How do I join my dedicated, etcd-only node to my cluster?

Following the instructions on this page: Managing Server Roles | RKE2
I installed a node as a dedicated, etcd only node named cc1.
This was the first server I installed.

I later built two control plane servers, cc0 and cc2.
cc0 Ready control-plane,master 161m v1.26.10+rke2r2
cc1 NotReady 167m v1.26.10+rke2r2
cc2 Ready control-plane,etcd,master 3h18m v1.26.10+rke2r2

So I have two masters, which seems wrong. Shouldn't there be only one?

In any case, I cannot seem to join the etcd server to the cluster. I can generate a join token (on cc2) which looks like,

kubeadm join 127.0.0.1:6443 --token t3ep59.o2bZhI3s8y2228o5 --discovery-token-ca-cert-hash sha256:a9544b866b63f0dd8d0f4a5103b8fe117f1f248db28109d3925e7c62374474ff

kubectl cluster-info says,
Kubernetes control plane is running at https://192.168.10.103:6443
CoreDNS is running at https://192.168.10.103:6443/api/v1/namespaces/kube-system/services/rke2-coredns-rke2-coredns:udp-53/proxy

When I run the join command, it fails with the error:
error execution phase preflight: couldn't validate the identity of the API Server: Unauthorized

Thanks for any advice.

When I read,
"A dedicated control-plane node cannot be the first server in the cluster; there must be an existing node with the etcd role before joining dedicated control-plane nodes"
I assumed this meant I could build an etcd only server as the first server. I now believe this was an incorrect understanding.
I think I need to enable the apiserver before I can join the server to the cluster. Is this correct?

I forgot that I needed to run the rke2-agent service. For some reason I believed that the agent service was only supposed to run on worker nodes :stuck_out_tongue: