diff --git a/pkg/cluster/arooperator.go b/pkg/cluster/arooperator.go
index b5c536c5afe..00c6f3540ad 100644
--- a/pkg/cluster/arooperator.go
+++ b/pkg/cluster/arooperator.go
@@ -104,7 +104,7 @@ func (m *manager) ensureUpgradeAnnotation(ctx context.Context) error {
 }
 func (m *manager) renewMDSDCertificate(ctx context.Context) error {
- return RenewMDSDCertificate(ctx, m.log, m.env, m.ch)
+ return RenewMDSDCertificate(ctx, m.log, m.env, m.kubeClientHelper)
 }
 func (m *manager) restartAROOperatorMaster(ctx context.Context) error {
diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go
index 6d5cb2d4c0d..beea6363e29 100644
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@@ -106,7 +106,7 @@ type manager struct {
 graph graph.Manager
 rpBlob blob.Manager
- ch clienthelper.Interface
+ kubeClientHelper clienthelper.Interface
 kubernetescli kubernetes.Interface
 dynamiccli dynamic.Interface
 extensionscli extensionsclient.Interface
diff --git a/pkg/cluster/condition.go b/pkg/cluster/condition.go
index 56e47dfe73c..56647cdb6be 100644
--- a/pkg/cluster/condition.go
+++ b/pkg/cluster/condition.go
@@ -171,7 +171,7 @@ func (m *manager) aroCredentialsRequestReconciled(ctx context.Context) (bool, er
 func (m *manager) clusterOperatorsHaveSettled(ctx context.Context) (bool, error) {
 coList := &configv1.ClusterOperatorList{}
- err := m.ch.List(ctx, coList)
+ err := m.kubeClientHelper.List(ctx, coList)
 if err != nil {
 // Be resilient to failures as kube-apiserver might drop connections while it's reconciling
 m.log.Errorf("failure listing cluster operators, retrying: %s", err.Error())
diff --git a/pkg/cluster/condition_test.go b/pkg/cluster/condition_test.go
index 2a16577da6a..5ff6f2151d7 100644
--- a/pkg/cluster/condition_test.go
+++ b/pkg/cluster/condition_test.go
@@ -636,8 +636,8 @@ func TestHaveClusterOperatorsSettled(t *testing.T) {
 Build())
 m := &manager{
- log: log,
- ch: ch,
+ log: log,
+ kubeClientHelper: ch,
 }
 result, err := m.clusterOperatorsHaveSettled(ctx)
diff --git a/pkg/cluster/install.go b/pkg/cluster/install.go
index c7d171e8fee..8b8f3777146 100644
--- a/pkg/cluster/install.go
+++ b/pkg/cluster/install.go
@@ -655,18 +655,18 @@ func (m *manager) initializeKubernetesClients(ctx context.Context) error {
 return err
 }
- client, err := client.New(restConfig, client.Options{
+ kubeClient, err := client.New(restConfig, client.Options{
 Mapper: mapper,
 })
- m.ch = clienthelper.NewWithClient(m.log, client)
+ m.kubeClientHelper = clienthelper.NewWithClient(m.log, kubeClient)
 return err
 }
 // initializeKubernetesClients initializes clients which are used
 // once the cluster is up later on in the install process.
 func (m *manager) initializeOperatorDeployer(ctx context.Context) (err error) {
- m.aroOperatorDeployer, err = deploy.New(m.log, m.env, m.doc.OpenShiftCluster, m.subscriptionDoc, m.arocli, m.ch, m.extensionscli, m.kubernetescli, m.operatorcli)
+ m.aroOperatorDeployer, err = deploy.New(m.log, m.env, m.doc.OpenShiftCluster, m.subscriptionDoc, m.arocli, m.kubeClientHelper, m.extensionscli, m.kubernetescli, m.operatorcli)
 return
 }
diff --git a/pkg/cluster/tls.go b/pkg/cluster/tls.go
index 4f144f94653..9e2ee36f044 100644
--- a/pkg/cluster/tls.go
+++ b/pkg/cluster/tls.go
@@ -92,7 +92,7 @@ func (m *manager) configureAPIServerCertificate(ctx context.Context) error {
 }
 for _, namespace := range []string{"openshift-config", "openshift-azure-operator"} {
- err = EnsureTLSSecretFromKeyvault(ctx, m.env.ClusterKeyvault(), m.ch, types.NamespacedName{Name: m.APICertName(), Namespace: namespace}, m.APICertName())
+ err = EnsureTLSSecretFromKeyvault(ctx, m.env.ClusterKeyvault(), m.kubeClientHelper, types.NamespacedName{Name: m.APICertName(), Namespace: namespace}, m.APICertName())
 if err != nil {
 return err
 }
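Review bot: In `initializeKubernetesClients` (pkg/cluster/install.go) the error from `client.New` is still only returned after `m.kubeClientHelper` has been assigned, so a failed construction leaves the manager holding a helper built from whatever `client.New` returned alongside the error. Checking first, with `if err != nil { return err }` placed before the `clienthelper.NewWithClient` line, keeps the field unset on failure. The doc comment above `initializeOperatorDeployer` in the same hunk still opens with `// initializeKubernetesClients`; it should name the function it documents. The start of `initializeKubernetesClients` is outside the hunk.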
@@ -135,7 +135,7 @@ func (m *manager) configureIngressCertificate(ctx context.Context) error {
 }
 for _, namespace := range []string{"openshift-ingress", "openshift-azure-operator"} {
- err = EnsureTLSSecretFromKeyvault(ctx, m.env.ClusterKeyvault(), m.ch, types.NamespacedName{Namespace: namespace, Name: m.IngressCertName()}, m.IngressCertName())
+ err = EnsureTLSSecretFromKeyvault(ctx, m.env.ClusterKeyvault(), m.kubeClientHelper, types.NamespacedName{Namespace: namespace, Name: m.IngressCertName()}, m.IngressCertName())
 if err != nil {
 return err
 }
diff --git a/pkg/cluster/workloadidentityresources.go b/pkg/cluster/workloadidentityresources.go
index 7b9b5589dec..fea4987cd6f 100644
--- a/pkg/cluster/workloadidentityresources.go
+++ b/pkg/cluster/workloadidentityresources.go
@@ -77,7 +77,7 @@ func (m *manager) deployPlatformWorkloadIdentitySecrets(ctx context.Context) err
 resources = append(resources, secret)
 }
- return m.ch.Ensure(ctx, resources...)
+ return m.kubeClientHelper.Ensure(ctx, resources...)
 }
 func (m *manager) generatePlatformWorkloadIdentitySecretsAndNamespaces(isCreate bool) ([]*corev1.Secret, []*corev1.Namespace, error) {
diff --git a/pkg/cluster/workloadidentityresources_test.go b/pkg/cluster/workloadidentityresources_test.go
index c43f0082cc3..3ec4ddb597e 100644
--- a/pkg/cluster/workloadidentityresources_test.go
+++ b/pkg/cluster/workloadidentityresources_test.go
@@ -356,7 +356,7 @@ func TestDeployPlatformWorkloadIdentitySecrets(t *testing.T) {
 },
 },
- ch: ch,
+ kubeClientHelper: ch,
 platformWorkloadIdentityRolesByVersion: platformWorkloadIdentityRolesByVersion,
 }
diff --git a/pkg/env/prod.go b/pkg/env/prod.go
index e19e722ec16..f0853217143 100644
--- a/pkg/env/prod.go
+++ b/pkg/env/prod.go
@@ -165,19 +165,14 @@ func newProd(ctx context.Context, log *logrus.Entry, service ServiceName) (*prod
 return nil, err
 }
- localFPKVCredential, err := p.FPNewClientCertificateCredential(p.TenantID(), nil)
- if err != nil {
- return nil, err
- }
-
 clusterKeyvaultURI := azsecrets.URI(p, ClusterKeyvaultSuffix, keyVaultPrefix)
- clusterKeyvaultClient, err := azsecrets.NewClient(clusterKeyvaultURI, localFPKVCredential, p.Environment().AzureClientOptions())
+ clusterKeyvaultClient, err := azsecrets.NewClient(clusterKeyvaultURI, msiCredential, p.Environment().AzureClientOptions())
 if err != nil {
 return nil, fmt.Errorf("cannot create key vault secrets client: %w", err)
 }
 p.clusterKeyvault = clusterKeyvaultClient
- clusterCertificatesClient, err := azcertificates.NewClient(clusterKeyvaultURI, localFPKVCredential, p.Environment().AzureClientOptions())
+ clusterCertificatesClient, err := azcertificates.NewClient(clusterKeyvaultURI, msiCredential, p.Environment().AzureClientOptions())
 if err != nil {
 return nil, fmt.Errorf("cannot create key vault certificates client: %w", err)
 }
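Review bot: Both cluster key vault clients in `newProd` now authenticate with `msiCredential` instead of the first-party certificate credential, and nothing in the hunk records which identity that is or that it has been granted access to the vault named by `clusterKeyvaultURI`. Neither constructor call visibly exercises the credential, so a missing grant would presumably surface only when a secret or certificate is first read; it is worth confirming that the vault's access configuration is rolled out before this code and that the first-party principal's access is removed afterwards, so only one identity can read the cluster TLS material. A comment above the first call would help, e.g. `// The cluster key vault is accessed with msiCredential; the vault must grant that identity the secret and certificate permissions used here.` `msiCredential` is defined, and `newProd` begins and ends, outside the hunk.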