the latest observed status of the HostedCluster.
             properties:

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml

@@ -6533,12 +6533,6 @@ spec:
             - message: ovnKubernetesConfig is forbidden when networkType is not OVNKubernetes
               rule: self.networking.networkType == 'OVNKubernetes' || !has(self.operatorConfiguration)
                 || !has(self.operatorConfiguration.clusterNetworkOperator) || !has(self.operatorConfiguration.clusterNetworkOperator.ovnKubernetesConfig)
-            - message: workloadIdentities.kms is required when Azure KMS encryption
-                is configured with WorkloadIdentities authentication
-              rule: '!has(self.secretEncryption) || !has(self.secretEncryption.kms)
-                || self.secretEncryption.kms.provider != ''Azure'' || self.platform.type
-                != ''Azure'' || !has(self.platform.azure) || self.platform.azure.azureAuthenticationConfig.azureAuthenticationConfigType
-                != ''WorkloadIdentities'' || has(self.platform.azure.azureAuthenticationConfig.workloadIdentities.kms)'
           status:
             description: status is the latest observed status of the HostedCluster.
             properties:

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml

@@ -6845,12 +6845,6 @@ spec:
             - message: ovnKubernetesConfig is forbidden when networkType is not OVNKubernetes
               rule: self.networking.networkType == 'OVNKubernetes' || !has(self.operatorConfiguration)
                 || !has(self.operatorConfiguration.clusterNetworkOperator) || !has(self.operatorConfiguration.clusterNetworkOperator.ovnKubernetesConfig)
-            - message: workloadIdentities.kms is required when Azure KMS encryption
-                is configured with WorkloadIdentities authentication
-              rule: '!has(self.secretEncryption) || !has(self.secretEncryption.kms)
-                || self.secretEncryption.kms.provider != ''Azure'' || self.platform.type
-                != ''Azure'' || !has(self.platform.azure) || self.platform.azure.azureAuthenticationConfig.azureAuthenticationConfigType
-                != ''WorkloadIdentities'' || has(self.platform.azure.azureAuthenticationConfig.workloadIdentities.kms)'
           status:
             description: status is the latest observed status of the HostedCluster.
             properties:

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml

@@ -6985,12 +6985,6 @@ spec:
             - message: ovnKubernetesConfig is forbidden when networkType is not OVNKubernetes
               rule: self.networking.networkType == 'OVNKubernetes' || !has(self.operatorConfiguration)
                 || !has(self.operatorConfiguration.clusterNetworkOperator) || !has(self.operatorConfiguration.clusterNetworkOperator.ovnKubernetesConfig)
-            - message: workloadIdentities.kms is required when Azure KMS encryption
-                is configured with WorkloadIdentities authentication
-              rule: '!has(self.secretEncryption) || !has(self.secretEncryption.kms)
-                || self.secretEncryption.kms.provider != ''Azure'' || self.platform.type
-                != ''Azure'' || !has(self.platform.azure) || self.platform.azure.azureAuthenticationConfig.azureAuthenticationConfigType
-                != ''WorkloadIdentities'' || has(self.platform.azure.azureAuthenticationConfig.workloadIdentities.kms)'
           status:
             description: status is the latest observed status of the HostedCluster.
             properties:

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml

@@ -6976,12 +6976,6 @@ spec:
             - message: ovnKubernetesConfig is forbidden when networkType is not OVNKubernetes
               rule: self.networking.networkType == 'OVNKubernetes' || !has(self.operatorConfiguration)
                 || !has(self.operatorConfiguration.clusterNetworkOperator) || !has(self.operatorConfiguration.clusterNetworkOperator.ovnKubernetesConfig)
-            - message: workloadIdentities.kms is required when Azure KMS encryption
-                is configured with WorkloadIdentities authentication
-              rule: '!has(self.secretEncryption) || !has(self.secretEncryption.kms)
-                || self.secretEncryption.kms.provider != ''Azure'' || self.platform.type
-                != ''Azure'' || !has(self.platform.azure) || self.platform.azure.azureAuthenticationConfig.azureAuthenticationConfigType
-                != ''WorkloadIdentities'' || has(self.platform.azure.azureAuthenticationConfig.workloadIdentities.kms)'
           status:
             description: status is the latest observed status of the HostedCluster.
             properties:

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml

@@ -6959,12 +6959,6 @@ spec:
             - message: ovnKubernetesConfig is forbidden when networkType is not OVNKubernetes
               rule: self.networking.networkType == 'OVNKubernetes' || !has(self.operatorConfiguration)
                 || !has(self.operatorConfiguration.clusterNetworkOperator) || !has(self.operatorConfiguration.clusterNetworkOperator.ovnKubernetesConfig)
-            - message: workloadIdentities.kms is required when Azure KMS encryption
-                is configured with WorkloadIdentities authentication
-              rule: '!has(self.secretEncryption) || !has(self.secretEncryption.kms)
-                || self.secretEncryption.kms.provider != ''Azure'' || self.platform.type
-                != ''Azure'' || !has(self.platform.azure) || self.platform.azure.azureAuthenticationConfig.azureAuthenticationConfigType
-                != ''WorkloadIdentities'' || has(self.platform.azure.azureAuthenticationConfig.workloadIdentities.kms)'
           status:
             description: status is the latest observed status of the HostedCluster.
             properties:

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml

@@ -6578,12 +6578,6 @@ spec:
             - message: ovnKubernetesConfig is forbidden when networkType is not OVNKubernetes
               rule: self.networking.networkType == 'OVNKubernetes' || !has(self.operatorConfiguration)
                 || !has(self.operatorConfiguration.clusterNetworkOperator) || !has(self.operatorConfiguration.clusterNetworkOperator.ovnKubernetesConfig)
-            - message: workloadIdentities.kms is required when Azure KMS encryption
-                is configured with WorkloadIdentities authentication
-              rule: '!has(self.secretEncryption) || !has(self.secretEncryption.kms)
-                || self.secretEncryption.kms.provider != ''Azure'' || self.platform.type
-                != ''Azure'' || !has(self.platform.azure) || self.platform.azure.azureAuthenticationConfig.azureAuthenticationConfigType
-                != ''WorkloadIdentities'' || has(self.platform.azure.azureAuthenticationConfig.workloadIdentities.kms)'
           status:
             description: status is the latest observed status of the HostedCluster.
             properties: