diff --git a/docs/cluster-creation.md b/docs/cluster-creation.md
new file mode 100644
index 00000000000..b63a3c26709
--- /dev/null
+++ b/docs/cluster-creation.md
@@ -0,0 +1,264 @@
+# Cluster Creation Flow
+
+> See also: [cluster-creation.mm](cluster-creation.mm) (FreeMind/Freeplane mindmap with full detail)
+
+## Overview
+
+```mermaid
+flowchart TD
+    A[Pre-steps] --> B[az aro create - CLI]
+    B --> CRED{Credential model?}
+    CRED -->|"Service Principal (legacy)"| SP["Create AAD app + SP<br/>Role assignments for SP"]
+    CRED -->|"Managed Identity (new)"| MSI["Set user-assigned MSI<br/>Set platform workload identities"]
+    SP --> C[ARM routing]
+    MSI --> C
+    C --> D[RP Frontend - PUT handler]
+    D --> E[RP Backend - dequeue]
+    E --> INSTALL{Install path?}
+    INSTALL -->|Hive| HIVE[Hive ClusterDeployment]
+    INSTALL -->|Podman| PODMAN[Podman container install]
+    HIVE --> F[Phase 1: Bootstrap]
+    PODMAN --> F
+    F --> G[Phase 2: RemoveBootstrap]
+    G --> H[ProvisioningState: Succeeded / Failed]
+
+    style A fill:#e1f5fe
+    style B fill:#e1f5fe
+    style SP fill:#fff3e0
+    style MSI fill:#e1f5fe
+    style D fill:#fff3e0
+    style E fill:#fff3e0
+    style HIVE fill:#e8f5e9
+    style PODMAN fill:#e8f5e9
+    style F fill:#e8f5e9
+    style G fill:#e8f5e9
+```
+
+## Pre-steps
+
+```mermaid
+flowchart LR
+    P[Pre-steps] --> P1[Get Red Hat pull secret - optional]
+    P --> P2[Register ARO RP - az provider register]
+    P --> P3[Create vnets]
+    P --> P4[Create resource group]
+    P --> P5["(MSI) Create user-assigned managed identity"]
+    P --> P6["(MSI) Create platform workload identities for operators"]
+```
+
+## CLI: az aro create
+
+```mermaid
+flowchart TD
+    CLI["az aro create<br/>(python/az/aro/azext_aro/custom.py)"] --> V1[Static parameter validation]
+    V1 --> V2[Validate RP registered to subscription]
+    V2 --> V3[Validate subnets]
+    V3 --> V4[Dynamic validation]
+    V4 --> ID{Identity model?}
+
+    ID -->|Service Principal| SP1[Create AAD application if needed]
+    SP1 --> SP2[Create/retrieve service principal]
+    SP2 --> BUILD
+
+    ID -->|Managed Identity| MSI1[Set UserAssigned identity]
+    MSI1 --> MSI2[Set PlatformWorkloadIdentityProfile]
+    MSI2 --> BUILD
+
+    BUILD[Build OpenShiftCluster object] --> RBAC[ensure_resource_permissions - role assignments]
+    RBAC --> PUT[PUT to RP and wait for 201]
+    PUT --> POLL[Poll async operation record]
+    POLL --> OUT[Output cluster state]
+
+    V4 --> V4a[VNet permissions]
+    V4 --> V4b[Resource provider permissions]
+    V4 --> V4c[Quota validation]
+    V4 --> V4d[Disk encryption set]
+    V4 --> V4e[Domain validation]
+    V4 --> V4f[CIDR range validation]
+    V4 --> V4g[Version validation]
+    V4 --> V4h[Outbound type - LB vs UDR]
+    V4 --> V4i["(MSI) Identity validation"]
+```
+
+## RP Frontend: PUT handler
+
+```mermaid
+flowchart TD
+    FE["PUT handled by RP frontend<br/>(pkg/frontend)"] --> MW[Middleware chain]
+    MW --> MW1[Lowercase]
+    MW --> MW2[Log]
+    MW --> MW3[Metrics]
+    MW --> MW4[Panic]
+    MW --> MW5[Headers]
+    MW --> MW6[Validate - URL params]
+    MW --> MW7[Body]
+    MW --> MW8[SystemData - ARM metadata]
+    MW --> MW9["Authenticated<br/>(MISE or mutual TLS)"]
+
+    MW --> ROUTE["putOrPatchOpenShiftCluster<br/>(pkg/frontend/openshiftcluster_putorpatch.go)"]
+
+    ROUTE --> R1[Validate subscription state]
+    R1 --> R2[Unmarshal request body]
+    R2 --> R3[ValidateNewCluster]
+    R3 --> R3a["staticValidator.Static()"]
+    R3 --> R3b["skuValidator.ValidateVMSku()"]
+    R3 --> R3c["quotaValidator.ValidateQuota()"]
+    R3 --> R3d["providersValidator.ValidateProviders()"]
+    R3 --> R4["(MSI) validatePlatformWorkloadIdentities"]
+    R4 --> R5[Validate install version supported]
+    R5 --> R6["Set ProvisioningState = Creating"]
+    R6 --> R7[Allocate monitoring bucket]
+    R7 --> R8["(MSI) Store identity URL and tenant ID"]
+    R8 --> R9[Set defaults and operator flags]
+    R9 --> R10[Create async operation record]
+    R10 --> R11[Create cluster record in CosmosDB]
+    R11 --> R12[Return cluster record - excluding secrets]
+```
+
+## RP Backend
+
+```mermaid
+flowchart TD
+    BE["RP Backend<br/>(pkg/backend)"] --> D1[Backends race to dequeue - one wins lease]
+    D1 --> D2[Heartbeat process starts - maintains lease]
+    D2 --> D3[Load subscription document]
+    D3 --> D4["Determine Hive mode<br/>(installViaHive, adoptViaHive, or neither)"]
+    D4 --> D5[Create cluster manager]
+    D5 --> D6["m.Install(ctx) - multi-phase install"]
+```
+
+## Phase 1: Bootstrap
+
+```mermaid
+flowchart TD
+    P1["Phase 1: Bootstrap<br/>(pkg/cluster/install.go)"] --> IDCHECK{Identity model?}
+
+    IDCHECK -->|MSI| M1[ensureClusterMsiCertificate]
+    M1 --> M2[initializeClusterMsiClients]
+    M2 --> M3[platformWorkloadIdentityIDs]
+    M3 --> VALIDATE
+
+    IDCHECK -->|SP| VALIDATE
+
+    VALIDATE[Dynamic validation] --> V1[validateResources]
+    V1 --> V2[validateZones]
+    V2 --> IDCHECK2{Identity model?}
+
+    IDCHECK2 -->|MSI| M4[clusterIdentityIDs]
+    M4 --> M5[persistPlatformWorkloadIdentityIDs]
+    M5 --> INFRA
+
+    IDCHECK2 -->|SP| S1[initializeClusterSPClients]
+    S1 --> S2[clusterSPObjectID]
+    S2 --> INFRA
+
+    INFRA[Azure infrastructure setup] --> F1[ensurePreconfiguredNSG - if BYO NSG]
+    F1 --> F2[ensureACRToken]
+    F2 --> F3[ensureInfraID / ensureSSHKey / ensureStorageSuffix]
+    F3 --> F4[populateMTUSize]
+    F4 --> F5[createDNS]
+    F5 --> F6["createOIDC - OIDC provider creation"]
+    F6 --> F7[ensureResourceGroup]
+    F7 --> F8[ensureServiceEndpoints]
+    F8 --> DEPLOY
+
+    DEPLOY[Network and compute] --> N1[setMasterSubnetPolicies]
+    N1 --> N2["deployBaseResourceTemplate<br/>(DNS zones, LBs, VMs, NSGs, storage)"]
+    N2 --> N3["(MSI) federateIdentityCredentials"]
+    N3 --> N4[attachNSGs]
+    N4 --> API
+
+    API[API server and networking] --> A1[updateAPIIPEarly]
+    A1 --> A2[createOrUpdateRouterIPEarly]
+    A2 --> A3[ensureGatewayCreate]
+    A3 --> A4[createAPIServerPrivateEndpoint]
+    A4 --> CERT[createCertificates - API server and ingress TLS]
+    CERT --> INSTALL
+```
+
+```mermaid
+flowchart TD
+    INSTALL{Install path?} -->|Hive| H1[hiveCreateNamespace]
+    H1 --> H2[runHiveInstaller - create ClusterDeployment]
+    H2 --> H3["hiveClusterInstallationComplete<br/>(wait up to 60 min)"]
+    H3 --> H4[generateKubeconfigs]
+    H4 --> POST
+
+    INSTALL -->|Podman| P1a[runPodmanInstaller]
+    P1a --> P2a[generateKubeconfigs]
+    P2a --> P3a{"Adopt via Hive?"}
+    P3a -->|Yes| P4a[hiveEnsureResources]
+    P4a --> P5a["hiveClusterDeploymentReady (5 min)"]
+    P5a --> POST
+    P3a -->|No| POST
+
+    POST[Post-install bootstrap] --> Q1[ensureBillingRecord]
+    Q1 --> Q2[initializeKubernetesClients - cluster now running]
+    Q2 --> Q3[initializeOperatorDeployer]
+    Q3 --> Q4["apiServersReady (30 min timeout)"]
+    Q4 --> Q5[installAROOperator]
+    Q5 --> Q6[enableOperatorReconciliation]
+    Q6 --> Q7["incrInstallPhase - transition to Phase 2"]
+```
+
+## Bootstrap VM (parallel)
+
+```mermaid
+flowchart TD
+    BVM["Bootstrap VM executes<br/>(bootkube.sh)<br/>Runs in parallel with RP steps"] --> B1[Provides initial apiserver behind ILB]
+    B1 --> B2[Bootstrap etcd and wait for stability]
+    B2 --> B3[Run release payload image]
+    B3 --> B4[Generate cluster assets]
+    B4 --> B5[Repeatedly apply assets against running cluster]
+    B5 --> B6[Write bootstrap completed configmap]
+
+    B5 --> OPS[Cluster operators start gradually]
+    OPS --> O1[machine-api operator starts]
+    O1 --> O2[Worker VMs created]
+    O2 --> O3[Ingress - depends on workers]
+    O3 --> O4[Console - depends on ingress]
+```
+
+## Phase 2: RemoveBootstrap
+
+```mermaid
+flowchart TD
+    P2["Phase 2: RemoveBootstrap<br/>(pkg/cluster/install.go)"] --> INIT2[Initialize clients]
+    INIT2 --> RB[Bootstrap removal]
+
+    RB --> R1["removeBootstrap<br/>(delete VM, NIC, disk)"]
+    R1 --> R2["removeBootstrapIgnition<br/>(delete unencrypted, keep encrypted graph)"]
+    R2 --> HEALTH
+
+    HEALTH[API server and node health] --> H1["apiServersReady (30 min)"]
+    H1 --> H2[configureAPIServerCertificate]
+    H2 --> H3["apiServersReady (30 min) - recheck"]
+    H3 --> H4["minimumWorkerNodesReady (30 min)"]
+    H4 --> CONSOLE
+
+    CONSOLE[Console and UI] --> C1["operatorConsoleExists (30 min)"]
+    C1 --> C2[updateConsoleBranding - ARO branding]
+    C2 --> C3["operatorConsoleReady (20 min)"]
+    C3 --> OSCONFIG
+
+    OSCONFIG[OpenShift configuration] --> O1[disableSamples]
+    O1 --> O2[disableOperatorHubSources]
+    O2 --> O3[disableUpdates - lock version]
+    O3 --> O4["clusterVersionReady (30 min)"]
+    O4 --> ARO
+
+    ARO[ARO operator stabilization] --> A1["aroDeploymentReady (20 min)"]
+    A1 --> A2[updateClusterData]
+    A2 --> NET
+
+    NET[Networking and storage] --> N1[configureIngressCertificate]
+    N1 --> N2["ingressControllerReady (30 min)"]
+    N2 --> N3[configureDefaultStorageClass]
+    N3 --> N4[removeAzureFileCSIStorageClass]
+    N4 --> FIN
+
+    FIN[Finalization] --> F1[disableOperatorReconciliation]
+    F1 --> F2["clusterOperatorsHaveSettled (30 min)"]
+    F2 --> F3["finishInstallation<br/>(clear Install field, mark complete)"]
+```
+
diff --git a/docs/cluster-creation.mm b/docs/cluster-creation.mm
index 65b7da8c581..60185adecb0 100644
--- a/docs/cluster-creation.mm
+++ b/docs/cluster-creation.mm
@@ -1,26 +1,74 @@
 <map version="1.0.1">
 <!-- To view this file, download free mind mapping software FreeMind from http://freemind.sourceforge.net -->
-<node CREATED="1590501647125" ID="ID_1180463267" MODIFIED="1590501731010" TEXT="Cluster creation">
-<node CREATED="1590502294517" ID="ID_1734178417" MODIFIED="1590502299641" POSITION="right" TEXT="pre-steps">
+<node CREATED="1590501647125" ID="ID_1180463267" MODIFIED="1742320800000" TEXT="Cluster creation">
+<node CREATED="1742320931000" ID="ID_100000131" MODIFIED="1742320931000" POSITION="right" TEXT="Two credential models">
+<node CREATED="1742320932000" ID="ID_100000132" MODIFIED="1742320932000" TEXT="Service Principal (SP) - legacy">
+<node CREATED="1742320933000" ID="ID_100000133" MODIFIED="1742320933000" TEXT="CLI creates AAD application and service principal"/>
+<node CREATED="1742320934000" ID="ID_100000134" MODIFIED="1742320934000" TEXT="Role assignments for cluster SP and RP SP"/>
+<node CREATED="1742320935000" ID="ID_100000135" MODIFIED="1742320935000" TEXT="Backend uses fixupClusterSPObjectID"/>
+</node>
+<node CREATED="1742320936000" ID="ID_100000136" MODIFIED="1742320936000" TEXT="Managed Identity (MSI) - new">
+<node CREATED="1742320937000" ID="ID_100000137" MODIFIED="1742320937000" TEXT="Customer creates user-assigned managed identity pre-step"/>
+<node CREATED="1742320938000" ID="ID_100000138" MODIFIED="1742320938000" TEXT="Customer creates platform workload identities for operators pre-step"/>
+<node CREATED="1742320939000" ID="ID_100000139" MODIFIED="1742320939000" TEXT="CLI sets UserAssigned identity and PlatformWorkloadIdentityProfile"/>
+<node CREATED="1742320940000" ID="ID_100000140" MODIFIED="1742320940000" TEXT="Frontend stores identity URL and tenant ID from MSI headers"/>
+<node CREATED="1742320941000" ID="ID_100000141" MODIFIED="1742320941000" TEXT="Backend generates MSI certificate and creates MSI-authenticated clients"/>
+<node CREATED="1742320942000" ID="ID_100000142" MODIFIED="1742320942000" TEXT="Backend creates OIDC federated identity credentials"/>
+</node>
+</node>
+<node CREATED="1742320943000" ID="ID_100000143" MODIFIED="1742320943000" POSITION="right" TEXT="Two install paths">
+<node CREATED="1742320944000" ID="ID_100000144" MODIFIED="1742320944000" TEXT="Hive - ClusterDeployment on management cluster">
+<node CREATED="1742320945000" ID="ID_100000145" MODIFIED="1742320945000" TEXT="Creates namespace and ClusterDeployment in Hive"/>
+<node CREATED="1742320946000" ID="ID_100000146" MODIFIED="1742320946000" TEXT="Waits up to 60 minutes for completion"/>
+</node>
+<node CREATED="1742320947000" ID="ID_100000147" MODIFIED="1742320947000" TEXT="Podman - local container install">
+<node CREATED="1742320948000" ID="ID_100000148" MODIFIED="1742320948000" TEXT="Runs installer in local container"/>
+<node CREATED="1742320949000" ID="ID_100000149" MODIFIED="1742320949000" TEXT="Can optionally adopt into Hive after install"/>
+</node>
+</node>
+<node CREATED="1590502294517" ID="ID_1734178417" MODIFIED="1742320800000" POSITION="right" TEXT="pre-steps">
 <node CREATED="1590502253749" ID="ID_797314692" MODIFIED="1590502264066" TEXT="customer optionally gets Red Hat pull secret"/>
 <node CREATED="1590501802453" ID="ID_904198521" MODIFIED="1590501917964" TEXT="register ARO RP (az provider register)"/>
 <node CREATED="1590501904633" ID="ID_1079717712" MODIFIED="1590501908156" TEXT="create vnets"/>
 <node CREATED="1590501926018" ID="ID_1086806568" MODIFIED="1590501929862" TEXT="create resource group"/>
+<node CREATED="1742320801000" ID="ID_100000001" MODIFIED="1742320801000" TEXT="(MSI path) create user-assigned managed identity"/>
+<node CREATED="1742320802000" ID="ID_100000002" MODIFIED="1742320802000" TEXT="(MSI path) create platform workload identities for operators"/>
 </node>
-<node CREATED="1590501919601" ID="ID_161177817" MODIFIED="1591025651949" POSITION="right" TEXT="az aro create (python/az/aro/azext_aro/custom.py)">
+<node CREATED="1590501919601" ID="ID_161177817" MODIFIED="1742320800000" POSITION="right" TEXT="az aro create (python/az/aro/azext_aro/custom.py)">
 <node CREATED="1590502276404" ID="ID_929220713" MODIFIED="1591025695487" TEXT="static parameter validation"/>
 <node CREATED="1591025679701" ID="ID_101192528" MODIFIED="1591025686655" TEXT="validate RP is registered to subscription"/>
-<node CREATED="1591025696331" ID="ID_619046778" MODIFIED="1591025702207" TEXT="dynamic parameter validation"/>
-<node CREATED="1590502123499" ID="ID_698894632" MODIFIED="1590502126726" TEXT="cluster application is created"/>
-<node CREATED="1590502140300" ID="ID_2890021" MODIFIED="1590502146177" TEXT="cluster service principal is created"/>
-<node CREATED="1590502114963" ID="ID_1250417331" MODIFIED="1590502152495" TEXT="role assignments are created for cluster SP and RP SP"/>
-<node CREATED="1590501932641" ID="ID_855800116" MODIFIED="1591026874493" TEXT="PUT to RP including cluster SP and wait for HTTP 201 response"/>
+<node CREATED="1742320803000" ID="ID_100000003" MODIFIED="1742320803000" TEXT="validate subnets"/>
+<node CREATED="1742320804000" ID="ID_100000004" MODIFIED="1742320804000" TEXT="dynamic validation">
+<node CREATED="1742320805000" ID="ID_100000005" MODIFIED="1742320805000" TEXT="virtual network permissions"/>
+<node CREATED="1742320806000" ID="ID_100000006" MODIFIED="1742320806000" TEXT="resource provider permissions"/>
+<node CREATED="1742320807000" ID="ID_100000007" MODIFIED="1742320807000" TEXT="quota validation"/>
+<node CREATED="1742320808000" ID="ID_100000008" MODIFIED="1742320808000" TEXT="disk encryption set validation"/>
+<node CREATED="1742320809000" ID="ID_100000009" MODIFIED="1742320809000" TEXT="domain validation"/>
+<node CREATED="1742320810000" ID="ID_100000010" MODIFIED="1742320810000" TEXT="CIDR range validation"/>
+<node CREATED="1742320811000" ID="ID_100000011" MODIFIED="1742320811000" TEXT="version validation"/>
+<node CREATED="1742320812000" ID="ID_100000012" MODIFIED="1742320812000" TEXT="outbound type validation (LB vs UserDefinedRouting)"/>
+<node CREATED="1742320813000" ID="ID_100000013" MODIFIED="1742320813000" TEXT="(MSI path) managed identity and platform workload identity validation"/>
+</node>
+<node CREATED="1742320814000" ID="ID_100000014" MODIFIED="1742320814000" TEXT="identity setup (two paths)">
+<node CREATED="1590502123499" ID="ID_698894632" MODIFIED="1742320814000" TEXT="(SP path) cluster AAD application is created if client_id not provided"/>
+<node CREATED="1590502140300" ID="ID_2890021" MODIFIED="1742320814000" TEXT="(SP path) cluster service principal is created or retrieved"/>
+<node CREATED="1742320815000" ID="ID_100000015" MODIFIED="1742320815000" TEXT="(MSI path) set cluster identity to UserAssigned with mi_user_assigned"/>
+<node CREATED="1742320816000" ID="ID_100000016" MODIFIED="1742320816000" TEXT="(MSI path) set PlatformWorkloadIdentityProfile with operator identity mappings"/>
+</node>
+<node CREATED="1742320817000" ID="ID_100000017" MODIFIED="1742320817000" TEXT="build OpenShiftCluster object">
+<node CREATED="1742320818000" ID="ID_100000018" MODIFIED="1742320818000" TEXT="ClusterProfile (pull secret, domain, version, FIPS, resource group)"/>
+<node CREATED="1742320819000" ID="ID_100000019" MODIFIED="1742320819000" TEXT="NetworkProfile (CIDR ranges, NSG mode, load balancer config, outbound type)"/>
+<node CREATED="1742320820000" ID="ID_100000020" MODIFIED="1742320820000" TEXT="MasterProfile and WorkerProfile (VM sizes, encryption at host, subnets)"/>
+<node CREATED="1742320821000" ID="ID_100000021" MODIFIED="1742320821000" TEXT="APIServerProfile and IngressProfile (visibility settings)"/>
+</node>
+<node CREATED="1590502114963" ID="ID_1250417331" MODIFIED="1742320800000" TEXT="ensure_resource_permissions (role assignments for SP/MSI and RP)"/>
+<node CREATED="1590501932641" ID="ID_855800116" MODIFIED="1742320800000" TEXT="PUT to RP and wait for HTTP 201 response"/>
 <node CREATED="1590502081826" ID="ID_265795688" MODIFIED="1591026893807" TEXT="az polls asynchronous operation record to wait for RP completion"/>
 <node CREATED="1591026894337" ID="ID_482750948" MODIFIED="1591026912237" TEXT="output last received openShiftClusters document state"/>
 </node>
 <node CREATED="1590501950473" ID="ID_975936412" MODIFIED="1590501955854" POSITION="right" TEXT="PUT goes through ARM routing"/>
-<node CREATED="1590501957577" ID="ID_1034488002" MODIFIED="1591025982923" POSITION="right" TEXT="PUT is handled by RP frontend (pkg/frontend)">
-<node CREATED="1591026038303" ID="ID_1841508673" MODIFIED="1591026123524" TEXT="HTTP request traverses middleware functions (pkg/frontend/middleware)">
+<node CREATED="1590501957577" ID="ID_1034488002" MODIFIED="1742320800000" POSITION="right" TEXT="PUT is handled by RP frontend (pkg/frontend)">
+<node CREATED="1591026038303" ID="ID_1841508673" MODIFIED="1742320800000" TEXT="HTTP request traverses middleware functions (pkg/frontend/middleware)">
 <node CREATED="1591026063872" ID="ID_681924085" MODIFIED="1591026067131" TEXT="Lowercase"/>
 <node CREATED="1591026072536" ID="ID_331440489" MODIFIED="1591026073715" TEXT="Log"/>
 <node CREATED="1591026076192" ID="ID_211604015" MODIFIED="1591026077308" TEXT="Metrics"/>
@@ -28,135 +76,116 @@
 <node CREATED="1591026082272" ID="ID_875080718" MODIFIED="1591026083467" TEXT="Headers"/>
 <node CREATED="1591026083688" ID="ID_736348554" MODIFIED="1591026215254" TEXT="Validate (URL parameters)"/>
 <node CREATED="1591026091720" ID="ID_853456946" MODIFIED="1591026092788" TEXT="Body"/>
-<node CREATED="1591026102200" ID="ID_381029164" MODIFIED="1591026312142" TEXT="Authenticated (not for /healthz)"/>
+<node CREATED="1742320822000" ID="ID_100000022" MODIFIED="1742320822000" TEXT="SystemData (ARM system metadata enrichment)"/>
+<node CREATED="1591026102200" ID="ID_381029164" MODIFIED="1742320800000" TEXT="Authenticated (MISE or mutual TLS, not for /healthz)"/>
 </node>
-<node CREATED="1591026323778" ID="ID_1682226583" MODIFIED="1591026382359" TEXT="putOrPatchOpenShiftCluster route (pkg/frontend/openshiftcluster_putorpatch.go)">
+<node CREATED="1591026323778" ID="ID_1682226583" MODIFIED="1742320800000" TEXT="putOrPatchOpenShiftCluster route (pkg/frontend/openshiftcluster_putorpatch.go)">
 <node CREATED="1591026411900" ID="ID_1709517415" MODIFIED="1591026417240" TEXT="validate subscription state"/>
 <node CREATED="1591026487468" ID="ID_1239570824" MODIFIED="1591026490857" TEXT="unmarshal request body"/>
-<node CREATED="1590502373094" ID="ID_326312598" MODIFIED="1591226310312" TEXT="(static) validation (request body)"/>
-<node CREATED="1590502328534" ID="ID_715119661" MODIFIED="1591026615514" TEXT="set ProvisioningState to &quot;Creating&quot; to queue to backend"/>
-<node CREATED="1591026511765" ID="ID_692144509" MODIFIED="1591026516609" TEXT="allocate monitoring bucket"/>
+<node CREATED="1590502373094" ID="ID_326312598" MODIFIED="1742320800000" TEXT="validation on create (ValidateNewCluster)">
+<node CREATED="1742320824000" ID="ID_100000024" MODIFIED="1742320824000" TEXT="staticValidator.Static() - API model validation"/>
+<node CREATED="1742320825000" ID="ID_100000025" MODIFIED="1742320825000" TEXT="skuValidator.ValidateVMSku() - VM size availability"/>
+<node CREATED="1742320826000" ID="ID_100000026" MODIFIED="1742320826000" TEXT="quotaValidator.ValidateQuota() - compute quota"/>
+<node CREATED="1742320827000" ID="ID_100000027" MODIFIED="1742320827000" TEXT="providersValidator.ValidateProviders() - resource provider registration"/>
+</node>
+<node CREATED="1742320828000" ID="ID_100000028" MODIFIED="1742320828000" TEXT="(MSI path) validatePlatformWorkloadIdentities"/>
+<node CREATED="1742320829000" ID="ID_100000029" MODIFIED="1742320829000" TEXT="validate install version is supported"/>
+<node CREATED="1590502328534" ID="ID_715119661" MODIFIED="1742320800000" TEXT="set ProvisioningState to Creating to queue to backend"/>
+<node CREATED="1742320830000" ID="ID_100000030" MODIFIED="1742320830000" TEXT="allocate monitoring bucket"/>
+<node CREATED="1742320831000" ID="ID_100000031" MODIFIED="1742320831000" TEXT="(MSI path) store identity URL and tenant ID in cluster doc"/>
+<node CREATED="1742320832000" ID="ID_100000032" MODIFIED="1742320832000" TEXT="set defaults and default operator flags"/>
 <node CREATED="1591026556253" ID="ID_1483905360" MODIFIED="1591026579930" TEXT="create asynchronous operation record which client can poll on"/>
 <node CREATED="1590502173652" ID="ID_1206384235" MODIFIED="1590502186327" TEXT="cluster record created in CosmosDB"/>
-<node CREATED="1591026646790" ID="ID_782853728" MODIFIED="1591026664562" TEXT="return cluster record to end user (excluding secret fields)"/>
+<node CREATED="1591026646790" ID="ID_782853728" MODIFIED="1742320800000" TEXT="return cluster record to end user (excluding secrets and sensitive fields)"/>
 </node>
 </node>
-<node CREATED="1590502343830" ID="ID_1390328428" MODIFIED="1591226374839" POSITION="right" TEXT="Creation is handled by RP backend (pkg/backend)">
+<node CREATED="1590502343830" ID="ID_1390328428" MODIFIED="1742320800000" POSITION="right" TEXT="Creation is handled by RP backend (pkg/backend)">
 <node CREATED="1591226420068" ID="ID_1572125659" MODIFIED="1591226749539" TEXT="backends race to dequeue cluster record, one backend wins and takes the lease"/>
 <node CREATED="1591226456124" ID="ID_1974865526" MODIFIED="1591226692283" TEXT="heartbeat process starts, updating lease (prevents other backends dequeueing the same record)"/>
-<node CREATED="1590502362021" ID="ID_705716060" MODIFIED="1591226556577" TEXT="dynamic validation (pkg/api/validate/openshiftcluster_validatedynamic.go)">
-<node CREATED="1591226558510" ID="ID_1625452736" MODIFIED="1591226574889" TEXT="vnet permissions"/>
-<node CREATED="1591226575270" ID="ID_942065036" MODIFIED="1591226578729" TEXT="route table permissions"/>
-<node CREATED="1591226579238" ID="ID_101213817" MODIFIED="1591226585105" TEXT="vnet validation">
-<node CREATED="1591226592406" ID="ID_785623303" MODIFIED="1591226597577" TEXT="overlapping subnets"/>
-<node CREATED="1591226598909" ID="ID_501781834" MODIFIED="1591226604569" TEXT="dns servers misconfigured"/>
-</node>
-<node CREATED="1591226606166" ID="ID_967308470" MODIFIED="1591226613066" TEXT="necessary resource providers registered"/>
-<node CREATED="1591226613422" ID="ID_1357148973" MODIFIED="1591226620890" TEXT="sufficient quota"/>
-</node>
-<node CREATED="1591226960499" ID="ID_1868560504" MODIFIED="1591226965054" TEXT="prepare data for installconfig">
-<node CREATED="1590503945624" ID="ID_364348246" MODIFIED="1591226860333" TEXT="create ACR token and password"/>
-<node CREATED="1591226841609" ID="ID_1989042463" MODIFIED="1591226850525" TEXT="generate cluster ssh key, storage suffix"/>
-<node CREATED="1591226864585" ID="ID_1180722902" MODIFIED="1591226870934" TEXT="calculate cluster pull secret">
-<node CREATED="1591226879450" ID="ID_554370730" MODIFIED="1591226889989" TEXT="merge user&apos;s pull secret with ACR token"/>
-<node CREATED="1591226892993" ID="ID_1864768217" MODIFIED="1591226921013" TEXT="remove cloud.openshift.com to prevent telemetry data leaving Azure"/>
-</node>
-<node CREATED="1591226933922" ID="ID_1151216440" MODIFIED="1591226949445" TEXT="calculate availability zone configuration for masters and workers"/>
-</node>
-<node CREATED="1590502779514" ID="ID_1648402988" MODIFIED="1591227053975" TEXT="populate installconfig struct">
-<node CREATED="1590503163495" ID="ID_1467487990" MODIFIED="1590503170131" TEXT="includes references to vnets"/>
-<node CREATED="1590503923288" ID="ID_716993735" MODIFIED="1590503934619" TEXT="includes cluster pull secret"/>
-<node CREATED="1590504630936" ID="ID_1227083335" MODIFIED="1590504638020" TEXT="includes cluster service principal"/>
-<node CREATED="1590504969578" ID="ID_347262687" MODIFIED="1590504975958" TEXT="includes AZ information"/>
-<node CREATED="1591226998618" ID="ID_1805181178" MODIFIED="1591227013926" TEXT="includes RHCOS image co-ordinates"/>
-</node>
-<node CREATED="1591227019507" ID="ID_877475648" MODIFIED="1591227022798" TEXT="validate installconfig"/>
-<node CREATED="1591227024803" ID="ID_1706136491" MODIFIED="1591227099863" TEXT="run install (pkg/install/install.go)">
-<node CREATED="1590502975629" ID="ID_349047649" MODIFIED="1590502991682" TEXT="phase 1: bootstrap">
-<node CREATED="1590502696186" ID="ID_45495378" MODIFIED="1591228716914" TEXT="register external cluster dns record if appropriate"/>
-<node CREATED="1591227143660" ID="ID_846465412" MODIFIED="1591227147513" TEXT="deploy storage template">
-<node CREATED="1591227191973" ID="ID_926546882" MODIFIED="1591227236506" TEXT="generate ClusterID install graph node"/>
-<node CREATED="1591227202861" ID="ID_7835241" MODIFIED="1591227271713" TEXT="create cluster resource group"/>
-<node CREATED="1591227305518" ID="ID_1281381149" MODIFIED="1591227319210" TEXT="retrieve service principal ID for cluster application"/>
-<node CREATED="1591227616113" ID="ID_99542609" MODIFIED="1591227620690" TEXT="build ARM template">
-<node CREATED="1591227378351" ID="ID_863743809" MODIFIED="1591227392331" TEXT="role assignment (CSP -&gt; Contributor)"/>
-<node CREATED="1590503353899" ID="ID_842297870" MODIFIED="1590503358909" TEXT="storage containers">
-<node CREATED="1591227420599" ID="ID_1974776406" MODIFIED="1591227520348" TEXT="ignition - serves bootstrap ignition config"/>
-<node CREATED="1591227422095" ID="ID_599514623" MODIFIED="1591227534052" TEXT="aro - saves encrypted copy of the install graph"/>
-</node>
-<node CREATED="1590502944932" ID="ID_1463280690" MODIFIED="1591227441620" TEXT="network security groups">
-<node CREATED="1591227442696" ID="ID_832435734" MODIFIED="1591227445579" TEXT="control plane"/>
-<node CREATED="1591227445791" ID="ID_1013416500" MODIFIED="1591227475388" TEXT="worker nodes"/>
-</node>
-<node CREATED="1591227555473" ID="ID_1235869362" MODIFIED="1591227604165" TEXT="deny assignment for anyone but RP and CSP"/>
-</node>
-<node CREATED="1590502512176" ID="ID_1871853681" MODIFIED="1591228512592" TEXT="deploy ARM template and wait"/>
-<node CREATED="1590502019483" ID="ID_960981413" MODIFIED="1591227674230" TEXT="generate install graph from installconfig using the vendored installer">
-<node CREATED="1590504187746" ID="ID_552125362" MODIFIED="1590504995151" TEXT="includes 1 or 3 worker machineset(s)"/>
-<node CREATED="1590504643520" ID="ID_412100703" MODIFIED="1590504650678" TEXT="includes secret with cluster service principal"/>
-<node CREATED="1590502642273" ID="ID_1960649964" MODIFIED="1590502655973" TEXT="includes bootstrap ignition config"/>
-<node CREATED="1590503832727" ID="ID_337657349" MODIFIED="1590503838619" TEXT="includes bootstrap cluster assets"/>
-</node>
-<node CREATED="1591227657818" ID="ID_150264491" MODIFIED="1591227666030" TEXT="write install graph to storage container"/>
-</node>
-<node CREATED="1590503186392" ID="ID_1357558604" MODIFIED="1590503199515" TEXT="attach nsgs to subnets"/>
-<node CREATED="1590502466183" ID="ID_986457782" MODIFIED="1591227804528" TEXT="create billing record"/>
-<node CREATED="1591228496836" ID="ID_48294449" MODIFIED="1591228521314" TEXT="create more cluster resources using ARM">
-<node CREATED="1590502914276" ID="ID_1293565635" MODIFIED="1591228494903" TEXT="build ARM template">
-<node CREATED="1590502687977" ID="ID_365124781" MODIFIED="1591227844880" TEXT="cluster private dns zone and recordsets">
-<node CREATED="1591227861044" ID="ID_425280122" MODIFIED="1591227902481" TEXT="A api-int (ILB)"/>
-<node CREATED="1591227892957" ID="ID_441536775" MODIFIED="1591227904929" TEXT="A api (LB)"/>
-<node CREATED="1591227865156" ID="ID_299076322" MODIFIED="1591227921802" TEXT="A etcd-{0,1,2}"/>
-<node CREATED="1591227922045" ID="ID_1443092651" MODIFIED="1591227928113" TEXT="SRV _etcd-server-ssl._tcp"/>
-</node>
-<node CREATED="1591227946885" ID="ID_1851897858" MODIFIED="1591227955690" TEXT="virtual network link (joins dns zone to vnet)"/>
+<node CREATED="1742320833000" ID="ID_100000033" MODIFIED="1742320833000" TEXT="load subscription document for RBAC context"/>
+<node CREATED="1742320834000" ID="ID_100000034" MODIFIED="1742320834000" TEXT="determine Hive install mode (installViaHive, adoptViaHive, or neither)"/>
+<node CREATED="1742320835000" ID="ID_100000035" MODIFIED="1742320835000" TEXT="create cluster manager with database, encryption, billing, Hive, metrics"/>
+<node CREATED="1742320836000" ID="ID_100000036" MODIFIED="1742320836000" TEXT="call m.Install(ctx) which runs multi-phase install"/>
+</node>
+<node CREATED="1742320837000" ID="ID_100000037" MODIFIED="1742320837000" POSITION="right" TEXT="Phase 1: Bootstrap (pkg/cluster/install.go)">
+<node CREATED="1742320838000" ID="ID_100000038" MODIFIED="1742320838000" TEXT="credential initialization and validation">
+<node CREATED="1742320844000" ID="ID_100000044" MODIFIED="1742320844000" TEXT="(MSI path) ensureClusterMsiCertificate - generate MSI certificate"/>
+<node CREATED="1742320845000" ID="ID_100000045" MODIFIED="1742320845000" TEXT="(MSI path) initializeClusterMsiClients - create MSI-authenticated clients"/>
+<node CREATED="1742320847000" ID="ID_100000047" MODIFIED="1742320847000" TEXT="(MSI path) platformWorkloadIdentityIDs - populate operator identity IDs"/>
+<node CREATED="1742320950000" ID="ID_100000150" MODIFIED="1742320950000" TEXT="validateResources"/>
+<node CREATED="1742320951000" ID="ID_100000151" MODIFIED="1742320951000" TEXT="validateZones"/>
+<node CREATED="1742320846000" ID="ID_100000046" MODIFIED="1742320846000" TEXT="(MSI path) clusterIdentityIDs - populate cluster MSI object IDs"/>
+<node CREATED="1742320848000" ID="ID_100000048" MODIFIED="1742320848000" TEXT="(MSI path) persistPlatformWorkloadIdentityIDs - store IDs in document"/>
+<node CREATED="1742320952000" ID="ID_100000152" MODIFIED="1742320952000" TEXT="(SP path) initializeClusterSPClients"/>
+<node CREATED="1742320849000" ID="ID_100000049" MODIFIED="1742320849000" TEXT="(SP path) clusterSPObjectID - populate SP object IDs"/>
+</node>
+<node CREATED="1742320851000" ID="ID_100000051" MODIFIED="1742320851000" TEXT="Azure infrastructure setup">
+<node CREATED="1742320857000" ID="ID_100000057" MODIFIED="1742320857000" TEXT="ensurePreconfiguredNSG - if BYO NSG enabled"/>
+<node CREATED="1590503945624" ID="ID_364348246" MODIFIED="1742320800000" TEXT="ensureACRToken - ACR credential setup"/>
+<node CREATED="1742320858000" ID="ID_100000058" MODIFIED="1742320858000" TEXT="ensureInfraID - generate cluster infrastructure ID"/>
+<node CREATED="1742320859000" ID="ID_100000059" MODIFIED="1742320859000" TEXT="ensureSSHKey - generate SSH key pair"/>
+<node CREATED="1742320860000" ID="ID_100000060" MODIFIED="1742320860000" TEXT="ensureStorageSuffix"/>
+<node CREATED="1742320861000" ID="ID_100000061" MODIFIED="1742320861000" TEXT="populateMTUSize - network MTU sizing"/>
+<node CREATED="1742320863000" ID="ID_100000063" MODIFIED="1742320863000" TEXT="createDNS - DNS zone setup"/>
+<node CREATED="1742320864000" ID="ID_100000064" MODIFIED="1742320864000" TEXT="createOIDC - OIDC provider creation"/>
+<node CREATED="1591227202861" ID="ID_7835241" MODIFIED="1742320800000" TEXT="ensureResourceGroup - create cluster resource group"/>
+<node CREATED="1742320853000" ID="ID_100000053" MODIFIED="1742320853000" TEXT="ensureServiceEndpoints - VNet service endpoints"/>
+</node>
+<node CREATED="1742320865000" ID="ID_100000065" MODIFIED="1742320865000" TEXT="network and compute deployment">
+<node CREATED="1742320866000" ID="ID_100000066" MODIFIED="1742320866000" TEXT="setMasterSubnetPolicies"/>
+<node CREATED="1742320867000" ID="ID_100000067" MODIFIED="1742320867000" TEXT="deployBaseResourceTemplate - deploy base ARM/bicep (networks, VMs, LBs, NSGs, storage)">
+<node CREATED="1590502687977" ID="ID_365124781" MODIFIED="1742320800000" TEXT="cluster private DNS zone and recordsets (api-int, api, etcd, SRV)"/>
+<node CREATED="1591227946885" ID="ID_1851897858" MODIFIED="1591227955690" TEXT="virtual network link (joins DNS zone to vnet)"/>
 <node CREATED="1590504421422" ID="ID_74218882" MODIFIED="1590504424993" TEXT="private link service"/>
-<node CREATED="1591227976710" ID="ID_534503069" MODIFIED="1591228384910" TEXT="public IP for API server inbound (-pip-v4)"/>
-<node CREATED="1590503419666" ID="ID_832407609" MODIFIED="1591228413239" TEXT="public load balancer for API server">
-<node CREATED="1591228019279" ID="ID_705458648" MODIFIED="1591228024938" TEXT="configuration depends on private/public apiserver"/>
-<node CREATED="1591228060791" ID="ID_965676248" MODIFIED="1591228065298" TEXT=":6443"/>
-</node>
-<node CREATED="1591228013534" ID="ID_456510197" MODIFIED="1591228416703" TEXT="internal load balancer for API server">
-<node CREATED="1591228067071" ID="ID_1368782287" MODIFIED="1591228069571" TEXT=":6443"/>
-<node CREATED="1591228070631" ID="ID_1886145277" MODIFIED="1591228092291" TEXT=":22623 (serves ignition)"/>
-</node>
-<node CREATED="1590502560440" ID="ID_355611943" MODIFIED="1591228080059" TEXT="bootstrap NIC, VM">
-<node CREATED="1591228154568" ID="ID_1645425455" MODIFIED="1591228562617" TEXT="customdata points to ignition config in storage container (uses SAS token)"/>
-<node CREATED="1591228234385" ID="ID_1732972442" MODIFIED="1591228235844" TEXT="diagnostics profile saves serial output"/>
-</node>
-<node CREATED="1590502572168" ID="ID_1424819241" MODIFIED="1591228084131" TEXT="3 master NICs and VMs">
-<node CREATED="1591228175697" ID="ID_1866133243" MODIFIED="1591228185700" TEXT="customdata points to internal load balancer :22623"/>
-<node CREATED="1591228220865" ID="ID_828339793" MODIFIED="1591228231245" TEXT="diagnostics profile saves serial output"/>
-</node>
-<node CREATED="1591228243945" ID="ID_813134746" MODIFIED="1591228475528" TEXT="public IP for worker nodes outbound (-outbound-pip-v4)"/>
-<node CREATED="1591228407499" ID="ID_1099527640" MODIFIED="1591228471559" TEXT="public load balancer for worker nodes"/>
-</node>
-<node CREATED="1591228541789" ID="ID_867243099" MODIFIED="1591228576721" TEXT="generate SAS token and pass as ARM template parameter"/>
-<node CREATED="1591228501468" ID="ID_1952696774" MODIFIED="1591228509160" TEXT="deploy ARM template and wait"/>
-</node>
-<node CREATED="1590504438350" ID="ID_1774929298" MODIFIED="1590504456657" TEXT="create private endpoint in RP resource group and connect PE/PLS"/>
-<node CREATED="1591228610285" ID="ID_283255789" MODIFIED="1591228635082" TEXT="update API server IP">
-<node CREATED="1591228635941" ID="ID_1512066616" MODIFIED="1591228722858" TEXT="update external cluster dns record which was registered at start (if applicable)"/>
-<node CREATED="1591228724615" ID="ID_296105763" MODIFIED="1591228737658" TEXT="store private endpoint IP in database"/>
-</node>
-<node CREATED="1590502724282" ID="ID_991825848" MODIFIED="1591228752850" TEXT="create signed TLS certificates if appropriate">
-<node CREATED="1591228754151" ID="ID_1438424488" MODIFIED="1591228757187" TEXT="API server"/>
-<node CREATED="1591228757447" ID="ID_837500356" MODIFIED="1591228762675" TEXT="ingress"/>
-</node>
-<node CREATED="1591228786871" ID="ID_781093330" MODIFIED="1591228790899" TEXT="(create kubernetes clients)"/>
-<node CREATED="1590503510899" ID="ID_309529824" MODIFIED="1590505140320" TEXT="wait for bootstrap completion configmap"/>
-<node CREATED="1590503470139" ID="ID_1195352875" MODIFIED="1591228834699" TEXT="install geneva logging (mdsd)"/>
-<node CREATED="1591228836448" ID="ID_1513120256" MODIFIED="1591228848228" TEXT="install ifreload kernel bug workaround"/>
-<node CREATED="1591228852080" ID="ID_78262830" MODIFIED="1591228855821" TEXT="proceed to phase 2"/>
-</node>
-<node CREATED="1590503666981" ID="ID_818219301" MODIFIED="1590504857645" TEXT="bootstrap VM executes (bootkube.sh)">
-<node CREATED="1590504788473" ID="ID_1189966395" MODIFIED="1590504799942" TEXT="bootstrap vm provides initial apiserver implementation behind ILB"/>
+<node CREATED="1742320868000" ID="ID_100000068" MODIFIED="1742320868000" TEXT="public and internal load balancers for API server (:6443, :22623)"/>
+<node CREATED="1742320869000" ID="ID_100000069" MODIFIED="1742320869000" TEXT="public IP for API server and worker outbound"/>
+<node CREATED="1590502560440" ID="ID_355611943" MODIFIED="1742320800000" TEXT="bootstrap NIC and VM (customdata points to ignition in storage)"/>
+<node CREATED="1590502572168" ID="ID_1424819241" MODIFIED="1742320800000" TEXT="3 master NICs and VMs (customdata points to ILB :22623)"/>
+<node CREATED="1742320870000" ID="ID_100000070" MODIFIED="1742320870000" TEXT="public load balancer for worker nodes outbound"/>
+<node CREATED="1590502944932" ID="ID_1463280690" MODIFIED="1742320800000" TEXT="network security groups (control plane, workers)"/>
+<node CREATED="1590503353899" ID="ID_842297870" MODIFIED="1742320800000" TEXT="storage containers (ignition, aro graph)"/>
+<node CREATED="1742320871000" ID="ID_100000071" MODIFIED="1742320871000" TEXT="deny assignment for anyone but RP and cluster identity"/>
+</node>
+<node CREATED="1742320872000" ID="ID_100000072" MODIFIED="1742320872000" TEXT="(MSI path) federateIdentityCredentials - bind Azure identities to k8s service accounts via OIDC"/>
+<node CREATED="1742320873000" ID="ID_100000073" MODIFIED="1742320873000" TEXT="attachNSGs - attach NSGs to subnets"/>
+</node>
+<node CREATED="1742320874000" ID="ID_100000074" MODIFIED="1742320874000" TEXT="API server and networking">
+<node CREATED="1742320875000" ID="ID_100000075" MODIFIED="1742320875000" TEXT="updateAPIIPEarly - populate API server IP"/>
+<node CREATED="1742320876000" ID="ID_100000076" MODIFIED="1742320876000" TEXT="createOrUpdateRouterIPEarly - set router IP"/>
+<node CREATED="1742320877000" ID="ID_100000077" MODIFIED="1742320877000" TEXT="ensureGatewayCreate - create gateway resources"/>
+<node CREATED="1590504438350" ID="ID_1774929298" MODIFIED="1742320800000" TEXT="createAPIServerPrivateEndpoint - create PE in RP resource group and connect PE/PLS"/>
+</node>
+<node CREATED="1590502724282" ID="ID_991825848" MODIFIED="1742320800000" TEXT="createCertificates - TLS certificates (API server, ingress)"/>
+<node CREATED="1742320878000" ID="ID_100000078" MODIFIED="1742320878000" TEXT="cluster installation (two paths)">
+<node CREATED="1742320879000" ID="ID_100000079" MODIFIED="1742320879000" TEXT="(Hive path) installViaHive">
+<node CREATED="1742320880000" ID="ID_100000080" MODIFIED="1742320880000" TEXT="hiveCreateNamespace - create namespace in management cluster"/>
+<node CREATED="1742320881000" ID="ID_100000081" MODIFIED="1742320881000" TEXT="runHiveInstaller - create Hive ClusterDeployment"/>
+<node CREATED="1742320882000" ID="ID_100000082" MODIFIED="1742320882000" TEXT="hiveClusterInstallationComplete - wait up to 60 minutes"/>
+<node CREATED="1742320883000" ID="ID_100000083" MODIFIED="1742320883000" TEXT="generateKubeconfigs"/>
+</node>
+<node CREATED="1742320884000" ID="ID_100000084" MODIFIED="1742320884000" TEXT="(Podman path) runPodmanInstaller">
+<node CREATED="1742320885000" ID="ID_100000085" MODIFIED="1742320885000" TEXT="runPodmanInstaller - local container-based install"/>
+<node CREATED="1742320886000" ID="ID_100000086" MODIFIED="1742320886000" TEXT="generateKubeconfigs"/>
+<node CREATED="1742320887000" ID="ID_100000087" MODIFIED="1742320887000" TEXT="(if adoptViaHive) hiveEnsureResources and hiveClusterDeploymentReady (5min)"/>
+</node>
+</node>
+<node CREATED="1590502466183" ID="ID_986457782" MODIFIED="1742320800000" TEXT="ensureBillingRecord - create/update billing DB record"/>
+<node CREATED="1742320888000" ID="ID_100000088" MODIFIED="1742320888000" TEXT="post-install bootstrap phase">
+<node CREATED="1742320889000" ID="ID_100000089" MODIFIED="1742320889000" TEXT="initializeKubernetesClients - cluster now running"/>
+<node CREATED="1742320890000" ID="ID_100000090" MODIFIED="1742320890000" TEXT="initializeOperatorDeployer"/>
+<node CREATED="1742320891000" ID="ID_100000091" MODIFIED="1742320891000" TEXT="apiServersReady - wait up to 30 minutes"/>
+<node CREATED="1742320892000" ID="ID_100000092" MODIFIED="1742320892000" TEXT="installAROOperator - deploy ARO operator"/>
+<node CREATED="1742320893000" ID="ID_100000093" MODIFIED="1742320893000" TEXT="enableOperatorReconciliation"/>
+<node CREATED="1742320894000" ID="ID_100000094" MODIFIED="1742320894000" TEXT="incrInstallPhase - transition to Phase 2"/>
+</node>
+</node>
+<node CREATED="1590503666981" ID="ID_818219301" MODIFIED="1742320800000" POSITION="right" TEXT="bootstrap VM executes (bootkube.sh) - runs in parallel with RP steps">
+<node CREATED="1590504788473" ID="ID_1189966395" MODIFIED="1590504799942" TEXT="bootstrap VM provides initial apiserver implementation behind ILB"/>
 <node CREATED="1590503732622" ID="ID_1984986404" MODIFIED="1590504725261" TEXT="bootstrap etcd and wait for stability"/>
 <node CREATED="1590503858838" ID="ID_1075791103" MODIFIED="1590503901019" TEXT="runs release payload image"/>
 <node CREATED="1590503876391" ID="ID_1346442592" MODIFIED="1590503896395" TEXT="more cluster assets are generated"/>
-<node CREATED="1590504219587" ID="ID_18180478" MODIFIED="1590504287943" TEXT="assets repeatedly applies assets against running cluster"/>
+<node CREATED="1590504219587" ID="ID_18180478" MODIFIED="1590504287943" TEXT="assets repeatedly applied against running cluster"/>
 <node CREATED="1590505112901" ID="ID_1690485668" MODIFIED="1590505123264" TEXT="writes a bootstrap completed configmap"/>
-</node>
 <node CREATED="1590504291004" ID="ID_1622034039" MODIFIED="1590504299947" TEXT="gradually, cluster operators start">
 <node CREATED="1590503769591" ID="ID_1573177316" MODIFIED="1590503796731" TEXT="machine-api operator starts running">
 <node CREATED="1590503671133" ID="ID_617037512" MODIFIED="1590503807631" TEXT="worker VMs created"/>
@@ -164,25 +193,49 @@
 <node CREATED="1590504342445" ID="ID_362731312" MODIFIED="1590504354176" TEXT="ingress dependent on worker VMs"/>
 <node CREATED="1590504315508" ID="ID_1589775695" MODIFIED="1590504341528" TEXT="console starts running (dependent on ingress)"/>
 </node>
-<node CREATED="1590502992446" ID="ID_833769786" MODIFIED="1591227133568" TEXT="phase 2: remove-bootstrap">
-<node CREATED="1590502868427" ID="ID_724737877" MODIFIED="1590502880919" TEXT="delete bootstrap VM, nic, disk"/>
-<node CREATED="1590505072660" ID="ID_1726041669" MODIFIED="1590505104472" TEXT="delete ignition config (unencrypted), but keep the graph (encrypted)"/>
-<node CREATED="1590503075141" ID="ID_835163685" MODIFIED="1590503083905" TEXT="apply signed TLS certificates to cluster"/>
-<node CREATED="1590503236984" ID="ID_1257617294" MODIFIED="1590503249309" TEXT="disable cluster Cincinnati configuration"/>
-<node CREATED="1590503389626" ID="ID_762508405" MODIFIED="1590503398533" TEXT="update console branding"/>
-<node CREATED="1590504072049" ID="ID_1216289806" MODIFIED="1590504087702" TEXT="alertmanager configuration step (hack)"/>
 </node>
+<node CREATED="1742320895000" ID="ID_100000095" MODIFIED="1742320895000" POSITION="right" TEXT="Phase 2: RemoveBootstrap (pkg/cluster/install.go)">
+<node CREATED="1742320896000" ID="ID_100000096" MODIFIED="1742320896000" TEXT="initialize clients">
+<node CREATED="1742320897000" ID="ID_100000097" MODIFIED="1742320897000" TEXT="initializeKubernetesClients"/>
+<node CREATED="1742320898000" ID="ID_100000098" MODIFIED="1742320898000" TEXT="initializeOperatorDeployer"/>
+</node>
+<node CREATED="1742320899000" ID="ID_100000099" MODIFIED="1742320899000" TEXT="bootstrap removal">
+<node CREATED="1590502868427" ID="ID_724737877" MODIFIED="1742320800000" TEXT="removeBootstrap - delete bootstrap VM, NIC, disk"/>
+<node CREATED="1590505072660" ID="ID_1726041669" MODIFIED="1742320800000" TEXT="removeBootstrapIgnition - delete unencrypted ignition config (keep encrypted graph)"/>
+</node>
+<node CREATED="1742320900000" ID="ID_100000100" MODIFIED="1742320900000" TEXT="API server and node health">
+<node CREATED="1742320901000" ID="ID_100000101" MODIFIED="1742320901000" TEXT="apiServersReady (30min timeout)"/>
+<node CREATED="1742320902000" ID="ID_100000102" MODIFIED="1742320902000" TEXT="configureAPIServerCertificate - apply signed TLS certificate"/>
+<node CREATED="1742320903000" ID="ID_100000103" MODIFIED="1742320903000" TEXT="apiServersReady (30min timeout) - recheck after cert change"/>
+<node CREATED="1742320904000" ID="ID_100000104" MODIFIED="1742320904000" TEXT="minimumWorkerNodesReady (30min timeout)"/>
+</node>
+<node CREATED="1742320905000" ID="ID_100000105" MODIFIED="1742320905000" TEXT="console and UI">
+<node CREATED="1742320906000" ID="ID_100000106" MODIFIED="1742320906000" TEXT="operatorConsoleExists (30min timeout)"/>
+<node CREATED="1590503389626" ID="ID_762508405" MODIFIED="1742320800000" TEXT="updateConsoleBranding - custom ARO branding"/>
+<node CREATED="1742320907000" ID="ID_100000107" MODIFIED="1742320907000" TEXT="operatorConsoleReady (20min timeout)"/>
+</node>
+<node CREATED="1742320908000" ID="ID_100000108" MODIFIED="1742320908000" TEXT="OpenShift configuration">
+<node CREATED="1742320909000" ID="ID_100000109" MODIFIED="1742320909000" TEXT="disableSamples - disable sample operators"/>
+<node CREATED="1742320910000" ID="ID_100000110" MODIFIED="1742320910000" TEXT="disableOperatorHubSources"/>
+<node CREATED="1590503236984" ID="ID_1257617294" MODIFIED="1742320800000" TEXT="disableUpdates - lock cluster version"/>
+<node CREATED="1742320911000" ID="ID_100000111" MODIFIED="1742320911000" TEXT="clusterVersionReady (30min timeout)"/>
+</node>
+<node CREATED="1742320912000" ID="ID_100000112" MODIFIED="1742320912000" TEXT="ARO operator stabilization">
+<node CREATED="1742320913000" ID="ID_100000113" MODIFIED="1742320913000" TEXT="aroDeploymentReady (20min timeout)"/>
+<node CREATED="1742320914000" ID="ID_100000114" MODIFIED="1742320914000" TEXT="updateClusterData - update cluster metadata"/>
 </node>
-<node CREATED="1590503612499" ID="ID_17207191" MODIFIED="1590503627720" TEXT="cluster record provisioningState -&gt; &quot;Succeeded&quot; or &quot;Failed&quot;"/>
+<node CREATED="1742320915000" ID="ID_100000115" MODIFIED="1742320915000" TEXT="cluster networking and storage">
+<node CREATED="1742320916000" ID="ID_100000116" MODIFIED="1742320916000" TEXT="configureIngressCertificate - ingress TLS certificate"/>
+<node CREATED="1742320917000" ID="ID_100000117" MODIFIED="1742320917000" TEXT="ingressControllerReady (30min timeout)"/>
+<node CREATED="1742320918000" ID="ID_100000118" MODIFIED="1742320918000" TEXT="configureDefaultStorageClass"/>
+<node CREATED="1742320919000" ID="ID_100000119" MODIFIED="1742320919000" TEXT="removeAzureFileCSIStorageClass - cleanup legacy storage"/>
 </node>
-<node CREATED="1590504014890" ID="ID_1199416675" MODIFIED="1590504022476" POSITION="right" TEXT="Not part of cluster creation">
-<node CREATED="1590504023473" ID="ID_1023037898" MODIFIED="1590504034228" TEXT="No cluster-specific Geneva configuration"/>
+<node CREATED="1742320920000" ID="ID_100000120" MODIFIED="1742320920000" TEXT="finalization">
+<node CREATED="1742320921000" ID="ID_100000121" MODIFIED="1742320921000" TEXT="disableOperatorReconciliation - stop operator changes"/>
+<node CREATED="1742320922000" ID="ID_100000122" MODIFIED="1742320922000" TEXT="clusterOperatorsHaveSettled (30min timeout) - verify stability"/>
+<node CREATED="1742320923000" ID="ID_100000123" MODIFIED="1742320923000" TEXT="finishInstallation - clear Install field, mark complete"/>
 </node>
-<node CREATED="1590504543431" ID="ID_294285508" MODIFIED="1590504550763" POSITION="right" TEXT="Potential follow-up actions">
-<node CREATED="1590504551615" ID="ID_398187299" MODIFIED="1590504574803" TEXT="Document data flow `az aro create` parameters -&gt; where they are actually used"/>
-<node CREATED="1590504835345" ID="ID_1657913982" MODIFIED="1590504841453" TEXT="Go into more detail on bootstrap VM steps"/>
-<node CREATED="1591025935206" ID="ID_1810135696" MODIFIED="1591025958914" TEXT="Re-review ARM manifest (RP registration)"/>
-<node CREATED="1591026798041" ID="ID_961966630" MODIFIED="1591026806252" TEXT="Look at how to represent one process waiting on another"/>
 </node>
+<node CREATED="1590503612499" ID="ID_17207191" MODIFIED="1742320800000" POSITION="right" TEXT="cluster record provisioningState set to Succeeded or Failed"/>
 </node>
 </map>
diff --git a/docs/cluster-creation.png b/docs/cluster-creation.png
index 43a7018e0ab..5f913717e6e 100644
Binary files a/docs/cluster-creation.png and b/docs/cluster-creation.png differ
